Domain: caida.org
Stories and comments across the archive that link to caida.org.
Comments · 161
-
it's not market share!
This whole market share angle is mostly bogus. There is what, about 10 million OS X users? Why hasn't there been a worm (or trojan, anything!) attacking them? Witty has a very successful worm: it hit all 12,000 vulnerable hosts.
How can you say 10 million is too small? The population of Canada (where I live) is about 33 million. The installed OS X based is then (about) 1/3 the population of Canada. That's not far from the population of New York city (~15M).
If a worm can hit only 12,000 hosts like Witty did and be called "successful" (it was basically a 100% infection rate), then surely the OS X population is vulnerable.
John Gruber has some articles on this. -
This is incredibly accurate
The article linked to by slashdot does not fit the technical aptitude of many of the readers. Fortunately, it does link to the actual 15 page paper. The official page link with abstract is here. The full 15-page text is available in PDF.
With regards to your question about accuracy, here is a snippet from the actual paper(PDF)
To understand the effects of topology and access technology on our skew estimates, we fixed the location of the fingerprinter and applied our TCP timestamps-based technique to a single laptop in multiple locations, on both North American coasts, from wired, wireless, and dialup locations, and from home, business, and campus environments (Table 3). All clock skew estimates for the laptop were close-- the difference between the maximum and the minimum skew estimate was only 0.67 ppm. We also simultaneously measured the clock skew of the laptop and another machine from multiple PlanetLab nodes throughout the world, as well as from a machine of our own with a CDMA-synchronized Dag card [1, 9, 11, 17] for taking network traces with precise timestamps (Table 4). With the exception of the measurements taken by a PlanetLab machine in India (over 300 ms round trip time away), for each experiment, all the fingerprinters (in North America, Europe, and Asia) reported skew estimates within only 0.56 ppm of each other. These experiments suggest that, except for extreme cases, the results of our clock skew estimation techniques are independent of access technology and topology.
This is an incredibly accurate and precise method of verifying if the computer is the same.
Some people have also mentioned NTP subverting this method. Here are a couple of key quotes about NTP.
For example, default Windows XP Professional installations only synchronize their system times with Microsoft's NTP server when they boot and once a week thereafter. Default Red Hat 9.0 Linux installations do not use NTP by default, though they do present the user with the option of entering an NTP server. Default Debian 3.0, FreeBSD 5.2.1, and OpenBSD 3.5 systems, at least under the configurations that we selected (e.g., "typical user"), do not even present the user with the option of installing ntpd. For such a non-professionally administered machine, if an adversary can learn the values of the machine's system clock at multiple points in time, the adversary will be able to infer information about the device's system clock skew...
Additionally, the method described can be used with the TCP timestamps option which
for popular operating systems like Windows XP, Linux, and FreeBSD, a device's TSopt clock may be unaffected by adjustments to the device's system clock via NTP. To sample some popular operating systems, standard Red Hat 9.0 and Debian 3.0 Linux distributions and FreeBSD 5.2.1 machines have TSopt clocks with 10 ms resolution, OS X Panther and OpenBSD 3.5 machines have TSopt clocks with 500 ms resolution, and Microsoft Windows 2000, XP, and Pocket PC 2002 systems have TSopt clocks with 100 ms resolution. Most systems reset their TSopt clock to zero upon reboot; on these systems i[Ctcp] is the time at which the system booted. If an adversary can learn the values of a device's TSopt clock at multiple points in time, then the adversary may be able to infer information about the device's TSopt clock skew, s[Ctcp].
Paraphrasing, the article says that this technique can be used by websites, Carnivore-like apps, anybody between you and the computer you are communicating with, banner-ad companies and ISPs (think Comcast forcing you to not use a NAT).
This is an incredible, and incredibly scary, way to track a physical computer. Doubtless, many security reform
-
Re:Fingerprinting
I took a bit of time to read the paper and there's some interesting stuff there.
The clock skew for a particular device seemed to be reasonably constant over time and location (+/- 0.5 microsecond/sec) and nearly all devices had skews within the range -100 microseconds/sec to +100 microseconds/sec. This suggests the technique would only be useful for identification purposes when there are less than 100 or so candidate devices. Of course, this figure would go up substantially if the technique can be combined with other measurements (e.g. absolute clock time).
When considering applications of the technique, the author states "For forensics, we anticipate that our techniques will be most useful when arguing that a given device was not involved in a recorded event."
A number of posters have mentioned that the technique can be fooled by adding a random number to each timestamp. This won't work due to the way the author estimates clock skews (the slope of actual time plotted against reported system time) - what is needed is an adjustment to each timestamp that is proportional to the system uptime.
And OS did make a difference - RH9 and Win XP on a particular laptop led to clock skews of -58 and -85 respectively.
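The slope-based estimate described in this comment and in the paper excerpt quoted earlier on the page, as an added Python example (not the paper's code and not from any commenter): it builds constructed TCP timestamp observations for a device whose clock runs 58 ppm slow, recovers the skew as the slope of (device clock minus observer clock) against observer time, and then checks the two countermeasures the comment contrasts: a random offset on every timestamp, which leaves the slope untouched, and an adjustment proportional to uptime, which does change it. Ordinary least squares in place of the paper's linear-programming fit, the 10 ms TSopt resolution, the four-hour observation window, the 50 ms delay jitter and the jitter sizes are all assumptions of this example.

```python
import random

TSOPT_HZ = 100   # assumed 10 ms TSopt clock resolution (the Linux/FreeBSD value the paper quotes)

def make_observations(true_skew_ppm, n=14400, interval_s=1.0, seed=1):
    """Constructed sample: one TCP timestamp per second for four hours.
    Returns (observer_receive_time, tsval) pairs. The device's TSopt clock
    counts ticks since boot and runs at (1 + skew) times the observer's rate,
    so a negative skew means the device clock runs slow."""
    rng = random.Random(seed)
    obs = []
    for i in range(n):
        sent_at = i * interval_s                          # observer-clock time the packet left the device
        device_time = sent_at * (1 + true_skew_ppm * 1e-6)
        tsval = int(device_time * TSOPT_HZ)               # quantised to the TSopt resolution
        received_at = sent_at + rng.uniform(0.0, 0.05)    # up to 50 ms of variable network delay
        obs.append((received_at, tsval))
    return obs

def estimate_skew_ppm(obs):
    """Least-squares slope of (device time - observer time) against observer
    time, in ppm. Assumption: ordinary least squares stands in for the paper's
    linear-programming fit; both estimate the same slope."""
    n = len(obs)
    xs = [t for t, _ in obs]
    ys = [tsval / TSOPT_HZ - t for t, tsval in obs]
    xbar, ybar = sum(xs) / n, sum(ys) / n
    sxx = sum((x - xbar) ** 2 for x in xs)
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6

def add_random_jitter(obs, max_ticks=20, seed=2):
    """Countermeasure 1: a random offset on every timestamp (here up to 200 ms,
    twenty times the clock resolution). It adds scatter but no trend, so the
    fitted slope is unchanged."""
    rng = random.Random(seed)
    return [(t, tsval + rng.randint(-max_ticks, max_ticks)) for t, tsval in obs]

def add_uptime_proportional_adjustment(obs, correction_ppm):
    """Countermeasure 2: an adjustment proportional to uptime (tsval counts
    ticks since boot). This changes the trend, and therefore the estimate;
    with correction_ppm = -skew the fitted slope goes to roughly zero."""
    return [(t, tsval + int(tsval * correction_ppm * 1e-6)) for t, tsval in obs]

if __name__ == "__main__":
    obs = make_observations(-58.0)     # the RH9 laptop skew the comment quotes
    print("raw estimate:        %.2f ppm" % estimate_skew_ppm(obs))
    print("with random jitter:  %.2f ppm" % estimate_skew_ppm(add_random_jitter(obs)))
    print("uptime-proportional: %.2f ppm" % estimate_skew_ppm(add_uptime_proportional_adjustment(obs, 58.0)))
```

The random jitter case is the point of the comment: noise that is independent of time averages out over a few thousand samples, while a bias that grows with uptime is indistinguishable from a different crystal.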
-
Re:Paper and technical details are here:
-
Only distinguishes between 1 machine in 30 or so.
Look at figure 3 in the paper, showing clock skew for 69 desktop machines. Each line shows the clock skew measured over a 4-day period. You could distinguish about 20 of those machines. The rest don't have unique enough clock skews. Of course, those are all similar machines; they're all the same model of Micron desktops.
Note how linear those skew lines are. That data looks so good that it needs independent verification. Others have observed more variation in clock skew than that. Computer clocks aren't normally observed to have error that consistent. There's variation with temperature. One wonders if they ran this test during a period when the target machines (a computer lab) were not in use.
-
Re:prior art? Gtrace
We're getting pretty close with Gtrace, which apparently was shown at the Usenix Lisa '99 conference, which would put it about 2-3 years ahead of the McAfee application. Now, granted: It's attached to traceroute (outbound), rather than firewall (inbound) connections. On the other hand, it's designed as a front end to traceroute, I'd say that it's a pretty obvious modification to attach it to a firewall output instead, and may even be mentioned in their paper (haven't had time to read it).
This was found with a 10 minute search on the 'net. I remembered having something similar on RedHat 5.2. Interesting thing is that it was added to freshmeat.net about 10 days after McAfee patent application was filed.
-
Re:This "paper" is a mess
If you want to create your own P2P Manifesto, you can. Feel free to edit the original P2P manifesto and send it at this email. All the different P2P Manifesto releases will be posted here.
While such language is common on Creative Commons-licensed stuff, in this case it's almost like the author is saying "Here is my first cut of a document I'd like to see produced, everyone else please edit it, fill in the ( huge ) gaps, give it some actual content and substance. Thanks."
It's the literary equivalent of setting up an open source software project with a not-really-functional 'prototype' codebase and hoping someone makes it actually work.
I know the topic of P2P ( and more generally, 'file sharing' ) has been studied by tons of smart folks at universities and corporations alike, what about some links to some of those? Oddly enough, the 'study' just has links to ( mostly ) opinion pieces and blogs ( including, of all things, a slashdot article ).
To speak to the parent posts' points of
the author doesn't distinguish between "P2P" and "people trading copyrighted data against the owner's wishes". This manifesto seems to perpetuate the myth that "P2P" is a synonym for "piracy".
Well, that's an interesting topic all by itself. Frankly, copyright-protected files are the most common files found on P2P networks. Rather than hiding from reality, we should seek to understand what reality means. In this case, I think reality means that copyright is a generally unenforceable law - like many other laws on the books, it's an example of bad law which in the long run wastes taxpayer money for the ( dubious ) benefit of a small segment of the population.
Copyright infringement is an old, old problem, vastly pre-dating the internet. Even without filesharing, there'd be lots of "piracy", as it's now labeled. As long as there is copyright protection for easily copied items, there will be piracy. It's a law which is extremely difficult to enforce - at best.
-
Re:4 Minutes, or never
The Macintosh machine, on the other hand, was assaulted as often as the Windows XP SP1 box, but never was grabbed by a hacker, thanks to the tunnel vision that attackers have for Windows. "The automated bot/worm attackers were exclusively using Windows-based attacks," said Colombano, so Mac and Linux machines are safe. For now. "[But] it would have been very vulnerable had code been written to compromise its system," he added
Prove it. (I'm talking more to the guy in the article than you, btw.)
That is just the kind of nonsense people say when they're trying to look "balanced" regarding Windows' security failures. I find it infuriating. The Mac and Linux boxen were "attacked" that often because they were on the same network and everything on that network was being attacked. Why? Because Windows machines were attacking them.
The argument that Windows has the most marketshare & therefore is attacked more isn't true in the web server and database markets. Yet while apache and Oracle have problems, they're not anywhere near as bad as IIS and SQL Server. (If anyone has hard data to the contrary, I'd be very glad to see it.)
The argument that Mac and Linux boxes are lone islands in a sea of Windows and therefore worms can't gain critical mass for major infections is equally bogus: the Witty worm attacked only boxes that were running certain versions of ISS BlackIce, yet managed to compromise most of its potential threat profile before it ran out of victims. There are easy, easy ways to find concentrations of Mac and Linux users if you need 'em. Try spamming certain domains with a virus, for example. That argument simply doesn't hold water.
I'm not saying that *NIX computers can't be hacked. I'm not saying that they will never fall victim to automated exploits. I am saying that they are much, much less vulnerable, even if the code were tailor-written to those systems. Privilege escalation vulnerabilities are much rarer and more difficult to exploit -- and no, getting privileges by asking the user to sudo for you isn't a privilege escalation vulnerability. Social engineering is a cross platform flaw.
Spam, phishing, Witty, and fractions-of-a-penny theft schemes all prove the profitability of niche compromises. I have faith in the entrepreneurial spirit of the new commercial crackers. It will happen. The reason it hasn't happened yet is that OS X and Linux are not as vulnerable and it's hard.
In short, what Windows has is the most market share on bugs.
-
Re:ip_to_country.pl
It's probably because he's using NetGeo to do the ip address -> geographical location lookup. That service has been abandoned, unmaintained, and out of date for years now. It's a joke. It gets the country wrong all the time, it's just a really old and stale database. I wish someone would remove it from CPAN so that people would stop using it, it's worse than useless.
-
Flip Floppers
All of America Flip Flopped in this election. Damn flip floppers. It's a nation of flip floppers.
-
Website
-
Re:Intellectually honest?
for most of October
This is wholly untrue. During October, some days Bush was ahead a little, some days a lot, and some days Kerry was ahead. For daily maps going back to May, see http://electoral-vote.caida.org. ... the map showed Bush winning by 80+ electoral votes -
Nobody's running out of space
-
Re:Can the backbones handle it?
They [Qwest] had more fiber capacity crossing the country than all the other major U.S. providers put together.
Not sure where you got your info, but MCI (Worldcom) is by far the largest holder of backbone bandwidth in the US. Back when I worked there, they had as much bandwidth as the next 20 competitors combined (including Qwest.) It all came from the old UUNET backbone, which Worldcom purchased in the late '90s. Granted, with their spectacular implosion, (which I am proud to say I avoided by 3 months) I'm sure they have sold some of that bandwidth off, but they had a lot to sell off. That's the primary reason they are still in business today. They had a TON of assets.
Not one to talk without some measure of evidence, you can click here to see an interactive map of all commercial backbones. This is all public data, but it hasn't been updated in a while. Nonetheless, I have friends that still work at MCI, and they haven't sold off that much bandwidth. They prefer to lease it to customers. Much more profitable. -
Re:Mailers?
Worms need not be benign in order to propagate and destroy. The Witty worm probably infected within 45 minutes every vulnerable machine which was exposed on the internet and powered up at the time -- and then wrecked them.
The Spread of the Witty Worm
Witty Worm Analysis -- LURHQ
A hybrid worm/mass-mailer-virus could have the best of both worlds -- lying "dormant" for a while on filesystems, in email systems ready to infect any systems that wake up late in the day -- even after it's destroyed the bulk of the vulnerable Windows systems on the net. If it were further hybridized with worms that can be delivered as adware/spyware it would crawl down browsers, bypassing both your firewall and your antivirus program, and then spew itself out via email and network probes to infect the soft candy center that exists at the heart of most networks. We've seen worms that do each of several very clever things. A worm that does all of them won't be stopped in time on today's networks.
If Witty had exploited LSASS instead of a second-tier firewall product, people in Hawaii would have woken up that morning to a Windows-free world. Kinda like the computer version of 28 Days Later where we *NIX users would be wandering around a nearly-empty internet wondering, "where did everybody go?" (Well, OK, most of us would be wondering, "Why is my network connection so fast today?")
It could happen with the next buffer-overflow exploit in anything on Windows that listens on any of the ports that we all know and loathe. A Witty/LSASS worm would have destroyed a significant percentage of the Windows systems in the world within two hours. I am left with questions.
Would managers of IT shops continue to act as though Windows insecurity isn't a problem?
Would Microsoft be able to get the CERT advisory revised a couple days later to strike the recommendation that customers consider using a more secure system?
If the world keeps licking the Microsoft Windows Tootsie Pop, eventually we're gonna know how many licks it takes. -
Darknets, Honeynets, BlackNet
The term "Darknet" used for pirated content distribution appears in a Microsoft Paper. The term appears to be appropriated from Tim May's Blacknet gedankenexperiment on uses of private communications and digital cash. A few magazine pundits have adopted it, but the term doesn't appear to be in wide use even among pundits.
The Cymru Darknet is something entirely different, and it's not a honeynet either. Honeynets are nice sticky traps waiting to snare actively attacking crackers. This Darknet is primarily a passive monitoring system, and while it will see some active attacks such as port scans, another interesting thing it sees is backscatter from forged traffic, like CAIDA's System is tracking. Many DOS attacks use spoofed packets from random addresses, such as ICMP or SYN floods, and the victims or some routers will send TCP ACKs or ICMP responses back to the (forged) source, and some proportional fraction of that will end up in your darknet's detectors. It won't catch all such attacks - ISPs that want to be good citizens run the RFC2267 / RFC2827 best practices like uRPF spoof-proofing, which prevent their customers from forging packets except from the forger's own subnet address space, so you won't see those, but they're usually much less of a problem because they're easier to block, trace, and shut down. (Some of the cracker tools out there have built-in options to only forge within your /24 for just this reason.) -
This is not a new concept
It's also called a network telescope. CAIDA has been implementing this type of thing for several months.
-
AKA Network Telescopes
These things have been around for awhile, but known as Network Telescopes. The largest (AFAIK) is at UCSD, which is just a tad larger than a /32 (like, say, a /8). They collected some interesting data off the thing during all the Blaster rampages (Google cache of HTML'ed PDF here).
Also, see the NANOG guide to setting them up here, and the home for the CAIDA/UCSD telescope here.
So in short, nice job to the Welsh for implementing it, but there's bigger elsewhere for y'all to play with. -
Re:Analyzing the Witty worm with a massive darknet
I believe you meant this for your first link.
-
Re:Analyzing the Witty worm with a massive darknet
Try this link for the analysis of the Witty Worm.
-
Analyzing the Witty worm with a massive darknet
The analysis of the Witty worm (discussed on /. here) used a massive darknet subtending 1/256 of the entire IPv4 address space. This gave them an excellent sample size for analyzing the behavior of the worm. -
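The passive-monitoring idea from the "Darknets, Honeynets, BlackNet" comment above (backscatter from spoofed-source floods arriving in unused address space, as distinct from scans and worm probes) together with the 1/256-of-IPv4 sample size this comment mentions, as an added Python example that is from neither comment and is not CAIDA's or Team Cymru's code: it labels constructed darknet packet records, groups the backscatter by its source (which, for a SYN flood with spoofed sources, is the victim), and scales the observed rate up by the share of the address space the telescope covers. The /8 coverage, the requirement that backscatter hit at least two distinct darknet addresses before a source counts as a victim, the TCP flag and ICMP type rules, and the addresses and packet records are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed assumptions for this example: the darknet covers a /8, so if an
# attacker spoofs sources uniformly over IPv4 it sees 1/256 of the victim's
# replies; and a source must be seen replying to at least two different darknet
# addresses before it is called a flood victim rather than a one-off stray reply.
TELESCOPE_FRACTION = 1 / 256
MIN_DISTINCT_DST = 2

@dataclass(frozen=True)
class Packet:
    ts: float          # receive time at the darknet sensor, seconds
    src: str           # source address on the wire
    dst: str           # darknet address that was hit
    proto: str         # "tcp" or "icmp"
    flags: str = ""    # TCP flag string, e.g. "S", "SA", "RA"
    icmp_type: int = -1

def classify(pkt):
    """Label one darknet packet. Nothing legitimate is addressed to unused
    space, so the only question is what kind of unsolicited traffic this is."""
    if pkt.proto == "tcp":
        if pkt.flags in ("SA", "RA", "R"):
            return "backscatter"      # a reply: someone used our space as a spoofed source
        if pkt.flags == "S":
            return "probe"            # scan or worm looking for a listener
        return "other"
    if pkt.proto == "icmp":
        if pkt.icmp_type in (0, 3, 11):
            return "backscatter"      # echo reply / unreachable / time exceeded are responses
        if pkt.icmp_type == 8:
            return "probe"            # echo request
    return "other"

def estimate_attack_rates(packets, duration_s, fraction=TELESCOPE_FRACTION,
                          min_distinct_dst=MIN_DISTINCT_DST):
    """Group backscatter by its source (the flood victim) and scale the observed
    packet rate by the share of address space the darknet covers. The scaling is
    only valid if spoofed sources were drawn uniformly over the whole space."""
    counts = defaultdict(int)
    dsts = defaultdict(set)
    for p in packets:
        if classify(p) == "backscatter":
            counts[p.src] += 1
            dsts[p.src].add(p.dst)
    return {
        src: counts[src] / duration_s / fraction
        for src in counts
        if len(dsts[src]) >= min_distinct_dst
    }

def constructed_trace():
    """Constructed 60-second sample: one SYN-flood victim whose SYN-ACKs land
    across the darknet (2 per second observed), one sequential scanner, and one
    stray ICMP unreachable aimed at a single darknet address."""
    pkts = []
    for i in range(120):
        pkts.append(Packet(ts=i * 0.5, src="203.0.113.10",
                           dst=f"10.{i % 7}.{i % 11}.{i % 13}", proto="tcp", flags="SA"))
    for i in range(50):
        pkts.append(Packet(ts=i * 1.2, src="198.51.100.7",
                           dst=f"10.0.0.{i}", proto="tcp", flags="S"))
    pkts.append(Packet(ts=30.0, src="192.0.2.1", dst="10.1.2.3", proto="icmp", icmp_type=3))
    return pkts

if __name__ == "__main__":
    trace = constructed_trace()
    for victim, pps in estimate_attack_rates(trace, duration_s=60.0).items():
        print(f"{victim}: estimated flood of about {pps:.0f} packets/s against it")
```

Two observed packets per second scale to an estimated 512 packets per second against the victim; the scanner never appears in the result because unsolicited SYNs are probes, not replies, and the lone ICMP error is dropped by the distinct-destination threshold. As the comment notes, floods from networks that enforce RFC 2827 ingress filtering produce no backscatter here at all.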
Re:Please mod parent down
Software firewalls tend to also be useless due to exploits/backdoors and buffer overflows. I learned my lesson the hard way after Witty trashed my server.
-
To Quote Nelson..
To quote Nelson Muntz.. Ha-HA! Poor saps like me who always wince under the smugness of Mac users when our networks are wiped off the face of the earth by some script kiddie every month at least get a little light relief.
Seriously though, even relatively small user populations are vulnerable to trojans and worms. The Witty Worm (see this analysis) indicates that non-Windows users are just as vulnerable a target - Witty infected almost 100% of the vulnerable worldwide population of 12,000 or so machines in about an hour. In other words, Mac (and Linux) users need to take the same precautions as those of us who are saddled with bloody Windows do.
-
I see a problem with this....
NETI@home apparently uses CAIDA's "NetGeo" database to map network addresses to geographic locations. However, the NetGeo home page proclaims (in big red type):
NOTE: NetGeo has not been actively maintained for several years, and this will probably not change in the foreseeable future. As a result, there are several known major issues affecting accuracy and service availability. Please be warned that NetGeo may give wildly incorrect results, especially for recently allocated or re-assigned IP addresses.
That might make it just a bit useless, no?
-
Witty Worm
Well, a virus/worm that kills its host too easily won't spread too far, will it?
What about the Witty worm? To quote from that link, Witty was the first widely propagated Internet worm to carry a destructive payload. The authors of the referenced study think that the Witty Worm infected the entire vulnerable population before it self-destructed by scragging hard disks.
If you invoke the "too" in "kills its host too easily", then I'll just wave you off as tautological: there's no way to disprove what you've said, in that case.
-
Recruit these guys for a good data sample
Back when we discussed the Witty worm the article & discussion noted that UCSD Network Telescope mentioned here has 1/256 of the entire IPv4 address space. They seem well suited to track anomalous behavior.
-
A whole lot of point missing going on...
About a week ago, we had a vulnerability announced in OpenSSL. I imagine most of us patched pretty quickly. But the Witty worm appeared within twenty-four hours of the announcement of the vulnerability it attacked, and it infected 95% of vulnerable machines within 45 minutes.
Yes, it's funny that it was a Windows firewall that was attacked. Yes, it's especially funny that it was an expensive Windows firewall that was attacked. Laugh.
But also think.
This could just as easily have been us. From my root logs I patched my servers for the OpenSSL vulnerability on Sunday 21st, which was four days after it had been announced. If the Witty worm had attacked OpenSSL, it would have got me. I suspect it would get most of us.
Linux (or BSD, or whatever) is not immune to this sort of attack. On the contrary, we're just as vulnerable as anyone else. Those of us who administer public-facing servers have got to learn to be still more cautious, and still more proactive about fixing holes as they are announced.
-
IPV4 not dense
Usage patterns show there is quite a bit of unused space, from the perspective of traffic. And why should any one entity be allocated 16 million externally visible addresses?
PS: Next time, try "vulnerable". -
Re:More information on the Witty Worm
Better info here.
Before it gets slashdotted even.
-
telescope
Is the internet telescope (also here) observing any DOS related activity? I've googled for information and not found anything that displays current (updated on the order of minutes/hours rather than days) data.
-
DS3 capacity correction.
If the contributor had actually RTFA, they would have seen this line in the original article: "A 50,000 packet-per-second SYN flood yields approximately 20 Mbits/second of Internet traffic in each direction, comparable to half the capacity of a DS3 line (roughly 45 MBits/second). " (emphasis mine)
In fact, a DS3 has 44.736 Mbits/s capacity each way, though by the time you eat through the framing overhead for ATM, IP, TCP, etc. it's entirely possible to only wind up with only 32 Mbits/s usable payload. Sooooo... based on the CAIDA estimates, I'd say SCO had about 2/3 of their available bandwidth tied up by the attack.
I wasn't actually going anywhere with this. You can leave now.
-
Correct URL
CAIDA Analysis of SCO DoS Please use this link, the other one goes to a slow XML server.
-
Re:Backscatter
CAIDA has published their observations regarding the recent attacks.
What is interesting is that people on GrokLaw have been in contact with XO.net, which says they haven't seen any spikes in traffic or anything they would consider strange (and they are SCO's upstream provider).
The 34 kpps attack (cf. the CAIDA estimate) should have been visible on the customer link. I can't believe that XO (semi-)officially claimed that there were no attacks. You don't contradict your customer in such ways. -
Re:Backscatter
-
CAIDA Analysis of SCO DoS Attack
At 3:20 AM PST on Wednesday, December 10, 2003, the CAIDA Network Telescope began to receive backscatter traffic indicating a distributed denial-of-service attack against the SCO Group. Early in the attack, unknown perpetrators targeted SCO's web servers with a SYN flood of approximately 34,000 packets per second. Around 2:50 AM PST Thursday morning, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packets per second early Thursday morning. By mid-morning (Thursday December 11, 9 AM PST), the attack rate had reduced considerably to around 3,700 packets per second.
For more information (and graph of attack), see CAIDA's writeup.
-
Re:Backscatter
-
Re:Backscatter
-
Re:Internet Pic.
Doesn't surprise me in the slightest. CAIDA has been producing maps like this (essentially maps of the BGP peering route) for a while, and it pretty much breaks down into the same type of diagram every time. Basically, you have the core backbone providers, pretty much all of which peer with each other in numerous places and with multiple links and don't deal with medium ISPs and down at all. Then you have the other "serious" players that peer with large numbers of the big providers and some of the smaller ISPs and major hosting companies like RackSpace. This continues in a series of overlapping "tiers" until you get down to the small fry ISPs, that peer with one or two upstream providers, and most companies, right out on the periphery.
One thing that might surprise though, is that the likes of Amazon, Google and so on, are usually right out on the edge. These companies don't need hundreds of links, they need reliable links, and that can be obtained by using quality providers and a small number of links.
-
Internet Mapping Project does daily maps
As a side comment, now I understand why my connection got so slow.
[Internet Mapping Project's] mapping also takes nearly six months to generate a single map. My comment was that, "I can write a program that can map the entire net in a single day."
The Internet Mapping Project maps the Internet in under two hours (105 minutes for this morning's run). I'm not certain where the six months came from. The rate limitation is the packet rate limit we set (500 packet per second).
Map layout time is not included in that time, but that is not done on a daily basis. A map layout takes about six hours, as I recall. It only took a couple weeks to produce all the layouts necessary for a movie of the Internet from Aug 1998 to Jan 2001 based on the daily runs.
CAIDA also creates daily maps of the Internet as part of their Skitter project. Their schedule varies between measurement points. In addition, other projects, such as the Mercator project and the RocketFuel projects, also map or did map the Internet.
Each project has slightly different goals. Skitter focuses on paths to major web and DNS servers. Mercator attempted to discover networks with limited pre-knowledge. RocketFuel wants a very accurate map of a particular ISP. The Internet Mapping Project is focused on the router connectivity within and between public backbones. -
Been there, done that
Okay, yes, I fully admit that it's cool to map the internet in one day. Regardless...I think I hear about some internet every other day.
There's John Quarterman who's been doing it for years, and then the CAIDA visualization tools, and Cybergeography and the Internet weather report and damn maps and more maps.
Note to everyone: please stop mapping the internet.
-
Re:IPv6 will be adopted, just not in USA first
Here is a URL to back up what you are saying: http://www.caida.org/analysis/geopolitical/bgp2country/
In particular, check out the prefix space and AS count by country.
As an example, Japan has less than 3% of the IPv4 address space. India and China have less than 1% each.
The US already has over half the IP address space.
MM
--
-
Re:Help! Help! I'm being repressed!
Patching is a reactive thing. If you look at SQL Slammer, it was able to infect over 90% of hosts in under 10 minutes.
This time we were lucky: A) the patch had been available beforehand (although it was nearly impossible to apply), B) it was for a service that usually shouldn't be Internet facing, C) it was for a service that has "minor" use on the Internet.
What about next time? When someone finds an exploit in a common web server? ssh daemon? smtp daemon? or name server? All things that are much less likely to be firewalled. The exploit can be coded into a virulent worm before the "white hats" know about it, before a patch is announced. And, if like Slammer it can reach >90% of the hosts in under 10 minutes, are you going to have time to even notice, isolate and identify the problem and put a solution in place before it infects your machines? Do you constantly monitor the internet 24 hours a day, 7 days a week?
As a sysadmin there is only so much you can do. Sure, being a good sysadmin can prevent many of these attacks, but it can't prevent them all. Diversity is the only real defense against worms, and it's something that Microsoft do very, very poorly. Under Linux you can get cheap diversity and very little administration overhead by running redundant servers under two different hardware architectures (Intel + PowerPC for instance). Once the kernel has booted, the administration of the two machines is virtually identical, but they might as well be from different planets as far as a worm is concerned.
-
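The response window the comment above worries about can be put in numbers with the standard random-scanning (logistic) worm model; the block below is an added example, not part of any comment on this page, and its host count and scan rates are constructed illustrations rather than measured values.

```python
"""Random-scanning worm propagation model (added educator example).

Every infected host is assumed to probe uniformly random IPv4 addresses at a
fixed rate, so the infected fraction a of the vulnerable population follows
da/dt = K * a * (1 - a) with K = scan_rate * vulnerable_hosts / 2**32.
All parameter values used here are constructed, not measurements.
"""
import math

IPV4_SPACE = 2 ** 32  # random scanning draws targets from the whole IPv4 range


def growth_rate(scan_rate_per_host, vulnerable_hosts, address_space=IPV4_SPACE):
    """K: expected new infections per second caused by one infected host at t=0."""
    return scan_rate_per_host * vulnerable_hosts / address_space


def infected_fraction(t, k, initial_fraction):
    """Fraction of vulnerable hosts infected after t seconds (closed-form logistic)."""
    # Work in log-odds: the logistic ODE makes logit(a) grow linearly at rate k.
    logit0 = math.log(initial_fraction / (1 - initial_fraction))
    return 1 / (1 + math.exp(-(logit0 + k * t)))


def time_to_fraction(target, k, initial_fraction):
    """Seconds until the infected fraction first reaches `target` (0 < target < 1)."""
    logit0 = math.log(initial_fraction / (1 - initial_fraction))
    logit_t = math.log(target / (1 - target))
    return (logit_t - logit0) / k


def response_window_minutes(scan_rate_per_host, vulnerable_hosts, target=0.9, seeds=1):
    """Minutes a defender has before `target` of the vulnerable population is hit."""
    k = growth_rate(scan_rate_per_host, vulnerable_hosts)
    return time_to_fraction(target, k, seeds / vulnerable_hosts) / 60


if __name__ == "__main__":
    # Constructed scenario: 75,000 vulnerable hosts, one initial infection,
    # scan rates spanning a bandwidth-limited host up to a fast one.
    for rate in (400, 4_000, 40_000):
        print(f"{rate:>6} scans/s/host -> 90% infected in "
              f"{response_window_minutes(rate, 75_000):.1f} minutes")
```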
This much damage from half a worm
The sad part is the MSBlast worm is terribly inefficient and poorly designed, yet still has caused this much disruption. Even Slammer, which reached saturation in 8.5 minutes, infected very few machines, but caused trouble by eating bandwidth. Think what would have happened if it did something more malevolent.
It's not a new problem. Nor is any amount of wishful thinking going to fix the problem; Microsoft's products just aren't engineered for security. It's a problem that would take years to fix. Bill Gates himself made allusions to the U.S. Apollo space program of the 1960s, which was $25 billion over 10 years. However, for the time being, the security issue is treated like a PR problem and the customers are taking the lumps.
At this point the problem is sociological or psychological. Like any other cult, Microsoft provides a sense of purpose and belonging to its supporters. Note that neither a technical background nor even an analytical way of thinking is a prerequisite, thus fulfilling even the unconditional acceptance aspect of a cult.
As much as IT staff, and especially IT managers, admire the personal wealth of Bill Gates, they just need to be able to let go of Windows and move on.
Move on, either to Macintosh or Linux or QNX or BSD or Novell; there are many choices. There will be some up-front costs, but even without the viruses and worms these up-front costs will be offset by the number of maintenance hours saved.
-
Re:Pathping in 'nix
pathchar! It takes a bit of time to complete, and is not terribly user friendly, but it is pretty precise.
-
Some sources...
The Ministry of Truth should also censor the Nature journal and the "Al" Caida web-site, as these are some of the sources Sean P. Gorman cites in some of his e-mails... just query "sgorman1@gmu.edu" on Google...
-
Re:Ok so this might be a weird request.....
I think virus writers' priorities have changed since. With everyone on the net now, the bragging points have to do with how quickly and how many machines you can infect. It's quantity over quality. Payload? What payload?
Ah yes, the halcyon days of the wazoo virus or when getting a virus meant your disk partitions were officially destroyed.