Slashdot: News for Nerds


Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Estimating the Time-To-Own of an Unpatched Windows PC

kdawson posted about 6 years ago | from the 5-minutes-16-hours-whatever dept.

Security 424

An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutchinson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."

cancel ×


How is this measured (5, Insightful)

Lord Lode (1290856) | about 6 years ago | (#24192499)

I've heard similar statistics in the past already. How is this statistic measured? Is it the time after you connected your ethernet cable or modem and doing nothing at all but wait, or is it the time after you opened a browser and let an "average" user surf the internet and open things? Is it a problem if you need 4 minutes to install all windows patches and updates?

Re:How is this measured (4, Informative)

Spad (470073) | about 6 years ago | (#24192575)

I know that last time I put a new install of XP SP2 straight onto the internet without firewall or antivirus (A tiny oversight - plugged in the wrong cable) it was owned in under 5 minutes without any interaction on my part.

Re:How is this measured (5, Insightful)

JimboFBX (1097277) | about 6 years ago | (#24192669)

The fact your firewall was disabled shows you already did some interaction.

Re:How is this measured (4, Funny)

Alpha Whisky (1264174) | about 6 years ago | (#24192927)

I'd mod you funny if I had modpoints. I think he probably meant no router/firewall, Microsoft's toy firewall enabled by default in SP2 is about as effective protection as a wet paper bag would be against a rocket propelled grenade. Or for the Slashdot crowd who only understand car analogies, as good a protection as a Ford Pinto crashed into by an express train.

Re:How is this measured (0, Troll)

Anonymous Coward | about 6 years ago | (#24192731)

Same here. Some years ago I installed XP and when I connected to the internet I almost immediately received the "your computer will shut down in 60 seconds" notice triggered by the blaster virus.

I bought Suse the same day and never looked back.

Re:How is this measured (5, Interesting)

Gumbercules!! (1158841) | about 6 years ago | (#24192963)

I recall working at a university, in which every PC had a public IP address. I clearly remember a Windows 2000 server being pwned during installation. As in before the install process even finished.

That was the last time I installed with the CAT/5 still plugged in (and yes, it was my first job)....

Re:How is this measured (1)

Dr.M0rph3us (1256296) | about 6 years ago | (#24192965)

That's one of the reasons I never plug in the network cable until the OS is installed, configured, hardened, firewalled, [insert paranoid security measure here].

I usually turn automatic updates off, and i don't immediately switch to new Service Packs (using Win. Server 2k3 EE/DC), cause I don't trust them until they are thoroughly tested (see what happens with XP SP3).

... and if you leave your car key in the ignition? (1, Insightful)

petes_PoV (912422) | about 6 years ago | (#24193013)

you'll find that also gets "owned" in less than 5 minutes, in any city in the world.

Solution: don't do it.

The point is not that there are bad people, or 'bots, about, it's that there are still a few individuals who are either too lazy or haven't been educated in the hazards of leaving their PCs unguarded. In time they will learn the hard way - or be taught (or possibly punished, as this weakness affects not just the person who's PC it is) that they will take a loss if they don't or "forget" to take the proper precautions. You can build better security into an O/S, but it still requires the people to actually use it: the problem is more an educational issue than a technical one.

Re:... and if you leave your car key in the igniti (4, Insightful)

Opportunist (166417) | about 6 years ago | (#24193073)

I actually forgot my car keys in my car overnight once and nothing happened. Well, this isn't LA downtown. I live in one of the cities with the least crime overall.

The problem is, with the internet space means nothing. You essentially automatically live in all the worst cities at once, they're all right in front of your doorstep.

That's what most people forget when they deal with the internet, especially if they live in a sheltered community where it's safe to walk the streets at night. They're not used to pondering being mugged any second. But that's exactly what happens on the internet, you live in the worst kind of neighborhood, anyone out there who wants to do something bad to you is camping right in front of your door.

Don't feel special, though. They camp in front of every else's door at the same time.

Re:How is this measured (2, Funny)

BazilBBrush (1259370) | about 6 years ago | (#24192699)

How is this statistic measured?

How long is a piece of string?

Pretty short in this case...

Re:How is this measured (1, Interesting)

Anonymous Coward | about 6 years ago | (#24192839)

It's simple: install fresh OS, plug in Interweb, wait 4 minutes. No other user action, instant zombie.

It comes from vulnerabilities in default services that shipped in the very first version of the OS. Nothing special about Windows except that there's enough of them to make it worthwhile to use some zombies to constantly probe for new ones.

Just connected (1)

SmallFurryCreature (593017) | about 6 years ago | (#24192861)

This is about worms and such that spread across the internet, not about trojans and virusses people download. Afterall, I could surfe google for years without ever getting a single virus and go to a .ru site and be infected in seconds. No, the 4 minutes is for a windows PC directly connected to the internet (no router in between) doing nothing but being connected. What will happen to a lot of people who just bought a new computer and are using a direct connection to the internet like many a cable company offers. If your connection to the internet has only ONE ethernet port or is a USB modem or something similar this means you. ADSL typically uses routers in my experience (more then one computer can be connected) and this effectively closes of your PC from the internet meaning it can't be contacted.

