Slashback: Feathers, Worms, Happy Returns
Like the end credits on a short, short film. gi_wrighty pointed out that "the winners from the 5K web page contest (announced a while back) have now been announced." Here are the welterweight web winners.
A different kind of Apache Con. From Slashdot's own jimjag: "Are you interested in the details concerning how www.apache.org was defaced, as reported right here? Here's how it was done from the definitive source. It just goes to remind all of us that sometimes the obvious things are the ones we don't see, and the ones that come back and bite us in the arse. I can imagine quite a few SysAdmins making some changes over the last 36 hours."
... because the old ones were invidious. Remember the flap over GPL code in non-GPL drivers released by NVidia? Well, happily, the company kept its promises. Kheldar_522 writes "LinuxGames.com is reporting that the new NVIDIA XFree86 4.0 drivers released tonight have had all the GPL code removed."
May the circle be unbroken. Meanwhile, on the other side of the world, instead of subtracting code, Samsung is hoping to make sure some gets added. iKev contributed the news that "Last Sunday, Gmate, the creators of the [Linux-based PDA] Yopy, released a very preliminary SDK for the Yopy. You can check it out here (click on the Developer image). I haven't had a chance to try it (it's only for x86 linux)." iKev wondered whether the terms of the download violate the GPL, which is used for some parts of the SDK. Any takers?
You are near area 51. Leave. BenTheDewpendent wrote: "I was at gpspilot.com and found instructions on how to connect almost any GPS to a Pilot [including the construction of a null-modem cable if you need one - t] and I thought it could be handy for things like a nav system in a car or bike ... especially now that Clinton has ordered down selective availability." Coupled with some decent mapping software, this might even help me get less lost, more often. Be warned, though -- this is not the only purveyor of Palm maps, and they do want to sell you some.
We han Cardly wait! For those who read paper books, this should be good news, contributed by Anonymous Coward after reading about the new Ender's Game sequel: "In a recent interview on otherview.com, OSC mentioned that he is also working on two more sequels to Ender's Game. Shadow of Death, the "final volume about Bean," and an unnamed Petra-and-Peter book. He mentions this on the third page of this article. Also interesting, OSC apparently is all in favor of e-books, though his publisher won't let him do it."
"Biting into some software and finding half a worm!" It's been a quiet couple of days for the administrators of Windows networks -- unless they have MS Outlook e-mail, in which case they don't feel Loved and it isn't Very Funny. Østergaard writes with "this piece, mainly as a reflection on the current worm mania filling the news (and mail-servers ;) around the world. I'd like to see what you people think." It's good reading, and very sobering if you're running the user agents at fault, or ones that could be, next time 'round.
but wouldn't "backslash" be a better name?
Ehh I don't know that you could make it *that* much worse than what we've seen so far. These email worms aren't quite as effective as spreading, I guess, since there are enough non-idiots to stop it eventually. Something like the Morrison worm (except actually carrying a decent payload) would be ideal. So there are two problems to worry about: the payload, and the method of propagation.
As for the payload, there's not a lot you can do (that's interesting) without *a lot* of patience. I suppose you could make a worm which reformats the hard drive, etc., which would force everyone to reinstall and dig out the back-ups. Not really all that more exciting than the ILOVEYOU worm. In order to do some *real* data damage, one would have to destroy back-ups, but those are usually stored off-site (e.g. not even in the same room as a computer), so that would make it pretty difficult. Plus, it wouldn't really be all *that* interesting.
What would be interesting is to get it to spawn a virus which would "play tricks" on you. You send an e-mail to your boss, and the virus randomly and subtly changes your message into something damaging. Or it could discreetly yet "sloppily" download child pr0n in order to get you arrested. It could discreetly send "realistic" emails to your friends and family, etc. in order to ruin your life. Combine that with the power of a good worm (so that it propagates on its own) and you would have some very interesting results. Trying to get any of these to work *well* though (so that your tampered e-mails to your boss are actually believable) would take an incredible amount of work and patience.
