The BBC's Honeypot PC

Alex Pontin writes, "This article from the BBC shows how vulnerable XP Home really is. Using a highly protected XP Pro machine running VMWare, the BBC hosted an unprotected XP Home system to simulate what an 'average' home PC faces when connected to the internet." From the article: "Seven hours of attacks: 36 warnings that pop-up via Windows Messenger. 11 separate visits by Blaster worm. 3 separate attacks by Slammer worm. 1 attack aimed at Microsoft IIS Server. 2-3 "port scans" seeking weak spots in Windows software." The machine was attacked within seconds of being connected to the Internet, and at no time did more than 15 minutes elapse between attacks.

Well Duh!

[fluffy99]

So we've learned that putting an unprotected windows box on the internet is a bad idea - well duh! It probably doesn't help that they didn't bother with any updates, or turning on the firewall.

Re:Well Duh!

[Anonymous Coward]

The thing is, users do this EVERY DAY. So it is an important excercise. People here on Slashdot may know how to keep themselves protected, but I talk to Windows users ALL THE TIME who have their computer sitting on a broadband connection with no idea how to protect it (no hardware firewall, no spyware protection, whatever virus protection was bundled with the machine [but likely not updated with the latest signatures]).

It's still a HUGE problem. So, maybe it's a no-brainer for you, but it isn't for the average user.

Indeed, AC

[QuaintRealist]

All of the "well duh" folks miss the point. There are a lot of people out there with reinstall CDs for older machines. When their machine gets hit with malware, many of them "reload" windows and some of these head for Microsoft update.

The point is that they are too late - they're perfectly likely to get hit before update can protect them, and perfectly likely to get hit with something as bad as what they had before.

This really is a problem.

Re:

[networkBoy]

Bingo,
Even something as basic as NAT through a cheapie router will buy them all the time they need to connect to windows update.
It won't protect them from malicious connections once infected but because most all routers ignore incoming connection attempts the user is at least protected till patched (assuming the first thing they do is Windows Update, not pr0n surf).
-nB

Re:

[drinkypoo]

FWIW it's not that they ignore incoming connection attempts, it's just that they don't route between the internet and the inside network (they do NAT, but that's not QUITE the same thing) and unless a port is forwarded, there is no open port, and the connection fails. And anyway, if the device supports uPnP, then Windows is likely to open ports on it :P

Yeah, that works.

[QuaintRealist]

I had some "friends of friends" who were running the reinstall loop due to malware. I gave them an old but locked down linksys router to connect through. Problem solved, but many don't know to do this sort of thing...

One of the local medical offices "needed SP2" for some software they ran on a closed local network of 4 or 5 computers (i.e. totally unconnected to the internet). Somebody with just enough knowledge to be dangerous hooked the computers (one at a time) directly to a DSL line usually used for

Re:Indeed, AC

[Mister Whirly]

And this is why they should be letting a professional set their stuff up. If you knew nothing about cars, would you try to put an engine together and then drop it in by yourself, or would you take it to a mechanic? Most people seem to understand that, why should it be different just because we are talking about computers? Nothing like having your system owned as a way to hammer this point home. I certainly don't take the crass view of "well they get what they deserved for being ignorant" - but how do you combat naiveté among people? Especially with a technical subject that most people's eyes just glaze over when you start talking patches and firewalls? I think most folks just figure they can save $100 by setting it up themselves....Big mistake....

Re:

[Mister Whirly]

"When you buy a car, most people expect to insert the key in the ignition and put their foot on the accelerator. They don't expect to be handed the components and a 900 page manual and be expected to assemble it themselves."

Yet when the same people are handed computer components and manuals that they don't understand, they somehow think that they CAN assemble it themsleves. That is where the problem lies...

"Why can't the average user go into a shop, buy a computer, bring it home and expect it to work -

Re:

[smilerz]

Actually, new Windows systems come with the firewall on by default. None of the attacks that the BBC witnessed would have had an effect.

Re:

[tomhudson]

Yes, and every day there are users out there who use the password "password". Was that tested as well?

I'm happy to report it was, and only 20% of Windows users used "password" as their password, making it only the third-most-popular password. The two most popular ones were "qwerty" and "12345", in that order. The least popular password, with just one example, was "i heart bill gates" - on Steve "the Chair-man" Balmer's box.

Re:Well Duh!

[jacquesm]

The BBC is not exactly known for being beginners at IT, they're the people that brought a lot of us (including me) into the age of personal computing with their BBC Micro Computer.

