OSNews:

OSNews: http://www.osnews.com/story/21237/Conficker_Worm_a_Big_Letdown Exploring the Future of Computing en-us Copyright 2001-2013, David Adams adam+nospam@osnews.com Thu, 20 Jun 2013 13:33:31 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com No big suprise there http://www.osnews.com/thread?356244 http://www.osnews.com/thread?356244 A BBC article summed it up nicely:

Vincent Weafer, vice president of security response at anti-virus firm Symantec added: "We believe the software is geared towards making money. The characteristic of this type of worm is to keep it slow and low, keep it under the radar to slowly maximise profits over the long term."

http://news.bbc.co.uk/1/hi/technology/7976099.stmEdited 2009-04-01 14:14 UTC Wed, 01 Apr 2009 14:13:00 GMT donotreply@osnews.com (Laurence) Comments april 1 anyone? http://www.osnews.com/thread?356246 http://www.osnews.com/thread?356246 aside frmo a lame april fools "OMG the world is going to end" virus (Y2K anyone?) there could be more to it.

Yesterday marked the last day of the financial quarter. Anti virus companies are hurting just like any other industry. What would be a great way to get a bunch of people to help pad your bottom line for that quarter than a big scare to get tehm to buy new antivirus licences? "there's nothing like a war to end a depression." This wouldnt be the first time something like this has happened, i doubt it will be the last. Wed, 01 Apr 2009 14:46:00 GMT donotreply@osnews.com (poundsmack) Comments April Fools http://www.osnews.com/thread?356250 http://www.osnews.com/thread?356250 Perhaps doing nothing was the April Fools joke in itself? Wed, 01 Apr 2009 15:00:00 GMT donotreply@osnews.com (Isolationist) Comments RE: April Fools http://www.osnews.com/thread?356276 http://www.osnews.com/thread?356276

Perhaps doing nothing was the April Fools joke in itself?

Nope. Windows security is the real joke. This is not an April 1st joke, this is an ongoing joke. Wed, 01 Apr 2009 16:37:00 GMT donotreply@osnews.com (satan666) Comments RE[2]: April Fools http://www.osnews.com/thread?356284 http://www.osnews.com/thread?356284 if people had of patched their systems in October, when the patch came out, then the worm wouldn't exist. This is not a problem with Windows security, it's a user problem.

Every system gets security updates. Repeat it now:

EVERY SYSTEM GETS SECURITY UPDATES.

If you keep spouting nonsense, it'll be you that looks like the joke. Wed, 01 Apr 2009 17:03:00 GMT donotreply@osnews.com (BluenoseJake) Comments RE[2]: April Fools http://www.osnews.com/thread?356286 http://www.osnews.com/thread?356286 Ah, I've been modded down...
Here is my message to all those who modded me down: I was joking. Of course Windows security is not a joke! No way!
Or maybe I was joking when I said I was joking. I don't know anymore. Anyway, let's have a mod down party! Wed, 01 Apr 2009 17:04:00 GMT donotreply@osnews.com (satan666) Comments RE[3]: April Fools http://www.osnews.com/thread?356287 http://www.osnews.com/thread?356287 Listen BlownoseJoke,

Blaming the users for the holes in Windows security is lame. Why are there holes in the security in the first place? Wed, 01 Apr 2009 17:10:00 GMT donotreply@osnews.com (satan666) Comments RE[4]: April Fools http://www.osnews.com/thread?356290 http://www.osnews.com/thread?356290 "Blaming the users for the holes in Windows security is lame. Why are there holes in the security in the first place?"

Because the source code is not open to allow people to improve it.....

Allowing idiots to use Windows is like giving car keys to drunk drivers. (they damage themselves and others.....) Wed, 01 Apr 2009 17:28:00 GMT donotreply@osnews.com (yossarianuk) Comments RE[4]: April Fools http://www.osnews.com/thread?356293 http://www.osnews.com/thread?356293

Blaming the users for the holes in Windows security is lame. Why are there holes in the security in the first place?

Because bug-free code is impossible to write. Only agencies like NASA can write bug-free code, but that does mean that in the hypothetical case NASA were to write a general-purpose operating system, it would cost upward of 10000 EUR per copy - probably a hell of a lot more.

We are modding you down because you have absolutely no idea what you're talking about. Starting with Windows Vista (and to a lesser extent, XP SP2) Windows is a pretty damn secure operating system. The only recent case of massive failure is this Conficker thing, which doesn't count since it only affects unpatched system.

