Tools To Squash the Botnets

Roland Piquepaille writes "This is the intention of Paul Barford, a computer scientist at the University of Wisconsin-Madison. He wants to build a new line of defense against malicious traffic which has become today a billion-dollar 'shadow industry.' As one of 'the most menacing aspects of botnets is that they can go largely undetected' by a PC owner, he developed a new computer security technique for detecting network intrusions. His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers. This new system could soon be available commercially."

Tools To Squash the Botnets - Squashed

[wap911]

The last line says it "could soon be available commercially". Wonder if I need to start saving pocket change so I can put it on my SimplyMEPIS box? Oh, wait they must be talking about having it run along side of Redmond-warez. nothing here - move on...........

Re:Tools To Squash the Botnets - Squashed

This article is junk and provides absolutely no information at all save to make people feel good.

I don't see that.

[khasim]

When the easiest way to DDoS someone's site is to have the zombie army keep hitting the pages ... how will any tool identify or protect you from that threat?

The zombies can simply flood your pipeline. There are that many of them.

Re:I don't see that.

[QuantumG]

You stop the machines becoming part of the botnet.

You'd know that if you RTFA.

Re:I don't see that.

[Penguinshit]

I thought the easiest way was to link them from a Slashdot article.

Talk about a zombie army...

Re:I don't see that.

I couldn't RTFA. The Slashdot zombie army killed the site.

Re:I don't see that.

[mOdQuArK!]

Zombies? You nuke them from orbit. It's the only way to be sure.

Re:I don't see that.

[ScrewMaster]

Talk about a zombie army...

Hey! I resemble that remark!

Re:I don't see that.

[Anpheus]

The irony is that none of us really intend to read the article anyway, we just see the underlined shiny text and click out of habit.

Re:I don't see that.

[Sentry21]

A friend of mine is getting DoS'ed for some reason (http://whatsmyip.org/), and he couldn't figure out why, or what to do about it. I suggested scanning the apache logs and firewalling off any IPs that make too many requests, dropping the packets so the application never sees it. Looking through his logs, though, I saw something interesting - the vast majority of connections to his site were from a user-agent of 'Java 1.6' (or somesuch). Configuring Apache to ignore requests from that user-agent resulted in his site becoming responsive again - all of the 'bad' clients were Java clients. Go figure.

I still think he should use that as a basis for firewalling IPs off, but I guess it doesn't matter in the end.

Re:I don't see that.

[Wog]

...brains?

Re:I don't see that.

[feepness]

hey chef, the tails of shrimp are not food, cut them off. No, they're not food. They're handles.

Re:I don't see that.

[DigiShaman]

Well, the latest Java runtime available is 1.6. So does that mean these botnets are programed in Java and are executed using this runtime?

Re:I don't see that.

I was praying to JESUS that no aliens would invade my home last night and guess what... none did! May whoever modded that down, rot in metamoderation hell.

Praying to Jesus isn't any different than praying to the company that wrote your virus scanner, except that praying to Jesus may work sometimes.

Re:I don't see that.

[sumdumass]

It probably means that there is some java app that as part of it's workings, checks against whatismyip to determine an actual IP addressable from the public. That is somewhat of an issue with a useful site like that. People tend to take it for granted and end up writing programs assuming they have the ability to access it and that the site could handle any of the traffic. Dlink and a few of the home router manufacturers were defaulting their NTP clients to one server and in effect DDos'd that server when those router started selling like hotcakes.

It could be some request error that instead of checking once a day ends up checking onces every five minute or something of the sort. It is likely something along the lines of the gaming community that is supposed to help gamers connect to each other through firewalls. I have seen a Java app that does this but don't remember the name.

Re:I don't see that.

[cehjohnson]

If http://whatsmyip.org/ is his site, as indeed sumdumass thinks, according to his post, then my take on this is a variant of the aforementioned poster: there are tons of clients available for whatismyip, including ones written in Java. I can't imagine your friend is perplexed by this, since it's almost certainly a result of his site providing too good a service, i.e. servicing requests from clients (that are configured too greedily) too often. The solution is not to block Java user-agents, but to configure the site such that too frequent requests from any client are ignored.

Re:I don't see that.

[syberdave]

Someone wrote some network program (in Java) that needs to get the computer's external IP. (Probably some P2P app.) And your friend's site is the "perfect" way to get it.

Re:I don't see that.

[raddan]

Yes, I remember that. The worst part is that some researchers had already set up a load-balancer for people to use, to ease the load on the stratum 1 machines: pool.ntp.org. If the people writing the D-Link software had spent a few minutes thinking about the impact of what they were doing, using this address would have been obvious. My personal opinion is that D-Link should have set up their own timeserver, and shared that out, since they should have had a reasonable expectation that any address they put in there would be hammered.

Re:I don't see that.

[irtza]

This guy is trying to shut down slashdot?!

Re:I don't see that.

[hendridm]

I remember NetGear was also guilty of this for DDoS'ing the University of Wisconsin.

Re:I don't see that.

[hosecoat]

hey chef, the tails of shrimp are not food, cut them off.

No, they're not food. They're handles.

but why do they leave the tails on in pasta or pad thai.

Re:I don't see that.

[nacturation]

So what you do is modify the site to respond to Java 1.6 clients with an IP address of the FBI for example. I'm sure hilarity will ensue.

Re:I don't see that.

[QuantumG]

exactly.

I know a few chefs and have asked them, the reasons:

1. that's how they were taught to do it
2. they think it is better "presentation"
3. it makes the shrimp look bigger

so not only are they being annoying, they're also being dogmatic, pretentious and deceitful.

Translation:

[rtechie]

"Our new security company, Nemean Networks, has developed a new IPS technology that will cure cancer and raise the dead."

What's with this blatant ad? When and if they ship a product or release their technology, we can talk about it. But right now it's just a bunch of hot air.

Re:Translation:

[crowbarsarefornerdyg]

A politician started this company?!

Re:Translation:

[sumdumass]

This isn't as much a blatents ad but a cover your own ass thing. The guy supposedly making this product realizes that if he can think of it, anyone can. He thinks that it might not be his superior intellect but the circumstances of the times pointing to an obvious solution.

SO he gets the word out that he is on top of this. Going to release a product and Blah Blah Blah. What it does is show that the obviousness was because he pointed it out. This makes it unique that he might obtain a patent and so on. In 5 years when the USPTO gives him a patent and 25 competing companies want prior art, the searches show up that he is his own prior art. That he was working with and on the stuff before anyone else.

So it is basically a CYOA with a little Bragging mixed in.

Re:Translation:

I wish people who don't know about stuff wouldn't post as though they did.
And I really, truly wish moderators wouldn't mod stuff up, that is just plain wrong.

Listen, for a community that likes to talk about patents a whole lot, we really need to take some time and understand them.

You cannot get a patent on anything that has prior art. ANY prior art. Your public disclosure does just as much to destroy your ability to get a patent as anyone else's. If this guy just described anything new, that he hasn't filed at least a preliminary application on, he cannot get a patent.

The only protection making a public disclosure would give him, would be that no-one else could later try and patent it, either. But after a public disclosure, NO-ONE, including the person making the disclosure, can get a patent on the idea.

If you want to get a patent on something, then the CYA behavior is to FILE for a patent. Now, I cant guarantee what is or isn't this guys motive in getting this article published. But attributing stupidity to someone, and suggesting that they are doing something to affect their patent standing, when what they are doing just destroys anyones patent standing, implies that patents work in a way they don't. IE a wholesale misunderstanding of how prior art works. Not that people here really seem to understand patents (mostly they seem interested in griping about what is in a description, instead of discussing the claims). Still. I wish that kind of crap wouldn't get modded up.

