Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Symantec Claims They Knew About Slammer In Advance 646

truthsearch writes "Wired is reporting 'Symantec claims to have identified the Slammer worm that ravaged the Internet during the last weekend of January hours before anyone else did. Symantec then shared the information only with select customers, leaving the rest of the global community to get slapped around by Slammer.' I'm not bothered I didn't know Slammer was coming, but Symantec has a moral responsibility to inform the public if it thinks millions will be affected." It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet, unless they had something to do with its release. Update: 02/14 16:54 GMT by M : Wired has their math wrong; Symantec apparently had at most 20-30 minutes of early warning. Symantec claims in this press release that they discovered the worm "hours before it began rapidly propagating".
This discussion has been archived. No new comments can be posted.

Symantec Claims They Knew About Slammer In Advance

Comments Filter:
  • Big Surprise (Score:3, Insightful)

    by Anonymous Coward on Friday February 14, 2003 @11:17AM (#5302351)
    Do you honestly believe that all the viruses come from joe sixpack sitting in his basement with nothing better to do?
    • by Feral Bueller ( 615138 ) on Friday February 14, 2003 @01:48PM (#5303945) Homepage
      I had the opportunity to interview with Symantec about 5 years ago, for the Norton Anti-Virus unit.

      It's safe to say by your post that you haven't.

      To post the assertion that these guys have anything to the propagation and dissemination of viruii is retarded - not only do they have to contend with regular build issues, feature requests, etc. - but they also have to keep up with the dozens of virii released into the wild on a weekly basis. The heuristics involved in developing the software necessary to *fix* an already infected (sometimes by multiple virii) is pretty impressive. There's no *good* reason why any of these engineers would intentionally create more work for themselves -- they don't need any.

      Additionally, they aren't the only game in town as far as anti-virus software. They would be out of the fame in a New York minute if they were ever found to be involved in disseminating virii, intentionally or not.

      Please turn off your computer and go back to your "X-Files" reruns.

      P.S. - The coolest thing about the interview was when one of the Senior Engineers showed me the Quarantine Room, where they research different virii and repairing the damage.

      • by lvdrproject ( 626577 ) on Friday February 14, 2003 @02:32PM (#5304358) Homepage
        Ok, i haven't reached the bottom of this page yet, but i'm willing to bet a couple dozen posters made this same mistake.

        The plural of "virus" is "viruses". Aside from that, Latin plurals end in "i", not "ii". For example, "magus" becomes "magi", not "magii". The notion of Latin plurals ending in "ii" probably comes from such words as "radii" (plural of "radius"). The reason "radii" has two "i"s is because "radi-us-" becomes "radi-i-".

        "In antiquity the word virus had not yet acquired, of course, its current scientific meaning; rather it denoted something like toxicity, venom, a poisonous, deleterious, or unpleasant agent or principle, or poison in the abstract or general sense. [...] Nouns denoting entities that are countable pluralize (book, books); nouns denoting noncountable entities do not (except under special circumstances) pluralize (air, mood, valor). The term virus in antiquity appears to have belonged to the latter category, hence the nonexistence of plural forms." (taken from here [perl.com]) Also, "viri" is Latin for "men", so that's not it either. The word is "viruses".

        I know i'm coming off like a jerk here, and normally i don't post just to criticise someone's spelling, but "virii" is a plague. It's because of mistakes like this that we have two words for "disc", and the bizarre spelling of "Thames" (i.e. people trying to make English correspond to its Latin/Greek roots). Anyway, i just thought i'd point that out. That word really bothers me (which i guess is somewhat sad).

        Sources:
        - http://dictionary.reference.com/help/faq/language/ v/virus.html [reference.com]
        - http://www.perl.com/language/misc/virus.html [perl.com]

        PS: Otherwise an interesting post, heh.

        • by fishbowl ( 7759 ) on Friday February 14, 2003 @05:52PM (#5306038)
          People say "virii", not because they think they are speaking latin, but because they think it
          sounds good. They think it expresses what they want to mean.

          Look at the whole damned French language for an example of what happens when people spend a few centuries speaking what they think is latin. :-)

          So the problem is not that you are right or wrong, but rather, that the people you would like to persuade do not care for your argument.

          It's like the people who wish media would stop using "hacker", or that slashdotters would use "GNU/Linux" when they say "Linux"... The argument is sound, and compelling, but is completely lost on those it seeks to influence! Not only do they not care, they actually prefer to stick with their chosen usage! You'd do just as well to argue that "virus" should be a mass noun or a possessive state of being: It has virus. (Like "milk" -- en français, il vaut mieux qu'on dit du virus).

          I wouldn't hold my breath waiting for "virii" to go away -- these people don't even CARE that some English words have latin roots!

          Hey, that makes me wonder if there is any other language whose plurals are formed with a final -i or -ii?

          Now, if someone DOES buy the argument that latin usage should influence English, I wonder if it is important to note that "virus" in latin refers to "poison"... I'm standing by my argument that it should be a mass plural, not a count plural!

