Anit-Virus help for all of us??????
Thought this is on topic for the group with all the new virii and new problems out there. Would anyone here consider sending this out to all customers? Later, Jim Last week at the Comdex show in Las Vegas, Computer Associates International, Inc. (known to the world as CA) teamed up with Microsoft Corp to provide "qualified" Windows home computer users with a no-charge, one-year subscription to CA's eTrust EZ Armor antivirus and firewall desktop security suite. The move is designed to encourage home users to increase the protection of their Windows systems and CA has stated that the company will aggressively promote the offer as part of Microsoft's "Protect Your PC" campaign. SNIP The EZ Armor software carries a value of $49.95 and the free subscription offer will be available for download until June 30, 2004 and comes complete with one year of personal firewall and antivirus protection including daily virus signature updates. http://www.it-analysis.com/article.php?articleid=11450
McBurnett, Jim writes on 11/24/2003 9:29 AM:
Thought this is on topic for the group with all the new virii and new problems out there. Would anyone here consider sending this out to all customers?
Most if not all computers that are sold (branded ones at least) do come with an antivirus + "personal firewall" (aka snake oil firewall, as vernon schryver keeps saying on news.admin.net-abuse.email and elsewhere) package, with 6 months to a year of free updates. What, if anything, is new about this? srs -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
On Mon, 24 Nov 2003, Suresh Ramasubramanian wrote:
Most if not all computers that are sold (branded ones at least) do come with an antivirus + "personal firewall" (aka snake oil firewall, as vernon schryver keeps saying on news.admin.net-abuse.email and elsewhere) package, with 6 months to a year of free updates.
If most if not all computers that are sold include antivirus + personal firewalls, who is selling all the computers being infected with worms, viruses, malware?
** Reply to message from Sean Donelan <sean@donelan.com> on Mon, 24 Nov 2003 13:29:57 -0500 (EST)
On Mon, 24 Nov 2003, Suresh Ramasubramanian wrote:
Most if not all computers that are sold (branded ones at least) do come with an antivirus + "personal firewall" (aka snake oil firewall, as vernon schryver keeps saying on news.admin.net-abuse.email and elsewhere) package, with 6 months to a year of free updates.
If most if not all computers that are sold include antivirus + personal firewalls, who is selling all the computers being infected with worms, viruses, malware?
You know that the best AV program in the world isn't going to amount to a hill of beans if the user doesn't 1. download updates, 2. run the occasional scan [1], and 3. pay for more updates past the 1 year mark (for those for which this is a requirement). Firewalls at least tend to be a bit more hands off... and I'd like to hear more about the "snake oil" parts. Doesn't the 1/2wall that XP ships with default to "disabled?" As for Malware... right now neither firewalls nor AV programs seem to stop its installation. Personally I wish that there was something that we could install on customer machines that would absolutely and totally block the installation of net.net stuff, to the point of deleting any installation files that have been downloaded. [1] When cleaning a customer's Nachi infected machine, I discovered that the installed copy of NAV was completely up to date - but a system scan hadn't been run since July 2002. -- Jeff Shultz Loose nut behind the wheel.
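Jeff's three conditions (updates downloaded, scans actually run, renewal paid) are easy to check mechanically once a support tool can collect the relevant dates from each machine. The following is an added example, not code from anyone in this thread or from any AV vendor: it takes constructed per-machine records (the hostnames, dates and the 7-day/30-day thresholds are all assumptions) and reports which machines have AV installed but not actually protecting them, including the footnote case of current definitions with no scan since 2002.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds are assumptions for this example, not from any vendor.
MAX_DEFINITION_AGE_DAYS = 7    # signatures older than a week count as stale
MAX_SCAN_AGE_DAYS = 30         # no full scan for a month counts as stale


@dataclass
class AvStatus:
    """What a support tool could collect from one customer machine."""
    host: str
    definitions_date: Optional[date]    # None: definitions never downloaded
    last_full_scan: Optional[date]      # None: never scanned
    subscription_end: Optional[date]    # None: product needs no paid renewal


def posture_problems(status: AvStatus, today: date) -> List[str]:
    """Return the reasons an installed AV product is not actually protecting
    the machine.  An empty list means all three conditions hold."""
    problems: List[str] = []

    # 1. updates downloaded recently?
    if status.definitions_date is None:
        problems.append("definitions never updated")
    else:
        age = (today - status.definitions_date).days
        if age > MAX_DEFINITION_AGE_DAYS:
            problems.append(f"definitions {age} days old")

    # 2. a scan actually run?  Up-to-date signatures do nothing on their own.
    if status.last_full_scan is None:
        problems.append("never scanned")
    else:
        age = (today - status.last_full_scan).days
        if age > MAX_SCAN_AGE_DAYS:
            problems.append(f"last full scan {age} days ago")

    # 3. subscription still paid for, where the product requires one?
    if status.subscription_end is not None and status.subscription_end < today:
        problems.append(
            f"update subscription expired {status.subscription_end.isoformat()}")

    return problems


def fleet_report(fleet: List[AvStatus], today: date) -> Dict[str, List[str]]:
    """Map each host to its list of problems; hosts with [] are fine."""
    return {s.host: posture_problems(s, today) for s in fleet}


# Constructed sample records (hostnames and dates are made up for this example).
SAMPLE_FLEET = [
    AvStatus("cust-a", date(2003, 11, 24), date(2003, 11, 22), date(2004, 3, 1)),
    # the footnote case: current definitions, but no scan since July 2002
    AvStatus("cust-b", date(2003, 11, 24), date(2002, 7, 15), date(2004, 3, 1)),
    AvStatus("cust-c", date(2003, 5, 2), date(2003, 10, 30), date(2003, 5, 1)),
    AvStatus("cust-d", None, None, None),
]
TODAY = date(2003, 11, 24)

if __name__ == "__main__":
    for host, problems in fleet_report(SAMPLE_FLEET, TODAY).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

The point of reporting reasons rather than a pass/fail flag is that each one maps to a different support action: a stale-definitions machine needs its updater fixed, a never-scanned machine needs a scheduled scan, and an expired subscription is a billing conversation.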
Jeff Shultz writes on 11/24/2003 1:46 PM:
Firewalls at least tend to be a bit more hands off... and I'd like to hear more about the "snake oil" parts. Doesn't the 1/2wall that XP ships with default to "disabled?"
Interesting reading here - http://groups.google.com/groups?q=vernon+schryver+snake+oil+firewall -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
I tend to encourage people to use PestPatrol for the malware on windoze boxes. Suresh Ramasubramanian wrote:
Jeff Shultz writes on 11/24/2003 1:46 PM:
Firewalls at least tend to be a bit more hands off... and I'd like to hear more about the "snake oil" parts. Doesn't the 1/2wall that XP ships with default to "disabled?"
Interesting reading here - http://groups.google.com/groups?q=vernon+schryver+snake+oil+firewall
On Mon, 24 Nov 2003 10:46:26 -0800 "Jeff Shultz" <jeffshultz@wvi.com> wrote: | Personally I wish that there was something that we could install | on customer machines that would absolutely and totally block the | installation of net.net stuff, to the point of deleting any | installation files that have been downloaded. The latest version of Zone Alarm Pro does stop all applications from accessing the net outbound unless specifically authorised, and it does check the executable by checksum to make sure it hasn't been changed. Of course, this doesn't cope with the clueless who are willing to click on just about anything, particularly if it looks cute, but the one good point about Zone Alarm Pro is that it requires a separate authorisation before any executable is allowed to access an external site on Port 25. -- Richard Cox
* Richard@mandarin.com (Richard Cox) [Mon 24 Nov 2003, 20:30 CET]:
The latest version of Zone Alarm Pro does stop all applications from accessing the net outbound unless specifically authorised, and it does check the executable by checksum to make sure it hasn't been changed.
Right up to the moment the end user, annoyed by the continuous popups, authorises mshtml.dll - which is used by several malicious-by-design worms (including Outlook). -- Niels.
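To make Richard's and Niels's points concrete, here is an added example (an illustrative model written for this page, not ZoneAlarm's code or a description of its behaviour) of an outbound-access policy that pins each grant to a hash of the approved image and requires a separate grant for port 25. The `match_modules` switch, the file paths and the placeholder image bytes are all constructed. With module matching on, a grant made for a shared component such as mshtml.dll is honoured for any process hosting it, which is the over-broad authorisation Niels describes; keying grants to the main executable only (`match_modules=False`) keeps the unknown program at "prompt".

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set

SMTP_PORT = 25


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Grant:
    digest: str       # hash of the image the user approved
    ports: Set[int]   # destination ports approved for it


@dataclass
class Process:
    image: str                                   # main executable (constructed path)
    image_bytes: bytes                           # stand-in for the file contents
    modules: Dict[str, bytes] = field(default_factory=dict)  # loaded components


class OutboundPolicy:
    """Per-executable outbound grants pinned to a content hash.

    match_modules=True models a policy that also honours grants made on a
    loaded component such as mshtml.dll; False keys grants to the main image only.
    """

    def __init__(self, match_modules: bool):
        self.match_modules = match_modules
        self.grants: Dict[str, Grant] = {}

    def authorise(self, name: str, data: bytes, ports: Set[int]) -> None:
        self.grants[name] = Grant(digest(data), set(ports))

    def decision(self, proc: Process, port: int) -> str:
        """'allow', 'deny' (approved name but changed contents) or 'prompt'."""
        candidates = [(proc.image, proc.image_bytes)]
        if self.match_modules:
            candidates += list(proc.modules.items())
        for name, data in candidates:
            grant = self.grants.get(name)
            if grant is None:
                continue
            if grant.digest != digest(data):
                return "deny"            # binary changed since it was approved
            if port in grant.ports:
                return "allow"
            # approved program, but this port (e.g. 25) needs its own approval
        return "prompt"


def run_scenario(match_modules: bool) -> Dict[str, str]:
    """Constructed scenario; image bytes are placeholders, not real binaries."""
    browser_path = r"C:\Program Files\Browser\browser.exe"
    mshtml_path = r"C:\WINDOWS\system32\mshtml.dll"
    browser_v1, browser_v2, mshtml = b"browser v1", b"browser v2", b"mshtml"

    policy = OutboundPolicy(match_modules)
    policy.authorise(browser_path, browser_v1, {80, 443})   # web only, no port 25

    browser = Process(browser_path, browser_v1, {mshtml_path: mshtml})
    tampered = Process(browser_path, browser_v2)             # same path, new contents
    newcomer = Process(r"C:\Temp\cute.exe", b"unknown", {mshtml_path: mshtml})

    out = {
        "browser:443": policy.decision(browser, 443),
        "browser:25": policy.decision(browser, SMTP_PORT),
        "tampered:443": policy.decision(tampered, 443),
        "newcomer:25 before": policy.decision(newcomer, SMTP_PORT),
    }
    # The user, tired of pop-ups, approves the shared component for everything.
    policy.authorise(mshtml_path, mshtml, {80, 443, SMTP_PORT})
    out["newcomer:25 after mshtml grant"] = policy.decision(newcomer, SMTP_PORT)
    return out


if __name__ == "__main__":
    print("module matching on: ", run_scenario(True))
    print("module matching off:", run_scenario(False))
```

A real product would also have to handle legitimate updates (a changed hash should force a fresh prompt rather than a silent re-grant) and copies under other names, but the shape of the decision is the same: identify the program by content, not by path, and scope every grant to the process that actually asked.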
The latest Zone Alarm Pro also invites subscribed users to participate in creating a more robust solution.... -Henry Niels Bakker <niels=nanog@bakker.net> wrote: * Richard@mandarin.com (Richard Cox) [Mon 24 Nov 2003, 20:30 CET]:
The latest version of Zone Alarm Pro does stop all applications from accessing the net outbound unless specifically authorised, and it does check the executable by checksum to make sure it hasn't been changed.
Right up to the moment the end user, annoyed by the continuous popups, authorises mshtml.dll - which is used by several malicious-by-design worms (including Outlook). -- Niels.
On Mon, Nov 24, 2003 at 02:31:42PM -0800, Henry Linneweh wrote:
The latest Zone Alarm Pro also invites subscribed users to participate in creating a more robust solution....
The latest Zone Alarm also creates a nice DDoS to your ISP's DNS servers if lockup.zonelabs.com can't be resolved (as we found out the hard way here in Europe after the Above downtime). -- Cliff Albert | RIPE: CA3348-RIPE | https://oisec.net/ cliff@oisec.net | 6BONE: CA2-6BONE | PGP Fingerprint = 9ED4 1372 5053 937E F59D B35F 06A1 CC43 9A9B 1C5A
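What Cliff describes is the classic retry-storm failure mode: a client that treats a failed lookup as "try again right now" turns every installed copy into a steady source of queries, and a large installed base into a flood on the recursive resolvers. The simulation below is an added example written for this page (it is not ZoneAlarm's code and makes no claim about its actual retry logic): it models a fleet whose update-check name never resolves, once with an immediate one-second retry loop and once with capped exponential backoff plus jitter, and counts the queries a resolver would see. The client count, horizon and 300-second cap are constructed parameters.

```python
import heapq
import random
from typing import Dict


def simulate(clients: int, horizon: float, backoff: bool,
             base: float = 1.0, cap: float = 300.0, seed: int = 1) -> Dict[str, int]:
    """Simulate `clients` machines retrying a lookup that keeps failing.

    backoff=False: retry every `base` seconds, forever (what a fleet does to a
    resolver when the check is written as a simple retry loop).
    backoff=True:  delay doubles per attempt, capped at `cap`, with jitter in
    [0.5, 1.5) so clients drift apart instead of retrying in lockstep.
    Returns total queries in [0, horizon) and queries in the final 60 seconds.
    """
    rng = random.Random(seed)
    # (time, client) min-heap; first attempts are spread over the first second
    events = [(rng.random(), i) for i in range(clients)]
    heapq.heapify(events)
    attempts = [0] * clients
    total = last_minute = 0

    while events[0][0] < horizon:
        t, i = heapq.heappop(events)
        total += 1
        if t >= horizon - 60:
            last_minute += 1
        attempts[i] += 1
        if backoff:
            delay = min(cap, base * 2 ** (attempts[i] - 1)) * (0.5 + rng.random())
        else:
            delay = base
        heapq.heappush(events, (t + delay, i))

    return {"total": total, "last_minute": last_minute}


def compare(clients: int = 200, horizon: float = 600.0) -> Dict[str, Dict[str, int]]:
    """Same fleet, same outage, two retry strategies."""
    return {"naive": simulate(clients, horizon, backoff=False),
            "backoff": simulate(clients, horizon, backoff=True)}


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:8s} total={stats['total']:7d}  last minute={stats['last_minute']:6d}")
```

Jitter matters as much as the doubling: without it, clients that were installed or rebooted together keep retrying in lockstep, and the resolver still sees periodic spikes, just further apart. The cap keeps a long outage from pushing the check so far out that the product stops noticing when the name comes back.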
Being that I wasn't paying attention, here's the message I accidentally responded to in private e-mail rather than the list... --------- ----- Original Message ----- From: "Jeff Shultz" <jeffshultz@wvi.com> To: <nanog@merit.edu> Sent: Monday, November 24, 2003 1:46 PM Subject: Re: Anit-Virus help for all of us??????
You know that the best AV program in the world isn't going to amount to a hill of beans if the user doesn't 1. download updates, 2. run the occasional scan [1], and 3. pay for more updates past the 1 year mark (for those for which this is a requirement).
That's how they make money off of the antivirus stuff - the yearly subscriptions. Many people just go out and buy a new version of Norton whenever their defs expire (yeah, I've done that before for my personal machines, as sometimes they improve the detection stuff between versions - like Norton 2002 adds script protection and better e-mail virus filtering). The only completely and utterly free with no catches or nagware antivirus software I know of is clamav. But, it's only for UNIX/Linux (although people have gotten it working in cygwin - I might just package it up for people and make an installer for it). Has an autoupdate script as well. If someone spent the time to play with it, who knows, it might be able to do realtime scanning. It's pretty fast too.
Firewalls at least tend to be a bit more hands off... and I'd like to hear more about the "snake oil" parts. Doesn't the 1/2wall that XP ships with default to "disabled?"
Yep, though in SP2 for XP, it will be turned on by default, IIRC. I actually like McAfee Personal Firewall Express (given away free by AOL to all of their users), have it installed on my mother's Win98SE desktop and it works like a charm. Not that many features or controls, so it's slightly less confusing, but then again, you can't do very complicated stuff with it either, so it's not good for everyone, but for someone like my mother, it's more than enough. I just can't stand personal firewalls on my machines though - they have this nasty habit of either slowing down the machine, or causing issues with the various tools I run. Being that my primary machine is a PII 266 MHz laptop, I really can't handle a personal firewall dragging down my laptop.
As for Malware... right now neither firewalls nor AV programs seem to stop its installation. Personally I wish that there was something that we could install on customer machines that would absolutely and totally block the installation of net.net stuff, to the point of deleting any installation files that have been downloaded.
[1] When cleaning a customer's Nachi infected machine, I discovered that the installed copy of NAV was completely up to date - but a system scan hadn't been run since July 2002.
Spybot SD is a nifty program, installs some protection against malware that gets delivered by IE, and is generally good at ripping it out if it does get in. One thing that many people don't realize (from my personal experience) is that contrary to popular belief, Win98SE is a good all around desktop OS to use. It can run most things like productivity apps and games, and with 128-256MB of RAM, it's quite fast even on an old laptop like mine. Unlike XP, it doesn't have a million services running, nor does it have the nasty UPnP stuff from WinME. I've run my Win98SE laptop with Norton Antivirus 2002, Outlook Express, and K-Meleon 0.8 (even with its more annoying bugs) as my primary browser and have never gotten infected by one of these mass mailing worms, or the DCOM exploits, or IE exploits, etc. The one thing I should mention though - I have a user, long time friend of mine, I got her set up with WinXP last year, patched her, then installed Norton Antivirus 2002, set it to autoupdate and do weekly scans (which, btw, are on by default, but I check nonetheless), and turned on the XP firewall and set it to block all inbound but RDP (so I could do remote management if she needed it). I also turned off auto-updating of Windows patches (since I've had situations where my customers' machines have been trashed because of bad/faulty patches). The machine survived the RPC/DCOM exploit nightmares as well as rounds of Outlook Express exploits with no problem. I only recently fully updated her machine with the latest patches (I didn't want to neglect her machine, but my recent bout of health problems and personal issues left me with no choice). Even if users don't take advantage of the built in Windows Update because it's risky, you can still make sure that you have (autoupdated) AV and the XP firewall, and you *should* be ok for the most part. All you need to do is make sure it is turned on. On a side note....
I've been developing a little GUI tool which automates the process of securing a machine - run it, it turns on the XP firewall, turns off the Windows Messenger service, asks for the antivirus CD and auto installs it quietly (only works with Norton right now) with all the important options turned on, has the option of downloading a list of latest patches from our web server, and then downloads them from Microsoft (regardless of whether it was installed already, as I have found that sometimes Windows Update thinks a patch is installed when it's really not), then quietly installs them without user interaction, then forces the user to reboot. It's got some 'issues' in its current implementation, so I'm not comfortable with releasing it into the wild for people yet. That and the fact it only works on XP. It isn't *that* hard to put something together for your less clueful customers, as long as they agree to some sort of release of liability before running it. Not always possible, but who knows. -------------------------- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
Brian Bruns wrote:
One thing that many people don't realize (from my personal experience) is that contrary to popular belief, Win98SE is a good all around desktop OS to use. It can run most things like productivity apps and games, and with 128-256MB of RAM, it's quite fast even on an old laptop like mine. Unlike XP, it doesn't have a million services running, nor does it have the nasty UPnP stuff from WinME.
I agree! I don't run much M$Windows, with the exception of dual boot for occasional games, but I stopped at 98SE, having had problems with everything later. Unfortunately, I cannot keep my relatives and customers from buying new machines with XP, the worst thing I've seen yet. -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
On 24.11 18:20, William Allen Simpson wrote:
Brian Bruns wrote:
One thing that many people don't realize (from my personal experience) is that contrary to popular belief, Win98SE is a good all around desktop OS to use. It can run most things like productivity apps and games, and with 128-256MB of RAM, it's quite fast even on an old laptop like mine. Unlike XP, it doesn't have a million services running, nor does it have the nasty UPnP stuff from WinME.
I agree wholeheartedly. if haveto(M$) use(W98SE); I recommend that at home to all local primary schools. They often do not have the latest hardware but some of them even run it on the latest hardware now. This and frequent reloads of standard clean disk images tends to keep things clean and operational. The image loads from a *nix server are routinely done by 10-year-olds. Unfortunately this is not a really long term strategy. I expect apps that are essential to the schools but do not run on W98SE in the not-too-distant future. I guess they will have to find loads of money and buy macs then. ;-) Daniel
Daniel Karrenberg wrote:
I recommend that at home to all local primary schools. They often do not have the latest hardware but some of them even run it on the latest hardware now. This and frequent reloads of standard clean disk images tends to keep things clean and operational. The image loads from a *nix server are routinely done by 10-year-olds.
Drivers are getting harder and harder to find for Win9x - even stuff that was supported last year seems to have "lost" the drivers from the manu sites: "we don't support Win9x anymore" *sigh*
Unfortunately this is not a really long term strategy. I expect apps that are essential to the schools but do not run on W98SE in the not-too-distant future.
I would be surprised. The upgrade treadmill is mostly there as a money-tree for the manus - provided you have xxx licences for Office 9x, xxx licences for Windows 9x and supported hardware, you could probably go on indefinitely. (Who can name a feature they use more than once a month in Word or Excel post-97 that wasn't in 97? And most of those seem to have been third-party available plugins that M$ have built into later versions.) My biggest problem with 9x boxen (and we support 400 here) is printer drivers; printers wear out faster than anything else in an office environment, and the latest and greatest don't come with 9x drivers any more (but often generic or older drivers still work - I don't think this will always be true though).
School apps are a world of their own anyhow - writers will target the platforms available as that's where the sales are, not the platforms M$'s games division writes for. In the 486 days you could *still* buy new software for the BBC Micro in the UK - simply because so many schools still had them. Expansion of your machine pool would be a nightmare though - you can't buy versions of Office or Windows behind the leading edge any more, and regardless more and more seem to require "activation" by being on the web (not a good idea for an unpatched Win9x box running unpatched office suites, but then, isn't everyone on the web now?) Perhaps a migration to Linux is in order? After all, it's free(ish), doesn't care too much about marketing deadlines, and if you start them young enough, KDE or Gnome is certainly no harder to learn than Windows.
Dave Howe wrote:
Perhaps a migration to Linux is in order? After all, it's free(ish), doesn't care too much about marketing deadlines, and if you start them young enough, KDE or Gnome is certainly no harder to learn than Windows.
Why stop at an intermediate step rather than migrate to a free OS while we are at it? Like FreeBSD, NetBSD or OpenBSD. Pete
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Daniel Karrenberg Sent: November 25, 2003 3:42 AM To: William Allen Simpson Cc: nanog@merit.edu Subject: Re: Anit-Virus help for all of us??????
On 24.11 18:20, William Allen Simpson wrote:
Brian Bruns wrote:
One thing that many people don't realize (from my personal experience) is that contrary to popular belief, Win98SE is a good all around desktop OS to use. It can run most things like productivity apps and games, and with 128-256MB of RAM, it's quite fast even on an old laptop like mine. Unlike XP, it doesn't have a million services running, nor does it have the nasty UPnP stuff from WinME.
I agree wholeheartedly.
if haveto(M$) use(W98SE);
Have either of you actually followed this advice? Win98SE is totally useless as a desktop OS due to the archaic GDI/USER resource limits. When one average consumerish app (eg: a media player) eats up 10% of those resources, one window in an IM program eats up 2%, etc... it does not take much to bring down an entire system. Last time I was running Win98SE (which is about 3 years ago), it took about 20 minutes after booting while running boring normal apps to get to a dangerously low resource level (30%ish free). That machine got totally unstable needing a reboot after about 3 days. On the same hardware (with additional RAM), Win2K could easily run 3-4 weeks and run any app I wanted just fine. So, some people might say I'm a power user, but the average users I know these days tend to multitask at least a web browser, an IM client with a couple open windows, some bloated media player, perhaps a P2P app, and some office app. This is already stretching Win9X to its limits, and I would expect it to be worse (code just gets sloppier...) than it was three years ago... No wonder people think Windows is unreliable. 98SE may be preferable from a security-from-external-threats POV, yes, but for any type of real use, it's useless. Not to mention the other quirks, like needing to reboot to change network settings, the lack of any local security (or even attempt at local security), etc. I'll take rebooting every week or two for the latest XP security patch any day over rebooting every day or two because Win98SE is an unreliable piece of poorly designed legacy junk. The way I see it, there are two uses for 98SE (or 95, 98, Me, etc) in the modern world: 1) People who use their computers as game-only machines (or who dual boot a real OS for non-game purposes) 2) Advertising for $OTHER_OS, where $OTHER_OS can be Win2K, XP, or your favourite Linux distro with KDE, GNOME, etc. Anything that actually WORKS reliably. Vivien -- Vivien M. 
vivienm@dyndns.org Assistant System Administrator Dynamic DNS Network Services http://www.dyndns.org/
----- Original Message ----- From: "Vivien M." <vivienm@dyndns.org> To: "'Daniel Karrenberg'" <daniel.karrenberg@ripe.net> Cc: <nanog@merit.edu> Sent: Tuesday, November 25, 2003 9:39 AM Subject: RE: Anit-Virus help for all of us??????
Have either of you actually followed this advice?
Win98SE is totally useless as a desktop OS due to the archaic GDI/USER resource limits. When one average consumerish app (eg: a media player) eats up 10% of those resources, one window in an IM program eats up 2%, etc... it does not take much to bring down an entire system. Last time I was running Win98SE (which is about 3 years ago), it took about 20 minutes after booting while running boring normal apps to get to a dangerously low resource level (30%ish free). That machine got totally unstable needing a reboot after about 3 days. On the same hardware (with additional RAM), Win2K could easily run 3-4 weeks and run any app I wanted just fine. So, some people might say I'm a power user, but the average users I know these days tend to multitask at least a web browser, an IM client with a couple open windows, some bloated media player, perhaps a P2P app, and some office app. This is already stretching Win9X to its limits, and I would expect it to be worse (code just gets sloppier...) than it was three years ago...
Yes I do follow my own advice. Back from the days when I was an OEM, I still have a box full of Win98SE CD packs/licenses for when I build people new machines. It's what I put on them standard unless you ask for Win2k or XP or NT4 (or any other OS for that matter, i.e. Linux, BSD). I know full well about the resource limits. It's a PITA, but as long as you run a decent set of apps that don't suffer from resource leaks (Mozilla without a GDI patch does this for example) that eventually use up all GDI/USER memory, you'll be fine. I use Win98SE here all day with only one reboot needed most days, and I run WinAMP, PuTTY, K-Meleon, Outlook Express, Cygwin, mIRC, Xnews (which has a bad habit of crashing the whole system at times), as well as AIM, Miranda IM, SST, Yahoo Messenger, and various other tools. That's all at once, multitasking. I know, I could reduce the clutter by letting Miranda IM do AIM and Yahoo, but that's not the point. :-) Many times, resource suckage comes from those ugly faceless background programs that run at startup. Kill as many icons as you can on the desktop and the task bar, and clean out your startup list, and you'll free up a lot of GDI resources.
No wonder people think Windows is unreliable. 98SE may be preferable from a security-from-external-threats POV, yes, but for any type of real use, it's useless. Not to mention the other quirks, like needing to reboot to change network settings, the lack of any local security (or even attempt at local security), etc. I'll take rebooting every week or two for the latest XP security patch any day over rebooting every day or two because Win98SE is an unreliable piece of poorly designed legacy junk.
The way I see it, there are two uses for 98SE (or 95, 98, Me, etc) in the modern world: 1) People who use their computers as game-only machines (or who dual boot a real OS for non-game purposes) 2) Advertising for $OTHER_OS, where $OTHER_OS can be Win2K, XP, or your favourite Linux distro with KDE, GNOME, etc. Anything that actually WORKS reliably.
Let's not forget those people who just don't have the CPU power or memory to support 2k or XP. Just because something is new and 'improved' doesn't make it better. Yes, 9x has a lot of legacy crap. Yes, 9x has various issues with resource usage. But sometimes, it's just right. -------------------------- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
The minimalist approach has support advantages as well. Because of the small image size a reimage can be accomplished quickly. For better or worse many network tools/utilities only run under Win[*], requiring a Windows box for many of these; Win98SE fits nicely. My app load is small, i.e. browser, ssh client, sftp client and the inevitable Office suite. We are primarily a [*]x house here but we do need Windows at times. Scott C. McGrath On Tue, 25 Nov 2003, Brian Bruns wrote:
----- Original Message ----- From: "Vivien M." <vivienm@dyndns.org> To: "'Daniel Karrenberg'" <daniel.karrenberg@ripe.net> Cc: <nanog@merit.edu> Sent: Tuesday, November 25, 2003 9:39 AM Subject: RE: Anit-Virus help for all of us??????
Have either of you actually followed this advice?
Win98SE is totally useless as a desktop OS due to the archaic GDI/USER resource limits. When one average consumerish app (eg: a media player) eats up 10% of those resources, one window in an IM program eats up 2%, etc... it does not take much to bring down an entire system. Last time I was running Win98SE (which is about 3 years ago), it took about 20 minutes after booting while running boring normal apps to get to a dangerously low resource level (30%ish free). That machine got totally unstable needing a reboot after about 3 days. On the same hardware (with additional RAM), Win2K could easily run 3-4 weeks and run any app I wanted just fine. So, some people might say I'm a power user, but the average users I know these days tend to multitask at least a web browser, an IM client with a couple open windows, some bloated media player, perhaps a P2P app, and some office app. This is already stretching Win9X to its limits, and I would expect it to be worse (code just gets sloppier...) than it was three years ago...
Yes I do follow my own advice. Back from the days when I was an OEM, I still have a box full of Win98SE CD packs/licenses for when I build people new machines. It's what I put on them standard unless you ask for Win2k or XP or NT4 (or any other OS for that matter, i.e. Linux, BSD).
I know full well about the resource limits. It's a PITA, but as long as you run a decent set of apps that don't suffer from resource leaks (Mozilla without a GDI patch does this for example) that eventually use up all GDI/USER memory, you'll be fine. I use Win98SE here all day with only one reboot needed most days, and I run WinAMP, PuTTY, K-Meleon, Outlook Express, Cygwin, mIRC, Xnews (which has a bad habit of crashing the whole system at times), as well as AIM, Miranda IM, SST, Yahoo Messenger, and various other tools. That's all at once, multitasking. I know, I could reduce the clutter by letting Miranda IM do AIM and Yahoo, but that's not the point. :-)
Many times, resource suckage comes from those ugly faceless background programs that run at startup. Kill as many icons as you can on the desktop and the task bar, and clean out your startup list, and you'll free up a lot of GDI resources.
No wonder people think Windows is unreliable. 98SE may be preferable from a security-from-external-threats POV, yes, but for any type of real use, it's useless. Not to mention the other quirks, like needing to reboot to change network settings, the lack of any local security (or even attempt at local security), etc. I'll take rebooting every week or two for the latest XP security patch any day over rebooting every day or two because Win98SE is an unreliable piece of poorly designed legacy junk.
The way I see it, there are two uses for 98SE (or 95, 98, Me, etc) in the modern world: 1) People who use their computers as game-only machines (or who dual boot a real OS for non-game purposes) 2) Advertising for $OTHER_OS, where $OTHER_OS can be Win2K, XP, or your favourite Linux distro with KDE, GNOME, etc. Anything that actually WORKS reliably.
Let's not forget those people who just don't have the CPU power or memory to support 2k or XP.
Just because something is new and 'improved' doesn't make it better. Yes, 9x has a lot of legacy crap. Yes, 9x has various issues with resource usage. But sometimes, it's just right.
-------------------------- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org
The AHBL - http://www.ahbl.org
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Brian Bruns Sent: November 25, 2003 10:21 AM To: Vivien M.; 'Daniel Karrenberg' Cc: nanog@merit.edu Subject: Re: Anit-Virus help for all of us??????
I know full well about the resource limits. It's a PITA, but as long as you run a decent set of apps that don't suffer from resource leaks (Mozilla without a GDI patch does this for example) that eventually use up all GDI/USER memory, you'll be fine. I use Win98SE here all day with only one reboot needed most days, and I run WinAMP, PuTTY, K-Meleon, Outlook Express, Cygwin, mIRC, Xnews (which has a bad habit of crashing the whole system at times), as well as AIM, Miranda IM, SST, Yahoo Messenger, and various other tools. That's all at once, multitasking. I know, I could reduce the clutter by letting Miranda IM do AIM and Yahoo, but that's not the point. :-)
Many times, resource suckage comes from those ugly faceless background programs that run at startup. Kill as many icons as you can on the desktop and the task bar, and clean out your startup list, and you'll free up a lot of GDI resources.
You've just conceded that you reboot every day, and honestly, to do what you do with Win98 SE, that's what's required. You've also conceded that how you use your system is chosen based around those resource limitations: if $BROWSER_1 uses less resources than $BROWSER_2, that's what you'll use. If Win98 SE was the only game in town, well, you could do that and curse Redmond every time you reboot. However, it is NOT the only game in town. A reasonable OS (Win2K/XP, Linux, etc) will let you run all the things you're running, and will stay up for weeks unless your hardware really sucks. Vivien -- Vivien M. vivienm@dyndns.org Assistant System Administrator Dynamic DNS Network Services http://www.dyndns.org/
"Vivien M." wrote:
if haveto(M$) use(W98SE);
Have either of you actually followed this advice?
Yes.
(30%ish free). That machine got totally unstable needing a reboot after about 3 days. On the same hardware (with additional RAM), Win2K could easily run 3-4 weeks and run any app I wanted just fine.
ROFL. :-) My relatives run their machine(s) for a couple of hours and turn them off. My 3000+ customers are primarily dialup, and presumably turn them off, too. If they didn't, the Nachi infections would be much, much worse.
No wonder people think Windows is unreliable. 98SE may be preferable from a security-from-external-threats POV, yes, but
This thread primarily concerns security.
... I'll take rebooting every week or two for the latest XP security patch any day over rebooting every day or two because Win98SE is an unreliable piece of poorly designed legacy junk.
All M$ software is "an unreliable piece of poorly designed legacy junk." This is about which piece of junk to recommend to customers, that keeps support costs down, and Nachi et alia from showing up.
The way I see it, there are two uses for 98SE (or 95, 98, Me, etc) in the modern world: 1) People who use their computers as game-only machines (or who dual boot a real OS for non-game purposes)
That's me, personally, for games that are not available for Macs -- after all, GreenDragon is a Mac game company!
2) Advertising for $OTHER_OS, where $OTHER_OS can be Win2K, XP, or your favourite Linux distro with KDE, GNOME, etc. Anything that actually WORKS reliably.
Although we do run YellowDog Linux on old Mac hardware for much of our server needs, the security monitors and such run NetBSD or OpenBSD. Just had a Linux nameserver hacked the other day.... I have horrible, horrible, support experiences with 2K and XP. Every customer that I know runs XP has been infected with one thing or another. In the case of 2 DSL customers in particular, they seem to be infected again a week or two later, even tho' they swear that they applied all the patches. This has been a major pain in support costs. My brothers both run XP for Civ3 PTW, and both crash within a half hour or so, while the W98 machines just keep running that program all day, leading me to host on much slower W98 machines -- contrary to the usual instructions. So, I can personally attest to "actually WORKS reliably." -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
Sean Donelan writes on 11/24/2003 1:29 PM:
If most if not all computers that are sold include antivirus + personal firewalls, who is selling all the computers being infected with worms, virus, malware?
Er... two or three obvious reasons - there might be more.
# Users not updating their virus / firewall definitions, not paying for new definitions after their year of free definitions is done.
# Users leaving open windows shares, clicking on random windows attachments etc
# Viruses keeping one step ahead of antivirus vendors
-- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
On Mon, 24 Nov 2003, Suresh Ramasubramanian wrote:
Er... two or three obvious reasons - there might be more.
# Users not updating their virus / firewall definitions, not paying for new definitions after their year of free definitions is done.
I've been looking at some statistics on infected users. One of the more interesting was "new" computer users are more likely to have infected computers than "old" computer users. A computer bought in the last 30 days may be almost twice as likely to be infected than a computer more than 1 year old.
Having sat up until the wee hours of the AM last night cleaning up virus traffic on one of my private nets (an inhouse private net at that) I was giving this some thought. It seems that as with all things, knowledge is power. While all of the machines on the floor where the net op's team lives were fine (mostly windows), the entire call center was infected (entirely windows). When I went downstairs and spoke with them I was surprised (ok not really) to find that none of them knew how to run windows update or had ever heard of the xp firewall feature. They are in the process of being jailed behind their own nat with heavy ACL's.

It's something of a difficult spot. Modern society does not hand out cars to every Tom that can afford one. They make you pass a test and obtain a license first. Why? Because if you don't know what you're doing and understand some basic safety procedures, you are a danger to other people. But any Joe with $400 can get on the internet and cause havoc. Now understand me here, I'm not trying to start a "we should license internet users" war here. That would be silly. The trick here lies in this: the gvmt (I'm speaking of US roadways here) has something to the effect of a monopoly on roads. Don't want to get their license? Don't drive on their roads.. The internet doesn't have that simplicity.

So the question is: how to convince "the users" that there are things they really should know and practice in the interest of everyone's safety? Unfortunately like everyone else, I don't have the answer. Just another way of looking at it. I have learned however that trying to fix a behavioral problem with technology generally doesn't work. Until "the users" in general get a little smarter about their new toy, things won't get much better.

That said someone made an interesting comment pertaining to whom it was that was selling the vulnerable machines. While not particularly useful for much, it might be amusing to get some nice granular data on infected hosts' brand names. Be entertaining to see whose default config is the least virus prone. Anyway. Just a thought I had been muddling with hehe. Sorry to clutter the list with it. If anyone wants to chat about it drop me a line off list.
Er... two or three obvious reasons - there might be more.
# Users not updating their virus / firewall definitions, not paying for new definitions after their year of free definitions is done.
# Users leaving open windows shares, clicking on random windows attachments etc
# Viruses keeping one step ahead of antivirus vendors
Ryan Dobrynski Hat-Swapping Gnome Choice Communications Like the ski resort of girls looking for husbands and husbands looking for girls, the situation is not as symmetrical as it might seem.
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Ryan Dobrynski Sent: November 25, 2003 12:21 PM To: nanog@merit.edu Subject: Re: Anit-Virus help for all of us??????
like everyone else, I don't have the answer. Just another way of looking at it. I have learned however that trying to fix a behavioral problem with technology generally doesn't work. Until "the users" in general get a little smarter about their new toy, things won't get much better.
No, the solution seems to me to increase the liability involved. If a couple of people who neglected to take care of their computers got hauled into court and made to pay a fine and/or spend a few weeks in a jail cell, and if the mainstream media got to watch (and didn't take a "those poor people" stance that makes the whole initiative look bad), things would change.

Fact is, if I don't properly maintain my brakes on my car and I crash into something/someone, there will be legal consequences enforced with the full coercive power of the government. If I don't properly maintain my computer and as a result, it harms someone else (eg: by allowing others to use it for DDoSing that other person's network), there should also be serious legal consequences. And just like saying "Oh, I didn't know brakes weren't supposed to last for 150000km" wouldn't be an acceptable excuse for my poorly-maintained car harming others, neither should "I didn't know that computers needed regular security updates" be an excuse for me to have a virus/trojan/etc-infected computer that harms others.

Yes, this is a political solution, but this is a political and social (and economic, to a lesser extent) problem, not a technological one. When technology has the potential to cause harm, it (except for computer technology) is regulated to limit the amount of harm that is done.

Vivien -- Vivien M. vivienm@dyndns.org Assistant System Administrator Dynamic DNS Network Services http://www.dyndns.org/
I would hate to blame the users here. In most organizations it is the role of the IT Dept to manage the workstations and not end users. Severely restricting users' privileges is often a good thing, at least from the perspective of being able to control what gets installed on the machines in question. Having consistent hardware and software images also helps (where rooted boxes are quickly re-imaged), as well as having a good distributed anti-virus solution.

-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Ryan Dobrynski Sent: Tuesday, November 25, 2003 12:21 PM To: nanog@merit.edu Subject: Re: Anit-Virus help for all of us??????

Having sat up until the wee hours of the AM last night cleaning up virus traffic on one of my private nets (an inhouse private net at that) I was giving this some thought. It seems that as with all things, knowledge is power. While all of the machines on the floor where the net op's team lives were fine (mostly windows), the entire call center was infected (entirely windows). When I went downstairs and spoke with them I was surprised (ok not really) to find that none of them knew how to run windows update or had ever heard of the xp firewall feature.
On Tue, 25 Nov 2003 13:21:36 EST, Wojtek Zlobicki <wojtekz@idirect.com> said:
I would hate to blame the users here. In most organizations it is the role of the IT Dept to manage the workstations and not end users.
Remember that Joe Sixpack's IT Dept may not be available past 9:30PM because it's a school night.... Yes, in large organizations, it's the IT Dept's problem. However, I'm fairly sure that the vast majority of PC's are home/SOHO/small company boxes that don't have an IT Dept. I know for a fact that a music store I do a lot of business with had their computer (singular) set up by a college kid who got paid in guitar gear and then split town. It's worked for 4 years, and the store owner figures it will cost him another guitar to get it fixed if it ever breaks. :)
Sean Donelan wrote:
If most if not all computers that are sold include antivirus + personal firewalls, who is selling all the computers being infected with worms, virus, malware?
Just got a new off the shelf PC, manufactured on 13th Nov 2003. Comes with NAV2003 and virus definitions from late 2002 installed. This is on a model that has been shipping for less than two months. Probably is not worth mentioning that windowsupdate provided with 10+ critical and 10+ other updates (the OS had Service Pack 1 installed). The box should have been labeled "don't connect this device to the public internet".

Pete
On Mon, 24 Nov 2003 22:24:58 +0200, Petri Helenius said:
that windowsupdate provided with 10+ critical and 10+ other updates (the OS had Service Pack 1 installed)
The box should have been labeled "don't connect this device to the public internet".
Question: What speed access is needed to guarantee "mean time to download patches" is significantly less than "mean time to probed by packet-to-0wn" (significantly == 20x lower still gives a 5% chance of getting 0wned while patching)?
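To make the arithmetic behind the "20x lower still gives a 5% chance" figure concrete, here is an added worked example; it is not code from the thread or from any poster. It assumes (an assumption, not something the thread states) that unsolicited probes reach an unfiltered address as a memoryless Poisson process, under which a probe interval 20x the patch window gives an exposure of 1 - e^(-1/20), about 4.9%, close to the linear 1/20 rule of thumb. It then inverts the model to get the link speed needed to hold exposure under a target. The probe interval and patch-bundle size are constructed sample values.

```python
"""Exposure while patching: an added worked example, not from the thread.

Model (an assumption): unsolicited probes arrive as a Poisson process with
mean inter-arrival time T seconds, and the box is exploitable for the whole
download. Then P(probed at least once in a window of t seconds) = 1 - exp(-t/T).
"""
import math


def exposure_probability(patch_seconds: float, mean_probe_interval: float) -> float:
    """Chance of at least one probe arriving while the patch window is open."""
    if patch_seconds < 0 or mean_probe_interval <= 0:
        raise ValueError("patch_seconds must be >= 0 and mean_probe_interval > 0")
    return 1.0 - math.exp(-patch_seconds / mean_probe_interval)


def rule_of_thumb(ratio: float) -> float:
    """The thread's linear estimate: probe interval 20x the patch time -> 1/20 = 5%."""
    return 1.0 / ratio


def max_patch_seconds(mean_probe_interval: float, max_exposure: float) -> float:
    """Longest window that keeps exposure <= max_exposure (invert 1 - exp(-t/T) = p)."""
    if not 0.0 < max_exposure < 1.0:
        raise ValueError("max_exposure must be strictly between 0 and 1")
    return -mean_probe_interval * math.log(1.0 - max_exposure)


def required_bandwidth_bps(patch_bytes: int, mean_probe_interval: float,
                           max_exposure: float) -> float:
    """Smallest download rate (bits/s) that meets the exposure target."""
    return patch_bytes * 8 / max_patch_seconds(mean_probe_interval, max_exposure)


if __name__ == "__main__":
    T_PROBE = 300.0                 # constructed: one probe every 5 minutes
    PATCH_BYTES = 40 * 1024 * 1024  # constructed: ~40 MB of post-SP1 updates
    print("ratio  linear  poisson")
    for ratio in (2, 5, 20, 100):
        print(f"{ratio:5d}  {rule_of_thumb(ratio):6.3f}  "
              f"{exposure_probability(T_PROBE / ratio, T_PROBE):7.4f}")
    for name, bps in (("56k dialup", 56_000), ("1.5M DSL", 1_500_000)):
        secs = PATCH_BYTES * 8 / bps
        print(f"{name}: {secs / 60:.0f} min download, "
              f"exposure {exposure_probability(secs, T_PROBE):.0%}")
    needed = required_bandwidth_bps(PATCH_BYTES, T_PROBE, 0.05)
    print(f"link needed for 5% exposure: {needed / 1e6:.1f} Mbit/s")
```

The linear 1/ratio rule overestimates slightly because a second probe during the same window does not add to the loss; the difference is negligible at 20x but large at 2x. The main lesson is the last line: with the constructed inputs, only a link far faster than home dialup or DSL of the day keeps a first-connect download under the 5% target, which is why the replies turn to filtering the box during the update rather than to bandwidth.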
Valdis.Kletnieks@vt.edu wrote:
Question: What speed access is needed to guarantee "mean time to download patches" is significantly less than "mean time to probed by packet-to-0wn" (significantly == 20x lower still gives a 5% chance of getting 0wned while patching)?
Since windows updates are downloaded only from one server at a time, none of those servers are connected to the public Internet at high enough speed. Pete
Valdis.Kletnieks@vt.edu writes on 11/24/2003 3:43 PM:
Question: What speed access is needed to guarantee "mean time to download patches" is significantly less than "mean time to probed by packet-to-0wn" (significantly == 20x lower still gives a 5% chance of getting 0wned while patching)?
That'd have to be very fast indeed, given that only one windows update mirror is used at a time, and patches are downloaded and applied in sequence.

Two ways to get at least some safety -
# Machine behind NAT while it is being updated
# Patches preferably downloaded onto a CD and applied offline

-- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
Suresh Ramasubramanian wrote:
Valdis.Kletnieks@vt.edu writes on 11/24/2003 3:43 PM:
Question: What speed access is needed to guarantee "mean time to download patches" is significantly less than "mean time to probed by packet-to-0wn" (significantly == 20x lower still gives a 5% chance of getting 0wned while patching)?
That'd have to be very fast indeed, given that only one windows update mirror is used at a time, and patches are downloaded and applied in sequence.
Two ways to get at least some safety -
# Machine behind NAT while it is being updated
NAT is not a security feature, neither does it provide any real security, just one to one translations. PAT falls into the same category. Just cause your broadband router (ahem, switch) vendor states that NAT (in reality PAT) as one of their security 'knobs' does not make it in any way a security feature when implemented. Only thing that might benefit is IPv4 address space.

Make a NAT Translation to a workstation (nothing else) and see if you can still carry out some of the exploits making the rounds. NAT and PAT do not prohibit any TCP/UDP connections to egress. Most broadband providers still perform a NAT translation downstream, is it helping alleviate any of the attacks/compromises? NOT!!!!!
# Patches preferably downloaded onto a CD and applied offline
I know Microsoft has a product that allows you to download patches to a centralized server (within your infrastructure) and lets you patch your internal systems from it. Heard our MS admins talking about it a while back....

-- Gerardo A. Gregory
Gerardo Gregory writes on 11/24/2003 4:20 PM:
NAT is not a security feature, neither does it provide any real security, just one to one translations. PAT falls into the same
It is not a cure all and I never said it was one. It cuts the risk down a little, is all.
Most broadband providers still perform a NAT translation downstream, is it helping alleviate any of the attacks/compromises? NOT!!!!!
A lot of it is because of infected hosts in a subnet searching around for open windows shares on IPs around it.
I know Microsoft has a product that allows you to download patches to a centralized server (within your infrastructure) and lets you patch your internal systems from it. Heard our MS admins talking about it a while back....
Sounds like a good thing to have around. -- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com security and antispam operations
On Mon, 24 Nov 2003 16:25:36 -0500 Suresh Ramasubramanian <suresh@outblaze.com> wrote:
Gerardo Gregory writes on 11/24/2003 4:20 PM:
NAT is not a security feature, neither does it provide any real security, just one to one translations. PAT falls into the same
It is not a cure all and I never said it was one. It cuts the risk down a little, is all.
Dan Senie called me on this one once, and he was right.

1-to-1 NAT is not much of a security feature.

Port NAT (PNAT) does, *as a side effect*, provide a measure of meaningful security.

as Dan pointed out to me, the code required to implement PNAT is nearly identical to the code required to provide a state keeping firewall similar to what might be done with OpenBSD's PF or Linux's IPTables packages. it doesn't provide the additional useful features of such firewalls, but it does do the minimum.

now the consumer PNAT appliances have other issues, and of course PNAT often breaks protocols that make end to end assumptions (which is why i don't like it), but the "not a security feature" thing is not really accurate. the security feature is a side effect, and wasn't the original intent of PNAT, but that doesn't mean it's not there.

richard -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
In reality, PAT provides 99.99% of all firewall protection, so if some _very smart whitehat guy_ is writing _PNAT is not a firewall_, this means only that he is very far from reality. Show me, please, any attack addressed to the PNAT based system? PNAT is not enough for a firewall to be a full featured firewall - it is true; but PNAT provides the same protection as any firewall (it just does not allow inbound connections, so you can not expose any service). 1 - 1 NAT, of course, does not provide any protection. But the _MOST_ important part of all enterprise firewalls (I mean - not most complex, but those which protect 99.99% of their users) is just PNAT.

Of course, it is true _until_ we are talking only about _direct_ network level attacks. What many people missed is that, in the _real_ world, network level firewalls are not enough for the protection; if you use _standard_ software, you are exposed to worms, viruses and other, application level, dangers (and firewalls can not help here too much).

Of course, PNAT appliances created a very strange protocol meaning - if a protocol can not work thru PNAT, it 'is not a protocol' - you can not use it in many cases... And, on the other hand, the better the protocol security, the worse this protocol is for PNAT - in reality, a secure protocol can not be a multi-connection one /as FTP or H.323/.

----- Original Message ----- From: "Richard Welty" <rwelty@averillpark.net> To: <nanog@merit.edu> Sent: Monday, November 24, 2003 1:39 PM Subject: Re[2]: Anit-Virus help for all of us??????
On Mon, 24 Nov 2003 16:25:36 -0500 Suresh Ramasubramanian
<suresh@outblaze.com> wrote:
Gerardo Gregory writes on 11/24/2003 4:20 PM:
NAT is not a security feature, neither does it provide any real security, just one to one translations. PAT falls into the same
It is not a cure all and I never said it was one. It cuts the risk down a little, is all.
Dan Senie called me on this one once, and he was right.
1-to-1 NAT is not much of a security feature.
Port NAT (PNAT) does, *as a side effect*, provide a measure of meaningful security.
as Dan pointed out to me, the code required to implement PNAT is nearly identical to the code required to provide a state keeping firewall similar to what might be done with OpenBSD's PF or Linux's IPTables packages. it doesn't provide the additional useful features of such firewalls, but it does do the minimum.
now the consumer PNAT appliances have other issues, and of course PNAT often breaks protocols that make end to end assumptions (which is why i don't like it), but the "not a security feature" thing is not really accurate. the security feature is a side effect, and wasn't the original intent of PNAT, but that doesn't mean it's not there.
richard -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
On Mon, 24 Nov 2003 15:20:59 CST, Gerardo Gregory said:
I know Microsoft has a product that allows you to download patches to a centralized server (within your infrastructure) and lets you patch your internal systems from it. Heard our MS admins talking about it a while back....
Two words: Joe Sixpack. Phrased differently - the sites that have enough clue and infrastructure to deploy that product are not, in general, the sites that are getting whacked the first time their single box connects to the net.....
Funny you mentioned ol' Joe... An article in the paper today stated that only 33% of U.S. citizens are "Tech Savvy". Meaning a lot of Joes out there are clueless.... I bet ol' Joe's AV signatures were last updated in 98 or 99... :)

G.

Valdis.Kletnieks@vt.edu wrote:
On Mon, 24 Nov 2003 15:20:59 CST, Gerardo Gregory said:
I know Microsoft has a product that allows you to download patches to a centralized server (within your infrastructure) and lets you patch your internal systems from it. Heard our MS admins talking about it a while back....
Two words: Joe Sixpack.
Phrased differently - the sites that have enough clue and infrastructure to deploy that product are not, in general, the sites that are getting whacked the first time their single box connects to the net.....
-- Gerardo A. Gregory Manager Network Administration and Security 402-970-1463 (Direct) 402-850-4008 (Cell) ------------------------------------------------ Affinitas - Latin for "Relationship" Helping Businesses Acquire, Retain, and Cultivate Customers Visit us at http://www.affinitas.net
NAT is not a security feature, neither does it provide any real security, just one to one translations. PAT falls into the same category.
While it may not be a cure-all, a NAT solution offered by most entry-level routers is an effective, if incomplete security tool. While it does not prevent stupid user tricks (downloading malware, misconfiguring NAT to allow incoming connections, etc) it does stop most non-email worms in their tracks.

For example, from an nmap or other scan of the IP address of my home DSL connection you would not see any interesting ports open, even if one or more of the hosts behind the router were accessing content of some kind. Worms that spread over open shares and insecure services (windows or otherwise) do not ever hit any of the machines behind the NAT.

I, of course, run other security solutions (IDS detection/etc) to keep my skills sharp, but I've been pleasantly surprised at the wherewithal of my little Efficient router and its NAT implementation. It's never allowed any unwanted traffic through from the outside (port 135 crud/etc).

I always tell people that a NAT like this (rather than a 1:1 NAT or a NAT with PAT holes to allow access to servers) "keeps honest people honest". Could somebody figure out a way (TCP intercept, etc) to get to a machine behind the NAT? I suppose so, but like the blinking red light on the dashboard of your car, it makes the lazy thief move on to the next car that doesn't present the appearance of protection.

-Scott -- Scott Call Router Geek, ATGi, home of $6.95 Prime Rib "These are the last days of peace in America as you know it. And we will never be the same." -Mark Morford
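The disagreement between Gerardo ("NAT is not a security feature"), Richard (PNAT is "nearly identical" to a state-keeping firewall) and Scott (port 135 traffic never reaches the inside hosts, but "PAT holes" for servers change that) comes down to whether inbound packets are matched against state. The following added example is a toy model written for this page, not code from any poster, vendor or router; it implements both a static 1:1 NAT and a port-translating NAT with a flow table and runs constructed traffic through each. Addresses are from the RFC 5737 documentation ranges, port numbers and the 40000 starting port are constructed, and the PNAT is assumed to filter on the remote address and port (some consumer devices are more permissive once a mapping exists).

```python
"""1:1 NAT versus port-translating NAT (PNAT/PAT): an added toy model.

Not code from the thread or from any router vendor. The filtering rule
(inbound must match an outbound flow's remote address AND port) is an
assumption; real devices differ in how strict they are.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OneToOneNAT:
    """Static 1:1 NAT: the public address is an alias for one inside host.
    Every inbound packet is rewritten and forwarded, so nothing is filtered."""

    def __init__(self, public_ip: str, inside_ip: str) -> None:
        self.public_ip, self.inside_ip = public_ip, inside_ip

    def outbound(self, pkt: Packet) -> Packet:
        return Packet(pkt.proto, self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, self.inside_ip, pkt.dst_port)


class PortNAT:
    """Port-translating NAT. Outbound flows create table entries; an inbound
    packet is forwarded only if it matches one (or an explicit port forward)."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port            # constructed allocation scheme
        # (proto, public port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # full flow tuple -> public port, so a flow keeps its port
        self.flows: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public port) -> (inside_ip, inside_port): the "PAT holes"
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_port_forward(self, proto: str, public_port: int,
                         inside_ip: str, inside_port: int) -> None:
        """Expose one inside service; unsolicited traffic to it is now forwarded."""
        self.forwards[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.flows:
            port, self.next_port = self.next_port, self.next_port + 1
            self.flows[key] = port
            self.table[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port,
                                             pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, self.public_ip, self.flows[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        hole = self.forwards.get((pkt.proto, pkt.dst_port))
        if hole is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, hole[0], hole[1])
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None                        # no state for this port: drop
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                        # mapping belongs to another peer: drop
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def run_scenario() -> Dict[str, bool]:
    """Constructed traffic: an inside host browses while an outside scanner
    probes the public address. Returns what each device did."""
    public, inside = "198.51.100.10", "192.168.1.20"
    web, scanner = "203.0.113.5", "203.0.113.99"
    pnat, nat11 = PortNAT(public), OneToOneNAT(public, inside)

    out = pnat.outbound(Packet("tcp", inside, 3321, web, 80))       # inside -> web
    reply = Packet("tcp", web, 80, public, out.src_port)             # genuine reply
    probe = Packet("tcp", scanner, 6000, public, 135)                # unsolicited probe
    wrong_peer = Packet("tcp", scanner, 6000, public, out.src_port)  # aimed at the live mapping

    got_reply, got_probe_11 = pnat.inbound(reply), nat11.inbound(probe)
    results = {
        "pnat_forwards_reply": got_reply is not None and got_reply.dst_ip == inside,
        "pnat_drops_probe": pnat.inbound(probe) is None,
        "pnat_drops_wrong_peer": pnat.inbound(wrong_peer) is None,
        "nat11_forwards_probe": got_probe_11 is not None and got_probe_11.dst_ip == inside,
    }
    pnat.add_port_forward("tcp", 135, inside, 135)   # a "PAT hole" re-exposes the port
    results["pnat_with_hole_forwards_probe"] = pnat.inbound(probe) is not None
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:32s} {outcome}")
```

All five outcomes come back True: the PNAT passes the reply to the flow it saw leave, drops the probe to port 135 and drops a packet from the wrong peer aimed at the open mapping, the 1:1 NAT passes the same probe straight to the inside host, and a port forward on the PNAT puts that port back in reach. The flow table is exactly the state a stateful filter keeps, which is Richard's point, and the forward entry is Scott's misconfiguration case; neither device does anything about what the inside host itself fetches, which is the limit Gerardo and Alexei describe.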
On Mon, 24 Nov 2003, Gerardo Gregory wrote:
# Machine behind NAT while it is being updated
NAT is not a security feature, neither does it provide any real security, just one to one translations. PAT falls into the same category. Just cause your broadband router (ahem, switch) vendor states that NAT (in reality PAT) as one of their security 'knobs' does not make it in any way a security feature when implemented. Only thing that might benefit is IPv4 address space.
Make a NAT Translation to a workstation (nothing else) and see if you can still carry out some of the exploits making the rounds.
Nor does it stop the user inviting an exploit to run on their PC, eg web download, email attachment.. based on seeing plenty of virused/exploited machines at companies I've worked at which all had AV, FW, NAT etc they still had the human factor who would override a warning because they got sent what looks like a joke email with an attached .scr that later turns out to be a new virus/worm.. Steve
On Mon, 24 Nov 2003 21:50:48 GMT, "Stephen J. Wilcox" said:
Nor does it stop the user inviting an exploit to run on their PC, eg web download, email attachment.. based on seeing plenty of virused/exploited machines at companies I've worked at which all had AV, FW, NAT etc they still had the human factor who would override a warning because they got sent what looks like a joke email with an attached .scr that later turns out to be a new virus/worm..
The average user will say "OOH! SHINY!! [clicky-click]" when offered content promising either dancing hamsters or pop stars wearing less clothing than appropriate. Any security model that doesn't allow for this is doomed to failure.
Valdis.Kletnieks@vt.edu wrote:
The average user will say "OOH! SHINY!! [clicky-click]" when offered content promising either dancing hamsters or pop stars wearing less clothing than appropriate. Any security model that doesn't allow for this is doomed to failure.
Yep. I've already told the story about my niece a few months back -- right before my eyes.

The solution that's worked so far, keeping her machine clean for months: Norton AV can detect every attempt to write to an executable, and it turns off the Windows screen, takes over the display, flashes a big warning screen, and asks whether it should continue. That causes the startled niece to go running to momma to call uncle.

Whatever we use has to be flashier than dancing hamsters.... Of course, anything that happens too often will just get the OK option selected anyway.

-- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
The average user will say "OOH! SHINY!! [clicky-click]" when offered content promising either dancing hamsters or pop stars wearing less clothing than appropriate. Any security model that doesn't allow for this is doomed to failure.
Introducing Telecomplete Security service, with antivirus, stateful content based inspection firewall, and Hamster Protection (TM) :)
On 24 Nov, 2003, at 21:20, Gerardo Gregory wrote:
[NAT and PAT] is not a security feature, neither does it provide any real security, just ... translations.
"You can't curse it if you don't know its name" -- Len Bosack on this issue, Reykjavik, March 2003.
Just cause your broadband router (ahem, switch) vendor states that NAT (in reality PAT) as one of their security 'knobs' does not make it in any way a security feature when implemented.
Oh drat. So much for Len. Sean.
** Reply to message from Valdis.Kletnieks@vt.edu on Mon, 24 Nov 2003 15:43:34 -0500
On Mon, 24 Nov 2003 22:24:58 +0200, Petri Helenius said:
that windowsupdate provided with 10+ critical and 10+ other updates (the OS had Service Pack 1 installed)
The box should have been labeled "don't connect this device to the public internet".
Question: What speed access is needed to guarantee "mean time to download patches" is significantly less than "mean time to probed by packet-to-0wn" (significantly == 20x lower still gives a 5% chance of getting 0wned while patching)?
I tend to install the freebie Zonealarm before hooking those systems up to the Internet.... Snake-Oil they may claim, but it does seem to chop the chances of my getting wormed before getting the updates downloaded. -- Jeff Shultz Loose nut behind the wheel.
In message <200311242043.hAOKhYKL003690@turing-police.cc.vt.edu>, Valdis.Kletnieks@vt.edu writes:
Question: What speed access is needed to guarantee "mean time to download patches" is significantly less than "mean time to probed by packet-to-0wn" (significantly == 20x lower still gives a 5% chance of getting 0wned while patching)?
It's not just the download time, it's the install time. I recently upgraded a win2k box to winxp. Download was very fast -- my office has excellent connectivity. But the patch installation took so long that I had to disconnect the Ethernet cable so I could go home. --Steve Bellovin, http://www.research.att.com/~smb
participants (26)
- Alexei Roudnev
- Brian Bruns
- Cliff Albert
- Daniel Karrenberg
- Dave Howe
- Gerardo Gregory
- Henry Linneweh
- Jason LeBlanc
- Jeff Shultz
- McBurnett, Jim
- Niels Bakker
- Petri Helenius
- Richard Cox
- Richard Welty
- Ryan Dobrynski
- Scott Call
- Scott McGrath
- Sean Donelan
- Sean M.Doran
- Stephen J. Wilcox
- Steven M. Bellovin
- Suresh Ramasubramanian
- Valdis.Kletnieks@vt.edu
- Vivien M.
- William Allen Simpson
- Wojtek Zlobicki