Fog Creek Software
Discussion Board




Media coverage of internet worms

This is an article that is linked from google news.

http://www.newsfactor.com/story.xhtml?story_title=Other-Worms-Bypass-Microsoft-Sasser-Fix&story_id=24043&category=netsecurity

The thing that upsets me is that most of these articles make it sound like it is hopeless.  Since Microsoft hasn't provided fixes for these other worms, you are doomed to be infected. 

This is simply not true.  A simple firewall is really all it takes to mitigate the effects of 90% of these viruses.  The press would just stand up and say: BUY A FIREWALL.  USE IT. 

In my opinion this is like leaving the car door unlocked and having the change in your ashtray stolen.  You'd be lucky if the police would even take a report.  This is essentially what people do when they connect to the internet without using a firewall.  The fact that these worms are so far spread blows my mind frankly.

If you left your door open, everyone would assume you deserve what you get.  This is how I feel about people that connect their computers directly to the internet without a firewall.

christopher baus (www.baus.net)
Thursday, May 13, 2004

If you see lots of red canisters on the wall by the telephone connection next time you go and see your grandma, then you know she's read Christopher's advice.

"I couldn't get planning permission for the firewall dear, but this extinguisher was only thirty dollars, and they said it was rated for electrical fires."

Stephen Jones
Thursday, May 13, 2004

"A simple firewall is really all it takes to mitigate the effects of 90% of these viruses"

No, 98% of viruses come in email attachments.

Ron
Thursday, May 13, 2004

And of course, after they've set up the firewall it will block them downloading the anti-virus updates :)

Stephen Jones
Thursday, May 13, 2004

"In my opinion this is like leaving the car door unlocked and having the change in your ashtray stolen. "

Another pathetically broken analogy. No, running without a firewall is like leaving your car door locked, but the vendor made all of the electronic lock openers use the same code so anyone can open your day. A firewall is hiring a guy to stand there watching your car because of a shitty car manufacturer.

.
Thursday, May 13, 2004

Microsoft should protect me from all the pathetically stupid things I may do because I'm a dumb shit and I have rights.

Big corporations should protect me from all the pathetically stupid things I may do because I'm a dumb shit and I have rights.

My government should protect me from all the pathetically stupid things I may do because I'm a dumb shit and I have rights.

My spouse should protect me from all the pathetically stupid things I may do because I'm a dumb shit and I have rights.

All the people I come into contact with should protect me from all the pathetically stupid things I may do because I'm a dumb shit and I have rights.

You should protect me from all the pathetically stupid things I may do because I'm a dumb shit and I have rights.

Society should protect me from all the pathetically stupid things I may do because I'm a dumb shit and I have rights.

My operating system should protect me from all the pathetically stupid things I may do because I'm a dumb shit and I have rights.

I'm a dumb shit and the world sucks when it doesn't do exactly what I want.

pathetic broken analogy
Friday, May 14, 2004

"I'm a dumb shit and the world sucks when it doesn't do exactly what I want."

Linux fan boys are annoying. Microsoft fan boys are even MORE annoying. Seeing all of the fawning on here by scared little kids afraid that their precious Windows skillz will be deprecated if they don't defend Microsoft at every chance is embarrassing, and truly pathetic. It also betrays how absolutely little most people know about security ("Duh! Stupid users didn't unplug from 'da network! Don't they know all software has blatant holes waiting for worms?"), and the absolute ludicrous nature of "just buy a firewall" proclamations. If there was ever some sales literature of why organizations should seriously consider zOS or BSD or even Linux to run their organizations, it's a listing of the idiotic, naive points countlessly raised in here by the tinyflacid cheerleaders.

Get back to your VB newsgroups you idiots.

.
Friday, May 14, 2004

In any voluntary network of connections there will be involuntary use of those connections.

Simon Lucy
Friday, May 14, 2004

> A simple firewall is really all it takes to mitigate the effects
> of 90% of these viruses.

No it's not. The biggest problem is people coming and going with their laptops all the time.

99% of worm related problems here (2,700 employees) have originated from the *inside* of the corporate network due to people plugging in unsafe laptops.

your address is never revealed
Friday, May 14, 2004

Christopher never said you only need a firewall on the outskirts of the company network. Each machine needs its own. It doesn't end there of course. The firewall will not stop malicious email attachments. User education is all that will help there in the end. Users will go through extraordinary lengths to open/install "unsafe" content. They are sophisticatedly social engineered (well, if you count the promise of naked flesh as sophisticated) into taking outrageous actions to bypass all security provisions.
What will you do, forbid all data exchange between machines?

Security does not come free. There is a tradeoff between freedom, convenience and protection. The current, IMHO positive trend, is to provide less convenience and more protection. Freedom is retained, but kept in check through better defaults and more control. The computing environment is also in constant evolution. Once we had standalone machines, then LANs, now the ubiquitous global network. Once we had random sockets to connect to machines, then firewalls, now we have the Universal Firewall Bypass Protocol (HTTP). Our systems as well as our administrators are still playing catch-up with these changes.

We accept risks because risk taking gives us benefits. We didn't abandon cars even though the risks are incredible and the price we pay for that is horrendous. Initiatives that would trade freedom for security, e.g. Palladium, are not met with great enthusiasm.

There is a lot still to do to get the balance right, and it will never stop. Articles like the one linked offer no contribution whatsoever.

Just me (Sir to you)
Friday, May 14, 2004

The reason people succumb to social engineering isn't because they are stupid, it's because the people writing the worms are clever.

Look at some of the virus messages that have come into my inbox.
"Your email account is over the limit. Messages may no longer be received  Please click on this link to ocntact the administrator" from "adminstrator@your company.com"
"INTERNET ABUSE. I noticed that you have visited illegal websites.
See the name in the list!" from "abuse@gov.us"

Then there are the legitimate hyperlink names that link to another href which is in fact the attachment that came with the message or another virus they are hoping is already there.

And maybe half of the viruses are coming from people you know, because their email addresses have been spoofed.

Of course people click on attachments. It's what you do with icons; you click on them to open them. People also eat hamburgers, without giving them to the food taster or the dog or the analytical chemist first to see if they are poisoned. They turn on the light switch in the house without checking first to see that nobody has attached a lorry full of dynamite to the electric circuit, and although people here check the underside of their cars for bombs for a week or so after every terrorist attempt, I have yet to see anybody check to see that they haven't rerouted the exhaust so they will die of carbon monoxide poisoning in a traffic jam.

And how many of you have followed MI5's advice to defeat terrorism by trimming the rose bushes?

Stephen Jones
Friday, May 14, 2004

"Christopher never said you only need a firewall on the outskirts of the company network. Each machine needs its own."

A basic TCP/IP firewall is an external system when your system gives you inadequate control - for example to run a Windows XP workstation configuration that has zero listening ports (which, in my opinion, should be the default. And then if you decide to enable external features like file sharing a policy of least privilege is used). We resort to firewalls because the software itself doesn't offer us the functionality to only listen for localhost connections, and in some cases won't even let us disable it without breaking parts of the system. If you recall, as an aside, when Windows 2000 was in beta Microsoft ran a test of Windows 2000 sitting naked on the internet, because ultimately any system should be able to do this.

Dennis Forbes
Friday, May 14, 2004
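
The distinction drawn in the post above, between services that listen only for localhost connections and services that listen on every interface, can be audited from a host's own socket table. This is an added example, not part of the original thread: the `netstat -an` output is a constructed sample, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the column layout of Windows `netstat -an`.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      203.0.113.7:80         ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::1]:5000             [::]:0                 LISTENING
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any IPv6 zone id
    return ipaddress.ip_address(host), int(port)


def classify_listeners(netstat_text):
    """Group TCP listeners by whether they accept only loopback traffic.

    'exposed' covers wildcard binds (0.0.0.0, ::) and binds to a specific
    non-loopback address: both are reachable from the network unless a
    firewall sits in front of them.
    """
    result = {"loopback": [], "exposed": []}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Keep only 'TCP <local> <foreign> LISTENING' rows; skip headers
        # and established connections.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        ip, port = split_endpoint(fields[1])
        bucket = "loopback" if ip.is_loopback else "exposed"
        result[bucket].append((str(ip), port))
    return result


if __name__ == "__main__":
    report = classify_listeners(SAMPLE_NETSTAT)
    for bucket, sockets in report.items():
        print(bucket, sockets)
```

An empty `exposed` list corresponds to the "zero listening ports" configuration the post argues should be the default; every entry in it is a service that depends on a firewall for protection.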

Right that's it - either I'm loony or the rest of the world is...

I thought Stephen was taking the mick with the MI5 gag but no: http://www.mi5.gov.uk/output/Page167.html .  No.4 - "keep garden areas free from dense shrubbery"

I give up. 

a cynic writes...
Friday, May 14, 2004

«No.4 - "keep garden areas free from dense shrubbery"»

It's nothing new.

Whenever a castle was built, the land around was cleared of trees, bushes, etc.

It's just applying ancient wisdom.

However, I did notice the chaps at the MI5 forgot another important item for safe housekeeping - the moat, either filled with water and crocodiles, or a dry moat, with the electrified metal spikes at the bottom.

:)

Paulo Caetano
Friday, May 14, 2004

Possibly Paulo. 

Unfortunately I doubt you can get a "Licence to Crenalate"* as part of planning permission and in any event I'm not sure I could get away with taking potshots at the neighbours, even if they did look like international terrorists.  Or script kiddies for that matter. 

*If this isn't how it's spelt it's certainly how it's pronounced.

a cynic writes...
Friday, May 14, 2004

OK, where I work - a US State government agency - we have two firewalls (one between the main IT agency and the internet, the second protecting our internal network from the dumb shits in other state agencies).  Our corporate email system (Novell's Groupwise) has a dedicated spam filter on it.

We still get the odd virus infection - a few Netskys.

The cause - stupid users with web mail accounts (Hotmail, Yahoo mail, etc) who download the attachments sent to them and then wonder why things go wrong.

Yes, software vendors should be made responsible for product defects - just like any other manufacturer.

Yes, people should use firewalls on all internet connections (recall the AIDS advertising campaigns regarding condom usage - the one I liked was "if it's not on, it's not on.")

But it boils down to people being properly educated on how not to get their computers infected with virii, and taking responsibility for their actions.

Ken Ray
Friday, May 14, 2004

These articles are FUD, pure and simple.  I'm sorry, but a firewall COULD protect most users from these worms.  Allowing incoming connections to client machines is just insane.  Also email attachments are not worms.  Worms spread via open ports, not by the user actively executing them.

I don't support Microsoft in the least bit, but at the same time, they aren't to blame for every problem.  I don't believe the car door analogy is that bad.  Car users are expected to understand basic level of security, and so should computer users.

I hate the grandma analogies.  If grandma can buy a computer and hook it up to the internet, she can buy a firewall as well.  Dell could sell it to her at the same time they sell her the computer.

christopher baus (www.baus.net)
Sunday, May 16, 2004

> Linux fan boys are annoying. Microsoft fan boys are even MORE annoying.

If that is directed at me, you obviously don't know me.  Also the thought that using a different OS is going to solve anything is foolish. 

christopher baus (www.baus.net)
Sunday, May 16, 2004

You're wrong about the distinction between a virus and a worm.

If you don't allow incoming connections by default then you can't install a cloned image remotely. And sysadmins don't like spending the day walking from one office to another, and Finance likes paying them to do so even less.

Firewalls need configuring. Even something simple and user friendly like Zone Alarm still requires somewhat knowledgeable decisions (should your grandma find out all about svchost or know what IP range to allow if the proxy server changes?).

Stephen Jones
Monday, May 17, 2004