          It is easy to make the case against "virii" from the latin "virus" -- it is not "virius" therefore not "virii" in the plural.

          My advice is to write and speak with proper usage, correct others when they ask you to proofread their copy, and not expect anyone else to upgrade their literacy in

          What's next on your agendum? ;-)
  • makes it worth it (Score:3, Insightful)

    by Anonymous Coward on Friday February 14, 2003 @11:18AM (#5302354)
    thats what makes the extra special account worth it.if they told everyone, then whats the point in paying for the extra notice?

    (not that I agree with not telling everyone, that just seems to be the why)
    • Symantec lies (Score:5, Interesting)

      by helix400 ( 558178 ) on Friday February 14, 2003 @12:42PM (#5303269) Journal
      Symantec has a bad history of not telling current customers about their viruses. When they discover a virus, they first take a few days to figure out a fix, and when they find a fix...THEN they announce it as "Discovered". Sure makes them look good when they claim to discover and fix most viruses the same day

      I saw this first hand. When Opaserv variants were coming out almost weekly last fall, Symantec was very slow to acknowledge their existance. A few people I know sent them executables of a new variant on October 19. Finally, on October 23, they announced they "Discovered" it...4 DAYS AFTER WE SENT IT TO THEM! Those Symantec liars didn't even tell us that they discovered it, but they're working on a fix. No, they sat on the virus for 4 days! (Want proof? Check out Symantec's Oct 23 discover day for brasil.pif, here [symantec.com], and compare that with the Oct 19 date that many of us first noticed that virus on this discussion sire here. [computing.net]) And of course, following true to Symantec policy, they claimed to have released a fix either the day of discovery or the the next day...to show they're working hard for their customers.

      Stupid liars.

      • Re:Symantec lies (Score:3, Insightful)

        Stupid liars.

        Liars maybe, but stupid they are not.

      • Re:Symantec lies (Score:4, Interesting)

        by CrazyDuke ( 529195 ) on Friday February 14, 2003 @09:04PM (#5306904)
        I experienced this on what should have been routine for them by now, yet another sub7 varient. I didn't know it was sub7 at the time other than it did basically what the sub7's before it did. I tried it on a dummy box, and it waltzed past Norton Antivirus. I verified the infection when my firewall started complaining about illegal requests from the trojan phoning home. I submitted the executable as packaged, discribed its infection stratagy, removal guide, and packaged it all in a nice little email explaining that I had the latest and greatest patches and list for their current corporate version antivirus. This took me about 3 hours total, from research, infection, tracing, removal, verifying removal, formating a report, and submiting it.

        About a month an a half later, I get a terse email from Symantic, stating that they already knew about sub7 and that they had had the definitions for a month now. They recommended that I should keep my antivirus updated more often. This was conveyed in a nice little way that sounded like I was some AOL newbie that couldn't tell the left from the right mouse button. Needless to say, I am no fan of Symantic now.
  • by digitalgimpus ( 468277 ) on Friday February 14, 2003 @11:18AM (#5302360) Homepage
    Just wait til next week!

    HA HA HA HA HA [silence]
    HA HA HA HA HA [silence]
    HA HA HA HA HA [silence]
    • by Sun Tzu ( 41522 ) on Friday February 14, 2003 @11:43AM (#5302680) Homepage Journal
      Anti-virus companies have a huge conflict of interest in that they sell 'protection' against anonymously produced virus threats. These, and firewall producers, are precisely the same companies that benefit the most from malware and network-borne threats of all kinds.

      I would think that they would be more careful about raising people's suspicions about their prior knowlege of absurdly fast propagating worms.

      Maybe they are believers that 'any publicity is good publicity' -- even in their business.

      Send us your Linux Sysadmin [librenix.com] articles!

      • Anti-virus companies have a huge conflict of interest in that they sell 'protection' against anonymously produced virus threats. These, and firewall producers, are precisely the same companies that benefit the most from malware and network-borne threats of all kinds.

        That same claim can (and has) been leveled against the defense and intelligence industry for some time now. If we don't believe there to be a threat, then we (any given 'we') will not pay for a defense against that (non) threat. The point you make, however valid, isn't really all that new.

        I'm not in any way trying to flame you, however...I'm just pointing it out because it seems interesting to see how once again it's the same old story (life, that is) with a new wrapper on it.

