back to article Unpatched Windows PCs own3d in less than four minutes

An unpatched PC is likely to last just four minutes on the internet before being attacked and compromised. The time it takes for a PC to get itself owned varies by operating system and what activities a user engages in - but even allowing for this, putting an unpatched Windows PC directly onto the net in the hope that it …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Happy

    Oh well.

    It wouldn't happen to a Mac.

  2. Chris Jones-Gill
    Unhappy

    Never enough time

    Funny how there is never enough time to do a job properly, but there is always enough time to do it again.

  3. Anonymous Coward
    Stop

    On the merry-go-round again...

    OK, here we go again....

    As you enter, please take a ticket. Please select one of the following.

    1. "My Windows is better 'cos it's got the latest security patches straight from MS!"

    2. "My Linux box would not get onwed, 'cos it's got open source code I can check!"

    3. "My Apple box is rock solid and would never get owned, it's so secure!"

    Thank you for your patience, your rant will be along soon.

  4. nforcemac
    Thumb Up

    The answer is easy......

    Buy a mac..........

    /me giggles to himself like a girl!

  5. Avi
    Joke

    Standard Linxy comment

    <standard wouldn't-happen-with-open-sauce-comment>

  6. Anonymous Coward
    Stop

    Dumb ass "experts"

    "personal firewall before connecting systems to the net"

    Prey tell, how does the average home user download the personal firewall (I'm guess they are on about standard, non SP2 XP machines).

    Bit like the "Tech Support" pillock who many years ago, kept telling me to download the drivers for my modem, so that I could connect up...

  7. Gareth Jones Silver badge

    Hold on a mo...

    What sort of eejit would connect a computer directly to the net in the first place? Surely it would be sitting behind a firewall at the very least?

  8. a walker

    Security experts advise

    "Security experts advise using a NAT (network address translation router) and personal firewall before connecting systems to the net"

    Given that most Network Address Translation Router include a Firewall which stops traffic originating on the internet from reaching the internal network. After recently upgraded my Router/Firewall I can also limit the outgoing protocols that can be sent onto the internet. So what benefit is obtained by having a personal firewall?

  9. Anonymous Coward
    Anonymous Coward

    Casper the Friendly Ghost

    Why put anything in an exposed position? If it's going to spend its life behind a hardware firewall anyway, why build it outside, and if it's not, then "(mis-)management" should be politely told that the machine will not be supported if it's not correctly protected. If it needs doing "ASAP" then it should have been planned sooner: your planning fuckup is not my emergency.

  10. Ryan
    Stop

    I would think...

    that this is only relevant to people with USB modems?

    Anyone doing fresh installations probably has a home router anyway!

  11. adnim

    About right.

    Several months ago out of curiosity I setup Windows XP SP1 as fresh install on VMware using a Debian host, XP was configured with a static IP set up in the DMZ. An Agobot variant owned its ass so quickly I actually laughed. I rarely ever find anything funny, as in funny ha ha, about using a Microsoft OS.

    Credit where it is due though, XP SP3 after so many years of patching, fixing and updating has now reached such a level of stability, reliability and possible security (I don't use IE, Windows mediaplayer or messenger). That I find it a pleasure to use. I still wouldn't leave it open to the Internet though. In fact I don't leave anything open to the Internet 'cept my Honeynet.

  12. Eddie
    Stop

    4 minutes - enough time to own windows /and/ boil and egg....

    I remember way back when, I was re-installing windows XP on a machine at home - and within no more than about 1 minute I got the windows system process initiating a shutdown (Blaster?)

    I cancelled the shutdown, downloaded the patches, burnt them to CD, and re-re-installed, this time offline, and didn't go back online till I was as convinced as you can be of windows security

    If it's taking hackers 4 mins to own an unpatched Windows box, they're slacking.

  13. This post has been deleted by its author

  14. Scott
    Paris Hilton

    Not surprised

    Did an XP rollout a few years back - unpatched SP1 machines, still connecting over dial-up. Within seconds of being issued an IP address by the RAS server you would start getting pop-ups. At that time, the simple addition of SP2 would have solved most of the problems. Unfortunately the clever souls that created the builds were convinced SP2 "breaks everything", and the clever users kept clicking on the 'Ok' button. Still, fixing their mistakes kept me in a job for a while.

    Paris - because she knows all about getting own3d on the internet.

  15. TimM

    NAT

    A NAT router with no open ports to allow inbound traffic to said PC would probably be enough to keep it safe until it's service pack & patched up. Plus ensuring the only web site you go to is Windows Update.

    I wouldn't trust in one of those freebie 'trial' copies of Norton that comes shipped with OEM distributions that are likely years out of date out of the box and will spend hours downloading masses of bloat to cripple your PC just to get it up to date, and then you realise you need to get rid of it and install a decent AV/firewall solution before you've even had a chance to patch Windows.

  16. ben

    Yeah own3d

    Own3d, what a totally Mexico phrase dude. Or issit geek speak used by shorditch twats that live for youtube videos of grannies getting run down in hysterical circumstances... pwnage!

  17. Anonymous Coward
    Thumb Up

    Who owns the risk?

    "This best practice can create tensions between management, who want new systems up and running as quickly as possible, and security admins."

    Very simple way around this. Give this form with something like the following to managment.

    I _____________ accept that by not following best practises recommended by the ________ (insert company name) Information team I put at risk the security of any finanical or customer data that our company holds and the availability of our systems. I accept that any fines, notification or bad publicity attibuted to these actions will be a direct result of these actions and that by signing off on this risk accept any action that the company or regulatory authorities may take against me.

    SIgned __________________________

    Works Everytime

  18. Kerberos

    Really?

    How on earth did a corporate IT department manage to screw up that badly and put an unpatched machine out there?

    1: They only have a 7 year old disk?

    2: Are they unable to slipstream the installer with SP2

    3: Can't they just download SP2 and keep it on CD?

    4: The corporate machines are unfirewalled and un-natted?!?!?

    5: Don't you install from images anyway?

