Sasser Worm Takes Down UK's Coastguard 733
jonman_d writes "The Sasser worm has recently disabled the computer systems of Britain's Coastguard. Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Moreover, it raises questions of responsibility: if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"
He should be (Score:5, Insightful)
It wouldn't be murder per say, but definitely manslaughter. If they catch the guy, I hope the full force of the law comes down on him.
Safety Critical Systems (Score:5, Insightful)
However, it's not just the software at fault. Whoever implemented the system was sharing a network with other people's machines in some way, without a firewall. There is fault spread out here, between microsoft, the lifegaurds IT people, and the virus writer.
The real question is (Score:5, Insightful)
Why did the the UK Coastguard allow this to happen? The Sasser worm is 100% preventable if your system is properly patched and firewalled.
Re:He should be (Score:5, Insightful)
if the virus writer is the "terrorist" then the coast guard admin is the idiot who ignored the "we're coming to bomb $building at $time on $day in a $colour van with registration $reg" message.
Hmmmm (Score:3, Insightful)
Methinks. (Score:2, Insightful)
Replace "outage" with "outrage".
There is no way in hell an important insitution should put up with shit like this. If any arbitrary piece of code that gets sent around could bring my companys systems (as often as it is the case about WIndows XXX) to its knees I'd start seeing red about what the software manufacturer was spending its time on.
And choose a different supplier.
Re:Safety Critical Systems (Score:4, Insightful)
Critical Services Should Use Hardened Systems (Score:5, Insightful)
Re:The real question is (Score:1, Insightful)
MacOS X ships with *0* ports open.
Just generally ... (Score:5, Insightful)
With that, are they off the hook? No way. If they are caught, there are lots of laws they could be charged with, some of which are felonies. Murder, or even manslaughter, are not among them, however. At least, not under this limited hypothetical.
Re:If the programmer at Microsoft... (Score:1, Insightful)
Sasser FUn! (Score:5, Insightful)
I figure i've taken 40 some Sasser Calls. Each call takes about 7-10 minutes to clean it off and all that. So you figure, 320 minutes or 4 hours of my time. That comes to costing my company something like $40 odd dollars. Now multiply that 40 some by the thounsands of techs just like me who have to do the same thing.
I almost can't blame the customers for doing this. Ever try just updating windows xp over broadband? Takes forever. Now try pulling down 50 some megs of critical updates over a freaking dialup modem. Remember - not a *single* major PC manufacturer I know of installs ANY critical updates on their home pc's they sell to the end user. Nothing. Nada. Dell, HP, Compaq, etc. I've ranted about how irresponsible and stupid this is before and i'll continue to do so now
I dearly, sincerly wish that Microsoft would actually build not only a real firewall into their products or/and shut off unneeded services to the internet. I also wish manufactures would actually ship their machines with all the critical updates installed. I also want a pony.
This outbreak isn't as bad as blaster was but still. I'm no MS hater, I understand their product code base is massive and keeping track of all that and bug fixes takes an enormous amount of money and time but they *seriously* need to work on security. I would estimate virus cleanup and spyware sucks up 10-15% of my time at work.
Re:If the programmer at Microsoft... (Score:5, Insightful)
That's an interesting point, which my college CS prof demonstrated to good effect. He asked the class one day - "How many of u expect your cars to be engineered such that they will run safely and properly 99.9% of the time?" Everbody's hand's go up. "How many of u think that if there is a life-threatening fault in the car, the engineers responsible for building it should be held accountable?" Everbody's hand goes, up, along with a few grunts of "DUH!". Then the next question: "How many of you feel that if mission-critical software, like the stuff that runs airplanes, fails, the programmers should be held accountable too?" Silence.... granted writing code ain't quite like building a car, but he got his point across. He wanted to bring home the fact that most software comes with the rider that it won't just one-day break. This applies to non-M$ as much as M$, though with a lot less frequency....
Re:If the programmer at Microsoft... (Score:2, Insightful)
Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Does it? Maybe it should raise some doubts over hiring admins that don't understand a firewall is important, can't figure out how to implement Microsoft SUS in their environment to auto-apply patches, can't properly secure their machines, etc.
I blame 'Microsoft only' consultants for this. (Score:5, Insightful)
I offer one reason why this doesn't happen too often, particularly in the UK. Way too many 'technical consultancies' for institutions like the coastguard are staffed by MCSEs with no proper computer science knowledge who just install Windows XP on every machine, set up 'Internet Connection Sharing', and leave. They wouldn't even dream of putting a non-Windows box on a network!
