Sasser Worm Takes Down UK's Coastguard 733
jonman_d writes "The Sasser worm has recently disabled the computer systems of Britain's Coastguard. Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Moreover, it raises questions of responsibility: if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"
He should be (Score:5, Insightful)
It wouldn't be murder per say, but definitely manslaughter. If they catch the guy, I hope the full force of the law comes down on him.
Re:He should be (Score:5, Insightful)
if the virus writer is the "terrorist" then the coast guard admin is the idiot who ignored the "we're coming to bomb $building at $time on $day in a $colour van with registration $reg" message.
Re:He should be (Score:4, Insightful)
Don't forget the 'oh, and please leave the gate open or we'll have to go somewhere else'.
Yes, it is partially Microsoft to blame as well - which twit thought it would be a good idea to have ports open by default with services listening to whatever crap other computers might send? You really have to trust your programming to allow something like that. If it's not actually necessary, why do it?
Re:He should be (Score:5, Insightful)
Okay, so the Free Software folk invariably have patches out within hours of an exploit being discovered, but this hole has already been patched too.
The onus is on the virus writers (and Script Kiddies etc) who write malicious code and to some degree on people not maintaining their systems.
Not locking your front door doesn't give you the right to blame the door-making companies when you get burgled. You can still blame the burglars, but you're out of luck if you claim insurance since it's your own fault.
It's different if there aren't any patches, and I'm well aware that Microsoft have their problems and need to be more secure, but I still stand by my judgement that they can't be held responsible for every virus outbreak that happens!
Re:He should be (Score:5, Insightful)
Whether or not my neighbor is to blame for having been robbed (which I don't believe he is), the point is: if my neighbor's computer is hacked and starts to attack mine, that's when we start to have a heightened sense of his responsibility in the matter.
Re:He should be (Score:3, Insightful)
What if the door company advertised their doors in a way that led you to believe that the door was locked when a design flaw meant it wasn't? And when the design flaw was pointed out to them, they mentioned it with a free fix on their website, but did nothing else? And a hundred thousand people were all robbed on the same night? In meatspace, people would be screaming for blood. I think the a
Comment removed (Score:4, Funny)
we should be (Score:5, Insightful)
A solution to this problem has been around for weeks now, yet one or more of these system were left unpatched. So yeah, the virus writer surely bears some responsibility, but then again so does the coast guard. And even if an MS OS did not exist at all and these folks had been running linux, if there were a similar exploit floating around in the wild would the admins who left this door open have fared any better then?
You can't hold MS responsible for the incompetence of the coast guard admins. Yeah, their software had an exploit - but they also had a solution available and it's not like this was any kind of secret. I hate to be this trite, but it's appropo here to remind everyone what "mama" always said: stupid is as stupid does...
Re:we should be (Score:3, Interesting)
Solutions (Score:5, Insightful)
MS has a "windows update" feature. It doesn't take a genius to enable it. Now, granted this feature can cause headaches if you have a large number of systems to update, but you can also perform similar processes under your own control (if you are an admin) and yet this wasn't done. Turn off all those ports? It doesn't take a genius to download the shavlik lockdown tool linked to by MS itself that will "audit" your system and close any unused ports. It also doesn't take a genius to click to e-eye for an external audit.
There are so many ways to fix these systems it's nuts. Yeah, they require a tiny bit of effort - one would think that's why the British taxpayers pay these administrator's salaries.
I'm no shill. I run both windows and linux, although I've been using windows a LOT longer and am, therefore, more able to exploit it. So are a lot of people, which makes it that much more vulnerable. And yet my own linux firewall was hacked one time because... tada... I was running a version of Smoothwall, didn't know the distro or what I was doing, and in the setup config the SSL port was left open and the service running and no explanation was made of the significance of this. As a result my "firewall" was owned within days, zone alarm disabled on one of my (unpatched) windows boxen, and (in short) the entire network became owned. I migrated to IPCOP then reloaded and patched the windows box, just a little wiser and smarter.
Just as so many here are fond of saying "slashdot doesn't have just one mind" I'll remind others who are dumping on MS over this there have been and are plenty of linux distros, and not all of them uniformly secure or stable "out of the box."
Holding the software maker responsible for something like this is as stupid as holding the coca-cola company responsible when some idiot pulls one of their vending machines over onto himself. Would you be so quick to call for heads on a stake if this were a network of Redhat boxes? How about a few dozen Suse desktops? It doesn't matter what OS you are using, problems like this almost always come down to one thing: PEBKAC.
Re:we should be (Score:4, Informative)
- More bugs
- Have to keep fixing things that are not being used at all, but that can't just be uninstalled/disabled.
For example, on my (FreeBSD in this case) Open Source OS based server, I can simply ignore patches for web browsers, mail clients, and generally any gui based program since they are not installed or at least not functioning, and definitely not listenign to the outside world without me havign set it up that way very explicitly.
I do have to watch a very specific shortlist of products that need to be kept uptodate, and I'll get a message on my phone in case a critical bug in one of those products is published in any of the known ways.
Having this shortlist of products (FreeBSD core, openssl, openssh, Apache, PHP) makes it very managable, and in the end I don't have to update things that often.
It would also really help a lot if MS patches didn't break so much and so often. I can remember virtually every case where a FreeBSD patch managed to messup my system over the last 8 years, and the last one goes back to the 3.x era some years ago. It seldom happens, and its in fact so exceptional that I can run the risk of it happening on my production servers. The risk and consequences are waaay smaller then the much more likely breakins that would result if I dont apply the patches.