So in other words...

[Icarus1919]

People still have to install it and use it, correct? If so, then why do we believe there aren't going to continue to be hundreds of thousands to millions of users out there who don't give a damn, like there currently are? How is this much of an improvement over the current state of things?

Re:So in other words...

[QuantumG]

Nope. It's an IDS. The ISPs would run it and either inform subscribers that their machine is owned or block the attack traffic.

Not that this is a very easy sell.. but it is in the interests of the ISP, as spam and DDoS continues eats up their bandwidth.

Re:So in other words...

[Joebert]

So we just have to randomize what the attack traffic looks like ? Doesn't sound too hard.

Re:So in other words...

[QuantumG]

Well, ya know, it really doesn't seem *hard* to me to make an IDS which understands protocols and detects when a particular communication fails to conform to it.

          220 foo.bar.baz.MIL (Well hello there)
          EHLO so.i.say.mil
          250-foo.bar.baz.MIL offers THREE extensions:
          250-8BITMIME
          250-PIPELINING
          250 DSN
          RCPT <exploit@blah.4312&<*~EYN%#^H$%Y$H$W#UJSFBSZCDT^^^&^&##$%FGE#$%$$$$$$$$$$$!/bin/sh$@!#>
          # id
          uid=0(root) gid=0(root) groups=0(root)
          # cd /home
          # ls -l
          drwxr-xr-x 4 steve users 4096 2007-05-01 18:26 steve
          drwxr-xr-x 4 bob users 4096 2007-05-01 18:26 bob
          drwxr-xr-x 4 tony users 4096 2007-05-01 18:26 tony
          drwxr-xr-x 4 anne users 4096 2007-05-01 18:26 anne

pretty obvious that the server didn't reply to the RCPT request correctly isn't it?

Re:So in other words...

[penix1]

but it is in the interests of the ISP, as spam and DDoS continues eats up their bandwidth.

You seem to be of the impression that ISPs care about bandwidth. Here's a clue-by-four for you...

They don't.

In fact, they want as much bandwidth being eaten up as possible to support their claims of "teh tubes are clogged!!!111!!! We need to get evil Google (YouTube) to pay more since they are obviously the cause!" to Congress.

Re:So in other words...

[FooAtWFU]

Well, ya know, it really doesn't seem *hard* to me to make an IDS which understands protocols and detects when a particular communication fails to conform to it.

Snooping all your outbound SMTP (+etc) traffic to validate that it's conforming to a certain protocol is somewhat resource-intensive. The protocol validation would need to be very, very, very good, or it would be liable to catch all sorts of garbage: there's no shortage of slightly-wrong products out there. (It's not just Microsoft either). Not all communications that you expect to be a certain protocol actually are - and they may be some extended version of the protocol. (Watch WebDAV over HTTP.) Not all protocols are trivial to validate in this manner. Not all exploits require a breach of a certain protocol. (Watch for some of the PHP exploits that you can send in a perfectly valid HTTP POST). Not all exploits are synchronous like this one. And, finally, privacy can be an issue.

It's not impossible, but it is hard, doubly so if you intend your product to be a good one... and the utility may be rather marginal.

Re:So in other words...

[Joebert]

Aren't exploits crafted to conform to protocols though ? Seems that untill the screener knows the application can not handle certain instances of a protocol, it would assume they're safe.

Getting installed on the system isn't the hard part, people willingly listen to Britney Spears for cryin out loud.
Once on the system, multiple communication applications could be used to communicate from zombie to zombie. Why would anyone suspect that the random person sending them an IM was actually a front for zombie communication ?

Re:So in other words...

[ILuvRamen]

that's exactly why I like my idea better. Get all massive ISPs in the US to get in on this one so no home user has to do much preventative. You find out what just got attacked by let's say the storm botnet. ISPs check their logs and see who tried to contact the victim IP more than 100 times in a minute. Then send em a warning e-mail telling them they're infected and give instructions on what to do to fix it. They could even e-mail them popular removal tools. If they don't do it, disconnect their internet. The only apparent problem is massive fake warning e-mails with virus attachments posing as removal tools but there are ways around that too.

Re:So in other words...

[xactuary]

That brings up a point for me, which I've always wondered about. Couldn't someone release a virus that fixed everybody's PC? Somehow I don't ever expect to hear myself saying "I, for one, welcome my PC-fixing viral overlords!"

Re:So in other words...

[cp.tar]

Besides, even if we got rid of spam, and the bandwith was freed, we normal users wouldn't see a bit of difference.

Re:So in other words...

[mcrbids]

Obvious to us, with our incredibly powerful pattern-matching brains. But while it's easy to write a program to look for this specific example, programming a machine to recognize this without some kind of advance programming/configuration is nothing less than AI.

It will, I'm sure, be done/possible eventually. But based on my understanding of the field, we aren't there, yet.

Re:So in other words...

[db32]

Somewhat resource intensive mattered 10 years ago. When my phone has the same processing power that an F-16 uses to fly...well I think the resource intensive debate is getting silly. Yes it is intensive, but the machines we have today aren't exactly short on the resources to make this extremely capable. In fact Sidewinder firewalls already do a good deal of this type of stuff. To the best of my knowledge they are the only proxy based firewall floating around commercially right now. Packet Inspection took off because it took less resources...and now they just slap more wizbang nonsense feature on top of these types of firewalls to make use of the excess resources. Now we have those resources and so many people are still trying to make packet inspection better rather than going back to the better design that we now have the resources to effectively implement.

All it needs is just one bit.

[140Mandak262Jamuna]

All packets originating from botnets must set the malicious bit to 1. That is all. Then the system is 100% foolproof.

Talk by Paul Barford

[QuantumG]

Title: Toward Self-directed Network Intrusion Detection and Prevention

Abstract:

Network attacks and intrusions have been a fact of life in the Internet
for many years and continue to present serious challenges for network
researchers and operators alike. The objective of our work is to develop
tools and systems that automate or otherwise enhance key activities of
network security analysts. In the first part of this talk, I will describe
our malicious traffic assessment activities using our Internet Sink
(iSink) system for dark address space monitoring. iSink is a highly
scalable system that includes both passive packet capture and a set of
stateless active responders that enable details of exploits to be
captured. Our results illustrate the variability in the traffic on dark
address space and the feasibility of efficient classification of attack
types. I will also describe how data from dark address space monitors can
be used to provide near real time network "situational awareness" for
security analysts. iSink data is also the basis for our Nemean system that
automatically synthesizes signatures for intrusion detection. Unlike
standard intrusion signatures, Nemean's signatures are protocol aware
which we show greatly enhances their resilience to false alarms. I will
describe Nemean, and conclude with a brief description of our current
activities in adapting Nemean into a real time intrusion prevention
system.

Where: Grad. Lounge

When: Thursday 27th Oct 2005 11 am.

2 years from lab to startup, not bad dude.

Re:Talk by Paul Barford

[44BSD]

The article touts Barford, but it looks as though this is one example of similar work that various researchers have been pursuing for years. Folks at CAIDA, Arbor, and Team Cymru have been talking about darknet design, construction, and use for a long time. This project seems to fit into that space quite nicely, but TFA is a damn press release, so naturally it is useless and devoid of context.

Re:Talk by Paul Barford

[Harmonious+Botch]

It only took a month of work, but this is the first we've heard from them because the've been DOSed to oblivion by botnets for the last two years.

Re:Talk by Paul Barford

[shmlco]

Worse, it looks like they formed the spinoff company AFTER doing most of the developmental work while at the University. To quote, "Nemean was developed and tested on the Wisconsin Advanced Internet Laboratory (WAIL), a unique test bed for examining complex behavior on the Internet."