Re:How is this measured (3, Informative)

Opportunist (166417) | about 6 years ago | (#24193037)

I did exactly the same kind of "research" (for a documentation about online threats for our local TV network), here is what I did.

I installed XP SP1 (bear with me, it was the pre-Vista days), the way you got it delivered on a CD. I did nothing else (XP SP1 came without the firewall preinstalled). I turned on a network monitor to document and show what happens. Then I patched in an Ethernet cable to the local network which had unfiltered access to the internet (pretty much what the average cable user, or the average DSL user has after dialup).

Time to infection through the RPC hole was less than 2 minutes.

I did essentially NOTHING to faciliate it (besides, well, not having the machine patched at least to SP2), I just let the machine sit there, connected to the internet.

In a nutshell, if you're using XP and have one of those SP1 install discs, download SP3 before you kick the system in the gutter, put the service pack on a USB stick or external drive and install it before you connect that machine anywhere.

Re:How is this measured (1)

welshie (796807) | about 6 years ago | (#24193157)

It takes considerably more than 4 minutes to patch XP, even from a local copy of all the service packs and patches on a USB hard drive. More like 2 hours if you haven't got the updates scripted, and at least 30 minutes if it's all scripted. If you factor in that the average user doesn't have all those service packs and hotfixes archived, and need to download from the internet... It's toast. I had the unfortunate experience of taking delivery of a new Laptop that had Vista on it, and at the time, the only Internet connection available was a dial-up. After five hours online, it still hadn't finished downloading the updates. This makes me think - why can't Microsoft's updates just patch files that is already on the disk, rather than replacing the entire binary? This is hardly new technology.

Honeynet (1)

Architect_sasyr (938685) | about 6 years ago | (#24192501)

Didn't the honey project provide us this exact same information a few years ago?

Re:Honeynet (3, Insightful)

jd (1658) | about 6 years ago | (#24192583)

The fact that another Slashdot reader queried my insistence Windows 7 should have better host and network security is proof that there is still rampant ignorance on the subject. The fact that the time-to-pwn has not fallen over the past four years despite "security fixes" and security engines that inconvenience users and break applications is proof that the security methods employed by Microsoft are a failure. The fact that there is virtually nothing mainstream in the Windows world that compares with even the pittance of auditing offered by SARA and TARA is proof that there is no desire to fix this.

Re:Honeynet (2, Insightful)

EvanED (569694) | about 6 years ago | (#24192719)

The fact that the time-to-pwn has not fallen over the past four years...

Pray tell what has happened to the base Windows installation over the past for years? Those security fixes you mention aren't counted in this time, so you can't claim that they aren't contributing to overall security. From the article (sort of ) it sounds like this is still the time for XP and not Vista (though since neither the summary nor either linked article actually says or anything, so I'm not sure). So why, exactly, should we have expected the time to decrease?

Re:Honeynet (3, Insightful)

neokushan (932374) | about 6 years ago | (#24192755)

How can you say this shows no improvement over the last 4 years when the test subject was an UNPATCHED version of Windows?
The article wasn't even particularly clear if it was good ol' Vanilla XP or XP SP2 or whatever.

Re:Honeynet (3, Insightful)

willyhill (965620) | about 6 years ago | (#24192815)

One question though - why exactly would I face out a machine with an unpatched OS (the "article" doesn't even mention the version), any OS?

Especially since a $20 Linksys router solves my problems, assuming I'm unable to splipstream service packs or errata or whatever?

If this is Windows XP, why isn't there an article on the time-to-own for an unpatched RedHat 8 install? Do I not have to go online to download the errata for that one as well? Or even the new version?

Even with the larger number of exploits for Windows vs Linux, that doesn't mean there are no exploits for Linux. So I have 20 minutes to download my patches, instead of 5? And that's some sort of median, right? Wow, that sure sounds a lot safer. I hope I make it.

This "metric" is like measuring how deep a machete can cut into your leg, or how much chlorine bleach you can chug before doubling over. Useful? Sure. Should you try it? Nope. With *any* operating system. Not even with any of the *BSDs, which I tend to trust a hell of a lot more than most Linux distros nowadays.

Looks like a slow news night for Slashdot, as usual.

Re:Honeynet (3, Insightful)

ozmanjusri (601766) | about 6 years ago | (#24192981)

If this is Windows XP, why isn't there an article on the time-to-own for an unpatched RedHat 8 install?

Can you still buy Redhat 8?

Re:Honeynet (1)

jcupitt65 (68879) | about 6 years ago | (#24193069)

One question though - why exactly would I face out a machine with an unpatched OS (the "article" doesn't even mention the version), any OS?

