Invisible Malware Install 65MB Large 381
Paperghost writes "Words fail me with this one - don't have the .NET framework on your PC to utilise the adware maker's technology? No problem, they'll download it for you without you knowing. The problem is that it's a sixty-five megabyte install." From the article: "...the size of the .NET framework to download can vary drastically depending on what extras you have - don't forget the service packs, SP1 is an extra 10 or so MB in size. But I'm actually understating the amount of space used when installed, as .NET can total up to 100MB."
Re:dialup (Score:3, Informative)
Marc Lucovsky! (Score:5, Informative)
Consider the .NET framework for a second. Suppose you wrote something innocent like a screen saver, written in C# based on the .NET framework. How would you as an ISV "ship your software"? You can't. Not unless you sign up to ship Microsoft's software as well. You see, the .NET Framework isn't widely deployed. It is present on a small fraction of machines in the world. Microsoft built the software, tested it, released it to manufacturing. They "shipped it", but it will take years for it to be deployed widely enough for you, the ISV to be able to take advantage of it. If you want to use .NET, you need to ship Microsoft's software for them.
Who said Microsoft does not know how to ship software anymore?! Let the trojan authors take care of that!
Re:Are we sure... (completely offtopic) (Score:4, Informative)
Mod parent down... -1: Incorrect (Score:3, Informative)
Re:a lot of space (Score:5, Informative)
the actual size of the
So once it's done its thing and installed
Re:Are we sure... (completely offtopic) (Score:2, Informative)
Re:Are we sure... (completely offtopic) (Score:1, Informative)
Re:Are we sure... (Score:3, Informative)
Re:Are we sure... (Score:2, Informative)
Figured this would happen... (Score:2, Informative)
The fact that it is "malware" and not a "virus" only means that some commercial use has been made of the virus.
I hope this is a single event, but I fear we have not seen the last of this troubling development.
Re:NewDotNet (Score:3, Informative)
Re:NewDotNet (Score:3, Informative)
http://new.net/ [new.net]
You can take your tinfoil hat off, now.
the problem is the malware (Score:5, Informative)
The real problem here is that somehow these machines installed malware. The problem could be that they are running IE, it could be that the malware is exploiting a bug, etc.
There is a simple solution: run Linux instead. That will protect you from both malware and
does anyone understand the original story? (Score:2, Informative)
Re:zerg (Score:1, Informative)
Re:zerg (Score:1, Informative)
In future maybe you should have at least know what you're talking about before spreading FUD.
Re:65 MB without the user knowing? (Score:5, Informative)
Re:A simple solution (Score:3, Informative)
I've found that I need administrative access to do a lot of the things that I need to as a developer. I do these things many times a day. On linux I would just sudo when I needed it. I think you can run commands as a different user on windows too, I did try it once but kept hitting problems. There's no 'man' command! DOS documentation sucks. I haven't found the equivalent of a sticky bit that I can use for my build scripts that need admin access. A lot of Windows apps are built from visual studio which doesn't have a GUI to switch to admin access for parts of the build. The philosophy is just not there - yes we should push for it. When I was developing for macos in a much bigger company the windows team used to be more sorted in this respect - but then there was a big IT department to support them - developers can't afford to spend too much of their time on system admin. Some developer's are into it and some aren't. The lead programmer on my current team is so not into it (but he is a brilliant programmer) - to make things easy for him he has domain admin - everyone knows his password! No I won't say where I work! We don't have an IT department. I think big companies that can afford IT staff do tend to be better over stuff like this.
I don't think many people would start an X session as root in linux. A lot of people will only switch to root as needed. Some are better than others about being fussy about what they do as root. (I bet a lot of people compile their kernels as root) On Windows on the other hand it is very common to login to the graphical environment as admin. A lot of the admin tools have GUI. I think both Windows and linux could be made better by making it very awkward (impossible out of the box) to start an X session / login to Windows as an admin user. I have seen new linux users start X sessions as root....normally to get things set up (often being used to Windows)....but then sometimes things don't work for them as normal users and they just give up and always login as root!
I suppose I might be guilty of the same laziness when it comes to being a new Windows user - but I'm not being paid to admin my machine....In fact I use a linux box to mail and surf so as to lower risks a bit - we were asked to find ways of avoiding Outlook - so I found an old PII and blatted gentoo on it. There is a big difference between Windows and Linux though...a lot of install stuff is done on the command line on linux. Most big distro's make it clear you're being an idiot for running X as root. I haven't seen a linux distro that doesn't make you, or strongly advise you to create a normal user account as well as a root account. Having groups as well as users makes things a lot more flexible. Unix has always been a multi-user environment. Windows just hasn't been designed that way. You've got to laugh.