As for the method of propagation, it seems like it's getting harder and harder to get a good worm going. The Morrison worm was a wake-up call of sorts, and now almost all Unices have switched to (more or less) secure daemons. Plus the Unix market is so fragmented that a worm wouldn't get very far (e.g. you might be able to make a worm that gets through old Solaris boxes all right, but not on BSD boxes). Except through poorly configured web servers (and things like Back Orifice, which would be pretty difficult to put into a worm), it's hard to run arbitrary code remotely on a Windows box. DOSes are pretty common, but that doesn't do much good for a worm. Basically what you're left with on the Windows/MacOS/... side of things are these "worms" that require intervention by stupid computer users. Melissa and ILOVEYOU have shown us that there is quite a considerable number of idiots out there, but not quite enough I don't think.
If the worm were subtle, though, it might work a little bit better. Instead of sending out 50 e-mails immediately, trashing your hard drive, etc., let it stay dormant for a while. At random intervals (every week or so), let it change one of your emails so that it attaches "oh yes and here's document X which I think you should look at" along with a trojaned .doc file (or maybe even a .vbs? hee hee). The trojaned .doc would then drop a virus which would play mind games with you (as mentioned earlier), as well as add itself to your autoexec.bat (or something) so that it can e-mail some of your friends at a later date. The key (ho ho) is to be pretty low key. Symantec and McAfee and what not might pick up on it after a while, but it takes some *serious* damage in order for it to make the news. Once someone commits suicide because of the mind-games the virus/worm is playing, then it might make it on CNN or maybe even 20/20 or something.
Anyway it's not entirely clear as to whether this approach would do more damage than the "explosion" kind of damage that Melissa, ILOVEYOU and the Morisson worm did. Basically all they did is waste some man-hours and cause some headaches for sysadmins, but nothing really interesting/evil.
Is it just me, or is it kinda strange to rejoice over the fact that there's no GPL'd code in the Nvidia drivers? :)
---
I no longer browse at less than +3 comments, so perhaps this has previously been mentioned:
What really needs is for someone to release a worm that teaches people a lesson. It would go in, delete and scramble a ton of files, wreak absolute havoc to their system...
...and tell them while it does it...
...and then stop, display a window that explains they just got away damned lucky, that nothing actually happened, but that IT COULD HAVE DESTROYED THEIR SYSTEM. In big fiery letters.
Perhaps... just *perhaps*... those people who mindlessly double-click every attachment they receive would *FINALLY* get a clue.
Though, that idea all stated and free for the taking, I really doubt that anything short of a two-by-four upside the head is really going to clue most of them.
Sigh.
--
Don't like it? Respond with words, not karma.
really is user stupidity. However it would be abnormal for a user to be able to destroy other users' or system files on a unix style system. Not impossible, just exceptional. You'd need an exploit for that; not just stupid users.
:)
;P
There is no exploit in iloveyouallcaps, 'cept trusting users to send it on.
application-executable/x-sh
Hmm... that might be worth a try
Switching a platform below dummy users is going to do nothing except giving them a headache... save if the philosophy in the system changes so that there is at least a possibility to save people from such errors. Windows NT would actually be better fitted for this, far as I understand. However, you could for instance have the external gimmicks run as user nobody!
I have another rant on the subject and it seems some moderator has found it interesting, go figure
I think, therefore thoughts exist. Ego is just an impression.
The scripts seem like proof of concepts for dummies; "can I really do like this?" Their goal is not to bring the world to its knees. That could be done the same way, but nobody's that interested. There's another "mothers day" version that actually wipes out system files, but it's still just a half-hearted attempt.
What I'd like to see on news, but haven't seen, is that these are based on the lack of security on Windows, and stupidity of users. If we don't get that point out, people will think computers in general are insecure (like they are, but not
Sorry for sounding cruel but IMHO that is true.
I think, therefore thoughts exist. Ego is just an impression.
www.apache.org compromised; a windows virus spreads over the globe like a chain reaction on H2O (if such were possible). What's in common?