Because that's the version of Windows that (just about, I think, for now) Microsoft still sell. If you buy a copy of XP it really is unpatched. You need to either download the patches from a secure machine and slipstream them on to your own install disc, or you need to make sure you're behind a good firewall before you plug your fresh machine into the net and do an update.

When you download a Linux ISO, it already has all (or most) of the latest patches applied. In effect, they slipstream them on for you. If you but a CD ina shop, it will typically not be more than 6 to 12 months old, since that's the cycle time of most distros, and will not have so many patches to apply.

Of course XP SP2 is pretty old now. I wonder if Vista SP1 would get broken in to? Probably not.

Re:Honeynet (1)

EvanED (569694) | about 6 years ago | (#24193147)

Because that's the version of Windows that (just about, I think, for now) Microsoft still sell.

As I've said a few times, in the absence of information I would expect to see (the article is deficient in actual information about what it is they are measuring), I suspect this is pre-SP2 XP. You haven't been able to buy that for years. (Or at least MS hasn't printed it for years.)

This just in... (-1, Troll)

Anonymous Coward | about 6 years ago | (#24192507)

SANS is reporting that data taken in the Average Time to Orgasm for a Slashdotter Study was accidentally mixed in, skewing the results.... upward?

This can't be right.

Doesn't make sense (1, Interesting)

kaos07 (1113443) | about 6 years ago | (#24192509)

Man this doesn't make sense. So what, are they saying that as soon as you plug in your modem to the PC thousands of different sources are already trying to infect you? Even if you don't browse? Because the point is you can download Windows Updates and you can install and update your AV with only two connections. Not sure how you're going to get infected that way.

Of course it could just be "Windows users can't resist dodgy porn sites for more than 4 minutes". Which makes more sense. I mean, when you've just gotten access to the internet what's the first thing you do? Hot Busty Nurses > Slashdot.

Re:Doesn't make sense (1)

FluffyWithTeeth (890188) | about 6 years ago | (#24192525)

There are plenty of botnets that just scan and attack ip blocks. I'd imagine the frequency of attacks depends on country and whatnot.

Re:Doesn't make sense (4, Informative)

thona (556334) | about 6 years ago | (#24192537)

That makes a lot of sense - because that is exactly what happens. Tons of bots around trying to get into "known and patched for years" exploits. They jsut scan IP Address ranges for computer to come online. So, really - no browsing required. No user action required. They happily come to you. This is why a simple firewall like the one you have now on Windows (allow only outgoing connections by default) or simple NAT ALREADY raises quite a bar in security - there ARE, HAVE BEEN and WILL BE exploits that do not require any user interaction.

Re:Doesn't make sense (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#24193077)

Re:Doesn't make sense (4, Informative)

kitgerrits (1034262) | about 6 years ago | (#24192545)

No, this type of infection is sent to random computers all over the Internet.
If one computer on the same IP range as you if infected, it will try to infect all computers on the same IP range and continue to try until someone either turns off the PC or formats the harddrive.

Try installing a firewall, connecting a computer directly to the Internet (don't -do- anything, just connect it) and then Wireshark to look at your Network Interface.
You'll be surprised at the stuff you get without asking.

Re:Doesn't make sense (2, Insightful)

MadMidnightBomber (894759) | about 6 years ago | (#24192633)

Exactly. It used to be a real problem, and at my uni in 2003 or so, I'd insist everyone built their servers and patched them offline. Some didn't listen to me and got owned during install.

These days, you turn on the firewall on XP SP2 or 2003 and don't have the problem. (As the OP said, just don't browse the web while you're doing a server install.)


Re:Doesn't make sense (1, Informative)

Anonymous Coward | about 6 years ago | (#24192687)

You don't even need to turn it on; with SP2 it's on by default. The same with Vista. Yet the compromised machines had the Windows firewall turned off. So it's kind of a bogus test, because XP doesn't ship without SP2 any more, and ships with the firewall on by default.

inform yourself (0)

Anonymous Coward | about 6 years ago | (#24192643)

There are exploits that don't require any interaction of the 'former owner' of the machine.

Re:Doesn't make sense (1)

gmuslera (3436) | about 6 years ago | (#24192701)

My firewall logs at least are pretty spammy with what are stopping at all hours.

Not sure if my netblock is relatively quiet or active, but got 14 test of 9 different ips to 9 different ports in a random chosen 10 minutes interval. If any vulnerability was there, i had no need to browse or do anything more than just get connected to get infected/exploited/botnetted.

Re:Doesn't make sense (1)

Max Littlemore (1001285) | about 6 years ago | (#24192703)

What doesn't make sense to me is the editorial standards on /.

The title should be "Estimating the 71m32pwn of an Unpatched Windows PC.

Really, the standard is slipping.

Re:Doesn't make sense (4, Informative)

sowth (748135) | about 6 years ago | (#24192709)

I'm going to jump in, because I don't think anyone explained this.

