Wow, nice way to find/create an anti-MS slant on the story. I can respect people who bash Microsoft if they know what they are talking about, but you clearly don't, so no biscuit.
Problems with your theory:
1) Microsoft updates don't patch files. They replace them. Probably to avoid the issues you assume are happening here (even though they aren't). I'll excuse you for not knowing this.
2) The file that the rootkit infects isn't the file affected by the patch. The file MS patched WAS 100% clean. The rootkit was either modifying or calling the patched file using a static offset. After the patch this offset was no longer correct and the rootkit caused a bluescreen when it used it.
3) Even if the patch was a delta and not a whole file, and the file to be patched was the infected file, and if the patch _did_ checksum the file first, then the checksum would not have revealed anything was wrong. Do you even know what a rootkit is? A rootkit, by definition, cloaks itself by modifying the OS so system calls will not reveal the rootkit. Read the file where the rootkit resides and the rootkit will intercept this and return the original file contents, sans rootkit.
The Foundation books, while great sci-fi, don't have a lot of action.
I'm betting that Emmerich will "sex up" Asimov's grand story with some ridiculous chase scenes and lots of action.
Does the Windows update process, in fact, just naively apply patches to files that have the correct name and path, without verifying hashes or signatures, thus running a very high risk of breaking hard any file that had been slightly modified?
Or was this some subtler and more complex situation, where the modified file itself was fine; but some tampered-with component was depending on the precise behavior of the modified file?
Sounds like that is exactly what this is. The file being patched isn't infected, but the rootkit has some dependency on the exact layout of this file, and when the file is updated by the patch the rootkit (accidentally) causes a bluescreen. Possibly the rootkit tries to patch the in-memory image of this file, which messes things up.
What I find really frightening about this situation is how widespread the rootkit that is causing this problem is. Most people have no idea they were infected (and still don't; they are blaming Microsoft).
MS is really gonna cop some flak for this one. Unfortunately this rootkit seems to be so stealthy that it's damn hard to tell if the machine is infected until it's too late and your machine won't boot.
A machine that had been on our network had the patch yesterday and won't boot. Could be _very_ interesting when we roll out the patch via SUS to the rest of the machines in the network and smoke out how many are really infected.
Except it's LOTS more crappy than PC Suite. I'd consider it an alpha version. Shows some promise, but they need to finish it.
I just installed it on my Win 7 x64 machine at work here and I'm probably going to go back to the old PC Suite.
It keeps offering Ovi Maps 3.0 for my phone, which is NOT compatible with it (6110 Navigator). If I go to the "maps" section it says there has been an internal error, and helpfully suggests I restart Ovi Suite, and if that doesn't work I should try and restart my PC. WTF?
There is no "sync" log to see what contacts/calendar entries were updated after a sync.
And yesterday it started crashing about 30 seconds after my phone connected (via bluetooth). Every time.
I unplugged my Bluetooth dongle, started it, disabled all the sync stuff and plugged my phone in. Ovi Suite connected to the phone, then blew up again.
And then it offered me an update to Ovi Suite, would I like to install it? I said yes please, and it failed with an "unknown internal error" halfway through. Tried it like 5 times, same error. In desperation I started Ovi Suite with "run as administrator" and what do ya know, it updated. And now it won't crash when I connect my phone.
What Progress!
But I'm still in shock that their new flagship desktop application for working with your phone, probably designed to compete with iTunes (not that that's really a worthy target, but I digress...) DOES NOT RUN PROPERLY WITH UAC ENABLED.
C'mon Nokia, you released this app after 7 came out, and it's not properly compatible with 7, or Vista.
PC Suite used to be the biggest flakiest turd on my PC 5 years ago, and since that time most of the bugs have been ironed out. Why chuck all this out and go back to the drawing board??
"Dune" is probably the greatest 20th-century science fiction novel. It is, for better or worse, unfilmable.
Maybe Peter Jackson should have a crack. They said LOTR was "unfilmable" too :)
That's a very cool link, thanks.
The great part about galvanising is it is still effective even if the galvanised surface is removed, exposing the steel underneath.
Zinc is more reactive than iron, and acts as a sacrificial anode. In short, the steel won't really corrode until all of the zinc in contact has corroded away. Look up the chemistry of oxidisation and galvanising on Wikipedia or something.
Except it doesn't, and whoever modded you up is an idiot.
Don't be a dick. Windows 7 does support XP/2000 drivers, I've used them myself.
Don't assume it doesn't just because you can't fix it yourself and you can't google for help from someone who can.
I installed Win 7 on my wife's old Compaq NX5000 laptop. Video didn't work out of the box. It's got an 855 GMA graphics chipset. There are no WDDM drivers for this POS.
Yes, lots of people have trouble getting these to work in 7 or vista, but some claim to have got it working, and that should have twigged you in that it IS possible.
Go to this page: http://www.groundstate.net/855GMWin7.html and download the drivers linked there, and follow the instructions.
This worked for me: the laptop will sleep and resume perfectly, the panel runs at its native 1650x1050 and I can even watch HD video. No, it doesn't support Aero, and my Windows Experience Index is a solid 1.0.
Honestly, for someone on purely 32-bit hardware and not needing massive amounts of RAM, is there any notable benefit to 64-bit? Please, tell me about these improvements?
One thing I can think of is 64 bit windows prevents unsigned drivers, and also prevents even signed drivers from patching the in-memory kernel functions. This gives you a great deal of protection against rootkits.
Overall I don't think there are many benefits of going to an x64 OS with less than 3GB of RAM (remember the 4GB limit of x32 includes video RAM etc.) but there aren't really any downsides either.
Also, as you say your CPU / MB only support 32bit, you'd need to upgrade your hardware to run a 64 bit OS....
I used to be a hypochondriac AND a kleptomaniac. So I took something for it.
That's nothing. I used to be into necrophilia and bestiality.
Then I realized I was just flogging a dead horse.
It is in my back right pocket, shaped suspiciously like my wallet.
On a similar note, my wife's friend says she pays for her jewellery etc. with her "hairy chequebook"....
Bad choice of algorithm isn't normally the cause of a break in a crypto system. It's normally caused by the bad implementation of an algorithm, or handling the keys badly.
Did you know WEP uses RC4? RC4 *can* be fairly secure, SSL still uses it.
Unfortunately RC4 has known weaknesses, and the WEP spec wasn't written to avoid these weaknesses.
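The point in the comment above, that the cipher is rarely what breaks and the key handling usually is, can be shown with a textbook RC4 and WEP's per-packet key construction (a 24-bit IV prepended to a static key). This is an added example, not code from the original comments or from any WEP implementation; the 40-bit key, the IVs and the two messages are constructed for the demo. With only 24 bits of IV, repeats are unavoidable on a busy network, and a repeated IV means a repeated RC4 keystream; the demo checks that two ciphertexts under the same IV XOR to the XOR of their plaintexts, and that this does not happen under distinct IVs.

```powershell
# Added example (not from the original comment): RC4 with a WEP-style
# "IV || static key" per-packet key. It demonstrates the key-handling failure
# (keystream reuse when an IV repeats), not a flaw inside RC4 itself.

function Invoke-Rc4 {
    param([byte[]]$Key, [byte[]]$Data)
    # Key-scheduling algorithm: permute S under the key
    $S = [byte[]](0..255)
    $j = 0
    for ($i = 0; $i -lt 256; $i++) {
        $j = ($j + $S[$i] + $Key[$i % $Key.Length]) % 256
        $S[$i], $S[$j] = $S[$j], $S[$i]
    }
    # Pseudo-random generation: XOR each data byte with the next keystream byte
    $out = New-Object byte[] $Data.Length
    $i = 0; $j = 0
    for ($n = 0; $n -lt $Data.Length; $n++) {
        $i = ($i + 1) % 256
        $j = ($j + $S[$i]) % 256
        $S[$i], $S[$j] = $S[$j], $S[$i]
        $out[$n] = $Data[$n] -bxor $S[($S[$i] + $S[$j]) % 256]
    }
    return ,$out
}

function ConvertTo-WepPacketKey {
    param([byte[]]$IV, [byte[]]$StaticKey)
    # WEP feeds RC4 the per-packet key IV || static key; the IV is sent in the clear
    return ,[byte[]]($IV + $StaticKey)
}

function Test-KeystreamReuse {
    param([byte[]]$IV1, [byte[]]$IV2)
    $staticKey = [byte[]](0x1A, 0x2B, 0x3C, 0x4D, 0x5E)           # constructed 40-bit key
    $p1 = [Text.Encoding]::ASCII.GetBytes('ALICE->BOB: meet at 09:00')  # constructed messages
    $p2 = [Text.Encoding]::ASCII.GetBytes('ALICE->BOB: meet at 17:30')
    $c1 = Invoke-Rc4 -Key (ConvertTo-WepPacketKey $IV1 $staticKey) -Data $p1
    $c2 = Invoke-Rc4 -Key (ConvertTo-WepPacketKey $IV2 $staticKey) -Data $p2
    # Identical keystreams cancel under XOR: c1 XOR c2 == p1 XOR p2 for every byte.
    $cancels = $true
    for ($n = 0; $n -lt $p1.Length; $n++) {
        if (($c1[$n] -bxor $c2[$n]) -ne ($p1[$n] -bxor $p2[$n])) { $cancels = $false; break }
    }
    return $cancels
}

# Same IV on both packets: the keystream repeats and the ciphertext pair leaks p1 XOR p2.
$reused = Test-KeystreamReuse -IV1 ([byte[]](1, 2, 3)) -IV2 ([byte[]](1, 2, 3))
# Distinct IVs: different per-packet keys, no cancellation.
$fresh  = Test-KeystreamReuse -IV1 ([byte[]](1, 2, 3)) -IV2 ([byte[]](1, 2, 4))
Write-Host ("keystream cancels with repeated IV : {0}" -f $reused)
Write-Host ("keystream cancels with distinct IVs: {0}" -f $fresh)
```

Nothing in the block touches RC4's internals; the same cipher with a fresh, never-repeating per-packet key gives no such cancellation, which is why later designs moved to a per-packet key mixing function and a much larger counter. The well-known WEP breaks go further than this, combining the IV structure with statistical biases in RC4's first output bytes, but the demo shows the simplest consequence of a 24-bit IV space on its own.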
Did you RTFA?
"The new alcohol is being developed by a team at Imperial College London, led by Professor David Nutt,"
And what is it with Doctors and Saabs? In Australia and New Zealand at least, probably 3/4ths of the Saab drivers you'll meet are Doctors! How does that work?
Actually, IIRC that pilot was not trained by American Airlines to wag the rudder like a jackass. That was his own dumb idea and he'd been warned about it in the past.
Air crash investigations did an episode on this crash, and they were quite clear in saying that the pilot was doing exactly what AA had trained him to do, and airbus were horrified when they found out about it.
Wikipedia says pretty much the same thing:
http://en.wikipedia.org/wiki/American_Airlines_Flight_587#NTSB_findings
If you doubt me then point to where Conroy has said a compulsory filter is a good idea.
Ahem.
"The Communications Minister, Stephen Conroy, said today he would introduce legislation just before next year's elections to force ISPs to block a blacklist of "refused classification" (RC) websites for all Australian internet users."
That conclusive enough for you? :(
Anyway, trust me - it's very professional, clean code, nice design, and not filled with hacks like the Big Global Lock that used to be in the Linux kernel.
Bad example. Just about every uniprocessor-developed OS had a Big Global Lock until they went multi-cpu - and even then it usually took a few releases before it was really eliminated. I would be hugely surprised to find that the Win9x series didn't have one too. When did the linux kernel deprecate it? Like a decade ago?
Actually, one of the major changes in 7 is the removal of a global lock in the scheduler. Prior to this windows didn't really scale beyond 64 cpus, now I don't know what the limit is, but I've seen pics (on the web) of server 2008 r2 running on 256 cpu machines.
More info here: http://channel9.msdn.com/shows/Going+Deep/Arun-Kishan-Farewell-to-the-Windows-Kernel-Dispatcher-Lock/
OK, firstly, WTF? Most XP apps have their roots in Windows 95? That's not even remotely close to plausible.
And secondly and more importantly an app doesn't need to *support* ACLs in the registry. It asks the OS to modify some key, and the OS will return an error saying you can't do that. If the app can't handle this, then it will crash and burn. Vista actually made the OS more forgiving in this regard, as it can "virtualize" parts of the registry so the app thinks it is writing to HKLM or somewhere, but in reality the changes it makes are visible to that app only. XP doesn't do that.
Actually, the Registry is a good concept. The Registry is just a file system for little data items. The trouble is that any application can write to any part of it. It lacks a security model. (Yes, you can attach security restrictions to registry keys, but nobody does this, because Windows 95 didn't have that, and applications didn't have support for it.)
Um, 100% wrong dude. The Registry uses ACLs, just like the file system. In fact, if you edit the registry permissions it's the exact same control that you use to edit filesystem ACLs.
And as for "nobody does this"... Try logging onto Windows as a non-administrator and editing anything in HKLM. You can't.
The "real" problem is that outside of a large company, all desktop users are administrators.
Dell make good stuff, and crap stuff. I'd never touch the Inspiron series, but I've had a couple of Latitudes and I've been very happy. Both of them came with 3-year worldwide onsite warranties, and yes, I used them. Both laptops had their screens and motherboards replaced at some point, but it was no drama. Call Dell and the next day or the day after a technician arrived to swap them out.
http://arxiv.org/abs/0901.3775
PS Slashdot has the slowest comment preview of any website I know.
I blame MySQL. AFAIK Slashdot uses a cluster of MySQL servers, in a master/slave setup where only one server handles updates/inserts, which are then propagated to the other servers so any server can handle DB reads (probably 95%+ of the queries).
My theory is an insert is much slower than an update. A preview actually inserts a record, a submit only updates the record to "active". I haven't actually looked at slashcode to check, Perl makes my brain hurt.
Of course, /. is one of the busier sites on teh interwebs so I shouldn't complain too much.
I'm not sure what is funnier, your comment or the fact it is +5 insightful
No complaints here though, it's two jokes in one!
The PopSci page links to a more detailed story on the register, which has a link to this page which is a real-time temperature graph of the actual area involved.
Pretty damn cool IMHO that this data is live on the web.
The actual area where the overheating occurred is named "Sector 81".
I wonder if they have headcrabs!
Yeah, something called "Rain" comes to mind...
They were depending on it - to wash the Baguettes off!
And another thing the "article" (and by "article" I mean "infomercial") didn't mention was how many of those malware apps successfully *infected* the machine.
Out of the 10, 2 threw an error and crashed, 8 "ran". What's his criterion for "ran"? I'm betting that means "didn't crash and burn horribly with an error message shown to the user."
I looked up the details on the first virus Sophos listed (troj/fakeAV) here and apparently one of its actions is to add a link to the all users start menu folder here:
%Documents and Settings%\All Users\Start Menu\Programs\XP_Antispyware\Uninstall.lnk
I know for a fact you can't write to this folder without UAC elevation on vista/7, so I'd say it is more likely than not that when the malware ran it tried to write to this folder, failed, and *caught the exception*. The machine was NOT infected.
I'm not going to check each of the 8 malware apps he ran "successfully" but I'd be surprised if any of them were able to "infect" the PC in any meaningful way with UAC enabled, or if the user was running as non-admin.
In other words 8/10 malware apps are probably well written enough to have some sort of error handling that eats any errors that may occur without alerting the user.
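Two of the comments above rest on the same claim: the registry carries ACLs exactly as the file system does, so a non-elevated token cannot write under HKLM, and by the same mechanism cannot write into the all-users Start Menu folder, which is why a write there either surfaces an error or gets swallowed by the program's error handling. The script below is an added example (not code from the original comments) that lets an administrator verify both on a Vista/7-era or later Windows box: it lists the ACEs that grant write on each location, probes write access non-destructively with a create-and-delete of a uniquely named item, and checks whether UAC's virtualization store already holds redirected writes from legacy apps. It assumes only built-in cmdlets and the standard VirtualStore locations; run it once as a standard user and once elevated to see the difference.

```powershell
# Added example (not from the original comments): audit who can write to
# HKLM\SOFTWARE and the all-users Start Menu\Programs folder, and whether the
# current token can. Assumes Windows Vista/7 or later with built-in cmdlets.

function Get-WriteGrants {
    param([string]$Path)
    # Get-Acl returns RegistryAccessRule or FileSystemAccessRule depending on the
    # provider, so the same filter serves both; only Allow ACEs that confer a write
    # right of some kind are listed.
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            "$($_.RegistryRights)$($_.FileSystemRights)" -match 'FullControl|Modify|Write|SetValue|CreateSubKey'
        } |
        ForEach-Object { '{0} : {1}{2}' -f $_.IdentityReference, $_.RegistryRights, $_.FileSystemRights }
}

function Test-WriteAccess {
    param([string]$Path)
    # Non-destructive probe: create a uniquely named child item, then remove it.
    $isRegistry = (Get-Item -LiteralPath $Path).PSProvider.Name -eq 'Registry'
    $probe = Join-Path $Path ('acl-probe-' + [guid]::NewGuid().ToString('N'))
    try {
        if ($isRegistry) { $null = New-Item -Path $probe -ErrorAction Stop }
        else             { $null = New-Item -Path $probe -ItemType Directory -ErrorAction Stop }
        Remove-Item -Path $probe -Recurse -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{ Path = $Path; Writable = $true;  Error = $null }
    } catch {
        # This is the "OS returns an error" case: the token lacks the right, and a
        # well-behaved program reports it rather than silently moving on.
        [pscustomobject]@{ Path = $Path; Writable = $false; Error = $_.Exception.Message }
    }
}

$targets = @(
    'HKLM:\SOFTWARE',
    [Environment]::GetFolderPath('CommonPrograms')   # all-users Start Menu\Programs
)

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Token: {0}  elevated: {1}" -f $identity.Name, $elevated)

foreach ($t in $targets) {
    Write-Host "`n== $t"
    Get-WriteGrants -Path $t | ForEach-Object { Write-Host "  grant: $_" }
    $r = Test-WriteAccess -Path $t
    $detail = if ($r.Error) { " ($($r.Error))" } else { '' }
    Write-Host ("  writable by this token: {0}{1}" -f $r.Writable, $detail)
}

# UAC file and registry virtualization redirects a legacy app's failed HKLM /
# Program Files writes here; anything present means some program already hit
# the access-denied path and had its write quietly diverted.
$virtualStores = @(
    'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE',
    (Join-Path $env:LOCALAPPDATA 'VirtualStore')
)
foreach ($vs in $virtualStores) {
    if (Test-Path -Path $vs) { Write-Host "virtualized writes present under $vs" }
}
```

As a standard user the probe on both targets fails with an access-denied message while the grants list shows only SYSTEM, Administrators and similar identities with write rights; elevated, both probes succeed. The VirtualStore check is the other half of the registry comment: it shows where the OS puts the writes of older applications that never learned to handle that error.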