Lol (Score:2, Informative)
Re:Are we sure... (Score:2, Informative)
You shouldn't need to call the CG..thats the point..it will figure it out. It doesn't release objects right away b/c it might need them later..
Re:Are we sure... (completely offtopic) (Score:2, Informative)
For those of us that occasionally program in C# with .NET this is a bigger pain that you know. The two most descriptive keywords of the programming environment really are meaningless nothing-words in the Web's (normally) best search engine.
Hmmm... have you tried searching Google for C# lately? ".net" and "net" do indeed return the same results, but the results for "C#" and "C" are very, very different.
Google search for C# [google.com]
Google search for C [google.com]
Re:zerg (Score:4, Informative)
Any normal user account in windows cannot write into the Windows folder where
Re:Still complaints about Java JRE size? (Score:3, Informative)
Your point does remain that the JRE is smaller than the
Re:65 MB without the user knowing? (Score:1, Informative)
Long story short:
Lame sysadmin notices spike in bandwidth.
Lame sysadmin can't read own proxy/firewall logs.
Lame sysadmin somehow discovers that his users voluntarily downloaded a streaming-video app which downloads/quietly installs .NET during installation.
Lame sysadmin writes badly-worded rant showing a) his own inability to properly lock down his network b) his misunderstanding of bandwidth and disk space constraints c) his inability to communicate clearly.
Slashdot reader skims lame sysadmin's blog, thinks 'Aha, another way M$ sucks!' and submits article.
Slashdot editor skims submission & lame sysadmin's article, thinks same thing, slaps incredibly misleading title on top, and posts it.
Slashdot readers respond.
Hilarity ensues.
Re:Symbiotic viruses (Score:3, Informative)
Re:A Different Worm (Score:3, Informative)
First of all, security features that exist on Windows that are never used by anyone don't contribute to Windows being architecturally more secure than anything else, because if you start making those arguments, we can start talking about capabilities and SELinux and all sorts of security features that exist for the Linux kernel that people don't often use; and if we do that, you essentially immediately lose. You can't say, "Windows, when people use all sorts of exotic security features, is more secure than Linux, presuming that none of Linux's exotic security features are in use, and therefore, Windows is more secure than Linux." I mean, I hope you can see the holes in your own argument. They're big enough to drive a truck through.
Plus, I'm not a zealot, bub. You picked the wrong guy to flame. I'm quite aware that the NT kernel's low level ACL structure is superior in design to the UNIX root/normal user paradigm. You're talking to an old VMS hand.
However, as you yourself pointed out, basically no operating systems limited by such a simple security model anymore, and this includes Linux. ACLs are part of the POSIX spec and SELinux style policies are supported out of the box in the 2.6 kernel series.
The difference is habit; UNIX has always been multi-user (well, except for the very early research versions) and so UNIX utilities have been designed to work with as few permissions as possible, for security reasons. Security is a much bigger deal on a multi-user system, for obvious reasons. This philosophy persists to this day in the UNIX world, and application designers generally don't make GUIs that run as root -- hell, lots will refuse to run as root.
On the Windows side of things, we're coming from Win95 and earlier, DOS. It doesn't matter that Microsoft ripped out the DOS crap and put in the vastly improved NT kernel with all its security features. Software vendors developing for MS platforms were used to being able to mess with anything on the system, and they continued to do so. Worse, most installs of Windows default to a user with Admin access (that logs in automatically, no less). It's a matter of culture. Convincing Windows users to run as non-administrator is hard because a) they aren't used to it and b) almost nothing runs, because in the old days, there was no Admin user, and most modern Windows apps share code with their Win95 ancestors. This shouldn't be hard to understand.
Windows is far less secure than GNU/Linux, for lots of reasons. Very few people that know what they're talking about doubt the quality of the NT kernel (although putting the GDI in ring 0 was stupid, and a major reason NT 3.5 was so much more stable than 4). But unfortunately, as RMS is always trying to point out, there's much more to an OS than just the kernel. Windows, as a whole, suffers from a history of not caring about security. Its users are only now starting to care; its application developers don't seem to care; no one seems to care.
This is not true in GNU/Linux.
And as for GNU/Linux being a fort, who said that? UNIX-like OSs have always been caught with their pants down when compared to systems like VMS, MVS, and EROS. Within the UNIX world, pretty much any one of the BSDs blows the pants of Linux (except perhaps Mac OS X, if you can call it a BSD).
But it remains far, far more secure than Windows.
And as for the whole "Why isn't Apache more vulnerable than IIS" line, I wouldn't have brought it up, because I think it's a bit silly. But your attempt at refuting it is even more ridiculous. You're comparing Apache2 to IIS 6? I believe the reason people always bring up the Apache vs. IIS argument is because Apache has more marketshare than IIS, but is attacked less.
Most Apache ins