Windows Virus Takes Out Gov't Agencies in MD, PA

Zolzar writes "Looks like the Md. State Motor Vehicles Administration is the first government agency reporting a failure of their systems due to the recent virus." This is a more specific story about the outage. And the city of Philadelphia has suffered as well.
  • by Anonymous Coward on Tuesday August 12, 2003 @11:00PM (#6682120)
    The person who created this worm did so to show that Microsoft's software was insecure. Their methods are bad, but they've shown that no matter how good WinXP sounds compared with Win9.x, it is still made by Microsoft. If you don't want this kind of rubbish, don't use Microsoft.
  • Thanks, Microsoft! (Score:5, Insightful)

    by imag0 ( 605684 ) on Tuesday August 12, 2003 @11:01PM (#6682134) Homepage
    Looks like viruses like this may help speed adoption on alternate operating systems (like linux, OSX, et al.) on the desktop quicker than a dozen ESR's with geek infantry in tow.

    Spoke with both sides of the family this evening, going on about how messed up their computers were acting and all they had to go through to get it patched up. I listened and informed them how well my iBook and the relative merits of UN*X and they listened...

    Thanks again, Bill!
  • by green pizza ( 159161 ) on Tuesday August 12, 2003 @11:02PM (#6682137) Homepage
    ... Windows Update once every couple weeks.

    I know there'll be dozens of "they shouldda been using un*x" posts, but in defense of Windows, there has been a patch for this on Windows Update since July 16. Even I had enough time to test the patch on a non-production system between then and now. Every platform gets its 'sploits throughout its lifetime, it's just a matter of learning about them and applying the proper patches in a reasonable amount of time... especially on mission-critical machines. (DMV computers, etc...)
  • Worm (Score:5, Insightful)

    by aligma ( 682744 ) on Tuesday August 12, 2003 @11:02PM (#6682139)
    Are you, by any chance talking about MS Blaster Worm?
    It's good for us to keep using the correct terminology ... Maybe then the media will get the idea too!

    Ok, time to get modded down. :/
  • Re:Yes (Score:5, Insightful)

    by rmohr02 ( 208447 ) <mohr.42@osu. e d u> on Tuesday August 12, 2003 @11:02PM (#6682144)
    How do you know this person was trying to get people to switch to Linux (or anything non-MS)? S/he could just be an ordinary asshole, without a point to prove.
  • Patch! (Score:5, Insightful)

    by focitrixilous P ( 690813 ) on Tuesday August 12, 2003 @11:02PM (#6682146) Journal
    I can forgive stupid home users, but shouldn't mission critical things like these patch every now and then? The hype surrounding this has been huge, and if you run unpatched microsoft stuff, well, good luck fixing it now. It will take a long time, but at least this worm can be fixed with little damage. Maybe this worm will get people to pay attention to security, but then again people said that about the last dozen MS worms.

    STUPID!!
  • by wavecoder ( 695422 ) on Tuesday August 12, 2003 @11:05PM (#6682166) Homepage Journal
    Why does the American public - much less the American government - let itself be duped into using insecure, closed-source, and only half-functional software? It's not the money - the government has to stinking pay Bill Gates and crew for the privilege of using his junk. It's not the jobs - there would be other jobs out there (with RedHat, or Apple, or any of a dozen other OS makers) without MS. In fact, there would probably be more IT jobs than there are...

    So why do we put up with it? Please, I'd love to hear ideas. I don't know of much of anything that the average bureaucrat, or military office, or CIA spook, or DOT drivers-license-tester can do on Windows/Office systems, that couldn't be done under Linux or FreeBSD. I really would love to know why, when Germany, India, and who knows how many other countries have ditched closed-source software for OSS, we can't do the same...

    Any thoughts?
  • by |<amikaze ( 155975 ) on Tuesday August 12, 2003 @11:05PM (#6682172)
    for a LOOOOONG time now

    Three weeks isn't that long for a patch to be out. Many organizations actually test patches out on non-production machines before randomly installing software that Microsoft says is OK.
  • Monoculture (Score:5, Insightful)

    by the eric conspiracy ( 20178 ) on Tuesday August 12, 2003 @11:07PM (#6682182)
    One of the downsides to having just one type of OS is that it makes you very vulnerable to this sort of thing.

    As far as blaming people who haven't patched their computer, I can't see it. This thing is hitting home dialup users fer crying out loud - my friend had to drive over to his dad's house to disinfect a machine. You can't expect everybody's grandmother to behave as a professional sysadmin.

  • Re:Yes (Score:5, Insightful)

    by molarmass192 ( 608071 ) on Tuesday August 12, 2003 @11:08PM (#6682188) Homepage Journal
    I would hope hospitals do not run critical systems a) on Microsoft software but especially b) on a LAN with any access to the internet. It's sheer lunacy if they do and could be used as grounds for a lawsuit. On the other hand, they can do whatever they want with their accounting, cafeteria, and parking meter systems since a lawyer wouldn't pounce on that kind of ... wait ... I'm probably underestimating now.
  • by BWJones ( 18351 ) on Tuesday August 12, 2003 @11:09PM (#6682202) Homepage Journal
    The patches have been available for a LOOOOONG time now.

    What, three or four weeks? Here is the problem with Microsoft patches. Folks have been screwed more than once due to poor testing on Microsoft's part when the patches completely screw up your system forcing you to spend hours rolling things back to where they were or even completely reinstalling Windows. So, many IT folks are understandably reluctant to employ these "patches" before adequate testing on their own systems. This may take a number of weeks.

  • by wavecoder ( 695422 ) on Tuesday August 12, 2003 @11:10PM (#6682207) Homepage Journal
    First off, congratulations! Secondly, though, that's just the point: it is a $100 rock. This is what happens when somebody gets a monopoly - De Beers undersold everyone, then jacked the prices to the moon, and nobody bothered to try to stop them until they owned the market. In fact, most of their major execs can't set foot in the U.S. without getting arrested for racketeering, anti-trust violations of all stripes, etc...

    Power corrupts; absolute power corrupts absolutely.
  • by Anonymous Coward on Tuesday August 12, 2003 @11:10PM (#6682209)
    blah blah, if anything they are showing how many people use MS products.

    There could be this kind of problem w/Linux but no one would ever know because a) Linux/Unix users are more clueful than Windows users and b) there are FAR fewer Linux/Unix machines out there.

    Blah blah, don't use MS, blah blah. That's just not an option for 90% of the world.
  • by devphaeton ( 695736 ) on Tuesday August 12, 2003 @11:11PM (#6682216)
    Seriously. Governments and businesses. Every time a pimply faced half-hack writes a new $krYp+ to take down the stand-up comedy act that is Windows Security....

    "Blame the admins for not patching when patches were available"....

    This has some merit, yes. *BUT* has anyone ever adminned a server that must be up 24/7? If you've got a whole room full of them, you just don't have the time to go in and manually apply patches. Yet, automatic Updates pose another problem: You probably just can't have a MSSQL server doing unexpected reboots all the time. You can lose data, what if the patch breaks something? etc.

    And even after all the patches and fixes (we're sidestepping the Microsoft "patch one hole, open 3 others" issue for the moment), stuff still happens. Servers get knocked over. Look how many times it's happened in the last 12 months.

    For home users, a disabled computer is a bummer, sure. But for businesses and governments, when will they simply decide that "This Just Cannot Happen Anymore."? Seriously. We're talking lives, national security, and huge amounts of money at stake here.

    The alternatives are out there. I know, you know, and /. knows.

    We all know that Linux, Solaris, *BSD and the like are not 100% perfect /either/... We also know that *any* poorly adminned box is a deck of cards, but C'mon! look at the vast canyon of difference, just in how installations come out of the box!

    When will they learn? Seriously! I think it would make better business sense (read: make more money in the long run) to look away from Microsoft and look towards other Free(software) and Commercial products. /me gets off soapbox again.

    Fwiw, when i booted up my WintendoXP box to download the patch, i got nailed before i got to type a URL into the browser!!

    C'MON!! AT LEAST GIMME A CHANCE, DAMMIT!!
  • by thomas.galvin ( 551471 ) <slashdot&thomas-galvin,com> on Tuesday August 12, 2003 @11:21PM (#6682295) Homepage
    Which has only been labeled 'critical' very recently, and, as far as I can tell, isn't on the suggested list of patches when Windows Update runs. I spent a good part of last night putting together a web page for my friends telling them what was wrong and how to fix it.

    The fact is, quite simply, that they should have been running a *nix. It amazes me how much MS can get away with; debit cards weren't working at the local Price Chopper today because of this, some guy posted that at least one ATM in the UK was down, which suggests that a lot more followed suit, the DMV, the IRS, etc, etc. Yes, the people responsible for this virus are to blame, and yes, the people that left their boxes exposed and flapping in the breeze are to blame, but the Windows culture also has a big part to play in it. Need a computer? Toss up a windows box, and you're all set.

    I think a big part of it is just that people expect Unix administration to be tough, and hire someone competent, whereas the Windows boxes get Joe MSCE.
  • by Peyna ( 14792 ) on Tuesday August 12, 2003 @11:23PM (#6682309) Homepage
    Of course, if 95% of people used OS X instead of Windows, more virii and what not would be written for OS X and more vulnerabilities would be discovered, etc.

    If only 1 person drove a Pinto, we might have never found out the problems with it. Since so many people drove them, the serious problems quickly became evident. It's the same kinda thing with operating systems. The more they're used, the easier it is to find vulnerabilities.
  • Re:Yes (Score:5, Insightful)

    by SubjunctiveSam ( 669606 ) on Tuesday August 12, 2003 @11:24PM (#6682316) Journal
    You bring up an interesting point. My father is a Windows 2000 administrator for a large multi-site hospital system (seven hospitals, 2 longterm care facilities and 35 clinics). Thankfully they stay up to date on the latest patches and have a good firewall so they were completely unaffected. They also recently went through an emergency preparedness drill making them take a look at what would happen on the computer side of things if say, a tornado wiped out such and such hospital. They look at things like, where do we keep the tape backups of patient records, what services are necessary for the billing department? For the most part, mission critical applications are mainframe issues, and patient records etc are isolated from silly internet-propagated worms.

    My point is that if a staff has competent employees with an eye for security, usually viruses and worms' impact can be reduced to at most, a nuisance.

    Still, I agree with you completely. Virus authors need to realize that it's not all just in fun. People don't "deserve it" just because they are vulnerable. And, you're not going to teach anyone a lesson. It's not l33t haxoring, it's childish and immature vandalism, plain and simple.
  • Re:Yes (Score:2, Insightful)

    by Anonymous Coward on Tuesday August 12, 2003 @11:24PM (#6682321)
    How does a post that demonstrates the author read neither the parent to which he is replying nor the article itself get moderated "insightful"?

    To wit:
    1) The parent says nothing about switching to Linux.
    2) The article mentions that the worm leaves a message poking fun at Windows' security history thus demonstrating the author =does= have a point to prove.

  • by zulux ( 112259 ) on Tuesday August 12, 2003 @11:26PM (#6682333) Homepage Journal
    The patches have been available for a LOOOOONG time now. They should have patched. They can't whine now. End of story.

    ---

    I've had to patch several Windows 2000 boxes for clueless friends and mothers of friends.

    The patch is only 1.3 Megs or so, but the problem is that you have to have SP3 or higher to apply the patch and going from no service pack to SP4 takes 11 hours over a 56K connection.

    Try explaining that over the phone.

    It wouldn't be so bad if Windows 2000 had a serviceable firewall - there's one hidden in the management console thingy.

    It's really pathetic that in the year 2000 - ALL of the free unixes had decent, available firewalls, and most of them fit under 60 Megs.

  • by bfree ( 113420 ) on Tuesday August 12, 2003 @11:28PM (#6682348)
    The point is not what OS would be the target if Linux held 90% of the desktops, it is what would be the target if the OS market looked like:
    1. Windows 9x: 10%
    2. Windows XP: 20%
    3. Mac OS 9: 5%
    4. Mac OS X: 10%
    5. Red Hat: 15%
    6. SuSE: 15%
    7. Debian: 5%
    8. Mandrake: 10%
    9. *BSD: 5%
    10. Others: 5%
    What would people target? Probably IOS until it suffered the same fate and saw its dominance split. Then anyone wanting to wreak havoc would have to accept the fact that they can't or do some amazing things to find cross platform targets (i.e. common flaws in java runtimes or multi-platform binaries). You wouldn't even really be able to target the Linux 45% I have above very well as each system would have its own software versions and policies which would make finding common exploits very difficult. Diversity is key here!
  • Re: Monoculture (Score:5, Insightful)

    by Black Parrot ( 19622 ) on Tuesday August 12, 2003 @11:29PM (#6682354)


    > One of the downsides to having just one type of OS is that it makes you very vulnerable to this sort of thing.

    Everyone says that, but does it really? If all OSes and their associated software had easy exploits, would it really be that hard to write a polymorphic worm?

    > As far as blaming people who haven't patched their computer, I can't see it. This thing is hitting home dialup users fer crying out loud - my friend had to drive over to his dad's house to disinfect a machine. You can't expect everybody's grandmother to behave as a professional sysadmin.

    So true. That's why it's important to design OSes and user software for safety rather than for a faux ease-of-use. I hope the GNOME and KDE hackers and other FOSS writers are seeing the right message in this.

  • by Phoenix ( 2762 ) on Tuesday August 12, 2003 @11:30PM (#6682361)
    And I know this for a fact. I had a machine that I re-loaded XP on for a customer since he was upgrading his motherboard. Friday I finish the windows load and I install all the patches available on the update page. Ran it once to get the first 80Mb of patches, ran it to get Media Player 9, ran it again to get the security patch for Media Player 9.

    That's everything on the update page.

    Installed Norton AV 2003 and got all the updates available as of last Friday. After doing that one would have a reasonable expectation of being safe against a problem, especially since the problem was discovered a full month ago.

    Monday the customer called with the machine giving a 60 second countdown and rebooting.

    Now even if the people at the MVA and other places *did* the updates from the updates page, they'd still be screwed.

    All I want is these virus programmers, their fingers, a ball-peen hammer and 5 minutes...it's all the time I'd need
  • by JimmytheGeek ( 180805 ) <jamesaffeld@ya h o o .com> on Tuesday August 12, 2003 @11:31PM (#6682371) Journal
    Comcast as a whole got blasted, not surprising.

    A win2k sp3 machine I patched has something like 16 critical updates needed. Several reboots.

    That's too much downtime. You can update just about everything but the kernel in linux/bsd without a reboot. Going through this every couple of days is a drag!

    The architecture is fundamentally broken: the enabling stuff by default; implementing dozens of new ways for strangers to do things to your computer without your knowledge (as features!) with each release; welding mere applications (web browser, email client) to the OS, having them run with system privileges, and making it impossible to remove...

    Finally - windows update is fundamentally broken. It will report success when the patching operation fails. This is one way:
    http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=9340

    They need to start over. Maybe if they start clean they can come up with something that compares to Linux.
  • Re:Yes (Score:3, Insightful)

    by soupart ( 691584 ) on Tuesday August 12, 2003 @11:34PM (#6682393)
    Very good point about hospitals.

    I have many systems in many hospitals and they are windows based.

    Am I scared of what could happen?

    You bet your life.

    One of the corporate hospitals (oh yeah, they can own those too) I support had, at last report, five servers in their local server room completely down. The traffic alone on the network hindered my system, but we are still up, and a patch time is set.

    "... is set?" you say?

    Downtime is a HUGE issue for my company. If our system isn't up, a major communication link that ALL hospitals rely on in one fashion or another is gone. The last thing I need is to get a call saying that a Radiologist's report on an ER patient didn't get seen or heard by the ER physician in time to save a life. You want to talk mission critical systems? 24/7 with human lives at stake. I don't think it can get more serious than that.

  • by LibertineR ( 591918 ) on Tuesday August 12, 2003 @11:34PM (#6682398)
    This virus is the result of companies putting idiots in charge of setting up and administering Windows-based networks. There are so many Windows-based organizations, that only a small percentage of idiot admins will create enough insecure systems for a virus to do damage large enough to get noticed.

    The fact is, there is no 'secure' operating system, but there are enough things that can be done to prevent virus infections that any large company stricken by this virus should fire their IT staff TODAY.

    What company does NOT demand auto updating anti-virus software on every system connecting to their corporate network? What company does not have a person in charge of installing MS patches within 24-48 hours of their availability? Don't give me that crap about being afraid of the patches, because if they damage your network, you can blame Microsoft and save your fucking job.

    Viruses are a reality for Windows networks, and companies without policies and recovery plans to deal with them should fire their staffs and get competent people in place. Businesses need to understand that competency costs MONEY, so if your IT people are paid dirt wages, your network is a sitting duck, trust me. Can your MCSE who can't tell you what circular logging does on an Exchange installation. Fire the fool who told you to build trusts between multiple AD forests, I don't care how reasonable his explanation was. I see this shit every day, because 80% of Windows admins suck monkey dick. Microsoft is on their 3rd round of creating a certification program. Maybe they should consider taking the aftermarket PROFIT out of it, and stop caring about pass/fail rates long enough to get a core group of people who know what the fuck they are doing?

    There is no excuse for this shit anymore. A virus attack on a company running Windows these days should mean an instant termination of the staff that let it happen.

  • by wwest4 ( 183559 ) on Tuesday August 12, 2003 @11:37PM (#6682417)
    you're assuming too much about their intentions. based on the maturity level apparent in the strings in the executable, i'd say that anti-ms bashing and ostensibly noble intentions are just a convenient excuse for script-kiddie vandalism.

    if it weren't, they'd post an exploit in a public forum and/or notify ms, not write a worm and release it into the wild.

    i'm personally annoyed at all of the extra work this fscking thing cost me today - never mind that both my ISPs seem to be slower than shit and my iptables log grew 10 megs this week.

    to the author - grow up and put a grey or white hat on if you want to play with the rest of us.

  • Maintaining this crap is taking way too much fsking time. I have a lot of other projects that I could advance but instead I get to hit slashdot while watching patch progress bars randomly increment.

    This is not good, it's not acceptable, and I am moving toward not accepting it. Screw em. Lousy products, massively offensive licensing terms (both in dollar amount and provisions), and smarmy, arrogant execs. Piss on them.

  • Re:Yes (Score:5, Insightful)

    by nolife ( 233813 ) on Tuesday August 12, 2003 @11:39PM (#6682435) Homepage Journal
    I believe this is a side effect of the Windows dominant world. Many people have no idea that there is an alternative. If you look back at the media coverage of any of the many Outlook/OE and IE related viruses and worms, like Melissa, and many others.. You will find people claiming that it is an "email" virus. It is not, it is an OE/Outlook virus and can ONLY spread if using those products. 99% of the time, if you are not using a MS provided mail client/web browser you would be completely safe even with no firewall and virus scanner from those "email" viruses, although not the case here with MS Blaster. I think if the media stated that fact every time this happened, it might sink into people's heads that it might be a good idea to look for something else. Funny that this virus name actually contains a reference to Microsoft being called MSBlaster. I wonder if they tried to get that changed, funny how they call it Blaster [microsoft.com], not MSBlaster like everyone else.
  • Re:Yes (Score:3, Insightful)

    by droyad ( 412569 ) on Tuesday August 12, 2003 @11:39PM (#6682438)
    It's really their own fault. Any enterprise running mission critical systems should patch their systems. It doesn't matter Windows has more flaws than Linux. A solid security policy is a must regardless of OS.
  • by JimmytheGeek ( 180805 ) <jamesaffeld@ya h o o .com> on Tuesday August 12, 2003 @11:46PM (#6682483) Journal
    It's like digging a hole in the water. (In this metaphor, the water is NOT frozen, 'kay?)

    We IT gnomes have other things to do than patch and patch and patch and patch. We can't trust Windows Update to even correctly report the status of the application of a patch. We have users screaming for new installations, new hardware, new software, new networks, wireless, email, etc. Staffing doesn't get determined by workload. Not in my world.

  • by RALE007 ( 445837 ) on Tuesday August 12, 2003 @11:47PM (#6682486)
    "It's likely that people who have not turned on their computers yet will discover that they have already been infected if they do not have the Microsoft patch, a firewall of some sort or anti-virus program installed,"

    How could one already be infected if their computer hasn't been running? Maybe he's implying "as soon as you turn on your computer you'll be infected", I don't know.

    Millions of unprotected personal computers remain vulnerable to the worm, which can infect any machine connected to the Internet, experts said Tuesday.

    Really? I thought it was only Win2k, XP, and 03, not every computer on the planet. But experts said so, so I guess it must be true.

    The worm attacks computers through a flaw in the part of Windows that allows computers to share files and control Internet traffic. Four versions of Windows operating systems are targeted: Windows NT, Windows 2000, Windows XP and Windows Server 2003.

    Oh you are aware it doesn't affect every computer on the planet. That's good because five paragraphs before you said it did and now you're contradicting yourself. Wonderful

    "This is certainly a capable person who did this," Sundwall said. "In most cases, it takes about six to nine months for a worm to appear after a patch is released. This is certainly something that did occur quicker than we are accustomed to."

    Because it is just so hard to create a self replicating buffer overflow program. It's not like this is down to a science. The statement implies a team of developers would have to sit down for a year to create something this "sophisticated". It couldn't be that MS products are inherently insecure and easily exploitable. There are thousands if not millions of people "capable" of this, just not immature enough.

    You'll notice some of my excerpts are quotes from within the article, and not necessarily the words of the author. The author still chose to include this malformed crap.

    I would recommend seeing this older Slashdot article [slashdot.org] concerning the worm or going to google to find better written information on the matter. The facts within the new article are interesting, but so blatantly misrepresented it's annoying and I would view an alternative source.

  • Re:Yes (Score:2, Insightful)

    by soupart ( 691584 ) on Tuesday August 12, 2003 @11:49PM (#6682504)
    You can hope until the cows come home friend, cause I'm here to tell you that Windows is in every hospital, every clinic, and every doctors office you visit. Even the big fish: Mayo, Boston, etc. Sorry to rain on your parade.

    As far as being on a lan with access to the internet, that argument is pretty much useless. One infected machine on the inside and you are a potential target. Just the way it works.

  • by seanadams.com ( 463190 ) * on Tuesday August 12, 2003 @11:50PM (#6682507) Homepage
    They need to start over.

    It's hard to imagine how that statement could be true - throw out 15+ years of OS development to start anew?

    However, Apple managed to do it by standing on the shoulders of giants, and using the time-tested Unix architecture while finding clever ways to support existing apps. MSFT could do it too, but I'd much rather see them continue down this path until they're toast. Preemptive multitasking and multiple users (done right) is the only way to go.

    You know how you sort of laugh at the Linux n00b who always logs in as root so he doesn't get those pesky permission errors? Well guess what - that's what 99.99% of the Windows world is doing now. But it's not just the users - it's practically every damn thing running on their system.

    I say bring on the virii!
  • by dillon_rinker ( 17944 ) on Tuesday August 12, 2003 @11:52PM (#6682516) Homepage
    Patches can introduce bugs. Microsoft does not test their patches against all software in the world; they certainly don't test it against all custom software.

    Suppose you've got a mission critical app. Suppose the folks that wrote this app went out of business in 2000. Suppose it incorporates a library that includes a control that uses a deprecated interface to call an obsolete method. Suppose this method returns a value of 127 for a particular failure. Suppose that this failure is one that should not be retried in this environment because it would initiate another query to master database in Frankfurt. Suppose that a patch (incorrectly) causes this interface to begin returning 63 for that failure code. Suppose that what USED to be failure 63 should be retried 255 times. Suppose that one day this particular failure (was 127, now 63) occurs.

    Now suppose that you're the boss of that guy who convinced you last week "We don't need to test patches apps from Microsoft before deploying them enterprise-wide." and your boss wants to know why his boss in Frankfurt is on the line.

    Now you know why I'm unemployed.
  • DO blame MS! (Score:5, Insightful)

    by JimmytheGeek ( 180805 ) <jamesaffeld@ya h o o .com> on Tuesday August 12, 2003 @11:52PM (#6682517) Journal
    Until they can release an OS that goes a couple of weeks between major vulnerability discoveries, they're fucked! And so are you. Don't you think IT staffs have other responsibilities? Do you realize how many updates there have been this year? How many of them require a reboot?

    That's an easy question to answer.

    The more interesting question is how many of them would not be required if they had implemented a sensible architecture, if they hadn't bolted on a bunch of crap to advance the monopoly into the internet, etc. Then we could hope for a massive improvement in code quality. My impression is that a bunch of this was avoidable, but for lazy and incompetent product managers and programmers, and perverse design goals intended to hurt competitors no matter what collateral damage to consumers.
  • What should I use? (Score:3, Insightful)

    by roystgnr ( 4015 ) <roy&stogners,org> on Tuesday August 12, 2003 @11:52PM (#6682519) Homepage
    No, really. List your choice of replacement system and give a thorough list of past remote exploits for it before you bash Microsoft.

    Microsoft actually seems to be getting better about security. They still have holes that you have to patch, but so does everybody. Here's a list of the security updates for my OS distribution of choice, for instance:

    Red Hat Linux 9 Security Advisories [redhat.com]

    Most of these aren't as bad as the recent Windows hole (and many aren't in software that even has an equivalent included with Windows), but there have been a lot of them recently, and they're not Red Hat specific problems either.
  • by JimmytheGeek ( 180805 ) <jamesaffeld@ya h o o .com> on Wednesday August 13, 2003 @12:02AM (#6682573) Journal
    The windows world isn't even close to handling a whole class of vulnerabilities - services running with inappropriate privilege. Ouch! No chrooting, privilege separation, etc.

    It's amazing how little they seem to learn from better OS's. That and your point reminds me of a sig I saw a little while ago: "If I am near-sighted, it's because I stand on the shoulders of midgets."
  • by cranos ( 592602 ) on Wednesday August 13, 2003 @12:02AM (#6682576) Homepage Journal
    Being User Secure and being Architecturely(sp?) secure are two very different things.

    The reason why it is so easy to attack MS machines is because they insist on running what really should be considered User space applications as part of the Kernel space, IE is a good example as is Office.

  • by freeweed ( 309734 ) on Wednesday August 13, 2003 @12:02AM (#6682579)
    Windows *is* fundamentally insecure, and much more so than Linux. If you don't see this you know very little about computer security.

    It has nothing to do with 90%, it has nothing to do with people not patching because they are technically incompetent, IT IS BECAUSE WINDOWS BY DEFAULT RUNS A SHITLOAD OF NETWORK SERVICES AND DOESN'T FIREWALL ANYTHING.

    In case you didn't catch that, let me repeat:

    IT IS BECAUSE WINDOWS BY DEFAULT RUNS A SHITLOAD OF SERVICES AND DOESN'T FIREWALL ANYTHING.

    Run a netstat on a default XP install, and count the open ports. Now do the same on a default Linux (RedHat/Mandrake/Deb/you name it) install and count the open ports. You'll notice a 2:1, 3:1, as high as 10:1 ratio, Windows:Linux. Ok, so by default Windows has many more open doors. Huh, wonder why it gets exploited so often.

    Unfortunately, that's not the end of it. Most Linux distros I've seen (fellow slashdotters correct me on this stuff) are now using IPtables by default, with at least a level of security that blocks incoming connections to almost everything. All you have to do in some is select 'high' security, and bang, almost nothing gets through.

    Windows by default has no firewall enabled. In fact, you can't do *anything* with pre-XP Windows. Linux has had built-in firewalling for years and years and years...

    This is all bad, but it gets worse. The latest worm attacks the RPC service in Windows. Now, logically, you'd think you could shut off an RPC service, if you're never making/receiving REMOTE PROCEDURE CALLS. Nope, the OS breaks pretty nastily if you do that.

    I have yet to see a single example of a listening service on a Linux box that cannot be disabled without wrecking the OS itself.

    This has nothing to do with patches, volume, or the price of tea in China. Windows simply uses a poor security model, one based more around convenience than intelligence.

    I really don't get the massive amount of Windows apologists on Slashdot, either. I personally love Windows for what it's good for, but a simple 5 minutes research into TCP/IP will show anyone just how poor the security model is in Windows. Yet you're modded up with 100% complete nonsense.
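The netstat comparison suggested in the comment above, as an added example that is not part of the original post: a small parser that counts listening sockets reachable from the network in Windows-style and Linux-style netstat output. Both sample outputs are constructed for illustration and are not captures from real default installs; the function names are this example's own.

```python
"""Count network-reachable listening sockets in netstat output (added example)."""

# Constructed sample shaped like Windows `netstat -an` output (not a real capture).
# Port 135 is the RPC endpoint mapper.
WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1051      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Constructed sample shaped like Linux `netstat -an` output (not a real capture).
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.20:22         203.0.113.9:51000       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

PROTOCOLS = ("tcp", "udp", "tcp6", "udp6")


def parse_listeners(netstat_text):
    """Return a set of (proto, host, port) for sockets waiting for traffic."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0].lower() not in PROTOCOLS:
            continue  # banner, column header or blank line
        proto = fields[0].lower().rstrip("6")  # fold tcp6/udp6 into tcp/udp
        # Linux rows carry Recv-Q and Send-Q counters before the local address.
        if len(fields) >= 4 and fields[1].isdigit() and fields[2].isdigit():
            local, rest = fields[3], fields[5:]
        else:
            local, rest = fields[1], fields[3:]
        state = rest[0].upper() if rest else ""
        # TCP must be in LISTEN/LISTENING; an unconnected UDP socket has no state.
        if proto == "tcp" and not state.startswith("LISTEN"):
            continue
        if proto == "udp" and state:
            continue
        host, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.add((proto, host, int(port)))
    return listeners


def is_loopback(host):
    """True when the socket is bound only to the local machine."""
    return host.startswith("127.") or host.strip("[]") == "::1"


def exposed_ports(listeners):
    """Sorted (proto, port) pairs bound to a non-loopback address."""
    return sorted({(proto, port) for proto, host, port in listeners
                   if not is_loopback(host)})


if __name__ == "__main__":
    for name, sample in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        ports = exposed_ports(parse_listeners(sample))
        print(f"{name}: {len(ports)} exposed listeners -> {ports}")
```

Each pair in the result is a service that either needs a firewall rule in front of it or should be switched off if nothing uses it.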
  • by peripatetic_bum ( 211859 ) on Wednesday August 13, 2003 @12:12AM (#6682646) Homepage Journal
    Actually, for everyone who thinks this is a good thing for Linux, think again.

    What if Microsoft says "See what happens when we don't control everyone's access to computers. THIS IS WHY WE NEED TRUSTED COMPUTING!"

    And *poof* there goes Open Source.

    I would like to hear what you all think.
    Thanks for reading.
  • by Tokerat ( 150341 ) on Wednesday August 13, 2003 @12:15AM (#6682666) Journal
    There are a few common sense notions that people rightfully have. Among these are that 1) you can be on the internet and 2) connecting your system to a network should not harm other computers. If theory and practice are incompatible, I think they should rethink the practice of computers rather than the above two notions.
    There are a few common sense notions that people rightfully have. Among these are that 1) you can sleep around and 2) fucking without a condom probably won't give you diseases unless it's a whore from behind the Shell station. If theory and practice are incompatible, I think they should rethink the practice of humping like rabbits rather than the above two notions.
  • by ahodgson ( 74077 ) on Wednesday August 13, 2003 @12:17AM (#6682677)
    Of course it's an option. Hell, it's free.
  • by Gherald ( 682277 ) on Wednesday August 13, 2003 @12:19AM (#6682693) Journal
    A security patch should not break code. Were I "the boss of that guy," I would consider Microsoft to be at fault.

    Sounds like a time for damage control and updating that app or library (even if it means using a disassembler).

    As for deploying at a large enterprise, it would be wise to test mission critical apps before doing so. But such testing should be routine and be completed ASAP.
  • Re:Yes (Score:2, Insightful)

    by IM6100 ( 692796 ) <elben@mentar.org> on Wednesday August 13, 2003 @12:22AM (#6682706)
    Many people have no idea that there is an alternative.

    And then the issue is compounded to be even worse. People like the parent phrase it like there's an alternative, and not numerous alternatives. Some of the alternatives are significantly more usable than Linux on the desktop. Yet we find people here posing it like it's an either/or choice.
  • by Zarquil ( 187770 ) on Wednesday August 13, 2003 @12:27AM (#6682735)

    Don't give me that crap about being afraid of the patches, because if they damage your network, you can blame Microsoft and save your fucking job.


    No way!

    If one of my clients happened to have mission critical software that was taken down because I applied a patch, then I'd deserve to get turfed. I agree that patches breaking other software is used far too much as an excuse for laziness, but testing your patches before you go live is still critically important.

    If I ended up costing a company a $10,000 gig (say I couldn't recover a database - or maybe just had so much downtime the company missed a deadline) I'm not going to last long enough to point the finger and say, "It's Microsoft's fault!" I'd likely have my ass grinding over the welcome mat on my way out the door. And in the small businesses that I deal with, losing more than one or two shows will bring the company down anyways.

    Part of competency is understanding risk management. If I have the time to test patches before applying them, there is no excuse to patch blindly. If it's a nice standard shop that doesn't have anything exotic, then yeah I'll let auto-update take care of it. But you better understand the business and what kind of tolerance they have to down time or broken patches!

    For the record, all of the systems have been clean and, knock on wood, I'll drop by the last of my clients this weekend and check theirs in person (I haven't got a complaint call yet, so I'm hoping things are as I left them.)

    - Zarquil
  • by unclethursday ( 664807 ) on Wednesday August 13, 2003 @12:34AM (#6682767)
    It's true Linux isn't 100% bug free (nothing is), but Linux and all the other Unix-alikes are more secure, by default, than Windows is by default.

    Microsoft often releases patches for these types of worms and viruses, but the problem becomes that sometimes their patches end up breaking a hell of a lot more than they fix.

    Companies, and government institutions cannot just patch and go. They have to test the patches on an isolated computer to ensure that EVERY SINGLE program they need to use is not affected adversely by the patches. Any idea how many MS patches for Windows alone are out there? It's a wonder IT people at companies/government are even half as caught up as they are.

    Just imagine if your health insurance provider's IT supervisor just went and patched every time without testing; and one day the program they use to keep things up to date won't work because of a MS patch that broke it. Suddenly you're without health insurance. God help you if you get hurt in the time it takes for them to figure out what broke the program and try and fix it.

    That's why it doesn't matter that MS releases these patches. Sometimes they fuck up a lot more than they fix, and companies and government institutions simply cannot take the risk of installing every single security patch from MS (often released weekly) because of this.

    Thursdae

  • by pi_rules ( 123171 ) on Wednesday August 13, 2003 @12:42AM (#6682794)
    If Linux had 90% marketshare and was used mostly by people who don't patch, like Windows is, I fail to see how architecturally Linux would be more immune to this type of attack than Windows is.


    Yeah, that's probably why IIS has such a poor track record when compared to Apache. Who would try and 'sploit Apache on Linux? Nobody runs that crap.
  • Re:Yes (Score:5, Insightful)

    by Pathwalker ( 103 ) * <hotgrits@yourpants.net> on Wednesday August 13, 2003 @12:42AM (#6682795) Homepage Journal
    There are worse things than just wiping a hard drive. Wiping all data is obvious, and you know it happened.

    What if a virus was capable of recognizing some common file types, and making a few changes?

    Every so often adding or subtracting from a cell in a spreadsheet? Finding a CAD file and changing the thickness of some metal?

    How about an easy one? Social Security Numbers are easy to identify - what if a virus looked for them in files, and changed a digit in a few of them at random?

    What's worse than no data?

    Data that you have no idea if it is correct or incorrect, and have no idea if any of your backups are correct or incorrect.
  • by Sevn ( 12012 ) on Wednesday August 13, 2003 @12:42AM (#6682798) Homepage Journal
    I can imagine the day when the unknown security hole of the future comes careening through that expansive windows network and microsoft hasn't made a patch yet. I wonder how long before someone dies. Nothing personal, but I'd never consider Windows 2000 secure enough to bet my life, or anyone else's life on it. No FUD intended here. I'm being as serious as a heart attack. I'd go so far as to say that putting mission critical hospital systems on the Windows 2000 platform is criminal. I'd never trust my life, or a loved one's life considering their track record. And yes it IS that big of a deal. And it IS that serious. What you are describing is a serious tragedy waiting to happen. It's only a matter of time.
  • by unclethursday ( 664807 ) on Wednesday August 13, 2003 @12:45AM (#6682805)
    A security patch should not break code. Were I "the boss of that guy," I would consider Microsoft to be at fault.

    Unfortunately, under current laws and regulations, Microsoft is not held liable if their security patches break your system. They're also not held liable if a virus/worm hits you before they can patch it. In fact, no matter what Microsoft's software ends up doing to your business, they aren't liable for anything.

    So consider it Microsoft's fault all you want, but they won't be forced to do anything about it.

    In the end, the company is going to want to blame someone they can do something to, which means their employees.

    Thursdae

  • by Kenja ( 541830 ) on Wednesday August 13, 2003 @12:48AM (#6682818)
    And it runs all the apps I need, oh wait it doesn't. Ok then it must run some of the apps I need, seems not. So it runs nothing I need to use and has no commercial software of note. What a great choice for the non hobbyist! When will you understand that most people use computers to run software, not operating systems. Linux is great in the right area (web servers etc) however it is a very poor choice for a general OS.
  • by KalvinB ( 205500 ) on Wednesday August 13, 2003 @12:49AM (#6682821) Homepage
    Getting hit by this worm demands complete apathy towards patching your system. One faculty member at the University I do tech for was complaining about doing patches. It's so hard to open IE go to tools and then Windows Update and click a couple buttons. If that. We tend to set Windows to automatically download and install critical patches and then cross our fingers and hope the users are too lazy to disable it.

    In my case I just run a $50 router with NAT that blocks everything I don't need which makes the entire house network of around 10 computers immune from this worm regardless if they're patched or not.

    This worm doesn't prove anything. Linux users need to be patching their systems as well and when it becomes mainstream it'll be the target of script kiddies as well. It's just pointing out what techs all know: people are lazy and don't care until it's a problem.

    Ben
  • by Sevn ( 12012 ) on Wednesday August 13, 2003 @12:56AM (#6682850) Homepage Journal
    What was it that really made the worm possible?

    Leaving RPC open by default. As much as I like where you are trying to come from, this is indeed a Microsoft problem that they created themselves. When you have 50 FUCKING BILLION dollars in the bank, a major majority of the market, and this type of crap keeps happening, you should probably think about spending a few billion on making products that don't cost your customers insane amounts of money and lost productivity due to down time because of pathetic security and coding practices. It's just a thought.
  • by Kenja ( 541830 ) on Wednesday August 13, 2003 @01:09AM (#6682904)
    You have it wrong.

    Most people = Windows Users.
    Kenja = Geek with Windows, SGI, Solaris and Linux boxes.

    However, Kenja can see the limitations of Linux and not worry about them. Most /. users seem unable to come to terms with the fact that Linux is a poor choice for most people. Countless times I've been attacked for not using Linux for a task Linux cannot perform.

  • Re:Yes (Score:2, Insightful)

    by SubjunctiveSam ( 669606 ) on Wednesday August 13, 2003 @01:15AM (#6682945) Journal
    No, they're not. From what he tells me, most of the employees have locked down systems that run all their needed apps from the network over citrix metaframe etc. Nothing is supposed to be installed or stored locally on any of the client systems. Yes, viruses could probably still be introduced via the method you described, but they would probably only infect client machines, not the systems where the databases are stored. Another related and interesting issue, is doctors there whining that, for example, aol instant messenger can't get through the firewall. Of course you can't tell doctors they shouldn't run that, so there's no choice but to open it up. Demands from doctors are one of the bigger headaches for the IT support staff there.

    Another good one is when doctors go to some convention and a software vendor convinces them they need some piece of software. One that doesn't work with the databases already set up, etc.
  • Re:Yes (Score:5, Insightful)

    by darkov ( 261309 ) on Wednesday August 13, 2003 @01:20AM (#6682967)
    Virus authors need to realize that it's not all just in fun.

    I don't think virus authors are the point. It's easy to make obvious statements about how childish and irresponsible this guy is, but it's not like he invented worms. They were possible and probable before he sat down to code this one. So if people die in the hospital the blame rests with the people who administer the networks, the machines and the hospital. And Microsoft. It's their responsibility.

    I think the people who write these things serve a useful purpose in strengthening security - like eating dirt when you're young helps you build your immune system.
  • by Dunkalis ( 566394 ) <crichards@gm3.1415926x.net minus pi> on Wednesday August 13, 2003 @01:52AM (#6683104)
    I really wouldn't bet my life on any OS. I would be happier if they ran on at the very least Trusted Debian. OpenBSD would be better, but I'd only trust my life to a machine that runs a completely custom OS built for one purpose that does one thing, and does it well. That's why I'd trust the computers in a car before I trust any other sort of OS.

    I really don't have a choice, though, so here's to hoping that people have enough sense to at least stop using Windows on mission critical systems.
  • by wo1verin3 ( 473094 ) on Wednesday August 13, 2003 @01:59AM (#6683138) Homepage
    That we may never get rid of this worm completely, at least not for a long time...

    Patches for the hole, except for Windows NT 4.0, which the company no longer supports, were put online by Microsoft.

    Source: Channel NewsAsia [channelnewsasia.com]

    There are A LOT of companies still running NT on both servers and workstations, last time I was in a major server room at Big Blue, well I won't name clients, but several large name clients have NT based server solutions. Yes I know blocking certain ports will stop it from getting in, but there is still potential for many NT systems not to have those ports blocked now, or in the future.
  • by Anonymous Coward on Wednesday August 13, 2003 @02:02AM (#6683151)
    Depends on what the NAT is doing for you. If (for instance) you have a LAN behind the router but at the same time have an internal mailserver, you'll almost have to have at least the mail ports locked to a live interface inside (unless you're doing something unusual with your mailserver, and your ISP is providing store and forward with you only connecting on demand.) Is your router only passing traffic over the mail ports to that box, and is that box not running any Windows server OS?

    And this is all assuming that no one in your org has a laptop - our machines are all patched. 'Ceptin' for a person whose personal laptop appears on the network, and who went on vacation three weeks ago.

    Fortunately, all of our machines are long patched, so even if this person had decided to plug in after seeing the 'funny behavior' on the laptop, it wouldn't have been able to get far on our LAN.

    Most home machines which are behind NAT "routers" don't do port filtering outbound. So if a kid gets something bad when she's at school and comes home to the DSL feed a) your XP box is infected and b) you've got two machines searching the net for further targets over your DSL feed.
  • by gad_zuki! ( 70830 ) * on Wednesday August 13, 2003 @02:13AM (#6683185)
    > I say screw those who didn't patch

    1. Companies may still be evaluating it before putting it on their production servers. So if their e-commerce site went down because of this patch would you also say "screw them for not testing properly?"

    2. "Road Warrior" laptop users who tech support hasn't had a chance to update yet.

    3. Home users who dutifully update their virus scanners, pay Norton, and are careful not to open wacky attachments but have no idea about how remote exploits work.

    4. Failed patches and false positives.

    5. New computers straight from Dell or whomever that bundle and auto-setup everything except autoupdate. Hmmm, that sounds like a big problem to me.

    6. "Early victims" who were infected well before the patch was available or before their computers could download it automatically.

    7. The technically clueless that have no idea what a virus, let alone a worm, is. Whose job is it to teach them the ins and outs of security? Maybe MS could make a more secure product or at least put as much effort into alerting the user about security as it does trying to break competitors. Crazy, I know. /insert obrant about how Windows is a poor system in regards to security and how patches and virus scanners are post-attack fixes. Someone has to get infected first you know. //or insert obrant how Bush's DOJ let MS off and now we are sowing the seeds of cronyism.
  • Apache is a brick (Score:2, Insightful)

    by KalvinB ( 205500 ) on Wednesday August 13, 2003 @03:29AM (#6683445) Homepage
    IIS is a Swiss Army knife.

    I run Apache precisely because it doesn't do anything extra. Lack of functionality doesn't make it more secure than something of greater functionality. It's apples and oranges. As someone else mentioned, Apache has modules that open up the same/similar vulnerabilities as IIS.

    IIS gets hacked from remote administration exploits and the fact it's tied in to the OS. Which is precisely why I dumped Linux which stupidly ties in FTP to the OS.

    App accounts should NOT be system accounts. If I want to have the same user and pass for HTACCESS, FTP, SMTP, POP3, and VNC, I'll set up the separate programs handling them to have the same user and pass in their respective account files. I don't want the OS to handle all the passwords. When you do that, then getting a password means you have access at some level to the OS which leads to escalation hacks. The intelligent way where say an FTP account has nothing to do with a system account, getting a username/pass only gets you into the FTP account.

    If you get a password for my mail server, worst case you can read my e-mail. If you get a password for FTP, worst case you can change some files.

    Ben
  • by IM6100 ( 692796 ) <elben@mentar.org> on Wednesday August 13, 2003 @03:48AM (#6683497)
    It was all listed up there earlier in the thread:


    I've yet to find a good Architectural and/or Land Development CADD program for Mac or Linux. Nor Noise simulation modules, Motorola propagation simulators, Hydrology simulations, or many more of the specialized software we use for building design, airport/runway design, emergency system management, wireless design, air quality analysis, or any of the other stuff we do at my company.


    There isn't a heck of a lot of good engineering design software for Linux. There never will be in the form of Open Source. It's software that costs $2-30,000 per seat. You know, software for grownups, not dilettantes who browse the web and 'admin' common commodity tasks like web servers. We can't all just sell stuff and/or present it for sale. Somebody has to design it.

  • by 26199 ( 577806 ) * on Wednesday August 13, 2003 @04:42AM (#6683694) Homepage

    "I'm unaware of the [Microsoft] patch being available," said David Hugel, the deputy chief administrator of the MVA. "I've talked to our IT people and we weekly update the virus protection we do have, and this just happened to fall between those points when we had updated it and we didn't have the [new] update available yet."

    How about downloading security patches, too?

  • by NanoGator ( 522640 ) on Wednesday August 13, 2003 @04:48AM (#6683713) Homepage Journal
    "I'd go so far as to say that putting mission critical hospital systems on the Windows 2000 platform is criminal."

    And the alternatives are better? Doesn't matter which system you're on, you have to stay up to date with this stuff.
  • Re:We Got Hit (Score:5, Insightful)

    by larien ( 5608 ) on Wednesday August 13, 2003 @04:53AM (#6683729) Homepage Journal
    ignored and disabled the antivirus warnings
    Ah, there's your problem; you let users disable AV software. AV software should be mandatory and it should immediately and automatically clean and/or quarantine all suspicious files without allowing anything less than an administrator to override it. Make it part of company IT policy and wave it in front of anyone who complains.

    Like it or not, Windows systems need a solid antivirus policy in place; even if you filter at the firewall/mail gateway/web proxy, viruses will still find a way into your network.

  • by dash2 ( 155223 ) <davidhughjones.gmail@com> on Wednesday August 13, 2003 @06:22AM (#6683938) Homepage Journal
    90% of the world don't run autocad, but 90% of computer users probably do run at least one specialist program for which there is not an open source replacement with equivalent functionality. Open source has great programming languages, great databases, a great webserver; fine web browsers, email programs, text editors and other general purpose stuff; two excellent desktop environments; fine IDEs; but music programs, artistic applications and so forth are not yet at the level of their closed source replacements. Nor can you get a CD at the newsagent, plug it into Linux and be sure it will run.

    The solution? We should all donate to WINE. When Windows programs run without problems on Linux, we'll have full interoperability and be ready to take the world over.

  • by Klast ( 552793 ) on Wednesday August 13, 2003 @06:46AM (#6683986)
    In theory monetary compensation was paid in return for the Gained Productivity, ie. buying the software. Which means you could argue that monies should go the other direction when some of that productivity is lost. Yes, yes I can see this turning into an empirical argument over the total value of loss + gain.
    But thanks to blind acceptance of all-encompassing EULAs, this argument is a lost cause anyway.

  • by hondo_san ( 565908 ) on Wednesday August 13, 2003 @07:10AM (#6684055)
    I can imagine the ire that l33t haXors/crackers are voicing about this. The worm infects. The worm is easily removed. The patch is applied. For most systems, if not all, this fixes it. (Disclaimer: I have not yet removed this from a system. I have only talked to colleagues that have, and customers who have been affected.)

    Let's try to imagine if it carried a Chernobyl-like payload, or the feared root name server DDoS. Man, that's scary. So, the first one with an exploit ruins it for the rest, as at least some of the world finally realizes that it needs to patch, rendering the real killer-virus less effective, should it ever see the light of day.

    I guess in that context, we should be grateful. It's kinda like if you're walking down the street in a bad neighborhood. Wouldn't you rather have some a**hole just slap you in the face, rather than said person walking up and shooting you?

  • Re:Yes (Score:1, Insightful)

    by Anonymous Coward on Wednesday August 13, 2003 @08:08AM (#6684414)
    Maybe this explains why you are still looking for a job?

    For 8 years I worked for myself as an independent computer consultant. When I saw insecure networks, I sure as hell told them about it! One customer in particular I remember: He asked what I could do to tighten up the network, balked at the price, then paid more than that to have me get all (5 or 6) systems cleaned up after he was hit by some Windows worm.

    If the customer refuses to fix a problem after he is aware of it, that's his problem. If you see security problems with his network and don't tell him about it, that's your problem!
  • by FatherOfONe ( 515801 ) on Wednesday August 13, 2003 @08:22AM (#6684474)
    Good point, but NOBODY seems to fault Microsoft in this issue. They hold some of the blame for this, and I hope that people start to wake up and realize that this IS the additional cost of working with a Microsoft system. This has to be factored in with the total cost of ownership. But yet you NEVER see this in a Gartner report. Why? I spend around 1-2 hours a week on average working with virus issues on our Microsoft software and almost ZERO on all our other systems.

    Gates and company made Windows programs easy to integrate (DDE, OLE etc) but they NEVER took security seriously, then when they started to make a NOS those same BAD habits followed. Remember that Windows 95 used to send your password in CLEAR TEXT over the network!!! What serious company in their right mind (in the 90's) would have designed anything that way? They ignored security to give people like you "features". Well now one of those "features" is an un-secure operating system.

    I could just imagine people that own a GM car had some hacker who could use the onstar stuff to shut down their car while they were in it. Granted, I think they would be initially mad at the person who caused this, but if it happened again and again and again and again, they would probably not buy a GM car again, and their anger would turn to GM. I wonder when this type of thinking will turn to Microsoft. How many systems will have to be down for days?

    Yes I realize that this can't happen with a GM car, I am just using it as an example.

    By the way, did you try and get a patch from their site yesterday? That sure was fun!!! I actually managed to get one 98 system updated at around 8:00pm est.

  • by Stiletto ( 12066 ) on Wednesday August 13, 2003 @08:38AM (#6684547)

    Don't apologise for stupid users either.

    The current Windows virus problem boils down to three parties, equally at fault: The virus writer for writing the virus, the users for running the virus, and Microsoft for allowing viruses to be possible in the first place.

    Don't try to paint users as helpless victims, as many of them are complete idiots and doing their best to make the problem worse.
  • by Alioth ( 221270 ) <no@spam> on Wednesday August 13, 2003 @08:38AM (#6684551) Journal
    My question is why hospitals are using CONSUMER grade equipment (hardware and operating systems) at all. A surgeon would probably try and choke you to death if you suggested he used consumer grade sterilizing equipment that people use to clean out their home brew beer kits to sterilize his tools: why is it then acceptable to use consumer grade computers and operating systems?
  • by Amorpheus_MMS ( 653095 ) <amorpheusNO@SPAMgmail.com> on Wednesday August 13, 2003 @08:46AM (#6684580)
    If you don't want this kind of rubbish, keep the system updated. That goes for any operating system, and MS even makes it easy.

    This will be a lesson to quite a few people.
  • by tsa ( 15680 ) on Wednesday August 13, 2003 @08:56AM (#6684644) Homepage
    Interesting point. Recently I heard that M$ has bought a company that makes anti-virus software. So now they can earn more money by selling their crap. Now they can even hire people to write new virii (viruses? we had this discussion long ago...) for them!
  • by Anonymous Coward on Wednesday August 13, 2003 @09:36AM (#6684954)
    >> I actually managed to get one 98 system updated at around 8:00pm est.

    Hmmmm, you didn't even need to do this since win98 wasn't in the attack...
  • Why? (Score:5, Insightful)

    by Overly Critical Guy ( 663429 ) on Wednesday August 13, 2003 @10:06AM (#6685246)
    Why is it Microsoft's fault when THE PATCH WAS RELEASED A MONTH AGO? A simple ~800kb patch. The exploit even made a Slashdot headline, so it was well-reported.

    The fault lies in those people who don't patch the operating system with the critical updates put out by its maker.
  • by BobBoring ( 18422 ) on Wednesday August 13, 2003 @11:08AM (#6685930) Homepage
    Why are all these end users turning off the auto update features?

    Because they got burned once when Windows Update started sucking a several gigabyte service pack over their modem connection?

    Or maybe they got tired of having to wait through the several download a patch that has to be applied separately and reboot cycles when all they wanted to do was check the movie schedule for the local theater?

    Or maybe a social engineered malware webpage changed the settings by telling them click the link and it will double their internet connection speed?

    Or maybe they are so burned out with having to patch their system three times a week they just don't want the bother since after all it is someone else that is going to get the virus not them?

    ad infinitum, ad nauseam
  • Re:Why? (Score:3, Insightful)

    by pmz ( 462998 ) on Wednesday August 13, 2003 @01:10PM (#6687446) Homepage
    The fault lies in those people who don't patch the operating system with the critical updates put out by its maker.

    No, the fault still lies greatly in the hands of Microsoft. They build a system, market it as drool-proof, drooling idiots all over the world buy it, and those drooling idiots get burned and are still so stupid that they don't realize they were LIED TO IN THE FIRST PLACE!

    So the blame is two-fold. 1) Microsoft is an unscrupulous LIAR, and 2) Microsoft's customers are stupid IDIOTS.

    Thankfully, the markets are very slowly but steadily learning, and I am optimistic that Microsoft will be much, much smaller in five years.
  • Re:Why? (Score:3, Insightful)

    by kikta ( 200092 ) on Wednesday August 13, 2003 @01:48PM (#6687885)
    Why is Microsoft leaving ports open by default that have no business being open in the vast majority of cases?

    They've spent years breeding increasingly clueless users. Think about what kind of knowledge was required to run DOS/Win3.1 versus WinXP. It's a good thing that operating systems have gotten easier to use. However, that means that the users will be less and less clueful as time goes by.

    Saying the users are at fault for not applying a critical patch when there was ample warning from multiple sources is all well and good. They do deserve part of the blame. But expecting users to understand patches when they can't even understand/care about many other simple administration tasks is foolishness. This isn't even taking into account people on dialup who have lots of patches from MS marked critical and don't want to blow hours at a time downloading them. Also, this patch isn't perfect - I know of several people running Win2000 that are now having issues.

    Yes, users should learn to update their damn systems. No one is disputing that fact. However, MS deserves a large part of the blame for consistently releasing outrageously buggy code (including their patches), setting so many things to an insecure state by default, and breeding ignorant users but not taking care of them.
