Fog Creek Software
Discussion Board




Profoundly screwed up Windows computers

Since this spring I've been filling in some unbillable time with freelance tech support.

So far I have encountered three customers, all of them home users running Windows XP, who have had virus infestations that I have been absolutely unable to deal with on-site.

The general characteristics: Every such user has kids in the family who use the family computer.  Every such computer seemed to act, even when I got done with anti-virus scans, like it contained a "poltergeist". When I've had to do the entire job at the customer's location and I've run into
"unsolvable" issues, I've simply gotten their computer to a point where they could get basic control to check their email, for instance, but warned them that they really needed to reinstall Windows from scratch.

One customer computer would not log into Windows. When you clicked on the user icon it would sit there for a second and return to the mass login page. I wound up taking this cistomer's system back to my office, removing the hard drive, installing it to a seconary computer in my office, and scanning it with MacAfee from my "good" installation. Finally I had to do a "full reinstall" of XP so at this point the customer has a brain dead XP installation.

One thing I am skeptical about is the abiity  for someone who owns "only" one computer to stay running notwithstanding any problems. The viruses I am seeing apparently avoid detection by many of the commercial AV programs. In a couple of cases they got by apparently updated, current AV shields, fully patched, up to date installations, and one user even ran Ad-Aware himself.

I see the only solution to be to remove the hard drive and scan it on an uninfected computer.

I'm not exactly complaining since it's brought in some income. It could be said that what I am doing is "too" brute force since I often recommend to users to format their HD and reinstall Windows. But it's a balancing act. Do you really want to spend 3 hours on doing internet searches and applying various virus remedies that may not work, and bill the customer essentially for spinning your wheels? Above all to survive in  business you have to find ways to help the customer that you can bill for and which represent some sort of active effort to solve the problem.

The thread "anti anti virus" was interesting to me because I'm definitely seeing that virus prevention is a people problem and a social engineering challenge.

IE: most of the ways that viruses are propagated are either by disinformation, or by presenting bright, shiny things like games or porn to the user. Even the sober business users can be hosed by disinformation. The bright, shiny things will cause every snot nosed kid to disable the virus shield on the family computer "temporarily" to see what the site has to offer. How do you train someone to not do stupid things? You cant'. In fact, in the current environment I don't even know if anything short of completely locking down the customer's system would be effective. And PC users want their freedom.

Most of my customers ask how to prevent these problems. When I mention something like "use Mozilla instead of IE" I get the deer in the headlights look. I am tempted to say "quit being *you* and make the computer off limits to your kids also" but that won't exactly wash either. :/

I also believe that this domain is well above the level of "kid making a fabulous living at $25/hour." You have to charge a commercial rate in order for this work to make any economic sense and you have to have your own equipment - secondary computers, portable hard drives, etc - to support the work. 

Bored Bystander
Monday, August 23, 2004

Setup a login account for the kids where they can't turn it off or install anything. Then give the parents a different account with admin rights and a password. Or am I missing something? I've got Windows XP, 4 kids plus 3 neighbor kids all using our computer and I've yet to have a virus get past our scanner. Sure I have to run ad-aware once a week but I've never had any problems with XP itself.

Bill Nalen
Monday, August 23, 2004

Most of trouble is currently caused by spyware, my sequence is:

1.  Check for viruses
2.  Check for spyware
3.  Run Norton utilities for windows to clean up any remaining mess.

Works 99.99% of the time...

Chris Peacock
Monday, August 23, 2004

If your clients use XP, try to get them to XP pro. Then lock down the box. Each kid has their own profile, and cannot install software. The parent should be an admin, and you should reserve an admin account for yourself. Rename the parental admin account, and rename the (disabled) guest account to admin, so if someone thinks they can get in, they really didn't win the prize.

Some of the drive-by downloads are as simple (to get) as the web server sending what appears to be a .gif to the browser, but making the mime type an application. That one was caught because the "gif" or "jpg" was trying to install something and the user lacked the permissions to install software.

http://www.webmaster-toolkit.com/mime-types.shtml

One of my bus drivers has a similar problem with his boys. No one will 'fess up to disabling the firewall and getting the box hosed again, and my advice to him was to "not have the time" to take the computer to the shop to be fixed for a month. The boys start school soon, and "need" it for homework.