    I wouldn't want these IT people anywhere near any company I work for.

  19. Tawakalna

    4 minutes? so what?

    I've seen Windows boxes get pwned by nastiness within 60 seconds, as have many other people (Blaster, Nimda etc) 4 minutes isn't even trying!

    so where's the news angle?

  20. Jerry
    Stop

    NAT Router??

    Given that the vast majority of home computers are behind a NAT router. 100% of unsolicited exploits will be killed in the bud.

    Exploits caused by the unfortunate user navigating to the wrong web-site are more likely. But 4 minutes? Not unless the user is an inveterate porn cruiser.

    How about you revise your average exploit time to months rather than minutes

  21. Nik Simpson
    Thumb Down

    Need to be specific about what version of Windows!

    This might be a more intersting article if it happened to mention what variety of Windows it refers to. For example, if "unpatched Windows" refers to say Windows XP SP1, then this revelation comes in the "duh, no s**t Sherlock" category. If however it refers to say Windows Vista without SP1 installed, then its a tad more alarmainf

  22. Anonymous Coward
    Jobs Horns

    The Apple Solution...

    Apples answer to this is to sell you the same operating system plus service pack every year (how many times has the average mac user bought OSX since XP was released?)

    If MS 'retired' the original XP and charged for XP2 would we be having this discussion? Thought not...

  23. Scott
    Coat

    Infection

    We'll it takes me about 4 minutes to "infect" my missus and that includes the fag, so i ain't surprised.

  24. David Wilkinson

    Autopatcher

    Autopatcher is a handy utility to download and install all those patches you need to have applied prior to connecting to the internet.

  25. Sarah Bee (Written by Reg staff)

    Re: Infection

    How crude.

    *resists 'fag' joke with heroic effort*

  26. Daniel Bennett
    Alert

    4 Minutes?

    Eh?

    I must be loved then, because ive had my system on the internet for up to a month and finally getting around to getting antivirus and stuff revealed nothing...

    And there was no firewall either..

    Wooo i'm loved i'm loved

  27. Anonymous Coward
    Flame

    Oh what a surprise

    You stick some old code on the net and it's had in minutes, yes i remember a pre SP2 box picking something up before i'd managed to apply updates but that was 4 years ago.

    I'd be very very surprised if you got the same result with an XP SP3 box and anyone that installs from SP2 media and then casually browses the net before a visit to MS update deserves what they get.

  28. Anonymous Coward
    Anonymous Coward

    Gee, ever think about slipstreaming?

    I've been putting up servers over the past week. Prior to starting, I slipstreamed SP2 into my copy of Windows Server 2003 R2. I've also slipstreamed SP3 into Windows XP for our clients.

    For those who cannot follow a web article on how to do it, one can download a free copy of nLite to do it for them; it's stone-dead simple. I get that a home user might not get this, but for anyone in any IT department not to ought to mean an instant boot through the door to the unemployment line.

  29. A J Stiles
    Paris Hilton

    *Yawn*

    Why, in the name of all that is sane and sensible, would **any** operating system ship with a port that allows the machine to be controlled remotely without authentication **open by default** ?

    That was pretty basic stuff even in 2001, before they found the second hole in OpenBSD.

  30. Anonymous Coward
    Boffin

    NAT Router

    @Jerry

    Actually I think you'll find the majority of home users have Windows machines with the cheap USB broadband modem supplied by their ISP. Therefore no NAT. It used to be that you only got the benefit of a proper router if you subscribed to a 'wires only' service and bought your own. I know thats changing these days, but how much?

  31. Doug Glass
    Go

    Computer Needs

    Regardless if I build it, re-build it, repair it, clean it up or just install software, I tell everybody the same thing. You have to treat computers like babies: you have to feed them what they need an periodically clean their smelly behinds.

    One day I gave my "computer responsibility" statement and the recipient replied, "Why?". I just looked at her as she further commented, "I have you".

    I've come to believe it's not a matter of people knowing what to do; they're flooded with that sort of stuff. It's a matter of priority and what's important to them. And in my experience, admittedly limited, few people treat their computer as if it's anything other than just a box full of electronic parts. Can you imagine that? They treat them like toasters, stoves, MP3 players and etc. When it gets mucked up bad enough they buy a new one. I don't know why I expect otherwise; we've created a throw away society and its inhabitants have learned well.

    Windows Installation (SP3 slipstreamed) takes about 20 minutes and about 10 to install a firewall and antivirus. So it's not time in my worthless opinion, it's priority and for most people proper computer maintenance is not only low priority, it's something they can pay someone else to do. Or in the case of a few I know, just turn the damn thing off and go play with their kids.

    And given my last installation of Ubuntu had more than 100 updates this scenario is not limited to M$ products.

  32. vahid
    Happy

    Old windows techies backing windows again i see

    I would like all of you techies to step back with all your advices comments on without firewall and NAT and all that nonsense.

    Just imagine you are 65 computer illiterate and want to go online with you new pc.

    Obvously it requires patching ? whats a patching asks the 65 year old ?

    you the 65 year old phones provider gets on broadband and in the post is your USB dongle (since none of them are going to send you a broadband router unless you ar paying extra)

    so the 65 year old goes online and in 4 minutes he is infected he spends another few months spreading infection deeper and further in OS.

    MS should have done better than this by now.

    for a start with all that profit (that don't go into no MS fanboys pockets) they could have created CD for online access so all people using the OS at all levels who sign up with a provider get this CD sent to them........

    Secondly do they actually test any of their products before going live surely all thes excess open ports there should be a hardening package or go online utlitiy ? go through lock down ports not required..

    No more advice for the bull of all OS's MicroShaft... sign up with us and we will shaft your day with lots of time spent on analysing why our OS sucks.

    I have a dream and in this dream microsoft no longer exists. :)

  33. MrWeeble

    The version they were testing needs more info

    Looking at the PDF thesis, I don't speak German so I have no idea what version they were testing. However doing a find on the string Windows, suggests they were testing versions of windows as far back as Windows 3.11 and NT4.0 and the only reference to Service packs seems to be "Windows XP SP1+, 2000 SP3". If that is the newest version they are testing, quite frankly I don't care - that these OSs are not secure is 5 years out of date to be classed as "news".