At any rate, it doesn't take much time, and it is very clear what I have to watch and patch to keep secure. That is one of the main problems with Windows, even when you are a competant admin, you have so many things to watch, and keep discovering new things all the time.
Yes, I do believe that MS can be blamed for that problem. Such a system is not suitable for anything other then connecting to an isolated and trusted local area network. THe fact that windows uses IP for many LAN orriented services makes the problem a lot worse.
Re:we should be (Score:4, Interesting)
MS should bear the blunt of the blame. For as much revenue that is generated by their products you would expect them to have a better product by investing into it. By no means though is MS the sole bearer of the blame. The organization that chooses to use the OS and the administrators that don't keep up with the OS maintenance also share some of this responsibility.
Re:He should be (Score:3, Interesting)
Hmmm
How about any unpatched operating system is officially unsuitable for this sort of thing.
Yes blame can and should be placed on MS for the design and security features of their software however a large portion of blame should go to the individuals and organisations that do not regularly update their systems.
As linux takes off in the corporate world I expect there will
Re:He should be (Score:5, Insightful)
However, this isn't another situation and, if their machines had been properly firewalled (can someone please explain to me why any ports other than those for servers running in a DMZ should be visible over the net, because I'll be damned if I can think of any) they wouldn't have been infected. Hell, if they had zonealarm running on all the boxes they'd be safe even if they don't have a decent firewalls between their LANs and the net.
Yes, Microsoft isn't without blame (maybe if they made patches that didn't crap all over your machines life would be better) but in this case sloppy admins have struck again.
Re:He should be (Score:3, Interesting)
Re:He should be (Score:5, Insightful)
Operating systems are designed to be just that...an operating system. No matter how secure they make it, there will be some dirty virus writer out there that shatters that security. Now, I think it is good business practice for software companies to protect the best that they can against hackers, scripts, viruses, etc. However, that really isn't the business they are in... security. The deplorable human state has forced them into this position, but I pose the question: is it fair?
I mean, back to your car reference: If you drove through a bad neighborhood and a guy runs out, beats your window in with a baseball bat, and steals your backback, is the car company responsible for not making unbreakable windows? (pun intended) This would probably be laughed out of court, so I don't see how we can really blame the Operating System companies for a lack of security when all they are selling is an operating system.
Now, again, I think that they should secure it to the best of their ability... and that some of the security holes I have seen are ridiculous. And, if they tout complete security as a feature, then they are taking on that part of the business.
But, and correct me if I am wrong, I don't think most companies advertise 100% security anymore for this very reason. Because that is just a pipedream.
If someone breaks into my house, I am not suing the person who built my house. I am buying a security system (firewall) and using it. However, I assume that this isn't 100% effective, either.
Just I thought. I could be wrong.
Re:He should be (Score:5, Insightful)
Sadly, though, people still insist upon hounding the easy target. Look at the plight of the tobacco companies. I smoked for ten years, and let me tell you: I never met a smoker who did not know that smoking was bad for them, even potentially fatal. Unfortunately, once they've succumbed to the big C, their survivinng heirs go nuts and sue everyone remotely connected with their deaths.
This is true in aviation, too...half the price of a new plane just covers the manufacturer's liability insurance. Surviving heirs seem to insist upon driving another nail into their dead spouses' favorite hobby whenever the poor slob augers in.
How the gun companies have managed to, ahem, dodge the bullet in this regard so long is beyond me.
Anyway, I think it's obvious that you cannot have a completely secure OS unless you bury it in a box somewhere and don't let it talk to anybody. Fat lot of good it would do anyone then.
String the little vandals up, they deserve it. I think most of these little punks do it for the power trip, anyway (Dude, we shut down the Eastern Seaboard power grid, huh, huh). Let them have a little taste of the responsibility that comes with power.
Maybe we could lock them in a little room with a bunch of REAL worms...
Re:He should be (Score:4, Interesting)
If someone breaks into my house, I am not suing the person who built my house.
Even if the lock and indeed the whole of the front door is pathetic, has known vulnerabilities and the maker still touts it as secure with the well-known chairman of the company that built the house (door, lock and all) having announced a big push for increased security almost two years ago? How is the buyer of that house supposed to know that his front door is made of a material that looks like steel and feels like steel but offer about as much protection from burglars as Aerogel?
Microsoft claims Windows is secure. It isn't.
Re:He should be (Score:3, Insightful)
Re:He should be (Score:3, Insightful)
It's not so simple as 'microsoft is accessory to manslaughter' though. I'm sure the Microsoft EULA says it's not for use in safety-critical applications. People need to "vote with their feet" and switch to other products if they want secure systems, then MS may address the problem.
Re:He should be (Score:3, Interesting)
Actually, there'd probably be people pointing fingers at everyone else. Was the problem with the gun, or the bullet? Maybe the problem was caused because you didn't keep the gun in proper care. Maybe the gun was old and out of date.
Re:He should be (Score:5, Interesting)
if the gun exploded in someones hand then that would be a result of a defect, and something that is not caused by a malicious user. Slam Microsoft all you want, nothing wrong with that, but realize this specific incident would not have happened with out a malicious user.
The analogy is still wrong.