Your public tax dollars at work once again.

Re:Talk by Paul Barford

In fact, this behavior is encouraged by UW--Madison, and rightly so.

UW--Madison allows the researcher to own the patents, and in essentially all cases, the licensing proceeds and some profits are voluntarily donated to the Wisconsin Alumni Research Foundation (WARF), a 3rd-party organization founded and maintain by researchers at the university for exactly this purpose.

This attitude can be summarized as "We trust our researchers, and we want to see their research become useful outside the ivory tower."

The WARF generates a huge amount of money which is then donated back to primary research at the university. It is the single reason why UW--Madison is consistently a leader in biotech, especially compared to other big state universities.

Re:Talk by Paul Barford

[shmlco]

Sorry, but I don't agree with the "rightly so". Public tax dollars help fund research which when proven out is then spun off to private companies, and it's "right" because those companies throw a bone or two back to the univerisity?

If they really "want to see their research become useful outside the ivory tower" then place it in the public domain and let EVERYONE have access to it. I assure you the patents will find more uses than if they're harbored inside a single company.

It's called...

[Eevee1]

Hello Slashdotters! I have made a new invention as well! It's called "Removing Plug from Wall!" With my new invention, nobody will have to worry about botnets, spammers, trolls and those pop-up ads ever again! Until you plug it back in!

One more thing

How about certain thing named Common Sense to be added to the list?

Screw that!

This is the problem with the education system in the US... This guy can use public funds and time at school to come up with something that he will then sell commercially. Bullshit - it should be open-sourced. Why should people at university get the benefit of tax-payer funding and turn it into self-gain? While I hate big government, regulation in this are is a must. Any developments coming out of tax-payer funding should be free and open to all. It disgusts me to see universities patenting things or doing things like this. Just like any government subsidized company (drug industry, transportation, etc) - should all be non-profit, for the good of all, not just the good who can afford it and the exclusion of those who paid for it thru taxes and now cannot afford it.

Re:Screw that!

[PopeRatzo]

I agree with the sentiment, but I don't believe that any idea that someone has while they're in school has to be open source. If the federal government is funding a research project, then yes, it should be open source. But it would be a bit restrictive to force every student who comes up with a bright idea to give his work away.

I wrote a book when I was a grad student. Should I have been forced to give it away? I was in a state grad school at the time and the bulk of the cost of my education was indeed funded by the public, but I did the work.

As far as technical advances go, I have no problem with universities patenting the results of their research. In an age of shrinking public funding for higher ed, it's one way to pay the bills.

Ultimately, it's up to the person who came up with the idea whether or not to release it as open source.

On the other hand, I think patents should be for a much shorter period, non-renewable, and non-transferable to anyone but the person or organization that made the innovation. They'd still have plenty of incentive to create, but important technologies (or IP) don't get locked up forever.

Re:Screw that!

No, I meant that when the government on any level is funding, in whole or in part, a project of any type, the results should be open and free. Your book is your's unless you did it on governmental paid/sponsored time at university.

And patenting them - not if they are funded by the government. Unless they offer free and unrestricted access to that tech to anyone - private citizens and corporations both pay taxes and should stand to gain equally. I would say in the case of a funded advance, the patent would be more to protect it from other private entities from patenting it after the fact.

Yes, patents are way to long. But that's another issue that won't be solved in our lifetime.

This whole system is f*cked. If RMS wants to do some good, he'd tackle stuff like this. I wholey believe in capitalism, but this has nothing to do with capitalism - more a broken loophole that the government needs to close for the good of it's people - the ones paying for that research and paying again for the results. Like double-dipping taxation. Up for another Boston Tea Party anyone? ;-)

See spot run. Run Spot! Run!

[buss_error]

Gee. Lookit this big bad threat.
Boo! Botnet! Boo!
Bad Botnet! Bad! Bad! Bad!

We can save you! We have Patented Technology!
All Hail our most Holy Precious Intellictual Property!
Hail IP! Hail! Botnet! Boo!

OK, can some one 'splain to me Lucy why this obvious and fact lacking
bit of pre-IPO spin made it to SlashDot? Is there anyone that can tell me
excactly how technology that allows for 99.9 percent accuracy with zero false
positives actually works? Remember, we're talking millions of infected botnet
systems with ZERO false positives. Make millions of ANYTHING and you're going
to have a few errors here and there.

This is great if it's true, however, I'm highly skeptical without more hard
facts that this is anything other than vaporware and high hopes for an early
buyout. Gee! FOUR patents!

I'll bet I could get four patents on a process to pick my teeth with a toothpick.
Not that I think it honest, you understand...

Re:See spot run. Run Spot! Run!

[martin-boundary]

You should definitely get those four patents on picking your teeth. I think Darl McBride might buy them off you if you tell him they're Linux related.

Re:See spot run. Run Spot! Run!

Is there anyone that can tell me excactly how technology that allows for 99.9 percent accuracy with zero false positives actually works?

Sure. You start by asserting that it's never wrong, then you arrest anyone that it fingers. Anyone who manages to escape conviction did so because they had an expensive lawyer get them out of it on a technicality. See, no false positives!

Coming soon to a wiretap or grocery store near you!

Re:See spot run. Run Spot! Run!

[buss_error]

You should definitely get those four patents on picking your teeth. I think Darl McBride might buy them off you if you tell him they're Linux related.

.

Well, Darl is a bit short of cash right now, seeing how he's busy transfering a patent to cattleback and all. And, oh, My, we forgot to pay anything for that transfer! Ooops! OUR BAD! Please let us make it right and do it now we've filed for bankrupcy! We'll just move anything of value out of SCOX and leave it with nothing but the bills while we move anything of value out to other subsideries.

About as obvious a a cat trying to cover up "business" on a tile floor. Problem is that the cat's business is far more honest than SCOX's "business", and about as transparent. The problem with stupid people is that they think we are dumber than they are.

It's always such a shock to them when they find out others are more intelligent than they are. Why, they are simply INDIGNIGANT and DEMAND we dumb ourselves down to their level. I'd oblige, but I don't have that nifty little MP3 player on my hip with the endless loop of "Ok, now INHALE......OK, now EXHALE.......INHALE........EXHALE......"

Sadly, this estimation of common IQ really isn't all that far wrong. As evidence, I submit the 2004 "elections".

Re:See spot run. Run Spot! Run!

[Alari]

> is there anyone that can tell me excactly how technology that allows for 99.9 percent accuracy with zero false positives actually works?

As a thought exercise I tried to figure out how. This is what I came up with: Set up a secure monitoring server on some random isolated IP address, no DNS name pointing to it or anything. If something connects it's probably malicious, especially if it tries to get all gay with the various known-to-be-vulnerable ports. Propigate that IP to the ISP/company routers' blacklist.

Re:See spot run. Run Spot! Run!

[Sancho]

This has been done. Search the web for "honeypot."

And malware authors work around it by probing. If they suspect that an address in a network is used for a honeypot to blacklist any IP that touches it, then they do a simple binary search to find out which addresses are used, then they stop hitting those addresses.

Of course, that's only for searching out vulnerabilities with a worm that automatically propagates. How would you get the same statistical results, only when the attack vector is spam containing a link to a trojan? Read up on Storm Worm before you answer, as it works around the obvious solutions.

Re:See spot run. Run Spot! Run!

[buss_error]

This has been done. Search the web for "honeypot."

And see exactly what? That someone is running honeypots? I don't need to look to know that, I run honeypots myself. I've more than two dozen sytems running multiple VM honeypot software from home grown to open source to closed source IDS'es. Let me be clear: I currently run $many to $shitpots of honeypot systems, with Sun boxen, AIX boxen, and WinTel platforms. Mostly these are "spares" to use when a production system goes down. It's a way to keep them "warm" and tested to be sure they run correctly.