  34. Simon Harris
    Stop

    @Eddie & @AC

    Yup, I remember that happening to me 4 years ago when I got broadband installed at home.

    The Telewest technician had just got the cable modem installed, then we plugged in the Pre-SP2 laptop and blam... Windows would shut down with an intrusion before I could even get online for the updates. Unplugged the network connector and of course the computer started up just fine. Needless to say, the technician didn't have a clue what was going on.

    Had to take the computer into work to connect to the firewalled network there to get the updates.

  35. Hud Dunlap
    Unhappy

    Not enough information

    What version of XP, what service pac? What about Vista and OSX?

    I know when I bought my new Mac the updates were over 500 meg. I use a wireless router but what would have happened if I had connected straight using an ethernet connection?

    The web sites listed are not very useful either.

    As someone who has owned Macs since the days of the Mac Plus I don't buy this Mac's don't get infected crap.

  36. Anonymous Coward
    Anonymous Coward

    @ vahid

    “Obvously it requires patching ? whats a patching asks the 65 year old ?”

    but i have the same problems with my Ubuntu box that rolls on patches seemingly day after day and not all of them without issue.

    As i said this isn't really an issue with an XP SP3 or Vista install now is it?

    The risk is even less if you run your box as an ordinary user not as an admin, i've been running like this for three years with few issues (non secuity related), ALL of them caused by poor software not Windows.

    And that's coming from someone who is not just a Windows admin (Novel/Linux as well) and can look objectively at a situation, i also deliver training so i know the headach of using multiple platforms.

  37. Anonymous Coward
    Thumb Up

    merry-go-round

    Oh - yes, I'll take an option 1 and a couple of option 2's please.

  38. Michael Nielsen
    Linux

    I saw this happen already in 2002/3

    A guy decided he would install windows on his machine, he had previously been running linux, and due to some tests he had been running his machine was on the outside of the firewall on one network interface, and in the DMZ on the other.

    He forgot to unplug the machine from the net, before he installed XP (I believe service pack 2, but it might have been 1, I don't recall).

    The machine was hacked and compromised, before he even managed to log in on the console, on the last reboot, after the installation has run.

    So yes it does happen, and it is almost certain it will happen if you don't keep a NAT in front of your machine.

    I would not install a windows machine with any kind of network connections active. If patches have to come from the net, then at the very least keep it behind a NAT router/firewall, if you do not want problems.

    Even better, download all patches using a secured patched machine, or even better pull them down with a non windows system, and create a patch disk, before you even think of starting a network connection on the newly installed machine.

    I prefer to use other operating systems to pull down windows patches, because their vunerablility is not the same as windows, and if the pull down carries a probe, they hit a wall, due to the heterogeneous systems. Then I scan the data for vira/trojans/known root kits, before I transfer it to a CD or the machine that is to use it.

    Paranoid - You might say, though I prefer to call it experience with microsoft products :-).

    Unix based systems I do slightly different, I remove all network services, before putting a network cable on, and thus make the machine non-responsive to incoming data and then pull down patches.

  39. Glen Turner

    Gee, ever think about slipstreaming?

    Gee, this is really what irritates me about computers. You've got a simple requirement: bring up a new machine securely. A pretty basic requirement for a computer.

    The security people in the article recommend the purchase of a computer to protect your computer -- something called a "NAT router with firewall". Apparently there's no chicken-and-egg problem with this idea.

    The previous poster recommends yet another product, with its own meaningless terminology ("slipstreaming"?) and hours to be wasted. Oh, and the need for another computer to prepare the CD with. And that computer was installed and nLite downloaded from the Internet without chicken-and-egg issues just how?

    Both Ubuntu and Fedora look simple enough to bring up with all updates applied. But here's the rub, they don't do this by default. That's right, the secure alternative isn't the default.

    It looks nearly impossible to bring up MacOS with all updates applied. The saving grace here being that MacOS doesn't have a huge number of open ports running insecure protocols when it starts, so there's a good chance for the updates applied after boot to win.

    In short, all OSs currently suck for Joe Average doing an installation on a unfiltered Internet connection. And you're not going to be able to hide Joe Average behind that NAT gateway anytime after ISPs roll out IPv6 to customers.

  40. Roger Lancefield
    Linux

    I wish I could join in with the excitement...

    ... but unfortunately my operating system, being free, wasn't supplied with this feature. No joy in the repositories either. Is there a commercial add-on available?

  41. Anonymous Coward
    Anonymous Coward

    I did this in 2002

    I needed to reinstall a system, plugged it into the cable modem direct, opened windows update, couldn't find it. Took far less than 4 minutes that time. That was when I first bought a NAT firewall, to get that box up and running.

  42. Anonymous Coward
    Paris Hilton

    Queue standard Linux fanboi response

    (arrogant self-important geeky voice) "My free open source operating system is the mutts nutts, bow down to the almighty Linux, the sun shines out of it's posterior"

    (arrogant designer type know-nothing bozo) "Macs are just so amazing, we can't be own3d, Steve Jobs is a minor deity"

    (Joe Public windows user) "I'm running windows 2006 with interweb explorer AOL thing, the sales guy says so long as I've got a virus wotzit I'm safe, plus I've got a BT home rooter."

    Paris because she was own3d in less than 3

  43. Jared Earle
    Go

    @Hud Dunlap

    "As someone who has owned Macs since the days of the Mac Plus I don't buy this Mac's don't get infected crap."

    If you'd have plugged an unprotected Mac into the internet without a firewall, you would be quite safe today. No-one (up to now) has a remote exploit for the Mac. Yes, of course you should patch your Mac and run behind a firewall, but today, there's nothing to fear.

    Macs don't get exploited remotely. That's not crap, that's just the state of affairs today. Tomorrow this could change, but today, that's just the way it is.