Satan666, I know you are the person who systematically mods down almost each and every of my posts, we have insights into those things, you know. It's kind of funny that you complain about being modded down while you yourself abuse our system so thoroughly. Wed, 01 Apr 2009 17:49:00 GMT donotreply@osnews.com (Thom_Holwerda) Comments RE[4]: April Fools http://www.osnews.com/thread?356294 http://www.osnews.com/thread?356294

Listen BlownoseJoke,

Blaming the users for the holes in Windows security is lame. Why are there holes in the security in the first place?

Why are there security holes in Debian? Fedora? OS X?

Because all operating systems have holes, and all need patches. Believing that Windows is the only OS with security holes and patches issued is what's lame. Here are some pages. Read them and become at least a little knowledgeable:

List of recent security updates for Debian Stable:
http://www.debian.org/security/

Fedora 8:
https://admin.fedoraproject.org/updates/

OS X:
http://support.apple.com/kb/HT1222

FreeBSD:
http://www.freebsd.org/security/advisories.html

Windows:
http://www.microsoft.com/protect/computer/updates/bulletins/default...

Oh, and please, grow up. I didn't call you any names, I just yelled some common sense at you. Wed, 01 Apr 2009 17:58:00 GMT donotreply@osnews.com (BluenoseJake) Comments RE[5]: April Fools http://www.osnews.com/thread?356302 http://www.osnews.com/thread?356302 What makes you think NASA writes bug-free code? They just test their code, have some redundancy in their systems, and don't have to put up with malicious users. Wed, 01 Apr 2009 18:40:00 GMT donotreply@osnews.com (PlatformAgnostic) Comments RE[6]: April Fools http://www.osnews.com/thread?356307 http://www.osnews.com/thread?356307

What makes you think NASA writes bug-free code?

I've been following NASA lately. There's some really exciting stuff going on. For example, the Kepler mission is going to give us a remarkably reliable statistical map of "Earth-like" planets in their stars' "habitable zones" in just 3 or 4 years. But... as Thom asserts... it's not bug-free code[1]:

http://www.nasa.gov/mission_pages/kepler/news/keplerm-20090330.html

My assertion is that software projects, including those at Microsoft (and yeah, Mozilla), have come to expect that we won't roast them for being careless. (Hell, we heap praise upon Mozilla for being careless... after they release the fix.) And the more lax we become in our insistence upon quality, the more lax they will become in their development and release practices.

I used to despise DJ Bernstein and his attitudes. These days I'm not so sure.

[1] It is, however, well thought out and resilient.Edited 2009-04-01 19:24 UTC Wed, 01 Apr 2009 19:14:00 GMT donotreply@osnews.com (sbergman27) Comments RE[4]: April Fools http://www.osnews.com/thread?356319 http://www.osnews.com/thread?356319 Yeah.. I will blame people for not updating their system, visiting pr0n and warez sites then receiving virii which disables security updates, using pirated Windows, thinking they're smarter than the hacks out there so they don't need anti-virus or updates, etc.

OK fine your arguement about the hole shouldn't be there in the first place is true, but if we waited until every product was 100% bug free we'd still be using Windows 1.0, we'd have not have moved away from the first kernel release in Linux or have wonderful products like the iPhone or TiVo. Wed, 01 Apr 2009 20:41:00 GMT donotreply@osnews.com (flanque) Comments RE[5]: April Fools http://www.osnews.com/thread?356325 http://www.osnews.com/thread?356325

Yeah.. I will blame people for not updating their system, visiting pr0n and warez sites then receiving virii which disables security updates,

Might as well go ahead and blame people who notice that the allowed updates *observably* trash their systems more than any malware they perceive. Wed, 01 Apr 2009 20:51:00 GMT donotreply@osnews.com (sbergman27) Comments RE[6]: April Fools http://www.osnews.com/thread?356326 http://www.osnews.com/thread?356326 sbergman27, to be completely honest I have NEVER seen any update from Microsoft that trashes someone's system, either personally or professionally.

I'm in the support field and served years at the desktop level and am currently on the server level and I quite simply haven't seen it happen at all.

Maybe it has happened at some point in time but it's by no way the norm in my experience.

I do recall occassions where patches don't do what they're intended to do, but nothing to the extent where users systems are trashed.

If it were really a common problem we'd see a lot more media attention and it'd be far more commonly known within the community of people who actually participate in applying these patches on mass (thousands of machines in my case). Wed, 01 Apr 2009 20:58:00 GMT donotreply@osnews.com (flanque) Comments RE[7]: April Fools http://www.osnews.com/thread?356329 http://www.osnews.com/thread?356329

sbergman27, to be completely honest I have NEVER seen any update from Microsoft that trashes someone's system, either personally or professionally.