  • by xinit ( 6477 ) <rmurrayNO@SPAMfoo.ca> on Friday February 14, 2003 @11:19AM (#5302365) Homepage
    If you think about it, the best advertisement for an anti-virus package is massive data loss caused by Evil Virii (tm). "Well, you should have backed up AND scanned with our priciest product...."
  • Devil's Advocate (Score:5, Insightful)

    by govtcheez ( 524087 ) <govtcheez03@hotmail.com> on Friday February 14, 2003 @11:19AM (#5302368) Homepage
    What "moral responsibility" did they have? They're a big company, and their sole purpose is to make money - they're not trying to save the world. They're trying to get richer.
    • by garcia ( 6573 )
      not only that, but common legend says that virus companies create most of the viruses themselves to make sure they stay in business.
    • Re:Devil's Advocate (Score:5, Interesting)

      by Pxtl ( 151020 ) on Friday February 14, 2003 @11:25AM (#5302446) Homepage
      Idunno - I like this quote:

      "If I witness a felony but refuse to call 911 because the victim hasn't paid me money to do so, I'm technically an accessory to that crime, not to mention a really rotten citizen."

      Corporations are determined to have the same rights as citizens - then they have responsabilities too. That being said, how many times have we heard about a company trying to keep the holes in their own software secret from the security community? This isn't very different.

      A company's duty to itself is to make money - but companies are allowed to exist by the government of the people - and so all companies, profitable or otherwise, have the responsability to act for some vague concept of greater good. Usually this rule can be generally ignored, after all, the fact that they generate money is good for the economy. The exception occurs they did something dead-obvious-bad. Keeping a threat to the whole internet a secret pretty much falls into that category.
      • by Bilbo ( 7015 ) on Friday February 14, 2003 @12:14PM (#5302967) Homepage
        > The exception occurs they did something dead-obvious-bad.

        Aside from the obvious question of, how could they have known, hours in advance, of a worm that took essentially ten minutes to bring down major portions of the Internet, how could they have known the extent of damage that the worm could potentially have on the Internet?

        The 911 illustration is not exactly valid. If I see someone in the act of commiting a crime, I have a pretty good idea what the outcome will be. On the other hand, if I overhear someone talking about commiting a crime, the line becomes a lot more fuzzy, because I don't know if the crime will ever be committed, or if it will be successful.

        You get a vague idea that there's a new Internet Worm on the loose, and you warn your customers. It's not until later that it hits you that, "Ohmygosh, this is the big one!"

    • by Scrameustache ( 459504 ) on Friday February 14, 2003 @11:25AM (#5302448) Homepage Journal
      No, "it" is a big company, "they" are employees and officers. Individuals with a moral, and sometimes legal, obligation to do what is right.

      The same way that if I walk in their offices and pass out, I would expect them to call an ambulance and perform first aid, not to steal my wallet (to get richer).
    • And that's the problem. It's that lack of an inherent feeling of moral responsibility that gives these corporations and America in general a bad name. A corporation may exist for a purpose, but it consists only of human beings. Without people there's no company. People have moral responsibilities, but it's often forgotten in the context of a company. But since a corporation is nothing but a group of people those morals shouldn't be forgotten. Generally people should expect them to be responsible. It's that attitude of "they're in it only to make money, so that's ok" that keeps it the way it is. Look down on them for a lack of moral responsibility and their sales will drop.
  • moot point (Score:5, Insightful)

    by JohnLi ( 85427 ) on Friday February 14, 2003 @11:19AM (#5302370) Homepage
    Is'nt this a silly point anyway, as there was an available update that could have prevented the entire situation months before? I know it wasn't in a service pack, but why is it symantecs responsibility to get you to update your software?
    • Re:moot point (Score:3, Interesting)

      by hughk ( 248126 )
      The big gotcha is how many people even knew their systems were vulnerable? Sure if you have SQL Server, you know about it. What about the baby-SQL though (SQL--), it is hard to even get configuration level acces to it because it gets installed as part of applications.
  • by jpsst34 ( 582349 ) on Friday February 14, 2003 @11:21AM (#5302390) Journal
    I knew about Slammer in 1988 [imdb.com]. (Take a look at Jim Brown's [imdb.com] character.)
  • Moral obligation? (Score:5, Insightful)

    by nakhla ( 68363 ) on Friday February 14, 2003 @11:21AM (#5302391) Homepage
    Since when does Symmantec have a moral obligation to do anything? They're a corporation. Their service is to detect and prevent network attacks. If you are willing to PAY for the service, then you get the benefits of it. If not, then it sucks to be you. Ford's service is making cars. Are you saying that Ford has a moral obligation to give me one, even though I haven't paid for it?
    • by phil reed ( 626 ) on Friday February 14, 2003 @11:23AM (#5302430) Homepage
      The Internet is a cooperative enterprise. It behooves all the users to play nice with each other. Symantec evidently decided that their customer base was a higher priority than playing nice with everybody else. That's fine, and they are welcome to make that choice. They then get to live with the consequences, including the one where everybody else decides not to play with Symantec because of their attitude.
    • Agreed (Score:5, Insightful)

      by Adam9 ( 93947 ) on Friday February 14, 2003 @11:27AM (#5302479) Journal
      I don't see why people expect companies to donate information that costs them to find. They could've used this info in two ways, the way I see it. First, is to share it to their corporate customers who pay to have this kind of early warning. Second, release it to the media, CERT, and other organizations and make sure they "advertise" that Symantec found it first.

