The network is not trusted. Not ever. Not even a lab network with air gap. For the lifetime that these devices are expected to see somebody will defeat the network security, even if they have to invent a parallel port to wifi adapter.
The trick is to never expose services to the network on clients. Ever. Clients are for using services, not providing them. And audit your network periodically to ensure the damned clients haven't started listening without permission. When you implement this policy expect to have considerable disruption as you discover precisely what services are running on clients that are used for important work. It's very scary. Port monitoring can be used also to detect if a client is performing services on a "stealth" port. There's a whole lot more to running a secure network but most people don't even do this much so locking down broadcast and monitoring for slow scanning and other steps are pretty moot.
Also, audit your servers. Each server needs to have services exposed. But it should have those required only. By default all ports should be not listening and this should be checked with snort before the required services are started.
Congratulations! You're now the proud owner of an incubator for Conficker++. The worm probably downloaded a stealth virus that'll wait a while before it activates. These things are devious. They're autogenerated and each one is unique so there won't be a signature update for it.
If a non-essential feature reduces the security of an operating system the correct default is "don't." This is a non-essential feature. They've done the right thing here.
Go ahead and turn it on. Then if your box gets owned this way they bear less responsibility. It probably won't because if you know enough to turn it on you've probably considered the risks and decided your experience mitigates the problem. But for millions of consumers who don't know enough about the question, making them more aware of the risks by making them change the default is the right thing to do.
And as for malware, if they're downloading it to fix autorun then they're going to do it to speed up their PC or get a funny mouse pointer or screensaver or whatever anyway so this is a spurious argument.
but what are these flash drives and optical disks containing viruses that autorun when you plug them in? do they come in the mail like AOL disks?
No, we buy them in bulk and leave them in your parking lot. Then some idiot picks it up and sticks it into their PC inside the network. One network admin and it's in the root of a share. The next morning when everybody logs in all your base are belong to us. One successful attach is worth a hundred plants but there's always a chance you'll jackpot with some MCSE who should not have been hired.
They're cheap so it's affordable to sprinkle them around the bathrooms at trendy clubs, leave them on the bar at the country club, wherever they might get picked up and used by somebody with good access to money and/or information. Shiny ones work best for money targets, civil servants and soldiers, but with network admins and engineers we get a higher attach rate with this one.
And they're not removing the feature. They're just making sure the default is "off". It's the sensible thing to do.
If you're secure enough about what's on the disks/pendrives/cameras/network shares you mount to use it then by all means turn it back on. But that ought not be the default because not everybody is at that level.
I'm not one to praise Microsoft usually, but this is a move in the right direction.
The leap to Firefox is not as great as the leap to IE8. If your organization can't handle this technology shift, you've got real problems. They're not in the IT department, and you're not going to avoid them because you don't really have a choice whether or not to move on from the Microsoft application versions. The only choice you have is where you move to.
Ubuntu is looking good and their support rates seem quite reasonable. I'm typing this in Jaunty right now, and am very happy with it. It supports as many VMs as I have resources for - I'm still testing it so I've got Linux Mint playing a DVD in one window and YouTube playing in another. I'm not sure what the business case for VT on the enterprise desktop is yet, but I'm sure we'll find some excuse eventually. Micro-VMs for application sandboxing maybe? Microsoft isn't going to play in this space for a very long time - perhaps too long to save their bacon.
There are custom distributions that do some really cool stuff. Archeos is a good example of this - it's for archaeologists and people who do GIS applications. The Distro system makes for a great model for image development tailored to specific job roles and it's open to you too, to roll up the apps you want into your own distributions or publish virtual machines tailored to specific jobs. Because the software is free, the accounting headaches are taken care of - just buy the support for the folks who need it, usually your platforms development team and support crews. There's probably a distribution out already that's a great fit for everyone in your organization. If you're running XP in a VM you've now got plenty of time to port everything and you can get the rest of the Return On your Investment you were expecting when you licensed those applications for XP. XP is more secure in a VM and it's easy to wipe and refresh so you don't need to fret as much about patches either.
