Discussion:
NYTimes: About 70 million computers are botted
Tester
2007-01-07 12:30:15 UTC
http://www.nytimes.com/2007/01/07/technology/07net.html

Bots being used for pump'n'dump spam, credit card fraud, even in
stealing shipping schedules from a coast guard. (piracy?)

Attack of the Zombie Computers Is Growing Threat
In their persistent quest to breach the Internet’s defenses, the bad
guys are honing their weapons and increasing their firepower.

With growing sophistication, they are taking advantage of programs
that secretly install themselves on thousands or even millions of
personal computers, band these computers together into an unwitting
army of zombies, and use the collective power of the dragooned network
to commit Internet crimes.

These systems, called botnets, are being blamed for the huge spike in
spam that bedeviled the Internet in recent months, as well as fraud
and data theft.

Security researchers have been concerned about botnets for some time
because they automate and amplify the effects of viruses and other
malicious programs.

What is new is the vastly escalating scale of the problem — and the
precision with which some of the programs can scan computers for
specific information, like corporate and personal data, to drain money
from online bank accounts and stock brokerages.

“It’s the perfect crime, both low-risk and high-profit,” said Gadi
Evron, a computer security researcher for an Israeli-based firm,
Beyond Security, who coordinates an international volunteer effort to
fight botnets. “The war to make the Internet safe was lost long ago,
and we need to figure out what to do now.”

Last spring, a program was discovered at a foreign coast guard agency
that systematically searched for documents that had shipping
schedules, then forwarded them to an e-mail address in China,
according to David Rand, chief technology officer of Trend Micro, a
Tokyo-based computer security firm. He declined to identify the agency
because it is a customer.

Although there is a wide range of estimates of the overall infection
rate, the scale and the power of the botnet programs have clearly
become immense. David Dagon, a Georgia Institute of Technology
researcher who is a co-founder of Damballa, a start-up company
focusing on controlling botnets, said the consensus among scientists
is that botnet programs are present on about 11 percent of the more
than 650 million computers attached to the Internet.
[...]
--
Posted via a free Usenet account from http://www.teranews.com
BlackPrince
2007-01-07 14:43:17 UTC
Post by Tester
http://www.nytimes.com/2007/01/07/technology/07net.html
Bots being used for pump'n'dump spam, credit card fraud, even in
stealing shipping schedules from a coast guard. (piracy?)
Attack of the Zombie Computers Is Growing Threat
In their persistent quest to breach the Internet's defenses, the bad
guys are honing their weapons and increasing their firepower.
With growing sophistication, they are taking advantage of programs
that secretly install themselves on thousands or even millions of
personal computers, band these computers together into an unwitting
army of zombies, and use the collective power of the dragooned network
to commit Internet crimes.
These systems, called botnets, are being blamed for the huge spike in
spam that bedeviled the Internet in recent months, as well as fraud
and data theft.
Security researchers have been concerned about botnets for some time
because they automate and amplify the effects of viruses and other
malicious programs.
What is new is the vastly escalating scale of the problem - and the
precision with which some of the programs can scan computers for
specific information, like corporate and personal data, to drain money
from online bank accounts and stock brokerages.
"It's the perfect crime, both low-risk and high-profit," said Gadi
Evron, a computer security researcher for an Israeli-based firm,
Beyond Security, who coordinates an international volunteer effort to
fight botnets. "The war to make the Internet safe was lost long ago,
and we need to figure out what to do now."
Last spring, a program was discovered at a foreign coast guard agency
that systematically searched for documents that had shipping
schedules, then forwarded them to an e-mail address in China,
according to David Rand, chief technology officer of Trend Micro, a
Tokyo-based computer security firm. He declined to identify the agency
because it is a customer.
Although there is a wide range of estimates of the overall infection
rate, the scale and the power of the botnet programs have clearly
become immense. David Dagon, a Georgia Institute of Technology
researcher who is a co-founder of Damballa, a start-up company
focusing on controlling botnets, said the consensus among scientists
is that botnet programs are present on about 11 percent of the more
than 650 million computers attached to the Internet.
[...]
--
Posted via a free Usenet account from http://www.teranews.com
Which all begs the question - is there any way that the normal PC user can
check and tell whether their PC has been taken over and used as part of a
botnet?

BP
==
Thane
2007-01-07 15:41:36 UTC
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user can
check and tell whether their PC has been taken over and used as part of a
botnet?
I'm not sure we know what a normal PC user is in this context. I'm not
the expert in this but at $dayjob, where PC's are behind firewalls, IT
is responsible for all and sundry issues and will quickly isolate and
take down any infected machines. The accountability is clear.

For individual users (home), dial up would limit the effectiveness of
bots. I think DSL or cable-connected machines would be more of a
problem. Many individual users are not well informed about computers
and see it as an appliance (like toaster, TV etc.). I don't have a
strong feeling that the ISP's, being the next level of defense, are
doing enough to shut down bots, and that is assuming they feel the
need to do so.

As an example, I have been trying to have a Russian spam bot on a US
network shut down for months. The ISP, Liquidweb has been notified once
per spam by both email and by entering a help ticket on their website.
In spite of that the bot continued for months. This was a static IP.
Once again I do not believe ISP's are doing enough on this.

Thane
Onideus Mad Hatter
2007-01-07 16:19:07 UTC
Post by Thane
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user can
check and tell whether their PC has been taken over and used as part of a
botnet?
I'm not sure we know what a normal PC user is in this context. I'm not
the expert in this but at $dayjob, where PC's are behind firewalls, IT
is responsible for all and sundry issues and will quickly isolate and
take down any infected machines. The accountability is clear.
For individual users (home), dial up would limit the effectiveness of
bots. I think DSL or cable-connected machines would be more of a
problem. Many individual users are not well informed about computers
and see it as an appliance (like toaster, TV etc.). I don't have a
strong feeling that the ISP's, being the next level of defense, are
doing enough to shut down bots, and that is assuming they feel the
need to do so.
As an example, I have been trying to have a Russian spam bot on a US
network shut down for months. The ISP, Liquidweb has been notified once
per spam by both email and by entering a help ticket on their website.
In spite of that the bot continued for months. This was a static IP.
Once again I do not believe ISP's are doing enough on this.
Thane
You're also assuming they're not getting compensated under the table
for it. ; )

It's The Mexican tactic, you cheat the system until yer caught and
then you pretend you can't speak English and play stupid to get out of
it.

--

Onideus Mad Hatter
mhm ¹ x ¹
http://www.backwater-productions.net
http://www.backwater-productions.net/hatter-blog


Hatter Quotes
-------------
"You're only one of the best if you're striving to become one of the
best."

"I didn't make reality, Sunshine, I just verbally bitch slapped you
with it."

"I'm not a professional, I'm an artist."

"Your Usenet blinders are my best friend."

"Usenet Filters - Learn to shut yourself the fuck up!"

"Drugs killed Jesus you know...oh wait, no, that was the Jews, my
bad."

"There are clingy things in the grass...burrs 'n such...mmmm..."

"The more I learn the more I'm killing my idols."

"Is it wrong to incur and then use the hate ridden, vengeful stupidity
of complete strangers in random Usenet froups to further my art?"

"Freedom is only a concept, like race it's merely a social construct
that doesn't really exist outside of your ability to convince others
of its relevancy."

"Next time slow up a lil, then maybe you won't jump the gun and start
creamin yer panties before it's time to pop the champagne proper."

"Reality is directly proportionate to how creative you are."

"People are pretty fucking high on themselves if they think that
they're just born with a soul. *snicker*...yeah, like they're just
givin em out for free."

"Quible, quible said the Hare. Quite a lot of quibling...everywhere.
So the Hare took a long stare and decided at best, to leave the rest,
to their merry little mess."

"There's a difference between 'bad' and 'so earth shatteringly
horrible it makes the angels scream in terror as they violently rip
their heads off, their blood spraying into the faces of a thousand
sweet innocent horrified children, who will forever have the terrible
images burned into their tiny little minds'."

"How sad that you're such a poor judge of style that you can't even
properly gauge the artistic worth of your own efforts."

"Those who record history are those who control history."

"I am the living embodiment of hell itself in all its tormentive rage,
endless suffering, unfathomable pain and unending horror...but you
don't get sent to me...I come for you."

"Ideally in a fight I'd want a BGM-109A with a W80 250 kiloton
tactical thermonuclear fusion based war head."

"Tell me, would you describe yourself more as a process or a
function?"

"Apparently this group has got the market cornered on stupid.
Intelligence is down 137 points across the board and the forecast
indicates an increase in Webtv users."

"Is my .sig delimiter broken? Really? You're sure? Awww,
gee...that's too bad...for YOU!" `, )
Kelly Bert Manning
2007-01-07 19:49:17 UTC
Post by Thane
I'm not sure we know what a normal PC user is in this context. I'm not
the expert in this but at $dayjob, where PC's are behind firewalls, IT
is responsible for all and sundry issues and will quickly isolate and
take down any infected machines. The accountability is clear.
But does $dayjob have a no remote access policy, including not bringing
portables, disks, thumbdrives, into the office and connecting?
Thane
2007-01-07 20:06:58 UTC
Post by Kelly Bert Manning
But does $dayjob have a no remote access policy, including not bringing
portables, disks, thumbdrives, into the office and connecting?
Yes, they are very strict about both remote access and internal
software installation and use. I know in addition to the firewalls,
daily local virus and PestPatrol scans, they'll quickly isolate and
then disconnect a suspect machine.

Thane
Stephen Satchell
2007-01-07 15:42:47 UTC
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user can
check and tell whether their PC has been taken over and used as part of a
botnet?
1. Is the computer plugged in, turned on, and running Windows?

2. Is the machine connected directly to the Internet, without a
hardware firewall device?

OR

2. Is there anyone in the house who downloads software because it's "cool"?

If (1 and 2) then it is most likely a bot-net soldier.
--
A little learning is a dang'rous thing;
Drink deep, or taste not the Pierian spring;
There shallow draughts intoxicate the brain,
And drinking largely sobers us again.
-- Alexander Pope, Essay on Criticism
BlackPrince
2007-01-07 16:04:01 UTC
Post by Stephen Satchell
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user
can check and tell whether their PC has been taken over and used as part
of a botnet?
1. Is the computer plugged in, turned on, and running Windows?
2. Is the machine connected directly to the Internet, without a hardware
firewall device?
OR
2. Is there anyone in the house who downloads software because it's "cool"?
If (1 and 2) then it is most likely a bot-net soldier.
Thanks for your response, I am a home user so (1) is for sure and the PC is
'protected' by Panda software and XPs firewall. I don't download any
software for its cool features, but I know people who do.....

The point I'm making is how would we know if our machines were part of a
botnet, what checks can we carry out to be sure if we were or not?

BP
==
Scott Dorsey
2007-01-07 17:25:31 UTC
Post by BlackPrince
Thanks for your response, I am a home user so (1) is for sure and the PC is
'protected' by Panda software and XPs firewall. I don't download any
software for its cool features, but I know people who do.....
Panda Software and the XP firewall are NOT hardware devices and are NOT
anything you want to count on.

The XP firewall is written by the people who made the system insecure in
the FIRST place. That's the LAST thing I would ever trust.
Post by BlackPrince
The point I'm making is how would we know if our machines were part of a
botnet, what checks can we carry out to be sure if we were or not?
You can always use good antivirus software... but if the antivirus system
catches a problem, it's already too late.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
Vernon Schryver
2007-01-07 17:51:15 UTC
Post by Scott Dorsey
Post by BlackPrince
The point I'm making is how would we know if our machines were part of a
botnet, what checks can we carry out to be sure if we were or not?
You can always use good antivirus software... but if the antivirus system
catches a problem, it's already too late.
No one seems to have mentioned the obvious, evidently most effective
defense of not using Microsoft products.

Even those who flog Microsoft's Big Lies about the nature of the Microsoft
security problems implicitly agree that for the immediately foreseeable
future, not using Microsoft products is the single most effective defense
against botnets and all other security problems.


Vernon Schryver ***@rhyolite.com
Rev. Beergoggles
2007-01-07 21:42:54 UTC
Post by Vernon Schryver
No one seems to have mentioned the obvious, evidently most effective
defense of not using Microsoft products.
The most effective defense is to not use a computer at all.
--
rbg
Sulu
2007-01-09 02:11:26 UTC
Post by Rev. Beergoggles
Post by Vernon Schryver
No one seems to have mentioned the obvious, evidently most effective
defense of not using Microsoft products.
The most effective defense is to not use a computer at all.
As long as we are after radical FUSSP style solutions

If you do that then the viral spam memes will get via the verbal interface.
A .45 hole from dominant hands ear drum to the other cures that.


Sulu
Cary
2007-01-07 19:44:17 UTC
On Sun, 7 Jan 2007 16:04:01 -0000, "BlackPrince"
Post by BlackPrince
Post by Stephen Satchell
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user
can check and tell whether their PC has been taken over and used as part
of a botnet?
1. Is the computer plugged in, turned on, and running Windows?
2. Is the machine connected directly to the Internet, without a hardware
firewall device?
OR
2. Is there anyone in the house who downloads software because it's "cool"?
If (1 and 2) then it is most likely a bot-net soldier.
Thanks for your response, I am a home user so (1) is for sure and the PC is
'protected' by Panda software and XPs firewall. I don't download any
software for its cool features, but I know people who do.....
The point I'm making is how would we know if our machines were part of a
botnet, what checks can we carry out to be sure if we were or not?
BP
==
1 Get a firewall other than windows firewall. Preferably a hardware
firewall.
2 Get and run spyware checking software regularly.
3 Double check your antivirus is working at least weekly.
4 Turn off your computer when you're not using it.
5 Make sure it stays patched for all software, including the operating
system.
6 Run by grc.com and check out if any strange or unneeded ports are
open.

None of this will prevent you from becoming a bot. But it will reduce
the risk and reduce the damage if it becomes one. Any machine
regardless of operating system can be compromised. Windows boxes just
get used more because there are so many more of them that are poorly
protected. The competent IP professional knows this and keeps his eyes
open for signs at all times.
--
Cary
You have the right to say whatever you wish.
But just as you may not open my door to say it,
you also may not put it in my email box.
Your rights end when they meet my firewall.
arja
2007-01-08 00:17:02 UTC
Post by Cary
On Sun, 7 Jan 2007 16:04:01 -0000, "BlackPrince"
1 Get a firewall other than windows firewall. Preferably a hardware
firewall.
2 Get and run spyware checking software regularly.
3 Double check your antivirus is working at least weekly.
4 Turn off your computer when you're not using it.
5 Make sure it stays patched for all software, including the operating
system.
6 Run by grc.com and check out if any strange or unneeded ports are
open.
None of this will prevent you from becoming a bot. But it will reduce
the risk and reduce the damage if it becomes one. Any machine
regardless of operating system can be compromised. Windows boxes just
get used more because there are so many more of them that are poorly
protected. The competent IP professional knows this and keeps his eyes
open for signs at all times.
Why do you leave out the most important thing for all users: do not work
under admin rights when not absolutely unavoidable.

arja
Steve Baker
2007-01-08 23:26:58 UTC
On Sun, 07 Jan 2007 13:44:17 -0600, Cary
<***@eaglemailserver.invalid> wrote:


I'm running Windoze permanently connected to the Internet via cable.
Post by Cary
1 Get a firewall other than windows firewall. Preferably a hardware
firewall.
Don't need one.
Post by Cary
2 Get and run spyware checking software regularly.
Don't need it.
Post by Cary
3 Double check your antivirus is working at least weekly.
Don't need it. Once in a great while I might have a use for a DOS
scanner to check removable media.
Post by Cary
4 Turn off you computer when you're not using it.
Hmm. Can't "they" hijack my IP address then?
Post by Cary
5 make sure it stays patched for all software, including the operating
system.
Never have had the OS patched.
Post by Cary
6 Run by grc.com and check out if any strange or unneeded ports are
open.
Hmm. That only checks TCP ports 0-1023, right?

I guess I'm vulnerable to a Winsock exploit, but are there any that
will let an attacker take over my computer? Other than that, I'm in
pretty good shape.
--
Steve Baker
Greg Samson
2007-01-09 07:42:54 UTC
Post by Steve Baker
I'm running Windoze permanently connected to the Internet via cable.
[rest of answers snipped]
I am guessing you're kidding. You ARE kidding, right? And/or providing the
answers that anyone advocating those fixes would have to push uphill against...?
--
u wi zat clue stick dotorg
Steve Baker
2007-01-09 13:46:35 UTC
On Mon, 08 Jan 2007 23:42:54 -0800, Greg Samson
Post by Greg Samson
Post by Steve Baker
I'm running Windoze permanently connected to the Internet via cable.
[rest of answers snipped]
I am guessing you're kidding. You ARE kidding, right? And/or providing the
answers that anyone advocating those fixes would have to push uphill against...?
No, I'm not kidding. The only "tricky" bit is that my ISP filters ports
135-139 and 445 (how many "consumer" ISPs don't do that?). Other than
that, I just practice safe hex. It's not paranoia when they are out to
get you, and I know that they *are* out to get me. I figure that anyone
who *needs* AV software is just an accident waiting to happen, anyway.
It's just a matter of time before they get zapped. Of course, one of the
prices I pay is that many web sites are "broken". My solution would be
unacceptable to the average user.

I agree with this part of the post I followed up to, and I don't
disagree with the suggestions in context, which was "how can I tell if
I've been compromised?".
Post by Greg Samson
None of this will prevent you from becoming a bot. But it will reduce
the risk and reduce the damage if it becomes one.
--
Steve Baker
Herb Oxley
2007-01-09 16:46:43 UTC
Post by Steve Baker
It's just a matter of time before they get zapped. Of course, one of the
prices I pay is that many web sites are "broken". My solution would be
unacceptable to the average user.
So what is your solution, disabling JavaScript, Java and 3rd party
HREFs on a page?
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Herb Oxley
From: address IS Valid.
Stephen Satchell
2007-01-07 20:05:39 UTC
Post by BlackPrince
Thanks for your response, I am a home user so (1) is for sure and the PC is
'protected' by Panda software and XPs firewall. I don't download any
software for its cool features, but I know people who do.....
Software is not enough. You need to have a firewall external to the
Windows system to ensure that a perp can't use a TCP/IP stack exploit.
This is in addition to the stuff you have now, not in place of it.
Defense in depth.
Post by BlackPrince
The point I'm making is how would we know if our machines were part of a
botnet, what checks can we carry out to be sure if we were or not?
Without a sniffer, there isn't much you can do. Any software monitor
can easily be killed by an intruder. Your ISP might (emphasize *MIGHT*)
monitor activity so that suspicious traffic triggers an alarm.

Some of the bots don't use dedicated ports; they'll reuse port 80 (WWW)
for the control. "It's just another Web site."

Proving a negative is *always* hard.

By the way, with a hardware router you should be able to set up a filter
so that all Port 25 traffic only goes to the listed mail servers, not
the world. Look for that feature when you shop. Insist it be
demonstrated to you that the feature exists -- most firewalls whose
design is more than nine months old does *not* have the feature.

(This is why I absolutely love using Linux IPTABLES-based firewalls.)
--
A little learning is a dang'rous thing;
Drink deep, or taste not the Pierian spring;
There shallow draughts intoxicate the brain,
And drinking largely sobers us again.
-- Alexander Pope, Essay on Criticism
Sulu
2007-01-09 02:11:24 UTC
Post by Stephen Satchell
Post by BlackPrince
Thanks for your response, I am a home user so (1) is for sure and the
PC is 'protected' by Panda software and XPs firewall. I don't
download any software for its cool features, but I know people who
do.....
Software is not enough. You need to have a firewall external to the
Windows system to ensure that a perp can't use a TCP/IP stack exploit.
This is in addition to the stuff you have now, not in place of it.
Defense in depth.
To feel (not be) secure, here the external FW is an old $50 PC running
OpenBSD with a transparent FW on it. Any time I feel paranoid about am I
botted, I log/sniff every inbound and outbound packet from the PCs concerned.
If the bot's actually doing anything it will show up.
If it's botted, dormant and rootkitted (see Sony)
http://www.google.com.au/search?hl=en&q=sony+rootkit&btnG=Google+Search&meta=

Then how can you tell? mmmm....
Bootable CD-ROMs and MD5 checksums...?
The bad guy reflashes your ROMs and is invisible.
Paranoia is an infinitely deep hole....
Post by Stephen Satchell
Post by BlackPrince
The point I'm making is how would we know if our machines were part
of a botnet, what checks can we carry out to be sure if we were or
not?
Without a sniffer, there isn't much you can do. Any software monitor
can easily be killed by an intruder. Your ISP might (emphasize
*MIGHT*) monitor activity so that suspicious traffic triggers an
alarm.
Some of the bots don't use dedicated ports; they'll reuse port 80
(WWW) for the control. "It's just another Web site."
Proving a negative is *always* hard.
By the way, with a hardware router you should be able to set up a
filter so that all Port 25 traffic only goes to the listed mail
servers, not the world. Look for that feature when you shop. Insist
it be demonstrated to you that the feature exists -- most firewalls
whose design is more than nine months old does *not* have the feature.
(This is why I absolutely love using Linux IPTABLES-based firewalls.)
Nah that sucks OpenBSD is the only way to go....



{runs away, kills thread... sorry}


Sulu
Rich Clark, aka Left Rev Egg Plant, ULC, CotSG
2007-01-07 21:34:49 UTC
Post by BlackPrince
Post by Stephen Satchell
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user
can check and tell whether their PC has been taken over and used as part
of a botnet?
1. Is the computer plugged in, turned on, and running Windows?
2. Is the machine connected directly to the Internet, without a hardware
firewall device?
OR
2. Is there anyone in the house who downloads software because it's "cool"?
If (1 and 2) then it is most likely a bot-net soldier.
Thanks for your response, I am a home user so (1) is for sure and the PC is
'protected' by Panda software and XPs firewall. I don't download any
software for its cool features, but I know people who do.....
The point I'm making is how would we know if our machines were part of a
botnet, what checks can we carry out to be sure if we were or not?
You might try ethereal, available at http://www.ethereal.com/. Will
sniff packets on the active network interface on your computer, and you
can see each packet coming and going, source/destination IP addresses,
ports, etc. and even extract the data from individual packets. Worth a
try if you suspect something network-intensive is running on your pc.
nobody >
2007-01-08 01:00:16 UTC
Post by Rich Clark, aka Left Rev Egg Plant, ULC, CotSG
You might try ethereal, available at http://www.ethereal.com/. Will
^^^^^^^^^^^^^^^^^^^^^^^^
Post by Rich Clark, aka Left Rev Egg Plant, ULC, CotSG
sniff packets on the active network interface on your computer, and you
can see each packet coming and going, source/destination IP addresses,
ports, etc. and even extract the data from individual packets. Worth a
try if you suspect something network-intensive is running on your pc.
Thank you very much for the link, Rich!

Yes I'm a Windoze user at home, for family reasons. Nobody else wants to
learn another opsystem and no space for a second machine at this time.

I know now that I'm *probably* clean, nothing running at this time that
I didn't expect other than I'm going to have to spend time pounding on
the router's recognize tables (high ARP count).

But then again, I'm one of the few that "do those geek things" like
keeping the antivirus up-to-date and scanning for crap every 4-5 days.
If only 20% of the 'great unwashed' did that with *real* tools instead
of trusting Symantec and McAfee to do it automagically (and poorly),
we'd see 80% less zombie spam.
Bruce Barnett
2007-01-08 03:47:50 UTC
Post by Rich Clark, aka Left Rev Egg Plant, ULC, CotSG
You might try ethereal, available at http://www.ethereal.com/.
you mean http://www.wireshark.org/

Same developers, same code, different name. The Ethereal network
protocol analyzer has changed its name to Wireshark.
--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
Bill Cole
2007-01-07 21:54:18 UTC
Post by BlackPrince
Post by Stephen Satchell
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user
can check and tell whether their PC has been taken over and used as part
of a botnet?
1. Is the computer plugged in, turned on, and running Windows?
2. Is the machine connected directly to the Internet, without a hardware
firewall device?
OR
2. Is there anyone in the house who downloads software because it's "cool"?
If (1 and 2) then it is most likely a bot-net soldier.
Thanks for your response, I am a home user so (1) is for sure
FWIW, that's not necessarily 'for sure' since home users run a more
diverse assortment of systems than corporate users. You are far more
likely to find Linux as a desktop OS, MacOS (both 10.x and 'classic'
versions,) and even some OS/2 in homes than in most businesses.
Post by BlackPrince
and the PC is
'protected' by Panda software and XPs firewall.
Those quotes are well-placed. If software on the protected machine
itself is the only protection you've got, your protection is limited. If
you routinely use the machine as a user with administrative rights, any
malicious software that tricks you into running it (or tricks some
broken piece of garbage software like Outlook Express or Internet
Explorer into running it) can do anything to that "firewall" that you
could do yourself.

It is still helpful to have such software because not all malware is
smart enough to disable all flavors of software firewall, and if your
software is configured to stop unknown outbound traffic as well as to
protect from unexpected external traffic (which is all the XP kernel
firewall really can do, as I understand it) you can get protection
against the bot software doing anything bad, but only if the bot is
dumber than the software firewall.
Post by BlackPrince
I don't download any
software for its cool features, but I know people who do.....
The point I'm making is how would we know if our machines were part of a
botnet, what checks can we carry out to be sure if we were or not?
That is really a question for people who are experts in Windows. This is
a newsgroup for discussion of email abuse, so you will get a fair amount
of vague dismissiveness in responses because a lot of us are not Windows
experts at all. I cannot tell you much about how to attack the problems
of Windows from the inside other than parrot stock answers: keep an
anti-virus and at least one anti-spyware package updated and scan
regularly (daily, at least) and if your software "firewall" alerts you
to some program trying to talk to the outside world that you don't
understand, keep it blocked until you do understand it.


I know it sounds elitist, but I am pretty well convinced that more than
half of common users are not (and never will be) willing and able to
independently manage their own systems securely. Everyone using
Microsoft's web and mail applications or any of the "peer to peer file
sharing" systems designed for copyright evasion demonstrates the
problem: people want things that are free and easy to use without
thinking about or even really understanding what they are doing. Secure
systems are always less convenient than insecure systems, and they are a
lot harder (read: more expensive) to design and implement. If you cannot
look at a list of network sessions and processes on your machine and
think of a reasonable explanation for each item in those lists, you
can't really understand independently if your system is compromised.
--
Clues for the blacklisted: <http://www.scconsult.com/bill/dnsblhelp.html>
Current Peeve: "This page was written to render correctly in any standards
compliant browser" on pages with hundreds of HTML errors.
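Satchell's port-25 egress filter and Cole's advice to account for every network session, worked through as an added example that is not from this thread. It assumes the session list has the shape of Windows `netstat -an` output and uses constructed documentation-range addresses; the iptables rules are for a Linux router sitting between the PCs and the modem.

```python
"""Two checks from the thread: spot outbound SMTP sessions that do not go to
your own mail relay (a spam-bot tell), and generate the matching iptables
egress rules so a router only lets port 25 reach the listed mail servers."""
import re

# Constructed sample in the shape of `netstat -an` on Windows XP. Addresses
# are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1034      192.168.1.1:139        ESTABLISHED
  TCP    192.168.1.10:1051      203.0.113.10:25        ESTABLISHED
  TCP    192.168.1.10:1052      198.51.100.7:25        ESTABLISHED
  TCP    192.168.1.10:1053      198.51.100.8:25        SYN_SENT
  TCP    192.168.1.10:1054      198.51.100.9:25        SYN_SENT
  TCP    192.168.1.10:1060      203.0.113.80:80        ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

# The ISP's SMTP relay a legitimate mail client would talk to (constructed).
ALLOWED_MAIL_SERVERS = {"203.0.113.10"}

LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Turn netstat -an output into a list of session dicts. Banner and
    column-header lines are skipped; a wildcard port ('*') becomes None."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        sessions.append({
            "proto": proto,
            "local": laddr,
            "lport": None if lport == "*" else int(lport),
            "remote": raddr,
            "rport": None if rport == "*" else int(rport),
            "state": state,  # None for UDP, which has no state column
        })
    return sessions


def suspicious_smtp(sessions, allowed):
    """Outbound TCP sessions to port 25 whose remote host is not an allowed
    relay. LISTENING sockets never have a remote port of 25, so they drop out
    naturally; half-open SYN_SENT sessions are kept because a bot fanning out
    to many MX hosts shows up as exactly that. Bots that hide their control
    channel on port 80 (Satchell's point) are not caught by this check."""
    return [s for s in sessions
            if s["proto"] == "TCP" and s["rport"] == 25
            and s["remote"] not in allowed]


def smtp_fanout(sessions):
    """Number of distinct remote hosts reached on port 25. A mail client talks
    to one or two relays; a spam engine talks to many MX hosts at once."""
    return len({s["remote"] for s in sessions
                if s["proto"] == "TCP" and s["rport"] == 25})


def iptables_smtp_egress(allowed, chain="FORWARD"):
    """Rules for a Linux router: let port 25 reach only the listed mail
    servers, log everything else, then reset it. Order matters: the ACCEPTs
    must precede the catch-all LOG and REJECT."""
    rules = [f"iptables -A {chain} -p tcp --dport 25 -d {ip} -j ACCEPT"
             for ip in sorted(allowed)]
    rules.append(f"iptables -A {chain} -p tcp --dport 25 "
                 f"-j LOG --log-prefix 'SMTP-EGRESS-BLOCKED '")
    rules.append(f"iptables -A {chain} -p tcp --dport 25 "
                 f"-j REJECT --reject-with tcp-reset")
    return rules


if __name__ == "__main__":
    sessions = parse_netstat(SAMPLE_NETSTAT)
    for s in suspicious_smtp(sessions, ALLOWED_MAIL_SERVERS):
        print(f"SMTP to non-relay {s['remote']} ({s['state']})")
    print(f"distinct SMTP targets: {smtp_fanout(sessions)}")
    print("\n".join(iptables_smtp_egress(ALLOWED_MAIL_SERVERS)))
```

On the sample, three sessions to hosts other than the relay are flagged and four distinct SMTP targets are counted, which is the fan-out pattern a mail client does not produce.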
Herb Oxley
2007-01-08 00:58:30 UTC
Post by Bill Cole
Secure
systems are always less convenient than insecure systems, and they are a
lot harder (read: more expensive) to design and implement.
So the $64 billion dollar question is: would it be possible to design
an operating environment (hard and software) the average non-computer
professional consumer would find pleasant to use and thus willing to
buy?

I really think the current way the Internet is structured makes it
impossible for a consumer without any computer savvy to be secure and not
pose a potential problem.
Ditto for the current commonly-available personal computer platforms.

And I see only two ways that situation is likely to change:

(a) when one of the large consumer ISPs coughs up a billion or more in
damages from a large class-action suit. At that point you'd likely see
ISP-controlled firewalls on the cable and DSL modems and networks with
corporate-style rules the PC user would be prevented (technically and
contractually) from altering. (Or Comcast etc. would exit the consumer ISP
market altogether.)

(b) when the zombie problem is determined to be a national security issue
and Congress forces consumer ISPs to take responsibility, perhaps by
making business-busting lawsuits against negligent ISPs easier to win,
and places consumer ISPs under the jurisdiction of the FCC, which
would in turn mandate more secure environments, such as access devices that
contain a Layer 7 firewall with the config not directly accessible to the
customer, along with mandating immediate suspension of service to any
machine which was compromised and no restoration of service until the
affected computer was certified "clean".
Post by Bill Cole
If you cannot
look at a list of network sessions and processes on your machine and
think of a reasonable explanation for each item in those lists, you
can't really understand independently if your system is compromised.
I doubt fewer than 5% of personal computer users could do the above.
Take "svchost.exe" for instance; without a third party utility such as
Sysinternals Process Explorer you have no idea of what is behind each
instance of svchost.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Herb Oxley
From: address IS Valid.
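Bill's check (explain every network session and process on the box) and Herb's svchost.exe complaint, turned into one listing. This is an added example written for this page, not code posted by anyone in the thread; it assumes Windows 8 / Server 2012 or later, which ships the Get-NetTCPConnection cmdlet (the 2007-era systems discussed here predate it), and uses only built-in cmdlets, so each svchost instance is shown with the services it hosts without a third-party tool.

```powershell
# Added example (not from the thread): correlate live TCP sessions with their
# owning processes and, for svchost.exe hosts, the Windows services they run.
# Assumes Windows 8 / Server 2012 or later. Run from an elevated prompt, since
# the image path of processes owned by other users is hidden from a normal user.

function Get-SessionInventory {
    # Map each svchost PID to the services it hosts, so a bare "svchost.exe"
    # row becomes "svchost.exe [Dnscache, NlaSvc]" in the output.
    $svcByPid = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $svcPid = [int]$svc.ProcessId
        if ($svcPid -gt 0) {
            if (-not $svcByPid.ContainsKey($svcPid)) { $svcByPid[$svcPid] = @() }
            $svcByPid[$svcPid] += $svc.Name
        }
    }

    # Cache process lookups; several connections usually share one process.
    $procCache = @{}

    Get-NetTCPConnection -State Established, Listen |
        ForEach-Object {
            $procId = [int]$_.OwningProcess
            if (-not $procCache.ContainsKey($procId)) {
                $p    = Get-Process -Id $procId -ErrorAction SilentlyContinue
                $path = if ($p) { $p.Path } else { $null }
                # Authenticode status is a first filter, not proof of anything:
                # unsigned binaries are common for legitimate software too, and
                # a valid signature only says who built the file, not what it does.
                $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
                $procCache[$procId] = [pscustomobject]@{
                    Name      = if ($p) { $p.ProcessName } else { '<exited>' }
                    Path      = $path
                    Signature = $sig
                    Services  = if ($svcByPid.ContainsKey($procId)) { $svcByPid[$procId] -join ', ' } else { '' }
                }
            }
            $info = $procCache[$procId]
            [pscustomobject]@{
                PID       = $procId
                Process   = $info.Name
                Services  = $info.Services
                Signature = $info.Signature
                Path      = $info.Path
                State     = $_.State
                Local     = "$($_.LocalAddress):$($_.LocalPort)"
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

# Put the hardest-to-explain rows first (sessions owned by binaries without a
# valid signature), then group by process so each item in the list can be
# accounted for one process at a time.
Get-SessionInventory |
    Sort-Object @{ Expression = { $_.Signature -ne 'Valid' }; Descending = $true }, Process, Remote |
    Format-Table PID, Process, Services, Signature, State, Local, Remote -AutoSize
```

A row you cannot explain (an unfamiliar process with an established outbound session, or an svchost instance hosting a service name you do not recognise) is the point where Bill's "keep it blocked until you understand it" applies; the listing itself does not decide anything.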
Philip Homburg
2007-01-08 08:26:45 UTC
Post by Herb Oxley
Post by Bill Cole
Secure
systems are always less convenient than insecure systems, and they are a
lot harder (read: more expensive) to design and implement.
So the $64 billion dollar question is: would it be possible to design
an operating environment (hard and software) the average non-computer
professional consumer would find pleasant to use and thus willing to
buy?
No. Consumers don't care about the technical details of security, they don't
want to know how their computers work, but do want to be in full control of
those computers.

There is no way to build a secure system out of that.

IMHO the best thing is to make sure that there is an alternative that is
not as pleasant to use (for the average consumer) but that does provide
state of the art security mechanisms.

That allows people who do want to learn about security to switch.
Post by Herb Oxley
(b) When the zombie problem is determined to be a national security issue
and Congress forces consumer ISPs
You can't solve the zombie problem at the ISP level. You may be able to
stop specific types of abuse (such as spam) at the ISP.
--
That was it. Done. The faulty Monk was turned out into the desert where it
could believe what it liked, including the idea that it had been hard done
by. It was allowed to keep its horse, since horses were so cheap to make.
-- Douglas Adams in Dirk Gently's Holistic Detective Agency
Laurence F. Sheldon, Jr.
2007-01-08 15:47:24 UTC
Post by Philip Homburg
No. Consumers don't care about the technical details of security,
they don't want to know how their computers work, but do want to be
in full control of those computers.
You were on the right track, but missed a turn.

...they don't want to know how their computers work, but do want them to
do whatever they want them to do. (True also of cars, TV sets, and
relationships with other humans.)
Post by Philip Homburg
There is no way to build a secure system out of that.
You've got that part right.
Post by Philip Homburg
IMHO the best thing is to make sure that there is an alternative that
is not as pleasant to use (for the average consumer) but that does
provide state of the art security mechanisms.
You must first convince them that that is the avant garde Thing To Do.

Good luck.
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Philip Homburg
2007-01-08 16:50:03 UTC
Post by Laurence F. Sheldon, Jr.
Post by Philip Homburg
No. Consumers don't care about the technical details of security,
they don't want to know how their computers work, but do want to be
in full control of those computers.
You were on the right track, but missed a turn.
...they don't want to know how their computers work, but do want them to
do whatever they want them to do. (True also of cars, TV sets, and
relationships with other humans.)
No. People accept all kinds of weird limitations in cars, TV sets, etc.
Chiptuning in cars probably comes closest to computers but that is not
something the average user will do himself.

The other thing is that cars and television sets hardly change in
functionality. 'Fortunately' television sets get DRM, so things will become
worse, and cars will also get more software that can fail in mysterious
ways.

With computers, if you give a user a computer that just does everything
a computer did in 1990 (without any option to install new software) they will
be very unhappy because there will be no web browser.

If you give them a secure version of a computer in 1995, they will probably
complain about the lack of Javascript (well not directly, they will just
complain that the web doesn't work).

If you set out to build a secure system out of open source (because that
is easy to audit, to make more secure, etc), you get complaints that
YouTube doesn't work. And very likely many multi-media codecs won't be
there either.

The first thing most users want to do is install additional software. And
it is the installing of random third party software that guarantees that the
problem cannot be solved, even if the most popular OS today is so far from
state of the art that only the lack of liability explains why they risk
shipping it.
--
That was it. Done. The faulty Monk was turned out into the desert where it
could believe what it liked, including the idea that it had been hard done
by. It was allowed to keep its horse, since horses were so cheap to make.
-- Douglas Adams in Dirk Gently's Holistic Detective Agency
Stephen Satchell
2007-01-08 18:38:04 UTC
Post by Philip Homburg
The other thing is that cars and television sets hardly change in
functionality. 'Fortunately' television sets get DRM, so things will become
worse, and cars will also get more software that can fail in mysterious
ways.
Game consoles getting tuners and DVDs.

Cars get their own version of Windows. Wonder what the Blue Screen of
Death will look like?
Laurence F. Sheldon, Jr.
2007-01-08 19:10:53 UTC
Post by Stephen Satchell
Post by Philip Homburg
The other thing is that cars and television sets hardly change in
functionality. 'Fortunately' television sets get DRM, so things will become
worse, and cars will also get more software that can fail in mysterious
ways.
Game consoles getting tuners and DVDs.
Cars get their own version of Windows. Wonder what the Blue Screen of
Death will look like?
In Ohio (I was thinking it was Iowa, but I just checked) it was called
"Signal 30".
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Quaestor
2007-01-09 00:49:54 UTC
Post by Stephen Satchell
Cars get their own version of Windows. Wonder what the Blue Screen of
Death will look like?
You make a thousand-mile trip and a navigational error near the end;
the fix is to go back and start the trip over in debug mode.
--
Godwin is a net-nazi.
Learn about spam: http://www.seige-perilous.org/spam/spam.html
If you can keep your head, when all about you are losing theirs,
you are probably the one with the axe.
Paul Johnson
2007-01-09 04:22:10 UTC
Post by Stephen Satchell
Cars get their own version of Windows. Wonder what the Blue Screen of
Death will look like?
Some doof will blindly believe the navigation when it tells them to go up
Bear Camp Road in the Oregon Siskiyous in winter.
--
Posted via a free Usenet account from http://www.teranews.com
Laurence F. Sheldon, Jr.
2007-01-08 18:47:05 UTC
Post by Philip Homburg
Post by Laurence F. Sheldon, Jr.
Post by Philip Homburg
No. Consumers don't care about the technical details of security,
they don't want to know how their computers work, but do want to be
in full control of those computers.
You were on the right track, but missed a turn.
...they don't want to know how their computers work, but do want them to
do whatever they want them to do. (True also of cars, TV sets, and
relationships with other humans.)
No. People accept all kinds of weird limitations in cars, TV sets, etc.
Chiptuning in cars probably comes closest to computers but that is not
something the average user will do himself.
The other thing is that cars and television sets hardly change in
functionality. 'Fortunately' television sets get DRM, so things will become
worse, and cars will also get more software that can fail in mysterious
ways.
With computers, if you give a user a computer that just does everything
a computer did in 1990 (without any option to install new software) they will
be very unhappy because there will be no web browser.
You still missed the turn. The average computer user, in my estimate,
wants the 'puter to do whatever they want it to do. Whether they know
about it or not, whether anybody ever heard of it before three minutes
ago, whether it makes any sense or not, whether they bought the hardware
or not. All of those things require thinking, and that is the one thing
they _don't_ want to do.

Any nothinkum shiny thing that promises that is OK with these folks.
Post by Philip Homburg
The first thing most users want to do is install additional software.
That is the heart of the disagreement here. I think the first thing
most users want is whatever the latest rage is. And "installing
software" as an explicit step is not going to be on the short list.

That is way too geeksville.
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Paul Johnson
2007-01-09 04:19:12 UTC
Post by Philip Homburg
If you set out to build a secure system out of open source (because that
is easy to audit, to make more secure, etc), you get complaints that
YouTube doesn't work. And very likely many multi-media codecs won't be
there either.
YouTube works on libflash just fine and is open source; w32-codecs handles
the multimedia codec problem (though this only seems to fix some really
obscure formats like QuickTime and not something people actually use like
DivX).
Post by Philip Homburg
The first thing most users want to do is install additional software. And
it is the installing of random third party software that guarantees that
the problem cannot be solved, even if the most popular OS today is so far
from state of the art that only the lack of liability explains why they
risk shipping it.
You can work around it, though, depending on how you manage packages.
Debian folks can get away with telling people about aptitude or kpackage
and letting folks know they can request packages since they can't do damage
without being root anyway. This gives someone the chance to OK things that
get installed, give users some degree of choice, and damage control.
--
Posted via a free Usenet account from http://www.teranews.com
Philip Homburg
2007-01-09 13:23:46 UTC
Post by Paul Johnson
Post by Philip Homburg
If you set out to build a secure system out of open source (because that
is easy to audit, to make more secure, etc), you get complaints that
YouTube doesn't work. And very likely many multi-media codecs won't be
there either.
Youtube works on libflash just fine and is open source,
Which version? I tried flashplayer-0.4.13 from the FreeBSD ports collection
and it doesn't show any movie.
Post by Paul Johnson
You can work around it, though, depending on how you manage packages.
Debian folks can get away with telling people about aptitude or kpackage
and letting folks know they can request packages since they can't do damage
without being root anyway. This gives someone the chance to OK things that
get installed, give users some degree of choice, and damage control.
That's nice in a controlled environment (like a company). On their own,
people want the same 'cool' software as other people.
--
That was it. Done. The faulty Monk was turned out into the desert where it
could believe what it liked, including the idea that it had been hard done
by. It was allowed to keep its horse, since horses were so cheap to make.
-- Douglas Adams in Dirk Gently's Holistic Detective Agency
Paul Johnson
2007-01-09 18:28:06 UTC
Post by Philip Homburg
Post by Paul Johnson
Post by Philip Homburg
If you set out to build a secure system out of open source (because that
is easy to audit, to make more secure, etc), you get complaints that
YouTube doesn't work. And very likely many multi-media codecs won't be
there either.
Youtube works on libflash just fine and is open source,
Which version? I tried flashplayer-0.4.13 from the FreeBSD ports
collection and it doesn't show any movie.
I'm using the same version on Debian Sid and it works for me. I never
really gave it much thought after that.
Post by Philip Homburg
Post by Paul Johnson
You can work around it, though, depending on how you manage packages.
Debian folks can get away with telling people about aptitude or kpackage
and letting folks know they can request packages since they can't do damage
without being root anyway. This gives someone the chance to OK things
that get installed, give users some degree of choice, and damage control.
That's nice in a controlled environment (like a company). On their own,
people want the same 'cool' software as other people.
Well, you can't solve a social problem with a technological means.
--
Posted via a free Usenet account from http://www.teranews.com
Bill Cole
2007-01-08 15:54:37 UTC
Post by Herb Oxley
Post by Bill Cole
Secure
systems are always less convenient than insecure systems, and they are a
lot harder (read: more expensive) to design and implement.
So the $64 billion dollar question is: would it be possible to design
an operating environment (hard and software) the average non-computer
professional consumer would find pleasant to use and thus willing to
buy?
I really have to learn to write more clearly...

The text you quoted translates into a direct "NO!" to your question.
This is not news.
Post by Herb Oxley
I really think the current way the Internet is structured makes it
impossible for a consumer without any computer savvy to be secure and not
pose a potential problem.
Ditto for the current commonly-available personal computer platforms.
It isn't fundamentally a solvable problem. Security is all about
restricting what people can do.

I think the long-term recurring fiasco of Windows security provides a
misleading example of one balancing point between cost, power,
convenience, and security. MacOS has provided less dismal balancing
points over the years, both before and since becoming a Unix-based
system. The various flavors of Unix and Linux provide others.
Post by Herb Oxley
(a) when one of the large consumer ISPs cough up a billion or more in
damages from a large class-action suit. At that point you'd likely see
ISP-controlled firewalls on the cable and DSL modems and networks with
corporate-style rules the PC user would be prevented (technically and
contractually) from altering. (or Comcast etc would exit the consumer ISP
market altogether).
Not likely, at least not beyond the current state of affairs. As I
understand it, many cable companies already control the CPE for Internet
service in the same way they control set-top boxes for TV service.

I don't believe that any major US ISP is competent to secure all of
their customers. They don't know their customers well enough to do so.
Short of gross elimination of legitimate functionality, having ISPs do
the securing isn't a fix.
Post by Herb Oxley
(b) When the zombie problem is determined to be a national security issue
and Congress forces consumer ISPs to take responsibility perhaps
making business-busting lawsuits against negligent ISPs easier to win and
and places consumer ISPs under the jurisdiction of the FCC, which
would in turn mandate more secure environments, such as access devices to
contain a Layer 7 firewall with the config not directly accessable to the
customer along with mandating immediate suspension of service to any
machine which was compromised and no restoration of service until the
affected computer was certified "clean" .
I don't expect that the US Congress will ever do anything like that,
given their long solid history of addressing telecom regulation
primarily as a tool to preserve the profitability of telecom companies.
ISPs do not want to be nannies, and will not allow their bought and
paid for representatives to tell them that they have to be nannies.
Post by Herb Oxley
Post by Bill Cole
If you cannot
look at a list of network sessions and processes on your machine and
think of a reasonable explanation for each item in those lists, you
can't really understand independently if your system is compromised.
I doubt fewer than 5% of personal computer users could do the above.
It really is not that hard given a reasonable system. The biggest hurdle
is giving a damn. It may well be that 95% of users can't get there.
Post by Herb Oxley
Take "svchost.exe" for instance; without a third party utility such as
Sysinternals Process Explorer you have no idea of what is behind each
instance of svchost.
Well, if you run a garbage OS, you have such problems.
--
Clues for the blacklisted: <http://www.scconsult.com/bill/dnsblhelp.html>
Current Peeve: "This page was written to render correctly in any standards
compliant browser" on pages with hundreds of HTML errors.
Laurence F. Sheldon, Jr.
2007-01-08 16:07:13 UTC
Post by Bill Cole
It isn't fundamentally a solvable problem. Security is all about
restricting what people can do.
That is correct, as a practical matter. As a theoretical matter, it is
possible to educate everyone and cause them to reach the belief that
security is important and thus cause them to behave in their own best
interests in what they buy and how they use what they have.
Post by Bill Cole
I think the long-term recurring fiasco of Windows security provides a
misleading example of one balancing point between cost, power,
convenience, and security. MacOS has provided less dismal balancing
points over the years, both before and since becoming a Unix-based
system. The various flavors of Unix and Linux provide others.
We have forgotten where the term "script kiddies" came from, haven't we?
I don't remember having to clean up any cracked Windows (or even
MSDOS) systems in the 1980's and 1990's. I don't remember any mentions
of cracked Amigas or Commodores either.
Post by Bill Cole
Well, if you run a garbage OS, you have such problems.
Just for the record--to the best of my knowledge, it is not
theoretically possible to have a secure OS that is hardware independent
and where the control core runs in a public environment.
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Stephen Satchell
2007-01-08 18:36:56 UTC
Post by Laurence F. Sheldon, Jr.
Just for the record--to the best of my knowledge, it is not
theoretically possible to have a secure OS that is hardware independent
and where the control core runs in a public environment.
Multics
Scott Dorsey
2007-01-08 18:48:25 UTC
Post by Stephen Satchell
Post by Laurence F. Sheldon, Jr.
Just for the record--to the best of my knowledge, it is not
theoretically possible to have a secure OS that is hardware independent
and where the control core runs in a public environment.
Multics
Multics did _not_ have the control core running in user space. It did,
in fact, employ ring protection of the type that later became very common
in the large system world but which now seems to have disappeared.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
Vernon Schryver
2007-01-08 20:26:25 UTC
Post by Scott Dorsey
Post by Stephen Satchell
Post by Laurence F. Sheldon, Jr.
Just for the record--to the best of my knowledge, it is not
theoretically possible to have a secure OS that is hardware independent
and where the control core runs in a public environment.
Multics
Multics did _not_ have the control core running in user space. It did,
in fact, employ ring protection of the type that later became very common
in the large system world but which now seems to have disappeared.
Disappeared?--not entirely, at least not from the hardware, and not if you've
read INTEL 80*86 hardware manuals published in the last 15 years.
Section 6.2.3 of the "i486 MICROPROCESSOR PROGRAMMERS REFERENCE MANUAL"
describes the intended use of the 2 bits of "protection level."
Figure 6.2 is titled "Protection Rings."

I think the fact that operating systems running on 80*86 compatible
hardware make the hardware appear to applications much the same as RISC
hardware only indicates that 3 rings of protection don't fit the needs.
3 is too many for a UNIX style operating system that works fine with
the Project Genie single user/executive bit. 3 is far too few if you
want to map them to capabilities.


Vernon Schryver ***@rhyolite.com
Scott Dorsey
2007-01-08 20:35:57 UTC
Post by Vernon Schryver
Disappeared?--not entirely, at least not from the hardware, and not if you've
read INTEL 80*86 hardware manuals published in the last 15 years.
Section 6.2.3 of the "i486 MICROPROCESSOR PROGRAMMERS REFERENCE MANUAL"
describes the intended use of the 2 bits of "protection level."
Figure 6.2 is titled "Protection Rings."
Right, it's in the hardware. But NOBODY uses it. THAT is what is so
irritating.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
Vernon Schryver
2007-01-08 22:11:14 UTC
Post by Scott Dorsey
Right, it's in the hardware. But NOBODY uses it. THAT is what is so
irritating.
Irritating how? Multics style protection is not a sufficiently rich
model for seriously secure systems (e.g. DOD). It is also not sufficient
to prevent all security problems. Nothing is. For example, a virus
needs only the ability for the user to install a program in some place
where it will be run at least occasionally. A worm needs only the
ability for a program to do the same. For example, a classic shell-only
UNIX account can have a virus if the user can give a file execute
permission and put the file where it will be executed such as in a
directory in $PATH or a `cron` or `at` table.

None of that has anything to do with Multics style rings of protection.
As long as the "program store" can be changed, it can be changed to
include malware.

What makes UNIX-style systems more secure is relying on the user
as a gatekeeper for software installation and configuration changes.
UNIX-style systems are not perfect, what with user mistakes and
"buffer overruns", "debug commands" (Morris Worm), and other paths
through or around the gatekeeper.

What distinguishes what Bill Cole called the "garbage OS" is not that
other systems are invulnerable, but that Microsoft's garbage has such
a vastly larger number of ways for programs to be installed without the
informed consent of the user. Ancient Microsoft viruses fit that model,
with the "installation" of new malware consisting of modifying an
existing program as the result of a user doing something with a floppy
that should not have been allowed to affect stable storage.

Microsoft software will remain hopelessly vulnerable garbage as long as
it is based on the assumption that the user is an idiot or luser that
cannot be trusted. Backing away from the old Microsoft "user friendly"
notion of running any program from anywhere with supervisor privileges
will help, but it is only a first step on a path that Microsoft evidently
cannot follow. Microsoft's new DRM (digital rights management) push
requires assuming that lusers are not only too stupid to give informed
consent about software installations or configuration changes, but
cannot be trusted to pay Microsoft and Microsoft's new customers all
that they feel they are due.


Vernon Schryver ***@rhyolite.com
Laurence F. Sheldon, Jr.
2007-01-08 19:08:45 UTC
Post by Stephen Satchell
Post by Laurence F. Sheldon, Jr.
Just for the record--to the best of my knowledge, it is not
theoretically possible to have a secure OS that is hardware
independent and where the control core runs in a public environment.
Multics
Don't know enough about it to say, but my recall is that it was not ever
on-line in a public invironment.
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Stephen Satchell
2007-01-08 21:27:38 UTC
Post by Laurence F. Sheldon, Jr.
Post by Stephen Satchell
Post by Laurence F. Sheldon, Jr.
Just for the record--to the best of my knowledge, it is not
theoretically possible to have a secure OS that is hardware
independent and where the control core runs in a public environment.
Multics
Don't know enough about it to say, but my recall is that it was not ever
on-line in a public invironment.
I was accessing several Multics systems via ARPAnet. Also available via
dial-up.
Laurence F. Sheldon, Jr.
2007-01-08 21:35:17 UTC
Post by Stephen Satchell
Post by Laurence F. Sheldon, Jr.
Post by Stephen Satchell
Post by Laurence F. Sheldon, Jr.
Just for the record--to the best of my knowledge, it is not
theoretically possible to have a secure OS that is hardware
independent and where the control core runs in a public environment.
Multics
Don't know enough about it to say, but my recall is that it was not
ever on-line in a public environment.
I was accessing several Multics systems via ARPAnet. Also available via
dial-up.
(Fixed my own typo) Was the control core accessible via the external
connection, or did you have to be at the console to make changes to the
software?

I operated computers (running under Exec 8) that were massively (for the
day) connected to the outside world (1.3 mbit dial-ups, among other
things), but you could not change any of the centrally supported
programs, nor could you access any memory other than your own or of
common banks (which you could not change).
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Stephen Satchell
2007-01-08 23:08:26 UTC
Post by Laurence F. Sheldon, Jr.
Post by Stephen Satchell
Post by Laurence F. Sheldon, Jr.
Post by Stephen Satchell
Post by Laurence F. Sheldon, Jr.
Just for the record--to the best of my knowledge, it is not
theoretically possible to have a secure OS that is hardware
independent and where the control core runs in a public environment.
Multics
Don't know enough about it to say, but my recall is that it was not
ever on-line in a public environment.
I was accessing several Multics systems via ARPAnet. Also available
via dial-up.
(Fixed my own typo) Was the control core accessible via the external
connection, or did you have to be at the console to make changes to the
software?
I operated computers (running under Exec 8) that were massively (for the
day) connected to the outside world (1.3 mbit dial-ups, among other
things), but you could not change any of the centrally supported
programs, nor could you access any memory other than your own or of
common banks (which you could not change).
I was doing programming on Multics in PL/I, and had my own library of
programs. The work was spread out across multiple systems for
redundancy. (Support for development for the now-defunct Network
Graphics Protocol for TCP/IP, as I recall.) I was not doing systems
programming, so I stayed within the bounds of my account.

As an aside, I had a Unix shell account (also for development of code
for an advertising agency who needed to have beer sales information
extracted from 1403-N1 print streams) with similar restrictions. This
was on a VAX.

By the definition you imply about "control core running in a public
environment", what systems allow an outsider to change central software?
Laurence F. Sheldon, Jr.
2007-01-08 23:15:36 UTC
Post by Stephen Satchell
By the definition you imply about "control core running in a public
environment", what systems allow an outsider to change central
software?
Surely you jest.

But assuming the remark was serious, to my inadequate knowledge, there
are several systems that will allow you to write to the boot sector,
allow you to change and replace dynamic library elements on-the-fly, and so
forth.

The architecture that I know best had hardware enforcement of storage
limits, hardware enforcement of restricted instruction execution, and so
forth.

And the initial program load was done from a physically secure "boot
tape" or a physically secure and hardware protected disk copy. (OK, or
a physically secure and hardware protected drum copy %^P
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
glgxg
2007-01-09 01:58:16 UTC
Post by Laurence F. Sheldon, Jr.
I operated computers (running under Exec 8) that were massively (for the
day) connected to the outside world (1.3 mbit dial-ups, among other
Just curious: how and when were you doing "1.3 mbit" dial-up?
Dave Platt
2007-01-08 19:14:51 UTC
Post by Laurence F. Sheldon, Jr.
We have forgotten where the term "script kiddies" came from, haven't we?
I don't remember having to clean up any cracked Windows (or even
MSDOS) systems in the 1980's and 1990's. I don't remember any mentions
of cracked Amigas or Commodores either.
If in the term "cracked" we can include virus-infected systems...
well, there were lots and lots and LOTS of such PCs running both DOS
and Windows in the timeframes you mention. The count of unique
DOS-infecting viruses (including identifiable variants) had to be in
the high hundreds, I believe.

The Internet per se wasn't a common infection vector, as very few PCs
had direct TCP/IP connectivity. Floppy-disk sharing, and BBS
uploads/downloads were much more common vectors.

Such viruses also affected the Macintosh - there were a handful of
fairly widespread Mac infectors floating around back in the early
1980s during the time I was actively involved in virus-fighting. Some
of those were extremely infectious - the WDEF virus and its variants
would spread just by inserting an infected floppy in the drive, even
if you never double-clicked on anything to open it.

Fortunately, the number of unique Mac viruses was much smaller than
the PC family, due in part to the smaller number of attackable systems
and perhaps in part to the fact that the Mac antivirus authors
cooperated extensively in detecting and diagnosing the viruses and
producing updated repair software (often free) very rapidly.
--
Dave Platt <***@radagast.org> AE6EO
Hosting the Jade Warrior home page: http://www.radagast.org/jade-warrior
I do _not_ wish to receive unsolicited commercial email, and I will
boycott any company which has the gall to send me such ads!
Laurence F. Sheldon, Jr.
2007-01-08 19:25:36 UTC
Post by Dave Platt
Post by Laurence F. Sheldon, Jr.
We have forgotten where the term "script kiddies" came from, haven't we?
I don't remember having to clean up any cracked Windows (or even
MSDOS) systems in the 1980's and 1990's. I don't remember any mentions
of cracked Amigas or Commodores either.
If in the term "cracked" we can include virus-infected systems...
well, there were lots and lots and LOTS of such PCs running both DOS
and Windows in the timeframes you mention. The count of unique
DOS-infecting viruses (including identifiable variants) had to be in
the high hundreds, I believe.
And I am suggesting that the Morris worm and a large number of cracking
scripts were attacking unix machines before that.

And no, the "Internet" was not always a vector in the attacks, although
predecessor (and un-named) networks and connections were--POTS being
among them.
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Laurence F. Sheldon, Jr.
2007-01-08 19:31:17 UTC
Permalink
Post by Laurence F. Sheldon, Jr.
Post by Dave Platt
Post by Laurence F. Sheldon, Jr.
We have forgotten where the term "script kiddies" came from, haven't
we? I don't remember having to clean up any cracked Windows (or even
MSDOS) systems in the 1980s and 1990s. I don't remember any
mentions of cracked Amigas or Commodores either.
If in the term "cracked" we can include virus-infected systems...
well, there were lots and lots and LOTS of such PCs running both DOS
and Windows in the timeframes you mention. The count of unique
DOS-infecting viruses (including identifiable variants) had to be in
the high hundreds, I believe.
And I am suggesting that the Morris worm and a large number of cracking
scripts were attacking unix machines before that.
And no, the "Internet" was not always a vector in the attacks, although
predecessor (and un-named) networks and connections were--POTS being
among them.
Seems like the Morris worm used dial-up UUCP links as well as "network"
(probably ARPA or DARPA) connections.

And I remember sitting at the consoles of the 1110s and 1100/80s watching
unknown somebodies thumping on the modems one at a time all night long.

And it seems like Cliff Stoll wrote about a non-networked, MS-less
world, but I'll have to see who has the book and read it again--I have
slept since I last read it.

I'm betting most of the machines in the Stoll book would nowadays be
called BSD machines.
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Dave Platt
2007-01-08 19:49:39 UTC
Permalink
Post by Laurence F. Sheldon, Jr.
Seems like the Morris worm used dial-up UUCP links as well as "network"
(probably ARPA or DARPA) connections.
To the best of my knowledge, it could not spread via UUCP. It
required a "live" TCP/IP connection between the infected system and its
target, attacking via SMTP (targeting sendmail), Finger, rsh/rexec and
similar services.

The page at http://world.std.com/~franl/worm.html has a history of the
worm, and specifically states that it did not propagate via UUCP or
X.25 or BITNET connections.

Hmmm. It appears that the 1986 date I gave in my previous posting was
incorrect. Other sources give 1988 as the correct date... Gene
Spafford's "Phage" mailing list to deal with the worm was created on 3
November 1988. This puts it well after the appearance of PC viruses.
Post by Laurence F. Sheldon, Jr.
And I remember sitting at the consoles of the 1110s and 1100/80s watching
unknown somebodies thumping on the modems one at a time all night long.
Oh, I don't doubt you at all. Attempts at security exploits against
computers of whatever architecture probably date back to about ten
minutes after the first computer was hooked up to the first modem.
I'd guess that some of the first generation of attackers may well have
been associated with the classic "phone phreaking" community (although
I don't suspect that one could manage to crack a computer via a
modem-based connection by using a Captain Crunch plastic whistle :-)
--
Dave Platt <***@radagast.org> AE6EO
Hosting the Jade Warrior home page: http://www.radagast.org/jade-warrior
I do _not_ wish to receive unsolicited commercial email, and I will
boycott any company which has the gall to send me such ads!
Laurence F. Sheldon, Jr.
2007-01-08 20:10:33 UTC
Permalink
Post by Dave Platt
Post by Laurence F. Sheldon, Jr.
Seems like the Morris worm used dial-up UUCP links as well as "network"
(probably ARPA or DARPA) connections.
To the best of my knowledge, it could not spread via UUCP. It
required a "live" TCP/IP connection between the infected system and its
target, attacking via SMTP (targeting sendmail), Finger, rsh/rexec and
similar services.
Last time I looked at "sendmail" (about 2003 or thereabouts) it was
still handling mail via UUCP dial-up connections (I am very sure about
the "UUCP", not quite so sure about the "dial-up" -- the one route I
clearly remember was over an Ethernet kludge. But now that I think
about it _that_ one _could_ have been dial-up.
Post by Dave Platt
The page at http://world.std.com/~franl/worm.html has a history of the
worm, and specifically states that it did not propagate via UUCP or
X.25 or BITNET connections.
OK. I don't know different.
Post by Dave Platt
Hmmm. It appears that the 1986 date I gave in my previous posting was
incorrect. Other sources give 1988 as the correct date... Gene
Spafford's "Phage" mailing list to deal with the worm was created on 3
November 1988. This puts it well after the appearance of PC viruses.
That is probably correct--the worm got in my way when I was using a PC
clone to dial into the WELL.
Post by Dave Platt
Post by Laurence F. Sheldon, Jr.
And I remember sitting at the consoles of the 1110s and 1100/80s watching
unknown somebodies thumping on the modems one at a time all night long.
Oh, I don't doubt you at all. Attempts at security exploits against
computers of whatever architecture probably date back to about ten
minutes after the first computer was hooked up to the first modem.
I'd guess that some of the first generation of attackers may well have
been associated with the classic "phone phreaking" community (although
I don't suspect that one could manage to crack a computer via a
modem-based connection by using a Captain Crunch plastic whistle :-)
The point of my remarks is simply this. The weaknesses in security are
not primarily in the software, or in the hardware (although I still
think it is hard to get reasonable security if the software and hardware
are not "aware" of each other and cooperating).

In a world of perfect hardware and perfect software working perfectly
together, there will still be no reasonable security if any of the
people (underscore "any", meaning one or more) in it are less than
completely committed to behaving in secure fashion.

One default password left unchanged, or one password noted on the
underside of the keyboard, game over.
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Dave Platt
2007-01-08 21:02:35 UTC
Permalink
Post by Laurence F. Sheldon, Jr.
Post by Dave Platt
Post by Laurence F. Sheldon, Jr.
Seems like the Morris worm used dial-up UUCP links as well as "network"
(probably ARPA or DARPA) connections.
To the best of my knowledge, it could not spread via UUCP. It
required a "live" TCP/IP connection between the infected system and its
target, attacking via SMTP (targeting sendmail), Finger, rsh/rexec and
similar services.
Last time I looked at "sendmail" (about 2003 or there abouts) it was
still handling mail via UUCP dial-up connections (I am very sure about
the "UUCP", not quite so sure about the "dial-up" -- the one route I
clearly remember was over an Ethernet kludge. But now that I think
about it _that_ one _could_ have been dial-up.
Every version of Sendmail I've worked with, was capable of supporting
multiple email transport mechanisms - there were multiple
sending-client and receiving-server pathways available.

uucp was one of these. It required the use of a separate package of
programs to actually manage the transport... sendmail would invoke a
program which would construct a uucp job (the message itself in a data
file, another data file which contained commands for the remote
system, and a file to actually specify the transfer). A program
"uucico" was run (often from a script) to dial up the modem, connect
to its peer on the remote side, and transfer the files. On the remote
side, the command file would be interpreted after the transfer was
complete... and this command file would usually run the "rmail"
command and pipe in the message body, and "rmail" would invoke the
local delivery agent (usually sendmail).

To the best of my knowledge and ability to discover, the Morris worm
could _not_ propagate via this path. The tricks it played were simply
unavailable via the "rmail" remote-receiver program, since this
program did not use SMTP.

The Morris worm could and did propagate via another of Sendmail's
transport mechanism - specifically, its ability to open a direct TCP
connection to port 25 on the receiving server, and talk SMTP.
Post by Laurence F. Sheldon, Jr.
The point of my remarks is simply this. The weaknesses in security are
not primarily in the software, or in the hardware (although I still
think it is hard to get reasonable security if the software and hardware
are not "aware" of each other and cooperating).
In a world of perfect hardware and perfect software working perfectly
together, there will still be no reasonable security if any of the
people (underscore "any", meaning one or more) in it are less than
completely committed to behaving in secure fashion.
One default password left unchanged, or one password noted on the
underside of the keyboard, game over.
I agree with you to some extent.

However, I'm not as willing to exempt the software - or, more
properly, the software's designers and marketers. It's entirely
possible (and all too frequent) for software designers to release
software which is designed in a way which creates a whole new
vulnerability, or class of vulnerabilities, when it is used in the
obvious default fashion.

Two examples:

- Email systems which, by default, open and run attachments with
the receiving user's full set of privileges.

- Data systems which contain the equivalent of Turing-complete
executable or interpretable languages, which run with the user's full
set of privileges when a document is opened.

Unfortunately, there have been multiple cases of these sorts of
mechanisms being designed, released, and marketed, without the
designers having given enough thought to the ease with which these
mechanisms can be abused, and (in many cases) without any way for the
user of the product to control the scope of the use of these features
(other than perhaps turning the interpreter off completely, or
uninstalling the whole product).

Back in the day when I was working on Mac antivirals, there was a
recurring urban legend floating around - that of the "Good Times"
virus. The story was that an email message with a subject "Good
Times" was going around, containing an attached virus so virulent that
it could infect your machine if you simply read the email.

We spent a bunch of time and effort back then, trying to reassure
people that this was just a story and that no such virus existed...
that email systems didn't work that way. And, at the time, what we
said was quite true.

Then, You Know Who released an email system which allowed script and
executable attachments, and which would execute them upon reading of
the email... sometimes simply upon previewing the mail. Boom. New
virus-spreading mechanism, enabled by default, comes for free on each
new personal computer with the latest & greatest. Our previous
assurances that Things Didn't Work Like That were now untrue.

So, I'll agree with your statement
Post by Laurence F. Sheldon, Jr.
there will still be no reasonable security if any of the
people (underscore "any", meaning one or more) in it are less than
completely committed to behaving in secure fashion.
with the proviso that the "any of the people" *must* include the
people who design and market and support software systems, and
"behaving in secure fashion" *must* include a refusal to develop or
release products which are easily prone to abuse.
--
Dave Platt <***@radagast.org> AE6EO
Hosting the Jade Warrior home page: http://www.radagast.org/jade-warrior
I do _not_ wish to receive unsolicited commercial email, and I will
boycott any company which has the gall to send me such ads!
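The distinction Dave draws above (the worm needed a live SMTP conversation on port 25; the UUCP/rmail path never interpreted SMTP commands) is something a mail-server log can be checked for. The following is an added example, not code from this thread or from any sendmail release: it scans a client-side SMTP transcript for the two things a legitimate relay never sends, the sendmail DEBUG command and a RCPT TO whose "address" is a program pipe rather than a mailbox. The transcripts are constructed; the server-response lines are recognised by their three-digit codes and skipped.

```python
"""Flag SMTP sessions that use sendmail's debug-mode trick (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample transcripts, one line per protocol exchange as a server
# might log them. Server replies ("250 ...") are included and ignored.
NORMAL_SESSION = [
    "HELO relay.example.net",
    "250 mailhub.example.org",
    "MAIL FROM:<alice@example.net>",
    "250 ok",
    "RCPT TO:<bob@example.org>",
    "250 ok",
    "DATA",
    ".",
    "QUIT",
]

# Shape of the abuse: enter debug mode, then hand sendmail a pipe as recipient
# so the message body is fed to a shell. Constructed; not a captured session.
WORM_SESSION = [
    "debug",
    "MAIL FROM:<nobody@attacker.invalid>",
    "RCPT TO:<\"| sed '1,/^$/d' | /bin/sh; exit 0\">",
    "DATA",
    ".",
    "QUIT",
]

# A recipient that starts with a pipe, with or without surrounding quotes.
PIPE_RECIPIENT = re.compile(r'RCPT\s+TO:\s*<\s*"?\s*\|', re.IGNORECASE)
SERVER_REPLY = re.compile(r"^\d{3}[ -]")


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def check_session(lines):
    """Return a Verdict for one SMTP session given as a list of transcript lines."""
    reasons = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or SERVER_REPLY.match(line):
            continue  # blank line or a server reply, not a client command
        verb = line.split(None, 1)[0].upper()
        if verb == "DEBUG":
            reasons.append(f"line {n}: DEBUG command (sendmail debug mode requested)")
        if PIPE_RECIPIENT.match(line):
            reasons.append(f"line {n}: program recipient instead of mailbox: {line}")
    return Verdict(bool(reasons), reasons)


if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("worm-shaped", WORM_SESSION)):
        v = check_session(session)
        print(f"{name}: {'SUSPICIOUS' if v.suspicious else 'clean'}")
        for r in v.reasons:
            print("  ", r)
```

Note that the same lines handed to a UUCP receiver would never reach this check: rmail takes the message as a file and never dispatches SMTP verbs, which is exactly why that path was not a propagation route.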
Laurence F. Sheldon, Jr.
2007-01-08 21:09:51 UTC
Permalink
Post by Dave Platt
with the proviso that the "any of the people" *must* include the
people who design and market and support software systems, and
"behaving in secure fashion" *must* include a refusal to develop or
release products which are easily prone to abuse.
Absolutely. I meant everybody, everywhere, all the time. Which is why
it isn't going to happen.

So if I want my little part of the world to be secure, I will have to
depend only on things and people IN my little part of the world under my
control.

Which pretty much means me and what I do.
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Dave Platt
2007-01-08 19:39:05 UTC
Permalink
Post by Laurence F. Sheldon, Jr.
Post by Dave Platt
If in the term "cracked" we can include virus-infected systems...
well, there were lots and lots and LOTS of such PCs running both DOS
and Windows in the timeframes you mention. The count of unique
DOS-infecting viruses (including identifiable variants) had to be in
the high hundreds, I believe.
And I am suggesting that the Morris worm and a large number of cracking
scripts were attacking unix machines before that.
The Morris worm was released in 1986. This is the same year in which
the first PC virus, a boot-sector infector known as (c)Brain, was
released, and several years after the first Apple DOS virus (Elk
Cloner) in 1983.
Post by Laurence F. Sheldon, Jr.
And no, the "Internet" was not always a vector in the attacks, although
predecessor (and un-named) networks and connections were--POTS being
among them.
True, the Morris worm propagated over the ARPAnet and the various
in-organization networks connected to it.
--
Dave Platt <***@radagast.org> AE6EO
Hosting the Jade Warrior home page: http://www.radagast.org/jade-warrior
I do _not_ wish to receive unsolicited commercial email, and I will
boycott any company which has the gall to send me such ads!
Paul Johnson
2007-01-09 01:54:33 UTC
Permalink
Post by Dave Platt
Post by Laurence F. Sheldon, Jr.
Post by Dave Platt
If in the term "cracked" we can include virus-infected systems...
well, there were lots and lots and LOTS of such PCs running both DOS
and Windows in the timeframes you mention. The count of unique
DOS-infecting viruses (including identifiable variants) had to be in
the high hundreds, I believe.
And I am suggesting that the Morris worm and a large number of cracking
scripts were attacking unix machines before that.
The Morris worm was released in 1986. This is the same year in which
the first PC virus, a boot-sector infector known as (c)Brain, was
released, and several years after the first Apple DOS virus (Elk
Cloner) in 1983.
The Great Morris Worm of 1988 happened in '88, not '86.
--
Posted via a free Usenet account from http://www.teranews.com
Bruce Barnett
2007-01-09 03:18:23 UTC
Permalink
Post by Dave Platt
True, the Morris worm propagated over the ARPAnet and the various
in-organization networks connected to it.
We used NYSERNET at the time (NY State's first regional IP
network) which wasn't an "in-organization network" in my mind.
Multiple companies and universities were connected.
--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
Scott Dorsey
2007-01-08 20:03:57 UTC
Permalink
Post by Laurence F. Sheldon, Jr.
And I am suggesting that the Morris worm and a large number of cracking
scripts were attacking unix machines before that.
Not really. That's what made the Morris worm such a huge shocker... nobody
had really done anything like that before.

Before the Morris worm, things like the debug command in sendmail were
considered useful tools, and things like open guest accounts were considered
polite services that you were expected to provide for other network users.

Yes, hackers broke into computers and explored, but they didn't do so
automatically in huge volumes.

The Morris worm changed all that.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
Laurence F. Sheldon, Jr.
2007-01-08 20:21:35 UTC
Permalink
Post by Scott Dorsey
Post by Laurence F. Sheldon, Jr.
And I am suggesting that the Morris worm and a large number of cracking
scripts were attacking unix machines before that.
Not really. That's what made the Morris worm such a huge shocker... nobody
had really done anything like that before.
Yes, really. The Morris worm and the script kiddies that followed were
attacking unix machines in large numbers before it became fashionable to
invite them into MS-DOS and Windows machines through insecure and
unsupervised network connections and software installations.
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
glgxg
2007-01-08 23:27:28 UTC
Permalink
Post by Laurence F. Sheldon, Jr.
Post by Scott Dorsey
Post by Laurence F. Sheldon, Jr.
And I am suggesting that the Morris worm and a large number of cracking
scripts were attacking unix machines before that.
Not really. That's what made the Morris worm such a huge shocker... nobody
had really done anything like that before.
Yes, really. The Morris worm and the script kiddies that followed were
attacking unix machines in large numbers before it became fashionable to
invite them into MS-DOS and Windows machines through insecure and
unsupervised network connections and software installations.
Unix machines and older WAN protocols are still being exploited even today:

http://secunia.com/advisories/21928/
[HP-UX X.25 Denial of Service Vulnerability]
Secunia Advisory: SA21928
Release Date: 2006-09-15
Last Update: 2006-09-20
Critical: Not critical
Impact: DoS
Where: Local system
Solution Status: Vendor Patch

[And the "Moris worm" is still attacking us today... a simple review of
NANAE authors will verify that :-(]
Quaestor
2007-01-07 22:08:48 UTC
Permalink
Post by BlackPrince
Thanks for your response, I am a home user so (1) is for sure and the PC is
'protected' by Panda software and XPs firewall.
Most here will read this as "unprotected."
Post by BlackPrince
I don't download any
software for its cool features, but I know people who do.....
You must treat your computer as a personal vibrator - do NOT let anyone
else touch it or you don't know what you will get.
Post by BlackPrince
The point I'm making is how would we know if our machines were part of a
botnet, what checks can we carry out to be sure if we were or not?
This changes constantly. The program that detects something today may
miss the latest thing tomorrow. Computer security is now a full-time
occupation. Well, daily, at least.
--
Godwin is a net-nazi.
Learn about spam: http://www.seige-perilous.org/spam/spam.html
If you can keep your head, when all about you are losing theirs,
you are probably the one with the axe.
Bruce Barnett
2007-01-08 03:44:22 UTC
Permalink
Post by BlackPrince
Thanks for your response, I am a home user so (1) is for sure and the PC is
'protected' by Panda software and XPs firewall. I don't download any
software for its cool features, but I know people who do.....
You need a hardware-based firewall.
If nothing else - it gives you defence in depth.
The attackers have to defeat the hardware firewall AND the PC firewall.

As for the Microsoft Firewall - remember- it allowed the Sony rootkit.
--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
Stephen Satchell
2007-01-08 04:30:30 UTC
Permalink
Post by Bruce Barnett
Post by BlackPrince
Thanks for your response, I am a home user so (1) is for sure and the PC is
'protected' by Panda software and XPs firewall. I don't download any
software for its cool features, but I know people who do.....
You need a hardware-based firewall.
If nothing else - it gives you defence in depth.
The attackers have to defeat the hardware firewall AND the PC firewall.
As for the Microsoft Firewall - remember- it allowed the Sony rootkit.
That's because the Internet was not the vector for the Sony RootKit: it
was the little plastic disk with the DRM on it...
--
A little learning is a dang'rous thing;
Drink deep, or taste not the Pierian spring;
There shallow draughts intoxicate the brain,
And drinking largely sobers us again.
-- Alexander Pope, Essay on Criticism
Bruce Barnett
2007-01-09 02:58:45 UTC
Permalink
Post by Bruce Barnett
As for the Microsoft Firewall - remember- it allowed the Sony
rootkit.
it was the little plastic disk with the DRM on it...
And the Microsoft firewall allowed it to phone home - connecting to
Sony - without asking for your permission or notifying you that it was
doing this.
--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
Rev. Beergoggles
2007-01-09 03:27:33 UTC
Permalink
Post by Bruce Barnett
Post by Bruce Barnett
As for the Microsoft Firewall - remember- it allowed the Sony rootkit.
it was the little plastic disk with the DRM on it...
And the Microsoft firewall allowed it to phone home - connecting to
Sony - without asking for your permission or notifying you that it was
doing this.
That's because softy has made holes in the firewall for paying customers.
While I can't delve into it much, there are at least two lists in the
windows system .dll files that tell the firewall not to block those
servers, services, and allow apps with certain certificates to pass.
--
rbg
DevilsPGD
2007-01-08 08:32:31 UTC
Permalink
Post by Bruce Barnett
Post by BlackPrince
Thanks for your response, I am a home user so (1) is for sure and the PC is
'protected' by Panda software and XPs firewall. I don't download any
software for its cool features, but I know people who do.....
You need a hardware-based firewall.
If nothing else - it gives you defence in depth.
The attackers have to defeat the hardware firewall AND the PC firewall.
As for the Microsoft Firewall - remember- it allowed the Sony rootkit.
I'll give you $500 if you can supply the name of one hardware-based
firewall that would have blocked the Sony rootkit.
--
If I were still loyal to the Goa'uld, you would know it.
It would be immediately apparent as I would not hesitate to kill you where you sit.
-- Teal'c
Quaestor
2007-01-09 00:56:06 UTC
Permalink
Post by DevilsPGD
Post by Bruce Barnett
Post by BlackPrince
Thanks for your response, I am a home user so (1) is for sure and the PC is
'protected' by Panda software and XPs firewall. I don't download any
software for its cool features, but I know people who do.....
You need a hardware-based firewall.
If nothing else - it gives you defence in depth.
The attackers have to defeat the hardware firewall AND the PC firewall.
As for the Microsoft Firewall - remember- it allowed the Sony rootkit.
I'll give you $500 if you can supply the name of one hardware-based
firewall that would have blocked the Sony rootkit.
My Frigidaire trash-compactor would do it. So would the garbage
disposal. Of course, these have to be actively implemented.
--
Godwin is a net-nazi.
Learn about spam: http://www.seige-perilous.org/spam/spam.html
If you can keep your head, when all about you are losing theirs,
you are probably the one with the axe.
DevilsPGD
2007-01-09 01:57:20 UTC
Permalink
Post by Quaestor
Post by DevilsPGD
Post by Bruce Barnett
Post by BlackPrince
Thanks for your response, I am a home user so (1) is for sure and the PC is
'protected' by Panda software and XPs firewall. I don't download any
software for its cool features, but I know people who do.....
You need a hardware-based firewall.
If nothing else - it gives you defence in depth.
The attackers have to defeat the hardware firewall AND the PC firewall.
As for the Microsoft Firewall - remember- it allowed the Sony rootkit.
I'll give you $500 if you can supply the name of one hardware-based
firewall that would have blocked the Sony rootkit.
My Frigidaire trash-compactor would do it. So would the garbage
disposal. Of course, these have to be actively implemented.
I'm fond of the microwave, myself...
--
Are you tired of having your hands cut off by snowblowers?
Paul Johnson
2007-01-09 04:04:33 UTC
Permalink
Post by Quaestor
Post by DevilsPGD
I'll give you $500 if you can supply the name of one hardware-based
firewall that would have blocked the Sony rootkit.
My Frigidaire trash-compactor would do it. So would the garbage
disposal. Of course, these have to be actively implemented.
I prefer the microwave when it comes to dealing with that. Very modern art.
--
Posted via a free Usenet account from http://www.teranews.com
Bruce Barnett
2007-01-09 03:01:12 UTC
Permalink
Post by DevilsPGD
Post by Bruce Barnett
Post by BlackPrince
Thanks for your response, I am a home user so (1) is for sure and the PC is
'protected' by Panda software and XPs firewall. I don't download any
software for its cool features, but I know people who do.....
You need a hardware-based firewall.
If nothing else - it gives you defence in depth.
The attackers have to defeat the hardware firewall AND the PC firewall.
As for the Microsoft Firewall - remember- it allowed the Sony rootkit.
I'll give you $500 if you can supply the name of one hardware-based
firewall that would have blocked the Sony rootkit.
ZoneAlarm would have blocked the Sony rootkit from phoning home.
--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
DevilsPGD
2007-01-09 19:26:38 UTC
Permalink
Post by Bruce Barnett
Post by DevilsPGD
Post by Bruce Barnett
Post by BlackPrince
Thanks for your response, I am a home user so (1) is for sure and the PC is
'protected' by Panda software and XPs firewall. I don't download any
software for its cool features, but I know people who do.....
You need a hardware-based firewall.
If nothing else - it gives you defence in depth.
The attackers have to defeat the hardware firewall AND the PC firewall.
As for the Microsoft Firewall - remember- it allowed the Sony rootkit.
I'll give you $500 if you can supply the name of one hardware-based
firewall that would have blocked the Sony rootkit.
ZoneAlarm would have blocked the Sony rootkit from phoning home.
Only because it wasn't worth Sony's time to defeat it.

From a software point of view, anything you install is 100% useless as
the rootkit could simply disable it.

From a hardware point of view, it's just regular 'ol HTTP traffic,
nothing unique or special that would make it stand out from a
webbrowser.
--
Why is a person who plays the piano called a pianist,
but a person who drives a race car isn't called a racist?
Sulu
2007-01-09 04:09:24 UTC
Permalink
Post by DevilsPGD
Post by Bruce Barnett
Post by BlackPrince
Thanks for your response, I am a home user so (1) is for sure and
the PC is 'protected' by Panda software and XPs firewall. I don't
download any software for its cool features, but I know people who
do.....
You need a hardware-based firewall.
If nothing else - it gives you defence in depth.
The attackers have to defeat the hardware firewall AND the PC
firewall.
As for the Microsoft Firewall - remember- it allowed the Sony rootkit.
I'll give you $500 if you can supply the name of one hardware-based
firewall that would have blocked the Sony rootkit.
http://www.cssiweb.com/products.html

email to Firewall.20.STAU at the usual domain to arrange delivery
of the $500.

For a home built hardware firewall to keep the Sony root kit out I'd
suggest 3/4" plate, arc welded.


Sulu

So as not to be a waste of space: yes, the real FW (the term HW firewall
is BS), in my case a PC running OpenBSD as a transparent FW, does not
prevent attacks by insiders (you/me) injecting malevolent software (Sony
music CD)

___*however*___

A good FW between the rapeable box and the bad guys will make it hard for
it to phone home. My FW has only ports open that I want open, in some
cases some ports are only open to some IPs, everything not required is
not allowed: holes are punched only when something desired doesn't work,
and can trivially be flipped so that it prints _all_ traffic to a log...
I also work at making my PCs not hum traffic (phone homes).
Thus when I F up and install a root kit, no matter how invisible it is to
my PC FW it can't get out without going through my dedicated FW[1], which
is exceedingly unlikely to get root kitted as I don't install or run crap
on it. On the FW data is data and never gets executed, and OpenBSD dealt
with buffer overflows several versions ago. So yeah my 'HW'(sic) FW does
mitigate a Sony root kitting.

__not only but also__

Once the OBSD FW keeps my M$ PC from being annoyed by internet flies
looking for open Windows boxes, I can set my Windows boxes' personal FW at
maximum noisiness; if _any_ attack packets arrive at my PC I want to know
now, because that means the unthinkable happened and the OpenBSD FW was
breached (I don't expect to live that long: MTBF).

Note the critical part the personal FW plays: it and it alone has some idea
which apps are trying to talk out; it is the primary agent that alerts me
when new software wants to phone home.


[1] Yes, if I was the NSA I'd worry about steganographic data channels in
CDMA encrypted in the timing of packets, but I'm not so I don't. Security is
relative.... A relative of paranoia.
DevilsPGD
2007-01-09 19:26:38 UTC
Permalink
Post by Sulu
A good FW between the rapeable box and the bad guys will make it hard for
it to phone home. My FW has only ports open that I want open, in some
cases some ports are only open to some IPs, everything not required is
not allowed: holes are punched only when something desired doesn't work,
and can trivially be flipped so that it prints _all_ traffic to a log...
I also work at making my PCs not hum traffic (phone homes).
Thus when I F up and install a root kit, no matter how invisible it is to
my PC FW it can't get out without going through my dedicated FW[1], which
is exceedingly unlikely to get root kitted as I don't install or run crap
on it. On the FW data is data and never gets executed, and OpenBSD dealt
with buffer overflows several versions ago. So yeah my 'HW'(sic) FW does
mitigate a Sony root kitting.
While all being true, do you browse the web? What IPs will you access
tomorrow? Or do you un-firewall HTTP servers IP by IP as you browse?
--
Why is a person who plays the piano called a pianist,
but a person who drives a race car isn't called a racist?
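Sulu's policy above (default deny, a few ports opened, some of them only to specific hosts, everything else blocked and logged) and DevilsPGD's objection to it (browsing needs outbound HTTP to hosts you cannot list in advance, so a phone-home over port 80 looks like browsing) can both be shown on the same rule set. The following is an added example, not Sulu's pf.conf or any real firewall's rule language: it is a small last-match-wins evaluator, which is how pf orders rules, run over a constructed policy and constructed flows. The addresses and ports are illustrative only.

```python
"""Evaluate a default-deny egress policy against sample flows (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str          # internal host
    dst: str          # remote address
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    dport: Optional[int]        # None = any port
    dst: str = "0.0.0.0/0"      # CIDR the rule applies to
    proto: str = "tcp"          # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"


# Constructed policy in the spirit of "only the ports I want, some only to
# some IPs". Last matching rule wins (pf semantics), so the first rule is
# the default deny; anything that ends up on it is what the log would show.
POLICY = [
    Rule("block", None, proto="any"),                       # default: block and log
    Rule("pass", 53, dst="192.0.2.53/32", proto="udp"),     # DNS, only to our resolver
    Rule("pass", 25, dst="192.0.2.25/32"),                  # SMTP, only to our smarthost
    Rule("pass", 80),                                       # browsing: any host
    Rule("pass", 443),
]

# Constructed flows from one internal host. The last one is the point of the
# thread: an HTTP phone-home is indistinguishable from a web page fetch here.
SAMPLE_FLOWS = {
    "browse https":          Flow("10.0.0.5", "198.51.100.10", 443),
    "irc-style c2":          Flow("10.0.0.5", "198.51.100.66", 6667),
    "dns to random server":  Flow("10.0.0.5", "198.51.100.53", 53, "udp"),
    "dns to our resolver":   Flow("10.0.0.5", "192.0.2.53", 53, "udp"),
    "rootkit http phone-home": Flow("10.0.0.5", "203.0.113.7", 80),
}


def evaluate(policy, flow):
    """Return (verdict, matching_rule) for one flow under last-match-wins."""
    verdict, matched = "block", None          # no rule at all: implicit block
    for rule in policy:
        if rule.proto not in ("any", flow.proto):
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        if ip_address(flow.dst) not in ip_network(rule.dst):
            continue
        if ip_address(flow.src) not in ip_network(rule.src):
            continue
        verdict, matched = rule.action, rule
    return verdict, matched


def audit(policy, flows):
    """Map each named flow to its verdict; 'block' entries are the log lines."""
    return {name: evaluate(policy, flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in audit(POLICY, SAMPLE_FLOWS).items():
        print(f"{verdict:5s}  {name}")
```

Running it shows the two halves of the argument side by side: the IRC-port and stray-DNS flows hit the default deny and would be logged, while the port-80 phone-home passes on the same rule that lets the browser work. The only way to close that gap at the network layer is to force browsing through a proxy or allow-list destinations, which is the per-IP punching DevilsPGD is asking about.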
Herb Oxley
2007-01-08 15:59:46 UTC
Permalink
Post by Bruce Barnett
As for the Microsoft Firewall - remember- it allowed the Sony rootkit.
As the Sony Rootkit was installed via their CDs, no firewall would have
stopped it from being installed.

It also seems a little fishy that shortly after Winternals exposed this
little corporate pig-trick they were acquired by Microsoft.
I suspect a little corporate plata-o-plomo here.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Herb Oxley
From: address IS Valid.
Bruce Barnett
2007-01-09 03:06:45 UTC
Permalink
Post by Herb Oxley
Post by Bruce Barnett
As for the Microsoft Firewall - remember- it allowed the Sony rootkit.
As the Sony Rootkit was installed via their CDs, no firewall would have
stopped it from being installed.
But it would have stopped it from phoning home.

BTW I never said a hardware firewall replaces a software firewall.
You need both.
--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
Bill Cole
2007-01-07 17:05:12 UTC
Permalink
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user can
check and tell whether their PC has been taken over and used as part of a
botnet?
Anyone who runs Windows who does not assume his machine is under
constant attack and act accordingly with strong firewalling, anti-viral,
anti-spyware, and patching strategies can be assumed to be compromised.

While I have a great deal of respect for some of the people the NYT
cited in that article, I think 11% is a low estimate. I have not seen a
casually managed Windows machine in over 5 years that was not cracked to
some extent. A "normal PC user" who is solely responsible for his
machine (i.e. does not have an IT department playing nanny) and has not
taken the threat seriously, following the stock recommendations for
preventing trouble, is unlikely to have avoided compromise.
--
Clues for the blacklisted: <http://www.scconsult.com/bill/dnsblhelp.html>
Current Peeve: "This page was written to render correctly in any standards
compliant browser" on pages with hundreds of HTML errors.
E-Mail Sent to this address will be added to the BlackLists
2007-01-07 23:43:12 UTC
Post by Bill Cole
While I have a great deal of respect for some of the
people the NYT cited in that article, I think 11% is a
low estimate. I have not seen a casually managed
Windows machine in over 5 years that was not cracked
to some extent. A "normal PC user" who is solely
responsible for his machine (i.e. does not have an
IT department playing nanny) and has not taken the
threat seriously, following the stock recommendations
for preventing trouble, is unlikely to have avoided
compromise.
The end of the article about covers a stereotypical user:
<http://www.nytimes.com/2007/01/07/technology/07net.html?pagewanted=2&_r=1>

<BlockQuote>
Serry Winkler, a sales representative in Denver, said that
she had turned off the network-security software provided by
her Internet service provider because it slowed performance
to a crawl on her PC, which was running Windows 98.
A few months ago four sheriff’s deputies pounded on her
apartment door to confiscate the PC, which they said was
being used to order goods from Sears with a stolen credit
card.
The computer, it turned out, had been commandeered by an
intruder who was using it remotely.

“I’m a middle-aged single woman living here for six years,”
she said. “Do I sound like a terrorist?”

She is now planning to buy a more up-to-date PC, she said.
</BlockQuote>
--
E-Mail Sent to this address <***@Griffin-Technologies.net>
will be added to the BlackLists.
DLU
2007-01-07 19:43:23 UTC
Post by BlackPrince
Post by Tester
http://www.nytimes.com/2007/01/07/technology/07net.html
Bots being used for pump'n'dump spam, credit card fraud, even in
stealing shipping schedules from a coast guard. (piracy?)
Which all begs the question - is there any way that the normal PC user can
check and tell whether their PC has been taken over and used as part of a
botnet?
BP
==
I run PC-cillin, Spybot Search & Destroy, Ad-Aware, and WinPatrol,
among other checks.

The problem is keeping track of any changes in the root files.
Lemat
2007-01-07 19:47:58 UTC
Post by DLU
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user
can check and tell whether their PC has been taken over and used as
part of a botnet?
I run PC-cillin, Spybot Search & Destroy, Ad-Aware, and WinPatrol,
among other checks.
The problem is keeping track of any changes in the root files.
A simple look at the network card LED will show you whether the network
card is transmitting something (blinking fast). If at that moment you are
not using any network applications, then there is a problem...
--
Regards
Lemat
Kelly Bert Manning
2007-01-07 20:00:03 UTC
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user can
check and tell whether their PC has been taken over and used as part of a
botnet?
I won't buy Norton anti-malware products ever again, but they used to offer
a free scan service at the Symantec website. Other vendors and the AVG group
may do the same.

My ISP offers a no-extra-cost security product which doesn't dig
its claws into the registry nearly as deeply as Norton does.

Apart from the annual fees, Norton puts you on an upgrade treadmill.

My first inkling of trouble in Symantec land was when the install of the new
version of Norton Internet Security failed because it didn't correctly find
and replace all of the registry corruption the previous version had done.

Norton support was of no help in resolving it, so I got a refund for the NIS
update and ran NAV for a year before dropping that too.

The most recent PC we bought was assembled by a local firm, primarily to avoid
the "corrupted by Norton or McAfee right out of the box" headache that most
major brand PCs arrive with these days. I have no confidence that anything
could purge a PC of Norton's registry corruption. Nothing at the Symantec
website did the job. I tried them all.

Ironic when the "cure" introduces persistent, unwanted software changes of
its own, isn't it?
DLU
2007-01-08 01:45:55 UTC
Post by Kelly Bert Manning
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user can
check and tell whether their PC has been taken over and used as part of a
botnet?
I won't buy Norton anti-malware products ever again, but they used to offer
a free scan service at the Symantec website. Other vendors and the AVG group
may do the same.
My ISP offers a no-extra-cost security product which doesn't dig
its claws into the registry nearly as deeply as Norton does.
Apart from the annual fees, Norton puts you on an upgrade treadmill.
My first inkling of trouble in Symantec land was when the install of the new
version of Norton Internet Security failed because it didn't correctly find
and replace all of the registry corruption the previous version had done.
Norton support was of no help in resolving it, so I got a refund for the NIS
update and ran NAV for a year before dropping that too.
The most recent PC we bought was assembled by a local firm, primarily to avoid
the "corrupted by Norton or McAfee right out of the box" headache that most
major brand PCs arrive with these days. I have no confidence that anything
could purge a PC of Norton's registry corruption. Nothing at the Symantec
website did the job. I tried them all.
Ironic when the "cure" introduces persistent, unwanted software changes of
its own, isn't it?
Two ways to get rid of the malware.
1. Format the drive and start with a bare bones system.
2. Search the registry for any Norton references and delete them there
besides a search of the working files.
Nohbody
2007-01-08 02:45:49 UTC
Post by DLU
Post by Kelly Bert Manning
My first inkling of trouble in Symantec land was when the install of the new
version of Norton Internet Security failed because it didn't correctly find
and replace all of the registry corruption the previous version had done.
Norton support was of no help in resolving it, so I got a refund for the NIS
update and ran NAV for a year before dropping that too.
<snip>
Post by DLU
Post by Kelly Bert Manning
Ironic when the "cure" introduces persistent, unwanted software changes of
its own, isn't it?
Two ways to get rid of the malware.
1. Format the drive and start with a bare bones system.
2. Search the registry for any Norton references and delete them there
besides a search of the working files.
Or, for the lazy, there's at least a few programs out there that will do
it for you, available from any legitimate file service, like Tucows (no
comment on their registry branch... another story entirely, in regards
to "legitimate") or download.com.

Bunch of ILlegitimate file services, too, but going to those sites is
like playing Russian Roulette with at least half the chambers loaded,
anyhow. :P

Dan Poore
--
About the only difference between the wingnuts on each end of the
[political] spectrum is *which* civil right(s) they think we can do
without. -- Rowan Hawthorn, in alt.callahans (2/28/05)
Bill Levinson
2007-01-08 18:20:12 UTC
Post by DLU
Post by Kelly Bert Manning
Post by BlackPrince
Which all begs the question - is there any way that the normal PC
user can check and tell whether their PC has been taken over and used
as part of a botnet?
I won't buy Norton anti-malware products ever again, but they used to offer
a free scan service at the Symantec website. Other vendors and the AVG group
may do the same.
My ISP offers a no-extra-cost security product which doesn't dig
its claws into the registry nearly as deeply as Norton does.
Apart from the annual fees, Norton puts you on an upgrade treadmill.
My first inkling of trouble in Symantec land was when the install of the new
version of Norton Internet Security failed because it didn't correctly find
and replace all of the registry corruption the previous version had done.
Norton support was of no help in resolving it, so I got a refund for the NIS
update and ran NAV for a year before dropping that too.
The most recent PC we bought was assembled by a local firm, primarily to avoid
the "corrupted by Norton or McAfee right out of the box" headache that most
major brand PCs arrive with these days. I have no confidence that anything
could purge a PC of Norton's registry corruption. Nothing at the Symantec
website did the job. I tried them all.
Ironic when the "cure" introduces persistent, unwanted software changes of
its own, isn't it?
Two ways to get rid of the malware.
1. Format the drive and start with a bare bones system.
2. Search the registry for any Norton references and delete them there
besides a search of the working files.
I have to cancel NISSERV.EXE through task manager every time I start my
computer, because it takes over 99% of the CPU.

I am surprised that Symantec is still in business.

--Bill
http://www.stentorian.com/antispam
DLU
2007-01-08 20:44:37 UTC
Post by Bill Levinson
Post by DLU
Two ways to get rid of the malware.
1. Format the drive and start with a bare bones system.
2. Search the registry for any Norton references and delete them there
besides a search of the working files.
I have to cancel NISSERV.EXE through task manager every time I start my
computer, because it takes over 99% of the CPU.
I am surprised that Symantec is still in business.
--Bill
http://www.stentorian.com/antispam
Try WinPatrol; you can disable the startup with it.
Also in the registry, you can change the function that references it
from a 1 to a 0; that should stop it.

You should be able to find the file that causes it to appear in the
startup. Norton likes to hide these things. I used to be able to
delete Norton once a year and reinstall it, then update, but somewhere
they managed to hide where they check to see when you installed it. I
have not been able to find that reference yet. However, I switched to
PC-cillin. Much better company to deal with.
Laurence F. Sheldon, Jr.
2007-01-08 21:00:00 UTC
Post by DLU
Post by Bill Levinson
Post by DLU
Two ways to get rid of the malware.
1. Format the drive and start with a bare bones system.
2. Search the registry for any Norton references and delete them
there besides a search of the working files.
I have to cancel NISSERV.EXE through task manager every time I start
my computer, because it takes over 99% of the CPU.
Try WinPatrol; you can disable the startup with it.
Also in the registry, you can change the function that references it
from a 1 to a 0; that should stop it.
You should be able to find the file that causes it to appear in the
startup. Norton likes to hide these things. I used to be able to
delete Norton once a year and reinstall it, then update, but somewhere
they managed to hide where they check to see when you installed it. I
have not been able to find that reference yet. However, I switched to
PC-cillin. Much better company to deal with.
Have you tried Start->Run->msconfig to find out where it is?
--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
glgxg
2007-01-09 01:12:21 UTC
Post by DLU
Post by Bill Levinson
Post by DLU
Two ways to get rid of the malware.
1. Format the drive and start with a bare bones system.
2. Search the registry for any Norton references and delete them there
besides a search of the working files.
I have to cancel NISSERV.EXE through task manager every time I start my
computer, because it takes over 99% of the CPU.
I am surprised that Symantec is still in business.
--Bill
http://www.stentorian.com/antispam
Try WinPatrol; you can disable the startup with it.
Also in the registry, you can change the function that references it
from a 1 to a 0; that should stop it.
You should be able to find the file that causes it to appear in the
startup. Norton likes to hide these things. I used to be able to
delete Norton once a year and reinstall it, then update, but somewhere
they managed to hide where they check to see when you installed it. I
have not been able to find that reference yet. However, I switched to
PC-cillin. Much better company to deal with.
Save a copy of your registry.
Uninstall Norton from the standard Windows control center "Add/Remove
Software".

After "uninstalling" Norton, properly "uninstall it":

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
link:
ftp://ftp.symantec.com/public/english_us_canada/removal_tools

Run CCleaner (http://www.ccleaner.com/). It does an excellent job of
cleaning out all of the old registry entries and other crap. It also
has a set of tools for uninstall and startup. It's also free.

Then run Spybot Search&Destroy
(http://www.safer-networking.org/en/index.html).
Check for and download all updates, then:
Mode|Advanced mode|Tools|System Internals| check all boxes,
then under System Internals on the tools menu (left panel) click to see
what your startup programs are. Click on any suspicious entries, move the
right scroll pane over to the left to see any data that SBS&D might have
on the entry (the one on the far right just to the right of the right
scrollbar), and unclick the entry to disallow it from starting on reboot.
After reboot, if you find that you need the entry/program, you can always
go back into SBS&D and check it again to start back up, or click on the
entry and delete it.

Run CCleaner again when you are finished.

Then run HijackThis (http://www.spywareinfo.com/~merijn/programs.php)
to clean out any other registry/system entries that may have been
missed. Hint: run HijackThis, copy the output file, paste it into the
logfile textbox at http://www.hijackthis.de/index.php?langselect=english,
and then click the Analyze button. Clean accordingly.

There is more... but too much to go into here.

Reboot.

Boot into safe mode. Repeat.

Download Bitdefender - free version works very well just remember that
it is not interactive so you need to set regular scan schedules. Or pick
one from: http://www.av-comparatives.org/
http://www.av-comparatives.org/seiten/ergebnisse_2006_11.php

When finished; download a linux distro and make a dual boot system (I
recommend Ubuntu 6.061 Dapper LTS (http://www.ubuntu.com/); 6.10 Edgy
sucks so far for me). Allocate 2 weeks to fiddle with the new OS, load
new programs, and get it trimmed to your specifications (same as
upgrading from Windows ME to Windows XP). Only boot into Windows when
you feel the need to get infected, need to run Windows specific games,
or need to troubleshoot a Windows customer infected system.
nobody >
2007-01-09 06:32:07 UTC
Post by Bill Levinson
Post by DLU
Post by Kelly Bert Manning
Post by BlackPrince
Which all begs the question - is there any way that the normal PC
user can check and tell whether their PC has been taken over and
used as part of a botnet?
I won't buy Norton anti-malware products ever again, but they used to offer
a free scan service at the Symantec website. Other vendors and the AVG group
may do the same.
My ISP offers a no-extra-cost security product which doesn't dig
its claws into the registry nearly as deeply as Norton does.
Apart from the annual fees, Norton puts you on an upgrade treadmill.
My first inkling of trouble in Symantec land was when the install of the new
version of Norton Internet Security failed because it didn't correctly find
and replace all of the registry corruption the previous version had done.
Norton support was of no help in resolving it, so I got a refund for the NIS
update and ran NAV for a year before dropping that too.
The most recent PC we bought was assembled by a local firm, primarily to avoid
the "corrupted by Norton or McAfee right out of the box" headache that most
major brand PCs arrive with these days. I have no confidence that anything
could purge a PC of Norton's registry corruption. Nothing at the Symantec
website did the job. I tried them all.
Ironic when the "cure" introduces persistent, unwanted software changes of
its own, isn't it?
Two ways to get rid of the malware.
1. Format the drive and start with a bare bones system.
2. Search the registry for any Norton references and delete them there
besides a search of the working files.
I have to cancel NISSERV.EXE through task manager every time I start my
computer, because it takes over 99% of the CPU.
I am surprised that Symantec is still in business.
--Bill
http://www.stentorian.com/antispam
1)
Open up RegEdit, find and delete all instances of NISSERV.EXE. It may
take a while to search the registry, but it's possibly the only way to
get rid of it.

2)
Symantec has at least 2 "Symantec Removal Tools" on their corporate
website. I think you can Google them. Even *they* admit that they have
problems.
Bill Levinson
2007-01-08 18:16:10 UTC
Post by Kelly Bert Manning
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user can
check and tell whether their PC has been taken over and used as part of a
botnet?
I won't buy Norton anti-malware products ever again, but they used to offer
a free scan service at the Symantec website. Other vendors and the AVG group
may do the same.
My ISP offers a no-extra-cost security product which doesn't dig
its claws into the registry nearly as deeply as Norton does.
Apart from the annual fees, Norton puts you on an upgrade treadmill.
Symantec is permanently disqualified from selling me anything
whatsoever, because of the kind of experiences you describe.

--Bill
http://www.stentorian.com/antispam
b***@gmail.com
2007-01-07 22:26:27 UTC
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user can
check and tell whether their PC has been taken over and used as part of a
botnet?
.... or a website a surfer can go to to have their computer tested ???


Some percent of AOL users signing up for freebies on the net can be
predicted to use their AOL password ... that can't help either. Heck
shoot some bulk mailers specialize in freebies aimed at AOL'ers.
Bill Levinson
2007-01-08 18:17:19 UTC
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user can
check and tell whether their PC has been taken over and used as part of a
botnet?
BP
==
Won't a virus scan (with current definitions) clean out any such bots?

--Bill
http://www.stentorian.com/antispam
ThePsyko
2007-01-08 18:47:02 UTC
On 08 Jan 2007 I stormed the castle called alt.2600 and heard Bill
Post by Bill Levinson
Post by BlackPrince
Which all begs the question - is there any way that the normal PC
user can check and tell whether their PC has been taken over and used
as part of a botnet?
BP
==
Won't a virus scan (with current definitions) clean out any such bots?
--Bill
http://www.stentorian.com/antispam
Not necessarily. Best practices dictate you have a properly configured
firewall in addition to updated AV and other anti-malware utilities (I
like Pest Patrol myself).
--
ThePsyko
Public Enemy #7
jitter
2007-01-08 19:02:44 UTC
Post by ThePsyko
On 08 Jan 2007 I stormed the castle called alt.2600 and heard Bill
Post by Bill Levinson
Post by BlackPrince
Which all begs the question - is there any way that the normal PC
user can check and tell whether their PC has been taken over and used
as part of a botnet?
BP
==
Won't a virus scan (with current definitions) clean out any such bots?
--Bill
http://www.stentorian.com/antispam
Not necessarily. Best practices dictate you have a properly configured
firewall in addition to updated AV and other anti-malware utilities (I
like Pest Patrol myself).
Another "best practice" is not to reveal to the world what security
software you're using.

Obscurity != Security... But it can certainly help.
Steve
2007-01-09 06:07:27 UTC
***@127.0.0.1 wrote in message news:<xdjoixghgw$***@127.0.0.1>
...
Post by jitter
Post by ThePsyko
On 08 Jan 2007 I stormed the castle called alt.2600 and heard Bill
Post by Bill Levinson
Post by BlackPrince
Which all begs the question - is there any way that the normal PC
user can check and tell whether their PC has been taken over and used
as part of a botnet?
BP
==
Won't a virus scan (with current definitions) clean out any such bots?
--Bill
http://www.stentorian.com/antispam
Not necessarily. Best practices dictate you have a properly configured
firewall in addition to updated AV and other anti-malware utilities (I
like Pest Patrol myself).
Another "best practice" is not to reveal to the world what security
software you're using.
Why not, I'll reveal that I use a lot of proprietary stuff I built
myself ;)

/steve
--
Packetderm, LLC
Web hosting, SSH Tunneling, Proxies, Advanced E-Mail, Privacy
http://www.cotse.net/areyoureadyforus.html
nobody >
2007-01-09 06:27:21 UTC
Post by Bill Levinson
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user
can check and tell whether their PC has been taken over and used as
part of a botnet?
BP
==
Won't a virus scan (with current definitions) clean out any such bots?
--Bill
http://www.stentorian.com/antispam
No
Paul Johnson
2007-01-08 22:46:43 UTC
Post by BlackPrince
Which all begs the question - is there any way that the normal PC user can
check and tell whether their PC has been taken over and used as part of a
botnet?
Short of running a real operating system and keeping careful track of all
changes with tripwire or something similar? No.
--
Posted via a free Usenet account from http://www.teranews.com
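Paul Johnson's tripwire answer, and DLU's earlier "keeping track of any changes in the root files", come down to the same mechanism: hash everything while the box is known-clean, keep that baseline where a later intruder cannot rewrite it, and diff against it afterwards. The following is an added example (not Tripwire's code and not any poster's) that shows the mechanism on a constructed temporary directory tree; the `bin/` layout and file contents are made up for the demo.

```python
"""Tripwire-style file-integrity check: added example for this thread, not
Tripwire's code. It assumes the baseline is taken while the box is known-clean
and kept somewhere a later intruder cannot rewrite (read-only media, another host)."""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List


def file_digest(path: str) -> str:
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Record digest, size and permission bits of every regular file under root.
    Paths are stored relative to root with '/' separators so a baseline can be
    compared on another machine."""
    baseline: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # symlinks are skipped here; record targets separately
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, List[str]]:
    """Diff two baselines. A digest change with identical size is exactly the
    case a rootkit aims for and a size/mtime-only check would miss."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake bin/ tree, then simulate a rootkit
    that swaps ps for a same-size trojan and drops a hidden loader."""
    root = tempfile.mkdtemp()
    try:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"original ls binary")
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"original ps binary")
        # Serialise the clean baseline; in practice this is what goes off-box.
        saved = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated compromise: same byte length as the original, so size alone
        # would not reveal it, plus a new dotfile next to the system binaries.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"trojaned ps binary")
        with open(os.path.join(bindir, ".sys.ko"), "wb") as f:
            f.write(b"hidden loader")

        return compare(json.loads(saved), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the hashing binaries and the stored baseline, which is why a kernel-level rootkit is best verified from a boot of known-clean media rather than from the running system.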
Onideus Mad Hatter
2007-01-07 16:28:21 UTC
Post by Tester
http://www.nytimes.com/2007/01/07/technology/07net.html
Bots being used for pump'n'dump spam, credit card fraud, even in
stealing shipping schedules from a coast guard. (piracy?)
Possibly or they might be comparing it to weather phenomena and tide
drift to find out which shipments had lost cargo and then they look to
salvage...although last I checked most of that was publicly
available...that was like 10 years ago though so things may have
changed. Another possibility is they're trying to find out what
companies are shipping what in order to "cheat" a bit on the stock
market. Or, like you said, they could just be real pirates looking to
steal cargo...although I would think that practice would be fairly
uncommon in or near US waters.
Post by Tester
Attack of the Zombie Computers Is Growing Threat
In their persistent quest to breach the Internet’s defenses, the bad
guys are honing their weapons and increasing their firepower.
Yeah and a good 99% of that shit is coming from hoarding little ass
bands of disgruntled IRC chatty addicts who use their lil warez chans
as front ends for their DDoS operations.

--

Onideus Mad Hatter
mhm ¹ x ¹
http://www.backwater-productions.net
http://www.backwater-productions.net/hatter-blog


Hatter Quotes
-------------
"You're only one of the best if you're striving to become one of the
best."

"I didn't make reality, Sunshine, I just verbally bitch slapped you
with it."

"I'm not a professional, I'm an artist."

"Your Usenet blinders are my best friend."

"Usenet Filters - Learn to shut yourself the fuck up!"

"Drugs killed Jesus you know...oh wait, no, that was the Jews, my
bad."

"There are clingy things in the grass...burrs 'n such...mmmm..."

"The more I learn the more I'm killing my idols."

"Is it wrong to incur and then use the hate ridden, vengeful stupidity
of complete strangers in random Usenet froups to further my art?"

"Freedom is only a concept, like race it's merely a social construct
that doesn't really exist outside of your ability to convince others
of its relevancy."

"Next time slow up a lil, then maybe you won't jump the gun and start
creamin yer panties before it's time to pop the champagne proper."

"Reality is directly proportionate to how creative you are."

"People are pretty fucking high on themselves if they think that
they're just born with a soul. *snicker*...yeah, like they're just
givin em out for free."

"Quible, quible said the Hare. Quite a lot of quibling...everywhere.
So the Hare took a long stare and decided at best, to leave the rest,
to their merry little mess."

"There's a difference between 'bad' and 'so earth shatteringly
horrible it makes the angels scream in terror as they violently rip
their heads off, their blood spraying into the faces of a thousand
sweet innocent horrified children, who will forever have the terrible
images burned into their tiny little minds'."

"How sad that you're such a poor judge of style that you can't even
properly gauge the artistic worth of your own efforts."

"Those who record history are those who control history."

"I am the living embodiment of hell itself in all its tormentive rage,
endless suffering, unfathomable pain and unending horror...but you
don't get sent to me...I come for you."

"Ideally in a fight I'd want a BGM-109A with a W80 250 kiloton
tactical thermonuclear fusion based war head."

"Tell me, would you describe yourself more as a process or a
function?"

"Apparently this group has got the market cornered on stupid.
Intelligence is down 137 points across the board and the forecast
indicates an increase in Webtv users."

"Is my .sig delimiter broken? Really? You're sure? Awww,
gee...that's too bad...for YOU!" `, )
Vernon Schryver
2007-01-07 16:27:09 UTC
Post by Tester
http://www.nytimes.com/2007/01/07/technology/07net.html
“It’s the perfect crime, both low-risk and high-profit,” said Gadi
Evron, a computer security researcher for an Israeli-based firm,
Beyond Security, who coordinates an international volunteer effort to
Gadi Evron has earned a reputation elsewhere that I do not envy, but
then I'm not in sales and don't want or need to be called for a quote
every time a mass media hack is assigned to write for the 11 o'clock
newscast on the impending collapse of the net. He is like most
self-described "security researchers," which is to say that his
"researching" is to the naive definition of the word as Al Gore's
creation of the Internet was to the naive definitions of "invent" or "create."

In other words, no, the sky is not falling today any more than it was
last year or the year before or the year before last year etc.
Botnets have been and will continue to be a major problem, but when it
comes to their use for spam, they're fairly easy to quench with port
25 blocking and smart host filtering and rate limiting.

Disclaimer: some of my code will be in a minor, internal part of a
well known security/anti-spam vendor's anti-botnet product if they can
ever figure out how to finish beta testing. That particular vendor
was not among the several mentioned in that NYTimes...ah...piece.


Vernon Schryver ***@rhyolite.com
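Two detections this thread describes only in words, as one added example (not from any poster, nor from the vendor product mentioned above): the "phone home" cadence that a default-deny egress firewall log like the OpenBSD box earlier in the thread makes visible, and the outbound port-25 fan-out that Vernon's port 25 blocking and rate limiting targets. The log format, addresses and timestamps are constructed for the example; a real pf or iptables log needs its own parser producing the same tuples.

```python
"""Egress-log triage for bot behaviour: added example for this thread, not any
poster's or vendor's code. The 'epoch src dst dport' line format and every
address below are constructed for the demo."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one desktop beaconing to an IRC port every ~5 minutes,
# one fanning out to a dozen mail servers in under a minute, one browsing
# normally and sending a single message through its ISP's relay.
SAMPLE_LOG = """\
# epoch      src           dst            dport
1168200000 192.168.1.10 203.0.113.7 6667
1168200005 192.168.1.30 203.0.113.50 80
1168200010 192.168.1.20 198.51.100.1 25
1168200015 192.168.1.20 198.51.100.2 25
1168200020 192.168.1.30 198.51.100.1 25
1168200020 192.168.1.20 198.51.100.3 25
1168200025 192.168.1.20 198.51.100.4 25
1168200030 192.168.1.20 198.51.100.5 25
1168200035 192.168.1.20 198.51.100.6 25
1168200040 192.168.1.20 198.51.100.7 25
1168200045 192.168.1.20 198.51.100.8 25
1168200050 192.168.1.20 198.51.100.9 25
1168200055 192.168.1.20 198.51.100.10 25
1168200060 192.168.1.20 198.51.100.11 25
1168200065 192.168.1.20 198.51.100.12 25
1168200090 192.168.1.30 203.0.113.50 80
1168200300 192.168.1.10 203.0.113.7 6667
1168200400 192.168.1.30 203.0.113.50 80
1168200601 192.168.1.10 203.0.113.7 6667
1168200900 192.168.1.10 203.0.113.7 6667
1168201200 192.168.1.10 203.0.113.7 6667
1168201502 192.168.1.10 203.0.113.7 6667
"""


def parse(lines):
    """Turn log lines into (timestamp, src, dst, dport) tuples, skipping comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        events.append((int(ts), src, dst, int(dport)))
    return events


def smtp_fanout(events, window=600, limit=10):
    """Flag sources that reach more than `limit` distinct port-25 destinations
    within any `window`-second span. A desktop talking to a dozen MTAs is a
    spam bot; one message via the ISP relay is normal and stays unflagged."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 25:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            dsts = {d for t, d in conns[i:] if t - start <= window}
            if len(dsts) > limit:
                flagged[src] = len(dsts)
                break
    return flagged


def beacons(events, min_hits=5, max_jitter=0.2, allow=frozenset()):
    """Flag (src, dst, dport) triples contacted at near-regular intervals with
    at least `min_hits` connections: the phone-home cadence. Known-good
    destinations (update servers, the ISP relay) go in `allow`."""
    times = defaultdict(list)
    for ts, src, dst, dport in events:
        if dst not in allow:
            times[(src, dst, dport)].append(ts)
    found = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[key] = round(avg)  # mean interval in seconds
    return found


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG.splitlines())
    print("spam fan-out:", smtp_fanout(ev))
    print("beacons:", beacons(ev))
```

Both checks only work if the firewall logs outbound connections in the first place; a default-allow egress policy with no logging is what lets a bot on a desktop run unnoticed.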
PerfectReign
2007-01-08 23:00:37 UTC
On Sun, 07 Jan 2007 07:30:15 -0500, Tester got out the hammer and chisel
Post by Tester
http://www.nytimes.com/2007/01/07/technology/07net.html
Bots being used for pump'n'dump spam, credit card fraud, even in
stealing shipping schedules from a coast guard. (piracy?)
but does it run on Linux?
--
kai
www.perfectreign.com || www.4thedadz.com

a turn signal is a statement, not a request