Slashdot Mirror
Virus Costs Dell Millions in Ireland
ruggerbugger writes "Dell's production plant in Limerick, Ireland was [temporarily] shut down due to a funlove virus causing the recall of 12,000 computers... For full story see the Irish Times."
← Back to Stories (view on slashdot.org)
You'd think that if they have a machine that does nothing but control the installation of software to the new units, they would not do much other stuff on there, so I would be really interested in how they managed to get a virus on there. Unless of course they stuff their new PCs with copies of Win2000 that they warezed off the net.
"The FunLove virus infects both desktop computers and computer servers running Windows 95, 98 and Windows NT operating systems." /. about them. Maybe this will mean they push their preinstalled linux boxes a bit harder! :)
Another one in the eye for Billy G! Excellent PR for Microsoft (not!)- this will surely make the financial pages of international media. PHB's don't really understand stuff like "inherently weak security model", they just believe the Redmond spin doctors advice. But £14 Million, now that's something that will get their attention. Hear that mindshare slowly deflating in your bosses brain...
OTOH, it's bad news for Dell - they were doing well, last time I saw an article posted on
Strong data typing is for those with weak minds.
A car thief once told me "There is no such thing as complete security. All your precautions are going to do is stop the incompetant, who aren't a danger anyway, and slow down the professionals, who won't be stopped at any rate." Or maybe it was my dad.
Either way, no amount of virus protection will stop all virii. This should not be seen as a setback for Dell, but be a time for rejoicing. Dell actually admitted that there was a problem, has attempted to correct it, and not tried to hide any of this from the public. All at great cost to themselves.
Many other computer companies would simply hush up a problem of this magnitude, but Dell deserves our praise for coming forward and correcting a problem publicly.
Computers can only simulate determinism. ~Hermetic.
Notice my email address; it's at ireland.com . I can pretty much forget about checking that for the next few hours. Bastards.
On a lighter note, last year I took a train from Dublin to Limerick for a job interview with Dell. The two techies told me I more or less had the job, but the HR guy equivocated. I got another train home, and never heard from them again. Not as much as a PFO (does that term enjoy currency outside Ireland?).
Anyway: I can't condone the use of viruses (or viri, but not virii), but I did laugh. Hard.
The last line in the article. Look at all the companies that installed AV software afterwards. You would think that at least Microsoft would have decent AV stuff running.
Antivirus procedures in most companies is a joke.
I went round upgrading Win95/98/NT for Y2K compliance (another joke) in a very important company in N. Ireland over the summer, and everytime we did a computer we ahd to copy a Word document to the hard drive and fill it in, date, time etc. Then we copied it to a floppy. When we finally got all the disks back there were 4 different boot sector viruses on them, and numerous Macro viruses. All the computers were running virus checkers, so the PHB's all thought they were safe from viruses. The only problem was that the checkers were 4 years out of date.
My PC was one of those held up by this problem, and whilst it's irritating not to get my hands on my new kit I think Dell have delt with it very well. I got a very apologetic phonecall and it's only going to be a couple of days late - far better than sending out infected machines.
Somatizer
There once was a man named Dell
Whose computere truly were swell
And he said,
as the computers were recalled
Whoever did this is gonna catch Hell!
then it comes to be that the soothing light at the end of your tunnel is just a freight train coming your way
--
Electronic warfare? I doubt it. We're just witnessing an OS that was designed like a petri dish. It has neglegable security and poor design. Why does it organized help from governments to destroy it?
The deal was this: we took shipment of a whole bunch of Dell PCs with their supposedly useful auto-install Win95 thingy on, so you could turn them on, agree to the license and it would install Win95 from a CD image on the hard disc. Only, because of the massive amounts of custom hardware on the mobo, it didn't work, and in quite a major way. The machines firstly died during initial installation, requiring a reboot. They then just about made it to the Win95 desktop, but didn't autodetect any hardware, so you had to restart the machines again, which crashed them. Rebooting into safe mode, shutting down, and restarting finally persuaded them to autodetect the onboard hardware, and then a final reboot bought them up in a 'useable' state.
I repeat, these machines were *straight* out of the box, with no weird setups or anything. My feeling is that if Dell quality control is lax enough to let this kind of thing slip through, I'm not at all surprised a virus made it onto their machines...
-- I reserve the right to be completely wrong --
Can Linux catch a virus? Well, send a loaded email to my ISP. They happen to run Linux, use Pine for email, and under user accounts. There you have three reasons why the system files will not be corrupted.
