Slashdot Mirror


User: danielsfca2

danielsfca2's activity in the archive.

Stories: 0
Comments: 687

Comments · 687

  1. Re:I applaud the idea. on Worm vs. Worm Battle Slows Networks · Score: 3, Interesting

    I disagree. MrP's revision on my idea would:
    * Only infect machines already sick with w32.Blaster
    * Stop these machines from restarting due to the RPC process being terminated.
    * Stop these machines from causing network slowdown by scanning.
    Even if there was a problem with the code, it would still do more good than harm, because every machine patched would be one less flooding the 'net searching for machines to infect. It would not increase the traffic, because machines unpatched but uninfected would not be affected by this "good" worm.

    While I agree that in many situations, one might worry about releasing any worm into the wild, I think in this case the worst case scenario is it doesn't work. Which is the same as if you don't try at all, so there's little to lose.

    > Any smart and experienced programmer will also know that almost any complex program...

    Complex? This could be accomplished with a really small app. Its job would be incredibly simple:
    1. Kill blaster process, delete blaster app
    2. Attempt to download MS patch. If unsuccessful several times, terminate.
    3. Execute patch.
    4. Open relevant port
    5. Wait for a connection.
    6. Transmit self to next machine.
    7. Has it been a week since last time scanned? If so, terminate.
    8. Goto 5.

    Sounds pretty simple to me, at least. I think it'd be pretty easy to debug.

  2. Windows servers on Worm vs. Worm Battle Slows Networks · Score: 4, Funny

    At Boston/Logan airport last Friday, I saw on a Delta departures/arrivals screen this Windows error dialog in front of the grid of flights:

    "At least one service failed to start..."

    I took a photo of it. I thought:

    - "I'm glad I don't run Windows."
    - "I'm glad I'm not flying Delta today."

  3. Re:I applaud the idea. on Worm vs. Worm Battle Slows Networks · Score: 1

    Excellent idea. I agree. Doesn't add to traffic at all.

  4. Re:My connection sucks on Worm vs. Worm Battle Slows Networks · Score: 1

    My cable (internet) went out for a couple hours earlier, too. I called Adelphia and the guy told me "Looks like you're part of an outage. From Ukiah (California, my town) to Los Angeles."

    Of course, Adelphia doesn't serve a large number of markets in that area, but anyway, I wonder if it's really because of this. Somehow I'll bet it's not. It wasn't like it was slow, it just couldn't even sync upstream.

    What is your ISP and metro area?

  5. I applaud the idea. on Worm vs. Worm Battle Slows Networks · Score: 1, Insightful

    I think the dude who wrote it had a good idea... We had a discussion here about automatic updates... If people won't patch their own machines, then someone has to.

    However, the execution here was poorly thought-out. It should have been written to be far less aggressive so as to avoid network slowdown. I would have had it scan for one hour per day, which hour would be chosen randomly. Then you cut traffic to 1/24 of the original level. Then have it de-activate and self-destruct after 5 PCs had been "infected" or 3 hours of scanning, whichever comes first.

    The thinking is, let a worm-writer take a crack at getting patches installed. If patches spread as quickly as viruses, this whole thing would never have happened!

  6. Re:M$ worm. on Microsoft wants Automatic Update for Windows · Score: 1

    The answer to worms is firewalls. Period. Not installing patches every other day.

    Everyone should get broadband, now. Sorry if that comes off as terribly elitist, but no one should be using dial-up anymore. It was okay five years ago, but it's just the wrong way to be networking. Using POTS for networking is like using a tricycle to commute 20 miles to work. Not its purpose and painfully inadequate. POTS is for voice, broadband is for data.

    The fault for low broadband adoption rates is partially the end-user's, for not placing enough importance on a reliable, fast Internet link. But it is mostly the fault of broadband ISPs for not providing Joe Averageuser a compelling price. Just as AOL offers Grandma a $7.95 plan for limited use, (Insert your local cable monopoly here) should offer a $19/month plan for about 192k-256k downstream. Joe Averageuser doesn't need large amounts of bandwidth, so this should be adequate. Then when he turns on his computer twice a week, he won't have to wait for a dial-up connection. The cable company wins, they don't have to provide much in the way of bandwidth, and Joe wins because he's paying the same as he paid his old ISP for a better connection. If he becomes a power user later he can "upgrade" to a plan more like what they offer presently.

    Now that we've solved the problem of universal broadband, let's move on to firewalls. Every ISP (broadband ISP, since dial-up ISPs should die off) should provide a basic router at minimal cost and require its use. My cable company rents me a modem for $3 a month, so they should raise it to $5 and put in a router, or swap my modem for a modem+router unit. Or you can supply your own and forego the charge. The ISPs should constantly scan for open ports 135, 137-139, 69, 445, 5000 and send out threatening letters to anyone who accepts a connection warning the user that if they do not install a router, they will be considered breaching the AUP and be terminated. Follow-up violators in a week and terminate if necessary.

    That is all the enforcement you need, since if they have no router, but never expose those ports, then they're probably not a threat to anyone since they're probably either running Mac OS X, another Unix variant (not that Unix is secure 100%, but who's seen 1000s of Unix boxes DDOS'ing or propagating a worm?), or Mac OS 9, none of which are playgrounds for script kiddies.

    The routers the cable company gives you (though you should be allowed to supply your own) should, by default, (A) not forward any of those ports we mentioned, and (B) block any large amounts of forged packets (to prevent DDOS attacks). (B) should be forced, because no one should want to take part in a DDOS attack.

    That will solve the problem of worms and general mischief, since you can't install/control a trojan or spread a NetBIOS worm to someone who's behind NAT. To solve the problem of e-mail worms:

    1. No one should use Outlook.
    2. Repeat step 1.

    Eliminating ActiveX exploits will require the same procedure, but for MSIE. Both of these products are inferior to many of their alternatives. There is little excuse for anyone to require their use or to use the products themselves.

    In conclusion, by following my plan, we can render security vulnerabilities in MS Windows irrelevant, because no one would be vulnerable to attacks on those vulnerabilities.

  7. Take them away! on Microsoft wants Automatic Update for Windows · Score: 1

    I thought what he meant by:

    > Think about it, if you don't know enough about something to know how to turn it on or off, do you really think you should be able to choose if it's on or off?

    was that since the majority of Windows "home users" arguably barely know enough about PCs to know how to turn them on or off, then maybe they shouldn't be able to choose if their PC is on or off, ergo, they shouldn't be allowed to use them.

    I found it rather funny. In addition, "secure-as-default" is a commonsense idea that anyone should support.

  8. Re:I love home users. on Microsoft wants Automatic Update for Windows · Score: 1

    This, considering how inexpensive basic routers are now, is an excellent idea.

  9. Re:I love home users. on Microsoft wants Automatic Update for Windows · Score: 2, Funny

    Wait a minute... I thought he and the Owner of AOL were going to send $1 to that kid with no legs, arms or head that's dying of cancer... wait a minute.... was that... a hoax??

    Oh, no!

    I must tell my friend in Nigeria! I'd hate for him to get fooled by something like that.

  10. Re:Mac version already long dead on Microsoft Stops Development Of Outlook Express · Score: 1

    > Almost every time "new, crippling virus" is mentioned, you hear "exploits a vulnerability in Outlook Express"

    Change "Outlook Express" to "Outlook" and that would be about correct. OL had many more worms and such than OLE ever did (not that OLE was that great in that department). And look which product is still out there.

  11. Re:they want to focus on webmail... on Microsoft Stops Development Of Outlook Express · Score: 2, Informative

    > Just about every webmail I've seen has been on an https connection,

    *Buzz!* Wrong. Just about every webmail user uses either Hotmail or Yahoo! Mail. Well, not quite that large a proportion, but those are likely the two most guilty parties responsible for this webmail trend.

    Anyway, both those services only use SSL (https:) for half a second while you log in. The rest is sent in the clear (I should know, I used to sniff packets when bored, but unfortunately, it was even more boring).

    Maybe nicer webmail services let you encrypt the whole session (I know the POP3/IMAP-to-Web service Mail2Web does), but most people don't use nicer webmail services. Most (but of course not all) webmail users are clueless n00bs. Most webmail users have accounts for free with lots of ads that do not afford them any additional security, nor allow them the option to use POP, IMAP, SMTP or any other standard protocol. This is not real e-mail.

    On the other hand, many users of real e-mail can choose an SSL or otherwise encrypted login.

  12. Re:Yeah, but what about the backend? on Microsoft Stops Development Of Outlook Express · Score: 3, Informative

    > webmail does not require SMTP/port 25 to send mail

    First, that's not what he said. He said "the server must receive your message somehow," and that that was done with SMTP.

    Second, you are totally wrong. You need SMTP to send or receive mail.

    Here's an incoming message, if you had a Hotmail account.
    1. I send you an e-mail, from a "real" e-mail account.
    2. My SMTP server finds the MX record for @hotmail.com
    3. My SMTP server makes an SMTP connection to said server; sends message.
    4. Hotmail server serves up your e-mail in a big ad-laden MSIE-tailored webpage, IIRC not via SSL. Only the login itself was SSL a few years ago, the last I used a Hotmail account. Though I agree, a few "webmail" providers do offer this.

    So in an incoming e-mail, it was exposed in plaintext once, or more likely, twice.

    You reply to me:
    1. You load another huge webpage.
    2. You type a message and click "Send."
    3. Hotmail looks up the MX record for @starseven.net
    4. Hotmail uses SMTP to send the message to the given server.
    5. I read the message via IMAP.

    So, in an outgoing e-mail, it was exposed in plaintext twice.

    The only way you wouldn't use SMTP is if oneguy@hotmail.com e-mails anotherguy@hotmail.com, since Hotmail will then proudly tell you it used the "HotmailDirect(tm)" System to "instantly deliver" your message. But that is by no means all the time.

    For everyone's sake, people need to learn how e-mail works, before the stinking mass that is "webmail" engulfs us all.
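
The hop-by-hop exposure counted in the comment above can be audited on a delivered message from its Received headers. This is an added example, not part of the original comment; the sample message, hostnames and addresses are constructed placeholders, and the TLS keyword set is the one registered in RFC 3848.

```python
import re
from email import message_from_string

# Received "with" keywords that record a TLS-protected hop (RFC 3848).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample: a webmail reply delivered to another domain.
# All hostnames and addresses are placeholders.
SAMPLE = """\
Received: from out.webmail.example (out.webmail.example [198.51.100.7])
    by mx.recipient.example with ESMTP id def456;
    Mon, 18 Aug 2003 10:00:02 -0700
Received: from browser.client.example ([203.0.113.5])
    by web.webmail.example with HTTP;
    Mon, 18 Aug 2003 10:00:00 -0700
From: you@webmail.example
To: me@recipient.example
Subject: reply

body
"""

def _field(keyword, text):
    """Return the token following 'from', 'by' or 'with', or '?'."""
    m = re.search(r"\b%s\s+([^\s;]+)" % keyword, text)
    return m.group(1) if m else "?"

def hop_report(raw):
    """List hops oldest-first as (sender, receiver, protocol, encrypted)."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its header, so reverse for chronological order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        proto = _field("with", flat).upper()
        hops.append((_field("from", flat), _field("by", flat),
                     proto, proto in TLS_KEYWORDS))
    return hops

def plaintext_hops(raw):
    """Count hops whose own Received header records no TLS."""
    return sum(1 for hop in hop_report(raw) if not hop[3])

if __name__ == "__main__":
    for sender, receiver, proto, enc in hop_report(SAMPLE):
        print(f"{sender} -> {receiver} via {proto}: "
              f"{'TLS' if enc else 'plaintext'}")
```

Received headers are self-reported by each server, and the recipient's final webpage or IMAP fetch leaves no header, so the count is a lower bound on plaintext exposure.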