      So they chose the first. Big deal. Do you really think even a majority of these sysadmins would have firewalled their MS SQL server hours before it would be infected? Doubtful. If they didn't apply the patch from July of '02, then they're not going to immediately respond in a few hours to patch an impending threat.

      • Re:Agreed (Score:4, Insightful)

        by enjo13 ( 444114 ) on Friday February 14, 2003 @11:51AM (#5302745) Homepage
        Let me us an extreme example..

        Lets say your run a business cleaning up crime scenes (Such business really do exist). You find out, hours before, that someone is going to walk into a mall and just open fire. Do you A) Tell your friends not to go to the mall, and make sure that you just happen to be around before the massacre occurs? or B) do you call the police?

        Go with option A and you are an accessory to the crime and you go to jail. Even IF it was good for business.

        The same thing occured here. If in fact symantec KNEW about the transimission of a crime before it occured, then they most likely broke the law by not contacting the proper authorities. Would it have prevented Slammer? Nah.. but it doesn't change the fact that YES they are completely required to share this information. The issue of morality is irrelevant, this is an issue of law.
    • by Quixote ( 154172 ) on Friday February 14, 2003 @11:32AM (#5302550) Homepage Journal
      OK, then why do companies like Microsoft bitch and moan about individuals releasing exploits before they have had time to "study" the bug (read: sit around and do nothing) ?

      "Moral responsibility" is a two-way street: if you (the company) expect me to have some, then show some towards me too.

    • I think there is a moral obligation. Knowing about a virus is, essentially, knowing about a crime that is about to be or is being committed. They at least had an obligation to report anything they know to legal authorities, short of proprietary solutions.
    • by tjwhaynes ( 114792 ) on Friday February 14, 2003 @11:35AM (#5302578)

      Ford's service is making cars. Are you saying that Ford has a moral obligation to give me one, even though I haven't paid for it?

      No - get the analogies right. If I, as a car servicing firm, knew of a part in a Ford car that could fail and cause the car to go off the road at random and I only let my best customers know, I would be sued for screwing around with peoples lives.

      Not that I have any sympathy for either MS or Sympantec - Symantec gets to make money off the loopholes in MS's operating system in a strange almost parasitic relationship. The only thing that isn't clear to me is which company is the host...

      Cheers,

      Toby Haynes

      • by liquidsin ( 398151 ) on Friday February 14, 2003 @12:25PM (#5303090) Homepage
        Maybe you should get *your* analogies straight. Everyone is acting like Symantec did something horribly wrong. Let's not forget that there has been a patch available for this since july of last year. So if we must make analogies, how about this one:
        I, as a mechanic, know that cars made by Ford had a recall (say for something like tires...). Now, of course it's in my best interest to inform *my* customers, but am I "morally obligated" to stop every passer-by on the street who's driving a Ford and tell them?

        The point is, Microsoft admitted there was an issue and fixed it six months ago. Why is it Symantec's obligation to remind us all to secure our servers?

    • When there is talk in Congress about making cyber-crimes punishable by life-imprisonment, Symantec has a resposibility to warn the masses about Internet threats. They have a reputation as "the anti-virus company" and as such they have to live up to that reputation. To say that they will sit on information that they know will disrupt millions of people, businesses, and educational instituitons andonly provide warnings to the people that pay them is admittance or extortion.

      "GIVE US THE LOOT, OR YOUR PC WILL NOT BOOT!"

      Prosecute them.

    • by dh003i ( 203189 )
      WRONG. They had a LEGAL obligation to report this. Releasing a virus onto the internet to infect other computers is a FELONY -- a CRIME. If you witness a crime and don't call 911, you're an accessory to the crime. Symmantec had a LEGAL obligation to report this obvious CRIME to the authorities. Because they didn't, they are an accessory to the crime.
    • by dpilot ( 134227 ) on Friday February 14, 2003 @12:01PM (#5302852) Homepage Journal
      Do we really hold corporations to such low standards?

      Do you hold your friends or family to such low standards?
      Do you hold other members of your community to such low standards?
      Do you hold your elected officials and their appointees to such low standards?

      This came up during the hearings for Edwin Meese for Attorney General. The Attorney General is the highest Officer of the Law in the land. For him to merely say, "I have been convicted of no crimes." is not ANY sort of endorsement for the office. It's barely a qualification.

      When we rant against the poor and welfare, we argue that putting a safety net under these people will encourage them to fall into it, and not try to better themselves.

      Isn't the law really an ethical and moral safety net? So is it any wonder that *some* sink to the net, just like some poor do with welfare? But the real problem comes when we EXPECT people and corporations to sink to the net, take for granted that they will, and dont' see a problem with that situation.

      Businesses are a member of the community, too. I'd expect them to behave as ethically and civilly as any person. With a business, I only have my words and money as tools to 'encourage better behavior.'
    • by lildogie ( 54998 )
      Two words:

      Protection racket.
  • by FyRE666 ( 263011 ) on Friday February 14, 2003 @11:21AM (#5302394) Homepage
    I can see them spending a lot of time in court issuing statements like that. Since the worm cost [insert random() x billion] dollars in lost business according to the press litigation seems inevitable.