Windows runs lots of services (server programs) by default, some of which have vulnerabilities. Some of which can't be turned off, because of the way MS programmed them. If you wonder why they are there, this is how things like filesharing works: it has a server program which will reply when someone else on the lan broadcasts asking for other shares. If someone creates specially formed packets, they can break into those vulnerable services, and you are rooted.

There could also be vulnerablilities in the kernel (main system), but they are rare. You could also be infected if you opened up a shared folder, and someone / a program uploads a hostile program to it, and you run that program.

This is in addition to getting infected by visiting a hostile site with an insecure browser.

I may not have explained this very well, but hopefully you get the idea.

Re:Doesn't make sense (1)

NickCatal (865805) | about 6 years ago | (#24192997)

I was thinking the same way

For instance, I had a Windows XP machine with the latest updates setup as the DMZ host for YEARS and I *NEVER* got compromised in any way. And this is with no anti-virus or firewall. I used this thing for all of watching movies, so if it got hacked I would just reformat the thing. Every so often I would come back and run a virus scan (not norton or mcafee, but like NOD or Kaspersky) I would not find a single thing.

Not once, not ever.


Now spyware/adware I watched crop up constantly. Those anti-virus programs would find that all over. But that is mostly from downloading it unknowingly or just being careless.

Now go on my parent's computers and it is full of crap that they downloaded. They were behind NAT the entire time.

Re:Doesn't make sense (1)

NickCatal (865805) | about 6 years ago | (#24193015)

I might add that this machine was recently reformatted and is safely behind NAT and I use it to only play music and host media files, so trying to compromise it now would be... difficult.

Re:Doesn't make sense (2, Insightful)

Opportunist (166417) | about 6 years ago | (#24193129)

What's cooking here is worms. Those pesky little things that don't wait for you to click on an infected program but use security holes in your RPC to infect you. XP pre-SP2 was notorious for such a security hole, and my firewall logs tell me that such machines are still widely in use on the internet.

As I stated above, it took less than 2 minutes with SP1 in 2004. I should repeat that test, I wonder if it changed in the past 4 years.

Bottom line of it all, a router for 20 bucks can already solve that problem if it's configured to drop any incoming packets (which it is by default). An expense of 20 bucks is all that keeps Joe Average from defeating about 99% of today's worms. I know of a few POCs that can actually find ways around this, but so far I'm not aware of any widespread use of any of those.

Um, what version? (1)

EvanED (569694) | about 6 years ago | (#24192511)

You think either the summary or the linked article would have been kind enough to say what version of Windows.

From the link that goes here [] (linked from the first linked page) it looks like Windows XP. Would be interesting to compare with Vista.

Re:Um, what version? (4, Funny)

Anonymous Coward | about 6 years ago | (#24192555)

Would be interesting to compare with Vista.

They tried. They ran into some obscure bug with Vista that prevents it from accessing the internet while the machine is powered on.

Re:Um, what version? (3, Informative)

IntlHarvester (11985) | about 6 years ago | (#24192707)

XP SP2 comes with a firewall on by default. Vista comes with a firewall on by default.

This is only seems interesting if you're installing from your vintage 2001 XP disk.

Re:Um, what version? (3, Informative)

EvanED (569694) | about 6 years ago | (#24192763)

Which is exactly my point. We know those machines get pwned quickly, so why is this news? The /. summary presents it as if it's a current measurement of a current OS and not one that was superseded almost four years ago? (Assuming they are using a pre-SP2 install. Which, since the site doesn't give any actual information, I don't know.)

Baloney (1, Funny)

Anonymous Coward | about 6 years ago | (#24192529)

I am posting this message from a completely unpatched windows box on the Internet and I am not seeing any side eff....

Buy Viagra Cheap at http://myipaddres/viaga

Re:Baloney (1, Funny)

Anonymous Coward | about 6 years ago | (#24192563)

Pft. Newb. If you were smart, like me, you would have patched your Windows bo

Buy Viagra Cheap at http://myipaddres/viaga

Re:Baloney (4, Funny)

SurturZ (54334) | about 6 years ago | (#24192597)

Fools, don't you know that all you have to do is make sure you scan any flopp

Buy Viagra Cheap at http://myipaddres/viaga [myipaddres]

Re:Baloney (5, Funny)

Exitar (809068) | about 6 years ago | (#24192651)

Haha, no problem for me with my Linux dis

Buy Viagra Cheap at http://myipaddres/viaga [myipaddres]

Re:Baloney (2, Funny)

Anonymous Coward | about 6 years ago | (#24192785)

Well, once again, me and my Mac have been proven to be superi

Buy Viagra Cheap at http://myipaddres/viaga [myipaddres]

Re:Baloney (1, Funny)

Anonymous Coward | about 6 years ago | (#24192877)

This reminds me, can your OS be shut off remotely? Because I just got a new dell, and I'm wondering if I install linux can dell jack my computer and turn it off remo

Re:Baloney (1)

EvanED (569694) | about 6 years ago | (#24192959)

Oops, sorry about that. I selected the wrong post in my post->IP reverser and hit you instead of Exitar. My bad.