Thankfully these worms and virus attacks are showing up these idiotic 'we only touch Microsoft stuff' agencies for what they're worth. Any decent technical consultant should be able to advise companies on the right hardware and software to use, independent of vendors.. so it might be Microsoft on the client end, and UNIX on the back end.. but no, the UK (at least) is filled with MCSE ridden agencies who get totally lost when they don't have a 'Start' button to click.
a reminder... (Score:2, Insightful)
it would be reliable for critical system if... (Score:1, Insightful)
so in that scenario there would be NO excuses for having the system outdated.
Devil's advocate (Score:5, Insightful)
The obvious one is the good old Microsoft. This has been beaten to death so many times that I am not going to delve into it...
The other group to consider is the people who have been infected. They have partially brought any problems upon themselves. This happens because of many things including the choice they made to run the system was vulnerable, the choice to not patch promptly (if a patch was available), the choice to not better secure their critical systems, etc.
Blaming the virus/worm authors and the author of the vulnerable software is easy (and absolutely right), but people really need to start looking beyond that and realise that it is really their decisions that are the core issue. If you don't want to be vulnerable to Windows virii/worms then don't run Windows. If you need to run Windows, secure it. If is a critical app, pay some serious attention to it...
Basically, I am advocating a bit of responsibility for ones own destiny...
Re:If the programmer at Microsoft... (Score:3, Insightful)
No - the Coast Guards IT department is at fault. (Score:5, Insightful)
Re:"no danger to the public" BBC (Score:2, Insightful)
Paper? what paper? oh! ePaper!
nope, our laptop got the virus last night. Sorry, WE CAN'T RESCUE YOU UNTIL WE GET OUR LAPTOP FIXED!
Boy, im not optimistic tonight.
-Grump
Re:Methinks. (Score:2, Insightful)
Re:Oh, for ----- sake (Score:5, Insightful)
I think that there is a difference between going down occasionally and going down every week.
BTW, that is Mr. Nerd to you.
Re:Just generally ... (Score:3, Insightful)
On the other hand, one could take the Patriot Act into consideration, at least in the U.S. If it were shown that the attack was intentional to take down the system of rescue personnel, this could consider an act of terror and thus the virus writers could be tried as terroritsts.
We must also consider the administrator who did not patch the system. He might not be legally held responsible, but I am sure that his bosses will see this another way.
In the U.S., the virus writers probably wouldn't be prosecuted for software-caused manslaughter (because of the limited liability thing), but they would still get charged with felonies, as you pointed out.
The U.K, on the other hand... that is something different entirely.
The question is, if the Virus Writers themselves even came from the U.K.
Wouldn't they be prosecuted under their country's laws unless expediated? Which, since we don't know who they are, this question shall remain unanswered.
Doesn't everything? (Score:5, Insightful)
doesn't everything? seems to me that it get stretched more than a rubber band.
The message is simple (Score:5, Insightful)
Re:"no danger to the public" BBC (Score:5, Insightful)
The computer mapping system (I presume) is easier to use than the paper maps. So if someone's missing and it takes (say) an extra 5 minutes to get the map out, plot drifts and currents and say "we'll search here", and the searchplane passes overhead 4 minutes after the boat has sunk without trace... is this still safety critical? If an extra life could have been saved if you had the computer system up?
Re:I blame 'Microsoft only' consultants for this. (Score:3, Insightful)
Someone always manages to bring an infected laptop inside the firewall.
Those 'technical consultancies' need to include keeping the systems patched in that TCO they love to rant about so much.
Re:Leave MS out of this (Score:2, Insightful)
This isn't a car. Not only do they not give you the full package, they can force the vendors with a license into not giving it to you as well.
"You can't package that, it's against our license."
Re:He should be (Score:4, Insightful)
Don't forget the 'oh, and please leave the gate open or we'll have to go somewhere else'.
Yes, it is partially Microsoft to blame as well - which twit thought it would be a good idea to have ports open by default with services listening to whatever crap other computers might send? You really have to trust your programming to allow something like that. If it's not actually necessary, why do it?
Re:Leave MS out of this (Score:2, Insightful)
Whatever happened to isolation? (Score:5, Insightful)
Re:Just generally ... (Score:1, Insightful)
Re:He should be (Score:5, Insightful)
Operating systems are designed to be just that...an operating system. No matter how secure they make it, there will be some dirty virus writer out there that shatters that security. Now, I think it is good business practice for software companies to protect the best that they can against hackers, scripts, viruses, etc. However, that really isn't the business they are in... security. The deplorable human state has forced them into this position, but I pose the question: is it fair?
