Oh well.
It wouldn't happen to a Mac.
An unpatched PC is likely to last just four minutes on the internet before being attacked and compromised. The time it takes for a PC to get itself owned varies by operating system and what activities a user engages in - but even allowing for this, putting an unpatched Windows PC directly onto the net in the hope that it …
OK, here we go again....
As you enter, please take a ticket. Please select one of the following.
1. "My Windows is better 'cos it's got the latest security patches straight from MS!"
2. "My Linux box would not get owned, 'cos it's got open source code I can check!"
3. "My Apple box is rock solid and would never get owned, it's so secure!"
Thank you for your patience, your rant will be along soon.
"personal firewall before connecting systems to the net"
Pray tell, how does the average home user download the personal firewall (I'm guessing they are on about standard, non-SP2 XP machines)?
Bit like the "Tech Support" pillock who many years ago, kept telling me to download the drivers for my modem, so that I could connect up...
"Security experts advise using a NAT (network address translation router) and personal firewall before connecting systems to the net"
Given that most Network Address Translation routers include a firewall which stops traffic originating on the internet from reaching the internal network. After recently upgrading my router/firewall I can also limit the outgoing protocols that can be sent onto the internet. So what benefit is obtained by having a personal firewall?
Why put anything in an exposed position? If it's going to spend its life behind a hardware firewall anyway, why build it outside, and if it's not, then "(mis-)management" should be politely told that the machine will not be supported if it's not correctly protected. If it needs doing "ASAP" then it should have been planned sooner: your planning fuckup is not my emergency.
Several months ago, out of curiosity, I set up Windows XP SP1 as a fresh install on VMware using a Debian host; XP was configured with a static IP set up in the DMZ. An Agobot variant owned its ass so quickly I actually laughed. I rarely ever find anything funny, as in funny ha ha, about using a Microsoft OS.
Credit where it is due though, XP SP3, after so many years of patching, fixing and updating, has now reached such a level of stability, reliability and possible security (I don't use IE, Windows Media Player or Messenger) that I find it a pleasure to use. I still wouldn't leave it open to the Internet though. In fact I don't leave anything open to the Internet 'cept my Honeynet.
I remember way back when I was re-installing Windows XP on a machine at home, and within no more than about 1 minute I got the Windows system process initiating a shutdown (Blaster?).
I cancelled the shutdown, downloaded the patches, burnt them to CD, and re-re-installed, this time offline, and didn't go back online till I was as convinced as you can be of Windows security.
If it's taking hackers 4 mins to own an unpatched Windows box, they're slacking.
Did an XP rollout a few years back - unpatched SP1 machines, still connecting over dial-up. Within seconds of being issued an IP address by the RAS server you would start getting pop-ups. At that time, the simple addition of SP2 would have solved most of the problems. Unfortunately the clever souls that created the builds were convinced SP2 "breaks everything", and the clever users kept clicking on the 'Ok' button. Still, fixing their mistakes kept me in a job for a while.
Paris - because she knows all about getting own3d on the internet.
A NAT router with no open ports to allow inbound traffic to said PC would probably be enough to keep it safe until it's service-packed and patched up. Plus ensuring the only web site you go to is Windows Update.
I wouldn't trust in one of those freebie 'trial' copies of Norton that comes shipped with OEM distributions that are likely years out of date out of the box and will spend hours downloading masses of bloat to cripple your PC just to get it up to date, and then you realise you need to get rid of it and install a decent AV/firewall solution before you've even had a chance to patch Windows.
"This best practice can create tensions between management, who want new systems up and running as quickly as possible, and security admins."
Very simple way around this. Give this form with something like the following to management.
I _____________ accept that by not following best practices recommended by the ________ (insert company name) Information team I put at risk the security of any financial or customer data that our company holds and the availability of our systems. I accept that any fines, notification or bad publicity attributed to these actions will be a direct result of these actions and that by signing off on this risk I accept any action that the company or regulatory authorities may take against me.
Signed __________________________
Works every time.
How on earth did a corporate IT department manage to screw up that badly and put an unpatched machine out there?
1: They only have a 7 year old disk?
2: Are they unable to slipstream the installer with SP2?
3: Can't they just download SP2 and keep it on CD?
4: The corporate machines are unfirewalled and un-natted?!?!?
5: Don't you install from images anyway?
I wouldn't want these IT people anywhere near any company I work for.
Given that the vast majority of home computers are behind a NAT router, 100% of unsolicited exploits will be killed in the bud.
Exploits caused by the unfortunate user navigating to the wrong web-site are more likely. But 4 minutes? Not unless the user is an inveterate porn cruiser.
How about you revise your average exploit time to months rather than minutes?
This might be a more interesting article if it happened to mention what variety of Windows it refers to. For example, if "unpatched Windows" refers to say Windows XP SP1, then this revelation comes in the "duh, no s**t Sherlock" category. If however it refers to say Windows Vista without SP1 installed, then it's a tad more alarming.
You stick some old code on the net and it's had in minutes. Yes, I remember a pre-SP2 box picking something up before I'd managed to apply updates, but that was 4 years ago.
I'd be very very surprised if you got the same result with an XP SP3 box and anyone that installs from SP2 media and then casually browses the net before a visit to MS update deserves what they get.
I've been putting up servers over the past week. Prior to starting, I slipstreamed SP2 into my copy of Windows Server 2003 R2. I've also slipstreamed SP3 into Windows XP for our clients.
For those who cannot follow a web article on how to do it, one can download a free copy of nLite to do it for them; it's stone-dead simple. I get that a home user might not get this, but for anyone in any IT department not to ought to mean an instant boot through the door to the unemployment line.
@Jerry
Actually I think you'll find the majority of home users have Windows machines with the cheap USB broadband modem supplied by their ISP. Therefore no NAT. It used to be that you only got the benefit of a proper router if you subscribed to a 'wires only' service and bought your own. I know that's changing these days, but how much?
Regardless of whether I build it, re-build it, repair it, clean it up or just install software, I tell everybody the same thing. You have to treat computers like babies: you have to feed them what they need and periodically clean their smelly behinds.
One day I gave my "computer responsibility" statement and the recipient replied, "Why?". I just looked at her as she further commented, "I have you".
I've come to believe it's not a matter of people knowing what to do; they're flooded with that sort of stuff. It's a matter of priority and what's important to them. And in my experience, admittedly limited, few people treat their computer as if it's anything other than just a box full of electronic parts. Can you imagine that? They treat them like toasters, stoves, MP3 players etc. When it gets mucked up badly enough they buy a new one. I don't know why I expect otherwise; we've created a throw-away society and its inhabitants have learned well.
Windows Installation (SP3 slipstreamed) takes about 20 minutes and about 10 to install a firewall and antivirus. So it's not time in my worthless opinion, it's priority and for most people proper computer maintenance is not only low priority, it's something they can pay someone else to do. Or in the case of a few I know, just turn the damn thing off and go play with their kids.
And given my last installation of Ubuntu had more than 100 updates this scenario is not limited to M$ products.
I would like all of you techies to step back with all your advice and comments on going without a firewall and NAT and all that nonsense.
Just imagine you are 65, computer illiterate, and want to go online with your new PC.
Obviously it requires patching? What's a patching, asks the 65 year old?
You, the 65 year old, phone the provider, get on broadband, and in the post is your USB dongle (since none of them are going to send you a broadband router unless you are paying extra).
So the 65 year old goes online and in 4 minutes he is infected; he spends another few months spreading infection deeper and further in the OS.
MS should have done better than this by now.
For a start, with all that profit (that don't go into no MS fanboys' pockets) they could have created a CD for online access, so all people using the OS at all levels who sign up with a provider get this CD sent to them........
Secondly, do they actually test any of their products before going live? Surely with all these excess open ports there should be a hardening package or a go-online utility? Go through and lock down ports not required..
No more advice for the bull of all OS's MicroShaft... sign up with us and we will shaft your day with lots of time spent on analysing why our OS sucks.
I have a dream and in this dream microsoft no longer exists. :)
Looking at the PDF thesis, I don't speak German so I have no idea what version they were testing. However doing a find on the string Windows, suggests they were testing versions of windows as far back as Windows 3.11 and NT4.0 and the only reference to Service packs seems to be "Windows XP SP1+, 2000 SP3". If that is the newest version they are testing, quite frankly I don't care - that these OSs are not secure is 5 years out of date to be classed as "news".
Yup, I remember that happening to me 4 years ago when I got broadband installed at home.
The Telewest technician had just got the cable modem installed, then we plugged in the Pre-SP2 laptop and blam... Windows would shut down with an intrusion before I could even get online for the updates. Unplugged the network connector and of course the computer started up just fine. Needless to say, the technician didn't have a clue what was going on.
Had to take the computer into work to connect to the firewalled network there to get the updates.
What version of XP, what service pack? What about Vista and OS X?
I know when I bought my new Mac the updates were over 500 meg. I use a wireless router but what would have happened if I had connected straight using an ethernet connection?
The web sites listed are not very useful either.
As someone who has owned Macs since the days of the Mac Plus I don't buy this Mac's don't get infected crap.
“Obviously it requires patching? What's a patching, asks the 65 year old?”
But I have the same problems with my Ubuntu box that rolls on patches seemingly day after day, and not all of them without issue.
As I said, this isn't really an issue with an XP SP3 or Vista install now, is it?
The risk is even less if you run your box as an ordinary user, not as an admin. I've been running like this for three years with few issues (non-security related), ALL of them caused by poor software, not Windows.
And that's coming from someone who is not just a Windows admin (Novell/Linux as well) and can look objectively at a situation; I also deliver training so I know the headache of using multiple platforms.
A guy decided he would install windows on his machine, he had previously been running linux, and due to some tests he had been running his machine was on the outside of the firewall on one network interface, and in the DMZ on the other.
He forgot to unplug the machine from the net, before he installed XP (I believe service pack 2, but it might have been 1, I don't recall).
The machine was hacked and compromised before he even managed to log in on the console, on the last reboot after the installation had run.
So yes it does happen, and it is almost certain it will happen if you don't keep a NAT in front of your machine.
I would not install a windows machine with any kind of network connections active. If patches have to come from the net, then at the very least keep it behind a NAT router/firewall, if you do not want problems.
Even better, download all patches using a secured patched machine, or even better pull them down with a non windows system, and create a patch disk, before you even think of starting a network connection on the newly installed machine.
I prefer to use other operating systems to pull down Windows patches, because their vulnerability is not the same as Windows, and if the pull-down carries a probe, they hit a wall, due to the heterogeneous systems. Then I scan the data for viruses/trojans/known root kits, before I transfer it to a CD or the machine that is to use it.
Paranoid - You might say, though I prefer to call it experience with microsoft products :-).
Unix based systems I do slightly differently: I remove all network services before putting a network cable on, and thus make the machine non-responsive to incoming data, and then pull down patches.
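A way to verify the last step the poster describes (that nothing is listening on the network before the cable goes in). This is an added example, not the poster's own script; it assumes the column layout of `ss -tulnH` (Netid, State, Recv-Q, Send-Q, Local:Port, Peer:Port) and the sample socket listing embedded in it is constructed, not captured from any real machine.

```sh
#!/bin/sh
# Added example: report listening sockets reachable from the network, i.e. bound
# to anything other than a loopback address. Run before plugging in the cable.
# Input format assumed: one socket per line as printed by `ss -tulnH`
# (or `netstat -tuln` with the header removed). Replace SAMPLE with
#   ss -tulnH | exposed_listeners
# on a real machine.

# Print "proto local_address:port" for every TCP/UDP listener not bound to
# 127.0.0.0/8 or ::1. Unix-domain, raw and other families are skipped.
exposed_listeners() {
    awk '
        $1 != "tcp" && $1 != "udp" { next }            # only IP sockets matter here
        {
            laddr = $5
            n = split(laddr, parts, ":")                 # port is after the last ":"
            addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            if (addr ~ /^127\./) next                   # IPv4 loopback
            if (addr == "[::1]" || addr == "::1") next  # IPv6 loopback
            print $1, laddr
        }'
}

# Constructed sample in `ss -tulnH` layout (assumption; not real output).
SAMPLE='udp   UNCONN 0 0 0.0.0.0:137   0.0.0.0:*
udp   UNCONN 0 0 127.0.0.1:323  0.0.0.0:*
tcp   LISTEN 0 0 0.0.0.0:445    0.0.0.0:*
tcp   LISTEN 0 0 127.0.0.1:631  0.0.0.0:*
tcp   LISTEN 0 0 [::]:22        [::]:*
tcp   LISTEN 0 0 [::1]:5432     [::]:*
u_str LISTEN 0 0 /run/dbus/system_bus_socket 12345 * 0'

# Returns 0 only when nothing is exposed; otherwise lists the offenders and returns 1.
check_ready_for_cable() {
    exposed="$(printf '%s\n' "$SAMPLE" | exposed_listeners)"
    if [ -n "$exposed" ]; then
        printf 'Exposed listeners (do not connect yet):\n%s\n' "$exposed"
        return 1
    fi
    echo "No network-reachable listeners; safe to connect."
    return 0
}

check_ready_for_cable
```

On the sample above the check reports the NetBIOS name service (udp/137), SMB (tcp/445) and SSH (tcp/22) as exposed and refuses; the loopback-only CUPS and PostgreSQL listeners and the D-Bus Unix socket are ignored, since they cannot be reached from the wire.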
Gee, this is really what irritates me about computers. You've got a simple requirement: bring up a new machine securely. A pretty basic requirement for a computer.
The security people in the article recommend the purchase of a computer to protect your computer -- something called a "NAT router with firewall". Apparently there's no chicken-and-egg problem with this idea.
The previous poster recommends yet another product, with its own meaningless terminology ("slipstreaming"?) and hours to be wasted. Oh, and the need for another computer to prepare the CD with. And that computer was installed and nLite downloaded from the Internet without chicken-and-egg issues just how?
Both Ubuntu and Fedora look simple enough to bring up with all updates applied. But here's the rub, they don't do this by default. That's right, the secure alternative isn't the default.
It looks nearly impossible to bring up MacOS with all updates applied. The saving grace here being that MacOS doesn't have a huge number of open ports running insecure protocols when it starts, so there's a good chance for the updates applied after boot to win.
In short, all OSs currently suck for Joe Average doing an installation on an unfiltered Internet connection. And you're not going to be able to hide Joe Average behind that NAT gateway anytime after ISPs roll out IPv6 to customers.
(arrogant self-important geeky voice) "My free open source operating system is the mutt's nuts, bow down to the almighty Linux, the sun shines out of its posterior"
(arrogant designer type know-nothing bozo) "Macs are just so amazing, we can't be own3d, Steve Jobs is a minor deity"
(Joe Public windows user) "I'm running windows 2006 with interweb explorer AOL thing, the sales guy says so long as I've got a virus wotzit I'm safe, plus I've got a BT home rooter."
Paris because she was own3d in less than 3
"As someone who has owned Macs since the days of the Mac Plus I don't buy this Mac's don't get infected crap."
If you'd have plugged an unprotected Mac into the internet without a firewall, you would be quite safe today. No-one (up to now) has a remote exploit for the Mac. Yes, of course you should patch your Mac and run behind a firewall, but today, there's nothing to fear.
Macs don't get exploited remotely. That's not crap, that's just the state of affairs today. Tomorrow this could change, but today, that's just the way it is.
"The risk is even less if you run your box as an ordinary user, not as an admin. I've been running like this for three years with few issues (non-security related),"
My experience from a Windows install is that the initial user is admin! There is no requirement to put in a root password to install anything...
"ALL of them caused by poor software not Windows."
Ahem, that's why Ubuntu, Debian and all the rest of them have central repositories, so there is no need to go to HTTP and download 3rd party software, which is the source of a lot of the issues...
Two main flaws in windows if you ask me.. This is not evident in Linux
Also 1 last issue - FS partitions. Linux install: OK if you're a noob all goes in one, but for me it's always been things like home gets its own partition - so sure, format the OS partition as much and as often as you like - your data is safe, unlike c:\Documents and Settings\Blah
"spaces in folder names is not clever either by the way"
lol
>>Within seconds of being issued an IP address by the RAS server you would start getting pop-ups. At that time, the simple addition of SP2 would have solved most of the problems. Unfortunately the clever souls that created the builds were convinced SP2 "breaks everything", and the clever users kept clicking on the 'Ok' button. Still, fixing their mistakes kept me in a job for a while.
Erm, why not just disable the Messenger Service on Windows?
No pop-ups then.
Takes 5 secs to fix.
I like installing XP without SPs; it's fun trying to update Windows before Blaster popped up shutting down the PC lol
In my city (Cincinnati, in USA) my ISP gave me a NAT router as a matter of course, a little Cisco box the size of a paperback book. That little router has NAT built in, I didn't have to do *anything*. Naturally I have a dynamic IP, but that's never been an issue.
I'll admit the phrase "on the internet without a router" leaves me puzzled. How, exactly, does one get to the internet without either A) an ISP to handle all the messy details (home users) or B) a considerable effort on the part of the IT department (corporate users).
Either way, NAT is the cheapest and easiest protection there is, most routers have it built in as a matter of course. Assuming your ISP/IT department is so criminally negligent as to give you an unfirewalled/non-NAT connection to the net the fault lies with them!
This BS about management not giving IT time to properly connect a system to the net is drivel. In a corporate environment you *can't* hook directly to the net! You have to go through the local LAN--which will have a router between you and the net.
Unless, of course, you hire idiots to run your networking center...
I've had a machine that came with a pop-up at precisely 17 seconds after connecting to the internet (happened all the time) but this was Windows 98 over dialup, and fortunately it was only a pron advert (nothing malicious).
Whenever I'm called upon to sort out a machine or to install a new one for someone I always tell them that the difference in price between a router and a USB modem is a hell of a lot less than the cost of getting me out to fix the b****y thing when it goes wrong, which is usually within the first month.
</rant>
If they still insist on using a USB modem on a new (unpatched) machine I tend to connect them through my spare router initially to collect the updates then install the Modem. Takes a little longer but saves me a few trips usually.
"Just imagine you are 65, computer illiterate, and want to go online with your new PC."
I'm 32, no driving licence, no idea how to drive a car, but I can figure out how to "turn it on". So, I should just step up to a car, hit the gas and away we go... Sure, I'll kill myself and probably someone else too, but it's NOT my fault, it's the car maker's, because they made a car a clueless dumb@ss could not drive safely....
The "users are dumb/clueless/illiterate" argument has been used again and again. Still stinks. Either get an education like techies did (no, we weren't born "in the know") or get shafted and take it like a man.
In the end, like most things in life, your problem, your responsibility, do as you see fit, and deal with whatever comes back to bite you.
Death.... complain to it that you didn't know better. Fat lot of good it will do to you...
>>"The security people in the article recommend the purchase of a computer to protect your computer -- something called a "NAT router with firewall". Apparently there's no chicken-and-egg problem with this idea."
I'm not sure there *is* a chicken-and-egg problem.
I don't recall seeing many news stories about router/hardware firewalls getting compromised.
In fact, I don't recall seeing any.
That's presumably why most people who know about them (not just security pros) would consider them a good idea, particularly for Windows users, and especially since they aren't exactly expensive.
On the other hand, my experience of *software* firewalls has been rather underwhelming, with some seeming to have a habit of just stopping working for no reason (on machines seemingly free of malware).
[Quote]
By Anonymous Coward
Posted Tuesday 15th July 2008 15:38 GMT
“Obviously it requires patching? What's a patching, asks the 65 year old?”
But I have the same problems with my Ubuntu box that rolls on patches seemingly day after day, and not all of them without issue.
[/Quote]
You do realize that you are probably >90% of the time not patching the OS, but instead applying updates to packages? Don't you?
"Also 1 last issue - FS partitions. Linux install: OK if you're a noob all goes in one, but for me it's always been things like home gets its own partition - so sure, format the OS partition as much and as often as you like - your data is safe, unlike c:\Documents and Settings\Blah
"spaces in folder names is not clever either by the way"
------------------------------------------
I'll agree that spaces in folder names were a silly idea, that's obviously why in Vista the Docs and Settings folder is now just Users ;-)
As you say, defaults are always for noobs, as you put it. A default Linux install slaps everything in one area; so does Windows, but I've never run a Windows box without redirecting the Documents folder to another partition or physical drive. It's an insanely easy process as well, just right click and select target.
-------------------------------------------------------------
"My experience from a Windows install is that the initial user is admin! There is no requirement to put in a root password to install anything"
Yes but other new users that you create are basic users.
-------------------------------------------------------------
Anyway, we're getting off track here. The point is that pointing out that 5 year old code has flaws is pointless; ALL code has flaws. It's time to fix that is important, an area where I do think MS could improve.
You do not need a licence to use a computer.
You do not sit a test of competency to use a computer.
You do not break any rules by getting hacked.
AC, about the Windows install, when making your own partition for Documents and Settings:
What if you purchase a PC from a shop with Windows? Does it come with separate partitions?
Or how about when you do an install, does it come up with clear, concise questions about partitions etc, a separate slot for boot, separate for swap, separate for home etc? Last time I installed Windows this was not the case, but then it was donkey's years ago....
It's not unreasonable to expect that you ought to be able to buy a computer in a store, hook it up to the Internet, and be able to use it with no more fear of someone in the outside world being able to interfere with it... than one would be afraid of having a mechanical adding machine or a rotary-dial telephone "hacked" in some fashion.
Consumers expect their television sets, automobiles, and refrigerators, when made and sold by reputable companies, to work reliably. Why can't the makers of computers meet the same standard?
And, despite being made cheaply these days, computer hardware meets that test. Software could meet that test too. Check very rigorously for possible buffer overflows or race conditions. Do not add features that allow remote execution, like Java or JavaScript, until *after* they've been perfected - and are sitting behind two layers of sandboxing.
Put the important parts of the operating system in ROM, and the rest of them on a separate read-only hard disk - that gets made writeable by a *physical switch* on the computer case during OS installation! Prevent dialers by only having modems with buttons for dialing on them (yes, you can program in your ISP's number for one-button dialing, but you do that from the modem front panel, not from your computer, which has no way to access that function _at all_).
One could make computers as secure as people expect, with simple instructions that would ensure this made them only slightly more complicated to use. Perhaps many computer users are not the computer experts they ought to be; but surely the big computer companies are the ones truly without excuse?
Years ago, when the Sasser worm had been doing the rounds for a couple of months, I got a call from a customer who had bought a PC from PissyWorld. She plugs it in, bungs in the disc to get BT Dial-up, it connects to get her details and set up the account, and the PC starts shutting down. Then every time it rebooted it would start to shut down again. All it needed was for PissyWorld to give the customers a floppy with the M$ patch on it and to say: before you go on the internet, install the patch on the floppy.
This was sometime in the summer of 2004 and you can bet the PC had SP1a and nothing more on it.
Maybe the vendors can't be expected to keep the PCs up to date before they sell them, but the Sasser worm was so prevalent that it should have been a special case.
The local vendors who hand build PCs and, in my case, make sure that they are up to date before going to the customer may be a bit more expensive, but price isn't everything.
I've had plenty of unprotected NT4 and 2K machines on the net without problem with either nothing or a cheesy ZoneAlarm type firewall. And those NT4 machines were never patched, because, well, you had to download and install them all by hand.
Frankly, for what they are talking about you don't need patches if you are not browsing. All you need is a decent firewall like Kerio 2 from about 5 years ago that keeps Windows from bleeding out the 2000 odd ports it exposes to NetBIOS and such.
Routers get corrupted all the time. Anything with a network connection and write access is vulnerable.
It seems to me that this article was targeted at those of us who build our systems, and not at those who purchase loaded gear from a retailer. Installing any OS involves patching it. This article was simply relaying the results of research performed by one company on a couple of Microsoft products. There's nothing to be learned from this unless you have never given thought to the risks of networking an unpatched system.
I've never had a Posix system compromised during setup, but I could see how it could happen ... if there were as many malware bots actively looking for them as are constantly seeking out MS installations.
You protect what you can and deal with the rest. The article provided a word to the wise for newbie installers, and gave the rest of us something to kvetch about.
USB modems are a rare breed these days, I would say. Even BT wouldn't give out one of their old frogs now: a) they want to plug HomeHub, but more importantly b) the USB modems are a notorious nightmare for support as they were more than likely the main cause of connection problems. I remember even NTL used to strongly advise against connecting their modems via USB because of all the hassle it caused and would ship Ethernet cables to customers as the immediate solution regardless of what the problem really was.
Anyway, the majority are no good for "8mb+" broadband. Yeah we know it's a myth but even to get beyond 1mb you really need a proper dedicated router/modem.
Besides that the majority probably get wireless broadband routers for free with their ISPs (not knowing why they need one). All NATed up and ready.
Biggest risk from ISP hardware is use of WEP encryption and default passwords, but even that's a low risk really.
However, a company I worked for used to be anal about security, firewalls and virus scanners, but their laptops that were the only authorised ones to go onto the network would go out of the office with no firewall at all, and I'd seen one plugged direct into the net with no NAT and sure enough within minutes it had pop-ups all over.
Though these pop ups are really nothing to write home about. Just old netbios message windows, like the kind you used to get to tell you your print job had finished.
Another thing. Of the "clueless" who buy from PC World etc, who would really end up with a PC with raw unpatched Windows XP pre-service pack? Likely they'll be shipped with the latest service pack at least (with Vista these days anyway), which has enough lock downs to get you going. In the case of Vista, probably enough to stop you getting anywhere in the first place ;)
By way of an attempt at humour.............
Tonight I have been running a modern AMD with XP Media and a five year old Dell with XP, both behind a rather 'nice' IPCop firewall.
The media centre PC has crashed/died 4 times in as many hours, and the vanilla XP just BSoD'd.
[of course, I will check to see if anything nasty got in, but]
I agree an unprotected PC on the interweb will only survive for minutes............................... but how long do they last anyway?
So, your computer at home was connected to the internet without any kind of protection, and you got what appeared to be a remote exploit, or at least some kind of potentially malicious code run on the machine.
You then took it into work and exposed your works network to your machine?
"Well, I've got home, locked the house doors, and set the alarms. Now, I'm going to juggle with nitroglycerine because what with the doors being locked and the alarm being on, I must be safe, right?"
Do they do the IT equivalent of Darwin awards yet?
Steven R
It's not unreasonable to expect that you ought to be able to buy a computer in a store, hook it up to the Internet, and be able to use it with no more fear of someone in the outside world being able to interfere with it... than one would be afraid of having a mechanical adding machine or a rotary-dial telephone "hacked" in some fashion.
Consumers expect their television sets, automobiles, and refrigerators, when made and sold by reputable companies, to work reliably. Why can't the makers of computers meet the same standard?
The difference is you don't have people coming into your home trying to break your TV, fridge or car.
Out of the box it does work. Would you blame the car manufacturer if you installed a radio that killed the electrics in the car?? Would you blame the auto manufacturer if someone steals your car???
Look, much as I hate rising to the defense of Windows, this is about a network probe of some sort equaling a compromise which, of course does not necessarily follow.
Unless I am greatly mistaken - and I am often greatly mistaken - what it does show is that unsolicited network activity believed to be aimed directly at Windows systems (let's say 1 every 35 minutes) is on the order of 20 times that believed to be aimed at Unix systems (1 every 700 minutes) which, given that the install base is about 10:1 in Windows' favour, is probably worse than it should be.
Basically, if you had an imaginary unix system vulnerable to all vulnerabilities that the probes ascribed to unix systems were targeting, and an imaginary windows system vulnerable to all the vulnerabilities that the probes ascribed to Windows systems were targeting, and then you ascribed the remaining non-specific probes proportionately between the two, and you connected both to the internet with no boundary protection, then hit yourself with a great big lump of wood you idiot. You probably built your own car out of thirty years of Ford manufacturing defects. Yes, your arse is wet and the electrics make your pacemaker skip. Sky blue. Flowers pretty.
Now the disproportionate activity on the Windows front is another thing altogether. Newsworthy, it may well be. Now I may justifiably resume my slightly hypocritical, slightly self-loathing stance of deriding Windows while still being partially dependent on it.
Oooh! I AM a dirty boy! Tell me I'm a dirty boy!
Yeah, a bit more reporting would be nice. What OS/patch level on the box?
As for the morons here going on that they can have a windows box pwned in a minute or so, have you not heard of the concept of "average"? The *average* time a box is compromised is apparently 4 minutes - which of course means that individual boxes could take seconds or days to be compromised.
The story was just meant to illustrate the Catch-22 problem of setting up a pre-SP2 PC with a standard domestic broadband connection. You needed the connection to get the updates, but the problem the updates were supposed to solve came over the connection before the updates arrived. It wasn't meant as a step-by-step guide to fixing it, so I skipped to the end of the story with the comment about getting the updates over a more secure connection without filling in all the middle bits about scanning and cleaning up the PC first.
I don't remember there being any nitroglycerine left at that point!
I have a roaming connection that consists of a USB GPRS modem (which sticks by velcro to the back of my laptop's lid). There is no way to install a hardware firewall. Four minutes? The first time I used this connection with a (throw-away) fresh, unpatched XP, it took somewhere between 20 seconds and 20 minutes to be compromised - I didn't time it properly. The second time, it took two minutes. Each time, that system got so infected that I didn't dare do ANYTHING serious with it, but just repartitioned and reformatted the disk as soon as I got home.
A hardware firewall / NAT router is probably 99% of the solution. If you have an unpatched Windows system, though - or even a patched one, though it's less critical there - a personal software firewall is a good way to protect against rogue code from web sites etc, and also helps contain problems if you do get them. It does help.
Yes, all operating systems get updates. If you don't like that idea, I'm sure someone can find you a copy of MS-DOS version 1; or maybe you'd rather go for QDOS? But Windows has a lot of problems that allow external attackers to take control of your system, whereas other operating systems have much less critical faults. I'd like to see anyone try to argue that Linux security holes are as much of a problem as Windows holes.
Like I said, all those people who bought the retail version should be allowed to have a new version of the installation media with all the patches applied. This is MS's fault; they can't write a secure OS, so they should have to pay to put it right.
I've had several boxes (XPSP2 no AV, no nuffink) on and offline for the last year or so, with maybe a load of spyware, but nothing that can't be broken easily enough, and I have suffered very little. It's very simple - keep the stuff that matters to you on external static/optical/mag media, use virtual O/S that run in RAM with no HDD, or just blow away and reimage the box every Sunday. Hardly much effort, and a lot cheaper than worrying about keeping up with licenses for bloated AV/Firewall shit.
If you want to do anything questionable or anything which could be used against you in any way, do it from a public access point or hijack some peon's AP.
People worry about the wrong things mostly... if someone wants to steal your identity, or fuck you over somehow, I'd be far more concerned about the criminal element in government and their quango buddies than some nerd with a few hijacked boxes and some scripts. Once your biometric data goes onto the NIR, and some crook in authority has access to it, that's it for life. You can't change your fingerprint or retinal signature.
Four minutes? Four minutes till some relatively harmless piece of code gets installed which does what exactly? Makes your PC run slow? Makes it unstable? Uses some of your bandwidth? Just blow it away and start again.
Obviously it makes sense to protect yourself online as much as possible, but the ramifications of not doing so are likely to be trivial. Unless you consider having to reinstall an OS as some kind of crisis - in which case you should really probably sit under a large tree and have a good hard think about life.
Routers with NAT/firewall functionality can be obtained from about 10 pounds and up; I myself am using one that cost about 29 pounds and is about 4 years old.
Default configuration of these is to deny all, unfortunately they also enable UPNP.
Make sure you disable UPNP, as (afaik) it allows software to create holes in your firewalls, and unfortunately this feature is enabled in almost all cheap firewalls. As I understand it, UPNP provides a way to go through a firewall (from the internet - the wrong way), and thus opens your system to attack, and requires no security to alter the firewall protections.
I recommend these cheap routers as a solution to all who own a computer and don't know much about computers, as it goes a very long way to securing your system, and is a very cheap way to avoid problems. Ofc firewalls do not protect against malware downloads.
"What if you purchase a PC from a shop with Windows? Does it come with separate partitions?"
From a good shop yes; from Dell, HP and the rest I doubt it. Some Acers seem to.
"Or how about when you do an install, does it come up with clear concise questions about partitions etc., a separate slot for boot, separate for swap, separate for home etc.? Last time I installed Windows this was not the case, but then it was donkey's years ago...."
No, but then (and I can only comment on Fedora and Ubuntu) I only remember seeing those options when manually configuring an install, just the same as Windows. If you let it auto-partition you get a separate swap and the rest (/home, /var and so on) are all stuffed in one partition.
Hey, wait a minute Vahid. Making the 65+ crowd sound like a bunch of imbeciles?
While I'm not there yet (I've got another 15 years or so), I'm a member of a computer club where the average age is in its 70's. You go to GRC.COM and the newsgroups are crowded with retirees. There was even a recent thread where people talked about teaching senior citizens (including their parents) Linux. One guy said one of his first senior citizen students who has used most main distributions and stuck on fedora was having their 101st birthday.
Next time you use a group as an example of stupidity, find out more about them first.
BTW: what about the Taterf worm? The WBE id10+s that turn off their AV and PFW for a performance boost and download a bunch of cracked software that infects their machine. Of the 330 million MS found in the 1st week, I doubt very many of them were senior citizens.
My wife's HP machine came with XP and SP1, and ran for years without problems. Recently it has crashed repeatedly and often all the way down, and after many re-installations of the OS, assisted recently by my (fairly cheap but not free) SP2 disk from M$, I decided the problem has to be the hard drive going south. The machine is capable of doing all the things we need, and much of our software and even hardware is not Vista-compatible, in particular the HP scanner for scanning her artwork is no longer made, and had compatibility problems with SP2 until I got patched for that, and our WordPerfect is not Vista-ready.
Yes, I am over 65, but first used a computer in 1963/4 (paper-tape input, printed output, no graphics, wrote my own near-machine-code programs), have designed ICs for decades, both before and with computer software assists, but now I am wondering if I am just not getting the OS updated fast enough on the re-installs. My ISPs assign an IP when I connect (yes, I have been involved in IEEE 802.3 committees, so I know what an IP is), but how do I protect against being "own3d" before I have the updates downloaded? And if I go on a business (or other) trip, how does my (non-techie) wife handle it?
I do like the idea of M$ providing an updated installation disk, since they originally put the holes in the OS. But would they do that for XP? Moon$Hine dreaming!
http://grc.com/default.thm
These can help
The DCOMbobulator 1,634,863 downloads.
DCOMbobulator allows any Windows user to easily verify the effectiveness of Microsoft's recent critical DCOM patch. Confirmed reports have demonstrated that the patch is not always effective in eliminating DCOM's remote exploit vulnerability. But more importantly, since DCOM is a virtually unused and unneeded facility, the DCOMbobulator allows any Windows user to easily disable DCOM for significantly greater security.
Shoot The Messenger 2,144,420 downloads.
Even before the latest DCOM/RPC vulnerability (see above), many Windows users were being annoyed by "pop-up spam" notices appearing on their desktops. This intrusion is also facilitated by an exploitation of port 135. Our free "Shoot The Messenger" utility furthers the security of Windows by quickly and easily shutting down the "Windows Messenger" server that should never have been running by default in the first place.
UnPlug n' Pray 2,837,124 downloads
As originally urged by the FBI, and still urged by prominent security experts, our UnPnP utility easily disables the dangerous, and almost always unnecessary, Universal Plug and Play service. If you don't need it, turn it off. (For ALL versions of Windows.)
XPdite 1,090,543 downloads.
A Critical Security Vulnerability Exists in Windows XP. (Surprise) Actually, as we know, there are many, but we'll handle them one at a time. This particular vulnerability allows the files contained in any specified directory on your system to be deleted if you click on a specially formed URL. This URL could appear anywhere: sent in malicious eMail, in a chat room, in a newsgroup posting, on a malicious web page, or even executed when your computer merely visits a malicious web page. It is already being exploited on the Internet.
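The GRC utilities listed above, like the "disable UPnP on the router" advice earlier in the thread, all turn off the same handful of Windows-side exposures. The following PowerShell script is an added example, not GRC's code or anything from this thread: it reports the current state of DCOM (the `EnableDCOM` value DCOMbobulator flips), the Messenger and UPnP services (Shoot The Messenger and UnPlug n' Pray), and whether TCP 135 is listening. It assumes PowerShell 5+ on a modern Windows with the NetTCPIP module; on XP-era systems the service names are the same but `Get-NetTCPConnection` is not available.

```powershell
# Added audit example (not GRC's code): report the state of the items the
# utilities above change. Read-only; it changes nothing on the machine.
function Get-LegacyExposureReport {
    $report = [ordered]@{}

    # DCOM: DCOMbobulator sets HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM to "N".
    # Anything other than "N" (including a missing value) means DCOM is enabled.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $report['DCOM enabled'] = ($ole.EnableDCOM -ne 'N')

    # Services: Messenger (Shoot The Messenger), upnphost and SSDPSRV (UnPlug n' Pray).
    # On current Windows the Messenger service no longer exists and is reported as such.
    foreach ($name in 'Messenger', 'upnphost', 'SSDPSRV') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            $report["Service $name"] = 'not installed'
        } else {
            $report["Service $name"] = "$($svc.Status) / startup $($svc.StartType)"
        }
    }

    # TCP 135 is the RPC endpoint mapper the DCOM exploit and the Messenger
    # pop-up spam both relied on; note whether anything is listening on it.
    $listen135 = Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue
    $report['TCP 135 listening'] = [bool]$listen135

    [pscustomobject]$report
}

Get-LegacyExposureReport | Format-List
```

A machine that has applied the advice in this thread shows `DCOM enabled: False`, the UPnP services stopped with startup `Disabled`, and `TCP 135 listening: False`; a listener on 135 behind a NAT router is not reachable from the internet, but it is still reachable from the neighbouring machines on the same ISP net block that the research later in the thread describes.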
I noticed how much slower my pc[the one I'm typing on now]was after installation of all of the Microsoft updates, and that seemed somewhat counter productive. So...
I decided to run a little experiment.
I reinstalled windoz, went to the update site and installed everything I reasonably considered necessary BUT made a point of NOT installing anything with "security" and/or "critical" in its description.
The experiment continues.
I like the ladies. hahahaha
I also visit sites which deal with controversial subjects.
I go where the hell I want on the net.
I run zonealarm free firewall.
About every couple of weeks I do an online scan and occasionally d/l a free antivirus, update it and run a full scan. THEN UNINSTALL. NO "WATCHERS".
Now, not to piss on Bill's bonfire but.... what's a virus again?
Have none.
Have had NONE. AT ALL.
Security my bottom.
"Update"........ experiment has now been running for over a year, and will continue.
Security my arse.
The vulture = the death of common sense.
Now ya'all have a nice day now.
Most of the "UPnP is bad" comments come from a distinct lack of understanding of security issues and practice.
Sure there are potential security vulnerabilities with some UPnP implementations, and in some environments (e.g. company network) you probably don't want it but that's more for staff policy reasons than because of security issues.
In most cases, UPnP can be MORE secure than not having it. It's absolutely true UPnP allows a PC on your network to open ports on your firewall, but if your PC has been "pwn3d" then it's a bit late anyway, and it's pretty damn trivial for the virus/trojan to create connections to the Internet without UPnP.
Assuming your PC isn't infected, UPnP allows you to run certain software apps without having to do permanent port-forwards on your firewall.
It doesn't take a rocket scientist to understand that an on-demand, randomly allocated open port is more secure than a permanent, fixed port (or, worse still, port range) which is always open even if it's not needed.
Go fuck yourself Mr Colley. You said...
"MS's biggest crime is letting people who have no idea how to use a computer think that they're superusers.
If you can't use Linux then you can't actually operate a computer -- you can only play games produced by Microsoft and Apple."
Most people have better things to do than learning all the ins and outs of Linux... actually, let me rephrase that - I'm no Linux hater, indeed full respect to the penguin aficionados out there - but people have different priorities. I spend a significant part of my life working, writing carefully written reports amongst other things, and outside that time I swim almost every day, enjoy cycling, watching football and playing it (badly), cooking, reading, seeing friends, volunteering, going to galleries, making love (to someone other than myself), and generally doing stuff that doesn't involve being sat in front of a small screen.
And now you tell me that basically I shouldn't be allowed to use a computer because I don't know how to use Linux - how stinkingly elitist and full of shit is that. I keep my Windows fully patched and scan for malware of all sorts regularly using a variety of different tools and observe good computing practice, and help my friends and family to do the same.
When I step back and take a look at this I do wonder whether a Mac would be a better idea, as a computer that would entail less time fannying about making it work as opposed to more. You're merely confirming my suspicions about Linux - that it is an operating system that you need to get highly involved in. I want to get highly involved in things other than my computer's operating system.
There were computers which had their OS on chips called ROMs (Read Only Memory) which couldn't be erased easily (you could fry 'em with static, I s'pose); then some bright spark decided (as there was a chip shortage) to bung the OS on hard disks. This, in my 14-year-old mind, was a recipe for disaster, but hey, folk wanted to make money. Anyway, us youngins should be doffing caps to the seniors, as it was they who started all this computing nonsense off. It's been fun over the last 30 years faffing about with biscuit tins of electronics and getting it all to work. The floppy disk is dead; if that's the case, why are they still being sold?
The point of the research was not "let's prove that it's not a good idea to put an unpatched Windows computer on the net". After all, these computers were *meant* to invite infection.
This experiment demonstrated in a simple (headline-grabbing) manner that despite over ten years of the Windows security industry and many fixes by Microsoft, there are still so many *already* compromised Windows computers on the net that a honeypot computer will be infected extraordinarily quickly.
Look at the research: these attacks weren't being made from some bunker in Siberia; the vast, vast majority were from the same net block that the computer was connected to, i.e. ordinary people's computers connected to the same ISP.
So forget about how great your computer practice is, or how you think people "ought" to use computers, it's not about *you*.
This is a peek into the real world of millions of Windows systems herded into botnets, spreading worms, compromising people's privacy and security, degrading people's experience on computers and the internet, and a certain part of the computer industry that seems either unwilling or incapable of solving it.
That is the biggest load of garbage I've ever read.
The idea of patching of Windows, Linux, Mac OS or whatever is to correct problems/plug holes that weren't known about when the OS was released or have been introduced as a result of previous patching/new features.
What you are referring to is a Linux Live CD but bear in mind that hardware that requires specific drivers may not work if the driver isn't present on the CD.
If my memory serves me correctly, OEMs are not permitted to make their own build CDs anymore (as in the days of Win 95), so that's why there is no slipstreaming, but there is nothing to stop you making your own build DVD :)