Re:Baloney (0)

Anonymous Coward | about 6 years ago | (#24193093)

It's not just Dells.

Every Windows computer can be remotely controlled by Microsoft via a secret backdo

except Vista, which is perfect in every way. Such a thing of beauty, elegance and grace. An efficient user of resources and not at all irritating. BTW, have I mentioned what a dick Twitter is?

[twitter: Erris Mactrope gnutoo inTheLoo willeyhill westbake Odder ibane deadzero freenix myCopyWrong] See my homepage

Offline updates (5, Informative)

Fallen Andy (795676) | about 6 years ago | (#24192533)

For XP/Office/Vista, you owe it to yourself to use the Heise [] offline updates.

Back in '04 the time to live was (claimed to be) around 20 minutes. I wonder what the time is for an unpatched Vista (the figures in the article are for XP). Heh - I bet '98SE survives forever (nobody would want to exploit that).


Re:Offline updates (1, Interesting)

Anonymous Coward | about 6 years ago | (#24192615)

For XP/Office/Vista, you owe it to yourself to use the Heise [] offline updates.

How do I access those without going online?

Burn them on a CD, you say? How do I do that? Connect the CD-burner to the modem, without using the computer?

Imagine that I only have one computer. Imagine it is brand new, and this is not a 5*Re trouble shooting session.

(5*Re: Retry - Reboot - Reinstall - Reformat - Redhat)

Re:Offline updates (1)

drx (123393) | about 6 years ago | (#24192799)

You could buy one of those Walmart Ubuntu CDs and download the patches from the LiveCD.

Use a Linux live CD (1)

Nicolas MONNET (4727) | about 6 years ago | (#24192899)

But then you might just want to install Linux instead.

Re:Use a Linux live CD (0, Troll)

Cramer (69040) | about 6 years ago | (#24192999)

*ding* we have a winner. of course, sadly, a linux (or solaris, or in fact, almost any *NIX) box can be hijacked just as fast if no patches are (ever) installed. ('tho i don't know about 4min, as linux isn't as highly targeted.)

What constitutes an unpatched Windows system? (0)

Anonymous Coward | about 6 years ago | (#24192535)

Windows XP SP1? Windows 95? Windows 98? No, wait... Windows 3.1.1? Oh, I know! Windows 2000 SP3! Or was that Windows 2000 (Post SP4) Update Rollup 1 for W2K ver 2?

The related article didn't seem to mention what exactly constituted an "unpatched Windows system."

In the words of a Corellian... (1)

CriminalNerd (882826) | about 6 years ago | (#24192549)

"I like those odds."

Time-to-0wn with dumb NAT firewall (1)

billstewart (78916) | about 6 years ago | (#24192551)

The article recommends using a NAT firewall and a correctly configured personal firewall, and of course that's a good start (NAT is evil, but is generally a good starting place for devices that aren't running servers, and until you've got your system running the current patches, you don't want to be running servers at all, and even after that many client-like things work adequately behind NAT.)

But does anybody have any estimates of how long an unpatched machine will last behind a dumb NAT firewall? Are you ok at least until you've installed the standard patches for Windows (or your favorite Linux) and your favorite applications?

Re:Time-to-0wn with dumb NAT firewall (1)

JimboFBX (1097277) | about 6 years ago | (#24192813)

A system behind a NAT device could sit forever because no incoming traffic would come to it without it making a connection request first. Just don't stick it in the DMZ until you have a firewall.

Re:Time-to-0wn with dumb NAT firewall (4, Informative)

totally bogus dude (1040246) | about 6 years ago | (#24192853)

You should be perfectly safe, as a dumb NAT firewall won't be sending your PC any traffic that it didn't originate. The only possible vectors would be: a) if its connection tracking code gets confused and lets in traffic which it thinks is associated with another connection but really isn't, b) bugs in the NAT firewall device (pretty much the same thing), or c) an attacker gets very lucky with spoofing connections that happen to be in the NAT table (tremendously unlikely).

All up, the chances of anything getting through are pretty much negligible.

The caveat is that stuff on your PC may be making connections without your knowing; and in particular, some programs may use UPnP to open a listening port for incoming traffic. This shouldn't be an issue with an out-of-the-box install.

This is of course assuming the common NAT device setup, where you have your modem/router which gets a public IP address and then NATs all outbound traffic. Inbound traffic will hit the router and not go any further unless the user has explicitly set up forwarding rules on it.

Pretty much everyone with broadband in Australia will be behind such a device, as this is the kind of device most every ISP recommends or sells. Not sure what the norm is elsewhere in the world.

Re:Time-to-0wn with dumb NAT firewall (1)

Cramer (69040) | about 6 years ago | (#24193023)

Answer: Until the dump user clicks on the wrong attachment, etc. Browsing the web from an unpatched IE is asking for trouble. The same is true of unpatched Outlook and Outlook Express.