Now I hear people say virus can infect anything regardless of what operating system I have, no matter how secure I think I am. Well, I haven't learned how to do scripting in Pine and I can see non text funny stuff from spammers and friends like a trojan. Things between the mailers like pagers, routers, copper wire, and your modem, etc., just really are not designed to host a virus. But when you run it on a Windows system that takes security as a joke, be prepared.
Frightening as it may seem to you, most people have moved beyond the 1970's computing paradigms. As (I should really say if) Linux becomes more popular, the viruses will proliferate. Unless you can convince people to get all nostalgic and embrace the TTY non-GUI.
/etc/passwd, and why they can't run that administration tool. The multi-user aspect just doesn't make sense to the average Joe User, esp. if it's a machine on their desktop. I've encountered this before: "Multi-user? Who else is using my computer??!?"
It's not about the GUI, it's about the security permissions. You can run any damn window manager/GUI you want, but if you routinely login as root, you're an idiot who deserves whatever happens. If you're not root, you shouldn't have permission to access any files you don't need, and then only with the minimal permissions you need. That, in fact, is pretty much the point of a multi-user system.
Of course, it's awfully difficult to explain to a windoze luser why they can't delete the system files, and why they're not allowed to edit
Any operating system is vulnerable to a virus. Period. Linux has very few viruses. There are none that I know of that can hose your system unless you're running as root (idiot). While I concede it may be possible to integrate a root security breach into a virus, so that it could do what it damn well pleased, I don't think any like this exist yet. And even so, once the security hole would be patched (quickly), that virus would no longer proliferate well.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Well done! Does anybody happen to have the exact formula for a properly scanning limerick? It would be nice to know the accepted rule rather constantly trying to match again the Man from Nantucket. :-)
but the post that started this thread was implying that Linux was immune to viri,
No, unless I am reading a different post than you. He suggested Dell should push Linux boxes harder. I supose you could interpret what the first poster said might suggest that Linux was a an alternative, but he did not state any facts about Linux dealing with viruses.
"Virii" isn't a word: true
"Virii" is used by script kiddies: true
"Virii" was coined by script kiddies: false
The usage of "virii" as the plural of virus is older than the script kiddie phenominon. It is an instance of standard hacker word play, like the usage of "boxen" as the plural of "box", unices as the plural of unix, etc...
For more info, see the Jargon file.
-- The act of censorship is always worse than whatever is being censored. Always.
Unclued posts arguably deserve a negative moderation. A deceptive post with faulty logic based on non-existent facts that utterly defy reality qualifies.
That includes the idea that Linux is just as vulnerable. It isn't; no remotely-decent truly multi-user system with permissions is.
A clued Windows 9X user is functioning as root 100% of the time. A clued Linux user, perhaps a couple % at most, if they're still testing their hardware configuration or installing additional system-wide software. Read up on permissions, and you'll see that there's a fundamental difference.
Only the dead have seen the end of war.
It might be reasonable at least for an OEM to do it.
It's certainly reasonable for either MS or an OEM to include some documentation that drops the hysteria (along the lines that "Viruses are mysterious things that can destroy all your files, anytime, anywhere... so you'd better buy our AV product!") in favor of some sanity (like "Be aware of the risks when getting files from untrusted sources, but if you just do WWW browsing, no explicit sharing, and don't use a let's-try-to-do-everything-under-the-sun mail client, you're pretty safe...").
Only the dead have seen the end of war.
FUD stands for Fear, Uncertainty, and Doubt. Its a tool used by marketing departments and paid professionals to cause confustion and mudslinging between otherwise rational people.
You are correct that it is no mean trick to write a program that can damage the system it runs on, largely irrespective of what kind of system we're talking about. And so long as you can hoodwink some unwitting user into executing that program on their system, that program can, of course, cause damages commensurate with the privileges and capabilities of that user.
What you've failed to consider is how the dramatic cultural differences between Unix and the much-maligned consumerist toys serve to affect the issue to our benefit and their detriment.
Probably the most important of these cultural differences is that Unix has historically been a source-only world. Programs are distributed in the form of source code, code which shall be configured, built, and ultimately installed on the target machine. Programs solely accessible in machine language form fall immediately under a taint of mistrust.
Think back to the last time you read a notice from someone whom you've never heard of before that was asking you to go fetch some random binary program from some random place on the net and then to run that program under full sysadmin privileges? I can already see the incredulous Unix sysadmin reading that and bursting out in uncontrollable guffaws. Because the de facto standard for program interchange in Unix is as source code, a Unix programmer will be far less likely to fall for your ploy than would your average Prisoner of Bill, who has been lulled into gullibility by a binary-only culture.