Say a gun manufacturer manufactures a gun that will work for most people most of the time, and failures only involve reloading, no actual damages. This same gun, through poor engineering, has a weakness in the barrel that can only be affected by a certain type of ammunition. The manufacturer doesn't consider this important because nobody manufactures that type of ammunition, it's worthless ammo.
So someone handcrafts the ammunition that will exploit the flaw, sneaks into your house and loads your gun with it, then escapes without leaving any trace other than the ammo in the gun.
Now the gun blows up in your hand. Who's at fault?
Even stretched to the limits as the analogy is, there's one primary difference between this analogy and the actual topic. For guns there aren't thousands of individuals building ammunition specifically designed to ruin the guns and possibly hurt the people firing them. For computers, there are. If this were to happen for real with a gun manufacturer, the manufacturer would be acquitted of all charges, because he had a reasonable expectation that what became an engineering flaw through exploit would not ever be a problem. Not so with the OS producer. They have a reasonable expectation that their OS will be attacked, and the more market share they have, the more this expectation resembles waiting for the sun to rise, i.e. you *know* it'll happen.
The OS producer must bear some responsibility for it, for the same reason a car manufacturer must bear some responsibility for injuries sustained in a car accident due to safety systems not well-engineered. Even then, we tend to forgive the car manufacturer, because accidents aren't supposed to happen, and there's usually some idiot at fault.
I'm all for pointing at Windows and saying it sucks any day of the week, but I'm not so sanguine to blame microsoft for the script kiddie that wrote the virus. It's grey area, there. And let's not forget that our beloved GPL disclaims all warranties as well...
Re:He should be (Score:5, Insightful)
As with most of the EU you cannot disclaim liability for death and some forms of injury, whatever you write on the license. (Nowdays "Not verified for use in safety critical systems" seems to have become an accepted way of ensuring the liability lands on the user though).
Considering the car analogy
You can be liable if you make a car with dodgy
brakes (unsuitable product, forseeable that it will cause an accident)
You can be liable if you knowingly drive a car with bad brakes (because its forseeable that this will cause an accident)
and you are most definitely going to get into trouble if you empty a bucket of oil over the road surface (aka writing the worm)
firearms manufacturers..... (Score:5, Insightful)
The big problem is software got a compoletely 100% "free ride" in the beginning, it was allowed to be sold with zero warranties, I guess to get the business off the ground or something. Or maybe... I dunno, can't think of a good reason really. They just slap got away with something no other industry has as far as I know. You can't sell a 1 cent stick of gum without it having actual and implied warranty to it.
This deal was way back when it first really took off (I really need to research this now,it's gonna bug me why they got such a sweet deal), now it's been decades. DECADES. Untold hundreds of billions of dollars in pure profits. Huge numbers of wealthy people and businesses involved with it. It's "mature" now. Time to insist on "profitable" software to have warranties, and hold the manufacturers liable for obvious defects. They have "Get out of any Responsibility" EULAs, but still "enjoy" full ME ME ME IT'S ALL MINE MY PRECIOUSSSS protection "under law" for "Intellectual Property" and make tons of cash, well, that is teh obvious suck now and ayone can see that.
It's one or the other, if the software makers want to treat electronic digits as some sort of extremely valuable commodity product, with PATENTS on it even, which they sell at a very, very good profit, they need some sort of a minimum consumer warranty applied to them, or strip them of their profitability, one or the other. Enough's ENOUGH on the free ride they get. The software industry is "mature" enough to treat those business people as normal adults, same as anyone else in any other industry.
We NEED a class action suit in general against free ride EULAs across the board for for-profit software, and it needs to go to the supreme court and be won.
I am surprised as all get out with all the other litigation that goes on in our society that a set of profitable businesses who have gotten hosed over and over and over again by these obvious defects haven't challenged those EULAs as being absurd and illegal in the first place. Name another industry that would dare to put out such a "contract" for consumers and have it accepted. It's quite absurd, they'd be laughed at, but "software" is now the biggest example of legal "conware" there is.
And YEP, I could care less if it meant that "releases" slowed to a crawl, wouldn't bother me one bit or byte. Consumers want quality, few if any defects, they just been faked out that crapware is "good enough" and the industry as a whole has all colluded to profit off of crap and conware. It's just plain stupid, and ethically wrong. We can see now that software is so "embedded" in our society that you can't really say now that "no one is effected" when defects show up. it can get downright dangerous, and it certainly costs consumers tons of cash to keep fix and repaired stuff that shouldn't be shipped broken in the first place. We need less patches, and more "it don't need to be patched" software
I don't know about Britain... (Score:5, Informative)
Doesn't everything? (Score:5, Insightful)
doesn't everything? seems to me that it get stretched more than a rubber band.
Re:Doesn't everything? (Score:5, Funny)
doesn't everything? seems to me that it get stretched more than a rubber band.
Questioning the intent of the Patriot Act falls under section 14 of the Patriot Act. I hope you don't have anything to hide terrorist, because the FBI are on their way.
Re:Doesn't everything? (Score:3, Funny)
and some clause in the Patriot Act doesn't everything?
seems to me that it get stretched more than a rubber band.
Why do you hate freedom?
Re:I don't know about Britain... (Score:5, Interesting)
I don't believe that it should be used in such as way, but if it is used to go after the "good" guys, then why not the bad as well?