NAT cannot protect you from your own stupidity.

Typical /. Hypocrisy! (5, Funny)

Anonymous Coward | about 6 years ago | (#24192561)

I keep hearing on /. about how slow Windows is. Now it turns out that Windows is very fast.

Re:Typical /. Hypocrisy! (1)

ya really (1257084) | about 6 years ago | (#24192873)

Now it turns out that Windows is very fast.

Kinda like a high priced callgirl...and just as expensive to purchase.

What about TCO? (0)

Anonymous Coward | about 6 years ago | (#24192887)

Also, this really undercuts the notion that Linux has a lower cost of ownership. I mean, Windows computers are getting owned for *free* and it only takes a few minutes online!

A TCO like that is just incredible!

I have to call BS (0)

Anonymous Coward | about 6 years ago | (#24192573)

I never patch my windows unless its a service pack and I run just fine... Always have my Antivirus running and Windows defender with a router with built-in firewall... No complaints for the 7 years since I built my pc....

Re:I have to call BS (5, Funny)

Anonymous Coward | about 6 years ago | (#24192601)

I never patch my windows unless its a service pack and I run just fine... Always have my Antivirus running and Windows defender with a router with built-in firewall... No complaints for the 7 years since I built my pc....

Indeed, your computer is a valued member of our botnet.

Re:I have to call BS (2, Interesting)

CrackedButter (646746) | about 6 years ago | (#24192657)

I never patch my Mac unless its a point release and I run just fine... never used antivirus or any other program to shield me from the net... no complaints for the 5 year since I owned Mac's.

Re:I have to call BS (1)

IntlHarvester (11985) | about 6 years ago | (#24192747)

Point release for OS X is more like "Patch Tuesday" for Windows than a Service Pack. The GP is basically saying he goes years between patches, which I hope no Mac user would consider.

Re:I have to call BS (1)

fastest fascist (1086001) | about 6 years ago | (#24192691)

Always have my Antivirus running and Windows defender with a router with built-in firewall...

Good for you, that's not what the article is about, though. The point is, a system NOT protected by a firewall or antivirus will get owned in about 4 minutes.

Re:I have to call BS (1)

maglor_83 (856254) | about 6 years ago | (#24192769)

Good for you, that's not what the article is about, though. The point is, a system NOT protected by a firewall or antivirus will get owned in about 4 minutes.

Which is kinda moot since you can't buy Windows without firewall on by default.

College Network (2, Interesting)

Anonymous Coward | about 6 years ago | (#24192585)

I think the Time to Infection on a college network is like... 45 seconds.

Re:College Network (0)

Anonymous Coward | about 6 years ago | (#24192667)

False. I run on a college wireless network every day, and the only problems I've had are overall system slowdown, stolen identity, a cease and desist from the RIAA, and my computer turning itself on and off at odd times...

Ah. I see your point.

Re:College Network (0)

Anonymous Coward | about 6 years ago | (#24193059)

Surely the computers can't be infected that quickly.

Oh wait...

That's why you slipstream (3, Informative)

Toreo asesino (951231) | about 6 years ago | (#24192613)

You can bundle all the patches & service-packs you want into a slipstream image and install everything at the same time.

Otherwise, there's WSUS (

(Not that I disagree XP was horribly insecure when it came out)

Improved odds in XP/2003 SP2 and Vista/2008 (5, Interesting)

FuegoFuerte (247200) | about 6 years ago | (#24192621)

At risk of sounding like I'm supporting something Microsoft has done, the feature they added with Server 2003 SP2 (and I believe also XP SP2) was quite a good move considering these facts.

When a SP2 system is first brought up, after running through Mini-Setup or the OOBE, it will open a "Post-Setup Security Update" wizard. Until the user clicks the "Finish" button on the wizard, the firewall blocks all incoming traffic. The wizard also has links to Microsoft Update, etc. This gives the user a chance to download all the patches before opening up the firewall.

In Vista/2008, the firewall is on by default and fairly locked down, only allowing certain traffic through. In Server 2008, the firewall rules are also grouped into categories to make it easier to configure so the user doesn't get frustrated and just turn it off completely (and if a user tries this by just stopping the firewall service, they lose their 'net connection completely... one must instead set a firewall policy to allow all traffic, which then shows the firewall status as "off").

Re:Improved odds in XP/2003 SP2 and Vista/2008 (1)

louarnkoz (805588) | about 6 years ago | (#24192791)

Actually, all versions of Windows since XP/SP2 (August 2004) come with the built-in firewall turned on by default. To get the "owned in 4 minutes" statistic, you need to either install an old unpatched version of XP or XP/SP1, or deliberately turn off the firewall. Which explain maybe why TFA is so light on details...

Based on a.. diary post? (3, Insightful)

ulash (1266140) | about 6 years ago | (#24192639)

The source for this post seems to be lacking on quite a few fronts when explaining how they arrived at this data.