But for the sake of the argument, let's say that you've found a way to effect this trick. Suppose you're an employee of some reasonably respected company that happens to produce a binary-only distribution of their commercial software, and you decide to sneak something wicked into the binary image. You manage to replace the standard, clean copy on your company's ftp or http server, or even floppies or CDs, with your own naughty version. People are accustomed to downloading from your company, or using your company's floppies, so they do as they've always done, run the installation as the superuser, and you thereby have your way with their system.
If this scenario were to play out, just how dangerous--how destructive--could it really prove? Whom could you harm, and who would be immune to your ploy? The answer is that you could only hurt those folks running the exact platform for which your binary had been compiled, and everybody is unassailable. By platform, I mean the whole feature vector that includes processor chip (eg Sparc vs Intel), operating system (e.g. SGI vs BSD), shared libraries (e.g. libc vs glibc), and site-specific configuration (e.g. shadowed vs non-shadowed password files.
Let's not get too full of ourselves and pretend that the Unix culture's predilection for source-only program distribution derives only, or even mainly, from altruism. We have no choice in this matter. Consumer-targetted systems from Microsoft or Apple are two instances are a static monoculture, as vulnerable to mayhap as a field of cloned sweet corn. It only takes one genetically engineered virus to bring down the whole field. Unix is different.
In his acclaimed essay, In The Beginning , Neal Stephenson writes:
There is no one thing called Unix. Instead, Unix comprises a diverse set of subtly (and often not so subtly) variant platforms. A nefarious binary laced with exquisitely designed evil bullets hidden inside it can hurt only a few of us. When Apple and Microsoft laugh at our diversity, be sure to remind them that is it their lack of the same that contributes to their incredible vulnerability--and to our strength. Hybrid vigor ultimately wins out over a monoculture, for the latter is too in-bred and fragile to prove long viable.
Let me now return to your particular suggestion, that of a malignant Perl program activated by a Makefile rule at installation time. Because you're talking source code, and because Perl tries rather hard to attain a high level cross-platform intercompatibility, this form of subterfuge would appear exempt from the inherent protections stemming from diversity in variant Unix platforms. So, could your trick be done? How much of a problem could this really be? What might happen?
The answer is that of course, it could be done. And in point of fact, a demonstration model is already available, courtesy of Abigail. Guess what? There's no reason to run around like a chicken with its head cut off: the sky isn't falling. This sort of approach stands little chance of making a big splash, because you aren't going to insinuate it into a place that can affect a lot of people. Sure, you might catch a few folks, but just how long to you think this kind of thing will go unnoticed? Remember, it's in source code. That means anybody who wonders what happened can just look at it. There's a very low barrier to entry. And even if the naughtiness removes itself from your copy once its dirty deeds are done, that naughtiness is still sitting there in plain view for easy inspection back wherever you got your copy from.
Is there a way around this? Well, yes, if you're as clever as Ken Thompson. Fortunately, you aren't, and neither are the crackers. If they were, they'd doubtless receive more Turing Awards for their vaunted efforts. :-)
The only way you're going to get good propagation is if your nastiness into a copy that a lot of people will download and install. There's a very fine reason why so many archives contain a checksum of the image. It's to help with this problem. Security of course depends on several matters, including the strength of the algorithm and the integrity of the authenticating agent. But better that than nothing.
Let's talk about propagation some more. I assume that the goal is to have a notable impact, which means you need to spread your bad code as widely as possible. A hacked up install script, even if all goes to your liking, just doesn't have a very high rate of reproduction. First of all, how often do how many people install this software? Secondly, how do you plan to trick them into doing so? It's not really much of a challenge to get one person to this, especially if they trust. If that's your goal, maybe you'll succeed. But the risk of being traced and apprehended is high.
So how come this stuff can spread like wildfire amongst the OS-challenged? Can't whatever mechanism that's used there be used to get at the rest of us, too?
Over the last few years, a frighteningly frequent conduit of contagion for viral infection on toy systems has been the implicit, automatic execution of code with little or not manual intervention on the part of the box's owner. DOWN THIS PATH LIES MADNESS!. That this can ever, ever happen is as a plain a symptom of complete and total cretinization in the toybox world as you are ever going to see. It's stupid, it's crazy, and it's dangerous. Any programmer who even suggests it needs to go back to flipping hamburgers. Any user who asks for this feature needs to be quietly taken into the back room by the doleful men in long trenchcoats, where he will be told in no uncertain terms that his request is not only in the best interest of no one but criminals, but that he also now has a permanent record even for asking about it.