    It's more likely that their customers, since they must have some interest in security, had already installed firewalls and not left SQL server open to the entire internet though...
  • by Max Romantschuk ( 132276 ) <max@romantschuk.fi> on Friday February 14, 2003 @11:21AM (#5302397) Homepage
    OK, I don't get it... How does Symantec going "We knew all about it but we didn't tell you" make Symantec look good in any way? I know I get annoyed when people behave like that... So anyone have a thought on exactly how this benefits Symantec?
  • Timezones? (Score:5, Insightful)

    by remmy1978 ( 307916 ) on Friday February 14, 2003 @11:22AM (#5302408) Homepage
    From the article:

    "According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."

    Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th."

    Accounting for timezone differences between EST and PST, would this not make the two times much closer to each other?
    • Re:Timezones? (Score:5, Insightful)

      by fname ( 199759 ) on Friday February 14, 2003 @11:31AM (#5302537) Journal
      Yup. So, Symantec forgets abouts time zones and starts congratulating themselves for their good work. Wired forgets about time zones and reports on Symantec's irresponsible acts. A Slashdot reader breezes through the article and submits it, whilst forgetting about time zones. Slashdot editor, rushing to post the article, forgets about time zones and posts the news item.

      Shame on Symantec. Shames on Wired. Good thing we have the good folks at Slashdot to keep the news in perspective.
    • Re:Timezones? (Score:3, Interesting)

      by Speed Racer ( 9074 )
      Especially since the virus didn't even debut until 12:30 AM EST on 25 Jan, according to the article. Either everybody noticed it before it was actually released or the times listed in the article are FUBAR. Either way, the Symantec spokesman is full of doublespeak.
    • Re:Timezones? (Score:3, Informative)

      by Davorama ( 11731 )
      Which article were you reading? Here's what it's saying now.
      "Within 10 minutes of debuting at 5:30 a.m. (UTC) Jan. 25 (9:30 p.m. PST, Jan. 24), the worm was observed to have infected more than 75,000 vulnerable hosts," the researchers' report read in part. "Thousands of other hosts may also have been infected worldwide. The infected hosts spewed billions of copies of the worm into cyberspace, significantly slowing Internet traffic, and interfering with many business services that rely on the Internet."

      According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."

      The first posts about Slammer appeared on major security discussion lists about an hour later, at roughly 1 a.m. PST, according to security consultant Ken Pfeil."

  • So? (Score:5, Insightful)

    by fobbman ( 131816 ) on Friday February 14, 2003 @11:22AM (#5302411) Homepage
    Heck, Microsoft released a patch to fix this problem in June of 2002. Windows sysadmins had 6 months notice that it was a problem.

    I don't mean to sound like a troll or the least bit insensitive, but if the Windows sysadmins aren't keeping their servers patched then that's the sysadmin's fault. The finger of blame should be pointed right at the mirror. Keeping their servers updated and safe is their JOB, unless they have a security specialist, in which case it's their job.

    • Re:So? (Score:4, Informative)

      by phil reed ( 626 ) on Friday February 14, 2003 @11:31AM (#5302531) Homepage
      Have you even looked at those patches? Microsoft patches, especially in a system like SQLServer, have a tendency to break running code. So, you can't just fling it onto a production server. Further, the bug exists in a database component that gets installed with a whole lot of other Microsoft software (like Visio, a CAD-like program). And reading the "how to install this patch" instructions would scare off almost everybody -- it's not automated like Windows Update.


      Sorry, but installing patches is a non-trivial exercise.

    • Re:So? (Score:3, Insightful)

      by stratjakt ( 596332 )
      Yep.

      And plenty of unix admins still running insecure versions of apache, ftpd, and openssl.

      MSFT has no monopoly on laziness, percieved or real.

      A big part of it is the propellerheads releasing the MS-hotfixes or OS-patches dont realize that in an enterprise environment you dont always have the time to bounce a server, apply the patch, test, validate all code that was running prior to the patch.
    • Re:So? (Score:3, Interesting)

      by Matty_ ( 74368 )
      I think we can pretty much assume that most informed administrators would patch the security hole on their systems.

      My guess is that the vast majority of Windows administrators do not subscribe to Microsoft's security advisories list and were not aware that they needed to fix a problem. This is probably due to shear ignorance and/or lack of responsibility.

      Furthermore, tons of Windows servers are sitting out there which don't have anyone administrating them and keeping them up-to-date.

      A lot of small companies simply don't want to pay someone a service contract to maintain such things, but GOD FORBID they don't get to have their expensive Exchange/File/Print server.
    • Re:So? (Score:3, Interesting)

      by WNight ( 23683 )
      If Microsoft was better at releasing bug fixes in small packages, so that you could keep your server do exactly that it does now, but without a buffer overflow, people would update more often.