I mean, back to your car reference: If you drove through a bad neighborhood and a guy runs out, beats your window in with a baseball bat, and steals your backback, is the car company responsible for not making unbreakable windows? (pun intended) This would probably be laughed out of court, so I don't see how we can really blame the Operating System companies for a lack of security when all they are selling is an operating system.
Now, again, I think that they should secure it to the best of their ability... and that some of the security holes I have seen are ridiculous. And, if they tout complete security as a feature, then they are taking on that part of the business.
But, and correct me if I am wrong, I don't think most companies advertise 100% security anymore for this very reason. Because that is just a pipedream.
If someone breaks into my house, I am not suing the person who built my house. I am buying a security system (firewall) and using it. However, I assume that this isn't 100% effective, either.
Just I thought. I could be wrong.
Morons! (Score:5, Insightful)
From the article [independent.co.uk]:
No! Anyone with an infected machine should stop visiting Microsoft's website and never use Windows in such a critical environment as the Marine and Coastguard Agency for God's sake!
Wrong (Score:3, Insightful)
Limited liability exists only when the software was voluntarily and knowingly installed (e.g. after reading a EULA and clicking OK). So you can expect full liabilty (both criminal and civil). In many jurisdications, if a virus directly caused a death they could be charged with murder.
The admin is guilty of negligence, again both criminal (only in the case of gross negligence, which could be failing to patch a critical system), and civil (although as an employee, this usually only means losing his/her job), the employer will probably be liable to (probably civil cases only though).
Oh come on, be a man (Score:1, Insightful)
Be a man, don't send the kid to jail. He didn't destroy your house with a bulldoser, he just peed in a hole. Admit that your house was fragile, and blame *yourself* for it.
Re:He should be (Score:2, Insightful)
i really don't think ms has ever deliberately released a product that they themselves know will be exploited, so this is not intentional on their part and therefore i don't think you can say they are allowing it to happen.
negligence maybe but that would probably be difficult to prove.
also, they are fixing the problems, maybe not fast but they are doing it.
i would say if anything the coastguard holds more responsibility for using an unsuitable OS and software for the job. them and of course the virus writers.
Re:Bad Admins (Score:5, Insightful)
In reality, companies have selected Windows after being told that its administration is much easier than for competing systems. Admins only need to know which buttons to click to setup a new system. In-depth knowledge about the underlying principles is often not available, with the excuse that it was supposed to be unneccessary.
In the end, it may be better to install a system that is a bit more difficult to administer, and thus avoid the administration by unqualified personnel.
Re:Sasser FUn! (Score:3, Insightful)
Or try this: According to Microsoft 1.5m users downloaded the cleanup tool via Windows Update. This does not include users that cleaned off their systems via a third party tool from an AV vendor of course. At 10min/infection that's 15m wasted minutes or about 28 *years* of people's time wasted - and that's probably a conservative estimate. Tell me again why the current sentencing guidelines for computer crimes are too harsh...
Re:The real question is (Score:5, Insightful)
If their Coastguard's mentality is anything their American counterpart's I can think of a damn good reason why this happened. *Support contracts*. Legendary documents written in stone that require that a specific agency do all maintance and repair of their PCs. Dispite the fact that the operator is more then able to click on the reccomended patches, doing so could get you into alot of trouble. Your not going to trust your military's computer system to enlisted folk, and chances are the officers are not aware of preventive measures. Those who are assign such tasks to contract companies.
Taking these matters on your self opens you up to a whole bunch of no fun, such as the military justice system. So one learns it's not their job... nothing will ever get done about it... and hope one's tour of duty is up reall soon before you go insane.
Re:virii are a fact of life (Score:5, Insightful)
Or, even better, ship Windows with a piece of software that does that automatically? Oh, wait, they already do that...
It needs to be said again: YOUR COMPUTER IS YOUR RESPONSIBILITY! The patch for this one was available for some time (a month or so). You can't pin this one on Microsoft any more than you can blame the car manufacturer for car breakdown after you missed your scheduled service.
Isn't it about time to start introducing fines for people who propagate worms and viruses? Yes, fines for getting your machine infected. It's illegal to drive a malfunctioning car, why should it be legal to operate a malfunctioning computer? Both are a danger to the public.
Re:He should be (Score:3, Insightful)
It's not so simple as 'microsoft is accessory to manslaughter' though. I'm sure the Microsoft EULA says it's not for use in safety-critical applications. People need to "vote with their feet" and switch to other products if they want secure systems, then MS may address the problem.
Re:The real question is (Score:5, Insightful)
Salesmen and ethics (Score:5, Insightful)
This is the right time to promote it, and the positive aspects compared to the current solution. You will likely have an easier time trying to point out some of the flaws with their current situation.