Lately, it seems, the DMCA is trying to become the all-encompasing way to prosecute anyone who peeks somewhere they "shouldn't." This wouldn't work if someone explicitly opened the virus and it infected the system. However, if the virus sat there and hammered at holes in the software until it wormed its way in, then I don't see why they couldn't use the DMCA against that, as well.
I wasn't really suggesting it so much as putting it out there as a thought open for discussion...
Safety Critical Systems (Score:5, Insightful)
However, it's not just the software at fault. Whoever implemented the system was sharing a network with other people's machines in some way, without a firewall. There is fault spread out here, between microsoft, the lifegaurds IT people, and the virus writer.
Re:Safety Critical Systems (Score:4, Insightful)
Re:Safety Critical Systems (Score:3, Informative)
Re:Safety Critical Systems (Score:4, Insightful)
Back to the issue of using the right tool for the right job. In many situations no "Off The Shelf" ("Commercial" or otherwise) is suitable.
From an engineering POV an Open Source System is more likely to be a good tool, even if you use some standard package/distribution as a starting point. Since you can then verify that it does what it should do and only what it should do. (A lot of malware involves use of unneeded "features".) Something which is very difficult with proprietary software since you need to take things of trust from the vendor and virtually impossible with something like Windows. Which in addition to being proprietary software contains deliberate "sphagetti code".
Re:Safety Critical Systems (Score:3, Interesting)
All the real work is done either by RAF or by volunteer lifeboats which do not get a single penny of government money. Frankly, I find it shamefull and disgusting that a country in the big 8 wich is also an island is incapable of even financing its lifeboat crews.
So frankly, if someone will wipe off the coast guard completely noone will notice. Emergency service
The real question is (Score:5, Insightful)
Why did the the UK Coastguard allow this to happen? The Sasser worm is 100% preventable if your system is properly patched and firewalled.
Re:The real question is (Score:5, Insightful)
If their Coastguard's mentality is anything their American counterpart's I can think of a damn good reason why this happened. *Support contracts*. Legendary documents written in stone that require that a specific agency do all maintance and repair of their PCs. Dispite the fact that the operator is more then able to click on the reccomended patches, doing so could get you into alot of trouble. Your not going to trust your military's computer system to enlisted folk, and chances are the officers are not aware of preventive measures. Those who are assign such tasks to contract companies.
Taking these matters on your self opens you up to a whole bunch of no fun, such as the military justice system. So one learns it's not their job... nothing will ever get done about it... and hope one's tour of duty is up reall soon before you go insane.
Re:The real question is (Score:5, Informative)
I dont speak for all military, but the Army has an entire major command dedicated to nothing but computers. Formed in 99 NETCOM has actully done a fairly good job in keeping things working. As far at threat detection, patch verification, and orders to deploy, NETCOM tends to be on a 72 hour turnaround. Given that the patch was issued April 13, its way ahead of an outbreak like Sasser. Even better, they have the authority to disconnect. The orders to patch go straight to company commanders and sysAdmins who can be repremanded if their unit goes down. Even if they give the task to a contractor, they are still liable Id hate to be the company commander who sees the brigade commander over virus outbreaks. That seems to keep them in line pretty well.
SPC Gruhn
TNOSC-K, Systems Management Branch
1st Signal BDE
"First to Communicate!"
Re:The real question is (Score:4, Interesting)
When your systems are that important, it's madness to run them unsecured. There should be strong firewalls on the networks and virus scanners on every machine. If the virus finds a way in (say a managers laptop) there's no way it should be able to spread. And vulnerable systems (*cough* Windows *cough*) should be kept to a minimum.
I know some folks say if it's behind the firewall it's safe, but as we see again and again, that's rarely the case. It's my policy to ensure *every* machine is updated as required, and the servers and Windows machines run AV software.
Re:The real question is (Score:4, Informative)
You are misinformed; the Coastguard *is* a government agency. The RNLI is a fine charity but nothing to do with this story.
Re:The real question is (Score:4, Informative)
That's not true. The coastguard is an executive agency of the Department for Transport (DfT) [mcga.gov.uk], whereas the RNLI is a charitable organisation. It is true that a lot of the sea based rescues are performed by RNLI volunteers but a lot of the coastal emergencies are tended by the coastguard itself. Helicopter rescues for example, don't involve the RNLI.
In other words, it is the Government's responsibility to hire competent administrators.
Re:The real question is (Score:3, Informative)
The Coastguard is responsible for coordinating various organizations (RNLI,RAF, RN etc.) in search and rescue operations in the UK. It is a agency of the department of transport. They monitor the emergency broadcast channels for the UK and a large section of the Atlantic ocean and often further a field. Throughout the UK they have a number of rescue teams who often get involved with more than just maritime emergencies. The RNLI as you stated is a charity, staffed almost completely by
Re:The real question is (Score:3, Insightful)
There is a UK Coast Guard service. But this is a comparativlely small organisation which monitors radios traffic for distress calls, does traffic management on busy shipping routes and coordinates search and rescue operations.
The actual rescue is usually done by the RNLI which has boats manned by volenterr crews and is funded as a charity, or, if anything airborne is required it is supplied by the airforce, (additionally police, fire brigade etc. may be called in).
The actual effect of th
Re:The real question is (Score:3, Funny)
Re:The real question is (Score:5, Insightful)
Re:The real question is (Score:5, Informative)
Re:The real question is (Score:5, Informative)
If they can't get the CD out in a few days, it's worthless. For instance, sasser? That CD would have been useless... as I still wouldn't have it.