      Most admins are pretty trusting with Apache patches. Give them ten minutes of testing, mainly insure you didn't overwrite something during the install, and you're ready to go live. MS patches are larger and unwieldly. MS software also tends to have more unpredictable interactions than unix software. As a consequence, Unix admins who patch at all, tend to trust updates and patch more quickly. Of course not everyone will patch, many people have toy webservers they don't really admin, but that's beyond the scope of this.

      Unix software also tends to be smaller and call other programs instead of doing everything in one executable. As long as the interface between the two works, you can keep your bug testing isolated to the segment you're patching. (Upgrade PHP, run PHP tests, not full webserver-and-CGI tests.)

      Don't forget that MS themselves weren't in full compliance with this patch. There's the ability to auto-install updates, but they didn't for some reason. You'd think their admins would be the best, that they'd know all the tricks.
  • by TopShelf ( 92521 ) on Friday February 14, 2003 @11:22AM (#5302414) Homepage Journal
    This sounds like Wired trying to stir up a controversy from scratch. Besides, what would have been the impact of them posting a warning a few hours earlier? If an admin saw the notice before the widespread nature of Slammer was known, would they instantly apply patches that they hadn't already installed for one reason or another? I doubt it...
  • Hmm.. (Score:5, Insightful)

    by zulux ( 112259 ) on Friday February 14, 2003 @11:23AM (#5302417) Homepage Journal
    ..... unless they had something to do with its release.

    I have wondered why a lot of these Microsoft-worms never seem to have a destructive payload. If you imagine a script-kiddie working hard in his mom's basement, you'd think he'd add a payload of some sort.

    (hell, if I had the inclenation and the time to create a virus, I'd atleast change the Windows statup .JPG to the 'gentleman who is affiliated with goats.')

    It's almost like these Microsoft-worms were desingned to create panic and purchasing action, but no legalally actionable damage.

    Just a rambeling thought.

    • Re:Hmm.. (Score:5, Insightful)

      by Bastian ( 66383 ) on Friday February 14, 2003 @11:33AM (#5302562)
      I see two possibilities:

      1) It was done for hack value, not vandalism.

      2) With how many Windows computers there are out there, a simple worm has the ability to cause more than enough trouble.

      As for Slammer not having a payload, that's because it was designed to fit in a single 505-byte UDP packet. There wasn't room for a payload.
    • Re:Hmm.. (Score:5, Interesting)

      by Pxtl ( 151020 ) on Friday February 14, 2003 @11:36AM (#5302613) Homepage
      I've always noticed that too. The fact that there's never any large-scale loss really does encourage the idea that its not your garden-variety blackhat. When I was a kid, your computer contracting a virus meant that you could kiss all your files goodbye. These days, it means your connection will be lagged and maybe some e-mail sent. All ILOVEYOU even did was delete some jpgs and mp3s. I'm surprised that none of these worms don't wait for an hour or two(for the computer to finish spreading) then wipe the machine or something - or maybe begin spewing the contents of the SQL database onto the 'net (heaven forbid credit card #'s be in there).

      I always say when something like this happens - at least the attacker wasn't going for raw damage.
  • very intriguing (Score:3, Interesting)

    by greechneb ( 574646 ) on Friday February 14, 2003 @11:23AM (#5302422) Journal
    Nothing better to increase your business like having something that scares potential customers.

    How many windows users that you know that have virus protection software that came with their pc and has never been updated? They won't upgrade their virus software until they learn that it is necessary.

    When do they find out it is necessary? When someone hits the web with a massive worm/virus. If nothing massive happens for a while, I'm sure antivirus companies are losing money. What better way to spike sales than by creating panic?
  • by kaosmunkee ( 198798 ) on Friday February 14, 2003 @11:25AM (#5302456)
    From the article...
    According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."


    Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th.
    So explain to me again how they knew about it before anyone else? -kaos
  • by Akardam ( 186995 ) on Friday February 14, 2003 @11:28AM (#5302482)
    At least from a "We're a company, we exist to make money" standpoint. Symantec maintains that privledged list precisely so they can make money - they offer a "tell you before I tell anyone else" service, and people are obviously willing to pay for that.

    Besides, I highly doubt Symantec is the cause of slammer, and because of that, they don't have any moral obligation to let anybody know about it. On top of that, we're talking about a matter of hours, not days or weeks. They probably told their clients "Uh, we think something's coming, so watch out". I highly doubt they would have had specifics.

    Not trying to flame here or anything, but let's be a little realistic. If anyone's to blame, it should be Microsoft, for releasing the buggy program in the first place, or the sysadmins for not applying the paches, yadda yadda yadda.
  • PST vs. EST (Score:3, Insightful)

    by shawn.fox ( 461873 ) on Friday February 14, 2003 @11:29AM (#5302500)
    From the article:

    Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24." Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th.