  44. vahid
    Stop

    @ AC about my comment

    "The risk is even less if you run your box as an ordinary user not as an admin, i've been running like this for three years with few issues (non secuity related), "

    my experience from a windowsinstall the initial user is admin ! there is no requirement to put in a root password to install anything...

    "ALL of them caused by poor software not Windows."

    Ahem thats why ubuntu debian and all the rest of them have central repositories so there is no need to go to http and download 3rd party software which is the source of a lot of the issues...

    Two main flaws in windows if you ask me.. This is not evident in Linux

    Also 1 last issue - FS partitions Linux install ok if your a noob all goes in one but for me its always been things like home get own parition - so sure format OS partition as much and as often as you like - your data is safe unlike c:\Documents and Settings\Blah

    "spaces in folder names is not clever either by the way"

    lol

  45. Anonymous Coward
    Thumb Up

    @Scott RE: Not surprised

    >>Within seconds of being issued an IP address by the RAS server you would start getting pop-ups. At that time, the simple addition of SP2 would have solved most of the problems. Unfortunately the clever souls that created the builds were convinced SP2 "breaks everything", and the clever users kept clicking on the 'Ok' button. Still, fixing their mistakes kept me in a job for a while.

    erm why not just disable the Messenger Service on windows

    Non pop ups then

    takes 5 sec's to fix

    I like installing XP with out SP's , its fun trying to update windows before blaster popped up shutting down the pc lol

  46. Wolf

    Guess it's where you're from...

    In my city (Cincinnati, in USA) my ISP gave me a NAT router as a matter of course, a little Cisco box the size of a paper back book. That little router has NAT built in, I didn't have to do *anything*. Naturally I have a dynamic IP, but that's never been an issue.

    I'll admit the phrase "on the internet without a router" leaves me puzzled. How, exactly, does one get to the internet without either A) an ISP to handle all the messy details (home users) or B) a considerable effort on the part of the IT department (corporate users).

    Either way, NAT is the cheapest and easiest protection there is, most routers have it built in as a matter of course. Assuming your ISP/IT department is so criminally negligent as to give you an unfirewalled/non-NAT connection to the net the fault lies with them!

    This BS about management not giving IT time to properly connect a system to the net is drivel. In a corporate environment you *can't* hook directly to the net! You have to go through the local LAN--which will have a router between you and the net.

    Unless, of course, you hire idiots to run your networking center...

  47. Tim Schomer
    Boffin

    Same here

    I've had a machine that came with a pop-up at precisely 17 seconds after connecting to the internet (happened all the time) but this was Windows 98 over dialup, and fortunately it was only a pron advert (nothing malicious).

    Whenever I'm called upon to sort out a machine or to install a new one for someone I always tell them that the difference in price between a router and a USB modem is a hell of a lot less than the cost of getting me out to fix the b****y thing when it goes wrong, which is usually within the first month.

    </rant>

    If they still insist on using a USB modem on a new (unpatched) machine I tend to connect them through my spare router initially to collect the updates then install the Modem. Takes a little longer but saves me a few trips usually.

  48. Nuno trancoso
    Pirate

    This sort of FUD is plain bollocks... and by the way...

    "Just imagine you are 65 computer illiterate and want to go online with you new pc."

    Im 32, no driving licence, no idea how to drive a car, but i can figure out how to "tun it on". So, i should just step up to a car, hit the gas and away we go... Sure, ill kill myself and probably someone else too, but it's NOT my fault, its the car maker's, because they made a car a clueless dumb@ss could not drive safely....

    The "users are dumb/clueless/illiterate" argument has been used again and again. Still stinks. Either get an education like techies did (no, we weren't born "in the know") or get shafted and take it like a man.

    In the end, like most thing in life, your problem, your responsibility, do as you see fit, and deal with whatever comes back to bite you.

    Death.... complain to it that you didn't know better. Fat lot of good it will do to you...

  49. david wilson

    @Glen

    >>"The security people in the article recommend the purchase of a computer to protect your computer -- something called a "NAT router with firewall". Apparently there's no chicken-and-egg problem with this idea."

    I'm not sure there *is* a chicken-and-egg problem.

    I don't recall seeing many news stories about router/hardware firewalls getting compromised.

    In fact, I don't recall seeing any.

    That's presumably why most people who know about them (not just security pros) would consider them a good idea, particularly for Windows users, and especially since they aren't exactly expensive.

    On the other hand, my experience of *software* firewalls has been rather underwhelming, with some seeming to have a habit of just stopping working for no reason (on machines seemingly free of malware).

  50. Scott Patterson
    IT Angle

    Do you even understand Ubuntu?

    [Quote]

    By Anonymous Coward

    Posted Tuesday 15th July 2008 15:38 GMT

    “Obvously it requires patching ? whats a patching asks the 65 year old ?”

    but i have the same problems with my Ubuntu box that rolls on patches seemingly day after day and not all of them without issue.

    [/Quote]

    You do realize that you are probably >90% of the time not patching the OS, but instead applying updates to packages? Don't you?

  51. Anonymous Coward
    Go

    @ vahid

    "Also 1 last issue - FS partitions Linux install ok if your a noob all goes in one but for me its always been things like home get own partition - so sure format OS partition as much and as often as you like - your data is safe unlike c:\Documents and Settings\Blah

    "spaces in folder names is not clever either by the way"

    ------------------------------------------

    I'll agree that spaces in folder names were a silly idea, that's obviously why in Vista the Docs and Settings folder is now just Users ;-)

    As you say defaults are always for noobs as you put it a default Linux install slaps everything in one area so does Windows but i've never ran a Windows box without redirecting the Documents folder to another partition or physical drive. It's an insanely easy process as well just right click and select target.

    -------------------------------------------------------------

    "my experience from a windows install the initial user is admin ! there is no requirement to put in a root password to install anything"

    Yes but other new users that you create are basic users.

    -------------------------------------------------------------

    Anyway we're getting off track here the point is that pointing out that 5 years old code has flaws is pointless, ALL code has flaws it's time to fix that is important an area where i do think MS could improve.