Re:The real question is (Score:3, Informative)
Re:The real question is (Score:5, Funny)
So how do you remotely administer one of these machines ? Telekinesis ?
Re:The real question is (Score:4, Insightful)
You turn on the services.
The real point is that no outside software can do anything bad to a Mac machine by default, because no ports are open.
If you turn a service on, then you KNOW IT IS ON, and you KNOW YOU NEED TO CHECK IT FOR SECURITY.
We're talking consumer client OSs. The vast majority of the users never turn anything on (and by default, never get a worm).
Imagine if Windows took that same philosophy...
In general, I am perfectly happy for even server machines to be shipped with only those ports open that I manually specify, or turn on myself. It's secure by default, services on demand, not unadministered services by default. The latter is insanity in today's networks.
Critical Services Should Use Hardened Systems (Score:5, Insightful)
Patches (Score:5, Interesting)
But...
Why aren't MS patches single discrete objects? One patch for One vulnerability? That way IMHO clears the problem of a "patch" that comes up, is huge, and attempts to fix ten documented vulnerabilities (but knowing the code used in huge projects, it's possibly many dozen fixes at once).
This kind of fine grained control is what works WELL in debian for example. To update an error in ssh, download it's patch. to update an error in an x library, update that one library. Not bundled in with loads of extra crap
I suspect this is a marketing thing. MS can truthfully say they only had 4 patches in a year, when the patches in linux systems number "in the hundreds", when the reality is far different.
Even MacOS seems to be partway to the debian like approach, where there may be a dozen security updates in a year fixing a small number of vulnerabilities each. It's a consistent line of updates, instead of happening in large steps over which an admin has no control.
Re:Patches (Score:5, Informative)
apt-get update && apt-get -u upgrade
It tells you exactly what software has updates and offers to install them. It does the rest for you. Should you want to install one at a time because of potential/expected problems with upgrading them, type apt-get install package-name.
It's not tough.
-N
"no danger to the public" BBC (Score:5, Informative)
No safety critical systems were involved.
Re:"no danger to the public" BBC (Score:5, Insightful)
The computer mapping system (I presume) is easier to use than the paper maps. So if someone's missing and it takes (say) an extra 5 minutes to get the map out, plot drifts and currents and say "we'll search here", and the searchplane passes overhead 4 minutes after the boat has sunk without trace... is this still safety critical? If an extra life could have been saved if you had the computer system up?
Just generally ... (Score:5, Insightful)
With that, are they off the hook? No way. If they are caught, there are lots of laws they could be charged with, some of which are felonies. Murder, or even manslaughter, are not among them, however. At least, not under this limited hypothetical.
Re:Just generally ... (Score:3, Insightful)
Wrong (Score:3, Insightful)
Limited liability exists only when the software was voluntarily and knowingly installed (e.g. after reading a EULA and clicking OK). So you can expect full liabilty (both criminal and civil). In many jurisdications, if a virus directly caused a death they could be charged with murder.
The admin is guilty of negligence, again both criminal (only in the case of gross negligence, which could be failing to patch a critical system), and civil (although as an employee, this usually only means losing
Re:Wrong (Score:3, Interesting)
The idea of the admin being responsible intrigues me. Wha
Re:Wrong (Score:3, Insightful)
If they didn't have an admin. Managment would still be potentially liable (negligence of not having a competent admin), and civil liability would not be diminished.
Proximate cause (Score:3, Interesting)
Sasser FUn! (Score:5, Insightful)
I figure i've taken 40 some Sasser Calls. Each call takes about 7-10 minutes to clean it off and all that. So you figure, 320 minutes or 4 hours of my time. That comes to costing my company something like $40 odd dollars. Now multiply that 40 some by the thounsands of techs just like me who have to do the same thing.
I almost can't blame the customers for doing this. Ever try just updating windows xp over broadband? Takes forever. Now try pulling down 50 some megs of critical updates over a freaking dialup modem. Remember - not a *single* major PC manufacturer I know of installs ANY critical updates on their home pc's they sell to the end user. Nothing. Nada. Dell, HP, Compaq, etc. I've ranted about how irresponsible and stupid this is before and i'll continue to do so now
I dearly, sincerly wish that Microsoft would actually build not only a real firewall into their products or/and shut off unneeded services to the internet. I also wish manufactures would actually ship their machines with all the critical updates installed. I also want a pony.
This outbreak isn't as bad as blaster was but still. I'm no MS hater, I understand their product code base is massive and keeping track of all that and bug fixes takes an enormous amount of money and time but they *seriously* need to work on security. I would estimate virus cleanup and spyware sucks up 10-15% of my time at work.
Re:Sasser FUn! (Score:3, Interesting)
What's even worse is the fact that most internet users are still stuck on dialup! According to this recent article [cbsnews.com] at CBS, 3 out of 5 internet users don't have broadband.
The very issue of security patches, their sizes, and the problems for dialup users trying to download them was covered here [securityfocus.com] as well.
Re:Sasser FUn! (Score:3, Insightful)
Or try this: According to Microsoft 1.5m users downloaded the cleanup tool via Windows Update. This does not include users that cleaned off their systems via a third party tool from an AV v
I blame 'Microsoft only' consultants for this. (Score:5, Insightful)
I offer one reason why this doesn't happen too often, particularly in the UK. Way too many 'technical consultancies' for institutions like the coastguard are staffed by MCSEs with no proper computer science knowledge who just install Windows XP on every machine, set up 'Internet Connection Sharing', and leave. They wouldn't even dream of putting a non-Windows box on a network!
