I have a ComSci degree from an accredited university, and I disagree to some extent.
Math and Physics is overrated. The skills I use most have to do with logic and dissecting algorithms. This has more to do with Geometry than Differential Calculus.
Writing skills are underrated and should have been stressed more because they are so absolutely critical in our field. I only had one writing course labeled 'technical writing' but turned out to be how to write business proposals.
The course I had on Software Engineering was a complete joke and had nothing to do with the subject.
At the time I graduated in '91 there seemed to be a disconnect between ComSci and Management Information Systems. The MIS dept tended to teach real world skills which were useful in jobs, and ComSci was trying to teach develop new university professors.
That has changed somewhat over time, but probably not by much.
I would have thought the various reports from Netcraft showing IIS is in use on most commercial web sites would have laid to rest the false claim that Apache is more popular.
That's interesting, but Nimda doesn't change the desktop background to a cheesy pic of a skeleton.
I don't know what you did exactly, but I seriously doubt it came from your browsing stuff through IE 6.0. Especially considering IE 6.0 is not vulnerable to the MIME problem Nimda exploited.
First of all I love the comment "Given that IIS sucks anyway".
Just for the record. We had some issues with this at work because some development machines weren't properly patched. Old NT4 w/SP5, Office 97, etc.
At home, on the other hand, I am at the bleeding edge. Win2k sp2/hotfixes, Norton XP, Office XP, IE 6.0, etc.
Got home after fighting the virus at work, went to Outlook to check my email. Yep, got a handful of emails from Nimda.
Confidentally opened up the emails to see what they contained using Outlook XP... thought it was kind of cute, but I deleted them.
Went out viewed a couple of websites to see what the latest news was.
Then I decided I probably better update my Virus definitions, so I did that.
Not once was I ever vulnerable to Nimda. The IIS exploits were very old, as were the IE exploits. Outlook has had patches available since last year for Outlook 2000 to prevent this type of attack. Outlook XP by default out of the box blocks many types of attachments, and does not allow email with HTML content to be scripted.
So granted, some older versions of their applications and OS are vulnerable to some problems. What do you expect Microsoft to do? Fix it?
Umm, you don't want to install every damn hotfix in the world on your machine. Some of them are only needed if you have a particular RAID controller and you are trying to run FTP during a full moon.
The important ones in this context are all listed, up to date, under www.microsoft.com/security
Peasants of old were tied to the land because they had to accept the bargain or go hungry and die.
Are you saying that if you don't listen to NSync while playing Quake you are going to die?
Re:Is Critical Thinking Just Not Popular Anymore?
on
Brian West Update
·
· Score: 2
Apparently critical thinking isn't very popular at all.
Your analysis makes a lot of assumptions, the primary one being that what this guy did was harmless and unassuming.
There were quite a number of us at the time who read the original description, and when we got to the part where after he noticed the initial flaw he kept probing downloading files and passwords, etc., thought "Why?"
This guy went too far. It's quite possible he didn't mean any harm, and that's why the prosecutors are being lenient on him.
But he was clearly a clueless numbskull who deserves to get his hand slapped.
You need to lose your preconceived notions of the sexiness of computer crimes, or that law enforcement officers don't understand the issues. That might have been true in the 80's and even ten years ago, but times have changed.
I'm no longer a college student, but in the tech world you still have ongoing training for Oracle, Microsoft, some obscure Tivoli tool, whatever. We spend about the same for one week of training as most college students spend for an entire semester.(i.e. around $2-3k)
Because they are technical training courses, they have computers.
But you know what?
They aren't connected to the internet.
Why?
Because it's distracting. Everybody knows that, accepts it and learns to deal with it.
Most people also turn off their cell phones and pagers in the classroom as well.
In quite a number of the responses I've seen there has been discussion about whether IIS is simply more targetted, or really insecure.
Some have discounted the more targetted point of view because Apache is reportedly far more popular. Ok, granted. But now for my sad analogy... Single family homes are far more popular in the United States than skyscrapers, but when terrorists want to make a point, what types of buildings do they attack?
People who write viruses may not be "terrorists" as they aren't trying to kill people. Sometimes they don't even have a point to make, but they most certainly want to cause financial damage, so who better to target?
On forcing '95 developers to also develop to NT...
I don't remember that happening, especially since NT4 didn't arrive for another year. I do recall a move in the MS logo program around '98 which required the software to work both on 9x and NT.