  52. Cameron Colley

    Learn how to use it or fuck off.

    MS's biggest crime is letting people who have no idea how to use a computer think that they're superusers.

    If you can't use Linux then you can't actujally operate a computer -- you can only play games produced by Microsoft and Apple.

  53. vahid
    Happy

    @ By Nuno trancoso & @ AC about windows install

    You do not need a licencse to use a computer

    You do no sit a test of compitency to use a computer

    You do not break any rules by getting hacked .

    AC about windows install when making your own Partition for documents and settings

    What if you purchase pc from a shop with windows? does it come with seperate partitions ?

    or how about when you do an install does it come up with clear consise questions about partetions etc a sepearte slot for boot seperate for swap seperate for home etc ? last time i installed windows this was not the case but then it was donkey years ago....

  54. John Savard

    It's not unreasonable

    It's not unreasonable to expect that you ought to be able to buy a computer in a store, hook it up to the Internet, and be able to use it with no more fear of someone in the outside world being able to interfere with it... than one would be afraid of having a mechanical adding machine or a rotary-dial telephone "hacked" in some fashion.

    Consumers expect their television sets, automobiles, and refrigerators, when made and sold by reputable companies, to work reliably. Why can't the makers of computers meet the same standard?

    And, despite being made cheaply these days, computer hardware meets that test. Software could meet that test too. Check very rigorously for possible buffer overflows or race conditions. Do not add features that allow remote execution, like Java or JavaScript, until *after* they've been perfected - and are sitting behind two layers of sandboxing.

    Put the important parts of the operating system in ROM, and the rest of them on a separate read-only hard disk - that gets made writeable by a *physical switch* on the computer case during OS installation! Prevent dialers by only having modems with buttons for dialing on them (yes, you can program in your ISP's number for one-button dialing, but you do that from the modem front panel, not from your computer, which has no way to access that function _at all_).

    One could make computers as secure as people expect, with simple instructions that would ensure this made them only slightly more complicated to use. Perhaps many computer users are not the computer experts they ought to be; but surely the big computer companies are the ones truly without excuse?

  55. jai

    pwn3d

    if you're going to try and be hip and with it and down with the kids in your titles, at least get the 1337 nomenclature correct, innit :)

  56. This post has been deleted by its author

  57. Brian Whittle

    blame the pc vendors

    years ago when the Sasser worm had been doing the rounds for a couple of months. I got a call from a customer who had bought a Pc from PissyWorld plugs it in bungs in the disc to get Bt Dial up it connects to get her details and set up the account and the pc starts shutting down. Then every time it rebooted it would start to shutdown again. All it needed was Pissyworld the give the costomers a floppy with the M$ patch on is and to say before you go on the internet install the patch on the floppy.

    this was sometime in the summer in 2004 and you can bet the PC had SP1a and nothing more on it

    Maybe the venders can't be expected to keep the PCs upto date before they sell them but the Sasser worm was so prevalent that it should have been a special case.

    The local vendors who hand build PCs and in my case make sure that they are upto date before going to the customer may be a bit more expensive but price isn't everything

  58. Anonymous Coward
    Flame

    Well that shows the XP lie

    I've had plenty of unprotected NT4 and 2K machines on the net without problem with either nothing or a cheesy ZoneAlarm type firewall. And those NT4 machines were never patched, because, well, you had to download and install them all by hand.

    Frankly, for what they are talking about you don't need patches if you are not browsing. All you need is a decent firewall like Kerio 2 from about 5 years ago that keeps Windows from bleeding out the 2000 odd ports it exposes to NetBIOS and such.

  59. James Butler

    @david wilson

    Routers get corrupted all the time. Anything with a network connection and write access is vulnerable.

    It seems to me that this article was targeted at those of us who build our systems, and not at those who purchase loaded gear from a retailer. Installing any OS involves patching it. This article was simply relaying the results of research performed by one company on a couple of Microsoft products. There's nothing to be learned from this unless you have never given thought to the risks of networking an unpatched system.

    I've never had a Posix system compromised during setup, but I could see how it could happen ... if there were as many malware bots actively looking for them as are constantly seeking out MS installations.

    You protect what you can and deal with the rest. The article provided a word to the wise for newbie installers, and gave the rest of us something to kvetch about.

  60. TimM

    USB modems

    USB modems are a rare bread these days I would say. Even BT wouldn't give out one of their old frogs now. a) they want to plug HomeHub, but more importantly b) the USB modems are a notorious nightmare for support as they were more than likely the main cause of connection problems. I remember even NTL used to strongly advise against connecting their modems via USB because of all the hassle it caused and would ship Ethernet cables to customers as the immediate solution regardless of what the problem really was.

    Anyway, the majority are no good for "8mb+" broadband. Yeah we know it's a myth but even to get beyond 1mb you really need a proper dedicated router/modem.

    Besides that the majority probably get wireless broadband routers for free with their ISPs (not knowing why they need one). All NATed up and ready.

    Biggest risk from ISP hardware is use of WEP encryption and default passwords, but even that's a low risk really.

    However, a company I worked for used to be anal about security, firewalls and virus scanners, but their laptops that were the only authorised ones to go onto the network would go out of the office with no firewall at all, and I'd seen one plugged direct into the net with no NAT and sure enough within minutes it had pop-ups all over.

    Though these pop ups are really nothing to write home about. Just old netbios message windows, like the kind you used to get to tell you your print job had finished.

    Another thing. Of the "clueless" who buy from PC World etc, who would really end up with a PC with raw unpatched Windows XP pre-service pack? Likely they'll be shipped with the latest service pack at least (with Vista these days anyway), which has enough lock downs to get you going. In the case of Vista, probably enough to stop you getting anywhere in the first place ;)

  61. Anonymous Coward
    Happy

    M$ of course

    By way of an attempt at humour.............

    tonight I have been running a modern AMD with XP media, and a five year old dell with XP. both behind a rather 'nice' IPCOP firewall

    the medis centre PC has crash/died 4 times in as many hours, and the vanilla XP just BSoD

    [of course, I will check to see if anything nasty got in, but]

    I aggree an unprotected PC on the imterweb wil only survive for minutes............................... but how long do they last anyway?