And malware authors work around it by probing. If they suspect that an address in a network is used for a honeypot to blacklist any IP that touches it, then they do a simple binary search to find out which addresses are used, then they stop hitting those addresses.

One or two MIGHT. I, however, find that those running bot hearders are not sensitive to time constrants over fifteen minutes or so. Sure, there are a bunch of spammers that react to a reject on the second spam; however, there are far fewer that react to a block that takes place after the 500th. (and 2-500 are not delivered nor bounced, but held for later review.) And this ignores the vast majority of hardend spammers that tend not to send more than one spam per IP to identifiable IP space. In my case, I have several allocations that do not obviously tie back to me, consequently, I see this more than perhaps others do.

Of course, that's only for searching out vulnerabilities with a worm that automatically propagates. How would you get the same statistical results, only when the attack vector is spam containing a link to a trojan? Read up on Storm Worm before you answer, as it works around the obvious solutions.

And just by the way, I assume you know that a TCP-RESET can be forged from elsewhere, right? And that an effective way to prevent packet exchange is with a TCP-RESET, right? I'll leave even more esoteric spoofing and devious deeds for another conversation.

You are attempting to teach grandpaw how to suck eggs. (And why would anyone want to suck an egg? Burr!) You can assume any level of incompentence and disregard to details you'd like. One thing, however, stands out. I STILL havn't heard how this most Holy IP with attendant patents will serve to protect my networks. I DO see a lot of finding of fault where my methoids are not known, assumptions of ignorance or lack of expertise, and no more hard data on what I'm doing wrong.

At this point, my sole critizism has been a lack of information. My sole observation is that a lot of vendors promise the moon and the stars, and I fail to see how this vendor distinguishes themselves from the pack of lies, smoke dancers, and vaporware peddlers out there. I'm not saying they are such scum, I'm saying I don't see anything to lead me to believe their claims from a non-biased standpoint.

I'd be wild with joy if even half of what is claimed can be proven. However, I see a lot of claims, but I don't see a lot of proof, evidence, or independant review. So while I can continue to hope for the results of the technology, don't expect me to get behind it by writing a check for it until I have some evidence I'm not buying a pig in a poke.

I alread have lots of pokes, and lots of pigs. And case after case of lipstick for the pigs. Pardon me for being a bit gunshy.

Re:See spot run. Run Spot! Run!

[Sancho]

I'm confused as to why you responded to me. The person to whom I was responding did not seem to know what honeypots are. If you'll go back to my post and click "Parent" you'll see that I was replying to comment 21304407 (User Alari.)

I agree that lots of wild claims are made, and I'm skeptical, too. It would be nice if there was more information.

Re:See spot run. Run Spot! Run!

What the hell are you two talking about? Thanks for sharing your babble.

Re:See spot run. Run Spot! Run!

[Alari]

I know what honeypots are. Didn't I pretty much describe them? =)

Re:See spot run. Run Spot! Run!

[Sancho]

You did pretty much describe them, though you presented it as an idea you'd just come up with. As such, I figured you might be interested to know that a) they've been done, b) they've been heavily researched, and c) they're being bypassed by botnets.

Re:See spot run. Run Spot! Run!

[Alari]

I'm aware of what honeypots are, and that they're not perfect. Someone was basically saying that they couldn't imagine anything even remotely close to what was being described in the article. I was responding to them, with something remotely close. ;) (I was under no illusions that it was an original idea, I think whatever I was going for didn't translate well to text, my bad. =)

commercially.

[memnock]

if the botnet thing is that serious, wouldn't it be a better solution if it was free?

i'm not trying to say it HAS TO be free. hell, most of the people that have compromised machines won't know they need the software and where to get it, free or commercial or whatever. just kind of wondering out loud is all.

Re:commercially.

[PrinceOfStorms]

Not necessarily. If the solution was free, some (and I'm not saying all) users/managers wouldn't take it seriously. Charge them for it, and they'll want it, install it, run it, update it, whatever in order to justify spending money on it. Make it free and for some of them they'll consider installing it, and if they get that far, forget about ever running or updating it. For these people, free=worthless.

Re:commercially.

[memnock]

i see your point.

You cannot do that.

[khasim]

That would mean that the ISP's would be BLOCKING traffic based upon his system.

Yeah, like that will go over well.

Not to mention that, AGAIN, the most commonly used protocol in infecting those machines is HTTP (with SMTP being a close second).

Just install VISTA!

[The+Bandit]

I though some of the hype Micro$oft was chattering about was how secure Vista was. Shouldn't the maker of the operating system take some steps to secure their product before calling it secure? Or maybe the real problem is in the routing. Can't routers become more smart to know what packets are real vs packets from botnets?

Life just seemed so much simpler back in the good old Commodore days.

Let me see if I've got this straight.

[rindeee]

I buy Windows AND this new stuff (developed at a publically funded U.), and THEN I'll have a safe PC that I can utterly neglect and still feel responsible? Great...fantastic.

I have an idea!

[jhfry]

Why don't isp's implement firewalls at their end that effectively eliminate all traffic except those protocols demanded by the user.

It would be relatively simple to create a web page that could enable/disable these protocols... the page would know which IP, as you would be connecting from it, and could be protected by a simple captcha or password to make it difficult for malware to enable these protocols itself.

Obviously, the user could disable all filtering if they so desired.

This solution would prevent a ton of issues for most users, while still allowing those of us who are wise enough to monitor our own systems to enable everything ourselves.

In addition, why don't ISP's notify the user if they suddenly see an unusual amount of traffic on an unusual port or protocol... a simple email to say "we are seeing IRC traffic on your connection, you have never used IRC in the past. Some malicious software communicates via IRC protocols which may cause this unusual activity. Please read this linked article if you would like to know more."

I realize that most of us would rather our ISP stay out of our online activity... however I feel that if they actively participated in preventing the spread of malware on thier customers machines, they would not only increase customer satisfaction, but reduce the bandwidth being wasted. At first it would be an expense, but as the network was cleared of wasted traffic it would eventually pay for itself.

Re:I have an idea!

[fireboy1919]

Of course, they couldn't actually do this on a *per user* basis because the main hub routers aren't even close to powerful enough, and adding that would be astronomically expensive (it would never, ever pay for itself. It'd be better to just lay down fiber to get more bandwidth).

They could up the bandwidth and do it that way.

The *much, much* cheaper way would be to just configure the routers that come with the DSL and cable modems to be more restrictive by default and tell the users to change the settings themselves.

I wonder why they don't do that?

Re:I have an idea!

[feepness]

The *much, much* cheaper way would be to just configure the routers that come with the DSL and cable modems to be more restrictive by default and tell the users to change the settings themselves. Cheaper for who? You gonna take the tech support calls? ;)

Seriously, have them change the default password first and put it on a sticker on the box.

Re:I have an idea!

[140Mandak262Jamuna]

The compromised computers are running malicious code installed by the bot boss. Anything doable by the user is doable by the bot boss. They probably run cron jobs to reset the router settings to disable all filtering and exposing all the ports etc. Most users of the compromised computers don't know, or they don't care their computer is running malicious software.

Re:I have an idea!

[fireboy1919]

Anything doable by the user is doable by the bot boss.

Not reading a sheet of paper. You know...the one that will come with the installation that has the randomly generated key for the password to access the router?

There isn't one now, but if you're going to be doing this to stop hackers, then you'd (obviously, as you point out) want to do this.

Re:I have an idea!