;)
Users are not careful. Systems must be secure by default. For all intents and purposes, system administrators are the users of the software their systems consist of (again, see apache.org incident).
Here's listening to OpenBSD. For all their arrogance they have that one right.
This is something every distribution should be based on. Every OS and software distribution. Do not open possibilities of exploit. Is it that hard to think about?
We'll live in a pretty ugly world pretty soon unless this simple principle gets generally accepted.
There is nothing stopping someone using Windows automation exploits, DDoS and such for possibly worse purposes than random harassment. For what? Play more Illuminati
I think, therefore thoughts exist. Ego is just an impression.
Although, PLEASE, let's not give it its own awful colour scheme!
It's important that /. not become a total entity of the web - namely, no memory. Taco asked on GIS when /. started to suck: I say it started to pull itself back together when it started following up on stories.
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
In order to do some *real* data damage, one would have to destroy back-ups, ...
And while it is dormant on your hard drive, it trashes your backups as they're being made. Then after a couple of months it trashes your hard drive.
Have you checked your backups lately?
Steve M
I think 2 cm is only possible with special surveyor receivers and post-processing. My civilian GPS receiver has been reporting an estimated probable error of approximately 6 meters since SA was turned off.
Mea navis aericumbens anguillis abundat
If you connect this to a Palm VII, with the unlimited service, this would be very, very, cool. It's like mapquest + "where the hell am i", and useful for trips, hiking, and even airplanes (does the Palm.net service work in the air, and do the airlines let you use it?).
-mark
If your computer says LINUX, run...computers can't talk! [unless you have text-speech software]
Okay, here's a stupid question about the worm thing:
When I'm explaining the potential issues surrounding these worms to less technically inclined people, they always seem rather complacent. They aren't concerned because no worm, thus far, has done serious damage. At least nothing catastrophic.
I try to explain that the worms could be programmed to do things that are so much worse. The inevitable question I get is "Then why haven't they done it?". How do you respond to that? I don't KNOW why we've gotten so lucky so far. As they've said in the article, there are a number of things that could be done to make life more difficult, such as deleting things of importance (how about .doc, .xls, .dll, and .exe files), and changing the subject line at random.
Here's the stupid question: Why? Why haven't we seen a truly malicious version of one of these yet? Any ideas?
-Jer
It would be a trademark violation if they turned around and tried to sell Mickey.
So would that be: http:///..org/\
You don't think "I Love You" qualifies as a world-wide epidemic? It was pretty much everywhere!
Furthermore, your comment on MAD relating to virus writers makes little sense - if the virus writer were primarily a UNIX user, what does he care that half the Windows clients on earth were destroyed?
Like another poster, I wish that news people would start reporting that it's the stupidly permissive scripting mail clients that are making this possible, mostly Outlook! You'd think that after two major events like this that companies would switch away from Outlook as a mail client. But my own company shows no signs of stopping. We even get scripts and executables from the Windows SA's that we are commanded to run.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I challenge that. If you really managed to destroy every Windows client on the face of the earth, what really would be deeply affected?
A lot of big businesses run on old mainframes. Most modern businesses have UNIX systems at the core that would remain unaffected. Even those vital systems that run on Windows NT would be back up within an hour from backups, if the virus even managed to get near them (unlikely with a good SA at the helm).
The only people to be harmed would really be a vast lot of end users.
You may think it was only big in the UK. Over here in the US at my workplace it took out our company e-mail for over half a day, and all network shares were marked as read-only for an entire day and a half thereafter.
I can't tell you what company it was (we are well known though and have thousands of employees) as we were told (just as every other U.S. Company who was affected told their workers) that we were to keep the virus attack confidential.
It was definitely a lot wider spread than just the UK, and certainly wide spread within the US given the domains we got mail from and the people our internal systems sent mail to! I'd guess 10% might be closer to the number of companies spared than saved. In that figure I'd include the businesses that may not have been hit, but simply turned off e-mail for a day.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I don't think the virus would reach most of those servers though, even though it seems that's the sort of thing it was after (going after mostly web related files like js and jpg).
