Day in the Life of the Internet Storm Center

An anonymous reader writes "Network World Fusion has an article about the Internet Storm Center's inner workings. The writer follows the ISC during the day of the MyDoom-O outbreak (the one that hit Google et al.). The article talks about running W2K in vmware on top of SuSe Linux. A practice very common in malware analysis to isolate yourself from various ill effects of the malware. Other open source software receiving a mention in the article is everybodies favorite packet analyzer Ethereal."

Hahhaha

Nice caterpillar...

Re:Hahhaha

That's not "Offtopic" at all. It's the very symbol for the topic.

Why is a larva the symbol for "Worms"?

How interesting

[stratjakt]

Linux you say?

Firsties!

Firsties! completely irrelevant AC first post!

My Favourite Pony

[B3ryllium]

An invaluable tool for PCs that are "public access" or even boot-partitions of computers at work:

DeepFreeze

Just one reboot, and any malware infection is obliterated. (There are alternatives, too, but I like DeepFreeze the best)

Re:My Favourite Pony

[stratjakt]

Nothing on that link tells you how the product works.

The closest I read was "Deep Freeze instantly protects and preserves original computer configurations" which reads to me that it's kind of like Ghost, except it keeps an image local on the HDD?

If so, I'd shy away from phrases like "Completely invulnerable to hacking".

XP's system restore feature gives you the same functionalities, if it's used properly (of course, it never is). I'm in the habit of making a save point before I do anything that could potentially bork my machine (testing some new driver tweak, etc), and have rolled back successfully on more than one occasion.

Re:My Favourite Pony

[ciroknight]

We happened opon this product at the school where I used to work, and as far as I can tell from using it and poking around at the program, it keeps a log of all harddrive transactions, then when rebooted, it plays back the log backwards, restoring to the state in which the system was before; no Ghost partitioning required, but none-the-less not invunerable to attack. We had kids bring in Knoppix CDs and obliterate hard drives for no other reason than they could.

My suggestion is to use Deep Freeze with Ghost (It's a complex setup, but if you "un-freeze" the system for one reboot, then Ghost, all you have to do is cast the image, change the computer's name (we had a pretty complex naming scheme), then reboot the machine and it's ready to go.) It's a formittable combination, and far better than products like "Foolproof Security". Hope this helps.

Re:My Favourite Pony

[B3ryllium]

Try it, they have a free demo. Try and see if you can break it (let me know if you can :)).

Assume that a competent system administrator has already disabled floppy/cd-rom booting and password-protected the bios. For the annoying people in a public place ("Ooh! Bonzai Buddy!"), that would be sufficient to prevent almost all malware.

Re:My Favourite Pony

[stratjakt]

See, I have this co-worker who constantly fucks up his machines. He's supposed to be a programmer/analyst/tech support guy just like me (small company, you wear a lot of hats), but everytime something comes up, I have to handle it because his computer is broken.

"I can't build a working EXE, my Visual Studio is screwed up!" "I can't dial into that customer, because my modem isnt working" "I can't VPN in because my computer crashes when I fire up the Cisco client".

He's incompetent, but I'm dubious he's this incompetent. I traded him the machine in my office when I got a new one, everything worked perfectly. A week later, his VPN and Visual Studio are broken. I really dont have the time to keep rebuilding his machine for him. Of course, he claims he doesn't know how to reinstall Office or VStudio, etc..

I think he does it so he won't have to do actual work. I end up doing everything because he always has an excuse. When he's on site, his laptop is broken, so he has to phone in all the code changes he wants, I have to do it, cut an EXE and email it out. Of course, it's double bonus for him. Anything he fucks up on site, he can just blame me for, since I'm actually doing the work remotely.

It's pissing me off, and it makes our company look like a bunch of morons. My archetypal PHB thinks he's just the cats ass because he comes in "early" every morning (he shows up at 8:45 to drink coffee and read the paper, we open at 9. Sheesh).

Anyhow, this sounds like a decent product. I'm downloading the evaluation version now. I'll reinstall his machine one last time, ghost it, install this. Next time I hear "I can't dial in because my modem is screwed up", I'll reboot his box and it'll be fixed.

Re:My Favourite Pony

[ciroknight]

It's easy enough to break, but for high school students it might be a little tough. All that needs to be done is corrupting the transaction log that it keeps, which can be done by either tampering with the checksum that it keeps of it, the checksum that it keeps of the old files, or tampering with the actual transactions, all of which would take a lot of work (and most likely wouldn't be worth the trouble, as it would require writing a program for the specific task of finding the memory space of the driver, then breaking it in your favor).

