Microsoft Says Recovery From Malware Becoming Impossible
An anonymous reader wrote to mention an eWeek story about Microsoft's assertion that PCs may no longer be able to recover from the most aggressive malware. From the article: "[Danseglio] cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. 'In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast.'"
no disaster recovery plan? (Score:3, Insightful)
--Taladon
This is news? (Score:5, Insightful)
Re:It's time.... (Score:5, Insightful)
I'm sure it's much harder to get malware running on OS X, but if it becomes the platform most of your potential audience are using then malware developers will just try harder to make nasties for Mac.
So, in this respect, sometimes I'm glad for Windows + IE, simply because I don't have to use it.
Translation (Score:5, Insightful)
But you never could... (Score:5, Insightful)
You could never recover a compromised system reliably anyway. Once someone's got through your security to a certain level, you can't trust anything - including security tools and diagnostic information - that runs at that level or above. For a typical desktop PC or office server, that basically means you can't trust anything left on the system.
Any sort of virus removal or system clean-up after being cracked is just a calculated risk that the attack will have been completely removed, based on the fact that doing a complete rebuild of a system and restoring all the backed up data is expensive, and while not cleaning up 100% after an attack is potentially more expensive, the probability of this is low.
And no, running Linux or MacOS X instead of Windows doesn't change this, despite the number of people flippantly suggesting these alternatives. I'd have told you this earlier and saved a dozen posts, but apparently it's been 4 minutes since I last successfully posted a comment, so I can't post another one yet... ;-)
Thin Clients (Score:5, Insightful)
Whereas, if they had been using thin clients with no local storage, the only recovery action would have been on the server. And if they had been running non-Windows on the server, they wouldn't have had these infestations in the first place. A full-blown Windows PC on every desktop in an enterprise is just an expensive welfare program for MCSE types.
Reading between the lines... (Score:3, Insightful)
"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here."
Now those sound like the words of someone who has 'been there and done that' more than a few times. If Microsoft is having those kinds of problems with the hardware, software, and expertise they have at their disposal, imagine the kinds of problem that 'Sam's Plumbing and Heating Co.' is having.
Re:Kernel hooks? (Score:3, Insightful)
Which is worse? Allowing virtually anything to hook into the kernel (provided the running user has the rights) and potentially opening it up to rootkitting... or a user accidentally disabling all 3rd party kernel hooks which caused their anti-virus program's filter driver to stop working and not detect a more run of the mill virus causing them much pain and suffering?
Re:It's time.... (Score:4, Insightful)
I use Ghost on my PC, thus when I plan on installing new software I do so, play with it, make sure I like it, then:
Restore latest clean system build image to machine,
Install target application, ensure functionality,
Create new latest clean system build image.
I store all my non-temporary data on a server PC anyway, so this is an ideal solution. One that should work in any enterprise environment as well (assuming that there are only 3-4 different builds).
-nB
Re:It's time.... (Score:4, Insightful)
Personally, I'd love to migrate us to Linux, but until I can replace CAD/CAM systems, accounting packages, design software, drawing packages, etc... that's simply not going to happen, and until it does happen I'm faced with the job of keeping our MS systems secure.
We've found that preventing web based scripts from running has kept us virus free for nearly two years now, but even then we're expecting to be hit by something sooner or later. If you're running a Microsoft network, it's worth putting a few weeks aside to get RIS / Ghost working well. Right now we're looking to take things a step further by running all our clients off a set of blade servers running virtual machines. There are cost savings to be had with the ease of maintenance and disaster recovery suddenly becomes a whole lot simpler.
Will it get to the point? (Score:4, Insightful)
When a *nix box gets rooted, generally standard practice says that you rebuild the box. I'm unsure if this is the case with Windows rootings. That is just the way it is.
Malware wants to be "sticky". I'm surprised it has taken this long to become truly difficult if not downright impossible to remove.
What I wonder is if people will just tolerate the unremovable malware instead of the frustration and/or time of reinstalling the OS and applications and getting everything just right all over again. It's one thing for system administrators and geeks to reinstall. It's another thing entirely for the average user to have full/incremental backups or cloned drives or some set of procedures for reinstallation.
This is definitely an interesting situation.
Are these the guys whose registration is anti-Ghost? (Score:3, Insightful)
MS has finally awakened and smells the coffee.
but I have no cup for them any more.
Re:They had to design a process real fast (Score:3, Insightful)
Once you've worked with a real X11 window manager, you can never go back to the crude hacks used on other platforms. Are you talking about an icon theme or something? Maybe you're thinking of KDE circa 1998?
You're talking about "de facto standards", not standards. Standards are publicly documented and have been the prime focus of Linux systems since before day 1. Undocumented, un-POSIX-compliant applications may be popular, but they are not "standards".
A nice try, but Unix-like systems have something that we call a "security model". Except in the case of people who refuse to apply updates or do things like purposefully disabling the firewall, this provides a level of protection that most other systems simply can't rival.
Think about it for a second. Apache with Linux or BSD run a huge majority of the servers on the Web. If you wanted to deliver spyware, you'd exploit and infect these systems with a delivery mechanism. The reason malware authors have to target the client OS with email worms and things that start their own mini-webservers is that it's just too freaking difficult to compromise Unix-like systems.
Of course, as long as the majority of client systems *do* run a swiss-cheesed NT variant with the security-hackaround-of-the-week, it's entirely theoretical as to whether a widespread change in client platforms would affect malware viability in that market.
Re:Fools... (Score:2, Insightful)
As you work in the educational sector, one would expect that retraining could be done in house and on the cheap. Also, one would imagine that the vast majority of your users (i.e. students) are to be taught how to use Windows, so there is no difference, as you would just teach them to learn GNOME, etc. instead.
It sounds like a case of you can't be bothered.
Re:Fools... (Score:4, Insightful)
It's a gamble. Building the new system represents a cost (in time and labor if nothing else). Retraining staff is a cost. Finding new apps, or secure work-arounds for existing apps, represents another cost. Dealing with the transition (helpdesk, troubleshooting, whining users, fixing incompletely transitioned apps) represents yet another cost.
On the balance side is the cost of a security breach which (insert your company's worst nightmare here). Or the cost of denying all your users all your computers for a period of time while things are all rebuilt. Of course it isn't guaranteed that either doomsday scenario is going to happen; simultaneously, it isn't guaranteed that either doomsday scenario is going to be limited to a single incident.
It's called risk management.
Put another way: is it worth taking a known, calculable, solid kick in the nuts to mitigate the risk that you might be repeatedly shot in the arm, chest, or head?
What is your business worth?
Re:It's time.... (Score:3, Insightful)
Mine too. Too often once the software's written for a piece of equipment a company wants to sell, the software unit gets disbanded (what, you wanted support?). So then you're stuck with whatever OS was current at the time for the lifetime of the equipment. So we have setups costing 10's to 100's of thousands of dollars controlled by PCs running Win 95/98. It would be nice to have these connected to the network to facilitate transferring data, but who wants to risk that?
OTOH, we have some old Mac 8100's running OS 9 controlling some equipment. Those have been connected to the network for years, and we haven't had a problem yet (as long as we can find mouse, keyboard and monitor replacements).
Re:Fools... (Score:3, Insightful)
At least where I work, in the educational sector, that's impossible. The time spent retraining faculty and staff alone would outweigh the security benefits
Translation: I never have the time to do it right, but I always have the time to fix it!
Re:It's time.... (Score:3, Insightful)
"FYI, That statement has been proven to be FUD for quite some time now."
Um, how exactly? The only way it could be proven is if Apple had a significant share of the market. Which they don't, and won't. Nothing against Apple or Macs, it's just the numbers.
Re:It's time.... (Score:3, Insightful)
Actually, it hasn't been proven at all. It's not possible to prove it, as a matter of fact, without OS X being the dominant operating system on the market. The usual rebuttal, Apache vs. IIS, doesn't apply to anything but Apache and IIS.
Re:It's time.... (Score:3, Insightful)
I'm also a long time Linux user (almost 10 years) and certified Solaris administrator, and I can tell you exactly _why_ a Unix or Unix look-alike such as GNU/Linux is easier than Windows to clean and restore to a clean, working state: *NIXes are open.
Open in the sense that you know exactly where things are, what they do, when they do it and how, thanks in part to the long tradition of storing configurations in well documented clear text files.
More than once I had to clean GNU/Linux machines infested with rootkits, and it was possible to do that in about 1 1/2 hours with a liveCD distro and a Red Hat/Debian/SUSE/whatever set of disks from where to copy the original, clean packages.
Basically the process is:
- boot from the live distro;
- back up everything important (data files, $HOME dirs,
- copy good binaries of basic stuff from
- chroot to the mountpoint where you have the infected disk mounted. Just make sure no infected binary gets executed when a profile/init script is executed when you chroot;
- force install of clean packages from a known CD. Make sure you replace the kernel and modules with good ones, just in case;
- check the MD5 hashes of every possible package;
- check every init script or profile script such as
- reboot to a clean box;
- apply every possible update.
Anything that gets executed at boot time will be listed either in
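The hash-checking step in the procedure above, and the earlier point that nothing left on a compromised box can be trusted, both come down to the same thing: compare the suspect disk against a reference that never touched it, using tools that never ran under its kernel. The script below is an added example and is not part of any post in this thread. It assumes a manifest in sha256sum output format ("<hex>  <relative path>") generated from clean install media, a suspect filesystem mounted read-only at some root (for instance /mnt from a live CD), and that sha256sum, find, sort and comm all come from the live environment's PATH rather than the mounted disk. It uses SHA-256 where the post says MD5, because MD5 is no longer collision-resistant. It reports files whose contents differ from the manifest, manifest entries that are missing, and files present on disk that the manifest does not know about, which is where rootkit droppings tend to show up.

```shell
#!/bin/sh
# Added example, not from the original thread. Verify a mounted suspect
# filesystem against a manifest of known-good file hashes.
#
# Assumptions (hypothetical, for illustration):
#   - $manifest is in "sha256sum" text-mode format: "<hex>  <relative path>",
#     and was produced from clean install media, never from the suspect disk.
#   - $root is the mountpoint of the suspect disk (mount it read-only).
#   - Every tool used here comes from the live CD, not from $root, because a
#     kernel-level rootkit can lie about file contents to programs it hosts.
#
# Output, one finding per line:
#   MODIFIED <path>   contents differ from the manifest
#   MISSING  <path>   listed in the manifest but absent on disk
#   UNKNOWN  <path>   present on disk but not in the manifest

verify_tree() {
  manifest=$1
  root=$2

  # Pass 1: every manifest entry must exist and hash identically.
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    expected=${line%% *}   # hex digest before the first space
    path=${line#*  }       # everything after the two-space separator
    if [ ! -f "$root/$path" ]; then
      printf 'MISSING %s\n' "$path"
    else
      actual=$(sha256sum "$root/$path" | cut -d' ' -f1)
      [ "$actual" = "$expected" ] || printf 'MODIFIED %s\n' "$path"
    fi
  done < "$manifest"

  # Pass 2: anything on disk that the manifest does not list.
  # comm -13 prints lines that appear only in the second (on-disk) list.
  known=$(mktemp)
  sed 's/^[^ ]*  //' "$manifest" | sort > "$known"
  (cd "$root" && find . -type f | sed 's|^\./||') | sort \
    | comm -13 "$known" - | sed 's/^/UNKNOWN /'
  rm -f "$known"
}

# finding_count: number of findings for a tree; 0 means it matched the manifest.
finding_count() {
  verify_tree "$1" "$2" | wc -l | tr -d ' '
}

# Usage from a live CD: sh verify_tree.sh /cdrom/manifest.sha256 /mnt
if [ $# -eq 2 ]; then
  verify_tree "$1" "$2"
fi
```

Two caveats a practitioner should keep in mind. First, config files under /etc are expected to differ from install media, so a MODIFIED hit there is a prompt for the manual review the post describes (init scripts, profile scripts, cron entries), not proof of compromise. Second, this only covers files: a rootkit that persists in the boot sector, firmware or a modified kernel image that the manifest does not list is exactly why the post replaces the kernel and modules from known-good media rather than trusting the check alone.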
Re:It's time.... (Score:4, Insightful)
That's kind of like arguing against putting a better lock on your door, because criminals are always going to figure out a way to break it. It's true, but really you don't need a lock that's strong enough to keep every criminal out, you just need to make it more secure than your neighbor's house. In OS terms, eventually you're just going to make it secure enough that it's easier to go after the user than break the system itself.
Re:It's time.... (Score:5, Insightful)
Well, if one of the best analogies is dismissed as not relevant because they aren't the same as OSes, wouldn't the idea that OS X would have the same problems as Windows also be dismissed because OS X is not the same as Windows? There is either a relation between poor security and popularity or there isn't.
Retraining? (Score:3, Insightful)
Of course, the poor IT department burdened with fixing their mess, power Windows users. But why? Certainly all their jobs (adding scheduled tasks, performing a system upgrade, fixing the server) are much easier in Linux.
Re:So they just lick their wounds and move on? (Score:3, Insightful)
Or it could be in the cases you cited, what was done was done very publicly, so the person responsible was easy to find. Now if you know who is responsible for the malware in question, why don't you let the FBI know and see what happens?
It's no odder than the fact that I got a speeding ticket when I sped past an unmarked police car, but they haven't found the person who broke several windshields in the neighborhood a while back.
You have absolutely no idea... (Score:3, Insightful)
On top of that, the people who actually make the decisions, have no fucking clue what they are doing.
It's not common sense. It's wrong. (Score:5, Insightful)
It's not common sense. It's wrong.
Microsoft is in a unique position. Because it has a virtual monopoly, Microsoft makes more money when its software has a lot of security vulnerabilities. For those who are ruled by money, morality has no force; "Maximizing Shareholder Value" is the way they live their lives.
Microsoft makes more money if it pressures its programmers to work too fast, so that they are sloppy, and then releases buggy software. Many people are fascinated by computers, and easily accept the world that Microsoft has created for them.
Here's a story about a Microsoft VP saying, "Oh, the next Windows operating system will be secure": "Safety and security is the overriding feature that most people will want to have Windows Vista for" [com.com].
So, Microsoft is once again [microsoft.com] telling us "The next version of Windows will be the good one." Before, Microsoft said Windows XP was "Built to be Dependable".
However, Vista will NOT include virus protection [arstechnica.com]. Jim Allchin, co-president of Microsoft's platform products and services division told CRN, an industry magazine [crn.com] this:
CRN: In terms of security, how do you compare security in Vista vs. security in Windows XP SP2?
Allchin: SP2 was a very good system but compared to Vista, it's night and day.
CRN: Is there going to be antivirus in Vista?
Allchin: No, there is not.
CRN: Why?
Allchin: It's a complicated answer as to why not.
CRN: Was the decision based on technical concerns?
Allchin: It wasn't technical.
CRN: Will Vista resolve security problems once and for all?
Allchin: I'm not going to claim perfection or near perfection, but I think we're unrivaled in the work we've done. I believe security will be a huge problem for the industry for years and years and years but this will change the landscape in a fairly dramatic way.
Once again, Microsoft is taking advantage of the fact that most of its customers have little technical knowledge. Mr. Allchin said that "security will be a huge problem for the industry for years and years and years".
Microsoft charges for OneCare Live [windowsonecare.com]. That's another way to make money. Make sloppy software, and then sell protection against the sloppiness.
Note the emphasis on "beta testing" in Mr. Allchin's statements in the CRN interview. Someone said that Microsoft's motto is "The whole world is our beta tester."
--
Before, Saddam got Iraq oil profits and paid part to kill Iraqis. Now a few Americans get Iraq oil profits, and American citizens pay to kill Iraqis. Improvement?
Re:It's not common sense. It's wrong. (Score:3, Insightful)
It's even better if the pistol has a combination trigger lock known only to the GunAdmin, but that's probably only likely in corporate or scholastic settings...
Re:It's not common sense. It's wrong. (Score:3, Insightful)
Linux, for example, doesn't prevent user stupidity, but it does prevent user stupidity from being trivially escalated into a rootkit installation.
It's a lot harder for someone to light themselves on fire if you have them step out of those gasoline-soaked clothes they've been wearing.
-- Granted, it's stupid of them to walk into a restaurant wearing gasoline-laced clothes, but you could probably still launch a lawsuit against the idiot that sold them the clothes in the first place under the guise of "it's the industry standard -- We've got everybody wearing them!"
Re:It's not common sense. It's wrong. (Score:2, Insightful)
But only so long as people refuse to demand secure quality software. Microsoft isn't evil, it's only producing what the consumer is demanding.
People aren't demanding secure software. They may say they are, but their actions speak differently. They don't read their EULAs, don't firewall their systems, don't use good passwords, are indiscriminate in their browsing, are indiscriminate in providing personal information to anyone who asks, and according to all observation, only mildly annoyed at crashes, hangs, and malware. What they demand instead are new features, even if they're only superficial changes to the UI. Even otherwise savvy IT personnel exhibit these behaviors. As long as they're not alone in their insecurity people won't much care.
When people place so little value on security and quality, it shouldn't surprise anyone when Microsoft similarly devalues them.
SOP? It's failure and lock in. (Score:3, Insightful)
This is an admission of failure on Microsoft's part. The complexity and inflexibility of such a system is unacceptable and the efficacy is questionable. What's keeping the bad guys off your image server? If they root that, they have every machine in your organization. The same kind of thing can be said of local image copies: you are moving the target, not fixing the root problem, which is an unacceptably poor security model. The cost of all of this is a complete loss of user freedom within the organization. If your users can't choose the tools they need, they can't do the work that makes the company run. "Standardized desktop" is a euphemism for vendor lock-in.
Backwards (Score:1, Insightful)
You might have to delete $HOME in some cases, but being basically a Unix variant, the system itself should be relatively immune from a system-wide infection.
I'd much rather restore my system files than $home.
Re:It's not common sense. It's wrong. (Score:3, Insightful)
But it's really sad to see the Slashdot community go from a can-do, toaster-modding bunch of creative tech junkies into Apple teat-sucking, iPod-praising pussies, sucking up Apple's marketing crap and pretending it's just the natural, uncommercialized evolution from Linux to a solid GUI. And everyone using Windows and a non-Apple iPod is missing something.
Please, please pull that giant Apple marketing dildo out of your collective asses.
Windows is not broken, OS X is not infallible, and iPods are ubertrendy.
If you're going to be a whore, that's fine. But don't do it under the guise that it's the right thing, trying to rationalize your weakness to flutter into the mainstream.
If you can't list 100 reasons why OS X is better than Windows and vice versa, and another 20 why an iPod is better than its -$100 counterpart and vice versa, you have lost all objectivity. You are now an ignorant whore, and you've lost the plot.
The sky is not falling, Microsoft is not purposely making shitty code, the man is not stealing your hard earned dollars.
The line between the weekend commando, dressing their kids up in camo in the paranoia of protecting themselves from democracy, and the M$ hater genuinely thinking that Bill is purposely ruining the world, is paper thin.
Both MS and APPLE are here for one reason, increasing shareholder value. Whoever convinces the market that they aren't wins.
Respect to Steve Jobs, for convincing some of what I thought were the most objective people on the internet, to think different.
Re:It's time.... (Score:3, Insightful)
It's like the worst parts of 1984 mixed with the worst parts of Brave New World. Dammit, if you're gonna take away my freedoms, at least give me soma and orgies, not another goddamn war.
Re:It's time.... (Score:3, Insightful)
The simple fact is, Apache vs. IIS does prove that the simple argument, that the ratio of users to exploits is higher relative to other competitors, doesn't work. Whether or not there is in fact another model that fits is certainly an interesting question. But good luck not making a completely esoteric model that works but only applies to a very small subset of the industry.
Re:It's time.... (Score:3, Insightful)
Wouldn't this mean you can neither argue for nor against it, since it's only theoretical? It sounds like you're using this as a point to argue against it?