The thing they've tried to do here is to accurately simulate what the average home user will do, and see what the consequences would be.

It's like a 17 year old nude virgin visiting the octoberfest and expecting to come away 'unscathed', I give you that much. But anybody that buys one of those HP internet ready pc's with XP pre-installed that goes home and plugs in his / her machine is doing the exact same thing.

The instructions even tell you to connect all that stuff *before* switching on in simple-to-use IKEA style no words diagrams. Don't be too quick to judge the beeb, they're pretty good at what they do.

Zero open ports.

[khasim]

Yes, that is exactly how a new user will work with his/her new PC.

Which is why Microsoft should be focusing their efforts shutting off all open ports on a vanilla installation. Just as Ubuntu does right now.

Once you've connected it and turned it on, the machine should check in and offer to download all the security patches. But it needs to offer to do this PRIOR to any of the ports being opened.

Clicking "OKAY" (repeatedly) during the initial boot/first use should result in as secure and updated a machine as

Re:

[saleenS281]

Except those HP internet ready PC's ship with XP SP2 installed, and automatic updates enabled by default...

Re:

[jacquesm]

You'd be surprised at the time stuff can sit 'in channel'.

Also, I bought one of these puppies about 3 months ago and since I had planned to install Linux on it anyway I just let it sit there for a couple of hours to see how long it would take to get infected and within two hours it was happily sending spam. (I did pull the plug at that point).

I don't recall the version of XP that was on there, but it still surprised me how quickly it went.

Re:

[jacquesm]

http://www.smh.com.au/articles/2003/09/22/10640829 36480.html?from=storyrhs [smh.com.au]

It's not my community (the Neighbours rather), but it seems there's more than just beer involved there according to the article above. It sounds like you need some confirmation before you're leaving your moms basement though ;)

Re:

[jacquesm]

I highly doubt there's malice on the part of HP involved. It's just that the time between manufacturing and hitting the consumers home is more than long enough to go through several software updates. The real problem is that early XP had no default firewall 'on' out of the box, in order to upgrade it you have to be online (sometimes for quite a while) to download security updates, or alternatively you have to know what you're doing.

But honestly, I highly doubt many of the buyers of consumer grade hardware h

Re:Well Duh!

[SlartibartfastJunior]

it's easy to say "well duh!", but when you have a brand-new out-of-the-box computer, it doesn't exactly come with instructions. My grandmother has no way of knowing she's supposed to be running a firewall, or going to get a Microsoft Security update before doing anything else. WE know these things, because we hang out on Slashdot, but they're not obvious to the rest of the world, and I applaud the BBC for bothering to put this in people's minds. Until the day Microsoft starts shipping Windows with firewalls INSTALLED and ON by default, articles like this will truly be helpful.

Re:

[Anonymous Coward]

Until the day Microsoft starts shipping Windows with firewalls INSTALLED and ON by default

Hasn't this been the case since SP2?

Maybe my copy of windows has been "enhanced" in this regard, but when I reinstall the firewall is installed and on.

Re:

[d_jedi]

Any brand new computer sold nowadays (not counting whiteboxes) comes preloaded with at least service pack 2 installed. You are prompted very shortly after taking the machine out of the box (along with other normal setup stuff, like naming your computer, and adding users..) to turn on automatic updates (which is the "recommended" setting).

Re:

[ben there...]

Until the day Microsoft starts shipping Windows with firewalls INSTALLED and ON by default, articles like this will truly be helpful.

Microsoft should really ship with all IP addresses except update.microsoft.com redirected to localhost, until you complete all critical updates.

It will never happen, but it should.

Re:

[geoffspear]

Please shut off your computer until you can prove to me you have a PhD in Computer Science and have personally designed a computer with at least 5% of the world market share. If you can't, I judge you not competent to use a computer, and you're endangering the rest of society by doing so.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[r00b]

One of the first things I do when setting up my home box is remove windows completely.

Re:

[ichigo 2.0]

And just to be safe, nuke it from orbit.

Re:

[El Torico]

So we've learned that putting an unprotected windows box on the internet is a bad idea - well duh!

Yes, the article does state the obvious, but, as most /. posters have already pointed out, your average Joe doesn't know what we regard as obvious.

My issue with the article is it didn't provide any guidance on countermeasures. A sidebar or follow-up story on basic computer security would be useful. At least in Thursday's issue they will instruct readers on identifying phishing.

Actually, I noticed this

And the moral of the story is.

[AltGrendel]

Home firewall/router software is better than nothing, and a small firewall/router hardware combo is probably better than that. Personally I perfer the Lynksys hardware.