Well, personally and professionally, the number one reason I have heard from people for turning off updates is that a previous one "trashed their system". Maybe it did. Maybe it didn't. But you really can't blame people who feel helpless anyway from taking an "If it works, don't fix it" attitude. Wed, 01 Apr 2009 21:04:00 GMT donotreply@osnews.com (sbergman27) Comments RE[8]: April Fools http://www.osnews.com/thread?356330 http://www.osnews.com/thread?356330 Maybe, but I would argue that a more compelling reason to disable automatic updates in a corporate environment is to give the opportunity to test it before it is released to the masses. It'd be completely stupid to assume they'll always work thus testing beforehand is an absolute requirement.

That doesn't distract from the fact that the chances of an automatic update "trashing" a system is very very low.

As for at home, though I haven't checked every single patch, I am pretty confident that a restore point is created before the patche(s) are applied. I wouldn't be suprised if the overwealming majority of home users don't even know what this means and just assume their systems are toast.

Though not without exception, the updates from Microsoft are quite thoroughly tested. Having said that they cannot cover all possible situations some user's get their systems into, but it's pretty darn good. Wed, 01 Apr 2009 21:16:00 GMT donotreply@osnews.com (flanque) Comments RE[7]: April Fools http://www.osnews.com/thread?356332 http://www.osnews.com/thread?356332 Oh, I have. Anyone remember what happened, initially, when you tried to install IE7 on XP via Windows Update, and you got unlucky enough to have it error out half-way through the installation? That caused one hell of a mess on any system affected. Been there, done that. It was fixed fairly quickly, but not quickly enough to prevent a lot of people's systems from getting screwed up.
Plus, Microsoft's method of releasing updates and additional patches leaves a lot to be desired. What, may I ask, is the point of having .NET Framework and then on top of it have to download hotfixes or service packs (.NET is merely an example here, there are others)? Novel idea, why not, when a service pack is released, repackage the whole thing with the service pack slipstreamed into it? Leave the hotfix up for those who've already installed the base package, but for those who didn't, we wouldn't have to run cycle after cycle of windows update checks to make sure we've got all the patches, meanwhile having to deal with their temporary files that are left over and weren't deleted when they should have been? Wed, 01 Apr 2009 21:39:00 GMT donotreply@osnews.com (darknexus) Comments RE[5]: April Fools http://www.osnews.com/thread?356338 http://www.osnews.com/thread?356338 And for fun

OpenBSD ( the uber secure OS)

http://www.openbsd.org/security.html Wed, 01 Apr 2009 22:32:00 GMT donotreply@osnews.com (Bill Shooter of Bul) Comments RE[5]: April Fools http://www.osnews.com/thread?356345 http://www.osnews.com/thread?356345

Because bug-free code is impossible to write. Only agencies like NASA can write bug-free code

I assume that your irony levels are somewhat on the high level there!? Wed, 01 Apr 2009 22:58:00 GMT donotreply@osnews.com (NiceGuyEddie) Comments RE[6]: April Fools http://www.osnews.com/thread?356348 http://www.osnews.com/thread?356348 That can also happen to any OS, just like the xorg update that trashed Ubuntu a few versions back. Wed, 01 Apr 2009 23:02:00 GMT donotreply@osnews.com (BluenoseJake) Comments RE[7]: April Fools http://www.osnews.com/thread?356349 http://www.osnews.com/thread?356349

That can also happen to any OS, just like the xorg update that trashed Ubuntu a few versions back.

I'm not sure what your point is.

You might as well go ahead and blame people who notice that the allowed updates *observably* trash their systems more than any malware they perceive.Edited 2009-04-01 23:09 UTC Wed, 01 Apr 2009 23:09:00 GMT donotreply@osnews.com (sbergman27) Comments RE[7]: April Fools http://www.osnews.com/thread?356355 http://www.osnews.com/thread?356355 Of course it can. I was merely pointing out that I have seen a Windows update hose the system, and that it is certainly possible. Thu, 02 Apr 2009 00:11:00 GMT donotreply@osnews.com (darknexus) Comments It's still young http://www.osnews.com/thread?356359 http://www.osnews.com/thread?356359 Boy a worm barely crawls out of its egg and everyone expects to see beautiful spotted wings. Why not let it graze peacefully on hard disk data until it reveals how poisonous it truly is?