Re:He should be (Score:2, Insightful)
we should be (Score:5, Insightful)
A solution to this problem has been around for weeks now, yet one or more of these system were left unpatched. So yeah, the virus writer surely bears some responsibility, but then again so does the coast guard. And even if an MS OS did not exist at all and these folks had been running linux, if there were a similar exploit floating around in the wild would the admins who left this door open have fared any better then?
You can't hold MS responsible for the incompetence of the coast guard admins. Yeah, their software had an exploit - but they also had a solution available and it's not like this was any kind of secret. I hate to be this trite, but it's appropo here to remind everyone what "mama" always said: stupid is as stupid does...
Re:He should be (Score:5, Insightful)
Sadly, though, people still insist upon hounding the easy target. Look at the plight of the tobacco companies. I smoked for ten years, and let me tell you: I never met a smoker who did not know that smoking was bad for them, even potentially fatal. Unfortunately, once they've succumbed to the big C, their survivinng heirs go nuts and sue everyone remotely connected with their deaths.
This is true in aviation, too...half the price of a new plane just covers the manufacturer's liability insurance. Surviving heirs seem to insist upon driving another nail into their dead spouses' favorite hobby whenever the poor slob augers in.
How the gun companies have managed to, ahem, dodge the bullet in this regard so long is beyond me.
Anyway, I think it's obvious that you cannot have a completely secure OS unless you bury it in a box somewhere and don't let it talk to anybody. Fat lot of good it would do anyone then.
String the little vandals up, they deserve it. I think most of these little punks do it for the power trip, anyway (Dude, we shut down the Eastern Seaboard power grid, huh, huh). Let them have a little taste of the responsibility that comes with power.
Maybe we could lock them in a little room with a bunch of REAL worms...
Sue Microsoft (Score:1, Insightful)
They have more cash to settle this than the virus writer. Obviously they do not want to have this kind of "using Microsoft products kills innocent people" cases fight out in court with a lot of publicity.
It's not a question of who is guilty - obviously the virus writers intention was not to kill people by disabling coast guards system, the network admins did not mean this to happen by leaving their systems wide open and Microsoft did not guarantee their OS to work in critical situations like this. The world would be better place with less stupid lawsuits, but if you are still going to sue someone, sue the one with most cash
Re:He should be (Score:3, Insightful)
In assuming security is the responsibility of the OS company, then yes, they are selling you an inferior part (which you still bought). However, I know we have insisted that it is their responsibility, but the question is: is it really?
Why exactly is it incumbant of the provider to include state of the art security when third party security programs are available? Why can't an OS company focus on its core business without branching into crime prevention?
And, with alternative operating systems available and the track record of MS insecurity, then why don't people make the switch over to another system if the OS they currently use doesn't live up to their expectations?
Yeah but the difference is ... (Score:2, Insightful)
Re:He should be (Score:5, Insightful)
However, this isn't another situation and, if their machines had been properly firewalled (can someone please explain to me why any ports other than those for servers running in a DMZ should be visible over the net, because I'll be damned if I can think of any) they wouldn't have been infected. Hell, if they had zonealarm running on all the boxes they'd be safe even if they don't have a decent firewalls between their LANs and the net.
Yes, Microsoft isn't without blame (maybe if they made patches that didn't crap all over your machines life would be better) but in this case sloppy admins have struck again.
Re:He should be (Score:5, Insightful)
Okay, so the Free Software folk invariably have patches out within hours of an exploit being discovered, but this hole has already been patched too.
The onus is on the virus writers (and Script Kiddies etc) who write malicious code and to some degree on people not maintaining their systems.
Not locking your front door doesn't give you the right to blame the door-making companies when you get burgled. You can still blame the burglars, but you're out of luck if you claim insurance since it's your own fault.
It's different if there aren't any patches, and I'm well aware that Microsoft have their problems and need to be more secure, but I still stand by my judgement that they can't be held responsible for every virus outbreak that happens!
Re:Overexagerrated (Score:2, Insightful)
However, as part of the procedure for locating vessles, they check them against paper charts.
Looks like they didnt trust PCs to start with. Now they've been proven right.
Re:The real question is (Score:3, Insightful)
There is a UK Coast Guard service. But this is a comparativlely small organisation which monitors radios traffic for distress calls, does traffic management on busy shipping routes and coordinates search and rescue operations.
The actual rescue is usually done by the RNLI which has boats manned by volenterr crews and is funded as a charity, or, if anything airborne is required it is supplied by the airforce, (additionally police, fire brigade etc. may be called in).