Of course, we all knew this already, didn't we? The results weren't suprising to me and I doubt that any of the regular /. crowd would be either. Yes, I mean you.

Re:And the moral of the story is.

[Rob T Firefly]

We're not the target audience. Average home users probably aren't reading /., but they just might be BBC readers. Good "welcome to the real Internet" articles need to get out into the mainstream more, and I don't mean the standard "OMG INTERNETS BE AFARIAD OF PRON AND PEDOS AND ID THIEVES AND VIRUSESES IT GOING TO KILL YOU ALLS" that modern "news" seems to favor.

Re:

[rf0]

The biggest issue to the security of the system is the human sat on the chair and clicking boxes they shouldn't and installing slightly dogey software. Of course having a decent level of OS secruity helps but taking what MS is doing in Vista with prompting for virtually everything just seems to get annoying. The best solution would be training people there is no point in hacking etc but of course that will never happen as at some level its either to show that people can hack, or money related with botnets e

Re:

[kosmosik]

Yeah I *love* Linksys routers. Especially the few that pop up in my PDA using "linksys" ESSID without any access restrictions. ;)

Re:

[advocate_one]

Home firewall/router software is better than nothing, and a small firewall/router hardware combo is probably better than that. Personally I perfer the Lynksys hardware.

ah yes... nothing underlines the superiority of Linux better than an XP user having to hide behind a Linux based "Hardware" firewall/router...

Not anymore.

[Kadin2048]

ah yes... nothing underlines the superiority of Linux better than an XP user having to hide behind a Linux based "Hardware" firewall/router...

Actually, these days they're not Linux, they're VxWorks -- unless you special-order the "WRT54GL" version, which most people wouldn't do because you can't buy them at BestBuy and they cost more.

Re:

[SillyNickName4me]

They do probably exist, but I have yet to encounter such a router/firewall that doesn't allow you to forward specific ports to a machine behind it, which will solve your issues nicely without opening up everything.

better question...

[192939495969798999]

why is there such a thing as an "unprotected windows box"? Isn't this a serious fault of Microsoft that there's even a way to have an "unprotected" system on the internet? Seems to me that the microsoft firewall should be light, nimble and ALWAYS ON.

Re:

[voice_of_all_reason]

Except that once you purchase/steal software, it is yours. The firewall can be turned off at your liesure.

Re:

[ednopantz]

...light, nimble and ALWAYS ON.

pick any two.

Re:

[NatasRevol]

I'm thinking.....light, nimble and ALWAYS ON.

pick any one.

Re:

[Danga]

Seems to me that the microsoft firewall should be light, nimble and ALWAYS ON.

I do believe that the default should be for the MS firewall to be on after installation, that would have saved problems for MANY inexperienced users whose windows boxes ended up getting owned within minutes of them connecting them to the internet. The MS firewall definitely seems to be light, nimble, and does a decent job but for users like me who prefer to use a software firewall that is more customizable (I like Kerio Personal

Re:

[LordEd]

The default since SP2 is for the firewall to be on. If you turn the firewall off, you get warnings to that effect on your system tray.

Re:

[Antique Geekmeister]

Leaving such a firewall on would have crippled numerous Microsoft demos where you just turned on the box and suddenly had access to lots of network resources. Explaining to sales staff that such demoware is begging for trouble and should be scrubbed to bare metal between uses is often quite difficult: they're reluctant to break what worked last time, even though they've just connected it to a public network at a blackhat conference and are guaranteed to be infested with the latest round of worms and viruses

Re:

[julesh]

Well, first of all, of course you can switch the firewall off. You have to be able to switch it off, because there is a reason why these exploitable services are network services, and that's because in some situations you might want another machine to connect to them.

Secondly, the design fault of not activating the firewall by default was fixed with SP2. To have it disabled by default on a new install now, you'd have to be installing from an old disc.

Re:

[Blakey Rat]

The firewall (which is pretty good) is on by default on any computer bought in the last 2 years. And older XP computers typically have a firewall installed (and turned on) by the company that sold it.

Sure, the user could turn it off, but-- guess what?-- it's THEIR COMPUTER. You can turn off the firewall on your Linux or OS X machine, also. That said, Windows XP SP2 will make your life a pain in the ass if you do run it with no firewall. There are constant system tray messages reading "your system is at

Impressing

[ackthpt]

I set up a friend's new computer and installed a firewall, before attaching to to internet for the first time and he was stunned how fast the log of probes filled up. He'd never used a firewall before on his old XP machine.