Re:My Favourite Pony

[Johnny+Mnemonic]

Try it, they have a free demo. Try and see if you can break it (let me know if you can :)).

That offer good for the OS X version of their product, too? If so, you're on.

I'll also stipulate to disabling external booting via Firmware lock, disabling single user mode, and not having the root user enabled. I'll pretend that I can't defeat that by not changing the RAM--which is plausible on a workstation with a padlock (but not on a portable.)

Re:My Favourite Pony

[ciroknight]

And it'll work fine for that, as long as the asshat isn't insane enough to actually hack deepfreeze. But this is exactly what this product was made for, and it works wonders for keeping machines alive after a virus storm or freak driver accident.

Hope it works out!

Re:My Favourite Pony

[scovetta]

Confucius say:
"Never trust a product that includes the phrase:
Completely invulnerable to hacking..."

Re:My Favourite Pony

[jrockway]

It's pretty good. I couldn't get around it in Windows after they blocked real mode programs. Before that I had to crack the BIOS password and then boot Knoppix, then delete key files. And sometimes the fucker still came back.

So from my independent analysis, I'd say DeepFreeze is good. I haven't done any code-tracing, though, so I don't know if some buffer overflow would ruin the whole thing. It wouldn't surprise me, though.

Closed source is what it is.

Re:My Favourite Pony

[Feng]

Set the boot priority to boot the hard drive first and password protect the BIOS. That'll make it harder for them to mess things up!

Re:My Favourite Pony

[RichardX]

This is just a guess, but from the (very limited) description on the site - particularly the bit about only needing 2 Mb of drive space - I suspect than rather than keeping a rollback log, instead it redirects all writes elsewhere and somehow fools the system into combining them

I don't really know if that makes sense, but basically what I'm saying is I think instead of allowing changes to the stuff that's already on the drive, instead it makes the system write the changes to a "scratch space", as it were, and when it comes to read back files, it takes that into account... when you reboot, it wipes the scratch space (which just contains the differenced versions of the files)

The difference between the two methods is the differencing system doesn't take any "extra" space, as anything you're saving/installing you'll be taking into account in your HD space, whereas a changes log could grow huge, fast, and take up a lot of unaccounted-for-by-the-user-space

Wow.. reading this back, it's a really mangled and incomprehensible way of explaining a simple concept. I should write manuals for a living!

Re:My Favourite Pony

[joper90]

u know what, i think hes doing this on purpose..

you also need to show him how to do it, and then here are no excuses.. However he WILL blame ghost for now fucking up his machine.

I would make him sign off something that states he is happy with it before he breaks the keyboard and cannot press 'enter' to resetup the drive.. i f**king hate people like that.

:)

Re:My Favourite Pony

[Nimey]

So document what's going on with your cow-orker, then go to your PHB or PHB->PHB and get his sorry ass fired. If your direct PHB won't do anything, maybe he'll get fired too.

Re:My Favourite Pony

Or, you could kill him.

Re:My Favourite Pony

Just to add to what the others have said, my father also runs a school computer lab, and I fix things for him when I come home to visit every couple months. He is a drafting teacher close to retirement and knows CAD software inside and out but less so when it comes to administrating the network etc, although he is still picking things up. Oh and the school district's computer people are incompetent.

We use DeepFreeze in the lab and it works very well. I have yet to find or hear about any way for the student to mess up the machine as long as it boots off of the drive that DeepFreeze is installed on. Hanging out in script kiddy channels I heard a lot of people asking how to hack DF, but no one had any answers, other than boot disk. So if you disable booting from CDROM and floppy in the BIOS and use a BIOS password, then short of opening the case or figuring out your password, there is really no way that the user can mess things up.

-jackson

Re:My Favourite Pony

[Cramer]

30sec with a screw driver and that password is history. You'll need a real lock (not the BS manufacturers tend to put on there) to keep that screw driver at bay. Heh, then it'll take a few minutes with a paperclip and a screw driver *grin*

Re:My Favourite Pony

[sumdumass]

if i can get into the system running windows i can get into the bios and change the password.

Granted the average script kiddie would have dificulty in doing so but it is verry possible. Using a bios password to lock changes in boot order and such are really good for keeping people that shouldn't be on the computer in the first place off. If they have access to it in a working enviroment reguardless of user priviledges, it is hackable.