Thankfully these worms and virus attacks are showing up these idiotic 'we only touch Microsoft stuff' agencies for what they're worth. Any decent technical consultant should be able to advise companies on the right hardware and software to use, independent of vendors.. so it might be Microsoft on the client end, and UNIX on the back end.. but no, the UK (at least) is filled with MCSE ridden agencies who get totally lost when they don't have a 'Start' button to click.
Re:I blame 'Microsoft only' consultants for this. (Score:3, Insightful)
Someone always manages to bring an infected laptop inside the firewall.
Those 'technical consultancies' need to include keeping the systems patched in that TCO they love to rant about so much.
Re:I blame 'Microsoft only' consultants for this. (Score:3, Insightful)
If you're talkin
Also affected Deutsche Post (Score:3, Interesting)
Due to stricter securities setting (because of Sasser) this was not possible for hours.
Devil's advocate (Score:5, Insightful)
The obvious one is the good old Microsoft. This has been beaten to death so many times that I am not going to delve into it...
The other group to consider is the people who have been infected. They have partially brought any problems upon themselves. This happens because of many things including the choice they made to run the system was vulnerable, the choice to not patch promptly (if a patch was available), the choice to not better secure their critical systems, etc.
Blaming the virus/worm authors and the author of the vulnerable software is easy (and absolutely right), but people really need to start looking beyond that and realise that it is really their decisions that are the core issue. If you don't want to be vulnerable to Windows virii/worms then don't run Windows. If you need to run Windows, secure it. If is a critical app, pay some serious attention to it...
Basically, I am advocating a bit of responsibility for ones own destiny...
No - the Coast Guards IT department is at fault. (Score:5, Insightful)
Stop Blaming the Victims of Microsoft's Fraud (Score:5, Insightful)
I find this propensity for blaming the victim to be very disturbing. Microsoft has been fraudulantly representing their system as both stable and secure, just as they have been fraudulantly representing their system as less expensive than their competitors' products (GNU/Linux, OS X, *BSD, etc). This is a matter of public record
Now, one can argue that the technical staff of the coast guard should have known better (so too should every victim of every fraud perpetrated), but the fact that they didn't is hardly negligence on their part, when their vendor misrepresents their product's security on a daily basis.
I can't belive that people who put together systems that perform life critical functions cannot be held liable for the choices they make
I dont think the OS choice is relevent.
Clearly the data do not support this. Mac OS X is demonstrably more secure than windows, both systematically through an architectural analsys, and through historical emperical data (number of exploits, timeliness of patches, effectiveness of patches, etc.). Ditto for the various flavors of BSD, ditto for Linux, ditto for IBM's various mainframe operating systems, and the list goes on.
Clearly, as the underlying architect and definition of a system's security design, policy, and implimentation, the operating system is the single most relevant design choice one can make.
Its the setting up of a system that is exposed to the internet. Systems on which peoplses lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.
That is unrealistic. Systems which are networked together can save lives. A ship is in trouble and automatically reports its position for rescue, allowing the crew to get on with the more immediate task of not drowning. A hospital computer notes a patient's decline and automatically notifies other systems, which notify the appropriate physicians and medical staff. Proper implimentation is critical, of course, but the "cut the cable" solution is nonsensical, particularly when reasonably secure alternatives such as Linux, Mac OS X, and *BSD exist and are well proven.
The worm writer, and Microsoft's fraudulant representation of their operating system as stable and secure, are the primary culprits in this fiasco. It is time we stopped blaming their victims, and held the perpetrators responsible instead.
Re:No - the Coast Guards IT department is at fault (Score:3, Insightful)
OK so it was a worm which took down the systems this time which is something you can protect against but at the end of the day you shouldn't rely on any computer system without a manual backup process ( if it is possible to implement one ) which can take over for saf
The message is simple (Score:5, Insightful)
You can lead a horse to water... (Score:4, Informative)
MS's Security Bulletin on April 13th [microsoft.com] (this is a week before Sasser "hit".) Microsoft did their job, but can the UK Coastguard do theirs? Apparently not... It is so easy to point the finger at the provider or some anonymous joe on the Internet, but it is so hard to take responsibilty for your own lack of action. It's the UK Coastguard's job to apply their patches in a timely fashion so that the services they render can be reliably delivered.
It's possible to get these notices emailed to you as soon as they're available. These people should be fired, er wait.. in UK... sacked.
- Mind
Slow Down the Security Patch Cycle? (Score:3, Interesting)
This case would seem to support the reasons made in the computerworld article about slowing down the security patch release cycle.
Re:You can lead a horse to water... (Score:3, Informative)
It's easier said than done, though.
Does anyone really trust MS Updates anymore? There've been to many horror stories of Updates breaking other stuff for 100% of Windows Admins to trust Windows Update immediately.
Plus there are the basic "rules" about never installing something on a production machine until you're sure it doesn't break anything, combined with never installing anything until someone else has dicovered all of the bugs.
Put these together, and it becomes hard to risk putting patches on anym
Whatever happened to isolation? (Score:5, Insightful)
Morons! (Score:5, Insightful)
From the article [independent.co.uk]:
No! Anyone with an infected machine should stop visiting Microsoft's website and never use Windows in such a critical environment as the Marine and Coastguard Agency for God's sake!