    For those of you who don't know the difference, EST is 3 hours ahead of PST. Thus DeepSight identified Slammer at about the same time as the 'rest of the Internet'
  • Troll? (Score:5, Insightful)

    by fobbman ( 131816 ) on Friday February 14, 2003 @11:30AM (#5302507) Homepage
    "According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."

    Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th."


    Uhh...that's about the same time isn't it Sparky?

  • by Junta ( 36770 ) on Friday February 14, 2003 @11:32AM (#5302544)
    Probably not. Those forewarned took it seriously because they pay for the service. If Symantec had said that a huge attack was imminent and to block the port and patch your SQL servers, how many people do you think would have listened? Of those who listened, how many of those have processes in place so that the requisite network or software changes would have required approval that would have come too late to do any good?

    The people who paid for the warning are going to take it very seriously, but aside from that, I would wager that there would be enough doubt about the validity that measures wouldn't have been taken anyway. Patching the server has the obvious implication for many mission critical databases of a potential restart and potential for undesired change in functionality, so patching in many cases would require a testbed server and evaluation, which this warning provided insufficient time for. Blocking the port, or disabling that part of SQL server, for those with it enabled without needing it, means they need to understand what it does or does not do for them. If they already knew, they would have disabled it sooner, so you can't say they would immediately realize and shut it down.
  • no morals (Score:4, Insightful)

    by DuckWing ( 19575 ) on Friday February 14, 2003 @11:35AM (#5302580)
    In order for Symantec to have a "moral obligation" you must first assume that Symantec has Morals to begin with. They do not. It's that simple.
  • by kbindera ( 259608 ) on Friday February 14, 2003 @11:36AM (#5302606)
    My Magic Eight Ball predicts of a future exploit of a buffering problem in Microsoft software.

    How can you know this stuff Magic Eight Ball!!
  • by DaBunny ( 56964 ) on Friday February 14, 2003 @11:36AM (#5302609)

    According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."

    Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th.


    Ummm..."shortly after midnight EST" is pretty damn close to "approximately 9 p.m. PST"! It doesn't sound like Symantec had much advance knowledge at all.
  • They knew nothing (Score:5, Insightful)

    by doc_traig ( 453913 ) on Friday February 14, 2003 @11:38AM (#5302627) Homepage Journal
    It's a marketing gimmick to get less savvy IT managers to think that going with Symantec will get them ahead of the game. They're burning themselves twice: they'll alienate the infosec community that rightfully believes that knowledge of a potential devastating exploit gained in advance of its use should be shared, and they'll make very poor relationships with customers who fall for this kind of marketing and never have their expectations met down the road.

  • Obligations (Score:3, Insightful)

    by tarsi210 ( 70325 ) <nathan@@@nathanpralle...com> on Friday February 14, 2003 @11:38AM (#5302628) Homepage Journal
    root@yourcompany:$ ./karma_burner --reply=ON --moderators=ON

    If Symantec had a moral/ethical obligation to warn the rest of the world about Slammer before it was released, don't they also have an obligation to warn the rest of the world that if you're using a POS, buggy, perpetually frought with nastiness operating system that you're bending over and just asking for it anyway?

    Fact is, even if they had said something, 50% of the world would have laughed because they're not running Windows, 5% of Windows sysadmins would have been at the consoles sweating it, and the rest of the world would have stayed in the recliner because they don't keep up with security updates anyway OR they have their heads so far up Gates' ass that they couldn't possibly believe it.

    Personally, I sat back and laughed. How about you?
  • Symantec.... (Score:5, Insightful)

    by wowbagger ( 69688 ) on Friday February 14, 2003 @11:46AM (#5302707) Homepage Journal
    Symantec.

    The same Symantec who's Norton Anti-virus product is prominently featured in a rash of spams in my inbox?

    The same Symantec who claims to follow up on reports of this to spamwatch@symantec.com? That never seems to lead to any sort of actions?

    The same Symantec who just changed their auto-renewal to cost people more money IN THE MIDDLE OF THE RENEWAL CYCLE?

    Huh, who'd'a thunk it?

    Glad I use somebody else's [redhat.com] anit-virus software [linux.org].
  • by DaytonCIM ( 100144 ) on Friday February 14, 2003 @11:52AM (#5302762) Homepage Journal
    It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet, unless they had something to do with its release.

    Libel - A false publication, as in writing, print, signs, or pictures, that damages a person's reputation. The act of presenting such material to the public.

    Michael,
    I know you're pretty opinionated and think highly of yourself, but you may want to reconsider posting such statements as it could adversely affect you and your employer.
  • by harborpirate ( 267124 ) on Friday February 14, 2003 @11:53AM (#5302767)
    Another important point is this:

    The worm spread around the entire globe in minutes. And Symmantec didn't know about the worm in advance, they are simply saying that they knew about it before anyone else. (Which other posters have pointed out is BS - apparently journalists and corporate managers don't understand time zones)

    Which leaves us with this simple fact: even if a sysadmin had gotten and read symmantec's message immediately, it is unlikely they would have had time to block the port and/or patch their server in time anyway! They may have already been hit in the time it took them to read the virus alert.