- (As pointed out already by numerous posters) Which version of Windows are they using?
- What activity are they using the computer for?
- Who are the "all" in "placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas" ?
- How unpatched is unpatched? Is this a version of the OS that one needs to deliberately search for or if I go and buy a boxed version of the OS there is a pretty good chance it will be just as "unpatched" ?

The "piece" raises more questions than the answers it provides.

What? (1)

Waccoon (1186667) | about 6 years ago | (#24192695)

So, why have I been using Windows for 12 years with no antivirus, and have never gotten a virus? At one time I had a DSL connection at work with no NAT and didn't have any problems there, either.

Re:What? (2, Informative)

able1234au (995975) | about 6 years ago | (#24192713)

How do you know you don't have a virus unless you scan your computer? Even then, if you have a rootkit successfully installed it might be possible for the rootkit to avoid the AV software.

Re:What? (1, Funny)

Anonymous Coward | about 6 years ago | (#24192921)

hell people have managed to survive jumping from airplanes without a parachute.

And these techs tell you... (3, Insightful) (142825) | about 6 years ago | (#24192729)

These tech people from Comcast or SBC tell you to plug your machine directly. Maybe they work for the people who run botnets?

A spit on them. They seem to be as incompetent as the 'Geek Squad'

Obvious misspelling in title (1)

oodaloop (1229816) | about 6 years ago | (#24192739)

That should be Time-To-Pwn. You're welcome.

7 months and counting (3, Informative)

petes_PoV (912422) | about 6 years ago | (#24192741)

At the end of last year (just before christmas) I reconfigured an old laptop with W2k/SP4 for use receiving weather satellite pix and acting as a weather station. Since it only has a 150MHz processor and 96MB memory I decided not to include any anti-virus or spam filtering on the box itself. It does sit behind my Netgear DG834GT, which only lets through selected ports - mainly for the benefit of the other machines I run.

While the laptop itself has very little internet presence (just downloading patches, drivers and s/w updates) I've occasionally remote-mounted it's disk to another box that runs Norton. I've never detected any spam, viruses, trojans or other nasties.

My conclusion is that with some basic precautions and common-sense (plus no email and only visiting "well known" websites) it's quite feasible to run a windows box for dedicated applications 24*7 without the overheads of virus protection.

another nonsense MS bashing piece (1, Interesting)

timmarhy (659436) | about 6 years ago | (#24192751)

right let's install a 5 year old linux distro and see how long it takes to get owned. it's the same thing they are putting forward here with an unpatch winXP system.

unpatch systems with no protection are easy to infect - this is not news.

Re:another nonsense MS bashing piece (1)

EvanED (569694) | about 6 years ago | (#24192869)

right let's install a 5 year old linux distro and see how long it takes to get owned. it's the same thing they are putting forward here with an unpatch winXP system.

No it isn't. That Linux distro wouldn't be old enough... it should be 7 years old, not 5.

(Not that XP would stand a chance even in that comparison, but the failure to mention that it sounds like these numbers are for XP without SP2 in the summary, making it sound like Vista or even XP with SP2 is as vulnerable is very disingenuous.)

Anonymous Coward (1, Funny)

Anonymous Coward | about 6 years ago | (#24192753)

Why does my IT guy always say PwN3D? he actually pronounces the "3" in klingon. Does this somehow relate?

But in practice... (1)

cruachan (113813) | about 6 years ago | (#24192821)

Who ever sets up a windows PC with a direct internet connection? Being behind a NAT will cover the drive-by attack issue perfectly adequatly, and whilst it was it was common a few years ago for consumer broadband companies to supply USB broadband 'modems' which did connect directly, in practice now this is rare as most now use a pre-configured (generally wireless) router.

Re:But in practice... (1)

_Shad0w_ (127912) | about 6 years ago | (#24192987)

Oh you'd be surprised; companies that host Windows web servers for a start - especially when they normally only deal with BSD and Linux based boxes. I've known a hosting company put an unpatched Windows 2003 Server on their external network, it was riddled with all sorts of fun by the time I looked at it.

What about Vista? (1)

Tracy Reed (3563) | about 6 years ago | (#24192857)

Whether we like it or not MS is slowly but surely on their way to strong-arming everyone into running Vista. I don't care about XP anymore. What is the TTO (time to ownage) for Vista?

I'll believe Windows is getting more secure when I start getting less spam in my inbox.

Re:What about Vista? (1)

IkeTo (27776) | about 6 years ago | (#24192923)

> I'll believe Windows is getting more secure when
> I start getting less spam in my inbox.

I'd be a bit easier. I'll believe Windows is getting more secure once the anti-virus companies go out of business.

Re:What about Vista? (1)

Toreo asesino (951231) | about 6 years ago | (#24192985)

Should be much more secure as the 1st time you connect to any new network (wireless or otherwise), Vista assumes it's a hostile network by default, and coaxing it into opening any ports at all on the new interface requires admin privileges. If you don't, everything inbound is locked down.