What bugs me is why there doesn't seem to be any decent coordinated effort to track the bots down and shut them down and to go after the perpetrators. Really, it doesn't seem that hard, it just seems like no government is interested in doing anything about it.

It IS hard

[Opportunist]

So you're trying to track down someone who's renting a server in Mongolia who allegedly sits in the Ukraine with a DNS entry made with a DNS provider in Kirgisistan which allegedly belongs to some guy in Turkmenistan.

Your turn. Lemme give you a hint from experience: Neither of those 4 targets will get you anywhere. Getting legal help in some countries is a matter of faith. Or, rather, it's about as useful as faith in some deity.

Re:It IS hard

[bill_kress]

He said an coordinated effort. Of course no one person can get anywhere, but if we just decide not to accept this, we start blocking IP ranges, force the ISPs to deal with their spammers and botnets--it wouldn't take long at all to shut down the entire problem (and 60% of the web). Then you just bring up clean PCs one at a time--forward their DNS to a page that can lead you through the process of cleaning out your PC and contains a list of services that will help.

Subsidize the creation of some decent anti-virus and service companies that can clean your computer remotely (Just don't build one nuke, that should take care of funding it for a few years)

Of course we can't take these steps proactively, humans are too short-sighted, but we WILL do something like this reactively, It's going to happen--just a matter of time.

Re:

[moore.dustin]

Aren't many self replicating or functional as an independent entity? I doubt many of these are being launched from an actual location that can be tracked down easily. Much of it is embedding in pages, spy-ware, or something similar online. You ask why there is no action taken against these bots, but the reality is that these bots are everywhere and not in one central location. One instance of a bot probably exists in dozens, if not thousands of locations.

On the other hand, what would cleaning up the net r

Re:

[AaronW]

My logs quickly fill up too. A lot of it comes out of asia, China in particular. There's one IP address that is especially bad. Doing a google search had that subnet turn up in a several year old Department of Homeland Security document. I think a lot of countries either don't care or actively encourage it.

Yawn...

[rsilvergun]

this has been done before with WinXP SP1, we already know it's insecure. But you know what? Most home users have firewalls now, if only in the form of a hardware router from their ISP, and any new users are running XP SP2. A simple firewall and a few trips to www.windowsupdate.com takes care of most problems. Now, a better article would point out who Windows Media Player will run any old code as root on your box if you've got "Obtain licenses automatically" checked. I can't believe there isn't more of a sh*t storm over that.

Re:

[baadger]

> Now, a better article would point out who Windows Media Player will run any old code as root on your box if you've got "Obtain licenses automatically" checked. I can't believe there isn't more of a sh*t storm over that.

Please elaborate...I haven't read or heard of any recently scares surrounding WMP.

Re:

[ElleyKitten]

Most home users have firewalls now, if only in the form of a hardware router from their ISP,

What ISP sends you a firewall?

Software ones sometimes free.

[Kadin2048]

Some of them send you software firewalls on the "signup kit" CD, but I don't know of any that will send you a hardware firewall/router, except as part of an occasional special promotion.

I think that Comcast Broadband's "CD 'o Crap" includes a software firewall on it, ZoneAlarm or similar, but that won't do you much good if your computer is already compromised; I assume most rootkits will just disable a firewall from inside if you install one after you've been attacked. So they're pretty much useless to anyo

Re:

[zaren]

"Most home users have firewalls now, if only in the form of a hardware router from their ISP..."

No, they don't.

I can attest that the three Windows users I know have no such protections. One plugs directly into her cable modem, and the other two still use dialup. No firewall on any of them, and no router.

Routers and firewalls are still high-end "geek" things, because, after all, my ISP will protect me! That's why I have all this nifty anti-virus software! (Note that my sister's anti-virus software had been e

Re:

[Antique Geekmeister]

You've apparently never worked in a larage university or corporate environment: the local firewalls are extremely lax, and even if the external firewalls or filtering are robust, there are just too many unmaintained and personal machines, and too many services that are being randomly connected, to rely on any local or departmental firewall for protection.

The worst are the computer science professors, who think that because you installed updates for them when they bought the machine last year that they are s

Their 'unprotected'=flawed

[i_should_be_working]

So by unprotected, they mean some old installation without any recent patches, not a patched machine with no firewall. Scared me for a moment.