Peter
Monday, August 23, 2004

From a technical perspective, once the system is compromised at a low-enough level (eg the kernel), then anti-virus scanners are no help.  After all, they logically have to rely upon a certain number of system-level APIs to function.

It's definitely conceivable to me that anti-viruses are eventually going to be of no help whatsoever.  In fact my perception is that currently they're basically "placeboware"; ie, they have the comforting appeal of "protection," when ultimately there can be none.  The protection afforded is minimal, and usually reactionary.

At any rate, one thing I gathered from the anti-anti-virus thread is that there are simple measures (eg NAT) for protecting computers from viruses, at least at the non-social engineering level.  e.g., internet-borne worms.  Couldn't one tack on firewall/NAT-setup/maintenance as a cheap (for you) "value-add" to these "recovery" services?

indeed
Monday, August 23, 2004

It's still a social engineering and people-problem:

- The parents' account (any any admin account) MUST be password protected.

- The password must not be given to brat-units.

- The kids' accounts and any non trusted accounts must be set up as limited. So the person setting up the accounts must be aware that this can be done.

Yeah, NO PROBLEM if you stay on top of things. But that's why people's computers are screwed up. They let kids with admin privelige accounts use the computer.

Bored Bystander
Monday, August 23, 2004

Bored:

So why not sell people a "secure setup" (eg, with limited accounts for everyone, NAT, etc) as part of the recovery service, and provide EXPLICIT instructions on how to stay secure.

I can see problems such as "assholes won't follow directions," but it's a wash if you make a buck off it. :)

At any rate there's a compelling argument that perhaps computers by default should be configured by the manufacturer for "security," and the lock and key are buried somewhere in a manual. :)

After all, when these systems go haywire, it's usually the surrounding network that they attack--it's a "public good" issue as well as a "personal inconvienence" problem.

indeed
Monday, August 23, 2004

Indeed,

The only response I have to your all of excellent comments is your handle.

>> So why not sell people a "secure setup" (eg, with limited accounts for everyone, NAT, etc) as part of the recovery service, and provide EXPLICIT instructions on how to stay secure.

That is a fabulous idea. I think the limiting factor will be how much people want to spend on proactive measures *after* their one big problem has been solved.

>> After all, when these systems go haywire, it's usually the surrounding network that they attack--it's a "public good" issue as well as a "personal inconvienence" problem.

Er, indeed. I think that's what pisses me off about this situation the most. People who think they are "only victims" are also polluting the commons by hosting email/spam trojans and other fun stuff.

Thinking out loud: I believe that PCs may eventually have to contain a secondary processor running a firmware based, highly secure kernel that does nothing but provide watchdog and virus cleaning services for the "main system CPU". Almost like a mainframe. Since the same APIs and system services that anti viruses use are also corruptable by viruses.

Bored Bystander
Monday, August 23, 2004

My wife's computer (XP Pro) has been infested with dozens of viruses, trojans, etc for many months because she gave her password to the children (for the last and final time).

She only needs it to check email, browse the web, newsgroups, and word processing. The kids have clicked yes/OK to everything that ever came up on the screen.

All other computers in the house are currently running Mandrake 10 or Fedora 2. The kids also have thin-client terminals in their rooms connected to the terminal server.

She refuses to let me install Linux on her computer or convert it to a thin-client.

I refuse to fix her Windows computer.

My life has been so much simpler since I started refusing to work on Windows boxes! :-)  (even though I've missed a few little income opportunities because it).

Jerry
Monday, August 23, 2004

Bored:

"Thinking out loud: I believe that PCs may eventually have to contain a secondary processor running a firmware based, highly secure kernel that does nothing but provide watchdog and virus cleaning services for the "main system CPU"."

Right.  One interesting initiative so far has been the "biological" approach to security--profiling processes' "normal" execution paths and then flagging a warning for anything too far outside the execution bell curve.  After all, programs in their normal course of execution rarely have a good reason to execute the stack (in theory).

Provided this tech. were sufficient for "day-to-day" home users, it'd probably make a pretty compelling hardware module.

As it is all the industry is doing to address these problems on a hardware level, really, is the bogus "Trusted Computing" platform--which is basically just a vehicle for enabling broad-based DRM.  It probably will stop viruses to some extent, but the tradeoffs for acceptance and implementation will be very high.  TCPA is a "boil the ocean" scheme if ever one existed.