Or you could re-up on the horror train, just for a little while. Just a warning though: getting off the train at the station is a lot easier than between stops.
I haven't ever needed Windows, or MS-DOS before it either. I cut my teeth on Unix long before there was an MS-DOS, and I've had Unix, BSD or Linux ever since. These things have always met my needs. Maybe I'm just weird that way. My interest in the proprietary things has always been like the morbid curiosity of someone studying a rattlesnake. The fangs contain poison toxic to any potential competitor or victim, and that's the only two classes of creature the snake recognizes. The fangs are curved to ensure a journey into the snake is a one way trip. Some useful information can be gained from studying the rattlesnake, but it's not a pet. It's not a friend. It's not a tool. It might be a weapon if you can get it to bite someone else, but play that game and it will bite you too eventually. It's mostly just one of the hazards of life it's best to be informed about if you live in rattlesnake country.
If you're tired of being bitten, put down the snake.
There's enough taint on the RIAA for both sides of the aisle. If any of them are in the least concerned about our fair use rights, or right to due process, or our right to freedom of expression if those rights diminishes their campaign funds, then those few are too scarce to make a change.
You know, 40 years ago businesses with rare exception didn't have computers. There was no Internet. It took a professional typist about 10 minutes to bang out a professional letter. There were no cellular phones - hell, touch-tone wouldn't even be invented for fifteen years.
I've got more transistors in my house than existed then in all the world. I've got more storage in my desktop computer (3TB) than existed in the world at that time. I can communicate in ways that at that time were absurd speculative fiction, and would have seemed absurdly undesirable. For example, an annoying computer sends an email reminder every night at midnight to my cellular phone and I can't convince its administrator to make it stop. I could turn my cell phone into a streaming web beacon that updates my position on a world-visible map in real time and I don't actually know if it's doing that without my permission. I can stream my live first person perspective to everyone in the world bored enough to watch it. And now it takes a team of 3 most of a day to craft and deliver a professional email.
You're right. By then we may have lost the ability to communicate in the written form entirely, and lost the option to opt out. That would definitely be "more change".
Well if you wind up implementing XP in a virtual machine and going to all the trouble and expense... think carefully about what OS to use as a host. There was never a better time to escape the lock-in. If you're tired of the carousel, get off.
Legend has it that XP will run in a virtual machine in (gasp!) Linux.
As long as you're going to run all your legacy apps in a VM and everybody has to learn a new interface anyway, why not get off the train to crazytown now? You can keep your legacy apps, you can keep paying Microsoft their Software assurance, and - hey - I'll bet you will be amazed how well some of your stuff migrates.
When you run a virtual machine in Linux it's typically behind a NAT firewall. Since TFA specifically states that the Windows management tools will work on these clients it's generally assumed they'll be listening to the network somehow, probably through some multicast system. And if they're listening to the network, they'll get owned eventually even if they're doing nothing but idling in the background.
I suppose you could add hardware, software, and 30% of all the processing power on the planet to support bloated antivirus software. And don't forget power. That's a lot of Watts. And that's just the client side - half of those websites you refer too are actually traps for people trying to perform some self-help that actually install more malware.
The numbers are horrid. And it's all unnecessary. Wasteful. Shameful. We can do better than this.
No.
The network is not trusted. Not ever. Not even a lab network with air gap. For the lifetime that these devices are expected to see somebody will defeat the network security, even if they have to invent a parallel port to wifi adapter.
The trick is to never expose services to the network on clients. Ever. Clients are for using services, not providing them. And audit your network periodically to ensure the damned clients haven't started listening without permission. When you implement this policy expect to have considerable disruption as you discover precisely what services are running on clients that are used for important work. It's very scary. Port monitoring can be used also to detect if a client is performing services on a "stealth" port. There's a whole lot more to running a secure network but most people don't even do this much so locking down broadcast and monitoring for slow scanning and other steps are pretty moot.