  62. Tim Cowley

    let's not forget mac 10.2

    ... which shipped without its firewall turned on. Pathetic.

  63. Steven Raith
    Paris Hilton

    @Simon Harris

    So, your computer at home was connected to the internet without any kind of protection, and you got what appeared to be a remote exploit, or at least some kind of potentially malicoius code run on the machine.

    You then took it into work and exposed your works network to your machine?

    "Well, I've got home, locked the house doors, and set the alarms. Now, I'm going to juggle with nitroglycerine because what with the doors being locked and the alarm being on, I must be safe, right?"

    Do they do the IT equivelnt of Darwin awards yet?

    Steven R

  64. kain preacher

    @By John Savard

    It's not unreasonable to expect that you ought to be able to buy a computer in a store, hook it up to the Internet, and be able to use it with no more fear of someone in the outside world being able to interfere with it... than one would be afraid of having a mechanical adding machine or a rotary-dial telephone "hacked" in some fashion.

    Consumers expect their television sets, automobiles, and refrigerators, when made and sold by reputable companies, to work reliably. Why can't the makers of computers meet the same standard?

    The difference is you don't have people coming into your home trying to break your tv,fridge or car.

    Out of the box it does work. Would you blame the car manufacture if you install radio that killed your electrical in the car ?? Would you blame the auto manufacture if some steals your car ???

  65. Anonymous Coward
    Stop

    Yes, but...

    Look, much as I hate rising to the defense of Windows, this is about a network probe of some sort equaling a compromise which, of course does not necessarily follow.

    Unless I am greatly mistaken - and I am often greatly mistaken - what it does show is that unsolicited network activity believed to be aimed directly at windows systems (lets say 1, every 35 minutes) is on the order of 20 times that believed to be aimed at unix systems (1, every 700 minutes) which, given that the install base is about 10:1 in Windows' favour, is probably worse than it should be.

    Basically, if you had an imaginary unix system vulnerable to all vulnerabilities that the probes ascribed to unix systems were targeting, and an imaginary windows system vulnerable to all the vulnerabilities that the probes ascribed to Windows systems were targeting, and then you ascribed the remaining non-specific probes proportionately between the two, and you connected both to the internet with no boundary protection, then hit yourself with a great big lump of wood you idiot. You probably built your own car out of thirty years of Ford manufacturing defects. Yes, your arse is wet and the electrics make your pacemaker skip. Sky blue. Flowers pretty.

    Now the disproportionate activity on the windows front is another thing all together. Newsworthy, it may well be. Now I may justifiably resume my slightly hypocritical, slightly self loathing, stance of deriding Windows while still being partially dependent on it.

    Oooh! I AM a dirty boy! Tell me I'm a dirty boy!

  66. Trix
    Boffin

    What OS?

    Yeah, a bit more reporting would be nice. What OS/patch level on the box?

    As for the morons here going on that they can have a windows box pwned in a minute or so, have you not heard of the concept of "average"? The *average* time a box is compromised is apparently 4 minutes - which of course means that individual boxes could take seconds or days to be compromised.

  67. Simon Harris

    @ Steven Raith

    The story was just meant to illustrate the catch 22 problem of setting up a Pre-SP2 PC with a standard domestic broadband connection. You needed the connection to get the updates, but the problem the updates were supposed to solve came over the connection before the updates arrived. It wasn't meant as a step by step guide to fixing it, so I skipped to the end of the story with the comment about getting the updates over a more secure connection without filling in all the middle bits about scanning and cleaning up the PC first.

    I don't remember there being any nitroglycerine left at that point!

  68. Rosuav
    Gates Horns

    USB modems are around

    I have a roaming connection that consists of a USB GPRS modem (which sticks by velcro to the back of my laptop's lid). There is no way to install a hardware firewall. Four minutes? The first time I used this connection with a (throw-away) fresh, unpatched XP, it took somewhere between 20 seconds and 20 minutes to be compromised - I didn't time it properly. The second time, it took two minutes. Each time, that system got so infected that I didn't dare do ANYTHING serious with it, but just repartitioned and reformatted the disk as soon as I got home.

    A hardware firewall / NAT router is probably 99% of the solution. If you have an unpatched Windows system, though - or even a patched one, though it's less critical there - a personal software firewall is a good way to protect against rogue code from web sites etc, and also helps contain problems if you do get them. It does help.

    Yes, all operating systems get updates. If you don't like that idea, I'm sure someone can find you a copy of MS-DOS version 1; or maybe you'd rather go for QDOS? But Windows has a lot of problems that allow external attackers to take control of your system, whereas other operating systems have much less critical faults. I'd like to see anyone try to argue that Linux security holes are as much of a problem as Windows holes.

  69. William Morton

    Its about time MS mailed all registered users a new secure version of installation media

    Like I said, all those people who bought the retail version should should be allowed to have a new version of installation media with all the patches applied. This is MS's fault they can't write a secure OS so they should have to pay to put it right.

  70. William Morton

    @ Ryan

    And anyone using cable modems without firewalls, or even the masochists updating via dialup. MS are still making people pay for their "male chicken" up

  71. Matthew Hale

    Then again

    I've had several boxes (XPSP2 no AV, no nuffink) on and offline for the last year or so, with maybe a load of spyware, but nothing that can't be broken easily enough, and I have suffered very little. It's very simple - keep the stuff that matters to you on external static/optical/mag media, use virtual O/S that run in RAM with no HDD, or just blow away and reimage the box every Sunday. Hardly much effort, and a lot cheaper than worrying about keeping up with licenses for bloated AV/Firewall shit.

    If you want to do anything questionable or anything which could be used against you in any way, do it from a public access point or hijack some peons AP.