[fireboy1919]

I will be more explicit. It is much cheaper to put per-user routing restrictions into the DSL or cable modem than it is to put it in the neighborhood level or higher level routers.

Whether that saves enough bandwidth to be cheaper TCO, I'm not sure, but that's not really what we were discussing. I get the feeling you were talking about implementing versus not rather than the type of implementation, since the support calls would be about the same whether you went to a website that's actually running on your router to do the admin or one that's actually on the local network router.

Re:I have an idea!

[patrikor_007]

nah, i don't need my isp to tell me how much porn i look at ;)

Re:I have an idea!

[VENONA]

"Why don't isp's implement firewalls at their end that effectively eliminate all traffic except those protocols demanded by the user."

At ISP scale, the vast majority of common ports are used for legitimate traffic by someone. That's what makes them common ports. :)

"It would be relatively simple to create a web page that could enable/disable these protocols... the page would know which IP, as you would be connecting from it, and could be protected by a simple captcha or password to make it difficult for malware to enable these protocols itself."

Why would you want to move this functionality from equipment under your control to something under the ISP's control? This is available on tons of broadband routers now, either cable modem, or DSL.

If you've never seen this, perhaps you have older gear, and you might want to call your ISP. I know some of them are always trying to get customers to upgrade, because the newer gear gives them more of an opportunity to sell more expensive services, whether that be higher speed, or whatever. Who knows, you might be able to upgrade at no cost. It can't hurt to check.

Re:I have an idea!

[jhfry]

I am not thinking of myself but the neighbour who has no firewall running (unless you count XP's software firewall), no method of monitoring/restricting outgoing traffic, and wouldn't have the faintest idea what to look for to determine if her machine had been compromised.

I am more concerned about outbound traffic as it relates to the article in question... if the ISP prevented everything but http(s) traffic by default and you had to manually enable other forms of traffic by visiting a website and selecting the protocol/application in question, they could prevent your machine from sending anything OUT as well as blocking incoming garbage.

I don't know the best solution... only that ISP's COULD and probably SHOULD look at ways of making it safer to connect to their service.

As long as they don't restrict what a knowledgeable user can do of course!

Re:I have an idea!

[Xenoflargactian]

The protocol filtering won't fix a thing, unfortunately. The bad guys will then just switch to using common ports (80, 443, 21, etc) to control their botnets. It would also create a usability for lay users. Imagine "I bought this just-released game, but I can't connect to the multiplayer system." Most users would be clueless.

I like the unusual traffic notifications. It reminds me of the credit card companies' notifications about odd purchases, except the volume of traffic to monitor would be several orders of magnitude greater than those of the CC companies. A drawback of this approach is that the ISPs would then need to keep track of which protocols each of their users used, when they used them, how often, etc. This information would be ripe for subpoena by law enforcement, effectively defenestrating privacy.

Not only that, but there are NO details.

[khasim]

I can accept an ad that describes the advances. This article says NOTHING.

And the claims he is making do NOT fit with how machines are infected or how the zombies are used.

Intrusion Detection Systems are based around knowing YOUR traffic. And finding patterns that do NOT match what is normal for your network.

They include patterns for known exploits ... but there are an almost infinite number of patterns for exploits.

But there SHOULD be a finite number of LEGITIMATE patterns on your corporate network.

Instead of claiming "new" ways of "faster" identification of "bad" stuff, a real improvement would be faster identification of LEGIT patterns.

I'm thinking "snake oil" here.

Re:Not only that, but there are NO details.

[skoaldipper]

A huckster in our midst? Let's see.

"Botnets represent a convergence of all of the other threats that have existed for some time,"

Scared of rickets? You, sir. Step right up here.

One of the most menacing aspects of botnets is that they can go largely undetected by the owner of a personal computer.

Folks, you might not feel sick today, but that's no guarantee you won't feel sick tomorrow.

Nemean is based on four distinct patents that are either filed or are in process with the Wisconsin Alumni Research Foundation (WARF).

No matter what ails ya, Professor Nemean's original. medicinal, remedial, compound exlixir is patented and irrevocably guaranteed to...

The innovation with Nemean is a method to automatically generate intrusion signatures, making the detection process faster and more precise.

boost your bends, target your temperature, and positively palliate your particulars. Yes, folks...

"The technology we're developing here really has the potential to transform the face of network security,"

this age-defying, mystifying, wiz bang fandangle will cure everything from flakey skin to original sin.

Only two bits a bottle. Worth a dollar a drop! Step right up! Step right up!

Snort!

[khasim]

I use Snort on our company network and I have absolutely no problems with it. I don't see how anything else could be better.

But then ... I also do things like block out-bound SMTP from anything other than my mail server and check the logs to see if anything is happening.

There's not enough info in that "article" ("ad") to say whether his work is even as good as Snort. Let alone better.

Ahoy! Press release!

[martin-boundary]

Where does Roland Piquepaille find all these contentless press releases? No facts, no explanations, pie-in-the-sky false positive claims, unnamed competitor systems...

Does he think slashdot readers don't read the article or something?

Re:Ahoy! Press release!

[Brian+Gordon]

Apparently you didn't..

it has zero false positives when commercial systems have high numbers

Heh

Re:Ahoy! Press release!

No, he just knows that the editors won't.

Let's look at this logically.

[khasim]

Someone who isn't going to patch his mail server is going to install this new IDS? Correctly? And keep it patched?

Now, what if the mail server is responding with a "user not found" error in a multi-line format? Does that trigger your IDS?

If not, why? Or are you going to set patterns for EVERY possible, legitimate, response so you'll be able to find the ones that don't match it?

Yeah, good luck with that. You should start working on it now. Maybe in 10 years of so you'll have caught all the possible legit patterns for everything available today.

That is why current IDS's depend so much upon the ADMINS training the IDS's to what is LEGIT traffic for their particular network.

Which yields a LOT of "false positives" in the early stages (and immediately after upgrades). But if I'm running Exim4, why should my IDS be looking for patterns of Exchange responses? Or Sendmail responses? Or anything else?

Despite what that guy claims, there is no easy way to identify the bad without having a person identify what is good.

BotHunter, anyone?

[AgentPhunk]

A free/open-source tool called BotHunter has been available for a while now. Sounds like maybe the guy in TFA is just going to copy and sell their ideas.

http://www.cyber-ta.org/releases/botHunter/

From the site: BotHunterTM is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter. BotHunterTM is a passive traffic monitoring system, which ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of in and outbound dialog warnings are found to match BotHunter's infection dialog model, a consolidated report is produced to capture all of the relevant events and event sources that played a role during the infection process.

There's also a great PDF available showing a full dissection of a Storm variant.

false positives

[1u3hr]

FTFAdvertisement:

Hackers have become so adept at disguising malicious traffic to look benign that security systems now generate literally thousands of false positives, which Nemean virtually eliminates. In a test comparing Nemean against a current technology on the market, both had a high detection rate of malicious signatures 99.9 percent for Nemean and 99.7 for the comparison technology. However, Nemean had zero false positives, compared to 88,000 generated by the other technology. Sure, but if his system went into use, the "hackers" would quickly adapt and it would not be any better than current systems. Lots of anti-spam ideas work fine for the originator, but when they become common enough to bother the spammers, they target them.

Mod parent up!

[martin-boundary]

I'd mod you up myself, but I've already commented today!

Re:Mod parent up!

[martin-boundary]

(for the humour impaired, the comment immediately above is meant to be ironic.) There actually are no verifiable facts in the linked to article. The quoted statement

it has zero false positives when commercial systems have high numbers

is meaningless drivel, since the commercial systems aren't named and the supposed testing procedure and experimental data is not described and certainly not controllable by others.

