Virus Knocks Out U.S. Visa Approval System
GillBates0 writes "According to this story and many others, the State Department's electronic system for checking every visa applicant for terrorist or criminal history failed worldwide late Tuesday because of a computer virus, leaving the U.S. government unable to issue visas. The virus crippled the department's Consular Lookout and Support System, known as CLASS, which contains, among others, names of at least 78,000 suspected terrorists. It was unclear which computer virus might have affected the system. But a separate message sent to embassies and consular offices late Tuesday warned that the Welchia virus had been detected in one facility. Welchia is an aggressive infection unleashed last month that exploits a software flaw in recent versions of Microsoft Windows."
Does the state dept. read /. ??? NO (Score:3, Insightful)
1.) Use a firewall to block unnecessary access from the external network
2.) Patch Windows often
3.) Use anti-virus software and update the definitions often
I would have thought that the State Department would at least do these minimums (to keep its systems "safe from evil-doers"), but I guess you can't even expect that much from government work.
Re:Does the state dept. read /. ??? NO (Score:3, Funny)
Re:Does the state dept. read /. ??? NO (Score:2, Insightful)
Should be:
2.) Use Linux.
Re:Does the state dept. read /. ??? NO (Score:2, Insightful)
The answer, whether it's windows, linux, unix, bsd, plan 9, or even a commodore 64, is patch early, patch often, test, and pray.
Re:Does the state dept. read /. ??? MAYBE (Score:2, Insightful)
Re:Does the state dept. read /. ??? MAYBE (Score:2, Insightful)
Ultimate control hinders flexibility. If you want to fill out your application for a visa, send it by mail which will be handled by hundreds of people, to receive your visa which will be mailed to you, again handled by hundreds of people, rather than create a network which will allow someone to remotely access the information that they need in an environment more t
Re:Does the state dept. read /. ??? NO (Score:5, Insightful)
Re:Does the state dept. read /. ??? NO (Score:5, Insightful)
Day after day, example after example, the world is inundated with successful attacks.
We can say, "Well, people are stupid... They should know not to click on attachments." The reality is, though, that "1 in 7" users have problems with the power button.
There is no future security in blaming the end user. It's high time that we look at the systems that allow this type of invasion, replace where necessary, and train the users accordingly.
The talk of cost becomes irrelevant when recovery costs are totalled. Just wait for the first wrongful death suit revolving around an insecure system failure.
If we insist that users are accountable, we must also demand that the corporate citizens are accountable.
Re:Does the state dept. read /. ??? NO (Score:3, Insightful)
What systems don't allow this? Paid attention to the recent bugs in OSS apps? It is the "users" - read admin's responsibility to keep up with these things. No system is immune.
Re:Does the state dept. read /. ??? NO (Score:5, Insightful)
But systems are not equally buggy. I discuss this here. [slashdot.org] No design and no development method is perfect. However, it is incontrovertible that some designs and some development methods yield software that fails less often; that fails less severely; and that fails more recoverably. We can inspect systems' behavior and say that for particular purposes, certain software is better than others. We can say this on the basis of technical facts, not merely marketing claims and promises of "support" and "warranty". We can also say it on the basis of historical evidence -- some systems have failed more often and more severely than others.
A Microsoft Exchange mail server stores users' mail in a binary database, in a proprietary format. A Postfix or Qmail mail server stores users' mail in text files in a simple directory structure. We can make a reasonable (and correct!) prediction that in case of failure, it is easier to recover the content of mail from a Postfix or Qmail system than from Exchange. And, indeed, this is borne out by the experience of administrators: a maildir can get into an inconsistent state, but it's much easier to recover it than to recover an Exchange mail database.
(Note that I'm not describing frequency of failure, but rather severity. We can also make predictions about the former, of course ....)
Security holes are, from an engineering standpoint, simply another kind of failure. We can look at design choices such as privilege separation and chrooting -- applications of the Principle of Least Privilege -- and say that some systems will fail worse than others. A program that can't access files outside of /home/myprog cannot scribble on the kernel in /boot/vmlinuz. A Web server that runs as Administrator on Windows 2000 has opportunities to fail worse than a Web server that runs as www-data on Solaris.
Simply put, there exist objective facts about security design, just as there exist objective facts about, say, civil engineering. Why doesn't the city construct water mains out of balsa wood and bridges out of papier-mache? It simply doesn't work very well. :)
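The least-privilege argument in the comment above, worked through as an added example (not part of the original comment): a simplified model of Unix owner/group/other write checks and a chroot jail, run over a constructed file table, listing what a compromised process could overwrite. The uids, gids, modes and every path other than /boot/vmlinuz and /home/myprog are assumptions; directory search permissions, ACLs, capabilities and read-only mounts are ignored.

```python
"""Added example: which files could a compromised process overwrite?"""
import posixpath
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ROOT_UID = 0


@dataclass(frozen=True)
class FileEntry:
    path: str
    owner: int
    group: int
    mode: int  # Unix permission bits, e.g. 0o644


@dataclass(frozen=True)
class Process:
    name: str
    uid: int
    gids: FrozenSet[int]
    jail: Optional[str] = None  # chroot directory, if the process is confined


# Constructed file table (ids are made up: 33 = www-data, 1001 = myprog).
FILES = [
    FileEntry("/boot/vmlinuz", 0, 0, 0o644),
    FileEntry("/etc/passwd", 0, 0, 0o644),
    FileEntry("/var/www/index.html", 0, 33, 0o664),
    FileEntry("/var/log/httpd/access.log", 33, 33, 0o640),
    FileEntry("/tmp/scratch", 1000, 1000, 0o666),
    FileEntry("/home/myprog/data/state.db", 1001, 1001, 0o600),
]

# Constructed processes: the same web server run two ways, and a jailed program.
WEB_AS_ROOT = Process("httpd (root)", ROOT_UID, frozenset({0}))
WEB_AS_WWW_DATA = Process("httpd (www-data)", 33, frozenset({33}))
MYPROG_UNJAILED = Process("myprog", 1001, frozenset({1001}))
MYPROG_JAILED = Process("myprog (chroot)", 1001, frozenset({1001}),
                        jail="/home/myprog")


def reachable(proc: Process, path: str) -> bool:
    """Can the process name this path at all?"""
    # chroot does not confine uid 0, so a jailed root process is treated
    # as unconfined: drop privileges as well as chrooting.
    if proc.jail is None or proc.uid == ROOT_UID:
        return True
    jail = posixpath.normpath(proc.jail)
    target = posixpath.normpath(path)
    return target == jail or target.startswith(jail.rstrip("/") + "/")


def can_write(proc: Process, entry: FileEntry) -> bool:
    """Classic Unix check: exactly one of owner/group/other applies."""
    if proc.uid == ROOT_UID:
        return True  # root bypasses the mode bits entirely
    if proc.uid == entry.owner:
        bits = entry.mode >> 6
    elif entry.group in proc.gids:
        bits = entry.mode >> 3
    else:
        bits = entry.mode
    return bool(bits & 0o2)


def blast_radius(proc: Process, files: List[FileEntry] = FILES) -> List[str]:
    """Paths the process could overwrite if it were taken over."""
    return sorted(f.path for f in files
                  if reachable(proc, f.path) and can_write(proc, f))


if __name__ == "__main__":
    for proc in (WEB_AS_ROOT, WEB_AS_WWW_DATA, MYPROG_UNJAILED, MYPROG_JAILED):
        print(f"{proc.name}:")
        for path in blast_radius(proc):
            print(f"  {path}")
```
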
Re:Does the state dept. read /. ??? NO (Score:5, Insightful)
You bring up a good point here. Civil Engineers are licensed professionals who are held legally accountable to follow certain well known design standards. Software Engineers on the other hand are unlicensed and expected to ensure that their designs are not well known to anyone other than their employers.
Re:Does the state dept. read /. ??? NO (Score:3, Funny)
It's so true.
*sniff, wipes tear*
I love perl.
Re:Does the state dept. read /. ??? NO (Score:3, Interesting)
Re:Does the state dept. read /. ??? NO (Score:3, Insightful)
Or play "It's a feature, not a bug". Let alone consider unstructured "spaghetti" code a good thing (whilst describing the result as "integration".)
Re:Does the state dept. read /. ??? NO (Score:3, Funny)
I once worked for an engineer who was very fond of quoting that, by definition, 50% of the population has an IQ below 100.
Re:Does the state dept. read /. ??? NO (Score:3, Funny)
What an amazing prediction of the 2000 Presidential election!
Re:Does the state dept. read /. ??? NO (Score:3, Insightful)
True, but remember that HALF of the population has below average common sense or decision making ability. =)
Re:Does the state dept. read /. ??? NO (Score:5, Funny)
4.) vi is better than e-macs
5.) In Soviet Russia, you attack Virus!
6.) People should patch their boxes bec.#J^@ATDT[NO CARRIER]
7.) Don't use FreeBSD because it's dead/dying.
8.) Apple is awesome. But I can't afford one.
9.) Imagine a Beowolf cluster of those!
10.) Patents, RIAA, Spooks, Windoze, Verisign, Politician, Spalling Checkirs; all bad.
11.) Ogg, Apple, *nix, RMS, EFF; all good.
12.) ???
13.) Profit!
PS. Mod's, go away. I'm just having fun. Don't put it up or down you fu%#d2DHATDT[NO CARRIER]
Re:Does the state dept. read /. ??? NO (Score:3, Funny)
Re:Does the state dept. read /. ??? NO (Score:3, Funny)
14) Hot grits!
15) Smoking crack for 699$
16) It's thursday, who do we hate today?
17) Imagine the implications for the pr0n industry!
18) Don't forget insensitive clod, you insensitive clod!
19) You can mod me down if you want, but....
20) And for the math impaired...... 1.6miles = 1km
21) Slashdotted? Here's the google mirror.
22) But does it run linux?
Re:Does the state dept. read /. ??? NO (Score:5, Insightful)
Really this doesn't work as well as you'd think. If you have laptop users on your network, which nearly everyone does, it's analogous to wearing a plastic bubble suit but having unprotected sex with strangers every weekday morning.
My office has about 60 users in it and is protected by PIX firewalls and techdata's email virus scanner. We have about 20 Windows servers in our server room (this doesn't include the many dozens of servers running Linux or Solaris, or the machines at one of our 3 colo sites), and we patch them all about once a month. Office workstations are forced to patch themselves weekly through a distributed Windowsupdate. So yeah, this should be pretty safe, right?
Well, about 3 times per week some user brings in a laptop, plugs it in to the LAN, and we get some new worm running around the office LAN.
BubbleBoy (Score:2)
That explains why he's always smiling.
On a serious note, how about either not allowing in laptops or mandatory auto-update on them before allowing them onto the network? Or perhaps keep them on their own node with anti-virus scanners between it and the main network?
Re:BubbleBoy (Score:3, Interesting)
That's why firewalls are an overrated security device.
Any decently-large organization should assume that evil systems will make it onto the local network. Maybe a laptop is trojaned while it's at home. Maybe the janitor is bribed to leave a PDA in an unused jack behind a shelf. Or most likely, a regular employee wants to escalate her privileges to make mischief (most "hacks" are insider jobs).
However the a
Re:Does the state dept. read /. ??? NO (Score:5, Insightful)
They probably do. Then a user VPNs in with an infected machine against policy, or brings a laptop in and plugs it in. This happens at my work, too.
> 2.) Patch Windows often
Define "often", please. It could be once a month, once a quarter. I'm sure they have change control plans.
> 3.) Use anti-virus software and update the definitions often
See above.
> I would have thought that the State Department would at least do these minimums (to keep its systems "safe from evil-doers"), but I guess you can't even expect that much from government work.
No, it's just that it's easier to assume that you are smarter than them and assume you know their network and systems.
Re:Does the state dept. read /. ??? NO (Score:3, Informative)
> Define "often", please. It could be once a month, once a quarter. I'm sure they have change control plans.
I've been using Norton Corporate Edition on my networks quite successfully for some time now. A server is config'd to be the update server and all the clients are managed from it. You can push updates to all the clients either manually or schedule them to update automatically. You can even force clients that come on the network to accept
Re:Does the state dept. read /. ??? NO (Score:3, Insightful)
Re:Does the state dept. read /. ??? NO (Score:3, Informative)
Windows Means Work (Score:5, Insightful)
Re:Windows Means Work (Score:4, Insightful)
And it's not just the crappy software (Score:3, Interesting)
If you could patch non-kernel portions of the OS without rebooting, it would be a lot easier on the average Windows admin who has to argue for downtime with the internal customers.
And while you're at it, let's not install every application in the OS every time.
Solution: Ban Windows from the Internet (Score:3, Interesting)
Even if a perfectly secure OS existed (Score:2, Interesting)
Re:Windows Means Work (Score:4, Insightful)
What you mean is "Windows Means Job Security".
Think of it from the other side of the fence; if you weren't running Windows on every desktop you wouldn't need your 2+/week meetings to discuss the latest viruses and trojans.
Of course that would mean your IT budgets would be cut and people laid off as your group became more productive with less.
We can't have that now, can we?
Re:Windows Means Work (Score:2)
> that as long as Microsoft keeps making, er, crappy software, and as long as we still
> have crackers writing virii and trojans, I don't have to worry about losing my job.
Shouldn't that be: "As long as windows keeps providing us with fixes to the exploits, I'll be ok. And as long as we can sweep the other problems under the rug, I don't have to worry about losing my job"
Clearly the Kofi Annan of Slashdot commenters (Score:5, Funny)
From the parent comment: "... Microsoft keeps making, er, crappy software"
I just want to say that I appreciate the tactfulness, sensitivity, restraint, and diplomacy of that remark.
Re:Windows Means Work (Score:5, Informative)
Re:Windows Means Work (Score:3, Informative)
Re:Windows Means Work (Score:2)
In two words, the argument is "resource leveling".
Specifically, business is a pile of cash, and these viruses spread the money around in the form of security jobs.
Unfortunately, you've flattened your pile of cash, and productive things you could have done simply go wanting.
Widening the scale, M$ itself is a right colossal pile of cash, and the rest of the world is tired of heaping money thereon.
How many more episodes of "Virus of the Week" does Redmond think it can stand?
Re:Windows Means Work (Score:3, Insightful)
This is analogous to saying that poor house building regulations and standards means more jobs for builders, plasterers, repairmen, plumbers etc.
It does mean more jobs, however more jobs != a good thing - you're using the wrong metrics.
Re:Windows Means Work (Score:2)
So does *NIX (Score:2)
Rus
Re:Windows Means (meaningless) Work (Score:3, Interesting)
I would really much rather design and build secure network systems than apply bandages to existing hopeless systems. If a system is available that resists viruses (like BSD or Linux), that might be a good place to start...
Oh, wait, I do have that job! And I bet I am having more fun than you. One thing is certain, my employer is not flushing as much money down the toilet as yours.
One day my j
Why why why? (Score:2, Insightful)
Why is such an important system run on Windows? This isn't an "MS sux0r5, install Linux" rant, they should use the proper systems for the job. If that tool is some open source stuff or closed source then so be it but you can't tell me that this database can only be run on Windows.
Of course "When your only tool is a hammer, every problem starts to look like a nail."
Re:Why why why? (Score:2, Informative)
"...but you can't tell me that this database can only be run on Windows"
Remember, there is no "Microsoft Access" for Linux yet
Re: (Score:3, Informative)
Damn terrorists! (Score:5, Funny)
Re:Damn terrorists! (Score:5, Insightful)
I thought the U.S.A. P.A.T.R.I.O.T act made everyone in the US a suspected terrorist. That should read "300,000,000+ suspected terrorists".
Did you read that article [politechbot.com] on politechbot.com that they wouldn't let some guy wearing a little button that read "Suspected terrorist" fly on an airplane?
Re:Damn terrorists! (Score:3, Interesting)
Some guy being John Gilmore:
http://freetotravel.org/terrorist.html [freetotravel.org]
You're right: there are 300 million suspected terrorists. But their names don't need to be stored - they took a hint from verisign, and just used a wildcard.
SELECT * FROM americans WHERE police_badge IS NULL;
Priceless! (Score:4, Funny)
Oh, *that* VISA.... (Score:5, Funny)
Damn! (Score:2)
78.000 suspected terrorists? (Score:3, Interesting)
Re:78.000 suspected terrorists? (Score:3)
Well, if Steven owns ten guns and threatens a government official, that's equivalent to two terrorists (5 guns / threat == 1 terrorist).
Please call the MPAA [mpaa.org] if you want to learn more about this new branch of mathematics.
Re:78.000 suspected terrorists? (Score:3, Funny)
<soup="nazi"> NO VISA FOR YOU!!! </soup>
Re:78.000 suspected terrorists? (Score:2, Funny)
It's only 78.
The computer added the precision on so if the terrorists blow themselves up they can count the pieces.
Re:78.000 suspected terrorists? (Score:3, Insightful)
Re:78.000 suspected terrorists? (Score:3, Informative)
Seems that when someone applies for a visa, gets checked out and denied, they get added to CLASS.
Shut down on purpose, not failed.... (Score:5, Interesting)
Re:Shut down on purpose, not failed.... (Score:5, Insightful)
Not by much, since both have the effect of putting a stake through the heart of user productivity for however long it takes to exorcise the virus from all the systems.
~Philly
Re:Shut down on purpose, not failed.... (Score:2)
Uh..... If the network is shut down to prevent infection, then you have fewer PCs on which to do a full re-format and re-install of the OS. Even with a drive image, this takes a long time. This means more work for the IT folks. So even if you left the network up to let the visa-processing folks do their work, you'd be making more work fo
Re:Shut down on purpose, not failed.... (Score:2)
When is the Gov't gonna learn (Score:4, Interesting)
And BTW, firewalls WON'T in and of themselves stop this kind of attack. Sure, firewalls are your first line of defense, but all it takes is someone that has a notebook that is infected from home, a business trip or somewhere ELSE to bring it as a 'trusted' device on your clean network and BOINK, you are infected internally.
How about: When are YOU gonna learn? (Score:2, Interesting)
Want to sue over buggy code? (Score:5, Interesting)
Actually, Business Week had an article [businessweek.com] about that a couple days ago, which I submitted last night (it was rejected). The author closed with (paraphrasing) "Maybe it's time some big customers refused to buy software without some sort of guarantee."
These last few worms and e-mail viruses seem to have become the collective last straw. The unwashed masses are finally beginning to grouse about buggy software-- the tide is slowly beginning to turn against onerous "no liability" EULAs coupled to expensive software that is critical to business.
A few years ago, Microsoft was very quick to whine that any delay in the release of Windows 98 forced on them by the government would hurt the U.S. economy and/or bring about the end of the world as we know it. Well, what about all these businesses who have to eat the costs of cleanup and lost productivity every time there's another Windows worm? Nooooo, that doesn't hurt the economy at all, does it?
~Philly
Firewalls?? (Score:3, Interesting)
Honestly, issuing visas is just way too important to trust to a closed OS with known security flaws, with at least one major one a month.
MS is so entrenched in the gov now that it's kind of scary that one day an order might come down to homeland security that some town is nothing but terrorists and should be arrested, then taken to Cuba. Meanwhile some hacker in the assend of the planet writing a virus to gain entry to the gov systems is laughing his ass off at Ma and Pa being taken to a Marine base in another country.
Re:Firewalls?? (Score:3, Insightful)
Re:Firewalls?? (Score:2, Interesting)
CLASS isn't an access database running on a windows server. It's running on big iron, probably Oracle, or perhaps not even a RDBMS at all, but a custom data store solution.
Anyhow, the virus didn't take the system down. They took the system down to inspect the network.
If one box on the network got r00t3d, then a r337 h4x0r could use it to query the system.
This is just a bit of better-safe-than-sorry administration. It really has nothing to do with Windows, except a line about a completely
Re:Firewalls?? (Score:2)
In so-called mission-critical networks, you don't always push windows updates to all the systems: sometimes you just can't trust the patch. In these cases many network admins will toss up a strong firewall to protect the internal machines.
But what happens when someone brings in their home laptop with a virus on it? Well... you bypass the firewall and expose the internal, unpatched
Windows (Score:3, Funny)
When you don't patch up, the terrorists win... (Score:2)
Why not have a PSA for this spammed out to the nation for a couple months?
Though I suppose it could be disqualified as the advertised danger apparently actually exists.
Click Click Click! (Score:2)
78 THOUSAND suspected terrorists? (Score:2, Insightful)
If the US government actually cared about human lives, it would be spending this type of attention on automobile safety (50k dead a year in US) or malaria (>1 million dead a year world
Re:78 THOUSAND suspected terrorists? (Score:5, Funny)
Re:78 THOUSAND suspected terrorists? (Score:2, Interesting)
Paragraph 2: Car Safety. Answer is people keep getting bigger and bigger vehicles. Plus that number is mostly people who shouldn't have been in the gene pool anyway. Malaria. Don't live in a jungle. Cancer. Too bad we all get it. Stop smoking, stop fucking, stop eating bad foods. Easy.
78 THOUSAND out of 6.3 BILLION (Score:2)
Re:78 THOUSAND suspected terrorists? (Score:5, Funny)
Ohp - now it's 78,001.
Re:78 THOUSAND suspected terrorists? (Score:5, Insightful)
Not even remotely true, unless you only count the money spent by the federal government. There are billions spent every day on cancer research by companies big and small, dwarfing what is spent chasing terrorists.
It's like that year at the Oscars when all those wealthy actors stood up and complained that the US doesn't spend enough on the arts.
Anyway, read the Preamble.... "in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity"
No mention of curing cancer, or PBS documentaries, or midnight basketball, or time off from work to take your dog to the vet. Those things are all reasonable, but they're not the primary responsibility of government.
Note, too, the difference in wording: "PROVIDE for the common defense, PROMOTE the general welfare."
Re:Rights vs Citizen rights (Score:4, Insightful)
We have accepted standards of treatment for people we are actively at war with. People who have no apparent hostile intent should get treated at least as well.
While I agree with you that there needs to be an accepted standard of treatment for terrorist actions, similar to the Geneva Accord for wartime, the sad fact is that such a standard does not, at this time, exist.
And these people aren't being treated unfairly; we're not letting them come to the United States without explaining terrorist connections. The United States doesn't belong to the world, it belongs to us, and we can say who we do and do not want to let in.
While I do feel that there should be some oversight over who gets put on this list and how they are selected, that the list should be made publicly available, and that there should be an appeal process to be taken off the list if necessary, none of those is an inalienable right.
I don't have a right to come into your home at any time I like. I can knock on your door and ask if I can come into your home. But if we don't really know each other, and you've seen me in the neighborhood a couple times with some known violent criminals, you would certainly think twice about inviting me in.
I don't see how the United States implementing a similar policy is any different.
microsoft (Score:2, Flamebait)
I assumed that ppl who run critical services were not from that class of "Internet guys who just want to check their email and browse the web, and don't even know what a patch is".
So, my question is: Why in hell does anybody use a system that has a track record of so many bugs, viruses, crashes, etc.?
I see this more and more: A "breakthrough" is made by some stupid CEO in a company and in a matter of weeks everything is run under windows. Why? because it integrates be
Re:microsoft (Score:3, Informative)
Most government facilities I've been to use Windows on desktops, and big iron unix servers in the back rooms. Big mainframes that have been there since the early 80s.
There's no way this system with close to 30 million names runs on SQL Server, MySQL, PostgreSQL or any other mid-classed database system.
They shut off the network to make sure it was clean, because one infected terminal could potentially leak a whole lot of information to the wrong people.
Re:microsoft (Score:2)
well let's see, I assume you're referring to Linux? For bugs, OpenSSH has had what? 3 releases in a week to fix bugs? How bout that linux kernel that fscked your partitions on umounting, I'm sure the list goes on, but my point is, there ISN'T a system which doesn't have a track record of bugs.
My sister works there. (Score:5, Informative)
Re:My sister works there. (Score:2, Interesting)
Doesn't the state department realize some people, oth
Trusted Computing (Score:2, Insightful)
Eventually MS will start pushing their Trusted Computing bullshit as the ultimate solution for blocking attacks on their own flawed products.
Oh and it will keep those nasty terrorist guys out too! Did we (MS) mention terrorists. Oh we did ok...
Heads should roll... (Score:5, Troll)
Re:Heads should roll... (Score:3, Insightful)
Just to let you know, we use Exchange, and I think all we did about the virus e-mails was scratch our head and shrug. Never had a single e-mail borne infection...
Though that didn't stop a certain unnamed director from making us send a memo out explaining why people were getting weird e-mails and why the return address was wrong etc...
In THIS case, the article mentions W
And people wonder.... (Score:3, Interesting)
Unix (whatever your favorite flavor - Linux, Solaris, HPUX, even OSX, etc.) was designed from the ground up to work in a networked environment. That at least gives you a fighting chance of maintaining some level of security provided you or your MIS department set the system up right (like... don't use a default root password).
If Microsoft wants to save their market share, they should start looking into a Unix-type OS. Either port BSD (they have anyway in their TCPIP stacks) or buy someone out (um, SCO maybe - or maybe I'm psychic?).
Stop trying to push a derivative of WinNT which came from MS OS/2 launched back in the late 80's.
Sorry to rant on so much and restate the obvious, but geez. How many times before people wise up? Every time some script kiddie throws together some crap and unleashes it, corporations and governments get clobbered.
Jail time for virus authors isn't going to solve the problem, it's time to attack it at the source: Windows.
Welchia...an aggressive system patcher (Score:2)
I guess all that aggressive system patching is what brought down the visa system. At least no
monocultures suck (Score:3, Interesting)
It would be a lot harder for stuff like this to happen if they would:
78,000 suspected terrorists ? (Score:2, Funny)
no real information in article (Score:2)
It was unclear which computer virus might have affected the system. But a separate message sent to embassies and consular offices late Tuesday warned that the "Welchia" virus had been detected in one facility. Welchia is an aggressive infection unleashed last month that exploits a software flaw in recent versions of Microsoft Corp.'s Windows software.
T
So does this include... (Score:2)
US State Dept has no CLASS? (Score:2, Funny)
Open Source Theory (Score:2, Insightful)
Immediate term bashing aside
The reason open source is supposed to be better is that when lots more people (like 15% market share worth) run linux, then there will be more resources being used to update and error check open source software - theoretically. Comparing Linux with a small market share to windows with a large market share in terms of bugs is not appropriate, and considering the paid resources available (but maybe not used?) to Microsoft, it is amazing that open source even compares.
Not to k
First Windows at Nuclear Facilities and now this?! (Score:2)
It wasn't a computer virus! (Score:3, Insightful)
Call it what it is: A Microsoft Windows virus. Maybe if the media keeps pointing out what us /.ers already know, the general public will get it through their heads that their choice of OS makes a difference.
Demand some accountability from the vendors. (Score:3, Insightful)
I don't buy this bullsh*t people keep spreading that it's impossible. It ain't, just as you can build secure bridges and houses you can make software that is much more secure than today's crap.
There hasn't been a strong enough market for secure software and it's up to the consumers and govts to start demanding better software.
Even open source could use a kick in the butt to get their act together.
Compare vsftpd to some other random ftpd and you'll get my drift. Security is about design and not about being bugfree.
Re:Here we go (Score:2)
You know, in the time the slashdot system calculates how long it's been since I submitted my last comment, it could have submitted this comment instead of complaining about me being too quick.
Re:Here we go (Score:3, Interesting)
Instead of wasting time being completely down, take the time to patch these systems (either with distributed patching or even individuals taking the time to patch EACH machine -- oh the horror).
It's much better than not being able to issue Visas or do any other work while you have to keep your PC powered down until it is certified clean by IT.
Re:DOH! DOH! (Score:2)