    People worry about the wrong things mostly...if someone wants to steal your identity, or fuck you over somehow, I'd be far more concerned about the criminal element in government and their quango buddies than some nerd with a few hijacked boxes and some scripts. Once your biometric data goes onto the NIR, and some crook in authority has access to it, that's it for life. You can't change your fingerprint or retinal signature.

    Four minutes? Four minutes till some relatively harmless piece of code gets installed which does what exactly? Makes your PC run slow? Makes it unstable? Uses some of your bandwidth? Just blow it away and start again.

    Obviously it makes sense to protect yourself online as much as possible, but the ramifications of not doing so are likely to be trivial. Unless you consider having to reinstall an OS as some kind of crisis - in which case you should really probably sit under a large tree and have a good hard think about life.

  72. Michael Nielsen
    Linux

    It is very cheap to protect your computer

    Routers with NAT/Firewall functionality can be obtained from about 10pounds and up, I myself am using one that cost about 29 pounds, and is about 4 years old.

    Default configuration of these is to deny all, unfortunately they also enable UPNP.

    Make sure you disable UPNP, as (afaik) it allows software to create holes in your firewalls, and unfortunately this feature is enabled in almost all cheap firewalls. As I understand it, UPNP provides a way to go through a firewall (from the internet - the wrong way), and thus opens your system to attack, and requires no security to alter the firewall protections.

    I recommend these cheap routers as a solution to all who own a computer, and doesn't know much about computers, as it goes a very long way to securing your system, and is a very cheap way to avoid problems. Ofc firewalls do not protect against malware downloads.

  73. Anonymous Coward
    Anonymous Coward

    @ vahid

    "What if you purchase pc from a shop with windows? does it come with seperate partitions ?"

    From a good shop yes, from Dell, HP and the rest i doubt it, some Acers seem to.

    "or how about when you do an install does it come up with clear consise questions about partetions etc a sepearte slot for boot seperate for swap seperate for home etc ? last time i installed windows this was not the case but then it was donkey years ago...."

    No, but then (and i can only comment on Fedora and Ubuntu) i only remember seeing those options when manualy configuring an install just the same as Windows. If you let it auto partition you get a seperate swap and the rest /home /var and so on are all stuffed in one partition.

  74. Scott L. Burson

    Has been true for years

    This was already the case five years ago. I guess it's good to keep reminding people of it, though.

  75. fluidlyunsure

    ping Vahid

    Hey wait a minute Vahid. Making the 65+ crowd sound like a bunch of imbeciles.

    While I'm not there yet (I've got another 15 years or so), I'm a member of a computer club where the average age is in its 70's. You go to GRC.COM and the newsgroups are crowded with retirees. There was even a recent thread where people talked about teaching senior citizens (including their parents) Linux. One guy said one of his first senior citizen students who has used most main distributions and stuck on fedora was having their 101st birthday.

    Next time you use a group as an example of stupidity, find out more about them first.

    BTW: what about the Taterf worm?. The WBE id10+s that turn off their AV and PFW for a performance boost and download a bunch of cracked software that infects their machine. Of the 330 million MS found in the 1st week, I doubt if very many of them were senior citizens.

  76. Anonymous Coward
    Coat

    @Stu Reeves

    "(I'm guess they are on about standard, non SP2 XP machines)."

    Non SP2 machines aren't "standard" by any stretch of the imagination - any version of XP that isn't SP2 or better is at least 5 years old!

  77. Doug Glass
    Thumb Up

    All Us Stupid Seniors

    RE:ping Vahid

    By fluidlyunsure

    As a retired baby boomer, thanks. Well said

  78. Peter Bradshaw
    Unhappy

    So I have under 4 minutes?

    My wife's HP machine came with XP and SP1, and ran for years without problems. Recently it has crashed repeatedly and often all the way down, and after many re-installations of the OS, assisted recently by my (fairly cheap but not free) SP2 disk from M$, I decided the problem has to be the hard drive going south. The machine is capable of doing all the things we need, and much of our software and even hardware is not Vista-compatible, in particular the HP scanner for scanning her artwork is no longer made, and had compatibility problems with SP2 until I got patched for that, and our WordPerfect is not Vista-ready.

    Yes, I am over 65, but first used a computer in 1963/4 (paper-tape input, printed output, no graphics, wrote my own near-machine-code programs), have designed ICs for decades, both before and with computer software assists, but now I am wondering if I am just not getting the OS updated fast enough on the re-installs. My ISPs assign an IP when I connect (yes, I have been involved in IEEE 802.3 committees, so I know what an IP is), but how do I protect against being "own3d" before I have the updates downloaded? And if I go on a business (or other) trip, how does my (non-techie) wife handle it?

    I do like the idea of M$ providing an updated installation disk, since they originally put the holes in the OS. But would they do that for XP? Moon$Hine dreaming!

  79. Doug Glass
    Thumb Up

    A Little Help

    http://grc.com/default.thm

    These can help

    The DCOMbobulator 1,634,863 downloads.

    DCOMbobulator allows any Windows user to easily verify the effectiveness of Microsoft's recent critical DCOM patch. Confirmed reports have demonstrated that the patch is not always effective in eliminating DCOM's remote exploit vulnerability. But more importantly, since DCOM is a virtually unused and unneeded facility, the DCOMbobulator allows any Windows user to easily disable DCOM for significantly greater security.

    Shoot The Messenger 2,144,420 downloads.

    Even before the latest DCOM/RPC vulnerability (see above), many Windows users were being annoyed by "pop-up spam" notices appearing on their desktops. This intrusion is also facilitated by an exploitation of port 135. Our free "Shoot The Messenger" utility furthers the security of Windows by quickly and easily shutting down the "Windows Messenger" server that should never have been running by default in the first place.

    UnPlug n' Pray 2,837,124 downloads

    As originally urged by the FBI, and still urged by prominent security experts, our UnPnP utility easily disables the dangerous, and almost always unnecessary, Universal Plug and Play service. If you don't need it, turn it off. (For ALL versions of Windows.)

    XPdite 1,090,543 downloads.