So, in theory, if you just "plug in a vista RTM machine", it should be watertight. Start opening ports though, and it might be a different story.

ha! (3, Interesting)

thatskinnyguy (1129515) | about 6 years ago | (#24192881)

4 minutes eh? I've seen XP installs (Pre-SP1) get owned during the install process!

Re:ha! (1)

freedom_india (780002) | about 6 years ago | (#24192919)

You made me spill hot coffee in my lap, you insensitive clod!

Thats because once you patch.... (1)

3seas (184403) | about 6 years ago | (#24192949)

... you are infected and there is no more "time to infection".

What about NAT? (1)

samael (12612) | about 6 years ago | (#24192951)

Does putting it behind NAT entirely protect it?

Or are there worms out there that can bypass that?

Re:What about NAT? (1)

LanceUppercut (766964) | about 6 years ago | (#24193075)

An XP machine behind a NAT (router) remains uninfected forever, without any additional protective means. Moreover, I don't know where they get their strange times. I had an XP machine connected directly for 7 months in a row without any infection.

Running round in circles? (0)

Anonymous Coward | about 6 years ago | (#24192971)

Now this is indeed funny tbh

Imagine you have a fresh install of windows XP because it crashed the hard drive or something like that, you are on holidays and the only connection you have is a wifi up link with limited bandwidth.

This could (or prolly will, like proven in the test) lead you to getting owned by several trojans, exploits or whatever you name it.

Now how could you ever, when only having an uplink without any blocking/firewall mechanisms on hand, get updated with the right patches.

I guess the only solution is to not do this.

Now I don't use the XP firewall, but use netlimiter pro for firewalling and bandwith shaping. I truly wonder if this is good enough, since I mostly sail through the year and my only connection uplink is through wifi (which is as open as it can get)

About all of my connections run through a openvpnserver which I run at home, but ofcourse, the first step in the process to get a connection is by getting an ip-adress and start the tunnel. From that point on I suppose it is secure since all traffic from that point on is through the tunnel

But then again, if it get's compromised before the rerouting through the tunnel starts, everything is screwed, or isn't it? Now once comprimised, everything, including the trojans and other such will go through the tunnel and I'm still screwed right? allthough from that point on, there won't be any new trojans/exploits/... since the firewall on the other end will block it, but wait again, if the trojan is already inside, it still can open an connection and start transfering new ones to me...

I guess I got a dutch saying here, the chicken and the egg problem, running round in circles...

So to get it all done, this means I have to get a dvd filled up with patches to make sure I can update/fix all the holes before getting online. But wait again, to activate the XP I have to get online, or pick up the phone to dial Microsoft to get it all activated.

Ahhh, nope, XP has this firewall activated by default.

Or is it not?

If it is activated by default, not patched, but a clean install, it still has this truck load of vulnerabilities?

Just wondering.

Any OS will get owned post-install (3, Informative)

ptashek (1176127) | about 6 years ago | (#24193053)

I took about 2 minutes the last time I remember this was *accidentally* tested on our /16 network (XP SP2, way down in mid-2006). But this is not a Windows problem per-se. Any other OS, in a post-install state, will eventually get compromised. It's just a matter of time. Solution: build + patch + secure offline, then deploy.

So what? (0)

Anonymous Coward | about 6 years ago | (#24193067)

So what? I'm not sure what this is telling us that we didn't already know. It's like removing the airbags and seatbelts from a car, putting a person in the drivers seat, putting the car in drive and letting the car go without the person intervening. Eventually the car is going to come in contact with something and the person is going to be harmed. This is obvious. Throwing an estimated amount of time onto it doesn't tell you anything useful.
Running the test with a fully patched install, that's usable information.

I have always known...... (1)

rust627 (1072296) | about 6 years ago | (#24193083)

That bugs come in through open windows......

What does "prior to install" count as? (2, Informative)

Cramer (69040) | about 6 years ago | (#24193133)

I recall a former boss's computer getting compromised during the installation. It was either NT4 or 2000 server. I'm not sure his disk (most likely an MSDN disk) had any service packs on it. (this was late '03.) It was beyond the firewall, naked on a Bellsouth DSL line.

I also recall a friend (sysadmin) had his linux (redhat 6.2 maybe) machine compromised within a day of installing it. I don't know if it was within 4min or 16hrs; the next day we noticed it was scanning the network. That was a "naked" workstation on an ISP's core network -- no firewall of any kind. That was 7-8 years ago, and we still kid him about it.

The T1 at the office was seeing about 100 probes per minute years ago when I cared enough to log all that shit. The DS3 was seeing just as much crap the instant it was turned on a few months ago. (seeing how the morons setup that router (cisco), I wouldn't be surprised if people have broken into it -- with no logging turned on, how would anyone know?!?)

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account