CT scanners at major hospital affected (Score:5, Interesting)
The danish newspaper Ingeniøren [www.ing.dk] reports that the Sasser virus attack affected the danihs hospital, Herlev Sygehus. The hospital had to cancle scheduled CT-scannings because the scanners crashed. Also MR-scanners were affected, though no scannings were canceled.
"We do actually have a firewall, but aparently it hasn't been updated enough" sais radiographer Jan Bovin. "It was the scanners running Windows 2000 and XP that were affected, the MR-scanners running Linux had no problems," he sais.
The original story is here [www.ing.dk] (in danish).
It appears that the consequences of the Microsoft monopoly are getting worse. Are there any linux-run hospitals?
"real" businesses hit too (cf BA) (Score:4, Interesting)
http://tinyurl.com/3h7fb
If I were a Linux vendor I would be all over BA and other victims pitching my stuff.... I know this is a bit wrong but hey Business is business and I am sure I would get these guys attention FAST!
Salesmen and ethics (Score:5, Insightful)
This is the right time to promote it, and the positive aspects compared to the current solution. You will likely have an easier time trying to point out some of the flaws with their current situation.
Sasser Frazzed (Score:4, Interesting)
As soon as the last batch of updates were released - starting about half an hour after I read about the updates on
Which is why it's f*cking galling that I checked our server's update history this morning and there are sixteen critical updates still waiting to be loaded, because the IT guys say we don't need them and, y'know, we shouldn't worry about it.
Aaagh!
Delta Airlines (Score:5, Interesting)
Although I think they've denied it in public, Delta Airlines was also brought down over the weekend by this worm. I have a friend who came to Church panting, out of breath because he was late and had to rush. He works at Delta and said he had been there since Saturday patching and cleaning machines. Right after services he was going back.
The system effected was one that calculates passenger and cargo weight so it can be distribuited evenly through out the aircraft. It's one of those systems that's easy to forget. It's not like air traffic control or reservations or something people would consider "critical".
It's scary but ironic that a small forgotten local sub-system can bring down a billion dollar corporation and inconvience tens of thousands of people. It was local to Atlanta, used at the ticket counter and for flights leaving Atlanta but, bring down the hub and the entire operation is effected.
Examples of how weight/balance causes crashes. (Score:4, Interesting)
Some examples from the British AAIB archives:
12 Jan 1999: Fokker F27-600 crash nr Guernsey. [dft.gov.uk](load moved)
18 Sep 1996 Boeing 737-4Q8, G-BSNW [dft.gov.uk] (Uncommanded roll due to incorrect fuel balance).
18 June 1972 Trident G-ARPI crash after takeoff at Heathrow [dft.gov.uk] (Weight and Balance as a contributory factor).
Comment removed (Score:5, Informative)
Know your systems and do not rely on a firewall (Score:5, Informative)
If it's not running, it can't be exploited!
Network security? (Score:3, Interesting)
Shouldn't there be a bit better security in an essential service such as that? Why are people allowed to bring insecure machines in, and plug them into the network? Shouldn't they have 24/7 administration? Shouldn't someone have seen a report about Sasser, and patched their machines? We're not talking about Mom & Pop ISP here, we're talking about a branch of a nations military. Why are people coming in with laptops from home, and being allowed on the same network with an essential infrastructure? Haven't their admins read any books on secure networking? What about firewalls between the essential infrastructure machines, and the compromisable network? The way the story sounds, people take their laptops home, browse the Internet, and come to work and plug in pretty much anywhere. I suppose there's more than one CCSP on staff saying "hey boss, told you so" err, maybe "Sir, remember those security recommendations I made last year? May we implement those now?"
monoculture problems (Score:3, Interesting)
But also caused with the massive MS Windows monoculture (cf market dominance).
It's times like this that running 3 O/S's at work for the users desktop helps. But then i get stuffed by patching and trying to find tools that cover all my bases....(or run three tools!).
Natja (Score:3, Insightful)
I think the bigger issue here is why systems like this, even relatively non-critical ones like the UK Coast Guard's mapping system, are running Windows. I would think that an organization like the CG would be able to get their vendors to develop applications for whatever OS they were running. Agencies set some criteria and contractors meet said criteria. If they were running say Linux I don't think it is far fetched to believe that some contractor would be able to develop the required mapping software for it. The CG might be running COTS software that runs only on Windows but I don't find that likely. I'd welcome an answer however.
Windows is known to be an extremely insecure system despite Microsoft's claims. While Service Pack 2 might magically fix all sorts of problems it is not available to end-users yet. Those magical fixes don't mean much to the here and now. It looks as if Windows' vulnerabilities are costing companies quite a bit of money and eating into their bottom line. I would have thought by now Windows would be on its way out the door in many organizations since their competition such as it is can do many of the same tasks either cheaper or more reliably.
Where was the British CG CERT during this? (Score:3, Interesting)
Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13
I work for the US Army. We knew about this way before the patch came out just by monitoring bugtrack. Less than 72 hours from the bug being confirmed by our service CERT, we firewalled access to this kind of thing. The patch was confirmed for deployment almost 48 hours after the patch became available. If it was not deployed 96 hours after the order, we shut the node down until we can confirm its patched and ready to rejoin the network. The impact of Sasser on our networks? Almost ZERO.