No, I don't care that a customer asked for it. Customers are idiots, just like any other user. So what if they pay you? They're still idiots, and it's your professional responsibility to act responsibly, to refuse to go along with their madnesses. The customer is not always right. In fact, they're very often wrong. A physician or a lawyer doesn't do whatever the customer requests, and neither do you. They, meaning the customers or users, simply don't have the background and training; they don't have the experience of seeing why automatic execution from untrustable source is the work of the Devil.
It's not as though we in Unix have never seen this issue before. In fact, we've seen it time and time again. And guess what? We recognized the problem and we addressed it. And we don't cater to that kind of lunacy anymore.
Here are a few concrete examples.
Remember when vi would--or at least, could--automatically execute macro commands embedded in a file in a specific way? That was a dubious feature called modelines. On my OpenBSD systems, if I type :set modeline, the program comes back and says set: the modeline option may never be turned on.
Another example of learning from our mistakes is the issue of shell archives. Instead of automatically running the sharfile through /bin/sh, there are specially made unshar programs that will do the common things, safely, and nothing else.
When CGI was first getting big, owners of toy systems would blindly install compilers and interpreters in such a way that these would easily execute arbitrary content coming in off the wire. Despite my pleas, both Netscape and Microsoft were actually advocating this! After a year of warning admins not to do this, and sending mail to the companies who were saying to just go ahead, nothing changed. So I released latro. Then and only then did various companies retract their suggestions, even though they'd been aware of the nature of the problem for a long, long time. Sure, you could be equally stupid on Unix, but for some reason, we weren't. History counts.
Implicit execution of untrusted material is simply stupid beyond words. And for some reason, the toybox people keep falling for the same chump moves, from MIME attachments to word processor and spreadsheet macros to embedded active scripting controls. I don't know quite why they just keep doing this crap. My hunch, and it's only a hunch, is that this is happening because Microsoft and their moronic minions simply cannot for the all the tea in China ever manage to think outside of their quaint but completely fictional little single-user universe. Maybe they don't hire people who come from a background in multiuser and/or networked computing systems. Maybe they don't hire people with real experience at all, just script-kiddies trying to make a buck legitimately but with no true understanding. Maybe the software makers simply can't say no to a customer request, no matter how suicidal they know that request to be. I don't know.
Whatever the cause, decades of history are completely and repeatedly ignored. They keep making the same mistakes, and they don't fix the underlying causes. Sure, there are things that are hard. Denial of service attacks are hard. People who know exactly all the ramifications of IP who go sending maliciously hand-crafted packets aren't much fun either.
But these highly technical ploys aren't why most folks on their toyboxes are being screwed up, down, left, right, and sideways. They're being screwed because of very simple matters. They don't have the notion of a protected execution mode. They don't have file permissions or memory protections. They automatically execute content willy-nilly, often with complete access to the whole machine. They expect a program to show up in binary not source form. They don't compare robust checksums from a strongly authenticated sources. They live in an infinitely vulnerable monoculture. They expect things to just magically happen for them without a thought or a care, and guess what? Their wishes are duly granted, much to their eventual dismay.
It is possible that mass-market factors may someday end up plaguing Unix systems in ways not so far removed from the stupidities that the toy boxes are riddled with. We just have to tell them no, and to condemn in the strongest and loudest possible terms any backsliding into insecurities that if we ever had, long ago banished. Looking at the Winix phenomenon, in which a dozen different vendors put together and ship their own Linux operating systems, all specifically constructed to be user-obsequious and Unix-hostile all in order to appease the lowered expectations of a hundred million Windows idiots, who, despite their numbers, really can still be wrong. The stupidity of the masses must never be underestimated.
PS: Congratulations for reading this far. :-)
But it still begs the question of what a "virius" is, eh? :-(
It's not like it's all the same, though. In English (assuming you deem England to be part of Europe :-), you have viruses, but in German, you have viren. Most curious of all, you in the Romance tongues have an invariant virus even in the plural, as in French les virus or Italian i virus. Given the historical provenance of the Romance tongues, I'd say that this invariance lends credibility to those scholars who opt for a 4th declension explanation of events.
The first erratum is that when I said " everybody is unassailable", I of course meant that "everybody else is unassailable".