The actual effect of the outage doesn't seem to severe as computers are not extensively used. Radio and telephone being perfectly adequate to coordinate this sort of stuff.
Natja (Score:3, Insightful)
I think the bigger issue here is why systems like this, even relatively non-critical ones like the UK Coast Guard's mapping system, are running Windows. I would think that an organization like the CG would be able to get their vendors to develop applications for whatever OS they were running. Agencies set some criteria and contractors meet said criteria. If they were running say Linux I don't think it is far fetched to believe that some contractor would be able to develop the required mapping software for it. The CG might be running COTS software that runs only on Windows but I don't find that likely. I'd welcome an answer however.
Windows is known to be an extremely insecure system despite Microsoft's claims. While Service Pack 2 might magically fix all sorts of problems it is not available to end-users yet. Those magical fixes don't mean much to the here and now. It looks as if Windows' vulnerabilities are costing companies quite a bit of money and eating into their bottom line. I would have thought by now Windows would be on its way out the door in many organizations since their competition such as it is can do many of the same tasks either cheaper or more reliably.
Re:Wrong (Score:3, Insightful)
If they didn't have an admin. Managment would still be potentially liable (negligence of not having a competent admin), and civil liability would not be diminished.
Re:He should be (Score:5, Insightful)
Whether or not my neighbor is to blame for having been robbed (which I don't believe he is), the point is: if my neighbor's computer is hacked and starts to attack mine, that's when we start to have a heightened sense of his responsibility in the matter.
Stop Blaming the Victims of Microsoft's Fraud (Score:5, Insightful)
I find this propensity for blaming the victim to be very disturbing. Microsoft has been fraudulantly representing their system as both stable and secure, just as they have been fraudulantly representing their system as less expensive than their competitors' products (GNU/Linux, OS X, *BSD, etc). This is a matter of public record
Now, one can argue that the technical staff of the coast guard should have known better (so too should every victim of every fraud perpetrated), but the fact that they didn't is hardly negligence on their part, when their vendor misrepresents their product's security on a daily basis.
I can't belive that people who put together systems that perform life critical functions cannot be held liable for the choices they make
I dont think the OS choice is relevent.
Clearly the data do not support this. Mac OS X is demonstrably more secure than windows, both systematically through an architectural analsys, and through historical emperical data (number of exploits, timeliness of patches, effectiveness of patches, etc.). Ditto for the various flavors of BSD, ditto for Linux, ditto for IBM's various mainframe operating systems, and the list goes on.
Clearly, as the underlying architect and definition of a system's security design, policy, and implimentation, the operating system is the single most relevant design choice one can make.
Its the setting up of a system that is exposed to the internet. Systems on which peoplses lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.
That is unrealistic. Systems which are networked together can save lives. A ship is in trouble and automatically reports its position for rescue, allowing the crew to get on with the more immediate task of not drowning. A hospital computer notes a patient's decline and automatically notifies other systems, which notify the appropriate physicians and medical staff. Proper implimentation is critical, of course, but the "cut the cable" solution is nonsensical, particularly when reasonably secure alternatives such as Linux, Mac OS X, and *BSD exist and are well proven.
The worm writer, and Microsoft's fraudulant representation of their operating system as stable and secure, are the primary culprits in this fiasco. It is time we stopped blaming their victims, and held the perpetrators responsible instead.
firearms manufacturers..... (Score:5, Insightful)
The big problem is software got a compoletely 100% "free ride" in the beginning, it was allowed to be sold with zero warranties, I guess to get the business off the ground or something. Or maybe... I dunno, can't think of a good reason really. They just slap got away with something no other industry has as far as I know. You can't sell a 1 cent stick of gum without it having actual and implied warranty to it.
This deal was way back when it first really took off (I really need to research this now,it's gonna bug me why they got such a sweet deal), now it's been decades. DECADES. Untold hundreds of billions of dollars in pure profits. Huge numbers of wealthy people and businesses involved with it. It's "mature" now. Time to insist on "profitable" software to have warranties, and hold the manufacturers liable for obvious defects. They have "Get out of any Responsibility" EULAs, but still "enjoy" full ME ME ME IT'S ALL MINE MY PRECIOUSSSS protection "under law" for "Intellectual Property" and make tons of cash, well, that is teh obvious suck now and ayone can see that.
It's one or the other, if the software makers want to treat electronic digits as some sort of extremely valuable commodity product, with PATENTS on it even, which they sell at a very, very good profit, they need some sort of a minimum consumer warranty applied to them, or strip them of their profitability, one or the other. Enough's ENOUGH on the free ride they get. The software industry is "mature" enough to treat those business people as normal adults, same as anyone else in any other industry.