Maybe,in cases with school children or the existance of co-workers that all the sudden have computer poroblems when work needs to be done, some sort of monitoring program should be employed and a strict discleplin policy followed. I had users deliberatly fuck stuff up and after watching through a vnc session the boss fired one and punished the other. I think this is a real way of doing it. Fireing people should be a last resort but messing a computer up and costing the company money is just like vandalizing the break room or other companie property. An action that usually carries a statis of getting you fired.

Re:My Favourite Pony

It's pissing me off, and it makes our company look like a bunch of morons. My archetypal PHB thinks he's just the cats ass because he comes in "early" every morning (he shows up at 8:45 to drink coffee and read the paper, we open at 9. Sheesh).

Then you should come in early, too, if only to read the paper and drink coffee.

As for the rest, yeah--I'd fix his machine with deepfreeze, etc. and if you have some official auspices under which to do it (e.g. you're the sysadmin + company policy provisions for it--better make sure you have good reason to believe you have explicit authorization), you can put some loggers on the machine to see how exactly he's screwing things up.

Maybe he's just a terrible programmer who manages to damage windows with shoddy coding? (Hey, it's been done...)

Re:My Favourite Pony

[Lisandro]

At the cybercafe i work we use GoBack (http://www.goback.com/) for instant hard drive restoration. It works fairly well and never gave us an issue; i didn't set up PCs, but i recall the guy who did had some problems with DeepFreeze.

I hate that this kind of software has to exist, but if DF doesn't do it for you, GoBack works just right.

Re:My Favourite Pony

[pen]

I suspect that the 2MB requirement is for installation only. Whether it keeps a transaction log or saves the changes temporarily to a different location, that information still needs to be saved somewhere.

Otherwise you'd end up with a read-only hard drive. From personal experience, I can tell you that the hard drive is writable while you're using the system. The first time I saw it, I just thought that the computer was being reimaged upon boot.

Re:My Favourite Pony

You can never trust a former BeOS user. Hey bery, how's life treating you?

chuffy

Re:My Favourite Pony

[JThundley]

That's what I always thought.
Just last week at my college I thought I'd throw a knoppix disc and not use their 2 year old installation of Windows 98. Knoppix was slow as fuck with the little amount of RAM it had, so I thought I'd install it to the hard drive so it would run faster, DeepFreeze is on this machine, when I reboot win98 will be right back where it was, right? Wrong. I hope nobody finds out that I did that or I'll get banned from using the college network... again. DeepFreeze wasn't deep enough...

By the way, to see if DeepFreeze is on the computer: Ctrl-Alt-Shift-F6

Re:My Favourite Pony

[ciroknight]

Not practical. We store ghost images on bootable cds, so the only way to restore the system was to boot from cd. We tried PXE, but our network just didn't like that idea. We tried floppies, but nearly 90% of the machines either had bad floppy drives, wouldn't boot to floppy for some unknown reason, or were completely missing floppies. It's a wonder the kids could bring ANYTHING from home in, if they didn't have cd burners at home that is.

Re:My Favourite Pony

[ciroknight]

I would call Deepfreeze a script kiddie deterent. I was given the task to break a machine with deepfreeze on it, just because our network administrators were really, well, not up to par.

I took the task head on and found that Deepfreeze works (to my knowledge, I'm not exactly sure about the internals) on keeping a transaction record, and then playing it back. It also is almost continually checking checksums of access files so that it knows which ones to fix later. Destroy either the ability to keep the checksum, the checksum itself, or the transaction data, and Deepfreeze has lost that file. Of course, it takes a lot to be able to do that, and I would say it would be very difficult with an NT kernel, but simply hooking into its device driver and fucking it up will prevent the system from it's delete/restore function on reboot. Of course, all of this is much easier said than done, and I wasn't asked to implement such a tool (and HAVEN'T, and WON'T), but I can say that this is far outside of the reach of a script kiddie. (Would have to know how the Windows kernel interfaces with device drivers, how that device driver works, and then how to break it in a way that will leave you with a viable system afterwards and not the BSOD. These are things that people typically don't know, and don't feel like working out.)

Correct link

[Tyrdium]

Ethereal's website is ethereal.com, not ethereal.org.

Re:Correct link

[bahwi]

Poor guy

Re:Correct link

[strictfoo]

Just shows that the Slashdot editors don't read the articles and/or follow the links either.

Re:Correct link

[geordie_loz]

Perhaps if you want to advertise yourself as a PHP developer for hire, you'd want to remove the PHP parse errors in your code?