Instead this is a content-less advertising press release (as can be easily seen by noticing that the source is the UW-Madison "news" page, which is meant to give alumni and other potential cash donors a warm fuzzy feeling about the achievements of the university). Such press releases rarely have anything concrete in them, because that would allow competitors and critics to point out flaws and wild claims, thereby ruining the effect.

Unworthy article

[flyingfsck]

Bah! This article isn't even worthy of Digg. Is Roland on their payroll maybe?

doomed to failure

Apple is going to rape them.

Is this prior art?

[khasim]

http://seclists.org/focus-ids/2003/Feb/0031.html

And that is with 30 seconds of Google searching. I thought I had heard of that concept before.

Search Google with "worm 'protocol validation'".

That's the fault of the developers.

[khasim]

They tend to test against a VERY limited set of threats.

And since their product is based upon defeating that very limited set of threats ... it does amazingly well against that very limited set of threats. Mostly because the set of "good" is also very limited.

The concept of protocol validation is good. But not for an IDS. It is better as part of the firewall protecting that server running that service. BUT! That also means that it needs to be able to shut off access to that server when it sees ANYTHING it doesn't understand.

Can you say DoS?

Otherwise, it's nothing more than a warning AFTER you've been cracked. Because it is possible to crack with one machine and control with a different one.

Great

[causality]

I love the way we keep coming up with all these band-aid solutions that attack symptoms without addressing the root cause, just because the root cause is non-trivial.

There are really only two reasons why botnets and their associated malware have become so prevalent. All other apparent causes stem from these two reasons:

• The Windows monoculture. When this accounts for over 90% of all desktop installations, it's much easier to write a single worm/trojan/virus/etc that can single-handedly infect many thousands of hosts. This greatly reduces the number of vulnerabilities that need to be targeted and the knowledge necessary to exploit them on a large scale, which is a situation that favors the blackhats tremendously. If nature handled genetics this way, then the first lethal contagious disease to come along would destroy civilization. There are good reasons other than their business practices why the Microsoft monopoly is a bad idea. No matter how hard they work to improve security, there will be vulnerabilities, and due to this monopoly any single vulnerability will instantly affect millions of hosts. If you want the Internet overall to be a more secure place, this is not a good start. I believe this would be the case with any single vendor controlling this much of the market. Consider also that security is not the only selling point of Windows; convenience and "easier to use than EVER!" are also major factors and (especially convenience) are not compatible with security. The boilerplate nature of most commercial software is also a factor here.
• The lack of education of the average user. I don't really know whether this is more or less difficult to address than the first item. The fact is that most users don't give a damn about security, at least not until their identity gets stolen or their data gets deleted or $AUTHORITY_FIGURE knocks on their door asking why their machine is attacking other machines. This appears to be because they don't see their security as their responsibility; they feel that this is entirely $VENDOR's problem. That they would feel this way is a foreseeable consequence of widespread "more convenient and easier to use than ever!" marketing, since this sets up the expectation that it will Just Work with no effort. While it would be easy to blame this on Microsoft since they have profited handsomely from it, I personally believe that this is an aspect of our general instant-gratification culture that effectively says nothing is worth putting any time and effort into; Microsoft merely had the business sense to realize that catering to it is the path to profit. It's difficult to seriously blame a company for doing something when nearly everyone is rewarding them for it. Because of this, if you try to educate people regarding things like system security, what you will find is that not only are most users ignorant, they don't WANT to learn. They see "all that technobabble" as an inconvenience, yet they insist on using equipment that requires some technical skill to properly maintain. This is something of a Catch-22 because Microsoft would build a much more secure Windows if no one would buy Windows otherwise, but average users with little technical skill are not going to create this kind of market.

Just like after-the-infection virus and spyware removal tools, this botnet detector is NOT a real solution, it's a form of damage control and should only be represented as such.

What I really want to see a long-term plan for dealing with those two points. Until these factors change, we are going to keep having the same kind of problems again and again as the arms race between blackhats and whitehats continues. You are never going to have perfect security, but the current situation where one piece of malware can do tremendous damage on a massive scale is a situation that many people have worked very hard to bring about. Too bad that in a superficial society like ours, we have a huge phobia of actually addressing the roots of our problems because we keep hoping to find some form of an "easy way out" of situations that took a long time to become what they are.

Re:Great

[maxume]

How far are people willing to take the monoculture analogy? Nature doesn't have the ability to make iterative improvements to existing individuals, and the magic wand of software updates is a lot more magic than the magic wand of modern medicine.

Even if you posit that something like 100 different operating systems would make any sense, by the time you have 1 billion computers connected together, a flaw in any one of those operating systems gives you access to some big chunk of 10 million machines. That's still an awful lot of resources to be chasing after.

The economics of targeting Mac platforms have apparently become good enough:

http://www.f-secure.com/weblog/archives/00001312.html

so I don't think I'm way off base here.

User education is getting easier; people that have any sort of investment in their data and setup usually don't want to lose it a *second* time.

If networked computers didn't come with all the new problems that they come with, they would likely be awful boring to use; I'd bet that many of the security problems of today turn out, in hindsight, to be little more than growing pains.

Re:Great

[causality]

How far are people willing to take the monoculture analogy? Nature doesn't have the ability to make iterative improvements to existing individuals, and the magic wand of software updates is a lot more magic than the magic wand of modern medicine.

It's just an analogy; once its point is made, it's no longer useful. Take it as far as you like.

Even if you posit that something like 100 different operating systems would make any sense, by the time you have 1 billion computers connected together, a flaw in any one of those operating systems gives you access to some big chunk of 10 million machines. That's still an awful lot of resources to be chasing after.

The economics of targeting Mac platforms have apparently become good enough:

Okay, let's assume 100 different OSs in common use as you are saying here. The idea is not that none of them have exploits, or that 99 of them being secure means nothing if one is exploitable. The idea is that they each have different exploits, and what allows you to root one of them won't gain you any access on another. The reason why botnets have grown so large is not because a vast army of human beings has launched personal, targeted, hand-crafted attacks against individual machines. Botnets have grown so large because a single automated piece of malware can self-propagate with a success rate that is far higher than it should be. I did not claim that more OS variety would be some perfect, ultimate solution. What I am saying is that (in some ways) we are collectively behaving as though we wanted to make the blackhat's job as easy as possible, enabling write-once-run-almost-anywhere malware that allows them to do great damage with little effort.

User education is getting easier; people that have any sort of investment in their data and setup usually don't want to lose it a *second* time.

If networked computers didn't come with all the new problems that they come with, they would likely be awful boring to use; I'd bet that many of the security problems of today turn out, in hindsight, to be little more than growing pains.

I know you mean well with that comment, but referring to this as "growing pains" is tantamount to saying that it's normal and acceptable and couldn't have been any other way and gee-whiz I hope it gets better soon. To do so is to make an excuse for it. The reality is that almost all of it is caused by poor decision-making by people who could not be bothered to inform themselves because making better choices was not worth the effort (to them). All I am saying is that this is a "garbage in, garbage out" scenario, and laziness is one way to do "garbage in". And yes, it is often laziness; you don't need to be a computer security expert to understand that executing binaries from unknown sources is a bad idea. Anyone who has ever truly pursued a goal that required extreme effort and dedication and discipline can understand that the entry-level book or two that the average person would have to read to be aware of most threats out there (which would vastly improve their security practices) is trivial. They don't WANT to learn; otherwise, they would be self-starters who do it on their own and practically nothing could stop them, certainly not an "its too HAAAARD" attitude.

Re:Great

[maxume]

My point about 100 OSs in common use was that it is the extreme opposite of a monoculture, and all it does is push the cost to infect and bot a given machine from the very cheap of a monoculture over towards cheap. There might be a sweet spot somewhere in between where the number of machines is balanced with the amount of code, who knows, but the success and propagation rates would likely still be high enough to make bot networks a problem.