We NEED a class action suit in general against free ride EULAs across the board for for-profit software, and it needs to go to the supreme court and be won.
I am surprised as all get out with all the other litigation that goes on in our society that a set of profitable businesses who have gotten hosed over and over and over again by these obvious defects haven't challenged those EULAs as being absurd and illegal in the first place. Name another industry that would dare to put out such a "contract" for consumers and have it accepted. It's quite absurd, they'd be laughed at, but "software" is now the biggest example of legal "conware" there is.
And YEP, I could care less if it meant that "releases" slowed to a crawl, wouldn't bother me one bit or byte. Consumers want quality, few if any defects, they just been faked out that crapware is "good enough" and the industry as a whole has all colluded to profit off of crap and conware. It's just plain stupid, and ethically wrong. We can see now that software is so "embedded" in our society that you can't really say now that "no one is effected" when defects show up. it can get downright dangerous, and it certainly costs consumers tons of cash to keep fix and repaired stuff that shouldn't be shipped broken in the first place. We need less patches, and more "it don't need to be patched" software
Re:He should be (Score:5, Insightful)
As with most of the EU you cannot disclaim liability for death and some forms of injury, whatever you write on the license. (Nowdays "Not verified for use in safety critical systems" seems to have become an accepted way of ensuring the liability lands on the user though).
Considering the car analogy
You can be liable if you make a car with dodgy
brakes (unsuitable product, forseeable that it will cause an accident)
You can be liable if you knowingly drive a car with bad brakes (because its forseeable that this will cause an accident)
and you are most definitely going to get into trouble if you empty a bucket of oil over the road surface (aka writing the worm)
Re:American mentality? (Score:2, Insightful)
The worm writer is responsible for damages caused by their disabling any system they target. Just because they target the world doesn't excuse them from the smaller impacts.
No, the great bulk of shashdotters don't write and distribute malicious code.
Re:Safety Critical Systems (Score:4, Insightful)
Back to the issue of using the right tool for the right job. In many situations no "Off The Shelf" ("Commercial" or otherwise) is suitable.
From an engineering POV an Open Source System is more likely to be a good tool, even if you use some standard package/distribution as a starting point. Since you can then verify that it does what it should do and only what it should do. (A lot of malware involves use of unneeded "features".) Something which is very difficult with proprietary software since you need to take things of trust from the vendor and virtually impossible with something like Windows. Which in addition to being proprietary software contains deliberate "sphagetti code".
Re:He should be (Score:3, Insightful)
What if the door company advertised their doors in a way that led you to believe that the door was locked when a design flaw meant it wasn't? And when the design flaw was pointed out to them, they mentioned it with a free fix on their website, but did nothing else? And a hundred thousand people were all robbed on the same night? In meatspace, people would be screaming for blood. I think the admins may have also been at fault here. But as someone else pointed out, what if they were still testing that patch?
Re:No - the Coast Guards IT department is at fault (Score:3, Insightful)
OK so it was a worm which took down the systems this time which is something you can protect against but at the end of the day you shouldn't rely on any computer system without a manual backup process ( if it is possible to implement one ) which can take over for safety critical work. Computers are complex things and can fail for a huge variety of reasons some of which should be preventable ( in this case ) and some which aren't reasonably preventable.
Re:I blame 'Microsoft only' consultants for this. (Score:3, Insightful)
If you're talking about your home network, yeah, I guess that's okay--but in a business environment (which is what you're talking about, since you mention armies of MS only consultants) what happens when your road warriors VPN in, and infect your ENTIRE FUCKING NETWORK because you thought that a simple NATing firewall was "good enough" security, and didn't bother to patch your boxes?
Don't get me wrong--what you suggest will reasonably protect you from quite a few threats--but it's NOT the panacea you make it out to be.
Re:He should be (Score:3, Insightful)
Caveat emptor if you will.
Re:Safety Critical Systems (Score:2, Insightful)
The bank offices were closed; they did not do business. No data was lost but the customers were not given service. No good.
Hogbert
Re:we should be (Score:3, Insightful)
That almost sounds like a real argument, it is not.
Both MS and those admins are responsible. MS for knowingly selling an unsafe system, and the admins for knowingly using it.
That MS systems still listen to the entire world on a whole variety of different ports is a huge part of the problem, and it not comming with a product like ZoneAlarm by default to at least mitigate the problem a bit is really a very significcant part of what makes worms like sasser go well.
The impopular platforms don't get targetted argument is old, and if you'd just take a peak at the insane amount of malware for the Amiga platform, you'd see how stupidl;y wrong the argument is proven to be by reality.