Parse error: parse error, unexpected T_STRING, expecting ',' or ';' in /usr/local/domains/josephguhlin.com/public_html/in dexfooter.php on line 8

Malware

[Ford+Prefect]

A practice very common in malware analysis to isolate yourself from various ill effects of the malware

Best description of Windows I've heard in ages... ;-)

Re:Malware

[The+Jonas]

True.

However, if anyone out there is running a honeypot as a hobby or are new to setting them up, some good advice on a more secure Windows configuration can be found here. Specifically, it details how to cripple DCOM using a hex editor and reconfiguring other networking services. Good advice, even if you don't use their product. Be careful, you may lose some desktop functionality.

Re:Malware

ha ha ... worst +5 funny post i've read EVER.

ethereal.org?

Has some "Goddamn Hippy" taken over the packet analyser site?

More "fun" than running viruses in vmware...

[mkavanagh2]

Is running them in WINE. Especially since it's not a virtual machine, and the virus might detect WINE then trash your lunix ;)

Re:More "fun" than running viruses in vmware...

[DarkOx]

only if you are crazy enough to run wine with elevated privilages.

Re:More "fun" than running viruses in vmware...

[IamTheRealMike]

What, you'd prefer it to trash your home directory instead? ;)

Re:More "fun" than running viruses in vmware...

[NuclearDog]

su isolate
wine my_virus_executable.exe

I keep a seperate account on my machine specifically for running untrusted programs, so no worries for me.

ND

virus

[spotplace]

Windows 98 has largely been ignored by the virus writers for the past two years... The worms this year that took down my school districts entire network of w2k machines didnt harm the windows 98 machines at all!

Re:virus

[ciroknight]

Funny, we had the opposite take affect at our school district. We migrated all of the machines we could to Win2k (some were just not powerful enough, sadly), and then got hit by a virus that thrashed the remaining Win98 systems, but left the Win2k machines completely alone. Needless to say, it was an older virus that someone brought in on floppy, but the effect nonetheless was devistating for quite a while. It also seems that the Win9x virus protection programs weren't as effective at scanning the floppy's on mount, verses the Win2k scanners that worked flawlessly for us (Norton for both, 2k3 on the Win2k machines, 2k1? on the Win98 machines).

Re: virus

[Alwin+Henseler]

Yes, still running Win98 here, and I have the same experience. Visited Windows Update after install, then stripped out IE (98lite), full backup, use Mozilla, regularly updated virusscanner, and rarely run binaries fresh of the 'net. Result: last worm infection was long ago (on a LAN party), lockups are rare, no weird problems of any kind.

I guess a major factor is that many exploits are created by reverse engineering patches. As Microsoft has ended active support for Win9x systems, that also means no new patches for hackers to reverse engineer. Then there was this source code leak, wasn't it Win2k source code? So different code from what's in Win9x. And as Win9x systems are replaced with Win2k/XP, their smaller market share makes Win9x a less interesting target.

Re:virus

[russint]

One more reason to get rid of all those ancient floppy thingies.

Re: virus

I guess a major factor is that many exploits are created by reverse engineering patches.

That's what Microsoft says, but I don't buy it.

There are plenty of 0-day exploits out there which the public (including security@microsoft.com) never gets to see. Actually, it being patched is usually around the time the exploit gets leaked, because it's no longer so useful and someone wants the credit for 'discovering' it...

That said, yes--responsible administration of a Win 98 SE box can leave it relatively secure (at least, compared to Win XP)

SuSE and VMware

[rainer_d]

Speaking of it: I can't get VMware Workstation 4.5.2-8848 to work on SuSE 9.1 with the latest kernel.

Anybody got a good tip ?

Rainer

Re:SuSE and VMware

[UnderAttack]

Get the latest VMware build, and check the vmware community forums. But the latest build I downloaded installed without a hitch on Suse 9.1 running on an AMD64 system.

Ethereal is for the weak

[xxxJonBoyxxx]

Ethereal is for the weak - real admins use snort.

Re:Ethereal is for the weak

Buh-shih. Real admins don't use snort. Real admins snort

Re:Ethereal is for the weak

[Timesprout]

snort is for big girls blouses.

Real admins plug the network cable directly into their brains to perform packet analysis

Re:Ethereal is for the weak

Real admins plug the network cable directly into their brains

You mis-spelled brains. Its spelled 'ass'

Re:Ethereal is for the weak

and its one of the BOFH's "special" cables

Zaaaaaaaap!