Also, audit your servers. Each server needs to have services exposed. But it should have those required only. By default all ports should be not listening and this should be checked with snort before the required services are started.
And of course turn off auto run.
Congratulations! You're now the proud owner of an incubator for Conficker++. The worm probably downloaded a stealth virus that'll wait a while before it activates. These things are devious. They're autogenerated and each one is unique so there won't be a signature update for it.
Good luck with that.
This is why the manufacturers fold their tents every five years and move on.
Don't get sick.
have you seen the throne?
If a non-essential feature reduces the security of an operating system the correct default is "don't." This is a non-essential feature. They've done the right thing here.
Go ahead and turn it on. Then if your box gets owned this way they bear less responsibility. It probably won't because if you know enough to turn it on you've probably considered the risks and decided your experience mitigates the problem. But for millions of consumers who don't know enough about the question, making them more aware of the risks by making them change the default is the right thing to do.
And as for malware, if they're downloading it to fix autorun then they're going to do it to speed up their PC or get a funny mouse pointer or screensaver or whatever anyway so this is a spurious argument.
but what are these flash drives and optical disks containing viruses that autorun when you plug them in? do they come in the mail like AOL disks?
No, we buy them in bulk and leave them in your parking lot. Then some idiot picks it up and sticks it into their PC inside the network. One network admin and it's in the root of a share. The next morning when everybody logs in all your base are belong to us. One successful attach is worth a hundred plants but there's always a chance you'll jackpot with some MCSE who should not have been hired.
They're cheap so it's affordable to sprinkle them around the bathrooms at trendy clubs, leave them on the bar at the country club, wherever they might get picked up and used by somebody with good access to money and/or information. Shiny ones work best for money targets, civil servants and soldiers, but with network admins and engineers we get a higher attach rate with this one.
It says in the article that there is a patch planned for XP and Vista.
Maybe they're starting to wake up to "default deny" thinking. It would be a welcome change.
And they're not removing the feature. They're just making sure the default is "off". It's the sensible thing to do.
If you're secure enough about what's on the disks/pendrives/cameras/network shares you mount to use it then by all means turn it back on. But that ought not be the default because not everybody is at that level.
I'm not one to praise Microsoft usually, but this is a move in the right direction.
Thanks.
Nor was it intended to be. Ah, the whims of moderators.
In the same way that being Monica Lewinsky is better than being Ashley Alexandra Dupre.
Until computers are granted suffrage they ought not be trusted to count votes.
"A system and methods for protecting innovation by preventing environment simulation or open systems adoption"
Method 1: Protection from open systems installation images.
Method 2: Protection from unauthorized network access software applications.
If you hurry you might get the patent on this one.
IE6 has some root code that is insecure and patching is merely chasing the tail of the dragon when it comes to security exploits.
This would have been a great post without the spurious "6" in there. Was that a miskey?
The leap to Firefox is not as great as the leap to IE8. If your organization can't handle this technology shift, you've got real problems. They're not in the IT department, and you're not going to avoid them because you don't really have a choice whether or not to move on from the Microsoft application versions. The only choice you have is where you move to.
Ubuntu is looking good and their support rates seem quite reasonable. I'm typing this in Jaunty right now, and am very happy with it. It supports as many VMs as I have resources for - I'm still testing it so I've got Linux Mint playing a DVD in one window and YouTube playing in another. I'm not sure what the business case for VT on the enterprise desktop is yet, but I'm sure we'll find some excuse eventually. Micro-VMs for application sandboxing maybe? Microsoft isn't going to play in this space for a very long time - perhaps too long to save their bacon.
There are custom distributions that do some really cool stuff. Archeos is a good example of this - it's for archaeologists and people who do GIS applications. The Distro system makes for a great model for image development tailored to specific job roles and it's open to you too, to roll up the apps you want into your own distributions or publish virtual machines tailored to specific jobs. Because the software is free, the accounting headaches are taken care of - just buy the support for the folks who need it, usually your platforms development team and support crews. There's probably a distribution out already that's a great fit for everyone in your organization. If you're running XP in a VM you've now got plenty of time to port everything and you can get the rest of the Return On your Investment you were expecting when you licensed those applications for XP. XP is more secure in a VM and it's easy to wipe and refresh so you don't need to fret as much about patches either.