Was that squashing competition? I don't see how. Was it using one position to move into another market? Again I don't see how.
That particular issue applies solely to desktop applications. One typically does not run Quicken on the server.
But Microsoft did learn from the migration from Win3.1 to Win95 that it wasn't easy, because of the lack of discipline amongst developers. They were telling us as early as 1996 that their ultimate goal was to merge the codebases of Win9x and NT together into one platform.
This goal has become realized with the release of WinXP.
But obviously for consumers to be able to move easily from Win9x to WinXP they needed to have a software base that maintained some semblance of compatibility. Something that didn't happen with the DOS/Win3.1 move to Win95 and certainly not with the move to WinNT4.
So they started encouraging developers to write software that was compatible with both OS types. As it turned out it wasn't that hard as long as you were disciplined and careful, and it helped increase your marketshare as you could sell to both Win9x and NT users.
I've come to the conclusion that most anti-MS sentiment really comes from a hatred of all things popular. When I was in school we hated IBM. I don't really remember now why that was, and I still harbor a mistrust for the company to this day.
Once you establish your hatred, you then start working backwards to try to find a reason for the hatred. This inevitably results in illogical reasoning, such as the example you just gave.
I am not trying to troll here, although I'm sure I'll be accused of it, but one sees the very same behavior in a lot of the world protests. Whether it be globalization, anarchists, anti-US, etc. You watch people complaining about globalization enjoying the fruits of this by eating at McD's. You watch anarchists complaining about government, while enjoying the freedom that our democracies grant them. You watch anti-US sentiments from people eating hamburgers, drinking coke and wearing Levi's.
Maybe human's simply need something to hate, whatever that might be.
Found it...
http://www.microsoft.com/permission/copyrgt/cop- so ft.htm
"Microsoft does allow the downgrading of current versions of retail Microsoft software on a case-by-case basis by special permission, (unless such permission is already granted to you under your Microsoft product End User License Agreement (EULA)). "
Service Pack 2 included the patch for the exploit Nimda used.
However if you had not patched for Code Red in June and were infected by that, Nimda utilized one of the backdoors left behind. That's been the primary reason behind every claim of "we were patched and still got infected", and you should investigate that possibility.
Of course that just covers the IIS exploit. There were other ways of Nimda spreading, and if you were web browsing or running random executables on the machine that may also be a concern.
We got hit by Nimda, but only on our development machines. The production machines had been kept up to date with security patches.
In the specific case of Nimda, the patch was available in April of 2000. That gave everybody plenty of time to do something about it, however many didn't. i.e. most of our development machines.
What's more expensive? Spending an hour once a month patching your production web servers, or shutting down the company for half a day?
My experience with reading Gartner group reports over the past six years indicates they typically correct maybe 50% of the time.
The cool thing is that they'll recommend you replace IIS in one report, and then recommend in another report you replace everything else and move to IIS.
This allows them to always be right on any given issue, regardless of their overall batting average.
It's weird. I usually don't install service packs right away, but wait a few weeks. Even if I do, I install it to a test machine first to see what it does.
There are sometimes reports of problems, and I'm smart enough to know that some applications that do low level bit tweaking may not work. (Firewalls come to mind)
And strangely enough, I've never had any problems with any Microsoft service patches.
As far as your proper action. That's incorrect. You should do both.
You may also want to look at the new URLCheck utility from microsoft which also tries to prevent malicious requests.
I must have posted this at least a dozen times to/. alone over the past few months. It's been posted to ntbugtraq and every other support mailing list.
Here it is, one more time. Live it, learn it, love it.
http://www.microsoft.com/Downloads/Release.asp?R el easeID=24168
Besides as of right now there has been any major patches for about a month and you just need to do Win2k SP2 plus the August hotfix rollup. Over WinNT4 SP6a plus a similar rollup hotfix.
You forgot Great Britain.
:)
Where do you think all those british colonies got their ideas?
I have a ComSci degree from an accredited university, and I disagree to some extent.
Math and Physics is overrated. The skills I use most have to do with logic and dissecting algorithms. This has more to do with Geometry than Differential Calculus.
Writing skills are underrated and should have been stressed more because they are so absolutely critical in our field. I only had one writing course labeled 'technical writing' but turned out to be how to write business proposals.