THe only partial truth in your argument is that the admins are aslo to be blamed.
Re:we should be (Score:3, Insightful)
Just wanted to point out that in this case, the system admins that didn't patch the MS OS probably wouldn't take the time to update their OSS either.
I agree that most OSS is more secure, but if admins don't do their part, the system will be vulnerable no matter what OS or application is used. That being said, MS certainly keeps admins busier than other OS's. I find updating my UNIX systems (Solaris and IRIX) much simpler than my MS Win32s (although sometimes patching a single MS Win32 system can be easier than a single UNIX box but for labs or remote locations, UNIX is definitely easier).
Re:we should be (Score:2, Insightful)
If the person doesn't make the repairs....
Re:The real question is (Score:4, Insightful)
You turn on the services.
The real point is that no outside software can do anything bad to a Mac machine by default, because no ports are open.
If you turn a service on, then you KNOW IT IS ON, and you KNOW YOU NEED TO CHECK IT FOR SECURITY.
We're talking consumer client OSs. The vast majority of the users never turn anything on (and by default, never get a worm).
Imagine if Windows took that same philosophy...
In general, I am perfectly happy for even server machines to be shipped with only those ports open that I manually specify, or turn on myself. It's secure by default, services on demand, not unadministered services by default. The latter is insanity in today's networks.
Re:we should be (Score:2, Insightful)
Therefore, the damage would've been quite limited - sure it could've hosed the guy's home directory and stuff he'd been working on, his preferences, etc. But it wouldn't have taken out vital operating system stuff.
Solutions (Score:5, Insightful)
MS has a "windows update" feature. It doesn't take a genius to enable it. Now, granted this feature can cause headaches if you have a large number of systems to update, but you can also perform similar processes under your own control (if you are an admin) and yet this wasn't done. Turn off all those ports? It doesn't take a genius to download the shavlik lockdown tool linked to by MS itself that will "audit" your system and close any unused ports. It also doesn't take a genius to click to e-eye for an external audit.
There are so many ways to fix these systems it's nuts. Yeah, they require a tiny bit of effort - one would think that's why the British taxpayers pay these administrator's salaries.
I'm no shill. I run both windows and linux, although I've been using windows a LOT longer and am, therefore, more able to exploit it. So are a lot of people, which makes it that much more vulnerable. And yet my own linux firewall was hacked one time because... tada... I was running a version of Smoothwall, didn't know the distro or what I was doing, and in the setup config the SSL port was left open and the service running and no explanation was made of the significance of this. As a result my "firewall" was owned within days, zone alarm disabled on one of my (unpatched) windows boxen, and (in short) the entire network became owned. I migrated to IPCOP then reloaded and patched the windows box, just a little wiser and smarter.
Just as so many here are fond of saying "slashdot doesn't have just one mind" I'll remind others who are dumping on MS over this there have been and are plenty of linux distros, and not all of them uniformly secure or stable "out of the box."
Holding the software maker responsible for something like this is as stupid as holding the coca-cola company responsible when some idiot pulls one of their vending machines over onto himself. Would you be so quick to call for heads on a stake if this were a network of Redhat boxes? How about a few dozen Suse desktops? It doesn't matter what OS you are using, problems like this almost always come down to one thing: PEBKAC.
Re:we should be (Score:2, Insightful)
No, it's like the argument "Well, if you don't make sure you check your tire pressures regularly and they go flat, you might end up with a blowout".
It's not hard to install patches (perhaps by using SUS or similar), or to get a firewall.
Re:we should be (Score:3, Insightful)
If by "tires" you mean H-rated radials, and by "high speed" you mean over 130MPH, then that's all your fault. Most passenger cars ship with H-rated radials, and most car makers try to pervent such situations by providing 130MPH or less spedometers (the psychological barrier), or installing 130MPH speed governors (the physical barrier).
Still, with all this, you could potentially push your car over 130MPH and have a blowout, and it would most certainly be your fault. Now, if you had a blowout at 125MPH on the other hand...
Re:Solutions (Score:3, Insightful)
If that is all so easy, and MS is aware of it, why don't they solve the problem by locking it down before selling it?
The problem is that anyone who is selling a product that is claimed to be internet ready, and didn't properly lock it down, is simply lying, their product is NOT internet ready.
MS has known this for a decade now, and ignored it. During the same time they tried buying their way into the server market with the low cost administration argument, based on needing lower skilled administrators and it all being made 'easier'.