Or you could re-up on the horror train, just for a little while. Just a warning though: getting off the train at the station is a lot easier than between stops.
I haven't ever needed Windows, or MS-DOS before it either. I cut my teeth on Unix long before there was an MS-DOS, and I've had Unix, BSD or Linux ever since. These things have always met my needs. Maybe I'm just weird that way. My interest in the proprietary things has always been like the morbid curiosity of someone studying a rattlesnake. The fangs contain poison toxic to any potential competitor or victim, and that's the only two classes of creature the snake recognizes. The fangs are curved to ensure a journey into the snake is a one way trip. Some useful information can be gained from studying the rattlesnake, but it's not a pet. It's not a friend. It's not a tool. It might be a weapon if you can get it to bite someone else, but play that game and it will bite you too eventually. It's mostly just one of the hazards of life it's best to be informed about if you live in rattlesnake country.
If you're tired of being bitten, put down the snake.
Your political party bias is showing. Look - I made you a list.
There's enough taint on the RIAA for both sides of the aisle. If any of them are in the least concerned about our fair use rights, or right to due process, or our right to freedom of expression if those rights diminishes their campaign funds, then those few are too scarce to make a change.
You know, 40 years ago businesses with rare exception didn't have computers. There was no Internet. It took a professional typist about 10 minutes to bang out a professional letter. There were no cellular phones - hell, touch-tone wouldn't even be invented for fifteen years.
I've got more transistors in my house than existed then in all the world. I've got more storage in my desktop computer (3TB) than existed in the world at that time. I can communicate in ways that at that time were absurd speculative fiction, and would have seemed absurdly undesirable. For example, an annoying computer sends an email reminder every night at midnight to my cellular phone and I can't convince its administrator to make it stop. I could turn my cell phone into a streaming web beacon that updates my position on a world-visible map in real time and I don't actually know if it's doing that without my permission. I can stream my live first person perspective to everyone in the world bored enough to watch it. And now it takes a team of 3 most of a day to craft and deliver a professional email.
You're right. By then we may have lost the ability to communicate in the written form entirely, and lost the option to opt out. That would definitely be "more change".
40 years ago there was no Internet.
Well if you wind up implementing XP in a virtual machine and going to all the trouble and expense... think carefully about what OS to use as a host. There was never a better time to escape the lock-in. If you're tired of the carousel, get off.
Legend has it that XP will run in a virtual machine in (gasp!) Linux.
As long as you're going to run all your legacy apps in a VM and everybody has to learn a new interface anyway, why not get off the train to crazytown now? You can keep your legacy apps, you can keep paying Microsoft their Software assurance, and - hey - I'll bet you will be amazed how well some of your stuff migrates.
Just whistling to itself in the background, listening on the network in case it should happen to get an anonymous call from a new friend.
Nothing to worry about at all. Just ignore it.
When you run a virtual machine in Linux it's typically behind a NAT firewall. Since TFA specifically states that the Windows management tools will work on these clients it's generally assumed they'll be listening to the network somehow, probably through some multicast system. And if they're listening to the network, they'll get owned eventually even if they're doing nothing but idling in the background.
Let's take the recent estimate of a lost laptop at $50,000. Now let's multiply that by an estimated 2 million hosts "lost" to a botnet discovered already this year. That's $100B and it's only April.
I suppose you could add hardware, software, and 30% of all the processing power on the planet to support bloated antivirus software. And don't forget power. That's a lot of Watts. And that's just the client side - half of those websites you refer too are actually traps for people trying to perform some self-help that actually install more malware.
The numbers are horrid. And it's all unnecessary. Wasteful. Shameful. We can do better than this.