The course I had on Software Engineering was a complete joke and had nothing to do with the subject.
At the time I graduated in '91 there seemed to be a disconnect between ComSci and Management Information Systems. The MIS dept tended to teach real world skills which were useful in jobs, and ComSci was trying to teach develop new university professors.
That has changed somewhat over time, but probably not by much.
How much are they paying you?
I share my knowledge and expertise for free.
HAHA!
:)
You are absolutely correct.
I would have thought the various reports from Netcraft showing IIS is in use on most commercial web sites would have laid to rest the false claim that Apache is more popular.
That's interesting, but Nimda doesn't change the desktop background to a cheesy pic of a skeleton.
I don't know what you did exactly, but I seriously doubt it came from your browsing stuff through IE 6.0. Especially considering IE 6.0 is not vulnerable to the MIME problem Nimda exploited.
Perhaps you aren't as savvy as you thought.
First of all I love the comment "Given that IIS sucks anyway".
Just for the record. We had some issues with this at work because some development machines weren't properly patched. Old NT4 w/SP5, Office 97, etc.
At home, on the other hand, I am at the bleeding edge. Win2k sp2/hotfixes, Norton XP, Office XP, IE 6.0, etc.
Got home after fighting the virus at work, went to Outlook to check my email. Yep, got a handful of emails from Nimda.
Confidentally opened up the emails to see what they contained using Outlook XP... thought it was kind of cute, but I deleted them.
Went out viewed a couple of websites to see what the latest news was.
Then I decided I probably better update my Virus definitions, so I did that.
Not once was I ever vulnerable to Nimda. The IIS exploits were very old, as were the IE exploits. Outlook has had patches available since last year for Outlook 2000 to prevent this type of attack. Outlook XP by default out of the box blocks many types of attachments, and does not allow email with HTML content to be scripted.
So granted, some older versions of their applications and OS are vulnerable to some problems. What do you expect Microsoft to do? Fix it?
They already have.
Umm, you don't want to install every damn hotfix in the world on your machine. Some of them are only needed if you have a particular RAID controller and you are trying to run FTP during a full moon.
The important ones in this context are all listed, up to date, under www.microsoft.com/security
Peasants of old were tied to the land because they had to accept the bargain or go hungry and die.
Are you saying that if you don't listen to NSync while playing Quake you are going to die?
Apparently critical thinking isn't very popular at all.
Your analysis makes a lot of assumptions, the primary one being that what this guy did was harmless and unassuming.
There were quite a number of us at the time who read the original description, and when we got to the part where after he noticed the initial flaw he kept probing downloading files and passwords, etc., thought "Why?"
This guy went too far. It's quite possible he didn't mean any harm, and that's why the prosecutors are being lenient on him.
But he was clearly a clueless numbskull who deserves to get his hand slapped.
You need to lose your preconceived notions of the sexiness of computer crimes, or that law enforcement officers don't understand the issues. That might have been true in the 80's and even ten years ago, but times have changed.
As I was reading your post, an interesting quote came up at the bottom of slashdot.org.
"No character, however upright, is a match for constantly reiterated attacks, however false. -- Alexander Hamilton "
It seemed appropriate.
Buffy the Vampire slayer? What do they want the high school 3l33t hack0r3?
:)
The perfect opportunity is tonight on UPN when the new Star Trek premiers.
Sheesh.
I'm no longer a college student, but in the tech world you still have ongoing training for Oracle, Microsoft, some obscure Tivoli tool, whatever. We spend about the same for one week of training as most college students spend for an entire semester.(i.e. around $2-3k)
Because they are technical training courses, they have computers.
But you know what?
They aren't connected to the internet.
Why?
Because it's distracting. Everybody knows that, accepts it and learns to deal with it.
Most people also turn off their cell phones and pagers in the classroom as well.
I can't believe this is even a news story.
In quite a number of the responses I've seen there has been discussion about whether IIS is simply more targetted, or really insecure.
Some have discounted the more targetted point of view because Apache is reportedly far more popular. Ok, granted. But now for my sad analogy... Single family homes are far more popular in the United States than skyscrapers, but when terrorists want to make a point, what types of buildings do they attack?
People who write viruses may not be "terrorists" as they aren't trying to kill people. Sometimes they don't even have a point to make, but they most certainly want to cause financial damage, so who better to target?
On forcing '95 developers to also develop to NT...