    A Critical Security Vulnerability Exists in Windows XP. (Surprise) Actually, as we know, there are many, but we'll handle them one at a time. This particular vulnerability allows the files contained in any specified directory on your system to be deleted if you click on a specially formed URL. This URL could appear anywhere: sent in malicious eMail, in a chat room, in a newsgroup posting, on a malicious web page, or even executed when your computer merely visits a malicious web page. It is already being exploited on the Internet.

  80. marc bolan
    Dead Vulture

    'fraid not chaps

    I noticed how much slower my pc[the one I'm typing on now]was after installation of all of the Microsoft updates, and that seemed somewhat counter productive. So...

    I decided to run a little experiment.

    I reinstalled windoz, went to the update site and installed everything I reasonably considered neccessary BUT made a point of NOT installing anything with "security" and /or "critical" in it's description.

    The experiment continues.

    I like the ladies.hahahaha

    I also visit sites which deal with controversial subjects.

    I go where the hell I want on the net.

    I run zonealarm free firewall.

    About every couple of weeks do an online scan and occasionally d/l a free antivirus, update it and run a full scan.THEN UNINSTALL.NO "WATCHERS".

    Now not to piss on Bill's bonfire but....whats a virus again?

    Have none.

    Have had NONE. AT ALL.

    Security my bottom.

    "Update"........ experiment has now been running for over a year,and will continue.

    Security my arse.

    The vulture = the death of common sense.

    Now ya'all have a nice day now.

  81. Keith Milner

    @Michael Nielsen re UPnP

    Most of the "UPnP is bad" commants come from a distinct lack of understanding of security issues and practice.

    Sure there are potential security vulnerabilities with some UPnP implementations, and in some environments (e.g. company network) you probably don't want it but that's more for staff policy reasons than because of security issues.

    In most cases, UPnP can be MORE secure than not having it. It's absolutely true UPnP allows a PC on your network to open ports on your firewall, but if you're PC has been "pwn3d" then it's a bit late anyway, and it pretty damn trivial for the virus/trojan to create connections to the Internet without UPnP.

    Assuming your PC isn't infected, UPnP allows you to run certain software apps without having to do permanent port-forwards on your firewall.

    It doesn't take a rocket scientist to understand that an on-demand, randomly allocated open port is more secure than a permanent, fixed port (or, worse still, port range) which is always open even if it's not needed.

  82. vahid
    Happy

    @ all over 65

    sorry no offense was made. It was just an example for people who think on a professional level and comment on this level rather than looking at the problem from someone who has basic knowledge :)

  83. Tim J
    Linux

    @Cameron Colley

    Go fuck yourself Mr Colley. You said...

    "MS's biggest crime is letting people who have no idea how to use a computer think that they're superusers.

    If you can't use Linux then you can't actujally operate a computer -- you can only play games produced by Microsoft and Apple."

    Most people have better things to do that learning all the ins and outs of Linux... actually, let me rephrase that - I'm no Linux hater, indeed full respect to the penguin aficionados out there - but people have different priorities. I spend a significant part of my life working, writing carefully written reports amongst other things, and outside that time I swim almost every day, enjoy cycling, watching football and playing it (badly), cooking, reading, seeing friends, volunteering, going to galleries, making love (to someone other than myself), and generally doing stuff that doesn't involve being sat in front of a small screen.

    And now you tell me that basically I shouldn't be allowed to use a computer because I don't know how to use Linux - how stinkingly elitist and full of shit is that. I keep my Windows fully patched and scan for malware of all sorts regularly using a variety of different tools and observe good computing practice, and help my friends and family to do the same.

    When I step back and take a look at this I do wonder whether a Mac would be a better idea, as a computer that would entail less time fannying about making it work as opposed to more. You're merely confirming my suspicions about Linux - that it is an operating system that you need to get highly involved in. I want to get highly involved in things other than my computer's operating system.

  84. Anonymous Coward
    Boffin

    Not so long ago

    There were computers which had their OS on a chip called ROMs (Read Only Memory) which couldn't be erased easily (you could fry 'em with static, I spose) then some bright spark decided (as there was a chip shortage) to bung the OS on hard disks. This, in my 14 year old mind was a recipe for disaster, but hey, folk wanted to make money. Anyway, us youngins should be doffing caps to the seniors, as it was they who started all this computing nonsense off. It's been fun over the last 30 years faffing about with biscuit tins of electronics and getting it all to work. The floppy disk is dead, if that's the case, why are they still being sold?

  85. Andrew Wigglesworth

    Woosh, the sound of the real point going straight over peoples heads.

    The point of the research was not "lets prove that it's not a good idea to put an unpatched Widows computer on the net". After all, these computers were *meant* to invite infection.

    This experiment demonstrated in a simple (headline grabbing) manner that despite over ten years of the Windows security industry and many fixes by Microsoft there are still so many *already* compromised Windows computers on the net that that a honeypot computer will be infected extraordinarily quickly.

    Look at the research, these attacks weren't being made from some bunker in Siberia, the vast, vast majority were from the same net block that the computer was connected to. ie. ordinary peoples computers connected to the same ISP.

    So forget about how great your computer practice is, or how you think people "ought" to use computers, it's not about *you*.

    This is a peek into the real world of millions of Windows systems herded into botnets, spreading worms, compromising peoples privacy and security, degrading peoples experience on computers and the internet, and a certain part of the computer industry that seems either unwilling or incapable of solving it.

  86. pctechxp

    @AC - 65 year old

    That is the biggest load of garbage I've ever read.

    The idea of patching of Windows, Linux, Mac OS or whatever is to correct problems/plug holes that weren't known about when the OS was released or have been introduced as a result of previous patching/new features.

    What you are referring to is a Linux Live CD but bear in mind that hardware that requires specific drivers may not work if the driver isn't present on the CD.

    If my memory serves me correctly OEMs are not permitted to make their own build CDs anymore (as in the days of Win 95 so thats why there is no slipstreaming but there is nothing to stop you make your own build DVD :)

This topic is closed for new posts.

Other stories you might like