Of course there's NX and various other little boondoggles, but those fall into the "too little too late" category.

Personally I'd just like to see a "fire safety code" as a first step in computer security.  I think users can understand why they shouldn't be able to do certain things easily, if put into the context of "burning down the neighborhood."

As it is, though, people are barely aware of their connectedness at all.

indeed
Monday, August 23, 2004

>> After all, programs in their normal course of execution rarely have a good reason to execute the stack (in theory).

They don't !?? <BG>

Bored Bystander
Monday, August 23, 2004

BoredB,

Welcome to my home computing world.

You cannot, as so many have suggested, lock down the kids' accounts, because then none of the games will run.  And they cannot install games which they buy.

The primary purpose of the kids' computer is that they can play games.  Homework?  Yes, but that probably only takes 5% of the computers' time.  The rest is games.

"Lock down" is merely a threat that I use to keep them from doing something stupid.

Rules on the computer:
1. No running Instant messanger programs, other than GAIM (and open source version).  I've seen time and again, through the weblog provided via the firewall that viri get picked up by AOL's AIM.
2. No running IE.  Mozilla only.
3. No downloads.  Period.  The only software you install is stuff that gets paid for or I approve of.

Microsoft has done a POOR job of making user accounts administratable.  Users should be able to install software which can run on their account, without corrupting the entire user base and kernel. I've been trying to accomplish this for some time, but it seems impossible.

After about 2 years and 2 formats of the hard drive, I think everyone finally gets the picture at our house.  We've been adware and virus free for about 6 months.

Blocking known adware sites, like gator.com and anything with 'buddy' and/or 'profile' in the domain name helps catch the problem - should it occur.

hoser
Monday, August 23, 2004

Stacks should be read/write, not executable.

hoser
Monday, August 23, 2004

HD space is cheap nowadays.  If I were running a business to get rid of virii, etc., I would have a ghost of each good system install I do for a particular customer.  If they screw it up again, I can restore them super-fast to more or less exactly where they were.  However, I totally agree with the "only parents/experienced users can install".  That will prevent a LOT of mySearch toolbars and crap like that, no offense to them but that thing is annoying to me.

devinmoore.com
Monday, August 23, 2004

Executable files should not be writable. ESPECIALLY OS files. I saw a virus that patches C:\NTLDR -- why in the world would the OS allow that?

Process memory should not be readable let alone WRITABLE. What's the purpose of WriteProcessMemory?

The OS is way too permissive.

Alex
Monday, August 23, 2004

I'm with hoser. Those are the rules on my home network too. I've got active and constantly updated virus checkers running on all the machine along with a firewall. I run Adware about once a week to catch the crap that still slips through and (most significant!) IE has been banned in favor of Firebird.

Another import step was educating my kids as to what they can, and can't do (i.e.; no downloading music that isn't paid for, go anywhere near a porn site and you loose access, etc.)

It's been a couple of months since my last big cleanup. All the counter-measures seem to be working out ok. The only maintenance that seems to be required is an occassional defrag.

Tom

Tom
Monday, August 23, 2004

Interesting ... I was reading about 2 months ago about viruses that would shut down themselves to avoid detection.

Dino
Monday, August 23, 2004

"Stacks should be read/write, not executable."

Well, I think the benefit of a "profiling" scheme is that it avoids such broad mandates.  ie, if you have a super-duper optimized program (such as a game) that writes and executes code in memory (on the stack, even) on the fly, then it can just be profiled as such and pass future security tests.

But if a process normally just executes on one path, and then one day starts executing the stack, then that's a huge red flag that an overflow exploit has occurred.

It is, in essence, a process-specific Bayesian filter.  What are viruses but "spam" in your executable memory space? :)

(pardon the broad metaphor, but I couldn't resist...:))

Compare NX which basically just issues a broad edict about executability, backwards-compatibility be damned.

I do agree that, going forward, programmers shouldn't do crazy shit.  But that'll never happen.

"You cannot, as so many have suggested, lock down the kids' accounts, because then none of the games will run.  And they cannot install games which they buy."

This is a good point.  Until recently even AutoCAD--corporate, commercial CAD software--wouldn't run unless it was installed on an account with "power user" privileges.