The other is that immediately prior to the sentence beginning "Consumer-targetted systems", you should insert this:
Somehow this slipped by in the posted copy, and it's an important point.Finally, I fixed the latro links at the bottom, so you'll be able to see the real program. And yes, it works. Like nmap and other, um, security tools, this should of course only be used to verify the security of those systems that you yourself directly administer and have responsibility for. Not that it's apt to be sufficiently well logged to know what's really going on. It seems that POSTs never get their content logged. Play nice, and don't pick on the WinVictims. :-)
Sanity's post did not deserve to be moderated down. Inaccuracies deserve responses, not negative moderation. What his post deserved was Tom Christiansen's response. Moderate that up.
"Flamebait" is the deliberate provocation of a flamewar. Sanity's did not seem to me to be that, and if I get the chance the metamoderate, I'll make the "unfair" call. It raised a point that was worth raising, if for nothing else, because of the response it engendered.
Unfortunately, some seem to take the moderation system as a way to dock people for unpopular opinions. This is not the first time I've seen a post moderated down because it said something negative about Linux or postive about Microsoft. That is not good, and only serves to inspire the kind of group think that would make a site such as this worthless. There is a reason that are no "wrong" or "stupid" or "bothers me" moderation options. We should only be preventing abuses. Abuses like offtopic posts or intentional flamebait.
Believe me, if a post rated '1' is followed up by a contradicting post rated '5', the message is there. Docking people who have good intent is just spiteful.
(I also find it very sad that someone felt compelled to moderate down Mawbid's objection to the moderation. I suppose I'll be next...)
The cake is a pie
I dualboot LinuxPPC (not terribly often, but I insist on being able to do it). This means that there are some Linux software packages that I can't, actually run, because anything that's binary-only or depends on PC hardware is something I can't run. For instance, anything that expects a parallel port is likewise something I can't use.
Contrariwise, if someone makes a Linux binary that is a x86 virus, I can't run it either (nor would I want to). There's a level of inconvenience that is also protection. Add to this the fact that I like to not run a desktop such as KDE or Gnome, and mostly hack around with console apps and play with Window Maker when I _do_ boot into Linux, and it becomes extremely awkward for someone to make a generic Linux virus that can function under those conditions. I end up making a relentlessly nonstandard environment for myself, simply because Linux does _not_ deliver a very well realised and completed user environment, and because it encourages my active involvement in the building of this user environment.
This diversity is a strength, not a weakness: it makes it appallingly difficult for a commercial vendor to target the average Linux system (they will have to pick RH or something and support only that), but it also makes it appallingly difficult for a virus writer to target the average Linux system (again, they will have to pick the RH or something and 'support' only that...)
The most significant effects of this are as follows:
- Commercial 'Winux' offerings will overwhelmingly focus their efforts into a single dist, probably Red Hat, possibly Caldera or Corel or something. Divergent dists and installations will not be supported- with varying degrees of haughtiness.
- Because Linux is in fact poorly suited to being turned into a Windows clone (much of the advantages are wasted), a very _large_ percentage of the userbase will refuse to be homogenized, _much_ larger than the comparable percentage of Windows or Mac users running substantially unusual configurations. This will continue, emphasised by the ability to distribute and publicise novel experiments in interface and user environment.
- Because of this, Linux will continue to seemingly be penalized in comparison with, for instance, Windows, as a developer's platform and commercial target platform- the commercial Linux distributions will infight and intentionally foster conflicts with each other, and too many users will drastically alter their user environments to make distribution of generic Linux software easy. Some vendors will define really limited targets, others will attempt to issue zillions of patches and diffs to cover the widest area possible. These approaches will coexist.
- At this time, at least _some_ people will have the presence of mind to suggest the obvious: there is choice, change to a different sort of Linux that is not vulnerable. No single Linux distributor will have the leverage to be able to significantly eliminate other dists (though certain ones may be able to get very large percentages of marketshare simply through commercial distribution networks and the ability to make the Linux versions of 'AOL disks' and proliferate them)
So, the 'Linux virus' _will_ exist, but it's important to understand the context they will exist in. They will be targeting the passive consumers and the largest commercial vendors- anytime you have a single voice outshouting the chorus, you'll have the Linux virus targetted to that particular distribution, perhaps motivated by anger at some business decisions the company makes that violate unwritten or written rules, perhaps simply taking advantage of sloppiness.When Linux virii _do_ become a significant force, the commercial Linux distributions will be the ones taking the hit, and such attacks will be specific to individual releases of commercial distributions.