Fog Creek Software
Discussion Board




The Internet is a radioactive environment

How long would it take for a computer purchased at an average computer store to destroyed by viruses and intruders if it was connected to the Internet without being patched or firewalled? It would not take long, for sure. Our computers must be constantly vaccinated and wear protective shielding when entering the wild, hazardous environment of the Internet.

There is no point to this post, I'm just playing around with the metaphor.

dmooney
Wednesday, September 24, 2003

I had a standard install Linux PC connected to the net unfirewalled before. It lived happily for four days or so.

Havent done the same with Windows.

Patrik
Wednesday, September 24, 2003

How long would a 3 year old child survive on a busy street without its parent?

Yes, computers are that dumb.  Yes they have alot of uses (and potential).  But they're still dumb.

GiorgioG
Wednesday, September 24, 2003

I put one outside our firewall yesterday as a test of just that. It lasted 10 min and is now not booting properly. Win 2k fully patched and updated.

Jeff
Wednesday, September 24, 2003

A co-worker was setting up a system for a friend of his.  Took less than an hour for it to be hit IIRC.

-Thomas

Thomas
Wednesday, September 24, 2003

"I put one outside our firewall yesterday as a test of just that. It lasted 10 min and is now not booting properly. Win 2k fully patched and updated. "

With all due respect, I certainly hope you don't think that is indicative of the lifespan of a computer on the Internet. Windows or not.

Mark Hoffman
Wednesday, September 24, 2003

As of 11pm tonight, my dedicated server account will be closed.  It's running windows 2003 server.  I've just removed VPN server/RAS role, so the machine is out on the internet like little red riding hood, 'vulnerable' and all.  Have at it, you have 4-5 hours to take it down, deface the default IIS6 webpage, whatever.

server IP address: 66.135.34.133

I don't think it'll go down.  I don't think a properly patched (and secured) Windows 2k/xp/2003 machine will go down if left on the dmz either.

GiorgioG
Wednesday, September 24, 2003

Re: How long would a 3 year old child survive on a busy street without its parent?

To take your analogies furthur, the streets is filled with only 2 kinds of people: with orphans with credit cards and SUVs who can't defend themselves and crackers/hackers.

Li-fan Chen
Wednesday, September 24, 2003

The Honeynet project do tests like this. I saw one report (it was a while back) where an out of the box Red Hat 6 machine lasted 15 minutes before being compromised. I'm sure an unpatched Windows box would have a similar lifespan now.

Damian
Wednesday, September 24, 2003

WTF are you talking about?!?!


1. Install Windows XP. DON'T patch it.


2. Install ZoneAlarm.

It's a simple and easy to use, personal firewall. You can use it's password-protection feature so the user can't shut it down.


3. Uninstall Outsuck Express. Install The Bat! or another good e-mail client.

The Bat! warns the user before opening potentially dangerous attachments.


4. Teach the user the following 2 things:

  a. Outsuck Express is very buggy and dangerous to use.

  b. Some e-mail attachments are dangerous. Open attachments only when it's absolutely necessary.


If you follow the 4 simple steps above, the computer will resist for at least a year.

I know mine resisted a lot more than a year, and only because of the measures above.

I reinstalled the OS not because of an attack or virus, but because I upgraded the hardware.


So, it's that simple to protect a computer connected to the "radioactive, bad, evil Internet".

Please stop spreading FUD around.

software enthusiast
Thursday, September 25, 2003

I've put a PC bare on the net (win2k) for weeks, with no issues. 

Bella
Thursday, September 25, 2003

We've been running Red Hat 7.2 on the Internet as a web/messaging server for about a year now, with constant and immediate patching.  Apache 2.0.42, Sendmail, and Resin.  No telnet, all logon communications by SSH or through SSL (for POP or IMAP access).

It hasn't been compromised as far as I know.  There's no change in performance indicating a zombie.  But the logs are full of attempts to exploit IIS vulnerabilities, relay spam, and other tricks.

Justin Johnson
Thursday, September 25, 2003

One of my clients inadvertently did this test w/ a SQL 2000 box (I warned them).  They lasted nearly a month before getting Slammed.

At another place I worked at one of my colleagues vigorously asserted that firewalls were unnecessary.  One of our security guys remotely broke into one of this guy's servers and changed his admin password.  It was the last I heard of that discussion.

Lee
Thursday, September 25, 2003

For the past two years or so, my father's been using an uprotected Windows 98 machine connected to a cable modem.  No viruses that I know of.  Of course, he only uses it for about 15 minutes at a time, three or four times a week.  But still...

J. D. Trollinger
Thursday, September 25, 2003

Did Giorgio's 2K3 machine get hacked?

Mark Hoffman
Friday, September 26, 2003

*  Recent Topics

*  Fog Creek Home