An Anonymous Reader writes "If you recently set up a new PC with Windows XP, or if you had the pleasure to do a 'reinstall from scratch,' you probably found that many XP systems as they are shipped today are not patched against common issues like Blaster. Given that these worms are still going strong, it doesn't take long for a new system to be infected. In particular, if you have to connect it to the Internet to download all the patches.
Well, help is in sight. The SANS Institute released a paper entitled Windows XP: Surviving the First Day." (Read on below.)
Update: 12/24 17:59 GMT by T: Thanks to reader Bill Curnow for the updated link.
Update: 12/24 19:15 GMT by T: Besides the workaround suggested below, Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether.
"With many screen shots, it will walk you through the procedure to enable the XP firewall and downloading the patches without getting infected while doing so. This could be the (free) stocking stuffer that may save Christmas for your folks ;-). Given that it's probably too late now to start downloading your favorite Linux distro."
But if you do have the time and bandwidth, and you're stuck on Windows, a nice live-CD distro like Knoppix or Mepis means you can download patches without racing the worms, and install your patches while offline. (And if you have time to download 50MB, you have time to grab Damn Small Linux.)
Bad link. (Score:5, Informative)
Check those links, people.
Re:Bad link. (Score:5, Informative)
Rus
Re:Bad link. (Score:5, Funny)
it's been clobbered by blaster.
Re:Bad link. (Score:3, Informative)
Easy (Score:5, Informative)
Right click on your internet connection, choose "Properties"
Click "Advanced"
Click the box to turn on the firewall
Voila. You are safe from Blaster.
As an added precaution, deselect "Client for Microsoft Networks" from all interfaces except any you really need it on.
Re:Easy Alternative (Score:4, Funny)
Re:Easy Alternative (Score:5, Interesting)
Re:Easy Alternative (Score:3, Funny)
So what you're saying is, when you're getting screwed by Microsoft, and they don't have the common courtesy to give you a reach around; I should go ahead and give myself one?
Seems like a great idea to me! Thanks
Re:Easy Alternative (Score:5, Informative)
What, you're saying that not a single Linux web browser supports cookies? A "data-mining" cookie is just a cookie to track you as you browse the web - one set by an advertising site such as doubleclick. They work just as well whatever OS you're running.
6. Use your new shiny computer as you're pleased
Well, y'see, it pleases me to run games like Dungeon Siege, Postal 2, Warcraft 3, and a whole host of others that don't have native Linux versions (don't mention Wine, please). It also pleases me to write code in C# (again, forget mono, it's not nearly there yet). Until Linux provides me the means to do these things, it'll always be my secondary OS, Windows will be my primary, and "advice" to secure my PC by wiping Windows and installing Linux will be treated with the contempt that it deserves.
However, none of those bugs/holes will expose your PC to worms such as Blaster
You are of course aware that the first internet-borne worm utilised a buffer overflow in sendmail to infect computers? Don't go getting over-confident - true, I can't think of any Linux-targetting worms at the moment, but it's been done before, and it will be done again.
Re:Easy Alternative (Score:4, Insightful)
Why do people make statements such as this? We all know that mods can be biased, the system is imperfect, and karma really doesn't matter. What does matter is having the ability to state one's opinions/beliefs and being able to defend them.
(tig)
Re:Easy Alternative (Score:3, Funny)
Well, the only way to ensure not being marked as a troll is to tell the mods to go ahead and mark them as troll.
Re:Easy (Score:3, Informative)
Not sure about Blaster but, that will still leave you open to a whole host of worms, viruses and exploits; many of which don't have patches/fixes available. ZoneAlarm [zonelabs.com] (free as in beer) seems to consistently come out as the best firewall for Home Windows PCs in labs/test/reviews. I've been running it (on a number of different PCs) for quite a while now (over a year) and the only problem I've ever had with it was because one of the services it blocked was an RPC service (pretty sensible thing to block from
Re:Easy (Score:3, Interesting)
Granted, this is on a work machine where I'm not allowed to change the settings, so maybe it can be fixed with twiddling, but I find the behavior to be extremely annoying. I much prefer ipfw on my FreeBSD box. Just my $0.02US
Re:Easy (Score:3, Insightful)
XP firewall still leaves a large number of exploitable ports open, like much of Microsoft's product range it operates on the basis of closing the stable door after the horse has bolted (i.e. fix the problem after it has already caused a problem rather than trying to anticipate problems and fix them before they go wild). ZoneAlarm Pro (the paid-for version) does have an antivirus function but it is true that the basic package does not detect viruses, neither will XP firewall. It will however block those t
Re:Better yet! (Score:2)
lynx -dump "http://slashdot.org/comments.pl?sid=90474&cid=\
7803746" | sed "s/download.fedora.redhat.com\/pub\/fedora\
\/linux\/core\/1\/i386\/iso/www.gentoo.org/g" | more
(Try it...if you cut-and-paste it, it works!)
The title should have been.. (Score:5, Funny)
something wrong? (Score:5, Informative)
Try this instead [sans.org].
http://www.sans.org/rr/papers/index.php?id=1298
And they say Slashdot hates Windows (Score:5, Informative)
I usually recommend a hardware firewall, in particular the little blue Linksys firewalls. Home users can hook up their ADSL connection, plug in the firewall, and then their PC. Then as long as they don't download email until their system is patched and anti-virus is updated, they're relatively safe from most malware.
This year I've also begun recommending anti-spyware as well. It's amazing how ubiquitous that stuff's become over the past year.
Re:And they say Slashdot hates Windows (Score:3, Informative)
Except for the folks on dialup. And don't say you can't get a worm from dialup. The payloads are really tiny - it doesn't take that long on 56K. I have personally seen two computers infec
Re:And they say Slashdot hates Windows (Score:3, Informative)
Re:And they say Slashdot hates Windows (Score:2)
Re:And they say Slashdot hates Windows (Score:3, Informative)
Re:And they say Slashdot hates Windows (Score:3, Informative)
For what little it's worth, I've run a variety of Windows versions on my home machine over the last 6 years and have never been compromised. I currently run a software firewall on this box, and I'm not even being portscanned, despite having an ADSL connection running pretty-much 14 or 15 hours a day, every day.
Re:And they say Slashdot hates Windows (Score:3, Informative)
" Update: 12/24 19:15 GMT by T: Besides the workaround suggested below, Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether."
They couldn't let a not-entirely-anti-MS article go, without linking to an unrelated, "run linux!" article.
Site slow, here's some quick n' dirty instructions (Score:5, Informative)
Obviously, this should be done before you plug the machine into any kind of internet connection.
-Go to Start and then Control Panel.
-Once in Control Panel, choose Network Connections
-Right click on your connection of choice (if there's more than one, do it for all of them) and choose Properties.
-Go to the advanced tab and check the Firewall check box.
If you want to know more about how to configure it and modify the settings, click the link below that checkbox for directions.
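An added example, not part of the post above or of the SANS paper: a small Python check over `netstat -an` output that lists which services a fresh install has listening on non-loopback addresses, which is what the firewall checkbox is shielding. The sample output and the port notes (135/tcp is the RPC service Blaster attacked) are supplied here and are not taken from the thread.

```python
import ipaddress

# Constructed sample of `netstat -an` output from an unpatched XP-era machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:123          *:*
  UDP    192.168.1.10:137       *:*
"""

# Notes for ports worth calling out (general knowledge, not from the thread).
PORT_NOTES = {
    ("TCP", 135): "RPC endpoint mapper, the service Blaster attacked",
    ("TCP", 139): "NetBIOS session service (file sharing)",
    ("TCP", 445): "SMB (file sharing)",
    ("UDP", 137): "NetBIOS name service",
}


def parse_netstat(text):
    """Yield (proto, ip, port, state) for every socket line in the output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        ip, _, port = fields[1].rpartition(":")
        if not port.isdigit():
            continue
        # UDP lines have no State column.
        state = fields[3] if fields[0] == "TCP" and len(fields) > 3 else ""
        yield fields[0], ip.strip("[]"), int(port), state


def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # unparseable address: report it rather than hide it


def exposed_listeners(text):
    """Return sorted (proto, port, ip, note) for sockets reachable off-host."""
    found = set()
    for proto, ip, port, state in parse_netstat(text):
        if proto == "TCP" and state != "LISTENING":
            continue  # established or outbound connections are not listeners
        if is_loopback(ip):
            continue  # bound to 127.0.0.1 or ::1, not reachable from the network
        found.add((proto, port, ip, PORT_NOTES.get((proto, port), "")))
    return sorted(found)


def blaster_port_exposed(text):
    """True if TCP 135 is listening on a non-loopback address."""
    return any(p == "TCP" and port == 135
               for p, port, _, _ in exposed_listeners(text))


if __name__ == "__main__":
    for proto, port, ip, note in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto:<4}{port:<6}{ip:<16}{note}")
    print("TCP 135 exposed:", blaster_port_exposed(SAMPLE_NETSTAT))
```

`netstat` lists listening sockets whether or not a firewall is filtering them, so the result is the set of services that become reachable the moment the firewall is switched off, not proof that they are reachable now.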
wormies worry me (Score:3, Funny)
Re:wormies worry me (Score:3, Funny)
Re:wormies worry me (Score:5, Funny)
The nice thing about flaming somebody over the internet is that you don't have to have a big dick to tell somebody they have a small one.
Re:wormies worry me (Score:3, Funny)
-If
Let's not forget... (Score:5, Informative)
Chicken and the egg (Score:5, Insightful)
Perhaps all these DSL/WiFi combo boxes will be a blessing in disguise because they all come with a firewall (on by default, with Cisco's Linksys ones
Simon
[Somewhat OT] "Not up to linux yet" (Score:3, Insightful)
c'mon, we live in a society where people can't figure out how to set the time on a VCR. You think they're going to take the time to 'learn' an OS? Most people are happy with a 4 year old system that lets them check their e-mail, save the pictures people send them, view web pages, and maybe word processing and a spreadsheet.
Now, to keep this from being completely off topic
Re:[Somewhat OT] "Not up to linux yet" (Score:3, Interesting)
There are a LOT of people in this situation, and they are the perfect candidates for using Linux. They have a fixed set of needs. Give them a preinstalled and preconfigured Linux box, and they treat it like a fixed-function appliance.
I'll skip the long details, but my 57 year-old mother got so fed up with Windows' unreliabilit
Re:Chicken and the egg (Score:2)
This sounds a lot like the reasoning used to detain terrorism suspects and witnesses using secret evidence.
It's not just XP (Score:3, Informative)
Some might argue that WinXP comes with the Best Before date already expired, but there's a lot of CDs for many OSs out there with "open security". (The main problem with standard XP is the stupid requirement to phone home to register before downloading the patches to make it safe to be on the net in the first place.)
Re:It's not just XP (Score:5, Informative)
That's FUD. XP gives you 60 days to activate your copy of windows. During those 60 days, Windows is fully functional and allows you to connect without any activation related troubles.
Re:It's not just XP (Score:2)
Need for Microsoft patch CD (Score:5, Interesting)
People should return non-patched systems that are shipped from the manufacturer, and return systems where the install CDs don't put them to the same patch level they are shipped with.
While this isn't a cure-all solution to the patch mania that is necessary, it will go a long way to help bring up the baseline security of all these end-user hosts on the internet.
Re:Need for Microsoft patch CD (Score:3, Insightful)
Linux CDs for checkout at the local public library (Score:3, Interesting)
Not enough people have the broadband or fast enough download capabilities to handle file sets that are above a few megabytes.
Having the inexpensive CD-R sets available for checkout at the local public library would go a long way to solving the distribution problem of the general public.
Plus the local Linux group could keep the circulating distributions current and the latest patches available.
Re:Linux CDs for checkout at the local public libr (Score:2)
Have you seen the disclaimer of liability that GPLed (and most other Free) software carries? It's pretty damned heavy-duty.
If you can show me a US case in which a distributor of Free software was forced to offer support to a customer who had no separate and paid-for support contract, then perhaps I'll consider your argument to have merit. At present, though, I disagree that the l
Re:Need for Microsoft patch CD (Score:2)
Re:Need for Microsoft patch CD (Score:2)
Re:Need for Microsoft patch CD (Score:2)
Re:Need for Microsoft patch CD (Score:4, Informative)
Microsoft does have patch CDs.
In North America, Office Service Packs can be obtained free of charge on CD-ROM. Order Office Service Packs on CD-ROM [microsoft.com]
They also have a free CD as part of the Security Resource Kit (the technet website, not the book). http://microsoft.order-4.com/securitykit [order-4.com]
I have a webpage with more home broadband security information [chebucto.ns.ca].
First day? (Score:3, Interesting)
Due to some oddities in the purchasing orders for new hardware this year, it ended up that some of us unix guys were tasked with hauling new windows boxes around the workplace for people. We weren't expected to set them up, just unpack, plug em in, and turn em on. Ignorant of how vulnerable windows boxen are, we did just that, doing the silly clicky crap that any OEM release makes you do, and walked off.
Within ten minutes, the traffic sniffers the security team has up were getting alarms caused by the machines we had set up and their ports got blackholed in about 15 minutes. One of the machines was already being used as a spam relay, the rest all had whatever viruses are still floating around.
Was quite an eye opener, I'd thought those viruses were over and done with and weren't a cause for concern anymore. Made me wonder how much bandwidth is being wasted that we don't even acknowledge. Spam is easy because it generates email.. but there's this underlying background noise sucking up bandwidth that you don't even see.
Course us "unix guys" had a good laugh over it, patting ourselves on the back in true bigot fashion over how secure unices are. But later that afternoon the nfs server that serves our home directories puked its guts up so it put us in our place pretty quick.
Re:First day? (Score:3, Informative)
Once I got the patches, virus protector, and ad-aware installed, everything was fine, but still, there was a reason I wanted to do a clean install.
Re:First day? (Score:3, Interesting)
Re:First day? (Score:3, Funny)
Come on, Al! Give it up already!
Re:First day? (Score:2)
This has increased my public requests for microsoft to send postcards or CDs to people who have registered their product. Since this is mandatory (is my understanding, I don't actually have XP installed because I refuse to buy a new copy of windows each
Re:You "unix" guys really oughtta setup a firewall (Score:2)
I feel for the home user... (Score:5, Insightful)
Those poor home users who are not technically savvy are pretty screwed. They won't be able to figure out *nix and don't want to pay the bucks for Apple.
Microsoft should offer (no not MSN) a method for new Windows machines to dial direct for patches before connecting to the Internet.
This method should be over ridable for the safer crowd.
Re:I feel for the home user... (Score:2)
Re:I feel for the home user... (Score:2)
Re:I feel for the home user... (Score:2, Insightful)
what are you retarded or something?
Taken two minutes ago from apple and dell:
Apple emac 800 $USD shipping included
Dell dimension 2400: 771$USD shipping included
My brand new ibookG4 cost 1350, Canadian (with edu discount).
That's like, what, 7 bucks american?!?
Re: (Score:2, Funny)
Sadly enough (Score:2, Interesting)
Re:Sadly enough (Score:3, Informative)
The Easy Way (Score:2, Insightful)
Jaysyn
Re:The Easy Way (Score:2, Funny)
Re:The Easy Way (Score:2, Flamebait)
Think of the productivity boost they'll have with no games to play!
just say no (Score:2)
Install from scratch... (Score:3, Interesting)
PDF file too large to download (Score:2)
An actual solution (Score:2)
text version for you to download (11K) [telus.net].
It looks like it's all there but no guarantees.
The basis for a TV reality show (Score:5, Funny)
Now, that is what I call a reality show.
Re:The basis for a TV reality show (Score:2)
Re:The basis for a TV reality show (Score:2)
Re:The basis for a TV reality show (Score:2)
I'll happily take your money.
I am just doing this myself (Score:2)
The long-life of the Blaster worm is the ISPs faul (Score:2)
Re:The long-life of the Blaster worm is the ISPs f (Score:5, Insightful)
The fault is all the users who didn't patch their systems
I don't know about you but when my ISP starts port filtering I get pissed off, that's my decision to make, not theirs (stupid monkeys blocked off port 20 through 25. I had to run ssh on a different port!)
Re:The long-life of the Blaster worm is the ISPs f (Score:2)
Well, yes but what happens when the ISP's network is flooded with worm traffic? They really don't have much choice.
Re:The long-life of the Blaster worm is the ISPs f (Score:2)
Wouldn't it be much better to just disable the ports where virus floods are coming from and have an auto-dialer call up the customer and tell them their computer is infected, giving them a phone number to call once the system is fixed? Then they would be aware of their problem and probably take some more measures in the future to prevent it...
Here on the Hell Desk... (Score:5, Interesting)
It's sad and irresponsible to let these people wander onto the Internet with their unprotected Windows computers like dogs wandering onto the freeway.
Re:Here on the Hell Desk... (Score:2, Insightful)
If we use a car idea model, that would be the difference between calling the DMV/BMV to ask how to change your oil, or have them explain why it's important to do so.
Update sizes need to be reduced. (Score:2)
Mirror, just in case (Score:2, Informative)
xpsurvivalguide.pdf [compuliant.com]
The first day? (Score:2)
That's all well and good.. but how do you survive (suffer?) Windows XP after the first day? ;)
My father had to fight to install XP (Score:2, Interesting)
He finally had to resort to getting the guy that gave him XP to make a CD up of the patches so he could actually use XP on the net.
Personally I just have to say thanks to my linux firewall.
Umm... simple solution that EVERYONE should use... (Score:2)
Just uhh... use a router/firewall. Problem solved
Free Hardware Firewalls (Score:2)
And a CD-R with the latest Service Pack/Security Patches... (and make it auto-run for the newbies)
What would that cost a vendor.. 10 bucks tops?
Use a fucking router? (Score:2, Funny)
So don't read email, visit non-update sites or open your ports below say 1000 to the outside world.
Wow I'm a fucking genius. Since most homes have multiple computers anyways you will want a cheapo 100$ router anyways.
Praise me!
patching xp (Score:2, Insightful)
I can just imagine how inexperienced people getting new computers for Christmas will feel, especially on dial up connections. When you're excited about a new machine, wh
No kidding (Score:2)
I had to nuke & rebuild my parents' machine this past Thanksgiving. I set up a dial-up connection on it and proceeded to the Windows Update site.
Firewall (Score:3, Interesting)
Computers don't get viruses, users do.
windows update on disk (Score:2)
It would be nice if you could go to the windows update page and download a zip file of all the updates necessary for a fresh install (maybe it requires a CD key or something so it knows what to give you).
Use another computer that is safe to DL this zip and burn it onto a CD, then you can be guaranteed to have your windows box up to
Protect Yourself Before Screwing With The Net (Score:3, Informative)
Although Windows users incur a higher risk due to the ubiquity of the product, all operating systems are vulnerable to one degree or another.
Personally, I am unable to install Windows and download the updates without being infected with at least one virus. When I need to install Windows, the first thing I do is to disconnect the machine from the internet. After the install, I set up my internet connection, enable the Windows firewall, and reboot. Then I download the minimum number of updates needed to install the current version of the Norton antivirus/firewall product. Then I disable the Windows firewall and install Norton.
The first widespread Linux virus will do damage to the OS' reputation beyond any reasonable limits. Consumer Linux distributions should disable all servers and activate a simple firewall by default. Give the user the option to turn it off, not on.
Re:Protect Yourself Before Screwing With The Net (Score:2)
Not sure about other distros but, if you tell SuSE 8.1 or above (possibly lower versions as well) that you're going to be running as a Home/Desktop then it will turn off most of the services and set up a firewall by default. The only downside of this is that if you then want to turn FTPd on so you can copy files off your Windows box onto the Linux box over the internal network then it can be a bit of a swine to set up until you work out the exact combination of settings you have to set.
Stephen
OEM responsibility (Score:2)
Another idea would be to simply put the machine in a safe boot mode when the machine first comes up. This basically blocks all incoming traffic, and then attempts to connect to the MS site. Either v
Re:OEM responsibility (Score:2)
As for safe mode, last time I tried, safe mode disabled all networking, period. That was Win98, however. Perhaps XP is better on that score.
The Best Christmas Present (Score:5, Insightful)
Compare that to a godawful dialup VNC session on a home shopping network XP box where I needed to fix blaster and the person didn't know how to get to system settings.
I sold a mac that day with "Guess what, buy a mac and you will never have to deal with this again."
(and I won't either, to myself) That's why it is the best Christmas present you can give yourself, if you are the designated "computer-guy". Not having to deal with other people's XP is worth its weight in Half-Life Gold, Al Franken, and Myth II: Soulblighter.
Microsoft Makes it Easy! (Score:2)
Microsoft's patching system makes it a snap to update your computer. Under Linux I have to groan over long and cryptic commands like "apt-get dist-upgrade" and lumber off to get a snack while my system is automatically updated. With Windows Update and a CD writer you can get a clean, protected computer with just a few easy steps. Allow me to elaborate.
I run a Windows 2000/Redhat 9 system. I got sick of reinstalling the OS and every single driver, recustomizing, etc, every time Windows started acting u
Roblimo fud (Score:3, Insightful)
Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether.[link to article]
Right, until his daughter/granny buys a webcam from the store and wants to hook it up and use it, etc. Or she wants to use x program that only runs on Windows. Grannies and relatives buy lots of this stuff off shelves at the store. The Sims, nearly any other quality game on the planet? Probably isn't going to run on Linux, is it?
She does websites for pay... what happens when she decides she needs something like Dreamweaver, or Frontpage (gag, but a lot of people still use it) or Photoshop, in those rare cases when the (superior, IMHO) The Gimp won't fulfill her needs?
Sure, you could use VMWare or some other such deal, but then you'll require a copy of Windows and you'll have spent more time and money than if you had just put Windows on the machine in the first place.
What a load of narrow-minded horseshit, Roblimo. Your job as a self-appointed Linux advocate should be telling it to the people straight, and you aren't. They'll listen to you and get burned, and won't trust you or any other Linux person, next time.
a Mac may be better for one reason: support (Score:3, Informative)
The reason would be the support network for when you do need support. Not everyone is or can afford to drop by, and saying "go check Ars Technica" isn't really helpful. IF they ever need professional support, it would be better to have actual phone and store support for the product.
Not to mention that you can actually expect to find common peripherals which will work out of the box, or at least have company-supported drivers that you can install.
Not everyone can justify the cost when you can get a new Linux box for half the price, but I wouldn't want someone spending extra on tech support (or downtime) just to save some money on the initial purchase.
Linux for Roblimo's Stepdaughters? (Score:5, Insightful)
There is no way in HELL that I'd consider giving a linux machine to a friend or relative who is light on technical ability.
I am already on call to fix the computers of my friends and family, my girlfriend, my girlfriend's best friend, my girlfriend's sister, and my girlfriend's sister's girlfriend.
I'd easily double the amount of free support that I'd have to give if I gave someone a linux machine. Even if most of the calls ended up being "No, I can't help you install 'Barbie goes to the beach' because the version that you have is for Windows", that is still crap that I don't want to deal with.
I'd rather burn a disk with Ad Aware and Spybot Search & Destroy and give it to people than to have to educate people on a system that they know nothing about.
So many people these days don't know a thing about DOS, so how can you expect them to take the time to learn bash? More times than I would like to remember, I had to use the console to fix a problem on one of my linux machines that just couldn't be done through X. Sometimes the problem was that I couldn't launch X.
Windows is the devil that most people know. As awful as the security is, as awful as Microsoft's business practices are, Windows is the top dog and most mundanes don't care about anything but being able to check the weather, get email, bring up a few web pages, and play some games. For most people, that is easier to do with Windows.
LK
Surviving the first day... (Score:3, Informative)
Blaster within minutes of a fresh install. (Score:3, Interesting)
Since this was a recent purchase and the after thought SP1a sticker was there, I mistakenly assumed that it would be safe against Blaster.
Regardless, I enabled the built in firewall on the external interface NIC before I connected to the internet via her ADSL.
I couldn't get it going. I was using the ISP PPPoE driver which was supposed to work, but the ISP suggested I use the built in XP PPPoE driver, which worked fine. The phone tech also said that I must disable any firewall due to the use of a heartbeat initiated at their end.
So, I reluctantly did...
Her PC had Blaster literally within a minute or two of connecting.
But here comes the funny part... to get around the 60 seconds to shutdown, I double clicked the time to set the year back to give me a chance to remove the virus and patch her system. Unfortunately, during this, I had to reboot. At this stage the 30 day registration period was still in effect because I had not registered. Upon reboot, the 30 day period was up, XP was demanding I register now without giving me the desktop! Luckily it seems that it automatically connected.
Next time I'll just set it back an hour!
This kind of crap just has not happened to me on my Apple. In the end, I enabled the firewall and she has not had a problem. It might not have happened if I knew XP better (first install), but then I gave up on Microsoft long ago.
Re:why go through all that trouble? (Score:2)
Re:Source for XP patches? (Score:2)
But seriously, they do have download links for stuff like that. I think the option is catered specifically to sysadmins with large numbers of machines. And can't you run your own internal windows update server and tell the Windows boxes to grab and install updates automatically?