US-CERT Says Microsoft's Advice On Downadup Worm Bogus
CWmike writes "Microsoft's advice on disabling Windows' 'Autorun' feature is flawed, the US Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack. US-CERT said in an alert that Microsoft's instructions on turning off Autorun are 'not fully effective' and 'could be considered a vulnerability.' The flaw in Microsoft's guidelines is important at the moment, because the 'Downadup' worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features."
Non-Windows User Here (Score:5, Insightful)
Re: (Score:2)
Aren't you shocked that Autorun on USB class device (key) is enabled by default?
Re:Non-Windows User Here (Score:4, Informative)
I would be, if it was true. It isn't. Autoplay, something completely different that was introduced in XP is there for USB devices but not Autorun. Autoplay requires user interaction to do anything, which is why the whole folder icon fooling people is a big deal.
If I get you to click on a link that says you get $1000 for clicking on the link but it really installs software (requiring more clicks to approve) and you do it anyway - and keep confirming it, over and over, I'd say it is your own fault.
Re: (Score:2)
Autorun also works if the flash drive pretends it's something else, like a USB CD drive. Then Windows will allow autorun. There are entire lines [u3.com] of USB drives that have this (mis)feature.
Re: (Score:2)
Funny thing is, they copy everything from OS X regarding ease of use but they don't stop a second and think why Apple, the king of usability, stayed away from autorun/autoplay. Doesn't Apple have a similar feature? Of course: if you set a special bit/file (not sure, Roxio Toast and Apple do it), it auto-opens a Finder window when a CD/DVD is inserted, only showing its contents and nothing else.
If it wasn't shouting "security/stability risk", Apple would put that feature back in MacOS days.
Re: (Score:3, Informative)
To turn it off by default you might have to. You can just hold Shift and disable it temporarily when you plug something in, until the detection is finished.
Except it can still autorun in response to other events than plugging it in, like single clicking the drive or some applications that look for devices periodically.
Re:Non-Windows User Here (Score:5, Insightful)
That doesn't really provide true protection against all AutoRun attacks.
USB/flash drive-based attacks typically work by creating an autorun.inf file that replaces the default action for that device. By default, XP would simply prompt the user with a list of AutoPlay actions to take (with the AutoRun-specified action selected) when the drive is plugged in. If you "disable" AutoRun, then that menu won't pop up, but that is arguably more dangerous; the reason being that when the AutoPlay menu pops up the user has a chance to see that an unfamiliar action has been added/selected.
If a computer-savvy user plugs in their iPod/PSP/thumbdrive and the AutoPlay menu shows some strange new action and program icon, they are going to be suspicious. They will likely select the "Open folder to view files using Windows Explorer" action to browse the volume and probably detect the malware and autorun.inf file.
Now, a typical scenario when AutoPlay is disabled is that a user will plug in an infected flash drive, open up My Computer, and proceed to double-click on the removable volume to open it for browsing. However, whether or not AutoPlay/AutoRun is enabled, an autorun.inf file can replace the default action for that volume. And this time the user has absolutely no warning (unless the malware author is dumb enough to replace the volume's icon and advertise the presence of the virus). I mean, how often do you actually right-click on a volume to select "Open" from the context menu or to check its default action? Most people are in the habit of simply double-clicking on a drive icon to browse its contents.
Then there's the matter of dual-filesystem flash drives. Because Microsoft places the interests of the RIAA ahead of the interests of their customers, they've used AutoRun to implement a rather dangerous DRM mechanism. If CDFS is detected on any removable volume, Windows automatically assumes that it is a protected CD and will launch any program specified by autorun.inf. This functionality will work whether or not you have configured Windows to allow AutoRun, and you cannot bypass it by holding down the "shift" key. But that can only be expected when you have DRM that's designed to "protect" the system from its user/owner.
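The autorun.inf tricks the comment above describes (hijacking the drive's default action, borrowing Explorer's folder icon, copying the text of the built-in "Open folder to view files" entry), as an added triage example. This is not code from the thread, from US-CERT or from Microsoft; it parses an autorun.inf with the same lenient rules the Windows INI reader uses (case-insensitive keys, ';' comments, first occurrence of a key wins) and lists the directives that make the file dangerous. The sample file, the RECYCLER\autoupdate.exe path and the function names are constructed for this example and are not taken from any real worm.

```python
import re

# Constructed sample, not a real autorun.inf: a folder icon plus an "action"
# label copied from Explorer's own AutoPlay entry, so the malicious entry is
# indistinguishable from "Open folder to view files" in the AutoPlay menu, and a
# shell\open\command override that fires on a plain double-click of the drive.
SAMPLE_INF = (
    "[autorun]\n"
    "; padding lines like this are ignored by the Windows INI parser\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    "action=Open folder to view files\n"
    "open=RECYCLER\\autoupdate.exe\n"            # hypothetical path
    "shell\\open\\command=RECYCLER\\autoupdate.exe\n"
)

# shell32.dll icon indexes 3 and 4 are the closed and open folder icons.
FOLDER_ICON_INDEXES = {3, 4}


def parse_autorun_inf(text):
    """Return {section: {key: value}}: keys lower-cased, ';' comments and blank
    lines dropped, and the first occurrence of a key kept (as GetPrivateProfileString does)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip().lower(), value.strip())
    return sections


def triage_autorun_inf(text):
    """List the directives that run code, replace the default action, or disguise
    the entry. An empty list means the file only sets a label/icon, which is benign."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    findings = []
    if "open" in autorun or "shellexecute" in autorun:
        findings.append("runs a program on AutoRun (open=/shellexecute=)")
    if "shell\\open\\command" in autorun or "shell" in autorun:
        # This is the vector the comment describes: it replaces what double-clicking
        # the drive in My Computer does, with or without the AutoPlay prompt.
        findings.append("replaces the drive's double-click default action (shell\\open\\command= / shell=)")
    icon = autorun.get("icon", "")
    m = re.search(r"shell32\.dll\s*,\s*(-?\d+)$", icon, re.IGNORECASE)
    if m and int(m.group(1)) in FOLDER_ICON_INDEXES:
        findings.append("borrows Explorer's folder icon (icon=shell32.dll,%s)" % m.group(1))
    action = re.sub(r"[^a-z ]", "", autorun.get("action", "").lower())
    if "open folder" in action or "view files" in action:
        findings.append("mimics the built-in 'Open folder to view files' entry (action=)")
    return findings


if __name__ == "__main__":
    for finding in triage_autorun_inf(SAMPLE_INF):
        print("-", finding)
```

Run it against the root of a mounted drive (`triage_autorun_inf(open("E:/autorun.inf").read())`) before trusting the AutoPlay menu; anything that both changes the default action and mimics the folder entry is exactly the combination that fooled users in this case.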
Re:Non-Windows User Here (Score:5, Informative)
Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.
No it's not true. There are lots of ways to do it. The registry editor is just installed by default and pretty simple if you already know how to use it. TweakUI is a free addon Microsoft Powertoy that's worth having and gives you some control back.
http://www.annoyances.org/exec/show/article03-018 [annoyances.org]
http://antivirus.about.com/od/securitytips/ht/autorun.htm [about.com]
Re:Non-Windows User Here (Score:5, Informative)
There's a right and wrong way to disable Windows Autorun [theregister.co.uk]
How to correct "disable Autorun registry key" enforcement in Windows [microsoft.com]
Re: (Score:2)
... and pretty simple if you already know how to use it....
Brain surgery and rocket science are also easy if you already know how to do these. To those that don't have the ability, the time, nor the desire to go to the trouble of learning the arcane art of registry editing, the best thing to do is to choose an OS that doesn't have a registry and is not subject to any of the nearly 100,000 instances of malware made specifically for hapless Windows users. There is little or nothing that the intelligent users
Re:Non-Windows User Here (Score:5, Interesting)
Brain surgery and rocket science are also easy if you already know how to do these
Let me get this straight. You're comparing opening up regedit, browsing through a tree of values, and modifying one with brain surgery and rocket science??? You call it "the art of registry editing". I could teach any even semi-competent person how to use regedit in an hour max assuming nothing more than windows knowledge.
As for the abomination that is the windows registry I agree it's awful and for more than just the reasons you point out, but it's no harder to change a single registry entry than to change an ini file field value. I wouldn't compare the use of notepad to edit an ini file to brain surgery or rocket science either.
Re: (Score:2)
...I could teach any even semi-competent person....
That wasn't my point. Anything is easy once you know how to do it, including rocket science. There are some people intelligent and motivated enough to learn it. There are after all rocket scientists who are still merely human. I have no doubt that you can teach a person to use regedit. The question is one of wanting or needing to, just to keep a computer secure. There are automobile owners who also learn how to rebuild their engines or automatic transmissio
Re: (Score:3, Insightful)
You're comparing opening up regedit, browsing through a tree of values, and modifying one with brain surgery and rocket science???
Hey! `FOR I = 1 . 10' once crashed a space probe.
Apparently it *is* beyond rocket science.
Re: (Score:2)
For games, there are dedicated devices that are cheaper and better.
Says the one that hasn't seen a new game on new hardware connected to a very large TV screen... I'm not arguing about cheaper, but don't try to tell me a console is better.
Re: (Score:2)
brain surgery and rocket science
Funny you should say that; I think a comparison between the registry and a command line interface is pretty valid. Powerful if you know how to use it, dangerous if you don't, and a lot of people use it only when given specific instructions (a specific key or command) by someone else.
Re: (Score:3, Informative)
run services.msc OR Ctrl Panel -> Administrative Tools -> Services
stop and disable service: Shell Hardware Detection
No more auto-run or auto-play
Re: (Score:2)
Bingo!
It does not matter the name,
if software executes beyond user control.
Auto-run, auto-play.
It should be called Auto-Blackmagic.
Re: (Score:2)
When I set up a Windows XP computer, I use TweakUI [microsoft.com] to disable autorun for all drives and all media types.
I hope that is sufficient...
Re: (Score:2)
http://en.wikipedia.org/wiki/AutoRun#The_AutoRun_disable_bug
This bug has been fixed in security updates issued in July 2008. For Windows Vista and Windows Server 2008 the relevant Knowledge Base Article is 950582 with further details in the security bulletin itself.
For Windows XP, Windows Server 2003 and Windows 2000 the relevant Knowledge Base Article is 953252 with details and links to the OS specific patches available from that page. Windows 95 and Windows 98 are not affected.
Note that these are not installed via auto-update, nor do they show up in Windows Update. Also, http://support.microsoft.com/kb/953252/ [microsoft.com] is broken because it points to KB950582 for the XP fix, but KB950582 says it's Vista-only. Microsoft should re-release these as automatic updates. They don't turn off auto-run, but they allow you to turn it off.
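The registry value behind the "disable AutoRun" guidance the passage above refers to, decoded as an added example (not code from the thread, from Wikipedia or from Microsoft). NoDriveTypeAutoRun is a bitmask over Explorer's drive-type numbering; a set bit suppresses AutoRun for that type. 0x91, Windows XP's default, still leaves removable and CD-ROM drives enabled, which is why 0xFF is the value the advisories ask for, and the value is only honoured in every code path once the KB950582/KB953252 update is installed. The second .reg fragment is the alternative technique of mapping autorun.inf to a registry key that does not exist, which stops Explorer reading the file's contents without depending on that update. The function names, the .reg layout and the XP_DEFAULT_MASK constant are this example's own.

```python
# NoDriveTypeAutoRun bit assignments, following Explorer's drive-type numbering
# (stated here from the documented value, not taken from the thread).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (floppy, USB)",
    0x08: "fixed (hard disk)",
    0x10: "network",
    0x20: "CD-ROM / DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}
XP_DEFAULT_MASK = 0x91    # unknown + network + reserved suppressed; removable and CD-ROM not
DISABLE_ALL_MASK = 0xFF

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INIFILEMAPPING_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
)


def drive_types_still_enabled(mask):
    """Drive types whose AutoRun the given mask leaves enabled (bit clear)."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def hardened_mask(mask):
    """The mask with every drive-type bit set; 0xFF for any ordinary starting value."""
    return mask | DISABLE_ALL_MASK


def reg_policy_fix(mask=DISABLE_ALL_MASK):
    """Text of a .reg file setting the machine-wide NoDriveTypeAutoRun policy value.
    Explorer only applies it to every AutoRun path once KB950582/KB953252 is installed."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{POLICY_KEY}]\r\n"
        f'"NoDriveTypeAutoRun"=dword:{mask:08x}\r\n'
    )


def reg_inifilemapping_fix():
    """Text of a .reg file that makes Windows read autorun.inf settings from a
    registry key that does not exist ('@' = do not fall back to the file, 'SYS:' =
    relative to HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion), so the
    file's real contents are never consulted for any drive type."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{INIFILEMAPPING_KEY}]\r\n"
        '@="@SYS:DoesNotExist"\r\n'
    )


if __name__ == "__main__":
    print("Still enabled under XP default 0x91:", drive_types_still_enabled(XP_DEFAULT_MASK))
    print(reg_policy_fix(hardened_mask(XP_DEFAULT_MASK)))
    print(reg_inifilemapping_fix())
```

Read the current value from both HKLM and HKCU Policies\Explorer before assuming the machine is covered: a per-user 0x91 left in place still exposes removable media for that user, and the policy value alone does nothing against the double-click path on an unpatched XP, which is the gap US-CERT pointed out.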
Re: (Score:3, Funny)
You clearly underestimate the necessity of such a useful feature as autorun. Sure, Microsoft innovates in this area, but the feature is becoming more common in all devices.
My cell phone has auto-answer. My dvr has auto-record. My paper shredder even automatically runs when you put paper in.
There is a downside of course. The auto-run on the disposal has mangled a fork and a few spoons. The auto-run on the table saw was the most disconcerting, but if you're on your toes about precautions nothing bad wi
Autorun has always been a vulnerability (Score:3, Insightful)
It makes me feel a bit dizzy every time I think that this "feature" is enabled by default. It's a feature in the same way that an online banking system might feature login without a password, "just type your name to instantly access your account!" It saves the user a tiny hassle against an opportunity for absolute catastrophe.
Autorun is high on my list of stuff to disable very shortly after installing a fresh copy of Windows.
And it's not like it's a secret that this is a vulnerability. There's a reason Apple abandoned this capability when it moved from OS 9 to OS X.
Microsoft deserves derision for continuing to offer and promote this feature.
If Microsoft can't be bothered by it, nor convinced it's a very, very bad idea, then autorun should at least be limited exclusively to CDs and DVDs. That would merely be a terrible idea, as opposed to a downright catastrophic one.
Does Windows Vista or Window 7 handle this differently than XP??
Re: (Score:2)
Fortunately, U3 drives can be neutered.
Re: (Score:2)
Autorun thing was "invented" on Windows 95, right? There were thousands of evil MS-DOS viruses back then which were sometimes way more advanced than the Visual Basic junk of today.
What makes me shrug is that fact. It is not like MS-DOS was virus free, and they already had reports of Windows 3.1 breaking because of DOS viruses. First thing they invent on a DOS hybrid OS? Autorun, which will run anything said in the autorun.inf file. Well, let's say in Windows 95 times a CD-R really cost too much. What about W
by taking advantage of ... users. (Score:5, Insightful)
"by taking advantage of Windows' Autorun and Autoplay features"
well no, not really.
Granted, they take advantage of the fact that...
1. there is an autorun feature. Is that so horrible? Probably not.
2. that the autorun feature pops up a display letting the user choose what to do (i.e. run the program, browse the drive, view pictures if it finds them, etc.). Again, not so bad.
3. that the autorun feature lets you customize the icon. Okay, things get a little hairy here - it's nice when the icon fits the program, but this malware uses the icon of... a folder. Just like the 'browse the disc/device' icon.
4. that the autorun feature does not have a -clear- distinction between what are autorun directives (run the program), and what are windows' built-in features (browse the drive).
The fourth is nearly inexcusable and if handled well, it would alleviate the third as well - just put a big red border around the darn thing (is one option, anyway).
In the end, though, it doesn't exploit 'autorun' directly - it exploits the fact that many users will think that the option with the folder icon with (misleading) description is the regular 'browse drive' option and click it carelessly.
Re: (Score:2)
You really do a good job, but defending "autorun" is just preposterous. This was always obviously a dire security hole, but Microsoft still (???) denies it is a bug. They responded to criticism only by adding another layer and making it harder to turn off. Automounting is a positive feature, but auto-execution by default is an anti-feature. Even if it were opt-in it would be bad design.
Re: (Score:2)
This was always obviously a dire security hole, but Microsoft still (???) denies it is a bug.
It's not a bug. It's a misfeature. There are a huge number of very good reasons to have it (half the population or so), it's just that there are stronger reasons that it's bad.
Re: (Score:3, Informative)
Microsoft introduced this when the only autorun capable device was a CD-ROM player and the only CD-ROMs were those manufactured. The idea of a "malware CD" was preposterous.
Any CD-based game for Windows was required to make use of Autorun/Autoplay in order to receive the Windows logo. It was designed to make inserting the disc with zero or minimal install operate like putting a cartridge or CD into a game console.
I am not familiar with any autorun capability on USB drives, but they have Autoplay. Autopl
Re: (Score:2)
there is an autorun feature. Is that so horrible? Probably not.
Yes, actually it probably is a horrible feature which hurts most precisely those whom it was meant to help (i.e. the barely computer literate people). Everyone that I know who knows about this feature or cares at all about security turns it off. At the very least, if an OS is going to include this type of feature then it should be tied in with a trusted source system, using public key cryptography and certificates for example, so that only trusted sources can use the autorun feature (assuming that is turned
Re: (Score:2)
well, presumably that's what the default "ask me what to do" option, with the program listed at the top, is supposed to effect.
but the option to set your own icon + description then makes it too easy to mislead people, currently.
=====
by the by... the CERT recommendation - http://www.us-cert.gov/cas/techalerts/TA09-020A.html [us-cert.gov] - now notes that MS have an update available for manual install (XP etc.) and/or coming up on windows update (vista, server 2003) that -does- fully close the other vectors that CERT ment
TweakUI anyone? (Score:3, Interesting)
Re: (Score:2)
Does anyone know for certain if disabling autorun on all drives using tweakui eliminates the attack vector?
Re: (Score:3, Funny)
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package omgponies
Hey... That didn't work.
Re: (Score:2)
They do, it's called Windows Server 2003 with WSUS installed =)
Re:I'm a linux what's a worm? (Score:5, Informative)
November 2: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities.
Re: (Score:2)
For a bigger shocker, the first PC (not in the sense of IBM) virus was a Mac virus. "In the home", Richard Skrenta, 1982. It was a joke that got out of hand.
I really hope nobody/no company codes a virus/worm for operating systems which are considered "super secure" by their clueless users. Results would be disastrous as there is almost no security software running on such systems.
RANT / was(Re:I'm a linux what's a worm?) (Score:5, Insightful)
chkrootkit, tripwire, clamav, shorewall, john-the-ripper, and snort run on a lot of systems considered super secure by their users.
Some people consider their systems super secure because they know they are not they guess they are.
The question on freebsd-security a few years ago was what was the best way to avoid denial of service attacks if you are logging to lpr. (one of the obvious suggestions is do not log repeated messages, just the number of times the message has repeated. this will increase the work required to kill your server by running through all the paper and hanging until more boxes of paper are fed to the printers.)
That was the same list that made me realize that you should not have passwords on multiuser systems, or servers in general.
Do you really think that people use passwords like this
makepasswd --char=32 --count=10
CLWwBsm1c15IFadg4KTjrHhCBjFP8RNI -- for slashdot
RLQaXqSEfRHgLnwjjbgoJU5y4Uya2hM6 -- for gmail
NebgFMATH990vB8US8CE4zMgeR7uum02 -- for Administrator
SFa0qT5nIQuLYtTsq44I8336ghEBApiD -- for user account
smcruMr8rzE6PFHzus8AmPcIoKNFy0Rh -- for facebook
L6wynpgAHoINdQm2CWwXdfSiJrBzQ8YG -- for myspace
Q3D1JBVXtgPNNo4bm16WAcKPMhox8s6C -- for banking
L1hEhuisoFcnoyGEYxPYqW8Hq4Qs2EmY -- for retirement account
2RqaobNEKyQIIoUVoFPty6EruLQhVE0F -- for work login
s0zJFsLiWCSN0e5fCEvpi48GV4D0PjyH -- for paypal
Phishing sites are one of the best ways to effectively get the information and tools needed to illicitly act on behalf of someone else.
At some point public key logins via ssl will become the norm; until then, passwords will be the weak point in most systems.
Realize that even though Debian had the ultra limp SSL keys generated, it still seemed more productive to use password guessing than to try brute-forcing an almost known key. Passwords suck that bad.
I would not be surprised if a sizable number of systems (more than 10%) in Arizona could be broken into this week with a dictionary attack of:
cardinals
cardina1s
Cardina1s
For those that want an analogy, imagine zoning laws that required NORAD style doors on all buildings and twenty percent of the population deciding that it is stupid and refusing to lock their doors. You would have a situation similar to the computer landscape today.
Re:RANT / was(Re:I'm a linux what's a worm?) (Score:5, Funny)
Do you really think that people use passwords like this
makepasswd --char=32 --count=10
CLWwBsm1c15IFadg4KTjrHhCBjFP8RNI -- for slashdot
RLQaXqSEfRHgLnwjjbgoJU5y4Uya2hM6 -- for gmail
NebgFMATH990vB8US8CE4zMgeR7uum02 -- for Administrator
SFa0qT5nIQuLYtTsq44I8336ghEBApiD -- for user account
smcruMr8rzE6PFHzus8AmPcIoKNFy0Rh -- for facebook
L6wynpgAHoINdQm2CWwXdfSiJrBzQ8YG -- for myspace
Q3D1JBVXtgPNNo4bm16WAcKPMhox8s6C -- for banking
L1hEhuisoFcnoyGEYxPYqW8Hq4Qs2EmY -- for retirement account
2RqaobNEKyQIIoUVoFPty6EruLQhVE0F -- for work login
s0zJFsLiWCSN0e5fCEvpi48GV4D0PjyH -- for paypal
Hey! How come you know all the combinations to my luggage?
Re: what's a worm? (Score:5, Informative)
The machine took out more than a lot of mail servers, bringing them to a grinding halt for the duration.
Re: (Score:3, Informative)
Perhaps it's more accurate to say that the Morris Worm did not carry a destructive payload. It's true that it brought down more than a few servers, but that was only because it spread so rampantly without -- as with many modern worms -- any kind of rate-limiting logic.
Re: (Score:2)
It was an afterthought?
I swear in many places it wasn't a thought at all.
Re:I'm a linux what's a worm? (Score:4)
The system was designed to be open by default... not secure. Security was ALWAYS an afterthought.
I don't think I'd say it was an afterthought, that implies they believed it was important to address, once discovered late.
The closer reality seems to be that they acknowledged the issue and determined it made a better feature than vulnerability.
Like the windows autorun on media insert that's making Downadup so successful as of lately. Amazing they STILL haven't axed that. This isn't a case of them being late with a fix, this is a case of them refusing to fix it.
Re: (Score:2)
... that UNIX systems were the first to learn how to protect against worms as a result.
Interesting.
Do you know when they became self-aware and launched biological viruses after (or was it before) learning to protect against man-made worms?
Re: (Score:2)
And you neglect to point out that it did nothing and that UNIX systems were the first to learn how to protect against worms as a result.
It did nothing except propagate, which was bad enough, but its primary entrance vector was sendmail binaries compiled with unfortunate debugging code that was effectively a passwordless root login.
So what was the primary lesson to be learned? Binaries distributed without source code and not rebuilt on a server under a watchful eye are a bad idea - true.
Re:I'm a linux what's a worm? (Score:4, Funny)
There's a new sound, the newest sound around
The strangest sound that you have ever heard
Not like a wild boar or a jungle lion's roar
It isn't like the cry of any bird
But there's a new sound, it's deep down in the ground
And everyone who listens to it squirms
Because this new, new sound so deep under the ground
Is the sound that's made by worms
Re: (Score:2)
I thought worms only lived in the dirt and my dogs ass
I've never heard Windows described quite that way.
Re: (Score:3, Funny)
Try working in software support then.
I've heard it called much worse.
Re:News? (Score:5, Interesting)
Sometimes they come out with something good....I think.
But they've always been completely screwed up on anything whatsoever to do with autorun.
It was a bad idea from the start, and it's just managed to get worse.
Re: (Score:2)
I don't mean "just now managed to get worse with this attack."
I mean "only got worse and worse - never better - through the entire time since it was introduced."
Re: (Score:3, Insightful)
Vista is the most secure windows OS, probably. "most secure" != "secure".
This worm is evidence that they still have a long way to go.
Re: (Score:2)
Windows makes it way too easy for morons to do their thing.
Put any of those three types on Linux and lets see how much damage they can do.
In all three, no matter what they do, the core system remains fully intact.
Re: (Score:3, Informative)
SELinux goes a long way toward containing viruses, as long as the distro maintains decent default policies. For example, only files from the Mozilla packages should be able to modify ~/.mozilla/ or any files in that directory, and Fedora's SELinux policy puts those files in their own context.
So, when I want to use vi to edit one of the text files that are used to configure Firefox, I can't?
Although this might be more secure, I call it just a pain in the ass. Most of the SELinux policies fall into this category, although a few are just a pain in the ass without being any more secure. Add the following to your .bashrc to work around one of them:
iptables-save() {
    # Pipe through cat so the redirect target is written by cat, running in the
    # shell's SELinux domain, rather than by iptables-save, whose domain the policy
    # blocks from writing the file. "$@" keeps arguments with spaces intact.
    /sbin/iptables-save "$@" | cat -
}
If this same sort of hack works with the Mozilla SELinux policy, then all you would need to do is re
Re: (Score:2)
See how much of *anything* they could do.
That's not a good thing.
Re:Windows itself is a vulnerability. (Score:5, Informative)
Which is just not feasible sometimes. Every few weeks, someone I am working with -- yes, some of us must work with others on our computers -- brings me some files on a thumb drive. I have no choice but to plug that drive into my computer and deal with it, other than not getting my work done at all.
"Putting them in a limited user account and putting a good AV to scan whatever folder they are downloading crap to usually does the trick."
When I used to repair computers, I found that doing this invariably led to questions like, "Why can't I install [insert well known program name here]?" Windows systems really are not oriented toward this sort of security for single users who cannot just call up their helpdesk whenever they need some software installed.
"If you put these types on OSX or Linux they would break just as much as they do on Windows. They would just be loading "Hot_Pron_codec.dmg" or "killer_tune.sh" instead of an
Except that in OSX and Linux (and BSD and Solaris and all *nix systems) files have to be explicitly declared executable. A user receiving LatestPopSong.mp3.sh would just sit there confused and asking, "Why does it keep opening this song in a text editor? Why does my music player keep getting confused?" In distros that enable SELinux, you can have even more security -- for example, a policy that prevents programs which are not part of Firefox from writing to the Firefox configuration, which would prevent typical virus-installing-keylogger-in-web browser attacks that seem to be so common today; such a policy could be maintained by the distro packagers themselves; in fact, Fedora already gives the
Yes, if administered by experts, Windows can remain secure even when connected to the Internet, I will not deny that. Most single user Windows installations are not administered by experts, and unlike big name Linux distros, Microsoft does not have thousands of people tuning the Windows security policies, nor do they have tens of thousands (perhaps hundreds of thousands) of people fixing bugs.
Re: (Score:2)
Sure, you can create such a security policy in Windows, but it is not done by default.
Really? A per-application policy? That's cool! How do you do it?
Re:Windows itself is a vulnerability. (Score:4, Interesting)
Except that in OSX and Linux (and BSD and Solaris and all *nix systems) files have to be explicitly declared executable.
There was an outbreak of malware a while back that required users to open a password-protected zip file, and execute the contents within.
You really think having to set a file +x, or running it from a commandline with 'bash file.sh' is really going to slow them down ?
Re: (Score:2)
Any tips on how to get these people to accept the switch though? I'm trying my hardest with a guy I work with, he just cant seem to handle the transition. I got him a gmail account, set it up to retrieve his other accounts mail, explained the benefits (considerable, considering he pays way too much for metred internet access and is constantly receiving large attachments he usually doesnt need to open but Outh
Re: (Score:2)
> large attachments he usually doesnt need to open but Outhouse downloads them anyway
> every idea I've tried comes to nothing
You're quite the wizard, gosh he's lucky to have you helping him out.
Outlook, like every other frikken mail program, has a setting to download just the headers until you dblclick to view the message. Search on "Outlook download headers". Don't call it Outhouse, because, y'know, the search won't work that way. Am I getting too technical for
Re:Windows itself is a vulnerability. (Score:5, Interesting)
If you put these types on OSX or Linux they would break just as much as they do on Windows.
You had me up to that line. I have managed 4 desktop computers at a youth drop-in center for a year and a half now. We have all three of your types using these machines on a nightly basis.
On my first day all four computers ran XP Home with the youth using just the guest account. All four computers were heavily infested with you-name-it. The hard drives never stopped churning and the router lights never stopped blinking, 30 minutes after logging out.
I spent that first evening exorcising the demons on what appeared to be the worst of the four stations. I gave it a clean bill of health, tightened up security here and there, and called it a night. I decided that night that I would clean out one machine per week.
I went back for round 2 a week later and the one I had cleaned the week previous was back to its original state.
I spoke to the management and obtained permission and funds to do some minor hardware upgrades on the office computer. All the hard drives got pulled from the youth computers and assembled into a RAID on the office computer, on which I did a fresh default install of Ubuntu and ltsp. I created an account for every youth that wanted one and told them to have fun. I even installed limewire and showed some of them how to grab torrents using deluge and transmission.
A year and a half later and not a single breakage. No pop-ups, no churning disks, no dead family of five. I'm effectively unemployed with this organization.
Go ahead and tell me that Windows can be made secure. Yeah, I know. I work in 3 schools and it's all Windows or nothing, and the IT people (not me) have done a great job of locking things down and generally keeping things ticking. But that's far from default configuration.
no, "these types", the same ones who had 4 xp desks in a perpetually broken state, even with AV and limited accounts, haven't broken a default linux install yet.
Re:You'll still have to keep ahead of the tide (Score:5, Informative)
I remember the days pre-Windows when UNIX vendors were cursed and sworn at because they didn't patch the latest bugs quickly.
People will attack whatever operating system gives them the most bots for the buck. If the predominant OS is a UNIX, then it will be invisible .ko/.kext modules that will be the sysadmin's bane.
Right now, there are two main attack vectors other than the PEBKAC "hole" and social engineering. The first, a direct attack on a machine, can be mitigated by a solid firewalling router, so an attacker has to deal with a hardened attack surface before touching the more chewy machines behind it.
The second attack vector is the Web browser. It is in constant contact with untrusted code. To secure this beast takes more than just good defensive programming because even with a solid browser, a third party plugin might cause issues. It takes cooperation on multiple levels, where the OS has hooks to run the browser in a sandbox, but yet allow it to have upload/download functionality that users want. Vista's protected mode of IE7 is a great start, but all Web browsers need this protection, whether it be done by SELinux type profiles that exist in various Linux distros, or actual virtual machines that completely roll back all changes except to the bookmarks when the user is done and closes the browser session. Solving this problem will close a lot of potential security threats.
Finally, autorun just needs to go, and be replaced by a different, more secure system. Autoplay can stay, but it should never run anything other than showing the root of a CD or DVD, or pulling up a media player if a CD or DVD is inserted. In no way should an executable ever be automatically executed by default. It's just too easy these days to make a U3 flash drive with a bogus CD partition with malware present.
Re: (Score:3, Insightful)
Just because you've never noticed them doesn't mean you've never gotten a virus. Modern viruses are more intended to be quiet and do their spamming/backdoor thing these days, since users who find them may attempt to remove them.
And no, antivirus is not much protection.
Re: (Score:3, Funny)
Microsoft supplied the software that allows people's computers to become infected, then gave them false information leading them to believe they're safe, when they're not really.
Suspicious...
Yeah, it's almost like they value convenience over security (having autorun), and don't know how to write perfect bug-free software like the space shuttle people do (look at the "Update:" at the end of the advisory, the fix instructions should have worked, but they don't without a patch).
Re:Hmmm... (Score:5, Insightful)
Although Microsoft has not formally recommended that users disable Autorun as an anti-Downadup measure, most security companies and researchers have in light of the autorun.inf infection vector.
The "recommendation" referred to is almost two years old [microsoft.com] and has nothing to do with the worm. Article is a troll pretty much. One support article is for disabling Autorun on CD-ROMs, while the other is for Autoplay. Neither was created specifically to support Downadup as far as I can tell.
So no, not really suspicious at all. Bad on the "researchers" who have pointed to those articles for protection.
Re:Hmmm... (Score:5, Interesting)
Um, what are you talking about? If there is a worm going around that exploits the AutoRun, then naturally the thing to do would be to disable AutoRun. So why is it bad on the researchers for advising people to disable a feature that makes their system more vulnerable to an ongoing security threat? And how is US-CERT or ComputerWorld "trolling" by pointing out that Microsoft's instructions for "disabling AutoRun" don't actually disable AutoRun?
Microsoft is the one who created a feature that is now an active malware infection vector. They are the ones who set this feature to be enabled by default. And they are the ones who made it near impossible to turn off (without downloading additional software). And to make things worse, they release inaccurate advice on how to "disable" this feature, which could potentially lull users into a false sense of security.
Re: (Score:3, Interesting)
Microsoft is the one who created a feature that is now an active malware infection vector.
Microsoft is the one who recreated a feature that is an active malware infection vector.
There, fixed that for you. Executing anything coming from the outside by default has ALWAYS been a horrible idea.
How many decades has it been since we all disabled uux and such from our UUCP configurations?
Now, GET OFF MY LAWN!
Re: (Score:3)
One article is for disabling Autorun [wikipedia.org] on CD-ROMs specifically. One article is for disabling Autoplay. [wikipedia.org] Neither article describes how to stop the autorun.inf file from being processed on all removable media, nor does either article claim to do that.
This is like hitting the button that turns off your rear windshield wiper and getting furious that your forward wipers didn't turn off. Similar and related feature,
Re:Even if it doesn't work... (Score:5, Informative)
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
Basically it just associates autorun.inf with a NULL system function as the default handler.
Re: (Score:2)
Sadly, Autoplay doesn't rely on autorun.inf. The folder icon executable can still pop up on XP and Vista.
Re: (Score:2)
III. Solution
Disable AutoRun in Microsoft Windows
To effectively disable AutoRun in Microsoft Windows, import the following registry value:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
If you think you know more than the people at CERT, good luck to ya.
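An added audit script (not from this thread or from CERT) that checks whether the IniFileMapping workaround quoted in the two posts above is in place, alongside the NoDriveTypeAutoRun policy value that Microsoft's own articles rely on, and applies the CERT value with -Remediate; the key paths, cmdlets and the 0xFF meaning of NoDriveTypeAutoRun are standard Windows, while the note that the policy value only takes effect with KB950582 installed comes from the thread.

```powershell
# Added example, not part of the Slashdot thread or the CERT advisory.
# Audits both Autorun mitigations discussed above. Run as Administrator.
[CmdletBinding()]
param([switch]$Remediate)

$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# 1. CERT workaround: the (default) value of the mapping key must point at a
#    registry location that does not exist, so autorun.inf is never parsed.
$mapped = $false
if (Test-Path $mapKey) {
    $default = (Get-ItemProperty -Path $mapKey).'(default)'
    $mapped = ($default -eq '@SYS:DoesNotExist')
}
Write-Host ("autorun.inf IniFileMapping workaround present : {0}" -f $mapped)

# 2. Microsoft's route: NoDriveTypeAutoRun bitmask, 0xFF = every drive type.
#    Per the thread, this value is only honoured once KB950582 is installed,
#    which is why the IniFileMapping check above is the one to trust.
$noDrive = $null
if (Test-Path $polKey) {
    $noDrive = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
}
$allDisabled = ($null -ne $noDrive) -and (($noDrive -band 0xFF) -eq 0xFF)
Write-Host ("NoDriveTypeAutoRun = {0} (all drive types covered: {1})" -f $noDrive, $allDisabled)

# 3. Optional remediation: write exactly the value CERT recommends.
if ($Remediate -and -not $mapped) {
    if (-not (Test-Path $mapKey)) { New-Item -Path $mapKey -Force | Out-Null }
    Set-ItemProperty -Path $mapKey -Name '(default)' -Value '@SYS:DoesNotExist'
    Write-Host 'Applied IniFileMapping workaround; re-run without -Remediate to verify.'
}
```

As the reply below points out, this neutralises autorun.inf only; Autoplay prompts for a disguised executable are a separate issue the registry mapping does not address.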
Re: (Score:2)
What DRM is that? (Score:4, Informative)
Seriously, what are you talking about? I see a lot of "Vista's evil DRM," tossed around, and very little in the way of specifics to back up what it does, which of course leads me to think the people doing the talking don't know what they are talking about.
So what DRM do you want to see disabled? Are you talking about HDCP, the DVI encryption? That's not MS's standard, by the way, DVD and Blu-ray players are where that's from. However, it is one of those things that you don't have to use if you don't want to. I have a Vista system connected to a monitor which has HDCP turned off (professional monitor, you can change the state manually). Means if the system required HDCP, I'd get no image. But it works fine. Reason is, HDCP is only required by Blu-ray playback software. Now you could disable it on the system, I suppose, but that'd gain you nothing. The software would just refuse to play. It wasn't as though MS said "Let's include this to fuck people." Rather it is required if you want to license Blu-ray playback.
So again, what DRM are you talking about? I'm tired of all this bitching from people who don't know what they are saying. If there is something in particular you object to, let's hear what and why. Otherwise, please stop going on about things you don't understand.
Re: (Score:2)
> Now you could disable it on the system, I suppose, but that'd gain you nothing. The software would just refuse to play.
I suppose the objection is that DRM such as HDCP only proliferates if players support it. The content manufacturers come up with a scheme, and all the little software & hardware players must come on board, because if they don't their products won't be able to play the content.
Microsoft, by virtue of its near-monopoly on the desktop, could kill a DRM scheme for the desktop simply by
Re: (Score:2)
"Microsoft, by virtue of its near-monopoly on the desktop, could kill a DRM scheme for the desktop simply by refusing to support it."
If they did that, how long would it take the EU to start investigating them for abusing their monopoly position?
I don't think they could (Score:3, Insightful)
If they don't support it, they can't play Blu-ray (and HD-DVD before that went under). Ok well what is the average consumer going to do: Blame the AACS-LA, or which ever nebulous industry licensing authority is responsible, or blame the OS maker?
Goes double since the media industry doesn't have to knuckle under. Remember most people watch movies on their TVs. While it isn't a trivial amount who watch on computers, it isn't the majority either. Thus they can get away with just selling to people with players
Re:What DRM is that? (Score:4, Informative)
Yes, and I love Vista's audio system. Wonderful implementation. Vista gets quality sound, from an arbitrary number of apps on any soundcard. It does high quality (32-bit floating point) software mixing of all audio streams. So even if you have a cheap Sigmatel integrated chipset, you get good results. No longer do you need to buy a soundcard with hardware mixing to get good sound. Likewise, you can control the volume on individual apps, regardless of whether they wish to provide volume control or not. Useful for web browsers. You get sites that want to make noise at you, you just mute the browser, while still listening to music. Its resampling engine is also great. It opens up the sound card in the mode you tell it to, and resamples all audio to that. In XP if you had an old app that used a low sample rate, the soundcard would be opened in that and any other apps that played at the same time would be downsampled. Not a problem in Vista, you specify the rate, it handles the conversion.
Also works great for pro audio. WDM/KS still works just like it did before, and indeed Vista will allow KS apps to take exclusive control over the card if needed. Also ASIO works fine, it rides alongside the Vista audio system and isn't affected by it. Then there's the new WaveRT mode. Not a whole lot of support yet, but from playing with it, it is excellent. Extremely low latency, low CPU usage, and few glitches. Wonderful for realtime sound-on-sound stuff.
So personally, I think Vista's audio system is a real step up. I like the way it works with my consumer apps, I like the way it works with my pro apps.
Re:Would like to see a worm disable Vista's DRM (Score:5, Funny)
The 1 step guide to getting cheap mod points on Slashdot
1) Mention DRM
Re: (Score:2)
Why does Microsoft make it so difficult to disable auto-run? I understand that many customers may like the feature, but why not a simple control panel entry to stop it? Is it somehow tied with DRM for playing videos? I'm not just griping - they must have some reason for this, anyone know what it is?
There are people who don't want to be bothered to understand file hierarchies or the "My Computer" window. Microsoft wants to cater to these people, rather than demand that they take time to learn.
Have there been any cases where animals wandered through the automatic doors into some large store? This would be vaguely similar, a convenience feature with unforeseen side-effects.
Re: (Score:3, Funny)
> Have there been any cases where animals wandered through the automatic doors into some
> large store?
Yes, but not nine million of them.
Re: (Score:2)
Re:Concerned: Anybody else using MS Update Service (Score:3, Informative)
Unfortunately KB950582 [microsoft.com] was not classified as a required security patch for Windows XP, and consequently not included for distribution in Windows Update or WSUS.