I can attest (I'm sure many can) to how fast an unpatched XP machine gets hit. I have an installation disc from 2002 (sp1). When I use it I install with the ethernet cable unplugged. After install I plug in the ethernet and go straight away to Windows update but still, on the last go, within 5 minutes I got a somewhat obviously (to me) fake and malicious pop-up telling me I'd better click on it to protect my computer.

Re:

[ArbitraryConstant]

"So by unprotected, they mean some old installation without any recent patches, not a patched machine with no firewall."

They also mentioned attacks by worms that are irrelevant if you're not running stuff like (for example) an SQL server.

Re:

[garcia]

I can attest (I'm sure many can) to how fast an unpatched XP machine gets hit. I have an installation disc from 2002 (sp1). When I use it I install with the ethernet cable unplugged. After install I plug in the ethernet and go straight away to Windows update but still, on the last go, within 5 minutes I got a somewhat obviously (to me) fake and malicious pop-up telling me I'd better click on it to protect my computer.

You're obviously confused by the definition of "average home PC". The "average" home PC us

Re:

[i_should_be_working]

You're obviously confused by the concept of posting something that relates in any way to what you're replying to. Who said anything about an "average home PC" or "average" PC user? Not me. I was merely recalling a personal anecdote of how fast an upatched machine can get hit.

Re:

[evilviper]

So by unprotected, they mean some old installation without any recent patches, not a patched machine with no firewall.

What part of "The machine was attacked within seconds of being connected to the Internet," did you not understand?

How quickly can you apply the latest service pack and all the patches to your fresh installation of Windows?

Over 2 years ago, I was hearing from several people that experienced exactly that... They were incredibly frustrated that their freshly-installed systems were being compro

Slammer? Blaster?

[krygny]

Many of these attacks were by worms such as SQL.Slammer and MS.Blaster both of which first appeared in 2003.

...

The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible.

Wouldn't that include all patches that would specifically protect against Slammer and Blaster? Note, the article says "such as", not "similar to".

Re:

[Spad]

The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible. This ran a software program called VMWare which allows it to host another "virtual" PC inside the host. Via VMWare we installed an unprotected version of Windows XP Home configured like any domestic PC.

Sorry but...

[Maxo-Texas]

I have windows XP and a $19 dlink router (and a lynksys before that) and I have had *zero* problems in 24 months.

So okay- a naked machine may have an issue but this is really a non-issue if you spend an extra 20 bucks for an inexpensive router with a built in firewall.

Re:

[zaren]

And you're an experienced user who knows what a router is and what to do with a firewall.

The vast majority of the computer using public isn't you.

The vast majority just plugs directly into their connection.

50% of the Internet using public still uses DIALUP.

It sounds so easy from your end, but it sounds like Klingon from their end.

Non-issue for whom?

[Kadin2048]

So okay- a naked machine may have an issue but this is really a non-issue if you spend an extra 20 bucks for an inexpensive router with a built in firewall.

And that's $20 that the average computer user doesn't understand why they should "waste" on a funny box. I mean, they already use one of those surge-strip thingies, doesn't that mean that they're protected?

Yes but...

[Harin_Teb]

Did they pass WGA?

How vulnerable Windows XP really is?

[KingGuru]

This doesn't really show how vulnerable Windows XP really is, it shows how often it is subject to attack. Since all these are (mostly at least) worms and automated attacks, that's not really different from looking at the logs on my Linux boxes, where, for instance, my apache server is quite often "attacked" by a worm looking for IIS vulnerabilities.
I like to bash MS as much as most people here, but this choice of words really misleading. True, never ever put an unpatched box un the Internet, especially if

Re:

[rs232]

"This doesn't really show how vulnerable Windows XP really is, it shows how often it is subject to attack. Since all these are (mostly at least) worms and automated attacks, that's not really different from looking at the logs on my Linux boxes,"

And where exactly are all these attacks coming from. Where are these worms and viruses hosted. What's different is all the attacks are coming for other compromised Windows boxen. Of course it's totally different, you're not being attacked by Linux boxes.

"it is

Re:

[jonadab]

Yes, I think the reported who wrote up the article didn't fully understand the research that was being done. The point of the research is to look at what kinds of attacks are out there and, especially, which ones are common, as it helps security people to know better how to protect against them. The most important take-home message from this article, as near as I can tell, is don't connect a Windows XP system to the network without SP2. I knew that already (actually, I have a strong preference for an ext

Duh

[MeanMF]

Well...I can guarantee that if you put a Linux or OS X box on the Internet that it would be attacked by exactly the same things. What's the point of this again?