I'm really not trying to make excuses for poor security either, it just isn't as clear to me that a bunch of security minded decisions made ten years ago would have given us the fairly incredible internet we have today, and all the problems that come with it(the problems may well be a feature of the relative level of freedom that exists). There are certainly things that could have been done differently that would have a minimal impact on the usefulness of the internet and a huge impact on its security, but I don't really cotton to the idea that my ability to see that things could be better makes the way things are 'bad'.

Re:Great

[causality]

I'm really not trying to make excuses for poor security either, it just isn't as clear to me that a bunch of security minded decisions made ten years ago would have given us the fairly incredible internet we have today, and all the problems that come with it(the problems may well be a feature of the relative level of freedom that exists). There are certainly things that could have been done differently that would have a minimal impact on the usefulness of the internet and a huge impact on its security, but I don't really cotton to the idea that my ability to see that things could be better makes the way things are 'bad'.

You raise an interesting point there, about whether the Internet would be the way it is now if security were a design goal from the beginning. I'm not sure if you are coming from a perspective of features-versus-security but it is an interesting thing to consider. I have to say that I honestly don't know, but there are other forms of "security" that have little to do with hardening hosts. For example, the only reason why anyone ever sends spam e-mail is because there is a small percentage of people who buy these products and make it economically worthwhile for the spammer. I put security in quotes there because spammers are actually using SMTP as designed (their botnets that send the SMTP messages notwithstanding -- spam was around before this was the case); it's more of an abuse of an open system that wouldn't happen if there were no economic incentive. Personally I think the real solution to spam is to treat the buyers as the cause of the problem, whatever that would practically mean (ideally education would be enough). If the incentive for spam were removed, one of the major reasons for having a botnet would go with it.

I don't mean so much that the way things are is "bad" as in morally wrong or anything like that. But I do believe we have already seen plenty of examples of why security matters throughout the years. The message is there for anyone who cares to get it. There is nothing recent or novel about the idea that some people like to exploit poor security practices and break into systems in order to harvest their data or take over their resources. This has been going on for quite some time and has steadily gotten worse for quite some time. It is reasonable to say that if nothing is changed, the Internet will continue to become an increasingly hostile network. When this is the case, I have to conclude that there is something fundamentally wrong with our priorities.

We are only growing more dependent on technology and networks as time passes. One way or another, this problem must be resolved. I would much rather see people start giving a damn about security and inform themselves and address the real root problems, than see the government-imposed alternative that we might get if this doesn't happen. If this continues to get worse, then at some point either your ISP will be required to be your online nanny, or you will be forced to obtain some sort of license to use the Internet by the same protect-the-public logic that requires you to have a license to use a car on public roads. While that second option might sound good, consider how little training and ability is needed (at least in the USA) to get a license to drive a car that could really hurt someone in meatspace -- how high do you think the standard will be for cyberspace? Nothing pleases a politician more than to let something become a crisis, go into "we've got to do SOMETHING" mode, and implement a half-assed feel-good measure that expands the size and power of government. What you get from that is CAN-SPAM, the DMCA, and the Patriot Act. I just don't trust them to get this one right either.

Re:Great

[maxume]

Plenty of people that are worried about security just use VPNs. They seem to be a pretty good solution if you have trusted users and want to be able to ignore all the crap on the network at large.

I meant more than just features vs security, I meant that for the most part, if you want to do something with the internet, you can just go ahead and start doing it. That's pretty cool, and it isn't really the same thing as a feature.

And I didn't mean 'bad' in a moral sense either. I was reaching for something about room for improvement not being a flaw(in and of itself) and missed a little bit.

I would also note that the part of the DMCA that relates to the internet isn't all that bad. Sure, the mechanism behind take down notices is pretty easy to take advantage of, but there is recourse, and the safe harbor provisions are pretty fantastic. The provisions against circumventing encryption are the nasty part of the DMCA.

Re:SLASHDOT SUX0RZ

In fact, forget the peace and love.

Re:Stop lying.

Maybe he was trying to RTA FROM the zombie army, and was duly blocked.

ISPs won't implement it anyway.

[fluffy99]

The major ISPs do not want to implement any kind of IDS or traffic monitoring. Why? Because they really enjoy their status as common-carriers. It absolves them of any blame for how the end users use the internet. If they start examining and filtering traffic even for legitimate reasons like detecting malicious traffic, they put that distinction in jeopardy. People and potentially the civil courts would assign the Telco the responsibility of policing their traffic. People would start suing the Telcos because they didn't detect that joe-blow had his computer compromised or they didn't detect and squash the DDOS attack directed against some company. Next step is forcing the Telcos to listen to all phone calls for the words 'bomb' or "Allah is great". Afterall that's NSAs job. :}

Re:ISPs won't implement it anyway.

[geminidomino]

Why does this get posted in every story involving TCP/IP manipulation? ISPs do not and never have had common carrier status.

Re:ISPs won't implement it anyway.

[fluffy99]

Maybe because they fall under the definition as described in 47 U.S.C. 153(h)? http://www.cybertelecom.org/notes/telecom_carrier.htm

Re:ISPs won't implement it anyway.

[fluffy99]

Even more to the point, please refer to http://www.cybertelecom.org/ci/esp.htm. Specifically, the ISPs want to provide only "basic" service. As soon as they start doing anything with the "format, content, protocol or similar aspects of the subscriber's transmitted information", that becomes "enhanced" services which do not enjoy common carrier status under Title II of the Communications Act. Still, it's a hotly debated subject as far as the ISPs are concerned. They don't want to do anything that jeopardizes the status quo.

99.9% detection... until the botnet makers adjust

[noidentity]

His system has a 99.9% detection rate of malicious signatures, roughly equivalent to some of the best commercial systems. But it has zero false positives when commercial systems have high numbers.

Similarly, you can eliminate SPAM in the lab, but the moment you release it, the SPAM makers will adjust their strategy. That's how arms races work. So get back with us once your solution is still working 6 months from now.

Missing Tools!

[psychicsword]

I know this isn't a slashdot survey but there is a very good tool to use(no not that tool you pervert).
LINUX!

Why boycott?

[magnus_1986]

Seeing that I was one of those who made inflammatory comments against Roland, I want to say some things.

You should notice that he stopped hiding links to his blogs in there and his topics are now about stuff a bit more, shall we say concrete. I say we let him post (Not that I'm in a place that allows me that authority but still) and not flame his better posts.

Let the flames against Roland stop...

Re:Why boycott?

[cralewyth]

hah, what a sig! :P

Thankyou, thankyou, I'll be here all week. Do try the fish.

Simple solution...

[Gordonjcp]

Set your routers up to do OS fingerprinting. Drop all traffic from Windows boxes. This will have the handy side-effect of killing 99% of the spam that's out there too.

Re:Simple solution...

[Macthorpe]

This will have the handy side-effect of killing 99% of the spam that's out there too. And the even handier side-effect of driving away about 90% of your customers.

It must be nice to cling to an ideology so tightly that you can ignore practical concerns in order to follow it.

Re:Simple solution...

[Ash-Fox]

WHOOOOOOSH

Re:Simple solution...

[Macthorpe]

I'd like to remind you that this is Slashdot, and therefore there is a much higher chance that he is sincere ;)

Re:Simple solution...

[Gordonjcp]

It must be nice to cling to an ideology so tightly that you can ignore practical concerns in order to follow it.

It's not a case of "clinging to an ideology". I don't want people with festering sores near me stinking the place up with their germs, and I don't want people with computers running Windows flooding the Internet with their spam and viruses.