Re:Ethereal is for the weak

This is why I love /.

Re:Ethereal is for the weak

[vwjeff]

Real admins plug the network cable directly into their brains to perform packet analysis.

Real admins don't need the cable. They are already one with the network.

Re:Ethereal is for the weak

Real admins plug the network cable directly into their brains to perform packet analysis

I really don't want to know what type of viruses you have!

Re:Ethereal is for the weak

[julesh]

Real admins plug the network cable directly into their brains to perform packet analysis

You mean like this?

Re:Ethereal is for the weak

"big girls blouses"???

( . Y . )
That conjures up mental images of pr0n.
No wonder you scored high for off topic!

Re:Ethereal is for the weak

[MrNemesis]

This is actually a very good security measure. No-one is going to attempt to sniff the network after *that*

The difference between this and real storm chasing

Real storm chasing leads to really cool pictures.

Internet storm chasing leads to porn.

I can't decide which one is better.

On duty, 24/7

[p0]

From TFA :
He is the only full-time staffer among the 30 ISC handlers who span the globe and are on duty 24-7. The rest are volunteers who take turns watching over the Internet. Most have other jobs and aren't expected to be awake for their entire 24-hour shift.

Who the hell is this Ulrich guy? R2D2?

Re:On duty, 24/7

[Big+Nothing]

"Who the hell is this Ulrich guy? R2D2"

Funny you should ask...

Here's a pic of Ullrich and here's one of R2D2. Although the picture of R2D2 is a bit old (taken june 12:th, Long Time Ago), it's still obvious that the two are identical or that I am full of shit.

QED.

Re:On duty, 24/7

TODO: add /AT/ to next build

Virus naming conventions

[AndroidCat]

Does anyone really remember the difference between MyDoom-O and MyDoom-N? Perhaps they should start using first names like real storm centers do for tropical storms/hurricanes. They could issue warnings about incoming class 5 virus MyBad-Kevin.

Re:Virus naming conventions

Residents of [Insert_Town] are today picking up the pieces after the devistating DOS attack which began early this morning.
Linux hippies were overjoyed at watching [Insert_Unliked_Corp]'s computer systems melt.
Symantec labs confirmed that this outbreak has all the hallmarks of the much feared W32.Slashdot-Taco@mm attack.

Re:Virus naming conventions

[c0p0n]

Nope, because you would have to name the viruses with female names. We the /.'ers have enough problems to get a girl, I don't wanna know what could happen if they think that we geeks are male chauvinists...

Re:Virus naming conventions

Female names like with Hurricane Ivan, right? (They changed the rules several years ago to allow boy hurricanes.)

Three links I just can't live without as an admin:

[AcquaCow]

SANS Internet Storm Center
Provides current Internet port graph history and advisories

CERT's Vulnerabilities page
Provides current Internet virus history and news.

Keynote Internet Health Report
Provides a table of ping times between various Internet backbones and providers. Great for checking if it's your ISP, or the backbone they are attached to that's having a slow day.

I advise everyone to check these out, as they provide a great wealth of information in a nice organized format.

Re:The difference between this and real storm chas

[no+reason+to+be+here]

Real storm chasing leads to really cool pictures.

Internet storm chasing leads to porn.

You mean to say porn isn't really cool pictures?

The Storm Center is excellent

[Saint+Aardvark]

One of the first things I check out every day is the Storm Center's diary. Between that, and Microsoft's security page, and SecurityFocus, and Infosecdaily.net, I've got more than enough paranoia (I hope...) to make it through BugTraq and Full Disclosure.

What about the rest of you? What links do you check out, and what am I missing?

Re:The Storm Center is excellent

I check out /. and let the Windows update and automatic virus scanner update work their magic.

I don't have to be paranoid, you see, I don't turn those protective measures off in the first place. But then again, I'm not an 'expert' who is constantly getting hit by these viruses and worms.

Re:The Storm Center is excellent

Full Disclosure is my favourite. Their archives even contain traffic from 2005 and 2006. I can read about vulnerabilities full two years before they are discovered.

Re:The Storm Center is excellent

[presmike]

I use http://www.dailyrotation.com/ You can customize which sites it draws headlines from. Saves me tons of time by having everying all in one place.

Re:The Storm Center is excellent

[elwing]

I usually let vulnwatch deliver "important" information to my mail box. I don't keep on top of 0-day vulns any more, so vulnwatch is good enough for me. SANS @RISK is another mailing that's useful, although sometimes out of date.