Thu, 02 Apr 2009 00:44:00 GMT donotreply@osnews.com (StychoKiller) Comments RE[7]: April Fools http://www.osnews.com/thread?356361 http://www.osnews.com/thread?356361 Some of it is not just carelessness. Security bugs usually arise when people have subtle misconceptions about the contracts of the functions they call (or the functions are misspecified). You really can't get anything done if you spend all of your time reading every callgraph down to its leaves.

Microsoft (particularly the Windows team) tries its hardest to catch all of these security defects by banning certain unsafe standards, by encoding the contracts in a static anotation language that is checked by machine before code is allowed into the main branches, and by fuzzing and heavily reviewing parsers, protocols, and externally-facing code. It's still possible to miss something, however.

I wish DJB luck in 'putting the security industry out of business.' I'm afraid though that to truly do that, we'd need to ensure that all network-facing software is written by a small cadre of uber-programmers, reviewed by another set of uber-programmers, and fuzzed/tested extensively. Even if you can get Linux and Windows written by those kinds of people, you still need to deal with the third-party and LOB applications of the world who don't have the same incentives and resources. Thu, 02 Apr 2009 01:38:00 GMT donotreply@osnews.com (PlatformAgnostic) Comments RE: No big suprise there http://www.osnews.com/thread?356370 http://www.osnews.com/thread?356370

A BBC article summed it up nicely:
"Vincent Weafer, vice president of security response at anti-virus firm Symantec added: "We believe the software is geared towards making money. The characteristic of this type of worm is to keep it slow and low, keep it under the radar to slowly maximise profits over the long term."

http://news.bbc.co.uk/1/hi/technology/7976099.stm "

Couldn't we just apply his response to Symantec's own software? It seems more like exploits than upstanding utilities most of the time. I don't know of any other software that could be labeled as crashware so readily. Thu, 02 Apr 2009 04:12:00 GMT donotreply@osnews.com (bousozoku) Comments Inexcusable http://www.osnews.com/thread?356385 http://www.osnews.com/thread?356385 From the story:

among those lax people are several government agencies. The UK Ministry of Defence has been infected, including a number of Royal Navy warships (...) and the Bundeswehr (that's the German army).

Cheesh... Defence and army people should certainly know better. That is simply inexcusable from them, especially as the security hole was patched before the worm got out and all you had to do was to keep your machines up-to-date. And this is not the first time we read news like this.

Don't those people responsible for the critical army IT systems understand anything about secure computing? What if there was a serious accident with those weapons because of their lax and ignorant attitudes? What if a war broke out and the systems were expected to work? And why on earth don't they use computer systems that are well known to be much less vulnerable to malware? Too much corporate lobbing and pressure in the government and in the defence ministries? Thu, 02 Apr 2009 08:55:00 GMT donotreply@osnews.com (irbis) Comments RE[8]: April Fools http://www.osnews.com/thread?356389 http://www.osnews.com/thread?356389 "Might as well go ahead and blame people who notice that the allowed updates *observably* trash their systems more than any malware they perceive."

This is the statement I am replying to. There are always bugs, sometimes even in updates, doesn't matter about the OS. That isw my point.

Not applying updates because somebodies mother's brother's friend had their system trashed by an update is just stupid.

Updates help a hell of a lot more than they hurt. Thu, 02 Apr 2009 11:03:00 GMT donotreply@osnews.com (BluenoseJake) Comments AV companies http://www.osnews.com/thread?356393 http://www.osnews.com/thread?356393 Aren't these written by Symantec / AV companies... You know, if the tire repair business is slow, throw nails in the streets and advertise more. Thu, 02 Apr 2009 12:07:00 GMT donotreply@osnews.com (EmptiusBranius) Comments RE: Inexcusable http://www.osnews.com/thread?356516 http://www.osnews.com/thread?356516 I work as a web dev for the US Air Force and I can tell you exactly what the problem is; the whole chain of command issue. What I mean is that a guy like me has to put in a request for something and the request has to work it's way up the chain of command because the first person you asked won't give you an answer for fear of being chewed out by their superior for overstepping authority.

So up and up the request goes, and eventually, down it comes through the chain again once an answer has been given. This takes days, months, even YEARS in some cases. The IT guys in my detachment that I work with have been trying to get everyone to upgrade to IE7 and to delist Firefox as unstable for the work environment. They put that request in quite some time ago.. and I can still hear it crawling up the chain ever so slowly.... Thu, 02 Apr 2009 22:15:00 GMT donotreply@osnews.com (linux4life) Comments symantec norton http://www.osnews.com/thread?357206 http://www.osnews.com/thread?357206 I think the Norton people secretly release it to improve their software sales. Sun, 05 Apr 2009 21:03:00 GMT donotreply@osnews.com (eksasol) Comments