Re:

[Macka]

But the attacks would fail for a number of reasons. First and foremost because the attacks are targeted at Windows not Linux or OS X. Secondly OS X has a very capable built in Firewall thats always on. I can't speak for Linux because that will be up to the person who built it. Though my default Ubuntu 6.06 installation had no firewall enabled at install time, nor any option to configure or enable one before you get onto the internet and download the bits with synaptic.

where are all the attacks coming from ..

[rs232]

"Well...I can guarantee that if you put a Linux or OS X box on the Internet that it would be attacked by exactly the same things. What's the point of this again?"

The point is thet the Internet is infested with compromised Windows boxen. Ok, where are all the compromized Linux web servers. Assuming they are running Apache under Linux. According to Netcraft [netcraft.com] Apache usage is at roughly 980,00,000 while IIS is at 490,00,000. Why don't we see an equivalent number of compromised Linux servers.

Yet another mo

Re:

[MeanMF]

Neither is a properly patched XP system.

Not just Windows

[pavera]

I love linux, but alot of this stuff pretty much pertains to anything on the internet. Do you have a linux box on the public net with SSH open? I gaurantee you are getting more than 1000 attempted logins per day. This article talks about alot of "attempted" attacks, well my linux machines on the net get port scanned at least 10 times a day, any box that has ssh running on the default port is being dictionary attacked pretty much 24/7. Sure the linux boxes aren't being turned into zombies, and I'm not sending out boatloads of spam, but my apache servers get hit with IIS attacks regularly. Putting a box with open ports on the net gaurantees you will be attacked. It doesn't matter if its linux or windows.

The difference is with windows you will probably get hacked, with linux you at least have a fighting chance.

Re:Not just Windows

[julesh]

Do you have a linux box on the public net with SSH open?

Yes.

I gaurantee you are getting more than 1000 attempted logins per day.

Uh, no. On the occasional day I get a sustained attempt to guess a username/password combo, and such an attempt may well get up to 1,000 attempts, but in the last 4 days' log (all I keep), I don't see any such attempt. There were a couple of attempts on my FTP server, but it looks like the attacker closed the connection as soon as they saw the welcome banner; scanning for a particular server/version in the connection report, I guess.

Re:

[xlv]

Do you have a linux box on the public net with SSH open? I gaurantee you are getting more than 1000 attempted logins per day.

You could install something like DenyHosts on your server. This will cut down the attacks as after 5 failed attempts the IP is banned for a while. At least it will reduce the size of the log file.

A Premium of Paying Vicitms

[demo9orgon]

Despite all the Microsoft apologists who will wring their hands and point out that certain things were not done in order to safety the Microsoft honeypot, the genuine service this article demonstrated is that people who turn on their new computer with its Microsoft operating system connected to the Internet are vulnerable to exploits which are automated and exist in abundance, ready to pounce upon current Microsoft operating systems.

Even if you're a master of Microsoft "anti-ware" solutions and tweaks, what happens when someone who isn't takes a few wrong turns with their OS? It's toast, or worse, enslaved and used as a resource the end-user is paying for.

I stopped using Microsoft operating systems to directly connect to the Internet nearly 10 years ago, when the sophistication of the exploits had developed to the point where it was no longer safe to use any Microsoft OS online. Since then it really hasn't gotten much better, has it?

I think it's a shame that the company with the fattest pockets can't be bothered to get it right yet still demands to be on every PC made.

Re:

[ElephanTS]

couldn't agree more. I mean, step back and look at this situation: it's utterly ridiculous. The trouble is the geneal public are not sophisticated enough to see this as primarily MS's problem brought about by bad design decisions.

Re:

[demo9orgon]

Hey, it's not a high-horse...it's a soapbox. :-)

Agreed, all old OS's are weak somewhere. But what happens to grandma when her doting son hands her his old boxen with XP with expired "Anti-" ware on it? Grandma entertains keyloggers with insights into the wicked subterfuge of bridge groups, quilting, what happened at the store checkout queue, or just how awful the last family gathering was; and all the while her machine is merrily testing basic-auth at a pornsite somewhere while she wonders why everything s

C'mon, I hate MS but this is FUD

[Opportunist]

The BBC ain't a computer biz company. They wanted a story. And what's a better (tech) story in the age of phishing and spam than "OMG TROJANS!"?

Of COURSE you get plastered with portscans and worms hammering against the "well known" ports. That's normal. Welcome to real life on the 'net. You think it's different for my *nix Machine? It's not. My firewall-log is getting flooded with kids and worms trying to find some unprotected ports, trying to connect to 21, 22, 23, 80 and so on, just to see if there's anything running they could use. The real question is, how many successful attacks did happen? Saying XP is insecure because a billion people hammered at its doors is FUD. When a million of those make it in, though, it's a different matter.