    The fact that symmantec noticed it was happening is hardly surprising, they make money by detecting and stopping viruses. Of course they would notice when a ton of traffic on a certain port started inundating the internet.

    This whole story is a load of crap. Hopefully wired will be more do a little more research in the future into the stories they display, but somehow I doubt it.
  • by nweaver ( 113078 ) on Friday February 14, 2003 @11:53AM (#5302770) Homepage
    Slammer hit so hard and fast (doubling every 8 seconds, peak scanning rate in 3 minutes, analysis [berkeley.edu].

    An "hour" before is a preposterous claim. They might have gotten in 10 seconds before, or even a minute if the first couple of copies were on bad links, but an hour is total, complete, and UTTERLY ridiculous claims to make.

    The only way they could make the claim is if they found an extra-buggy, prerelease version. IF so, we need to know about it as it aids in understanding the author.

    My bet is they saw some unrelated script-kiddie scanning (we saw some of this in our OWN data sets) and someone in marketing is trying to say that they saw the worm 2 hours ahead of time.
  • by DaytonCIM ( 100144 ) on Friday February 14, 2003 @12:14PM (#5302959) Homepage Journal
    From the Symantec Web Site [symantec.com]:

    For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised. This combination of comprehensive up-to-the-minute attack data combined with effective solutions, patches, and countermeasures enable corporations to protect information infrastructure while avoiding downtime and lost productivity.

    It sounds to me like a Tech Security company trying to boost sales of their new Threat Management System and Alert Services by stretching the truth. And we all know the sales and marketing folks would not blink an eye at fudging facts to sell their products.

    Does this mean Symantec had anything to do with the Slammer virus (as Michael alluded to), I don't think so (and honestly to make an accusation like that is just plain ignorant).

    Just my take. Now let the negative modding begin.
  • by merlin_jim ( 302773 ) <James DOT McCrac ... ratapult DOT com> on Friday February 14, 2003 @12:21PM (#5303038)
    but Symantec has a moral responsibility to inform the public if it thinks millions will be affected.

    Symantec does not have a moral responsibility to inform the public. Symantec isn't a publicly funded corporation, or a government agency.

    You do not have a right to benefit for free from the hard work of others. Symantec's ONLY moral responsiblity is to increase value to their shareholders. This isn't the late 1990's where you can create a technology company based on the idea of giving things away for free and expect that to fly.

    Part of that responsiblity is to treat their customers right. Given a limited timeline, and the need to provide the most value possible, they chose to send an alert to some of their (presumably) biggest and best customers. I believe that Symantec worked in a very appropriate manner in this case.

    Note: I didn't read the article. I did read quite a few articles yesterday when the link was posted on hardocp.com however.
    • by Anonymous Coward
      Symantec does not have a moral responsibility to inform the public. Symantec isn't a publicly funded corporation, or a government agency.

      I think you're confusing moral responsibility and legal responsibility.
  • by RedSynapse ( 90206 ) on Friday February 14, 2003 @12:41PM (#5303258)
    At the University where I work our entire network was down for about 6 hours due to Slammer/Sapphire. This is an institution with 30,000 students and Oh happy coincidence, it was the last day to drop courses without academic penalty - which could only be done online. The problem is that each department, faculty, club, etc. runs their own servers so what ends up happening is Professor so-and-so's graduate student's cousin who once started studying for the A+ exam becomes the system administrator. Security Bulletin? Patch? Hotfix? What's that?

    Network Operations had to manually disconnect MANY servers which were just saturating the network. After doing this we got calls days later from people saying "My students are complaining that they can't access my server, any idea why this is?" So if you're expecting that every server has some crack squad of administrators scouring the net to make sure it's updated to the fullest - well sorry, it takes some people days to notice that their server isn't even on the network anymore.

    I mean you'd think people would turn on CNN and see SQL WORM RAVAGES INTERNET, and think, gee don't I have a machine running an SQL server, maybe I should check up on that? But no.

    The reality is that there was a patch available for this months before and nobody bothered to install it, I don't think a few more hours would have made much of a difference at least where I work.

  • Wake up people! (Score:3, Insightful)

    by FrankieBoy ( 452356 ) on Friday February 14, 2003 @01:43PM (#5303908)
    Who do you think is writing these sophisticated viruses and worms? Do really believe that the hundreds of new viruses that get released every month is because of some bored hackers who have nothing better to do? There are many stories of "Men-in-Black" style approaches to out-of-work developers in countries with a large high tech community. Someone shows up at your door with a big bag of money and no identity and asks you to write a particular type of virus, you might be inclined to take the money and not ask too many questions. It's called "Creating the Market".

"I've finally learned what `upward compatible' means. It means we get to keep all our old mistakes." -- Dennie van Tassel

Working...