A Conversation for How to Recover a Crashed Windows PC

Easier Way to Recover Your PC

Post 1

Maolmuire

Set your BIOS to boot from the CD-ROM drive, then insert your Linux installation disc one and reboot...

Hee hee, I couldn't resist that one!


Easier Way to Recover Your PC

Post 2

Caveman, Evil Unix Sysadmin, betting shop operative, and SuDoku addict (Its an odd mix, but someone has to do it)

To be expected..

Windows has its place. Being connected to the internet is not it. We could have had an outbreak of W32/Mimail@MM today; we didn't, but I know where it will come from.

A virus outbreak will come not from the non-technical people who have Windows PCs running Office, as their machines are secured because I keep them up-to-date and well firewalled.

It will come from the technical Windows developers who turn their virus killers off because they slow the machine down too much. The people who think they know more about their system than the network admins, and consequently don't bother installing security updates because they think that they are immune. The same people who are probably downloading and executing random precompiled binaries from who-knows-where dot com, and giving them unfettered access to a network of potentially sensitive information.

In the (vain) hope that any of our development team are reading this, you know who you are. When you bring the network to its knees, your resident BOFH will be there, waiting for you. Unpleasantness will occur, you have my word on that.

Caveman Jim
An insane linux hacker, bookmaker, and C-junkie.


Easier Way to Recover Your PC

Post 3

Pezvi

Good point, but the outbreaks will also come from the willfully clueless people who think, "Well, I know the last dozen times I've opened an attachment it's been a virus, and all the computer people tell me every time to never open these attachments, but this time... I bet it'll be ok."

As far as up to date and firewalled, you can only do so much. Unless you're pushing out new virus definitions by the minute (and even then you can get hit before the def's are created) and your firewall blocks every port (in which case you might as well not be connected at all), you're going to run into problems eventually. Even scanning email as it comes into the server doesn't always work that well.

From one Unix admin to another, I can sympathize. And they wonder why we haven't installed the latest, greatest version of whatever... yeah, we'll get right on that after we finish sending the 100th copy of the "Do not open attachments" broadcast email.


Easier Way to Recover Your PC

Post 4

Caveman, Evil Unix Sysadmin, betting shop operative, and SuDoku addict (Its an odd mix, but someone has to do it)

Among the tricks pulled on the mail server are the following:

Mail to users of executable types (.EXE, .COM, .PIF, .SCR, and various other extensions) is renamed to .TXT
All attachments are checked against the latest virus definitions which we update every few hours
Various Content-Type: and Content-Location: headers are checked. Anything which doesn't match what the scripts expect is bounced to an admin to examine and either forward or delete.
Spam filtering, using the Spamhaus SBL and SpamAssassin, is very aggressive. We get a few false positives, but they stand out in the trash list and get whitelisted eventually. About 80% of our mail is spam and/or virus code.
I have some scripts running on my Linux boxes here looking for writable Windows directories on shared drives. When I find them, the first action is to insert a text file into \Windows\Start Menu\Programs\Startup (or whatever) which will display messages along the lines of 'I could have been a virus. You will do this, NOW, to secure your box'. If it's not fixed in a week, I start renaming Windows directories to C:\INSECURE and other nasty things that are trivial to fix, but annoying enough to force users not to share their drives in an insecure fashion.
Finally, we seem to be blessed with (some) users who ask us questions if they are suspicious. (See comments in previous post)

I also actively pursue any cracking/relaying/proxying attempts being made from outside; many an idiot has been caught that way.
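The first three items of the list above (rename executable attachments to .TXT, check the Content-Type and Content-Location headers, hold anything unexpected for an admin) as an added, runnable illustration. This is not the poster's script; the extensions beyond the four named, the allow-list of Content-Types, and the sample message are assumptions constructed for the example. It uses only the Python standard library.

```python
"""Gateway-side attachment filter in the spirit of the post: executable
attachments are renamed to .txt and parts with headers the gateway does
not expect are held for an admin.  Added example, not the poster's code."""
from __future__ import annotations

import email
import email.policy
from email.message import EmailMessage

# The post names .EXE, .COM, .PIF and .SCR; the rest of this set is assumed.
EXEC_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js"}

# Assumed allow-list of Content-Types the gateway passes without review.
EXPECTED_CONTENT_TYPES = {
    "text/plain", "text/html", "application/pdf",
    "image/png", "image/jpeg", "application/octet-stream",
}


def _extension(filename: str) -> str:
    """Last extension, lower-cased.  Trailing dots and spaces are stripped
    first because Windows ignores them when deciding how to open a file."""
    stem = filename.lower().rstrip(". ")
    return "." + stem.rsplit(".", 1)[1] if "." in stem else ""


def neutralise_executables(msg: EmailMessage) -> list[str]:
    """Rename executable attachments in place (invoice.exe -> invoice.exe.txt)
    so a double-click no longer runs them.  Returns the original names."""
    renamed = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and _extension(name) in EXEC_EXTENSIONS:
            new_name = name + ".txt"
            # Same call the stdlib itself uses when it sets a filename.
            part.set_param("filename", new_name,
                           header="Content-Disposition", replace=True)
            if part.get_param("name") is not None:   # legacy name= on Content-Type
                part.set_param("name", new_name, replace=True)
            renamed.append(name)
    return renamed


def unexpected_parts(msg: EmailMessage) -> list[str]:
    """Reasons to hold the message for an admin instead of delivering it."""
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype not in EXPECTED_CONTENT_TYPES:
            reasons.append(f"unexpected Content-Type {ctype}")
        if "Content-Location" in part:
            reasons.append("Content-Location header present")
        name = part.get_filename()
        if name and _extension(name) == ".pdf" and ctype != "application/pdf":
            reasons.append(f"{name} declared as {ctype}")
    return reasons


def filter_message(raw: str) -> tuple[EmailMessage, list[str], list[str]]:
    """Parse a raw message and apply both checks; returns (msg, renamed, reasons)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    renamed = neutralise_executables(msg)
    return msg, renamed, unexpected_parts(msg)


# Constructed sample: an .exe attachment and a "PDF" carrying the wrong type.
SAMPLE = """\
From: payroll@example.invalid
To: someone@example.invalid
Subject: Your invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached files.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1
Content-Type: application/x-msdownload; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    msg, renamed, reasons = filter_message(SAMPLE)
    print("renamed:", renamed)          # ['invoice.exe']
    print("hold for admin:", reasons)
```

Renaming rather than stripping keeps the evidence for the admin, and the check on the last extension after stripping trailing dots and spaces is what stops `invoice.pdf.exe` and `invoice.exe.` from slipping past a naive `endswith(".exe")`.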


Easier Way to Recover Your PC

Post 5

Caveman, Evil Unix Sysadmin, betting shop operative, and SuDoku addict (Its an odd mix, but someone has to do it)

Among the tricks pulled on the mail server are the following:

Mail to users of executable types (.EXE, .COM, .PIF, .SCR, and various other extensions) is renamed to .TXT
All attachments are checked against the latest virus definitions which we update every few hours
Various Content-Type: and Content-Location: headers are checked. Anything which doesn't match what the scripts expect is bounced to an admin to examine and either forward or delete.
Spam filtering, using the Spamhaus SBL and SpamAssassin, is very aggressive. We get a few false positives, but they stand out in the trash list and get whitelisted eventually. About 80% of our mail is spam and/or virus code.
I have some scripts running on my Linux boxes here looking for writable Windows directories on shared drives. When I find them, the first action is to insert a text file into \Windows\Start Menu\Programs\Startup (or whatever) which will display messages along the lines of 'I could have been a virus. You will do this, NOW, to secure your box'. If it's not fixed in a week, I start renaming Windows directories to C:\INSECURE and other nasty things that are trivial to fix, but annoying enough to force users not to share their drives in an insecure fashion.
Finally, we seem to be blessed with (some) users who ask us questions if they are suspicious. (See comments in previous post)

I also actively pursue any cracking/relaying/proxying attempts being made from outside; many an idiot has been caught that way.


Easier Way to Recover Your PC

Post 6

Caveman, Evil Unix Sysadmin, betting shop operative, and SuDoku addict (Its an odd mix, but someone has to do it)

Hmm. Why do I say everything twice? Why do I say everything twice? Why do I say everything twice?


Easier Way to Recover Your PC

Post 7

Pezvi

You've got some pretty aggressive strategies you're using. I only wish we could do the same, but with 19,000 users it's just not possible to do things like bounce every suspicious message to an admin. Where I work, we can scan a machine and look for vulnerabilities, but could face criminal charges for actually intruding (so putting text files in the Start menu is out for us).

We filter based on attachment types, mailing behaviour, spam probability, and RBLs. Funny, the false positives are the least of our RBL worries... what usually causes us grief is when the RBL's DNS server is down for an hour or two. Great choice: either we can jam up our gateways and run out of space, or skip an RBL and let stuff through.

There's only so much we can do to buffer ourselves. No matter what barriers we have in place, something will get through at some point. The strongest defense we'll ever have is user education. If people would stop being careless there'd be far fewer problems... and there wouldn't be any of the really stupid problems.
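The RBL dilemma in the post above (zone unreachable: queue and fill up, or skip the list and let mail through) as an added example, not the poster's gateway code. It keeps "not listed" (NXDOMAIN) separate from "lookup failed" (timeout, SERVFAIL) so the gateway can pick a policy for the failed case explicitly; the zone names, the resolver table and the outage marker are placeholders constructed for this illustration.

```python
"""DNSBL lookup that keeps "not listed" separate from "lookup failed", so
the gateway can choose what to do when the zone's DNS is unreachable.
Added example, not the poster's setup; zone names and sample data are
placeholders constructed for this illustration."""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable

# name -> A records.  Raises LookupFailed when the zone could not be queried.
Resolver = Callable[[str], list[str]]

LISTING_NET = ipaddress.ip_network("127.0.0.0/8")   # DNSBLs answer in this range


class LookupFailed(Exception):
    """Timeout, SERVFAIL or network error: the zone gave no answer at all."""


def rbl_query_name(ip: str, zone: str) -> str:
    """Reverse the address and append the zone (IPv4 octets, IPv6 nibbles)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def rbl_check(ip: str, zone: str, resolve: Resolver) -> tuple[str, str | None]:
    """Return ("listed", code), ("clean", None) or ("unknown", None)."""
    try:
        answers = resolve(rbl_query_name(ip, zone))
    except LookupFailed:
        return "unknown", None
    # Anything outside 127/8 is not a listing (wildcarded or hijacked zone).
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTING_NET]
    return ("listed", codes[0]) if codes else ("clean", None)


def gateway_decision(verdict: str, when_unknown: str = "defer") -> str:
    """Map a verdict to an SMTP action.  'unknown' is the post's dilemma:
    'open' lets mail through, 'closed' bounces it, 'defer' answers 4xx so
    the sender retries once the zone is reachable again."""
    if verdict == "listed":
        return "reject"      # 5xx
    if verdict == "clean":
        return "accept"
    return {"open": "accept", "closed": "reject", "defer": "tempfail"}[when_unknown]


def system_resolver(name: str) -> list[str]:
    """Live resolver (not exercised offline).  glibc reports NXDOMAIN as
    EAI_NONAME; other gaierror codes such as EAI_AGAIN mean the lookup failed."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise LookupFailed(str(exc)) from exc
    return sorted({info[4][0] for info in infos})


# Constructed table standing in for DNS; *.down.example simulates an outage.
SAMPLE_TABLE = {
    "4.3.2.1.sbl.example": ["127.0.0.2"],
    "9.8.7.6.sbl.example": ["10.0.0.1"],   # bogus answer, treated as clean
}


def fake_resolver(table: dict[str, list[str]]) -> Resolver:
    def resolve(name: str) -> list[str]:
        if name.endswith(".down.example"):
            raise LookupFailed("timeout")
        return table.get(name, [])
    return resolve


if __name__ == "__main__":
    resolve = fake_resolver(SAMPLE_TABLE)
    for ip, zone in [("1.2.3.4", "sbl.example"), ("5.5.5.5", "sbl.example"),
                     ("1.2.3.4", "down.example")]:
        verdict, code = rbl_check(ip, zone, resolve)
        print(ip, zone, verdict, code, "->", gateway_decision(verdict))
```

A 4xx temporary failure is the usual third way out of the "queue or skip" choice: the sending MTA holds the message and retries, so the gateway neither fills its spool nor waives the check. The 127/8 filter matters because a lapsed or wildcarded zone can suddenly answer every query with an address, which would otherwise reject all inbound mail.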


Easier Way to Recover Your PC

Post 8

Caveman, Evil Unix Sysadmin, betting shop operative, and SuDoku addict (Its an odd mix, but someone has to do it)

> criminal charges for actually intruding (so putting text files in the Start menu is out for us)

I work on the basis that the company network is my responsibility, and that if you, the user, are making it insecure, then it's my job to get you to secure it.

> The strongest defense we'll ever have is user education

There are many members of the monastery that will disagree with you there (unless they read 'education' as 'eradication') but if it's any comfort, I agree. Those that won't be educated should be treated with the same level of care as someone who isn't educated (i.e. sandboxed).

If only I could wean the users off Outbreak Express, Thursdays would be a lot quieter (MS security alerts always arrive on Thursdays, which is kind of weird. Bugs don't wait until a particular day to rear their tentacles..)


Easier Way to Recover Your PC

Post 9

Pezvi

I'm in a somewhat special work environment, so breaking into machines quickly gets one into serious legal problems (even if I'm the one doing it in order to secure our network). I'm not talking about the company pressing charges here, I'm talking about violations of federal law. Thanks to the latest federal regulations we're in the insane position of making sure our systems are accessible to the public while preventing the public from accessing our systems... Joseph Heller would be proud.

I trust by "sandbox" you mean "not allowed to own or operate a computer".


Easier Way to Recover Your PC

Post 10

Caveman, Evil Unix Sysadmin, betting shop operative, and SuDoku addict (Its an odd mix, but someone has to do it)

> making sure our systems are accessible to the public while preventing the public from accessing our systems

Are you sure you don't work for local government in the UK?

DANGER! - Rant mode has been engaged. You have five seconds to reach minimum safe distance

. . . . . Too late..

I have just finished writing some code on a windows box which has driven me past the edge of insanity. That's it! I am going to have to kill someone. I'll start with the crazy person who designed the winsock API.

I had been using GCC with Cygwin on the windows box, mainly because it seems to have a functioning select() routine, and opening a serial port at 9600 baud, 8 bits, even parity, 1 stop bit didn't involve much more than an open(), tcgetattr(), twiddle-some-bits, and a tcsetattr(). The windows API method was truly horrible.

Now, what utter maniac takes a perfectly normal bit of C, like foo = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); and not only makes the programmer run the gauntlet of 'where the ?? is netinet/in.h, socket.h and all the other things I habitually include when writing network code', but redefines the error returns from 'anything negative' to INVALID_SOCKET, and doesn't set errno, but makes you call a WSAGetLastError() function. Not only that, close() doesn't work, nor does read() or write() on sockets for that matter, and depending on your version of MSVC, (struct hostent *)->h_addr isn't actually defined for no good reason. Sockets are no longer int, but 'SOCKET' types, which are actually HANDLE types, which are some sort of doubly-redirected pointer thing. Now, select() works, but only on streams of the same type, so if I am trying to select() between a serial port (which I can't open in MSVC easily, see above) and a network socket, the answer is AAAAARRRRRRGGGGGGHHHHHHHHHH.

Half an hour to write the server code with gcc and get it working, talking to it from a telnet session (from a unix box, because MS telnet is so laughably broken), and two *****ing days to get even the simplest client program to even COMPILE with MSVC.

The client has to be MSVC based, because in the end, it will interface with visual basic (just don't get me started on visual baSICK) and GCC, quite rightly, in my opinion, doesn't want to go anywhere near that particular slime pit.

No wonder Microsoft make buggy software.

FDISK is the only command worth running on an installed windows box.

INFORMATION - Rant mode has been disengaged. Please come out of hiding now.

I rest my case.


Easier Way to Recover Your PC

Post 11

Pezvi

You poor, poor soul.

My pet complaint about the Windows programming environment is the completely ill-conceived DLL system. Why, why, why do they seem to deprecate everything 6 months after they've released it? Why do two brand new programs require mutually exclusive versions of, say, shlwapi.dll or comctl32.dll?

And why when one installs a new version of Office (or any other MS product you'd like to insert here) does everything else in the OS change? I remember installing Office95 and having all the explorer icons replaced by hicolor versions... sure I was running 24-bit color at the time, but I didn't really want my RAM and swap space eaten away by icons with double the color depth.

Ok, just a mini-rant to express my sympathy (empathy?).

And no, I don't work for the government in the UK. Though it seems at times I'm trapped in Brazil.


Easier Way to Recover Your PC

Post 12

Caveman, Evil Unix Sysadmin, betting shop operative, and SuDoku addict (Its an odd mix, but someone has to do it)

My comments regarding UK local government were directed at the notion that only a bureaucracy gone insane, like most local governments are, could conceive a system that had to grant and prevent access in the same manoeuvre.

If DNA were still with us, I'm sure he would have had something to say about that.

Anyway, I got my stuff 'sort-of' working in the end. Now I get to dump it all on the Visual Basic person to deal with. My stuff works; it is, therefore, not my problem if VB can't handle it (which, as it is a really putrid abomination of a "programming language" (for temporary lack of a more pejorative term for it), it probably will fail miserably in so doing).

Me, I'm off to hack MySQL*. SQL is kinda new to me, but it doesn't look hard. I've done database design before on VAXen with RMS handling the file organisation (that's 'Record Management Services', not Richard Stallman). The difference being that back then I was writing database apps in FORTRAN (and why not?). Shouldn't be too hard. (The examples at least appear to be quite simply constructed, unlike most MS examples.)

*Why? Because I told myself I had to. The amount of data I'm sifting through (UK telephone area codes, descriptions, and charges) is small enough for a big malloc() and a sequential search, but I want to add SQL to my CV.


Easier Way to Recover Your PC

Post 13

Pezvi

Indeed, a bureaucracy gone insane is responsible for the system.

VAX, eh? No wonder you have such high standards for things working and making sense... I suspect you actually believe computers shouldn't need to be rebooted every 12 hours, as well.

As for MySQL, you'll probably pick it up in no time.