And yes, an unpatched WinXP is insecure. It simply is. Get a router and you're set against 99% of the external problems you may face. But then you still should not use the machine to access anything on the net, because some of the tools you're using (IE and Office being the two key players today) has known (and party unpatched) security issues that may cause execution of code when you're not really careful and know what you're doing.

In a nutshell, going online with a MS product that's not well firewalled and using anything but alternative software for the access of online resources is grossly negligent IMO.

How many succeeded?

[140Mandak262Jamuna]

Yeah, there are bots and they keep sniffing. That is not news. How many of these known attacks actually succeeded? If none, it is pretty good. If one, "Redmond, we have a problem". I assume they OS they simulated was the one that gets shipped right now, not some original unpatched pre SP2 WinXP. If it was an old OS that is not being shipped by OEM vendors currently, then the test is bogus. It is anti MSFT FUD. All FUD is bad, whether it is anti-MSFT or anti-Linux.

Interesting

[The Cisco Kid]

... that while they call attention to an obvious problem, they don't suggest any solution.

do Linksys Routers/Firewalls help?

[kisrael]

I usually am actually behind a Linksys Wireless Firewall/Router. Does that tend to help this kind of problem, or am I being pwned and not realizing it?

Re:

[Antique Geekmeister]

It helps a lot: but the firewall itself may be vulnerable. Check it for available updates.

A lot of Windows machines get zombied pretty fast these days, by fascinating web security vulnerability hacks when the owners go web browsing even for legitimate materials and the hacks are installed on "owned" servers. These zombies then open up a port to designated controller machines on the outside for control by remote entities such as spammers using the machines to send the spam from unblocked netwrks. It's a seri

Re:

[cr0sh]

kisrael, I am with 'Geekmeister on this, too - check for updates. The best way to do this is to google " exploit" - so, for your case, you would google "Linksys exploit", and see what returns. I have personally bought three different used NAT routers from Goodwill (each cost under $10.00 used!), and before hooking them up, I checked for exploits (I currently use a homebrew P90 Freesco box) - all of them had an available exploit, and only one of them had an update to correct the exploit. On two of them, the

Is this "average?"

[chaboud]

I have to question the blind assertion that this is the average user. Can one even establish a mean (or median) user on a number of different behavioral axes?

This is a common myth among users and developers alike. I regularly hear "the majority of people aren't going to do that," but it's as silly to base design decisions on what the supposed majority will do in one case as it is to claim to be representative of the "average user" with one system. The BBC uses such vagaries as "However, at least once an

Nice Fearmongering

[Effugas]

I saw a great ad for an Antivirus product recently. "Finally, protect your users from the Melissa virus!"

Dude, it's 2003, they want their security holes back.

I'm not going to mince words: This story is BS. Lets take the money quote here:

However, at least once an hour, on average, the BBC honeypot was hit by an attack that could leave an unprotected machine unusable or turn it into a platform for attacking other PCs.

Really? Once an hour, something that'll remotely own XPSP2, just being leaked out over the Internet?

"Seven hours of attacks: 36 warnings that pop-up via Windows Messenger. 11 separate visits by Blaster worm. 3 separate attacks by Slammer worm. 1 attack aimed at Microsoft IIS Server. 2-3 "port scans" seeking weak spots in Windows software."

OK, Windows Messenger service is disabled in XPSP2...Blaster hasn't worked in years, Slammer never even hit XP Home by default (you had to install Visio), IIS isn't even available for XP Home, and port scans aren't too relevant when you have a firewall on by default.

What a completely worthless story. You know, we have enough actual security problems going on (the glacier of cross site scripting exploits, what's going on in the online banking realm) that whinging about long solved problems is not only irresponsible; it's dangerous.

Re:

[Anonymous Coward]

The BBC runs hundreds of linux servers, I suspect they are aware of it.

I call BS

[jacquesm]

installation procedures for RealOne on the BBC [bbc.co.uk]

I Wished all broadcasting corporations were as 'backwards' as the Beeb.

Re:We have a Love connection.

[Lave]

From my experience the Beeb runs a large amount of linux articles. And is quite vocal about free open source alternatives (a benefit of not being funded from corporate sponsors). For evidence try typing "linux" into their search engine. It gives you 49 pages of hits for the whole of bbc.co.uk, 9 pages of which come from just the "news" section.