There's definitely an element of programmer responsibility in the security issues, above and beyond simply "statically-allocated buffer" type stuff.

Again there probably needs to be some kind of infrastructure (regulation, either private or public sector) to deal with these issues.  It's really scary to think that the worms today have yet to do any "real" damage. 

indeed
Monday, August 23, 2004

I think you may be thinking of the spyware that shuts down the spyware scanning software?

Peter
Monday, August 23, 2004

Like the spyware that rewrites the hosts file so that spyboy can't contact home and download the latest updates?

www.MarkTAW.com
Monday, August 23, 2004

*spybot

www.MarkTAW.com
Monday, August 23, 2004

I'm not sure what business you're in, but if you're selling the computers or able to sell things to them then I suggest Ad Aware professional (so it has an active scanner running all of the time),  decent AV piece of software and a firewall, maybe zone alarm.

Removing privileges from the kid's pc's is generally not an option.  In a large number of families the kids are
a) the ones going to use the pc most
b) the ones that know how to use the computer most (even if they do stupid things)

Asking users to use different software to standard MS software might be difficult.  I'm not saying it has it's merits, but the users you are talking about are probably more at home with MS products and will be very reluctant to change.

Perhaps install some spam filtering software (spambayes is quite nice, though it might not be ideal for what you're doing).

Produce a document, maybe two sides (any longer and people won't read it) about how to stay secure.  How to run Windows update, how people farm message boards for e-mails and why not to give away your e-mail address to every man and his dog.

I think a combination of active measures and user education is the best bet.

Steven
Monday, August 23, 2004

I wrote about this exact same topic a while ago.  And I hear you, and I feel your pain.  The only thing I would mention beyond my original post is that AdAware doesn't get everything, and neither does Spybot S&D.  It sounds like an easy thing to say, but I was just working on another system (for the third time) and I noticed that there were 5 or 6 things that AdAware hadn't picked up that I had to manually detach.  Ick.


see thread: http://discuss.fogcreek.com/joelonsoftware/default.asp?cmd=show&ixPost=128900&ixReplies=31

pds
Monday, August 23, 2004

Virus detection is overrated. These days, you need a firewall. Esp one the detects outbound traffic like Zone Alarm.

You don't need XP Pro to set up accounts. You can do it with Home and I've done it so my account has privledges, but my wifes and daughters don't. The only problem is that some programs won't run without admin.

Miles Archer
Monday, August 23, 2004

If the game can't run without admin priviledges that means one or more of the following:
Someone left debug code in (debug needs admin rights for some reason), all it takes is 1 dll compiled with debug instead of release.
The software is trying to do something it shouldn't like writing to the cd to see if its a legit copy or not.
More and more of the newer games are installing kernal mode drivers to implement copy protection, those would have to be installed with admin, but should be able to run under limited accounts.
Have you used the "run as" for the games so that the limited user can have escalated rights for the games that have to have it?

Peter
Monday, August 23, 2004

A lot of older software won't run as user. You can upgrade to power user or better use compatibility mode, but there is no way a normal user can set up the latter.

Stephen Jones
Monday, August 23, 2004

Yep.  A lot of times it's just because the software has a single settings store, in HKEY_LOCAL_MACHINE, instead of using HKEY_CURRENT_USER.

indeed
Monday, August 23, 2004

I plan to make a dual-boot computer for my kid.
1) Windows with no networking (as simple as disabling DNS?) for games. The Internet will not work here. Period. Luckily, he doesn't play Internet-play games (MMORPGs, UT, etc.), just local games--Harry Potter, RR Tycoon, Need for Speed, etc.
2) Boot to Linux & run FireFox for the Internet.
And if he screws around, gets the network working under Windows, and downloads a bunch of spyware, then it's wipe and reload, this time Linux only--no more games.

null fame
Monday, August 23, 2004

I agree with you BoredB about the problems seeming to stem from kids who persist on installing every fricken ActiveX plugin under the sun. My neighbour had issues with his W2K machine - his kids use MSN and had also unwittingly installed about 3 different browser toolbars resulting in spyware and other trojans trashing (I kid you not) his business computer. I spent about 1 hour trying to purge the demons from his machine using Spybot and Adaware to no avail.