Don't get me wrong btw, it is good to make things easier and to try to reduce the cost and time aspects of administration. It is utterly wrong to say you did so, give every impression you did so to the casual viewer, and then turn out to have made things more expensive and time consuming, and also having ensured companies no longer employ people skilled enough to deal with it.
Its simple, security requires people skilled in securing things. Requirements for the average home user are relatively low, and can often be provided for by standard solutions (door/window locks, alarm systems and so on for physical security of the house, a limited set of security features for the computer) and there exists no level of security that will prevent every possible problem.
IF MS would stop today with giving the impression that administratign and securing a corporate network or large network of small users (like the average isp) is simple, I'd stop putting that large a part of the blame on them. Of course they'll also need to cange their policy to a disable everything by default unless the user asks for it and has been informed about the security consequences.
As you sated correctly, not every OSS product is immune from this either, and I'm personally not very fond of smoothwall, or any of the linux based firewall packages for that matter. When I want a firewall I want either OpenBSD's pf or FreeBSD's ipfw2. On top of that, I want NO gui management or remote management of such a firewall product by default, and untill I go delve into the system to change things, no management ever using the outside port. That means no listening services whatsoever, and to get services listening on the outside port should require sufficient knowledge of the system first.
You amke me wonder btw.. WHAT ssl port was left open? SSL is usually used to encrypt/decrypt and sign the trafic for another service such as a http server. I assume in your case there was a webserver with ssl listening on the outside port?
At any rate, for a home user, get yourself a simple firewall box that simply doesn't do anything more then that, and in most cases it should be enough. It wont listen to the outside world, and it also wont allow too much flexibility that usually just results in messing up stuff
If you want the flexibility, go get the knowledge to use it or don't expect security.
as stupid as holding the coca-cola company responsible when some idiot pulls one of their vending machines over onto himself.
No, it compares to Coca-cola putting vending machines out there of which they know then when not maintaining them for 2 hours/week, they'll blow up on random customers, or spray them with cola, or cause any other random effect.
I'd understand your comparison if this was a matter of MS making casual mistakes while having a generally healthy design. They don't have a healthy design, and have known so for at least a decade and didn't fix it. You really think Coca-cola would even be in business if they ignored such problems with their products for a decade causing comparable damage?
Re:we should be (Score:3, Insightful)
Blame the writer for writing the virus, agreed, and you are right on that one.
Blame MS for unknowingly creating a system that makes it so easy to infect thousands of computers over a shared network and then for over a decade knowingly not fixing it and yet selling it as being secure, why do you have such trouble with that?
It is not the first worm/virus that happens to them, not the last either I'd bet, and they still take years to address simple and very clear problems in their design that causes this.
Blame system admins for not being knowledgable in what should be their area of expertise, what is wrong with that?
When a burgler enters my house because the lock in the door didn't prove a problem at all while the company that sold it guaranteed it to be upto all modern standards concerning its security... Sure I'll blame the burgler and hope he'll get caught and such. I'll however also blame the lock manufacteror for 1. providing me with a lousy product, and 2. lying about their product specifications. I may even blame the maintenance guy for not installign and maintaining it properly.
Re:He should be (Score:3, Insightful)
Even a year ago and before, distros (certainly Mandrake) would often end the installation process by telling you what services would be active at boot-time, and were you sure you wanted them to be?
That was often where I'd turn off anything (insecure or otherwise) that I didn't want running.
Why can't Windows do something similar?
TiggsRe:He should be (Score:3, Insightful)
Well, it is grey area. ;) I was responding more to the "I hate Micro$oft, they must be hung from the highest tree!" mentality than anything else.
There's plenty of blame to spread around, here. As other posters have mentioned, the sysadmin who installed Windows on these machines without taking preventive maintenance steps is to blame, as well as the person who made the purchasing decision to put Microsoft Windows in this installation, and also the virus writer himself.
I like some of the other analogies given, actually. The situation is more like a car manufacturer who makes a car with doors that appear to lock, but in reality don't lock. In that case, this situation is analogous to such a car that has been widely reported on not working, no consumer groups rising to defend consumer rights, so the car continues to be produced with its flaw. A buyer, probably not being able to avoid the news, still buys the car. POssibly not being aware of a recall being issued, he continues to depend on it for his business, and then whammo. The virus writer comes along and opens the door and sets fire to the interior.
It's too easy to just blame Microsoft, but I'm not saying they don't get any blame. Just make sure it gets spread around to all accountable parties, that's all. ;)
Gun Companies (Score:3, Insightful)
How the gun companies have managed to, ahem, dodge the bullet in this regard so long is beyond me.
Lots of $$$$$, which buys them plenty of puppet congressmen. Just look at the power of the NRA.