We’re well and deep into April 1 now, and if you were to believe some of the reports and hype on the internet, we should’ve all been paying in bottle caps right about now. As any sane person already saw coming, the Windows worm Conficker didn’t do anything. It just kind of sat there, patiently mocking all those who did not update their machines properly.
The Conficker.c variant had an activation date of April 1, 2009, and naturally, people were curious as to what exactly it would activate. April 1 is well under way now, even 12:00 GMT has passed, and it’s a bit of a letdown. Thanks to all the doom and gloom media reports, I was expecting a total meltdown of society. I had been saving up bottle caps for months now, and easily have enough of them to buy some leather armour and a Chinese assault rifle. I guess I’ll keep them just in case there’s going to be yet another meltdown of society.
Joking aside, what exactly has Conficker.c done so far? Well, not a whole lot. The earlier variants of the worm (a and b) haven’t changed their behaviour at all, and the c variant only increased the number of domains it polled for possible update locations. It hasn’t sent any spam, nor has it partaken in any denial-of-service attacks. In other words, nothing has happened.
Still, this doesn’t mean that the problems are gone. There are still between 1 and 4 million infected machines out there because of people who failed to keep their machines up-to-date (even after news of the worm became known), and those need to be cleaned up. With the increase in the number of domains polled for updates, this process has become a little harder.
What can we learn from all this? Well, if you still need to learn something from this, you haven’t been paying attention for the past, say, 9 years. The internet is a source of viruses, worms, and malware, and Windows has been particularly receptive to them. The situation has improved greatly since Windows Vista, though. The key to avoiding these problems is to use another operating system, or at least to keep Windows up-to-date. Expletive deleted.
The security hole exploited by Conficker and its variants was already patched before the worm got out, which means that if you were a good boy or girl, and kept your machines up-to-date, you had nothing to fear. However, thanks to the laxness of other people, we are now facing a pretty huge botnet that could be used for anything from sending spam to performing DoS attacks.
Apparently, among those lax people are several government agencies. The UK Ministry of Defence has been infected, including a number of Royal Navy warships, as have the UK’s parliament, a Sheffield hospital, the judicial systems in the city of Houston, and the Bundeswehr (that’s the German army).
Doesn’t it feel comfortable to have your government watch over you?
A BBC article summed it up nicely:
http://news.bbc.co.uk/1/hi/technology/7976099.stm
Edited 2009-04-01 14:14 UTC
Couldn’t we just apply his response to Symantec’s own software? It seems more like exploits than upstanding utilities most of the time. I don’t know of any other software that could be labeled as crashware so readily.
Aside from a lame April Fools “OMG the world is going to end” virus (Y2K anyone?) there could be more to it.
Yesterday marked the last day of the financial quarter. Anti virus companies are hurting just like any other industry. What would be a better way to get a bunch of people to help pad your bottom line for that quarter than a big scare to get them to buy new antivirus licences? “There’s nothing like a war to end a depression.” This wouldn’t be the first time something like this has happened, I doubt it will be the last.
Perhaps doing nothing was the April Fools joke in itself?
Nope. Windows security is the real joke. This is not an April 1st joke, this is an ongoing joke.
If people had patched their systems in October, when the patch came out, then the worm wouldn’t exist. This is not a problem with Windows security, it’s a user problem.
Every system gets security updates. Repeat it now:
EVERY SYSTEM GETS SECURITY UPDATES.
If you keep spouting nonsense, it’ll be you that looks like the joke.
Listen BlownoseJoke,
Blaming the users for the holes in Windows security is lame. Why are there holes in the security in the first place?
“Blaming the users for the holes in Windows security is lame. Why are there holes in the security in the first place?”
Because the source code is not open to allow people to improve it…..
Allowing idiots to use Windows is like giving car keys to drunk drivers. (they damage themselves and others…..)
Because bug-free code is impossible to write. Only agencies like NASA can write bug-free code, but that does mean that in the hypothetical case NASA were to write a general-purpose operating system, it would cost upward of 10000 EUR per copy – probably a hell of a lot more.
We are modding you down because you have absolutely no idea what you’re talking about. Starting with Windows Vista (and to a lesser extent, XP SP2) Windows is a pretty damn secure operating system. The only recent case of massive failure is this Conficker thing, which doesn’t count since it only affects unpatched systems.
Satan666, I know you are the person who systematically mods down almost each and every one of my posts, we have insights into those things, you know. It’s kind of funny that you complain about being modded down while you yourself abuse our system so thoroughly.
What makes you think NASA writes bug-free code? They just test their code, have some redundancy in their systems, and don’t have to put up with malicious users.
I’ve been following NASA lately. There’s some really exciting stuff going on. For example, the Kepler mission is going to give us a remarkably reliable statistical map of “Earth-like” planets in their stars’ “habitable zones” in just 3 or 4 years. But… as Thom asserts… it’s not bug-free code[1]:
http://www.nasa.gov/mission_pages/kepler/news/keplerm-20090330.html
My assertion is that software projects, including those at Microsoft (and yeah, Mozilla), have come to expect that we won’t roast them for being careless. (Hell, we heap praise upon Mozilla for being careless… after they release the fix.) And the more lax we become in our insistence upon quality, the more lax they will become in their development and release practices.
I used to despise DJ Bernstein and his attitudes. These days I’m not so sure.
[1] It is, however, well thought out and resilient.
Edited 2009-04-01 19:24 UTC
Some of it is not just carelessness. Security bugs usually arise when people have subtle misconceptions about the contracts of the functions they call (or the functions are misspecified). You really can’t get anything done if you spend all of your time reading every callgraph down to its leaves.
Microsoft (particularly the Windows team) tries its hardest to catch all of these security defects by banning certain unsafe standards, by encoding the contracts in a static annotation language that is checked by machine before code is allowed into the main branches, and by fuzzing and heavily reviewing parsers, protocols, and externally-facing code. It’s still possible to miss something, however.
I wish DJB luck in ‘putting the security industry out of business.’ I’m afraid though that to truly do that, we’d need to ensure that all network-facing software is written by a small cadre of uber-programmers, reviewed by another set of uber-programmers, and fuzzed/tested extensively. Even if you can get Linux and Windows written by those kinds of people, you still need to deal with the third-party and LOB applications of the world who don’t have the same incentives and resources.
I assume that your irony levels are somewhat on the high level there!?
Why are there security holes in Debian? Fedora? OS X?
Because all operating systems have holes, and all need patches. Believing that Windows is the only OS with security holes and patches issued is what’s lame. Here are some pages. Read them and become at least a little knowledgeable:
List of recent security updates for Debian Stable:
http://www.debian.org/security/
Fedora 8:
https://admin.fedoraproject.org/updates/
OS X:
http://support.apple.com/kb/HT1222
FreeBSD:
http://www.freebsd.org/security/advisories.html
Windows:
http://www.microsoft.com/protect/computer/updates/bulletins/default…
Oh, and please, grow up. I didn’t call you any names, I just yelled some common sense at you.
And for fun
OpenBSD (the uber secure OS)
http://www.openbsd.org/security.html