Re:The Storm Center is excellent

[El+Volio]

I have a set of tabs that I load every morning precisely for this; some of them are:

• ISS GTOC
• myNetWatchman (another perspective on port activity)
• NIPC Critical Infrastructure (updates are spotty but sometimes interesting)
• US-CERT Current Activity (often a tad behind)

ISC is definitely the main one to get but these are useful. I didn't list virus sites but those may be useful as well depending on your environment.

I'm sure today will not be a typical day..

[craznar]

If slashdot lives up to its reputation, I can imagine that today will not quite follow the usual pattern for the ISC.

Re:The difference between this and real storm chas

[Mark+Hood]

Hopefully they're really hot pictures.

Sorry.

Mark

Small code ... ?

[thrill12]

From the article:
"It's amazing how these virus writers get such small code," Ullrich says. "They should be working for some of the commercial code vendors."

Why not: s/should/could
And for the conspiracy-minded: s/working for/commanded by
Really twisted addon to the latter: s/code vendors/anti-virus vendors

Another episode in "preaching to the converted".

Similar Article

Tech News Live covered this a few weeks ago. Pretty nifty stuff in here. Check it out!

Re:Similar Article

[UnderAttack]

don't click on the link unless you want your cube mates stare at you ;-)

Re:Similar Article

[REBloomfield]

yeah, ditto. what gob shite modded that informative? or is that some kind of switchable proxy miror?

Re:Similar Article

[Mant]

This is something like the third article where someone has posted that link, then it has been modded up as informative.

Maybe a lot of Slashdotters don't pay attention when they Mod, but it smells to me of some organised trolling.

Re:Similar Article

I'd guess organised trolling - responses pointing out the NSFW link have been modded down too.

Re:Similar Article

Maybe a lot of Slashdotters don't pay attention when they Mod, but it smells to me of some organised trolling

I would like to nominate Mant for the No Shit Sherlock Award of the year! Taking obvious clues and producing even more obvious conclusions merit this high award.

You shall now be known as Captain Obvious!

Re:Similar Article

I agree. These trolls are really starting to piss people off. It has even gotten the attention of Linux Journal's Staff who think they might be able to take legal action once they identify the perpretators.

Re:Similar Article

[0x0d0a]

Nah. We just need a better trust system.

Re:Similar Article

Why? The NSFW reminders are just as offtopic as the disgusting link posts themselves.

Re:Similar Article

In case anyone is interested, that site appears to retrieve a copy of your clipboard, so be careful when visiting.

... and a nice Ethereal add-on...

[m0rningstar]

... is Packetyzer, available from Network Chemistry http://www.networkchemistry.com/products/packetyze r/.

Has some neat additional features, such as conversation tracking and I believe it has a few more decodes. Only for Windoze, however, thus encouraging the VMWare machines.

Redefining protocols?

[little_fluffy_clouds]

From the article...

Like previous versions of MyDoom, this one too seems to be listening on certain ports for commands. Ullrich pings each port, but the virus does not react.

That's a neat trick.

I guess they mean "ping" as in "connected to a TCP or UDP port in some manner", and not the usual "send ICMP ECHO_REQUEST", which I don't believe has anything to do with "ports".

Ah, journalism.

Re:Redefining protocols?

I think you're splitting hairs. I "ping" co-workers. Submarines send "pings" for range finding. And really, isn't the submariner term the real source of the internet acronym? And in that sense, "ping" is just a sound, e.g. an engine can "ping" too.

I take "ping" to mean "check" rather than "create an icmp packet and expect a response". It's far shorter and gets the point across, and you don't sound like a wordy pedantic ass when you use it.

Re:Redefining protocols?

Ah, pedanty.

Re:Redefining protocols?

[g-san]

And really, isn't the submariner term the real source of the internet acronym?

Packet Inter Net Groper.

As long as the hairs are splitting, I would never ping a port, but I might try to open a connection to it. You ping a host, you connect to a port. UDP is another story.

thats SuSE and _not_ SuSe

learn the meaning of company and product names first, before posting slashdot stories.

--
ignorants

Re:thats SuSE and _not_ SuSe

[cuzality]

Actually, these days it's SUSE.

See: SUSE LINUX

Re:thats SuSE and _not_ SuSe

[angrykeyboarder]

Either way, it's still unpronounceable. ;-)

Re:Three links I just can't live without as an adm

[stienman]

Those are great and all, but where do I go when Slashdot goes down?