So you are simply wrong.

Re:I have plenty of reasons to dislike Microsoft..

[advocate_one]

it WASN@T a fscking test... it was an article showing just how fscking dangerous it is to put an unprotected box on the internet... fer fecks sake... next week they let it get infected just to show what happens...

Re:I have plenty of reasons to dislike Microsoft..

[jfengel]

Strictly, they said the attack was aimed at IIS, not that the attack was successful.

In fact, it's not clear from the article that ANY of the attacks were successful. If that's true, it doesn't really matter how many attacks there were, and it doesn't make Windows any less safe than Linux or VMS, for that matter. Only the successful attacks matter. (You've got to shut down the Messenger, to be sure, but I'm pretty sure that comes turned off now, and it was a stupid feature in the first place.)

Sure, it sucks

Re:

[penix1]

Strictly, they said the attack was aimed at IIS, not that the attack was successful.

Strictly, they said one (1) attack was for IIS.

In fact, it's not clear from the article that ANY of the attacks were successful. If that's true, it doesn't really matter how many attacks there were, and it doesn't make Windows any less safe than Linux or VMS, for that matter. Only the successful attacks matter. (You've got to shut down the Messenger, to be sure, but I'm pretty sure that comes turned off now, and it was a stu

where are all the attacks coming from ..

[rs232]

"This is a pretty bogus test. Obviously they didn't install security updates before going about their business,", not already in use

"we installed an unprotected version of Windows XP Home configured like any domestic PC."

"made apparent by the fact that the system was vulnerable to viruses that came out over 3 years ago", not already in use

But these three year old attacks were still coming from other already infected machines on the Internet. Are all these infected machines running three year old software.

was Re:I have plenty of reasons to dislike Microsoft..

Re:I have plenty of reasons to dislike Microsoft..

[joe 155]

whilst I will take your point about updates I have found a problem simlar to this personally and I think that you judge them too harshly. When you have a computer which is band new the first thing you will do is connect to the internet. It would take a couple of hours to download the updates for XP up to this point, especially if your on an old service pack (I must admit I don't know if they now sell them with SP2 or not...), even if you get it with the newest service pack if your on a 128K connection a c

Re:I have plenty of reasons to dislike Microsoft..

[Rik Sweeney]

Obviously they didn't install security updates before going about their business

they were probably trying to download them...

Re:I have plenty of reasons to dislike Microsoft..

[julesh]

This is a pretty bogus test. Obviously they didn't install security updates before going about their business, made apparent by the fact that the system was vulnerable to viruses that came out over 3 years ago.

You know what: most people don't install the updates. Unless they're prompted to during installation, which was added with SP2.

Re:I have plenty of reasons to dislike Microsoft..

[idontgno]

Obviously they didn't install security updates before going about their business

Yes. But the machine came under attack within seconds of connection. Best case, you're downloading worms and MS updates simultaneously. The barn door will be closed...right on the horses' departing derriers.

And IIRC, this is the first thing Windows will do upon connecting to the internet.

In other words, quite possibly too late.

They also mention IIS.... does home version even ship with IIS???

No, but worms don't know that. I

Re:

[Hakubi_Washu]

And that help isn't to be frowned upon, it makes surviving the best-case-scenario (just fallout) a lot easier, because you don't get so much radioactive stuff sitting inside your body, slowly poisoning it, when the place is already taken by something more or less harmless. In any worse case, I fondly think of the instructions a friend of mine got about the ABC-foil (designed for duck&cover-excercises) during military training: "When you see the flash, hold the sheet in front of yourself. It'll make sure

Re:

[Hakubi_Washu]

Well, continuing this joke is kinda lame, but then the Germanium in these basement walls is known as a laughing-inhibitor...

Re:

[julesh]

Portmappers are for network file systems

Maybe that's what you use it for, but generally speaking portmappers are for discovering how to connect to specific RPC services. Windows includes a number of RPC services that are useful on a LAN, the same as many Unix-type systems do.

Re:

[RonnyJ]

A lot of people seem to be mistaking what this article shows.

It's not showing how weak an unpatched XP machine is, they're instead logging the attacks that are still happening on the Internet daily, and then showing the frequency of them. For instance, they logged 11 attempts in 7 hours from the Blaster worm. If, as some people are suggesting, they were just placing an unpatched machine on the Internet, the machine would have restarted from the very first Blaster attack.

Re:

[theguru]

With a whole lot of 15 minute samples, and very few 15 second samples, then toss in some rounding, and there you go.