I don't remember that happening, especially since NT4 didn't arrive for another year. I do recall a move in the MS logo program around '98 which required the software to work both on 9x and NT.
Was that squashing competition? I don't see how. Was it using one position to move into another market? Again I don't see how.
That particular issue applies solely to desktop applications. One typically does not run Quicken on the server.
But Microsoft did learn from the migration from Win3.1 to Win95 that it wasn't easy, because of the lack of discipline amongst developers. They were telling us as early as 1996 that their ultimate goal was to merge the codebases of Win9x and NT together into one platform.
This goal has become realized with the release of WinXP.
But obviously for consumers to be able to move easily from Win9x to WinXP they needed to have a software base that maintained some semblance of compatibility. Something that didn't happen with the DOS/Win3.1 move to Win95 and certainly not with the move to WinNT4.
So they started encouraging developers to write software that was compatible with both OS types. As it turned out it wasn't that hard as long as you were disciplined and careful, and it helped increase your marketshare as you could sell to both Win9x and NT users.
I've come to the conclusion that most anti-MS sentiment really comes from a hatred of all things popular. When I was in school we hated IBM. I don't really remember now why that was, and I still harbor a mistrust for the company to this day.
Once you establish your hatred, you then start working backwards to try to find a reason for the hatred. This inevitably results in illogical reasoning, such as the example you just gave.
I am not trying to troll here, although I'm sure I'll be accused of it, but one sees the very same behavior in a lot of the world protests. Whether it be globalization, anarchists, anti-US, etc. You watch people complaining about globalization enjoying the fruits of this by eating at McD's. You watch anarchists complaining about government, while enjoying the freedom that our democracies grant them. You watch anti-US sentiments from people eating hamburgers, drinking coke and wearing Levi's.
Maybe human's simply need something to hate, whatever that might be.
Found it...- so ft.htm
http://www.microsoft.com/permission/copyrgt/cop
"Microsoft does allow the downgrading of current versions of retail Microsoft software on a case-by-case basis by special permission, (unless such permission is already granted to you under your Microsoft product End User License Agreement (EULA)). "
Service Pack 2 included the patch for the exploit Nimda used.
However if you had not patched for Code Red in June and were infected by that, Nimda utilized one of the backdoors left behind. That's been the primary reason behind every claim of "we were patched and still got infected", and you should investigate that possibility.
Of course that just covers the IIS exploit. There were other ways of Nimda spreading, and if you were web browsing or running random executables on the machine that may also be a concern.
Apache is not a direct one for one replacement for IIS, and no amount of learning curve is going to change that.
Sigh, sounds like someone else who just installed Linux last year and is now convinced it rewls. :(
We got hit by Nimda, but only on our development machines. The production machines had been kept up to date with security patches.
In the specific case of Nimda, the patch was available in April of 2000. That gave everybody plenty of time to do something about it, however many didn't. i.e. most of our development machines.
What's more expensive? Spending an hour once a month patching your production web servers, or shutting down the company for half a day?
My experience with reading Gartner group reports over the past six years indicates they typically correct maybe 50% of the time.
The cool thing is that they'll recommend you replace IIS in one report, and then recommend in another report you replace everything else and move to IIS.
This allows them to always be right on any given issue, regardless of their overall batting average.
Microsoft never claimed it was in SP2.
That's incorrect. The patch that fixed the problem Code Red exploited was only released a month previous.
However in the case of Nimda, you had 16 months to patch your IIS server.
It's weird. I usually don't install service packs right away, but wait a few weeks. Even if I do, I install it to a test machine first to see what it does.
There are sometimes reports of problems, and I'm smart enough to know that some applications that do low level bit tweaking may not work. (Firewalls come to mind)
And strangely enough, I've never had any problems with any Microsoft service patches.
As far as your proper action. That's incorrect. You should do both.
You may also want to look at the new URLCheck utility from microsoft which also tries to prevent malicious requests.
I must have posted this at least a dozen times to /. alone over the past few months. It's been posted to ntbugtraq and every other support mailing list.
R el easeID=24168
Here it is, one more time. Live it, learn it, love it.
http://www.microsoft.com/Downloads/Release.asp?
Besides as of right now there has been any major patches for about a month and you just need to do Win2k SP2 plus the August hotfix rollup. Over WinNT4 SP6a plus a similar rollup hotfix.