The Cost of Computer Naivete

wiredog writes "What happens when you put an unprotected Windows 98 box on a broadband connection? Two perspectives from two reporters for the Washington Post (frr,yyy): The User's "an odyssey that has taken $800 and roughly 48 man-hours over nearly three weeks" and Digital Doctor's "Her PC was in such bad shape, it required 10 1/2 hours of surgery to restore it to working condition.""

  • Re:reg only? (Score:4, Informative)

    by Vacuum Sux ( 654207 ) on Monday August 16, 2004 @10:39AM (#9980294)
    It's said "Washington Post (frr,yyy)" Free Registration Required, Yadda Yadda Yadda.
  • by ellem ( 147712 ) * <{moc.liamg} {ta} {25melle}> on Monday August 16, 2004 @10:42AM (#9980339) Homepage Journal
    10.5 hours to run:

    C:\>fdisk /mbr

    And reinstall W2K?

    Damn that tech was milking it.
  • Hard to believe! (Score:4, Informative)

    by callipygian-showsyst ( 631222 ) on Monday August 16, 2004 @10:43AM (#9980351) Homepage
    Her PC was in such bad shape, it required 10 1/2 hours of surgery to restore it to working condition.

    C'mon now! If running Spybot S&D and Microsoft's own repair process didn't fix it, you could have just reinstalled Win98.

    Total time, 2 hours MAX!

  • Bull (Score:1, Informative)

    by Jozer99 ( 693146 ) on Monday August 16, 2004 @10:47AM (#9980417)
    I run a computer repair service for home users. I routinely see 98 and Me machines that have been on broadband with no protection (hardware or software firewall) for months. I do not know what kind of surgery these people performed to fix these machines, but short of taking a microscope and tweezers and flipping all of the bits on the hard drive over, there is no way it could take 8-10 hours. When I encounter a machine like this, the operating system is composed of more infected files than non-infected files (ok, more non-Microsoft infected files than Microsoft infected files in the case of Me). Virus scanning is usually impossible due to system stability, and getting rid of the viruses does nothing because there are so many it takes most of the system files with it. I usually just tell people to back up as much as possible, boot with my trusty DOS boot disk (try doing that with a USB drive on older computers), reformat and reinstall. The whole process takes maybe 4 hours on a 400 MHz machine, not 10.
  • by garcia ( 6573 ) * on Monday August 16, 2004 @10:48AM (#9980428)
    To be fair, if you installed a stock version of Slackware from 1996 on the net, without a firewall, you would be subject to known exploits either in the kernel or the userland programs that were included in the stock distribution.
  • by frankie ( 91710 ) on Monday August 16, 2004 @10:48AM (#9980436) Journal
    Sheesh, here at the office, if IT is called to disinfect a PC, we'll spend maybe an hour to twiddle with SpyBot, RegEdit, etc. If it isn't clean by then, we fdisk the beast, reinstall from master image, firewall, windows update. Way less than 10 hours.
  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Monday August 16, 2004 @10:48AM (#9980437)
    Comment removed based on user account deletion
  • Re:Mantra (Score:0, Informative)

    by Anonymous Coward on Monday August 16, 2004 @10:52AM (#9980490)
    That should read "fdisk, format reinstall ..."

    fdisking a drive you just formatted creates a waste of time. Examples are left as an exercise for the reader.
  • The fact is... (Score:5, Informative)

    by jb_nizet ( 98713 ) on Monday August 16, 2004 @10:59AM (#9980596)
    It's now a major pain to install a windows system from scratch, using the original CD.
    You now have to
    - think about getting the latest service pack first
    - think about getting a firewall with its license key (love it when the firewalls ask to be registered before working, and need an internet connection to be registered!),
    - think about getting an anti-virus (same story)
    - then install the system (disconnected from the network, of course, so forget about "configuring an internet account" during the install)
    - install the service pack
    - install the firewall and the anti-virus and make sure that they're running
    - go to windows-update and patch your system
    - start to play.

    This is an impossible task for 99% of the regular windows users, who don't even know what a firewall is and how to configure it. There have been improvements in the installation process of OSes and applications, in order to make it possible for reg. users, but all these efforts have been ruined by virus and worm writers.
    And I'm not even talking about spyware, adware and spam...
  • by stratjakt ( 596332 ) on Monday August 16, 2004 @10:59AM (#9980598) Journal
    I know what it installed by default. It installed your ethernet, brought it up, installed telnet, brought it up, and left you to log in with NO ROOT PASSWORD. That's the uber-secure linux of the past.

    Install that old slackware while connected to broadband, and if you decide to take a coffee break before logging in and setting the password (or if you forget to do it, or miss that line item in the install instructions), you're fucked.

    Hell, those were my Uni days. We'd have a ball in the computer lab watching the one TA (total stereotype smelly bearded hippy geek with a bad attitude) install some new linux terms, and we'd race him (and beat him!) every time to log in as root and do various stupid things.

    Hell, I'd wager on 7 out of 10 student machines on the campus net never did get a root password set.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday August 16, 2004 @11:09AM (#9980723)
    So, you talk to someone who's having problems with her Win98 machine on a broadband connection.

    #1. Advise her to go out and purchase an inexpensive hardware firewall.

    #2. Advise her to go out and purchase a decent CD-rewritable burner and a few rewritable CD's.

    #3. Backup all of her data.

    #4. Wipe the drive and partition it into 3 segments. OS/swap-n-temp/data.

    #5. Re-install the OS and apps. Patch. Configure. Google toolbar if she must use IE. etc. Anti-virus set to auto-update every hour and auto-delete infected files (see #7 before you start screaming).

    #6. Copy her data back to the machine. Make sure it is in the data partition.

    #7. Show her how to backup the data partition onto the rewritable CD's. Inform her that her hard drive WILL fail sometime in the future and that this will keep her data safe from that.

    These are the basic steps whenever I'm asked to fix someone's computer. And it does not take 10.5 hours. Like you said, 1.5 hours tops.
  • by moonbender ( 547943 ) <moonbenderNO@SPAMgmail.com> on Monday August 16, 2004 @11:24AM (#9980917)
    Both 2000 and XP have a command line application called netstat - I'd have thought it imitates the GNU netstat...? It certainly was useful to me a couple of times.
  • by maximilln ( 654768 ) on Monday August 16, 2004 @11:38AM (#9981085) Homepage Journal
    Both 2000 and XP have a command line application called netstat - I'd have thought it imitates the GNU netstat...? It certainly was useful to me a couple of times

    It's pretty useless without process tracking. Sure I can see all the connections, so is that connection to that odd numerical IP from the latest banner ad/popup or is that a trojan?

    Right now, as I look at the netstat list (-a 1), I see about 12 entries that I can't identify and I have no chance of ever tracking what on the system is causing them.

    Netstat never shows any connections when I use Wordpad.exe, but the TCP and IP byte counts both go up.
  • by airConditionedGypsy ( 703864 ) on Monday August 16, 2004 @11:42AM (#9981125)
    There is an application called fport by Foundstone that adds this capability.

    And I think XP and W2k3 have the -O option (or -o, I can't remember) that allows a PID to be reported also.

    Despite the existence of this utility, it is the fact that it is 'hidden' ... the typical user has no way of knowing what their box is doing with reference to the net (and the new networking tab in the task manager is a start, but people have no frame of reference for what is normal).

    It's really a user education problem, not a technology problem. The capabilities are (now, at least) there.

  • Re:Slow computer! (Score:4, Informative)

    by Chuck Bucket ( 142633 ) on Monday August 16, 2004 @11:48AM (#9981195) Homepage Journal
    I know, I know, don't feed the trolls, but if more ppl would read things like this: Dispelling the myths of Gentoo Linux, an honest review [lxer.com]: more ppl would know what they were talking about in regards to Gentoo.

    Oh, and CAN WE GET A GODDAMN GENTOO TOPIC ICON ON /. PLEASE!

    CVB!@#$%^&*()
  • Making ghost images (Score:5, Informative)

    by Alioth ( 221270 ) <no@spam> on Monday August 16, 2004 @11:48AM (#9981204) Journal
    You don't need any stinking non-Free software to make ghost images.

    Here's how you do it:

    0. Set up a recipient (either a second hard disk, a machine on the network - whatever - I do it over the network)
    1. Boot Knoppix on the machine you want to ghost.
    2. Mount the destination.
    3. dd if=/dev/hda bs=128K | gzip > /path/to/image.gz

    To restore:
    0. Set up the source.
    1. Boot Knoppix on the machine you want to install.
    2. Mount the source.
    3. gzip -dc /path/to/image.gz | dd of=/dev/hda bs=128K

    Tips: Overwrite any free space on the machine you want to ghost with a huge file filled with 0x00, then delete the file. The disk image will compress much better as you've scrubbed the deleted files.

    I use a system like this to ghost many machines at a time (an image server can easily deal out 30+ images at once). It'd cost a fortune to license many copies of ghosting software - with Knoppix and a very small shell script, I've got an automated system which will do many machines at once. (A typical 40GB fresh WinXP install with our apps compresses to under 1GB with gzip).
    If you're doing WinXP, remember to either make a Sysprep build or use something like Sysinternals' free (open source but not truly free) tool to change the SID and hostname of the machine when it's booted the first time. (This is the approach we use due to the limitations of sysprep).
  • by Apathetic1 ( 631198 ) on Monday August 16, 2004 @11:51AM (#9981242) Journal
    I suspect those were worm requests (W32-Nachi tries to overflow the buffer that handles SEARCH requests in IIS), rather than a particular person attempting to 0wn your webserver. I had to start filtering the request strings out of my log files because they were filling up the /var partition every two weeks.
  • by Anonymous Coward on Monday August 16, 2004 @11:52AM (#9981252)
    -b Displays the executable involved in creating each connection or
    listening port. In some cases well-known executables host
    multiple independent components, and in these cases the
    sequence of components involved in creating the connection
    or listening port is displayed. In this case the executable
    name is in [] at the bottom, on top is the component it called,
    and so forth until TCP/IP was reached. Note that this option
    can be time-consuming and will fail unless you have sufficient
    permissions.
  • by sw155kn1f3 ( 600118 ) on Monday August 16, 2004 @11:56AM (#9981287)
    you obviously have non-standard netstat...
    standard is:
    netstat -o
  • by Phil Wherry ( 122138 ) on Monday August 16, 2004 @11:57AM (#9981302) Homepage
    I saw this in the Washington Post yesterday and thought it interesting enough to send the reporter (Kathleen Day) a note, which follows, summing up my thoughts on the matter. I haven't heard anything back yet (and I don't necessarily expect to).

    -Phil

    Ms. Day:

    I find it absolutely fascinating that problems such as the one you encountered are treated primarily as a user education issue. It's true that there are some things that everyone needs to know in order to use a computer. It's also true that savvy users can often avoid security mistakes. But one wonders, "Why is it that users *have* to be security-savvy in order to effectively use their computers?" I'd submit that the problems you wrote about are mostly the result of design flaws and not naivete. In many ways, I think the computer industry has set the bar far too low by blaming users for problems it has created. Put another way: what would you think if you had a car that would sometimes break down without warning if you drove it on the highway without first buying additional parts?

    As I see it, there are two design weaknesses that contributed to the problems that you wrote about. First, basically anything you do on a machine running Windows is done with full administrative privileges. In one way, this makes sense: you own the machine, so you should be able to do anything you want with it. The problem, however, is that this blind trust allows malicious software to do pretty well whatever it wants. Most other operating systems (Mac OS X, Linux, and Unix) require you to take some special action (usually typing a password) in order to install software or alter the operating system. While this can't prevent you from choosing to install malicious software, it makes it quite difficult to do so unknowingly. To stretch the car analogy a little further: people can't modify your car's engine without your knowing about it because you have to open to hood in order to reach it. Computers should work the same way.

    The second problem is that Windows doesn't make a strong distinction between programs (the applications that you run) and data (documents and the like). This makes several attacks a lot easier, as malicious programs can sneak onto your machine by masquerading as data when you are browsing the Internet. For most non-Windows operating systems, there's something that you have to do explicitly to say, "This is a program and it's OK to run it." If Windows has these protections, there still wouldn't be anything to stop someone from maliciously sending you data you didn't want--but your computer wouldn't be able to then run that data as if it were one of your programs.

    It's a mistake to say that anything is totally secure. There have been (and will continue to be) successful attacks on operating systems other than Windows, of course. But I think it's a mistake to think that Windows has so many (and such severe) attacks just because of its dominant market position. True, it's low-hanging fruit for those with a malicious bent. But it's also so much easier to attack Windows because of the way it's been designed.

    The very concept of a computer virus depends on both of these two factors. Take away the administrative powers, and the virus has little if anything to infect. Remove the confusion between programs and data, and it becomes much more difficult for malicious software to spread. Many regard it as unnecessary to run antivirus software at all on non-Windows systems. While I'm personally not sure that's a good idea, it does give one an idea of the relative security levels involved.

    I think these security problems may ultimately threaten Microsoft's market position. The bad design decisions that are part of Windows weren't made because Microsoft is dumb (quite the contrary: they employ a lot of very smart developers and architects). They were made for market-driven reasons. Lots of old software (dating back to old versions of Windows and the even older days of MS-DOS) simply won't run in a more secure environment. As
  • by Anonymous Coward on Monday August 16, 2004 @12:01PM (#9981352)
    -o is PID, -b is program name. It's netstat from Windows XP Pro SP2.
  • by Alien54 ( 180860 ) on Monday August 16, 2004 @12:09PM (#9981427) Journal
    He went down the merry path of trying to rescue the system in order to keep customer data intact. The story is typical of someone who is entering the fray without have their tools prepared in advance. The solution always looks easier than it really is.

    In his case, he needed

    • a CD with all of the relevant tools and updates
    • a windows boot disk with CD support
    • an understanding of the windows command line in order to copy a subset of these tools to a convenient folder on the hard drive from the CD
    • The knowledge to run these tools from Safe mode, and how to get there in the first place
    • Include in the subset of tools one that can fix the broken LSP setup.

      [LSP or Layered Service Provider is a piece of software that can be inserted into the Windows TCP/IP handler like a link in a chain. However, due to bugs in the LSP software or deletion of the software, this chain can get broken, rendering the user unable to access the Internet. Spyware is good at this, and some cleaners leave a broken LSP behind.

      With the correct tool, the fix takes seconds. Without the tool, you need to uninstall and re-install the winsocket, or else the same with the entire network support. Otherwise you fall into the trap this poor bloke got into.]

    Tips - I deal with this stuff all of the time. The best data on this stuff can be found in articles at spywareinfo.net - the forums are not bad either, although spywarewarrior.com also has good forums. Also good to have is this list of known rogue spyware cleaners [spywarewarrior.com], along with this list of Anti-Spyware Orphans & Outcasts [spywarewarrior.com].

    My current recommended free antivirus is Avast! Home Edition [avast.com], which is very low maintenance for the home user, and requires registration for the free license. It also protects a number of common Instant Messenger clients, as well as several common P2P clients. It is better than AVG in my opinion, and detects many trojans as well as spyware.

    You can get a system that is so hosed that it will not boot, not even into safe mode, even under XP. The solution there is to remove the hard drive, drop it into an external drive enclosure, and hook it up to another system where you can use scanning software to do a basic clean so you can boot in the original configuration. Once it boots you can install cleaners from safe mode, and then run cleaners from inside every user account.

  • by LetterJ ( 3524 ) <j@wynia.org> on Monday August 16, 2004 @12:21PM (#9981547) Homepage
    netstat -o

    gets you an extra column in the output with the PID right there. The -o option is listed right in the same list as the -a option you used in your example.
  • by CerebusUS ( 21051 ) on Monday August 16, 2004 @12:28PM (#9981618)
    Besides, the typical "mod parent up" post, can I recommend creating a BartPE boot CD with those tools you mention on it. Then you can skip the step of mounting the hosed drive in another machine.

    I used a generic BartPE disk this last weekend to copy a friend's data off a system that was so badly hosed it wouldn't let me log in.

    Nice stuff.
  • by vvg ( 240104 ) on Monday August 16, 2004 @12:38PM (#9981718) Homepage
    You can also use partimage [partimage.org] instead of dd. The advantage is that partimage does not copy unused areas.

    I also save the MBR and the output of fdisk -l separately.

    Beware that support for NTFS is still experimental.

  • by nine-times ( 778537 ) <nine.times@gmail.com> on Monday August 16, 2004 @12:41PM (#9981755) Homepage
    ...or try g4u [feyrer.de] ("ghost-for-unix"). It has images for both floppy and CD. It's small, simple, and free. It doesn't do everything, but what it does, it does pretty reliably.

    (I'm not the author or anything, but I find it a useful addition to my toolbox)

  • reinstall vs repair (Score:1, Informative)

    by Anonymous Coward on Monday August 16, 2004 @01:40PM (#9982440)
    I have been fixing machines for a long time and I know that most technicians say "well, it's messed up, let's just reinstall everything. I hope you have backups." This is simply a mistake, a lazy tech who doesn't feel like dealing with the problem, or an uninformed tech who doesn't know how to fix the problem. Also, it isn't so much a windows problem as it is a problem with other software. I have a win2k box that I use that has been hooked to broadband (although it is not currently) and it has run without errors for almost two years now and I haven't had to do a single reinstall or even a reboot that I can recall.
    The problem is in being able to remove the software that isn't working. If the techs in the story followed symantec's instructions for removal of antivirus products from the machines, then that is the first problem because I happen to know firsthand that those instructions are largely incorrect and leave a lot of registry keys untouched, which was probably why they were having issues with it.
    I have been able to repair most of the computers that I have fixed without a reinstallation of windows. The only time I'll reinstall is if something is highly time-critical, the person's software and settings are stored in their roaming profile, and I have a ghost image or a RIS image of the machine that is tested and ready to go. Otherwise, I'll do these things in this order: find the offending pieces of software and destroy them manually, run adaware and a fresh install of a current copy of an antivirus program that is different from the one they were using (antivirus.com has a free online scan that's pretty good), delete all unnecessary crap from the hard drive (temp internet files, recycle bin, temp folders, etc.), then install all current upgrades to windows (except xp sp2, of course) and upgrade all driver files. Finally, install a good firewall (like zonealarm) and antivirus program and then reinstall their software and give some instructions on where spyware comes from and how to deal with it.
    Newsflash, people: script kiddiez are not just going around and breaking into people's computers randomly. It does happen occasionally, but I have had dozens of people tell me that they were hacked and I'll check things like system logs and firewall logs and various other information, and of all the people claiming to have been hacked, only one of them actually was. I don't think that hackers (or crackers, as I prefer to call most of them) are to blame for as much as people give them credit for. It's mostly uninformed users and people who will install anything. Our solution here should be focusing on education of the core principles on which technology operates instead of a bunch of "how to do this" and "install this, you need it" without telling anyone what that stuff does. It's kinda like give a man a fish, he can eat for a day, but teach a man to fish, etc.

  • by Pootie Tang ( 414915 ) on Monday August 16, 2004 @01:45PM (#9982516)
    I've done this technique. Although I've abandoned ghost and do this now, it has some disadvantages.

    Ghost understands the filesystem which has some potential advantages. You can explore a ghost image file to see what's in it. I'm not sure how to do that with a dd image.

    The main thing is I don't think ghost even attempts to read unused sectors. Zeroing out and using gzip is better than not doing it, but still slower than simply not reading them. 40 GB drives comes out as 1 GB? That's a lot of wasted time reading and compressing those sectors. Back when I was using ghost I'd backup more frequently, now it just takes too long to do periodically.

    One tip, you can use the GPL Eraser [heidi.ie] program to zero out spaces on windows. It's more thorough than the "big zero file" technique. It will clear cluster tips and can also zero out the swap file (swap clearing is done by windows, but it lets you turn that feature on). Mainly intended as a secure delete, it requires minor configuration to write zeros.

    There are some linux tools that are more like ghost, but I haven't played with them. Last I looked NTFS wasn't supported very well. For now I just keep my windows partition small (10 gig or less) and use dd.
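The dd | gzip imaging procedure from Alioth's "Making ghost images" post, together with the zero-fill-then-delete tip that Pootie Tang's reply discusses, worked through as an added example (not code from either poster). It assumes a constructed 4 MiB disk file in place of /dev/hda so it runs offline; on a real machine DISK would be the block device and the "free space" would be scrubbed by filling the filesystem with a zero file and deleting it.

```shell
#!/bin/sh
# Added example: image a constructed "disk" file with dd | gzip, show how
# scrubbing free space shrinks the image, and verify a byte-exact restore.
set -eu

WORK="${TMPDIR:-/tmp}/ddimage.$$"
mkdir -p "$WORK"
DISK="$WORK/disk.img"       # stands in for /dev/hda (constructed, 4 MiB)
IMAGE="$WORK/image.gz"      # stands in for /path/to/image.gz
MIB=16                      # 16 blocks of 64 KiB = 1 MiB

# Build the disk: MiB 0 is live data, MiB 1-2 hold leftovers of "deleted"
# files (still on disk, still incompressible), MiB 3 was never written.
build_disk() {
    dd if=/dev/zero of="$DISK" bs=65536 count=$((4 * MIB)) 2>/dev/null
    dd if=/dev/urandom of="$DISK" bs=65536 count="$MIB" conv=notrunc 2>/dev/null
    dd if=/dev/urandom of="$DISK" bs=65536 seek="$MIB" count=$((2 * MIB)) \
        conv=notrunc 2>/dev/null
}

# The "huge file filled with 0x00" tip: overwrite what the filesystem
# considers free so deleted data no longer has to be read and compressed.
# Here the free region is known to be MiB 1-2, so it is zeroed directly.
scrub_free_space() {
    dd if=/dev/zero of="$DISK" bs=65536 seek="$MIB" count=$((2 * MIB)) \
        conv=notrunc 2>/dev/null
}

# Step 3 of the post: stream the whole device through gzip into an image.
make_image() {
    dd if="$DISK" bs=128K 2>/dev/null | gzip > "$IMAGE"
}

# Restore step: decompress the image and write it back with dd.
restore_image() {
    gzip -dc "$IMAGE" | dd of="$1" bs=128K 2>/dev/null
}

# Size of the current image in bytes (for comparing before/after scrub).
image_size() {
    wc -c < "$IMAGE" | tr -d ' '
}

# Returns 0 when a fresh restore is byte-identical to the source disk.
verify_restore() {
    restore_image "$WORK/restored.img"
    cmp -s "$DISK" "$WORK/restored.img"
}

run_demo() {
    build_disk
    make_image
    before=$(image_size)
    scrub_free_space
    make_image
    after=$(image_size)
    echo "image before scrub: $before bytes, after scrub: $after bytes"
    if verify_restore; then
        echo "restore verified: identical to source"
    else
        echo "restore MISMATCH" >&2
        return 1
    fi
}

run_demo
```

Scrubbing removes the incompressible deleted data, so the second image is roughly a third the size of the first; restore is verified with cmp rather than trusted.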
  • by runamok1 ( 742119 ) on Monday August 16, 2004 @01:50PM (#9982591)
    Why would a computer technician spend that much time trying to bring a box with windows 98 back from the dead?

    1. Find out what applications they use and make sure you have all cds and cd-keys.
    2. Make note of all hardware (especially ethernet card drivers) for driver purposes.
    3. Find out what email they use (all users) and all passwords and settings for all.
    4. Find their documents, images, mp3s, etc.
    5. Buy a new HUGE hard drive for $70.00.
    6. Partition new drive so the 2nd partition is big enough to hold all the data from the old HD.
    7. Copy data from old drive to new drive's 2nd partition using the image tools that came with the HD.
    8. Install a fresh copy of windows 98 on the new HD's 1st partition. Install firewall and antivirus software. Get updates. Install all the apps.
    9. Set up email, copy documents, images, etc.
    10. I would probably then try to make a copy of the new first partition to the old hard drive after wiping it first.

    Working your ass off to remove spyware that it takes 3 programs to "mostly" uninstall is a losing battle. This crap is insidious. Especially when you are dealing with a win 98 install that is older than 6 months or so. The spyware folks are well aware of ad aware et al. and are making serious efforts to not be detected, etc.

    Final notes. Several years ago I used to work for a company as a pc tech. We charged $79.00 an hour and the average virus call would take at least 2 hours. I hated taking money from little old ladies and families with teenagers. The REALLY depressing thing is that I spend a few hours fixing my friends' computers. Come back in a few months and they have crap on them again. Un-fing-believable. Are these @$$holes actually making ANY money from all this? Are they really going to benefit from observing my slashdot and p0rn habits? Or popping up vi@g@r@ ads for a healthy 29 year old? It just seems so pointless.
  • Re:Trying too hard. (Score:3, Informative)

    by eclectro ( 227083 ) on Monday August 16, 2004 @02:02PM (#9982748)
    For those that need to work in a windows environment, I recommend xxcopy [xxcopy.com].

    Print out the instructions for "disk cloning". Once you have done it once, it is very easy to do again. You can then make a "clone" of your harddrive install, so when Win98 turns to mush for one reason or another, you can reformat and re-clone. Best of all, you don't have to spend a dime for it and you get all the functionality of Norton's ghost.

    I have found that W98 requires a re-install once a year, and that there is no way around it. For those that haven't moved to linux yet, I highly recommend Xandros. While it does not come with the firefox browser, it is easy enough to install.

    I have told my entire family (and all those that they send to my door with their various MS "windows problems") that I no longer support microsoft windows operating systems, and will stop supporting microsoft apps shortly as well.

    By no means am I a linux fanboy. It's just a question of being practical. I can't spend all my time de-worming/reinstalling everybody's computer when a viable alternative is at hand now.
  • Re:Slow computer! (Score:2, Informative)

    by Crudely_Indecent ( 739699 ) on Monday August 16, 2004 @02:32PM (#9983155) Journal
    hey now, I could do a GRP install (binary packages) of Gentoo in less than 3 hours.

    I don't.....but I could.
  • by Exocet ( 3998 ) on Monday August 16, 2004 @02:36PM (#9983219) Homepage Journal
    Uhhhh yeah. Using DD when tools like Partimage are available is basically just silly. I have used Partimage most recently to back up a WinXP SP2 data partition (NTFS of course) and then proceeded to destroy it, recreate it and then restore the data via Partimage. No problems.

    In the era of 30 to 120+ GB HD's I do not have the time or patience to wait for DD to back up non-existent data unless it's for a serious (law enforcement is involved) situation.

    Someone else mentioned making a boot floppy. Bah! I'll make a Knoppix ISO and hit knoppix 2 at the boot options screen if I don't want the pretty GUI but I do want most every tool I could possibly have a need for vs. the limited functionality boot floppy.
  • Re: Slow computer! (Score:3, Informative)

    by Sj0 ( 472011 ) on Monday August 16, 2004 @09:38PM (#9986898) Journal
    Here's something which you might want to try:

    Make www.windowsupdate.com and v4.windowsupdate.com trusted sites, then crank up the security settings for the internet zone. No html forms, no downloads, no activex, no vbscript, no java...

    It cripples IE so much that you can't even use it by accident. Not so useful if you're out of the habit of typing things into the address bar of file manager windows, but very useful if you have others using your computer who just don't listen. ;)