-Adam

Mirror

[LiquidCoooled]

http://www.google.co.uk/search?q=cache:jo3aRe29uHs J:slashdot.org/+&hl=en

i know, i know...

Since when...

[mikrorechner]

...are the "commercial code vendors" interested in small code size?

Another good product is....

[callipygian-showsyst]

Microsoft's "Virtual PC" for Windows. It gives you a complete virtualized PC that you can run on top of Windows. We use it a lot to test installs, to give ourselves a "clean machine" to make sure there are no dependencies that we didn't think of, and to test unknown software.

Re:Another good product is....

[haffi]

To bad that:

"Virtual PC 2004 does not support universal serial bus (USB) connections. "

(From the online help for Virtual PC 2004)

Re:Another good product is....

[Proteus]

Microsoft's "Virtual PC" for Windows. It gives you a complete virtualized PC

Well, not complete. Virtual PC is great if you need to run multiple versions/copies of Windows for testing purposes. However, VirtualPC isn't a complete VM -- if total isolation is required, Virtual PC isn't a good choice. However, if you don't need the total isolation of something like VMware, Virtual PC will probably work (and it performs better than VMware because it's not a complete VM).

I use VMware for isolation testing (malware, patches, &c.), but Virtual PC for version-compatibility testing (i.e. "Will this XP software work on our 2k machines?").

Re:Another good product is....

I am sorry, but you have been misinformed. Virtual PC is every bit as much a full virtualization as VMware. VMware and some Linux types seem to try to perpetuate the this incorrect meme.

As for performance, although Virtual PC may have marginally better performance on Windows OSes than VMware, under Linux OSes, the reverse is often true. The products are truely very similar on the desktop. VPC has slightly better general compatibility, and VMware has an edge in USB and network configurability, either of which may affect your specific choice.

VMware can host on Linux. VPC cannot. (Although VPC images may also be run under OS/2 and Mac OS, these alternatives do not seem to be attractive to the vast majority of the target virtual machine audience).

Elsewise, from the vast majority of perspectives, these two are interchangeable.

Forecast

[dr_dank]

from the Internet Storm center. Tonight, expect a high pressure system of script kiddies from the northeast to make the morning telecommute messy. Tomorrow, scattered DDOS showers, high of 10000 bots. Now, here's Glenn with sports.

Windows is the problem

[hey]

It should actually be called the Microsoft Windows Storm Center. Most of the problems are with Windows.

Re:Three links I just can't live without as an adm

[Ice_Balrog]

For Linux users, I highly recommend Linux Security to keep up on current advisories.

Hahahhaha

[brennz]

The first word that caught my attention was the word "handler".

To paraphrase Dave Aitel, "handler = someone without a CS degree".

$ans is all about cash. That is why their classes are packed to the brim, so people can watch powerpoint presentations...

(yes I have attended one)

Half of the SANS hardening guides were ripped straight from the US government (NSA/DISA STIGs). No credit given either btw.

Re:Hahahhaha

[pbemfun]

Obviously you didn't pay much attention in the class or attended a really bad one. I've attended a few SANS courses, and while they are expensive, they are worth every penny IMO. Every instructor I've had has gone beyond whats on the PPT presentations.

Re:Hahahhaha

Guess you didn't make the cut ;-). Not everyone with a CS degree qualifies to be a handler, or for that matter is able to pass a SANS/GIAC certification.

And as far as the '$sans is all about cash': Find another training provider that offers so much back to the community for free. (@RISK mailing, the ISC of course, top 20 list, SCORE project, support for cisecurity.org and more.)

Re:Hahahhaha

[buffy]

So, what'd you do, go only to Track 1? Not that I'm saying that course is bad by any means, but it is only an introduction. The other tracks present far more information than is just included in the PPTs. SANS seems to use PPTs for just what they were designed for--as outlines to guide the discussion/presentation, not the full content.

The GIAC certifications are also one of the few cert programs that I think are worth pursuing. You have to prove a decent command of the material before you can complete the cert.

As for The Dave Aitel quote, what the hell? First off, who cares. It's not like most CS programs give a shit about packet analysis. That skill is usually home grown out of the interest/need of a specific individual. Regardless, I think most of the handlers do, in fact, have degrees, with a bunch more than just undergrad.

-buf

Re:Hahahhaha

[brennz]

you should have at least mentioned your membership in the ISC so everyone would know you are biased.