And even if it did manage to hit them, they would be restored from backups pretty quickly.
Basically, the only people to really be affected by a really bad virus like this would be a large number of end users. Budgets in progress would be lost, project plans destroyed, PowerPoint presentations shredded like so much wheat. In other words, no real impact whatsoever!
Even if I had been so silly as to run this on my machine at work, because I use source control rigorously and can re-install things pretty easily, the worst impact to my work would have been the loss of some carefully chosen Dilbert cartoons. I can't think of any kind of programmer across my whole company that ran the thing - every time I got another virus by e-mail (constant throughout the day [once they brought up the e-mail server again after half a day downtime], and somewhat beyond the company filter to totally remove for some time) it was from someone with a title like "Senior Director" or "Project Consultant".
Not only do I rely on those arguments, but I present one more - do you really think someone writing one of these viruses is really holding back because they calculate that 20% of the networked world will be unavailable to them for some time? I really don't see a successful virus writer after a launch loading up barnesandnoble.com to go book shopping.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Well, first of all while a 'fuck with you' type virus would be much more interesting than a hard drive reformatter, I think hard drive reformatting would still be interesting enough to a brainless script kiddy.
:P Of course, I doubt that there are any more than a handful of people in the world who would be capable of coding something like that, if any. But, in theory it could be possible. You wouldn't want to use an email clicker as a transport, though but system level exploits. If a bug crops up in NT attack before it gets patched (or even better, search for bugs in all the major OS's yourself, and then don't make them public. Or hack into Microsoft and insert a hole in the next service pack :)
:P
What I always thought would be cool would be a system where the viruses keep in contact with their 'children' through the network. Some of the viruses would be removed, but the code would try to stay unnoticed. The viruses would 'grow up' on the systems to test the amount of size they can take up without being noticed. Eventually, the larger nodes would contain resource files for the greater whole, IE implementations for other platforms, etc. The theory was, eventually, you'd have a huge computer system at your disposal, if people didn't find out about it. More powerful even than distributed.net. Not that I'd have any idea what to do with it.
But, combine that Idea with yours, about the viruses inserting themselves into the actual lives of the people who use the computers by messing with email etc, and you get some interesting results. If your great AI network could parse through email, etc, and actually figure out what was going on in the world (and send you summaries), you could give it commands as to what you wanted it to do and it would alter the key information to make it happen. If the thing was smart enough, it wouldn't really need to change much.
After a while, you'd be one of the most powerful people on the planet. You could hardly say that that isn't interesting
Oh well, this is the stuff of Sci-Fi stories, for now anyway
Read The ReflectionEngine, a cyberpunk style n
In real-time, only the military can get this kind of accuracy, since it requires getting rid of the two biggest errors: selective availability and atmospheric effects. With SA turned off, it's now largely a matter of the atmospheric interference, which will still hold you to tens of meters accuracy, though that's still a big improvement over the ~100m accuracy with SA. Of course, since the military has access to two channels, they can cut out a lot of the atmospheric error.
You can get better accuracy with post-processing, though. There are some geologists who claim to have millimeter accuracy good enough to detect the yearly movement of earth's crust from plate tectonics.
That is the question after all. Is distributing it in two tarballs (One with the GPL libraries, the other with a closed-source program) a derivative work? If it is then this is in violation of copyright law, as you do not have permission to redistribute the GPL code (unless you distribute code for your own applications). If it is not then the GPL has lost most of its teeth.
Personally, I feel that it is. Your code depends on the GPL library and cannot function without it. In addition, when the closed-source program is run, it will be linked with the GPL library.
Thus, what you're talking about is a trivial workaround to try to get around the letter of the law and I *hope* that a court would see it as that.
Just as a thought experiment. Say I sold a collection of numbered and colored tiles and a sheet of paper with a numbered grid. The tiles are all monochrome, but different colors. No copyright law has been violated. Now, say that someone bought the package and followed the instructions. They assemble the tiles by following the sheet of paper. What results is a giant picture of Mickey Mouse.
Would that be a violation of copyright law?
