At present, thousands of such zombies (essentially connected computers) have
been captured by vandals who are attacking my Linux Web site on a daily
basis. Who can I blame for this? I cannot contact the vandals and cannot
directly blame the owners of the computers. Their computers are devised as
weapons behind their backs. I can only argue that a faulty product from
Microsoft has led to DoS (Denial of Service) attacks on my site.
Is there any chance at all of getting compensation out of Microsoft or
whoever else bears guilt? Are they exempted from any responsibility for what
they unleash to the public? Like a car with faulty brakes?
I am aware that this current scenario crosses over to our rights online. Will
someone be able to give me advice nonetheless? The attacks have gone on
since the beginning of the month and show no signs of abatement. There is no
way of blocking them either. I am hopeless.
Thanks,
Roy
Peter Crosland
>You have no claim against Microsoft.
I'm not so sure. It's easily arguable that Microsoft have been
negligent for many years in selling software that is so easily
compromised and that their negligence has caused many hundreds of
millions of pounds/dollars in damage to hundreds of thousands of
individuals and companies.
I'd love to see someone try to sue them. Deep pockets would be
needed, of course :-(
Mike.
--
Entia non sunt multiplicanda praeter necessitatem
Whilst I am no apologist for Microsoft I think you are wrong. Exactly how is
anyone going to prove that the attack was not due to users being negligent
in applying patches and/or other appropriate security measures? A very
uphill struggle I suspect!
Peter Crosland
Best to pop round to Bill Gates' house with a baseball bat or better and have
a word with him.
>
> Thanks,
>
> Roy
The very fact that endless patches are necessary is an indication of
negligence on the part of Microsoft itself. It has released a large
amount of before-it-is-ready software, inadequately designed,
erratically implemented, and insufficiently tested. It is, therefore,
no surprise that weaknesses are found and exploited by random hackers.
If someone sells me crap, and demands that I hunt down the fixes, is it
then my fault if a newly-discovered crapness exposes me to a successful
attack? No, of course not. And that counts double if the fix isn't
even available. It's the vendor's fault, because he sold me the crap in
the first place. (And why did I buy the crap? What realistic
alternative did I have? In 1995, none. In 1998, for most consumer
desktop purposes, none. Now? Linux, maybe, depending on what you want
it for, and how much brain power you feel like applying to managing the
system.)
--
SteveR
(throw away the dustbin, send to stever@... instead)
Humans are way too stupid to be dumb animals.
http://www.accidentalcreditor.org.uk/
> (And why did I buy the crap? What realistic alternative did I have?
erm....not buy the crap. Nobody forced you to.
>Microsoft have admittedly released a flawed operating system.
<snip>
Although it breaks my heart to do so, I'll be fair to Microsoft.
IBM have their premier mainframe operating system, these days called
z/OS. It runs most of the biggest corporations. It's been developed,
tested, updated and improved continuously since 1964, when it was
introduced - it was OS/360 back then.
It *still* has flaws. Lots of them. So does every non-trivial piece of
software ever written. Live with it.
Mike
--
http://www.corestore.org
'As I walk along these shores
I am the history within'
>>>You have no claim against Microsoft.
>>
>> I'm not so sure. It's easily arguable that Microsoft have been
>> negligent for many years in selling software that is so easily
>> compromised and that their negligence has caused many hundreds of
>> millions of pounds/dollars in damage to hundreds of thousands of
>> individuals and companies.
>>
>> I'd love to see someone try to sue them. Deep pockets would be
>> needed, of course :-(
...which is something I do not have. No 'mom and pop' can ever sue Microsoft
for anything.
> Whilst I am no apologist for Microsoft I think you are wrong. Exactly how
> is anyone going to prove that the attack was not due to users being
> negligent in applying patches and/or other appropriate security measures? A
> very up hill struggle I suspect!
>
> Peter Crosland
That's what I imagined. That EULA would probably say that if the user does
patch up the product, he/she is fully responsible for the consequences.
Meanwhile, my site continues to get hammered and nobody in the world can
ever be held accountable.
Roy
> Peter Crosland <g6...@yahoo.co.uk> writes:
>>>>You have no claim against Microsoft.
>>>
>>> I'm not so sure. It's easily arguable that Microsoft have been
>>> negligent for many years in selling software that is so easily
>>> compromised and that their negligence has caused many hundreds of
>>> millions of pounds/dollars in damage to hundreds of thousands of
>>> individuals and companies.
>>>
>>> I'd love to see someone try to sue them. Deep pockets would be
>>> needed, of course :-(
>>
>>
>>Whilst I am no apologist for Microsoft I think you are wrong. Exactly how
>>is anyone going to prove that the attack was not due to users being
>>negligent in applying patches and/or other appropriate security measures? A
>>very up hill struggle I suspect!
>
> The very fact that endless patches are necessary is an indication of
> negligence on the part of Microsoft itself. It has released a large
> amount of before-it-is-ready software, inadequately designed,
> erratically implemented, and insufficiently tested. It is, therefore,
> no surprise that weaknesses are found and exploited by random hackers.
Some say that these patches come in every Tuesday. Microsoft have admitted
that they had built software in a poor and negligent manner:
http://online.wsj.com/article/0,,SB112743680328349448,00.html?mod=todays_us_page_one
<snip>
REDMOND, Wash. - Jim Allchin, a senior Microsoft Corp. executive, walked
into Bill Gates's office here one day in July last year to deliver a
bombshell about the next generation of Microsoft Windows.
'It's not going to work,' Mr. Allchin says he told the Microsoft
chairman. The new version, code-named Longhorn, was so complex its writers
would never be able to make it run properly.
The news got even worse: Longhorn was irredeemable because Microsoft
engineers were building it just as they had always built software.
Throughout its history, Microsoft had let thousands of programmers each
produce their own piece of computer code, then stitched it together into one
sprawling program. Now, Mr. Allchin argued, the jig was up. Microsoft needed
to start over.
</snip>
> If someone sells me crap, and demands that I hunt down the fixes, is it
> then my fault if a newly-discovered crapness exposes me to a successful
> attack? No, of course not. And that counts double if the fix isn't
> even available. It's the vendor's fault, because he sold me the crap in
> the first place. (And why did I buy the crap? What realistic
> alternative did I have? In 1995, none. In 1998, for most consumer
> desktop purposes, none. Now? Linux, maybe, depending on what you want
> it for, and how much brain power you feel like applying to managing the
> system.)
I suppose my bitterness stems from the fact that I never use any of
Microsoft's products. There is no hypocrisy. Yet, I continue to suffer from
a terribly flawed product that they have spread around the world. If a fleet
of cars with faulty brakes was sold to the public and led to an endless
number of car accidents (involving other motorists), would you blame the car
owners for not mending the brakes? It doesn't matter if the manufacturer
/unknowingly/ let these faulty cars be out 'in the wild'.
Roy
Would that stop the DoS attacks? Would it give Microsoft the incentive to do
something on the matter...?
Microsoft have not even apologised. From what I hear, such hijacked machines
are also used to deliver spam by the millions, from untraceable IP
addresses. It is not only me who is affected; it is anyone who uses E-mail.
Roy
> It's the vendor's fault, because he sold me the crap in the first
> place. (And why did I buy the crap? What realistic alternative did
> I have? In 1995, none.
In 1995 there was an alternative - OS/2. This not only ran its own
applications but also Windows ones, in many cases better than Windows
itself did.
>Would that stop the DoS attacks? Would it give Microsoft the incentive to do
>something on the matter...?
>
>Microsoft have not even apologised. From what I hear, such hijacked machines
>are also used to deliver spam by the millions, from untraceable IP
>addresses. It is not only me who is affected; it is anyone who uses E-mail.
Estimates of the numbers of compromised Windows machines on the
Internet seem to have given up counting after ten million.
I honestly don't see a solution other than disconnecting all Windows
machines from the Net by international treaty. It's not feasible, of
course, but there's no practical solution.
> On Mon, 31 Oct 2005 02:39:50 +0000, Roy Schestowitz
> <newsg...@schestowitz.com> wrote:
>
>>Would that stop the DoS attacks? Would it give Microsoft the incentive to
>>do something on the matter...?
>>
>>Microsoft have not even apologised. From what I hear, such hijacked
>>machines are also used to deliver spam by the millions, from untraceable IP
>>addresses. It is not only me who is affected; it is anyone who uses E-mail.
>
> Estimates of the numbers of compromised Windows machines on the
> Internet seem to have given up counting after ten million.
Some of the spammers have accumulated armies of 100,000 zombies or more. They
either use them for E-mail spam or DoS attacks. Some suggest that the
zombies are also used to fool Google's AdSense program (reference on
demand). This essentially means that companies which advertise have their
investment go down the drain while many unique IPs reach their site in
vain.
> I honestly don't see a solution other than disconnecting all Windows
> machines from the Net by international treaty. It's not feasible, of
> course, but there's no practical solution.
>
> Mike.
/Somebody/ has got to work /something/ out. I can't carry on like this and I
know others who suffer much like myself. If no solution is found soon, I can
envision people practically taking their baseball bats and flying off to
Redmond.
Roy
Which particular OS version and exploit are you thinking of?
--
PeteM
See below:
http://www.eweek.com/article2/0,1895,1879102,00.asp
<snip>
Updated: Security researchers highlight more errors in Microsoft's
patch creation process and warn that the mistakes are proving costly
for users.
It's being called the "story of a dumb patch."
A private security research firm has published an advisory with details
on a fundamental mistake made by Microsoft Corp. that caused a security
patch to ship without an adequate fix for the flaw it was meant to
address.
</snip>
Does it not fall under the heading "negligence"?
Also see this research paper (PDF):
http://argeniss.com/research/MSBugPaper.pdf
The log files confirm that all attacks are Windows machines. That information
is held in one of the fields, which one would assume has not been spoofed by
so many machines across the world.
Thanks for the help,
Roy
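Roy's log files are the only evidence named in the thread, so here is an added example (not code from any poster) of the kind of check a site operator would run: it parses Apache combined-format lines, tallies requests per client IP, reads the operating system off the User-Agent field and flags IPs whose burst rate suggests flooding. The log lines and the 60-second/3-request threshold are constructed for illustration, and because the User-Agent is supplied by the client, the OS breakdown is only as honest as the clients sending it.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [timestamp] "request" status bytes
# "referer" "user-agent".  The last field is the one that names the client OS.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, not anyone's real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Oct/2005:02:39:50 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [31/Oct/2005:02:39:51 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [31/Oct/2005:02:39:52 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [31/Oct/2005:02:39:53 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
192.0.2.44 - - [31/Oct/2005:02:40:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.12) Gecko/20050922 Firefox/1.0.7"
192.0.2.44 - - [31/Oct/2005:02:40:15 +0000] "GET /style.css HTTP/1.1" 200 300 "http://example.invalid/index.html" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.12) Gecko/20050922 Firefox/1.0.7"
"""


def os_family(ua):
    """Coarse OS guess from the User-Agent string. Client-supplied, so spoofable."""
    ua_l = ua.lower()
    if "windows" in ua_l:
        return "Windows"
    if "linux" in ua_l:
        return "Linux"
    if "mac os" in ua_l or "macintosh" in ua_l:
        return "Mac"
    return "Other/unknown"


def parse_log(text):
    """Return one dict per well-formed combined-format line; skip anything else."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: ignore rather than guess
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def summarise(records, window_seconds=60, threshold=3):
    """Count requests per IP and per OS, and flag IPs that send `threshold`
    or more requests inside any sliding window of `window_seconds`."""
    per_ip = Counter(r["ip"] for r in records)
    per_os = Counter(os_family(r["ua"]) for r in records)
    times = defaultdict(list)
    for r in records:
        times[r["ip"]].append(r["time"])
    flagged = set()
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            # shrink the window from the left until it spans <= window_seconds
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return {"per_ip": per_ip, "per_os": per_os, "flagged": sorted(flagged)}


if __name__ == "__main__":
    s = summarise(parse_log(SAMPLE_LOG))
    print("requests per OS:", dict(s["per_os"]))
    print("distinct client IPs:", len(s["per_ip"]))
    print("IPs flagged for bursting:", s["flagged"])
```

On a real log the useful signal is the number of distinct flagged IPs rather than any single one, since a zombie flood shows up as many low-rate sources; per-IP blocking then helps little, which matches the poster's experience.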
>> number of car accidents (involving other motorists), would you blame the car
>> owners for not mending the brakes? It doesn't matter if the manufacturer
>> /unknowingly/ let these faulty cars be out 'in the wild'.
>>
That's not a good analogy, because it completely ignores that there is
a malicious third party involved, who in your analogy would be
deliberately tampering with the brakes. Nobody here seems to be blaming
the hackers, who have been a thorn in the side of the computer
business since before Windows was invented. Anyone here read The
Cuckoo's Egg?
Anyway, if you want a better car analogy there is a real life one. Many
people are run down and killed or injured every year by stolen cars.
The car industry knows that car theft is a problem and while they are
gradually improving car security, the problem remains.
Has anyone ever tried to sue a motor manufacturer because they didn't
prevent their product being stolen and used to injure someone? (serious
question).
TWJ
How about fighting fire with fire? Release a virus that will affect
*only* compromised PC's. On such a machine, the virus brings a popup
every 10 minutes to inform the user that the PC is compromised, and
gives instructions as to how to remove & protect the PC. If no action
after a few days, it either removes the malevolent code or blocks all
access to the Internet.
--
Cynic
That sounds like an excellent idea, but will you ever have the consent from a
large corporation to do that to its customers? I suppose they could argue
that prompts which urge the user to get patches do exactly that.
The initiative must come from the ISP. I know we can disconnect users in our
network if their computers have been demonstrated to be scanning ports, thus
attempting to infect more machines. Can the same be applied to hijacked
computers? And if so, is it at all detectable?
To solve the problem globally (as the Internet is not a /local/ network)
could you ever woo every ISP to hop aboard the same initiative? We mustn't
forget that it's enough to have one country with 100,000 flawed PCs to make
a bitter existence for the remainder of the World Wide Web.
Roy
Yes.
>Would it give Microsoft the incentive to do
> something on the matter...?
Yes provided you break every bone in his body, I can guarantee that.
>
> Microsoft have not even apologised. From what I hear, such hijacked
> machines are also used to deliver spam by the millions, from untraceable IP
> addresses. It is not only me who is affected; it is anyone who uses
> E-mail.
Gates needs to be 'incentivised'. (or incinerated)
>
> Roy
>> How about fighting fire with fire? Release a virus that will affect
>> *only* compromised PC's. On such a machine, the virus brings a popup
>> every 10 minutes to inform the user that the PC is compromised, and
>> gives instructions as to how to remove & protect the PC. If no action
>> after a few days, it either removes the malevolent code or blocks all
>> access to the Internet.
>That sounds like an excellent idea, but will you ever have the consent from a
>large corporation to do that to its customers? I suppose they could argue
>that prompts which urge the user to get patches do exactly that.
Who said anything about getting consent? I said fight fire with fire.
The virus gets on their PCs in the same way that they were originally
compromised - without consent. Yes, I am fully aware that it would be
illegal.
>The initiative must come from the ISP. I know we can disconnect users in our
>network if their computers has been demonstrated to be scanning ports, thus
>attempting to infect more machines. Can the same be applied to hijacked
>computers? And if so, is it at all detectable?
AFAIK all ISPs are entitled to disconnect a customer if that
customer's PC is doing something against their T&Cs. Which sending
spam email usually would be.
--
Cynic
When I tried to view this article, it produced an alert box inviting me
to fill in a survey form. When I clicked the "Cancel" button, the
article text was deleted from my screen. Wonderful.
Eventually I managed to reload the page, but it turned out I couldn't
understand a single sentence of the article. For example "The original
patch was meant to address a denial-of-service flaw on CSRSS
(Client/Server Runtime Server Subsystem), the user-mode part of the
Win32 subsystem." You what?
If this is how people who are trying to *improve* software reliability
design their websites, then God help us.
--
PeteM
> On Mon, 31 Oct 2005 14:58:44 +0000, Roy Schestowitz
> <newsg...@schestowitz.com> wrote:
>
>>> How about fighting fire with fire? Release a virus that will affect
>>> *only* compromised PC's. On such a machine, the virus brings a popup
>>> every 10 minutes to inform the user that the PC is compromised, and
>>> gives instructions as to how to remove & protect the PC. If no action
>>> after a few days, it either removes the malevolent code or blocks all
>>> access to the Internet.
>
>>That sounds like an excellent idea, but will you ever have the consent from
>>a large corporation to do that to its customers? I suppose they could argue
>>that prompts which urge the user to get patches do exactly that.
>
> Who said anything about getting consent? I said fight fire with fire.
> The virus gets on their PCs in the same way that they were originally
> compromised - without consent. Yes, I am fully aware that it would be
> illegal.
Yes, I know, but this is uk.legal, is it not? Besides, it is morally wrong
to take the law (or one's computer) into your own hands.
>>The initiative must come from the ISP. I know we can disconnect users in
>>our network if their computers has been demonstrated to be scanning ports,
>>thus attempting to infect more machines. Can the same be applied to
>>hijacked computers? And if so, is it at all detectable?
>
> AFAIK all ISPs are entitled to disconnect a customer if that
> customer's PC is doing something against their T&Cs. Which sending
> spam email usually would be.
Try to tell every ISP to metaphorically 'pull those knobs' rather than turn a
blind eye. People are lazy by nature, unless there is compromise or risk or
threat involved.
Notice the suffix in the Web address. It is ASP, which is Microsoft's attempt
to embrace, extend and extinguish Apache (/Linux) servers, as well as PHP,
CGI and the like.
I have always complained about downtime, reliability (or lack of it) and
speed of Microsoft-powered sites. For this very same reason, I am always
reluctant to cite them. Any respectable governmental site runs on Linux or
Solaris and does not suffer from these problems. One thing they are not
immune to however: DoS attacks that are carried out by armies of hijacked
Windows boxes.
...checking my logs again and no signs of abatement... over 1,000 attacks
yesterday... going strong for over 3 weeks now...
...hopeless... *sigh*
Roy
> The news got even worse: Longhorn was irredeemable because Microsoft
> engineers were building it just as they had always built software.
> Throughout its history, Microsoft had let thousands of programmers each
> produce their own piece of computer code, then stitched it together into one
> sprawling program.
That's how *all* non-trivial software is written, dingbat.
marc
> Would that stop the DoS attacks? Would it give Microsoft the incentive
> to do something on the matter...?
What makes you think that DoS attacks are only mounted from Windows
systems? The only reason you see so many is because many users are
halfwits who will run any attachment or click on any link they are sent.
marc
Watch your mouth please. These were not my words. They came from an article,
which I happen to agree with.
Microsoft often portray the Linux development 'model' as one which involves
many 'cowboys' building standalone components. Prior to this revelation, it
was assumed that Microsoft used their vast resources to build software in a
more principled manner rather than compose 'code spaghetti'.
Since software such as Windows was admittedly not modular (a Windows
developer said this to me), it was difficult to detect all these possible
loopholes. Thus, nowadays people are forced to patch up Windows very
frequently and are still susceptible to attacks via routes that have not
yet been explored or realised.
Roy
>> Who said anything about getting consent? I said fight fire with fire.
>> The virus gets on their PCs in the same way that they were originally
>> compromised - without consent. Yes, I am fully aware that it would be
>> illegal.
>Yes, I know, but this is uk.legal, is it not?
And? Nothing says I cannot speculate about illegal activities.
> Besides, this is morally wrong
>to take the law (or one's computer) into your own hands.
If it ends up having an enormous benefit with zero harm being done, I
don't see how it could be called immoral. I do not equate the law
with morality (though they intersect quite substantially).
I was simply thinking up a *pragmatic* solution to the problem posed.
People already have the means to detect and remove zombies and other
malware, but it is evident that there are many people who cannot or
will not do so.
--
Cynic
> >> The news got even worse: Longhorn was irredeemable because Microsoft
> >> engineers were building it just as they had always built software.
> >> Throughout its history, Microsoft had let thousands of programmers each
> >> produce their own piece of computer code, then stitched it together into
> >> one sprawling program.
> >
> > That's how *all* non-trivial software is written, dingbat.
>
> Watch your mouth please. These were not my words. They came from an article,
> which I happen to agree with.
It's your agreement with which I am taking issue. How do you think large
software projects are written? How do you think large software projects
*should* be written?
> Microsoft often portray the Linux development 'model' as one which involves
> many 'cowboys' building standalone components. Prior to this revelation, it
> was assumed that Microsoft used their vast resources to build software in a
> more principled manner rather than compose 'code spaghetti'.
Where do Microsoft 'often portray' this about Linux?
marc
> In article <dk6vaj$13nj$1...@godfrey.mcc.ac.uk> newsg...@schestowitz.com
> wrote...
>
>> >> The news got even worse: Longhorn was irredeemable because Microsoft
>> >> engineers were building it just as they had always built software.
>> >> Throughout its history, Microsoft had let thousands of programmers each
>> >> produce their own piece of computer code, then stitched it together
>> >> into one sprawling program.
>> >
>> > That's how *all* non-trivial software is written, dingbat.
>>
>> Watch your mouth please. These were not my words. They came from an
>> article, which I happen to agree with.
>
> It's your agreement with which I am taking issue. How do you think large
> software projects are written? How do you think large software projects
> *should* be written?
Okay, fair enough.
Software should be written to become more cohesive by using specifications,
use cases and smarter ahead-planning. If an operating system permitted
access and full control to any hacker in the world, something had
definitely gone rotten. If even a patch was incomplete, it is then
negligence.
>> Microsoft often portray the Linux development 'model' as one which
>> involves many 'cowboys' building standalone components. Prior to this
>> revelation, it was assumed that Microsoft used their vast resources to
>> build software in a more principled manner rather than compose 'code
>> spaghetti'.
>
> Where do Microsoft 'often portray' this about Linux?
Public speaking and word-of-mouth can be just as damaging as one would
expect. While it's true that several obscure applications have been coded in
somebody's garage, the core (kernel) is carefully administered and tested
by professionals. That is not what anti-Linux campaigns would have you
believe though.
Yesterday, for the first time in ages, the extent of the zombie attacks
seems to have decreased. I hope it's not merely a one-off.
Roy
> > It's your agreement with which I am taking issue. How do you think large
> > software projects are written? How do you think large software projects
> > *should* be written?
>
> Okay, fair enough.
>
> Software should be written to become more cohesive by using specifications,
> use cases and smarter ahead-planning.
And what do you *know* that shows that Microsoft *don't* do this?
(Notice the use of the word 'know')
> If an operating system permitted
> access and full control to any hacker in the world, something had
> definitely gone rotten. If even a patch was incomplete, it is then
> negligence.
And if we invent glass that allows hooligans to break it then I suppose
something has also gone rotten in the glassmaking industry.
> >> Microsoft often portray the Linux development 'model' as one which
> >> involves many 'cowboys' building standalone components. Prior to this
> >> revelation, it was assumed that Microsoft used their vast resources to
> >> build software in a more principled manner rather than compose 'code
> >> spaghetti'.
> >
> > Where do Microsoft 'often portray' this about Linux?
>
> Public speaking and word-of-mouth can be just as damaging as one would
> expect.
Yeah. Great. Sure. I asked you 'where'. You appear to be unable to back
up your words with any kind of evidence. 'Word of mouth'...give me a
*break*!
marc