Needless to say his machine needed a reinstallation of the OS but I couldn't be bothered telling or assisting him because he's the sort of person who expects favours like that for free.

He has since bought a new computer.

TheGeezer
Monday, August 23, 2004

Geezer, a side comment: funny how many people attach absolutely no value to the labor and hassle involved in restoring a system. It's pretty much insulting unless you get rude with people.

Now, if a neighbor had offered to mow my lawn a couple of times (say) in exchange for an OS install, then maybe...

Bored Bystander
Monday, August 23, 2004

Turbo Tax for tax year 2003 required admin rights to run.

It was progbably this way because, as "indeed" said TT wanted to write all-user settings to the registry.

Or maybe it was because of lazy programming by those Quicken folks. 

At least this year you did not have to install adware to get Turbo Tax to run.  Last year (tax year 2002) Turbo Tax would not run without an included crap program hitting the internet.

XYZZY
Monday, August 23, 2004

Turbo Tax is reputed to write to the disk's boot sector as a copy-protection scheme: for example http://www.geek.com/news/geeknews/2003Feb/gee20030214018676.htm

Christopher Wells
Monday, August 23, 2004

I've been burnt too many times to bother with helping people for "free" or volunteering my time. I don't think I'd help anyone outside of immediate family solve computer related problems for anything other than cash.

Case in point - I once installed a new HDD in a PC for someone - after hours and hours of mucking around reinstalling the OS all I got was 2 bottles of cheap red wine. Particularly galling considering they'd actually told me that I'd be inline for the keys to their holiday home for a week!!

TheGeezer
Monday, August 23, 2004

Bored:

Here's a suggestion.

1) Install Linux
2) Install VMware workstation
3) Install whatever flavor of Windows inside the Virtual Machine
4) Have the users install their software while keeping the VM disconnected from the NICs
5) Snapshot the VM install

Problems arise?  Restore from the snapshot.

And you get to wean them onto Linux

dir at badblue com
Monday, August 23, 2004

>Here's a suggestion.
...
>Problems arise?  Restore from the snapshot.
>And you get to wean them onto Linux

Badblue, that's an enticing proposition. But most clients at this level are trying really, reeeeealllly hard to get me pushed out the door as quickly as possible to minimize the billings while getting as much "fixed" as possible. A physical comedian like Robin Williams could act this scenario out really well.

Seriously: VMWare and Linux for Joe Home User: you serious? I mean, it would definitely keep me in work for anyone who buys it...

Bored Bystander
Monday, August 23, 2004

Great thread. I am seeing these problems as well - practically every non-technical person I know has asked me in the last few months to diagnose a crippled computer. No detection software finds this stuff. Reformat and reinstall is the solution with often a complete loss of all data.

See it on computers with firewalls and antivirus and everything up to date with the latest patches, so it's not worms. Also many of these people say they never click on questionable email attachments and I believe them.

Where the problem is is in software they are downloading. Both legitimate software from sites based in la la land, stuff from supposed open source projects that no one has really reviewed closely, and also stuff from file- ahem 'sharing-services'. This is where a lot of the stuff comes in - a recent study found that nearly half the illicit software available contained trojans or viruses.

The people are willfully downloading software that is infected. Software formally installed and then launched on your computer has access to things a worm writer can only dream about. And the users are more than happy to give them that access and no matter how many hours of virus removal at $100/hr or how many files lost forever, the users can't give up tehir addiction to free software.

Tony Chang
Tuesday, August 24, 2004

If the kids want to play games then buy them a console.

John Topley (www.johntopley.com)
Tuesday, August 24, 2004

>> The people are willfully downloading software that is infected. Software formally installed and then launched on your computer has access to things a worm writer can only dream about.

It's like any consultative situation. The client has major problems and they deny that they did anything to create the problem. And they don't see themselves as right in the epicenter of the problems they've created.

Almost every user that has come to me with this type of situation claims that nobody in the house did anything "bad", but kids ALWAYS use the screwed up computer.

Bored Bystander
Tuesday, August 24, 2004

Check out software such as Clean Slate and Fortress from here http://www.fortres.com/.  I have also used their main competitor but the name escapes me.

David Burch
Wednesday, August 25, 2004

*  Recent Topics

*  Fog Creek Home