Furthermore, your comment on MAD relating to virus writers makes little sense - if the virus writer were primarily a UNIX user, what does he care that half the Windows clients on earth were destroyed?
Ah. He (I assume maleness for now, if you don't mind) might wish to do this, if only to prove how weak Windoze is, etc. However, in terms of self-interest -- a few things on the Web DO run on MS ware. (Check the Netcraft survey for a statistic that claims that MS servers are second to Apache in popularity, with about 21% of the Web.) So, a reasonable person probably doesn't want that much to be cut off from 20% of the Web's functionality for a few hours. However, virus writers might not be reasonable people...
Ceterum censeo Microsoftam esse delendam.
Or can I just galavant around selling GPL'd material, make a profit, then stop with but a wrist slapping or less when caught? I don't want to see someone who is even slightly linux friendly get sued over this boner, but they need to face up to the fact that they broke the law!
Restitutions are in order!!!
"A witty saying proves nothing." -Voltaire
"A witty saying proves nothing." ~Voltaire
"d'Oh!" ~Homer
How about a worm that looks for sent mail and sends another copy "Sorry, forget the attachment"?
Anyway I'm lucky. English is not my mother tongue and any personal mail in english is very suspicious.
All opinions are my own - until criticized
Despite their mistakes in the past, nVidia is trying to comply. Everybody makes an innocent mistake from time to time.
(and yes, if they hadn't fixed it, I'd say "Off with their heads".)
Free music from Jack Merlot.
How about MS Worms: Armageddon?
I can picture it now... you could play as one of three different teams, Microsoft the Almighty (whose special weapon would be the BSOD), The DOJ (with their anti-trust laws... be warned, though, they only affect the MS team!), and the (always the underdog) Linux team V2.4.6.2.23.4.234.1912.31!
Hm, I'd kinda like to see Mr. Torvalds pointing a bazooka at Bill Gates...
-- Dr. Eldarion --
It's not what it is, it's something else.
If users are asked ``are you sure you want to run this?'' they click yes, never realizing what is about to hit them. If they know that they must save the file, start up another user agent, then run the file thru that agent, they are going to (magically) think twice about what they are doing.
Sure, they may think twice, but really the only type of people to fall for something like this are the people who have absolutely no clue what they're doing anyways.
So, say they got an e-mail with an attachment saying that if they open it in the other program, they can play the newest version of Elf Bowling! Naturally, they get very excited (and not worried in the least, of course), and go into the other program... and voila... the problem is still there.
-- Dr. Eldarion --
It's not what it is, it's something else.
This is really only true in the case of something like a Word document, which has its own little scripting language and can do something devious. If clicking on a jpeg fired up a jpeg viewer...that is not such a big deal. This is actually 1 thing that I miss from Windows (one of the ONLY things! :) However, double-clicking on something should NOT run a script without some sort of confirmation.
:)
Of course, others have pointed out here that no matter what the confirmation dialog box says, people will just hit "OK", as in "OK, yes, whatever, just get on with it". I personally believe that they've been led to this by the excessive amount of confirmation dialogs in Windows/MacOS, but that is just my opinion
These sorts of things spread for 2 reasons: weaknesses in the OS is one, but the more critical one is a weakness in the users. It wouldn't matter if everyone started running Linux/BSD/whatever tomorrow, if they all ran everything as root and left a bunch of services open. How to solve this problem is probably beyond me; my only advice is to try to educate users in the most non-technical terms possible. If you can explain it to them in ways they can understand (analogies help lots!)...you know, it's not like they WANT to spread virii. Most people want to Do the Right Thing...
WMBC freeform/independent online radio.
IANAL, but there is an interpretation of 17 USC 117 that claims that it is not an infringement for a fella to treat GPL'd code as LGPL'd code: "it is not an infringement ... to make ... another copy or adaptation of that computer program provided: (1) that such a new copy or adaptation is created as an essential step in the utilization of the computer program" where linking GPL'd code to proprietary code is such an "essential step."
Will I retire or break 10K?