Re:Simple solution...

[Macthorpe]

You would be absolutely right if it was just Windows machines cracked on the net that were sending spam and viruses. Unfortunately, it's not, so you aren't.

Free to use, NOT open source

The source is nowhere to be found. Unfortunately.

Zero false positives? hahahahahahahaha

[hal9000(jr)]

Every intrusion detect vendor has hawked ways to reduce or eliminate false positives that have met with marginal success. Put that puppy in a live network and see what te fasle postivies are.

Now there are certain behaviors that bots exhibit even when they are quiet waiting for commands. So looking at network traffic alone, if you have a bunch of hosts all talking to the same server for a long, long time (days, weeks, hours), that seem to move in unison, you probably have a botnet. This is differnet than traffic where a bunch of users are hitting a popular site like Youtube or Facebook where the traffic pattern looks more like web traffic (port 80, lots of small packets to teh server, lot of bigger packets coming back, interative behavior, etc).

Don't believe the zero false positives until you see it.

Don't forget lousy design...

[argent]

It's not the Window monoculture so much as the fact that the Windows HTML control is designed to allow you to pass it a chunk of code and say "run this" and if you smell right... it will! How anyone in the world could look at this design and not go "you mean, if I can get some trust hormones and smear them on my program, everyone who looks at it using Internet Explorer will run it?". I mean, this is such a completely insane design that I'm honestly boggled Microsoft hasn't been creamed by a trillion dollar class action suit over it yet. This is like Ford building autos that kick the owners out and follow you home if you wave a yellow hanky at them.

What the hell is wrong with people that anyone, for one minute, could think this is a good idea? It's not. It's so lousy an idea that it makes only moderately lousy ideas like Java's security model look good by comparison, even to people like me who know better. It's so lousy it'd still be scratching after a week in pyrethrin. It's so lousy... gah... there's not an analogy corny enough to do justice to how lousy it is.

Re:Don't forget lousy design...

[causality]

t's not the Window monoculture so much as the fact that the Windows HTML control is designed to allow you to pass it a chunk of code and say "run this" and if you smell right... it will! How anyone in the world could look at this design and not go "you mean, if I can get some trust hormones and smear them on my program, everyone who looks at it using Internet Explorer will run it?". I mean, this is such a completely insane design that I'm honestly boggled Microsoft hasn't been creamed by a trillion dollar class action suit over it yet.

The reason why this was done is because it's so much more convenient and "easier to use than EVER!!" compared to either not having such functionality, or having it severely locked down (say, whitelist-only, with restrictions).

The Windows monoculture is simply why most users take the presence of such "features" for granted and can't imagine doing things any other way. It's why such a design can instantly appear on millions of hosts. It's also why the idea that rebooting is going to magically fix anything, or that crashes and lockups are a normal part of computing are so widely accepted and are not generally questioned. It's why "everybody knows" that you "need" to be using an after-the-fact antivirus or antispyware tool, hoping that it can remove that malware now that you're already infected and can no longer trust that machine. This sort of thing would be less common if visiting their next door neighbor meant that a user was likely to see a very different system with a saner design. Lousy indeed.

Re:Don't forget lousy design...

[triffid_98]

Of course it's not a good idea, but look at the alternative. Java's security model=applets, and with only 1.0 java guaranteed that's not much fun either. If you're running a java-app you can do all kinds of mischief but that is perfectly reasonable since you're explicitly running an application on your machine, presumably from a trusted source. In the middle ground there's flash, at least for those not running linux.

What the hell is wrong with people that anyone, for one minute, could think this is a good idea? It's not. It's so lousy an idea that it makes only moderately lousy ideas like Java's security model look good by comparison, even to people like me who know better.

Re:Don't forget lousy design...

[argent]

Of course it's not a good idea, but look at the alternative.

The alternative to ActiveX is hard-sandboxed scripts and applets that provide no mechanism for the sandboxed code to ask the user for access outside the sandbox, let alone automatically getting it if they "smell right".

Since every other HTML implementation in the world, including the ones used by Firefox and Safari, take the alternative path, and the alternative path is the only option if you're not running Windows, then I guess I like the alternative and I'm kind of at a loss as to what you're getting at.

Re:Don't forget lousy design...

[argent]

The reason why this was done is because it's so much more convenient and "easier to use than EVER!!" compared to either not having such functionality, or having it severely locked down (say, whitelist-only, with restrictions).

First, ActiveX in theory *is* whitelist-only. Whitelisting is basically what the "security zones" model is all about. And it doesn't work. The only thing that actually works is providing a strictly restricted API.

Second, no product implemented this functionality before Microsoft did, and since no product has emulated Microsoft's design, and opening up your browser to allow it takes several times as much effort as explicitly downloading and installing the applet. So it's neither necessary nor more convenient.

Third, it is possible to use Windows, to partake of the monoculture, without using applications that apply the ActiveX design to untrusted content. And if you do that you get comparable security to the situation before Active Desktop was introduced. I did that, and it works.

Fourth, the monoculture is not what keeps bad designs shipped with the system in use. Inertia does that. There's design flaws in OS X and it's just as hard to convince people to do something about them as it is to convince them to eschew Internet Explorer and its fellow-travelers.

The monoculture is a problem, yes, but this particular design flaw is a much much bigger one, and breaking the monoculture wouldn't solve it.

Re:Don't forget lousy design...

[triffid_98]

No, actually flash works just fine on a Mac. For client side content you have flash, you have applets, you have activeX. Lots of sites use flash, many sites use activeX, almost nobody uses applets. Java succeeded as a server development language, but it has totally bombed as a client platform. Whether you or I personally like that fact is kind of irrelevant. As Colbert would say 'the free market has spoken'.

...and the alternative path is the only option if you're not running Windows, then I guess I like the alternative and I'm kind of at a loss as to what you're getting at.

Re:Don't forget lousy design...

[argent]

No, actually flash works just fine on a Mac.

OK, I think you have a really deep and fundamental misunderstanding somewhere about what I wrote.

This is not about Java. This is not about Java vs Flash, or even Java vs ActiveX.

This is about ActiveX.

The alternative path is, basically, everything but ActiveX. EVERYTHING. Flash. Java. Javascript. Embedded Postscript and SafeTcl and all the other technologies that never took off. Out of all the applet technologies for the web that's ever gotten past the starting gate ... even the ones that broke a leg in the first yard... ActiveX as used by the Microsoft HTML control is the only one I've found that is not sandboxed. Even Java's funky sandbox model is still a sandbox.

There is no excuse for using ActiveX on the web, nor for allowing it to be used. It is fundamentally, unfixably, and even arguably criminally insecure. There is no way to make it secure.

Thank god it's restricted to *one* browser on Windows, so you can use something else that's only got fixable security flaws.

Tools to Squash Botnets...

[Isauq]

Bigger botnets?

0 false positives?

[nog_lorp]

Write a legitimate program to remote-control your computer with IRC. Bet you get a false positive then.

Bots against Bots

[cavebison]

Why not just create (and keep creating) "good" virii that will infect computers and look for malicious traffic. They can perhaps closely imitate the code signatures of the infections they're trying to thwart - if the user has enough anti-virus nous to remove the offender, it also removes the "good" virus, no long-term harm done.

In the meantime, fight fire with fire. If there's a hole in that approach, I'd like to hear it.

Re:Bots against Bots

[silk600]

1. It'll increase network traffic to the same amount (if not more) than it will decrease it.

2. It's almost as illegal as creating a malicious virus.

Re:Bots against Bots

[cavebison]

1. An increase in security at the cost of traffic? Doesn't sound too bad.

2. Nothing is illegal if the government does it. :)