All of our responce is coordinated by the US Army CERT (ACERT). Where did the British Coast Guard equivelent do? Is there such a thing? This is preventable, especially given the time from patch to exploit. Its not like this sprang up overnight. Even then, dont they have a team that monitors this stuff and has authority to order massive disconnet? It seems that MS is not at fault, the British CG CERT failed them here. If they did try to prevent this, what failed them? Anitvirus? Admins who failed to patch? Lack of informing them downrange?
SPC Gruhn
TNOSC-K, Systems Management Branch
1st SIG BDE
"First to Communicate!"
Don't blame the script kiddies (Score:4, Interesting)
It's like placing a coin on a railway track to see what happens to the Queen's face when a train runs over it, and ending up derailing the train
This is an excellent opportunity to sow seeds of change. Open people's minds to the possibility that there might be an alternative to Windows. Ask questions. Did they know there were vulnerabilities? Well, did they not look at the source code? [the what?] The source code -- you know, the human-readable form of the code that can be examined and modified. What scrutiny did you subject the source code to? [but that's a secret!] What -- you bought a locked box that you knew you weren't going to be allowed to look inside, and you didn't get even the tiniest little bit suspicious that somebody might be trying to hide something from you?
Every piece of food you buy is clearly labelled with a list of the ingredients. {this was actually used in an anti-drug propaganda advertisement in the mid-1990s, till some bright spark suggested that surely legal drugs would be properly labelled and the problems caused by not knowing what was in pills and powders were merely a side-effect of prohibition}. The analogy between Microsoft and Tom Lehrer's Old Dope Peddler [aol.com] is a strong one. Give out free samples {educational licence discount}, get people hooked {file format lock-in}, watch the little puppets dance to your tune.
For my part, I have pledged never again to work with Windows, ever. At all. The only repair I will ever again do to a Windows box is to install Linux on it -- barring that, I will simply unplug the power cable, leave it unplugged and consider that an improvement. The time has already come when I would sooner forego a computer altogether than touch Windows.
All kinds of stupid interruptions (Score:3, Informative)
Why?
Apparently the system that reads my credit card number around four times a week for the past year has been running unpatched and unfirewalled.
Coool! Thanks, Stop & Shop IT!
Hmmmm (Score:3, Insightful)
Re:If the programmer at Microsoft... (Score:5, Insightful)
That's an interesting point, which my college CS prof demonstrated to good effect. He asked the class one day - "How many of u expect your cars to be engineered such that they will run safely and properly 99.9% of the time?" Everbody's hand's go up. "How many of u think that if there is a life-threatening fault in the car, the engineers responsible for building it should be held accountable?" Everbody's hand goes, up, along with a few grunts of "DUH!". Then the next question: "How many of you feel that if mission-critical software, like the stuff that runs airplanes, fails, the programmers should be held accountable too?" Silence.... granted writing code ain't quite like building a car, but he got his point across. He wanted to bring home the fact that most software comes with the rider that it won't just one-day break. This applies to non-M$ as much as M$, though with a lot less frequency....
Re:If the programmer at Microsoft... (Score:3, Insightful)
Re:If the programmer at Microsoft... (Score:3, Interesting)
According to the insurance company, HELL YEAH!
Cooper
--
This truth probably doesn't come as shocking news to any of you,
and if it does then you're stupid and I hate you.
- Everything Can Be Beaten -
Re:Oh, for ----- sake (Score:5, Insightful)
I think that there is a difference between going down occasionally and going down every week.
BTW, that is Mr. Nerd to you.
Re:Oh, for fuck sake (Score:5, Interesting)
According to Wikipedia [wikipedia.org] Elk Cloner [wikipedia.org] was the first virus to be caught "in the wild" i.e. outside of a research lab. It ran on Apple II systems, more than likely because MS-DOS was barely capable of running programs at the time.
Also, lets keep things in context, Sasser can install and execute itself remotely without any user interaction -- there is a big difference between that and booting from a random floppy disk or logging in as root, downloading, chmod +x virus, and executing
Re:Bad Admins (Score:5, Insightful)
In reality, companies have selected Windows after being told that its administration is much easier than for competing systems. Admins only need to know which buttons to click to setup a new system. In-depth knowledge about the underlying principles is often not available, with the excuse that it was supposed to be unneccessary.
In the end, it may be better to install a system that is a bit more difficult to administer, and thus avoid the administration by unqualified personnel.
Re:Bad Admins (Score:3, Interesting)
Don't have any services running on any ports unless the computer owner has explicitly asked for them.
Here's a question. Suppose I buy a new computer and I want to connect it to the internet over dialup to activate my copy of Windows XP. I now have to hunt around a bunch of menus to turn on the inbuilt firewall before I can do this. Then I have to download some megabytes of patches to make it safe. At a per bit cost that's ridiculous.
That's just not acceptable.
Re:virii are a fact of life (Score:5, Insightful)
Or, even better, ship Windows with a piece of software that does that automatically? Oh, wait, they already do that...
It needs to be said again: YOUR COMPUTER IS YOUR RESPONSIBILITY! The patch for this one was available for some time (a month or so). You can't pin this one on Microsoft any more than you can blame the car manufacturer for car breakdown after you missed your scheduled service.
Isn't it about time to start introducing fines for people who propagate worms and viruses? Yes, fines for getting your machine infected. It's illegal to drive a malfunctioning car, why should it be legal to operate a malfunctioning computer? Both are a danger to the public.