Re:Hahahhaha

[brennz]

$ans is all about cash.

Re:Hahahhaha

[buffy]

Your point being?

Northcutt is one guy. Don't know of the actual situation being described, but there are more holes in that post than a piece of coagulated swiss dairy product.

SANS _is_ a non-profit. It does pay it's people (most of the handlers are volunteers--so don't be too big of a tool, please.) and it's speakers, and has a heck of a lot of infrastructure to support. All things that cost $$. They're not the only non-profit org that actually makes (and then uses) a fair amount of money. Take a look at the annual budget of the Red Cross!

Back to your original message:

The first word that caught my attention was the word "handler".

To paraphrase Dave Aitel, "handler = someone without a CS degree".

I took a bit of issue with this statement. You have yet to back it up with anything useful. Do you even know any of the handlers? What does it matter to you re: their degree, and how is it even relavant to the topic?

$ans is all about cash. That is why their classes are packed to the brim, so people can watch powerpoint presentations...

(yes I have attended one)

They're packed b'cause they're good. If you didn't get anything out of it, then perhaps there's something (someone) else at fault. Ahem.

Half of the SANS hardening guides were ripped straight from the US government (NSA/DISA STIGs). No credit given either btw.

No they weren't. Prove otherwise, or stop slandering a good organization of white hats.

Your original post is bullshit, and you back it up with more bullshit. Posting a link to an e-mail some guy wrote==bullshit. Got anything more useful? If not, please don't even bother to reply.

-buf

Re:Hahahhaha

[welshwaterloo]

I know this discussion is a day old, but I wanted to post in case anyone read your comments and accidentally thought you knew what the fcuk you were talking about.

Just to clear the air - I am in no way affiliated with SANS, I just attended one of their classes recently.

$ans is all about cash.
Now, clever use of the dollar sign I agree - sure to lend much needed credibility to your ideas, but listen:
Where does it say on their site that SANS is a charitable organization dedicated to bringing practically free training to all??

Nowhere, you retard. SANS courses are mildly expensive, but you get what you pay for. I attended 6 days of training for about £2000.
Gee Bob, that's a lot of money! Sure it is, but when you do a little math [can you?] you see that per day - it's no more expensive and actually a deal cheaper than other technical training.
'Other technical training' companies also don't offer an enormous wealth of information, reports & step-by-step guides in their reading rooms. They don't partner with the FBI & Scotland Yard to help advertise the biggest risks. They don't give out software to benchmark the security of your workstations.

That is why their classes are packed to the brim...
Two frickin guesses why their classes are always packed to the brim. *smacks head*.

... so people can watch powerpoint presentations...
Shit! Hold the front page! Training Company Uses Presentation Package To Present Materials To Attendees.
Those bastards.
Oh, oh - wait. It's ba$tards, isn't it?
(Incidentally, my class had a two hour hands on workthrough of the day's material after the full day class.) The money grabbing scum.

If you've got beef with them, tell it straight - just don't go spreading fud.

OT: your .sig

[JerkBoB]

up 12 days, 22:30, 2 users, load averages: 993.20, 994.21, 994.56
[*makes note to disable fork()]

That is one of the funniest .sigs I've ever read on /.

Still chuckling.

Re:Three links I just can't live without as an adm

[sosuke]

umm, is the sans site not firefox compatible? thats pretty funny

yuo Fail It!

would you like 7o everyday...We

fp homo...

It aatempts to from the sidelines, cuntwipes JordaN was at the same

Worms topic icon...

[Gnividon]

..is a caterpillar, not a worm.

DON'T click the link in parent

[6Yankee]

Filth, pure filth. Don't say nobody warned you.

SAY NO TO DISGUSTING LINKS!

Sign the petition to get rid of these nasty websites from the internet over at Tech News Live!

caterpillars aren't worms

[sjalex]

you insensitive clod!

My 'ounce of prevention' solution...

[iamcf13]

is at this URL.

Why use products like DeepFreeze after the malware has run and (irreperable?) damage is done when you can stop the malware from running in the first place.

Since malware by email is extremely popular, my approach simply treats all file attachments as 'text files'. 'Running' a text file on an uncompromised machine will cause the file to be loaded into another (trusted?) program.

These 'text files' can be safely handled, scanned for malware by trusted antivirus software, then deleted if infected or renamed back to their original extention.

As the old saying says:

An ounce of prevention is worth a pound of cure.

Why not focus on malware that doesn't use email to spread itself around and solve that problem instead?