Slashdot Mirror


Check Point Introduces New CPU-Level Threat Prevention

An anonymous reader writes: After buying Israeli startup company Hyperwise earlier this year, Check Point Software Technologies (Nasdaq: CHKP) now unveils its newest solution for defeating malware. Their new offering called SandBlast includes CPU-Level Threat Emulation that was developed in Hyperwise which is able to defeat exploits faster and more accurately than any other solution by leveraging CPU deubgging instruction set in Intel Haswell, unlike known anti-exploitation solutions like kBouncer or ROPecker which use older instruction sets and are therefore bypassable. SandBlast also features Threat Extraction — the ability to extract susceptible parts from incoming documents.
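The summary contrasts Hyperwise's approach with kBouncer and ROPecker, which read the processor's branch records and apply a heuristic to them: the target of a `ret` should be the byte right after a `call` instruction, because that is the only place a legitimate return lands. The block below is an added example written for this page, not code from Check Point, Hyperwise, kBouncer or ROPecker; it runs that call-preceded check over a constructed 17-byte 32-bit x86 code image and a constructed branch trace standing in for a hardware Last Branch Record buffer. The byte image, the record layout, and every name in the block are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit x86 code image for this example (not from any real
 * binary). Offsets in the comments are relative to the start of CODE. */
static const uint8_t CODE[] = {
    /* 0x00 */ 0x55,                         /* push ebp              */
    /* 0x01 */ 0x89, 0xE5,                   /* mov ebp, esp          */
    /* 0x03 */ 0xE8, 0x03, 0x00, 0x00, 0x00, /* call rel32 (-> 0x0B)  */
    /* 0x08 */ 0x31, 0xC0,                   /* xor eax, eax          */
    /* 0x0A */ 0xC3,                         /* ret                   */
    /* 0x0B */ 0x40,                         /* inc eax               */
    /* 0x0C */ 0xC3,                         /* ret                   */
    /* 0x0D */ 0xFF, 0xD0,                   /* call eax              */
    /* 0x0F */ 0x5D,                         /* pop ebp               */
    /* 0x10 */ 0xC3,                         /* ret                   */
};

/* One entry of a branch trace: source offset, target offset, and whether
 * the branch was a ret. The layout is an assumption for this example. */
struct branch_record { size_t from; size_t to; int is_ret; };

/* Constructed trace: two ordinary returns, then two that look like a ROP
 * chain stepping through gadgets, then a call that is never checked. */
static const struct branch_record SAMPLE_TRACE[] = {
    { 0x0A, 0x08, 1 },  /* ret to the byte after "call rel32"   : legit  */
    { 0x0C, 0x0F, 1 },  /* ret to the byte after "call eax"     : legit  */
    { 0x0A, 0x0B, 1 },  /* ret into "inc eax; ret"              : gadget */
    { 0x0C, 0x09, 1 },  /* ret into the middle of "xor eax,eax" : gadget */
    { 0x03, 0x0B, 0 },  /* a call, not a return                          */
};
#define SAMPLE_TRACE_LEN (sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0])

/* Does a call instruction end exactly at `target`? Only the three common
 * encodings are recognised: E8 rel32 (5 bytes), FF D0..D7 call reg
 * (2 bytes) and FF 15 disp32 call [abs] (6 bytes). A byte-pattern test
 * like this is fooled by data that happens to look like a call opcode. */
int is_call_preceded(const uint8_t *code, size_t len, size_t target)
{
    if (target > len) return 0;
    if (target >= 5 && code[target - 5] == 0xE8) return 1;
    if (target >= 2 && code[target - 2] == 0xFF &&
        code[target - 1] >= 0xD0 && code[target - 1] <= 0xD7) return 1;
    if (target >= 6 && code[target - 6] == 0xFF && code[target - 5] == 0x15) return 1;
    return 0;
}

/* Number of returns in the trace whose target is not call-preceded. */
size_t count_suspicious_returns(const uint8_t *code, size_t len,
                                const struct branch_record *recs, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (recs[i].is_ret && !is_call_preceded(code, len, recs[i].to))
            bad++;
    return bad;
}

/* Convenience wrapper over the constructed image and trace. */
size_t sample_suspicious(void)
{
    return count_suspicious_returns(CODE, sizeof CODE, SAMPLE_TRACE, SAMPLE_TRACE_LEN);
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_TRACE_LEN; i++) {
        if (!SAMPLE_TRACE[i].is_ret) continue;
        printf("ret 0x%02zx -> 0x%02zx: %s\n", SAMPLE_TRACE[i].from, SAMPLE_TRACE[i].to,
               is_call_preceded(CODE, sizeof CODE, SAMPLE_TRACE[i].to)
                   ? "call-preceded" : "SUSPICIOUS");
    }
    printf("%zu suspicious returns\n", sample_suspicious());
    return 0;
}
```

Two of the four returns in the constructed trace are flagged. The weakness the summary alludes to is inherent in the heuristic rather than in the branch-recording hardware: an attacker who builds the chain only from gadgets that happen to sit right after a call instruction passes this check, which is why a tool that does nothing more than this is bypassable.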

135 comments

  1. It seems to work, too by dreamchaser · · Score: 4, Insightful

    I do a lot of Check Point engineering/consulting services and this is one of the more exciting things they've done in a while. Even though they didn't actually develop it they've done a good job integrating it into their firewall suite. It is not a panacea; nothing in security is, but it is good stuff.

    1. Re:It seems to work, too by Anonymous Coward · · Score: 0

      Yeah sure, it reads people's minds and shoots back at them if they think about attacking your system.
      Like in this old soviet animation
      https://www.youtube.com/watch?v=tr3TUbWDKp4

    2. Re:It seems to work, too by Monoman · · Score: 1

      I would rather they buy out a company that has good tech support and services. We have been a CP customer for over a decade and their stuff is great until things go wrong. Dealing with their support/services can be a nightmare at times.

      --
      Keep the Classic Slashdot.
    3. Re:It seems to work, too by dreamchaser · · Score: 1

      Oh I agree. I rarely have to call the TAC but it can be a struggle. That's why a lot of our clients use our support services. I don't work our support desk, I do design/pre-sales/installation/consulting, but the guys who take calls are really good. They rarely have to escalate to the TAC unless it's a bug.

    4. Re:It seems to work, too by Anonymous Coward · · Score: 1

      Take all of this with a grain of salt as I'm an outsider who has never worked for them. This might not be the case with all of their offices. Buuuut....

      To source talent, Check Point uses some of the lowest quality recruiters I've had the, erm, "pleasure" of meeting. You know, the kind of agencies that hire ex-retail workers with a year of total working experience to screen serious IT folk.

      Entry level people are often paid well under $20 per hour for networking-related labour, while "free lunches" (aka never leave your desk again) are used to entice new applicants to join. Where I live, it's more profitable to get a ho-hum office job and avoid IT-related stress. The prevailing truth seems to be it's a great place to work if you're fresh out of post secondary and utterly desperate to put your papers to use. They also insist on standardized testing for their hires -- the kind of rigorous, jump-through-the-hoops stuff that we all love to hate.

      But don't take my word for it -- cruise the intertubes, and you'll find the usual sort of up-talking about the company that goes on from freshers who lack dignity and self respect. Also: Israel HQ. Thanks, but no thanks.

      I felt compelled to post this because, as other Slashdotters have noted, their software is generally pretty junky. And I figured it might provide some perspective as to why :).

  2. Excited about what deubging Instructions are by Billly+Gates · · Score: 3, Interesting

    I never heard of deubging before and can't seem to find a Wikipedia article on it?

    However, what is to stop malware from using this to avoid detection at the CPU level where there is no footprint? It could be used to disable AV endpoint software as well.

    1. Re:Excited about what deubging Instructions are by Anonymous Coward · · Score: 0

      Not deubging, deubgging.

    2. Re:Excited about what deubging Instructions are by Anonymous Coward · · Score: 0

      I never heard of deubging before and can't seem to find a Wikipedia article on it?

      However, what is to stop malware from using this to avoid detection at the CPU level where there is no footprint? It could be used to disable AV endpoint software as well.

      Seems like it's basically a hypervisor running a sandbox testing inbound suspect files both within a VM and on the CPU by virtue of a hypervisor call to system management mode/process trace (Intel) on the CPU and evaluating what's going on from both sides. It appears the point is to detect malware that is checking if it is being run in a sandbox and not activating if it is. Both SMM and Process Trace are part of the Intel x64 instruction set and are tools for debugging.

    3. Re:Excited about what deubging Instructions are by Anonymous Coward · · Score: 0
    4. Re:Excited about what deubging Instructions are by Anonymous Coward · · Score: 0

      I'm sorry, but is deubgging a typo or actually a word for something?

    5. Re:Excited about what deubging Instructions are by AmiMoJo · · Score: 3, Informative

      Those instructions are privileged. If normal software tries to execute them it will simply crash (remember those privileged instruction errors when running old software on Windows 95, Mr. Gates?)

      To execute these instructions the code needs to ask the OS to run it at the highest privilege level, normally reserved for the core OS and certain drivers that need to do some tricky hardware stuff. If a virus can get to that level you are screwed anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re: Excited about what deubging Instructions are by Anonymous Coward · · Score: 0

      Sandboxing

    7. Re: Excited about what deubging Instructions are by OhSoLaMeow · · Score: 1

      Sandboxing

      That's gotta be even more boring to watch than golf.

      --
      They can take my LifeAlert pendant when they pry it from my cold dead fingers.
    8. Re:Excited about what deubging Instructions are by Anonymous Coward · · Score: 0

      McAfee (now part of Intel) has something that is pretty innovative:
      http://www.mcafee.com/us/solutions/mcafee-deepsafe.aspx

      It basically puts AV as the hypervisor beneath the OS.

  3. Nice advertorial by Anonymous Coward · · Score: 0

    But it's not news for nerds, and it won't matter until it's proven more effective than current techniques.

  4. Article or press release? by Quinn_Inuit · · Score: 4, Insightful

    Is the anonymous reader just quoting a press release? It doesn't seem like there's much analysis or original thought in this "story."

    --

    Stop learning! Only you can prevent esoterrorism.
    1. Re:Article or press release? by cdrudge · · Score: 2

      It doesn't seem like there's much analysis or original thought in this "story."

      I thought almost every /. post was just the first paragraph of the article. There are summaries that aren't just copy/paste jobs?

    2. Re:Article or press release? by bonfirer · · Score: 1

      It doesn't seem like there's much analysis or original thought in this "story."

      I thought almost every /. post was just the first paragraph of the article. There are summaries that aren't just copy/paste jobs?

      Right. Plus, I haven't seen a comparison to other anti-exploitation methods in any of their PR.

    3. Re:Article or press release? by Quinn_Inuit · · Score: 1

      A fair point. I guess I'm used to it copying the first few paragraphs of an article about the topic, so there's at least some analysis involved. For instance, I thought these two articles from yesterday were much more helpful than a press release-type article like the one in the OP:
      http://tech.slashdot.org/story...
      http://developers.slashdot.org...

      --

      Stop learning! Only you can prevent esoterrorism.
    4. Re:Article or press release? by coofercat · · Score: 1

      It's very informative that they thought to put Check Point's trading symbol in the advert^H^H^H^H^H article though, now I know where to invest my money - that's the kind of information I come to slashdot to find.

    5. Re:Article or press release? by sociocapitalist · · Score: 1

      Is the anonymous reader just quoting a press release? It doesn't seem like there's much analysis or original thought in this "story."

      I couldn't even get through the summary without choking on the Checkpoint marketing bullshit.

      This might be a good product - might not. What I'm sure of is that it won't fix the underlying problems with the layers of ancient code that they're going to stack it on top of.

      --
      blindly antisocialist = antisocial
  5. Interesting by Tough+Love · · Score: 4, Insightful

    Interesting. It should up the game for threat prevention, however it is a practical certainty that the black hats will learn from this technique in order to develop new and nastier exploits. If they have not already.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
  6. White list or you're jerking off by Karmashock · · Score: 2, Interesting

    You have a white list of acceptable code and instructions and those are the only ones permitted...

    Or you're basically daring the hackers that you're smarter than they are and you have thought of and dealt with any conceivable exploit they could think of or find.

    And guess what... you are not smarter than they are... individually man for man... maybe... collectively? Not even remotely.

    And it gets better because not only are you not smarter than them but you're also not aware of every exploit they're going to use.

    Which means your blacklisting of naughty bits of code will accomplish fuck all.

    You stop this by WHITE LISTing good code and good instructions. And yes yes... the thing that makes some things good or bad is the context... but that is implicit in the concept of white listing isn't it, chum? So there you go.

    You white list.

    Now is the home user douchebag going to white list properly? of fucking course not. Fuck him. He's on his fucking own. Sell him some of your blacklist snake oil. But for the SECURE environments... I'm talking about corporate and government systems that you don't want to be a giant fucking shit show... You whitelist or go fuck yourself.

    It's that simple.

    No no... White list... or:
    https://www.youtube.com/watch?...

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:White list or you're jerking off by Anonymous Coward · · Score: 1

      Dangerous comments - you're going to invoke APK talking like that!

    2. Re:White list or you're jerking off by Anonymous Coward · · Score: 0

      I would like to see Karmadillo's reply to this question here http://it.slashdot.org/comment...

    3. Re:White list or you're jerking off by Anonymous Coward · · Score: 0

      Is it true you're a blowhard ne'er do well Karmashock? http://it.slashdot.org/comment...

    4. Re:White list or you're jerking off by Anonymous Coward · · Score: 0

      Is it true you're a dime a dozen wannabe that can't make things you talk of yourself? http://it.slashdot.org/comment...

    5. Re:White list or you're jerking off by Anonymous Coward · · Score: 0

      Scriptkiddie Karmashock saw it on youtube and spews it back. Guys like you don't build tools themselves though! Seems that got to you judging by your foaming at the mouth replies.

    6. Re:White list or you're jerking off by Anonymous Coward · · Score: 0

      I did. Truths stated about Karmadillo got to him. He got angry http://it.slashdot.org/comment...

    7. Re:White list or you're jerking off by CODiNE · · Score: 1

      And whitelisting blocks ROP?

      --
      Cwm, fjord-bank glyphs vext quiz
    8. Re:White list or you're jerking off by Karmashock · · Score: 1

      How are you introducing the malware into the system? Specifically.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    9. Re:White list or you're jerking off by Anonymous Coward · · Score: 0

      Good code can include very short sequences like 0x40C3. This is "inc eax; ret". This is VERY evil and cannot be allowed for _obvious_ reasons.

      In this case, it is because whitelisting _code_ doesn't mean you can't have someone rewrite your stack with "return oriented programming". The ability to set eax to a known value (commonly finding xor eax,eax; ret and inc eax; ret) is very useful if you want to call API functions without being able to bypass data-execution protection at first. Also, these short sequences can't be allowed in any DLL's or delay-loaded DLL's executable code section.

      You have to ensure that all mis-alignments of code don't result in "gadgets" of code that can form a ROP chain that can do bad things.

      Is the home user going to block common two byte sequences from occurring in applications and libraries they have no control over? I say learn how to know everything or GTFO!
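The point above, that perfectly good code contains 40 C3 and similar sequences at unintended offsets, can be shown mechanically. The block below is an added example written for this page, not code from the poster or from Check Point: it scans a constructed 13-byte 32-bit x86 image for every byte run ending in a `ret` and marks whether the run starts where the compiler intended an instruction to start. The image, the list of intended instruction starts (known only because the image was written by hand), and every function name are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit x86 code image for this example (not from any real
 * binary). The first instruction is a mov whose immediate happens to
 * contain the bytes 40 C3, i.e. "inc eax; ret" if entered one byte in. */
static const uint8_t IMAGE[] = {
    /* 0x00 */ 0xB8, 0x40, 0xC3, 0x00, 0x00, /* mov eax, 0x0000C340 */
    /* 0x05 */ 0x31, 0xC0,                   /* xor eax, eax        */
    /* 0x07 */ 0xC3,                         /* ret                 */
    /* 0x08 */ 0x8B, 0x45, 0x08,             /* mov eax, [ebp+8]    */
    /* 0x0B */ 0x5D,                         /* pop ebp             */
    /* 0x0C */ 0xC3,                         /* ret                 */
};
/* Offsets at which an instruction was intended to start. We know these
 * because we wrote the image; a real scanner would take them from a
 * disassembler, or simply not care. */
static const size_t IMAGE_INSN_STARTS[] = { 0x00, 0x05, 0x07, 0x08, 0x0B, 0x0C };
#define IMAGE_INSN_COUNT (sizeof IMAGE_INSN_STARTS / sizeof IMAGE_INSN_STARTS[0])

struct gadget { size_t start; size_t len; int aligned; };

static int is_insn_start(size_t off, const size_t *starts, size_t nstarts)
{
    for (size_t i = 0; i < nstarts; i++)
        if (starts[i] == off) return 1;
    return 0;
}

/* For every ret (C3) in the image, emit the byte runs of length 1..max_len
 * that end at it. Each run is a candidate gadget; `aligned` says whether
 * it begins on an intended instruction boundary. Returns the total number
 * found even when that exceeds `cap`, so a NULL/0 call just counts. */
size_t find_gadgets(const uint8_t *code, size_t len, size_t max_len,
                    const size_t *starts, size_t nstarts,
                    struct gadget *out, size_t cap)
{
    size_t n = 0;
    for (size_t r = 0; r < len; r++) {
        if (code[r] != 0xC3) continue;
        for (size_t g = 1; g <= max_len && g <= r + 1; g++) {
            size_t start = r + 1 - g;
            if (n < cap) {
                out[n].start = start;
                out[n].len = g;
                out[n].aligned = is_insn_start(start, starts, nstarts);
            }
            n++;
        }
    }
    return n;
}

/* Offset of the first "40 C3" (inc eax; ret) pair, or -1 if absent. */
long find_inc_eax_ret(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (code[i] == 0x40 && code[i + 1] == 0xC3) return (long)i;
    return -1;
}

/* Gadgets of up to `max_len` bytes in IMAGE that begin off an intended
 * instruction boundary: the ones a whitelist of instructions never saw. */
size_t count_unaligned_gadgets(size_t max_len)
{
    struct gadget g[64];
    size_t n = find_gadgets(IMAGE, sizeof IMAGE, max_len,
                            IMAGE_INSN_STARTS, IMAGE_INSN_COUNT, g, 64);
    size_t unaligned = 0;
    for (size_t i = 0; i < n && i < 64; i++)
        if (!g[i].aligned) unaligned++;
    return unaligned;
}

int main(void)
{
    struct gadget g[64];
    size_t n = find_gadgets(IMAGE, sizeof IMAGE, 3,
                            IMAGE_INSN_STARTS, IMAGE_INSN_COUNT, g, 64);
    for (size_t i = 0; i < n && i < 64; i++) {
        printf("gadget @0x%02zx len %zu %s:", g[i].start, g[i].len,
               g[i].aligned ? "aligned  " : "unaligned");
        for (size_t j = 0; j < g[i].len; j++) printf(" %02X", IMAGE[g[i].start + j]);
        printf("\n");
    }
    printf("inc eax; ret at offset %ld\n", find_inc_eax_ret(IMAGE, sizeof IMAGE));
    return 0;
}
```

With a three-byte window the scan reports nine candidate gadgets, four of them starting inside an instruction, and finds inc eax; ret at offset 1, inside the immediate of a mov that no whitelist of instructions would object to. One caveat: 0x40 is inc eax only in 32-bit code; in 64-bit mode it is a REX prefix, so the same bytes decode differently there.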

    10. Re:White list or you're jerking off by Anonymous Coward · · Score: 0

      Seems much more than whitelisting - here's a talk about what they do: https://www.youtube.com/watch?...

    11. Re:White list or you're jerking off by Anonymous Coward · · Score: 0

      They don't do whitelist, they do something much more sophisticated: https://www.youtube.com/watch?...

    12. Re:White list or you're jerking off by Karmashock · · Score: 1

      I made it very clear I wasn't trying to protect the home user.

      My context is a secure and managed corporate or government network or data center.

      You lower the bar to "that machine that guy over there is masturbating to" and the only way I can protect that system is to walled garden it so hard that it literally would have to have factory write-locked memory.

      That's the whole security regime on these tablets and smartphones that everyone likes. So the home users are apparently okay with a big company telling everyone what they can and can't install on the machines.

      Fine. That's your solution for the home user.

      And here you might say "what if he downloads something or something is snuck into an app"...

      in the case of downloading something... you don't permit executable code unless it went through your "market" or whatever you want to call these gate keepers. And as to something getting white listed that shouldn't have been whitelisted. The whole point is that you don't do that with a white listing system. So... if you're doing something that is antithetical to the entire design philosophy... I guess that would be a problem... sure.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    13. Re:White list or you're jerking off by Karmashock · · Score: 1

      Going through your video, the first thing I saw in there was "what happens if someone sends a link to bad executable code to your stupid employees through email?!" ... well, a white listing system would not allow the executable code in the link to do anything. Also the fucking link itself might not even work because depending on the security of the network I might not permit any random computer to talk to your computer.

      Why would I let an email client download and execute any random fucking code in an email? So right off the bat this video has me baffled.

      Skipping past that he's talking about burying weird instructions in PDFs etc. One thing I do to avoid that in particular is that I don't use standard programs to open files like that where possible. I use third party programs and one of the fun things about such programs is that while they have exploits their exploits are DIFFERENT. Getting a PDF file to execute X or Y using Adobe Acrobat Reader is a different kettle of fish to getting one of the third party programs to do the same thing.

      It's not a perfect solution to the issue but it is marginally more secure.

      Another thing that I do is that I control the permissions of every program so that it can and cannot do certain things. I'm not giving acrobat the ability to write to the registry or really do anything that it doesn't actually need to do.

      That's really what all of this malware exploits. Overly permissive security settings.

      You lock it down so that only the programs that are supposed to run have permission to run and even then you define what permissions it has while it is running. Can it access the local network? Can it access certain segments of the file system? Can it read or write to system files or the registry?

      You just go through a long list of permissions.

      And the reality is that most programs need very little to actually operate properly.

      Take one of the more annoying applications... the web browser. It has to be able to access pretty much any address, downloads are often required which means we're letting this thing download ANYTHING to the workstation, then the fucking things have to allow HTML, Java, Javascript, cookies, flash, etc. How do you secure that?

      My first step and again... this is a corporate/government secure network context... is that I don't permit you to access just anywhere on the internet. Someone in a context like that doesn't need to get to facebook. They can use a different system for that.

      That alone reduces the threat dramatically.

      The next thing is... sure... I'll let you download something and that something could be fucking awful but you can't "RUN" anything you downloaded. Nothing. Everything comes into the system with the presumption of being full of fucking snakes.

      And if it is a document from a poorly designed file type that can include executable code in a data file... then you deal with that by limiting the permissions of the program itself so it can't really do anything.

      And the firewalls are also going to stop whatever program or malware that got into the system from phoning home.

      I really could go on and on and on. But the point I was making is that rather than trying to define bad code, the security community should be focusing on identifying GOOD code. It's much easier to know what should be allowed to run than not and only give the good code the freedom it needs rather than just give everything fucking root.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    14. Re:White list or you're jerking off by Anonymous Coward · · Score: 0

      Your solution might be ok in an imaginary world where users do what they are told, and corporate employees ("Rhonda from marketing") do what they're told and not surf to youtube, facebook or whatever. The truth is -
      a) That world doesn't exist
      b) Even that won't protect against malvertising campaigns -- malicious ads could be served when you view any site.
      c) ROP is really a technique where attackers use the "good code" the security industry decided is good (executable pages in memory), so how's that as an example of bypassing your paradigm?

    15. Re:White list or you're jerking off by Karmashock · · Score: 1

      you didn't answer my question. How are you introducing the malicious code?

      Answer the question please.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    16. Re:White list or you're jerking off by Karmashock · · Score: 1

      Wrong.

      Rhonda does what she's told or else she gets the hose again. You people keep ignoring the point about this being a secure system.

      We're not talking about whatever jerk off network for idiots at the mustard factory you're running.

      I even cited blocking domains. In secure systems you only permit communication to domains on an explicit basis. You don't let them talk to just fucking anything.

      So for example, facebook is blocked. Why would anyone doing their job need to access facebook? I do permit an isolated wifi network to connect to anything. HOWEVER... that is a BYOD network that office systems will not connect to because not a fucking one of them has a wifi card. They're all wired. And here someone says "what if someone brings a laptop and connects it to the network!?"... then they won't even get an IP address... obviously.

      And then someone says "what if they spoof a MAC address!?" Well, Rhonda isn't doing that. That's a deliberate attempt to breach the network's security which means any pretense of "oops that was just an honest mistake" goes completely out the window. And even then... while you'd get an IP address, you would not get access to servers and any system that connects to the network without doing certain things after it turns on will get flagged even if it has a known MAC address. Which means I'll get a text message within minutes of such a system connecting and then I'll go hunting for someone to mutilate.

      And it goes without saying that you'd need to be INSIDE my network to even do that.

      As to malvertising... I'm not sure what you think the threat is here. If they can't pass executable code to my systems then at best they're going to make someone's eyes bleed with penis enlargement ads or something. I don't really care about that. Beyond that, you're unlikely to be able to serve such ads if I restrict web access to domains that you have a "reason" to check and not just give you permissive access to the entire internet for no reason.

      As to ROP, you're using good code only in part. What you're executing, the order of execution, and the object of execution are instructions you passed to the system. HOW are you introducing that code into the system? I'm having a hard time understanding the infection vector you're suggesting here. Because all the ROP infections I've seen have had very typical infection vectors. Once they were in the system they were a pain in the ass to deal with but you still had to play in the sewer drain to the infection in the first place.

      Look, I don't even give my users a full workstation. Why would I? They use thin clients that link back to a terminal server. And the terminal does not retain changes to clients between boots. Every time they boot into their workstation it is tabula rasa. If they want to save something, they save it to the file server. Point is... even if you were able to infect an endpoint... the infection would be very short lived and wouldn't accomplish anything.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    17. Re:White list or you're jerking off by Anonymous Coward · · Score: 0

      You use whitelisted only instructions in the ROP chain

    18. Re:White list or you're jerking off by Karmashock · · Score: 1

      ... and this was introduced to the computer... HOW?

      did someone walk over to the machine and ejaculate it into the USB port? How did it get into the system?

      I know what ROP is... I want to understand how you're introducing the infection to the system.

      Lets say I have a clean system. Everything is from the factory. I put it together, I install from the DVD.

      Okay... how are you infecting me? Lets say I connect this machine to my organization's firewalled network. So... how are you infecting me. Where is your infected code coming from?

      if you say something about block chains again... I will strangle you with your umbilical cord. The block chains are how the infection operates but it is not how the infection was introduced to the system.

      I want to know how you're getting this in the machine in the first place. HOW are you infecting the machine.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    19. Re:White list or you're jerking off by Anonymous Coward · · Score: 0

      Yes, after the Hacking Team disclosure that signed modules are hardly or not looked at - there is a TON of work to be done.
      Only a subscription based whitelist clearing house can work. The downside is their clearing house is bound to be mum/silent on law enforcement hacks.

      It's not new, but it sounds like the right direction. Using TWO methods to identify a rogue module, plus LINUX immutable bits are needed before windows has half decent security.

    20. Re: White list or you're jerking off by Anonymous Coward · · Score: 0

      For example, a pdf document that exploits a vulnerability in Adobe Reader XI

    21. Re:White list or you're jerking off by Karmashock · · Score: 1

      As to subscriptions for signed modules... I think an open source list system will work just fine.

      As to government hacks getting whitelisted... that's why it has to be open source.

      That said, I think you're over estimating the difficulty here. The trick is to control ways code can be introduced into a system, properly identify that something is or is not code, and then run that code by the white list.

      The trickiest thing is going to be some dumb hybrid file formats that contain executable code for dubious reasons. But that just means you need to control the permissions of those programs so they don't have the permissions to do anything that would be a problem to the system or themselves. And if they can't do anything harmful then the code even if it is going wild inside of excel or whatever is just going to fail to do anything harmful and then drop out of memory on program termination.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    22. Re: White list or you're jerking off by Karmashock · · Score: 1

      Yep... I keep hearing about these demon PDF files... poor Adobe. First flash and now PDF.

      Two issues with this concept.

      1. You're assuming I'm opening the PDF with adobe acrobat. It's a good assumption but it isn't necessarily valid. Lots of programs can open, edit, and write in PDF. I prefer actually to not use acrobat precisely for this reason. I avoid standard programs where convenient. No one cares about acrobat. You change excel or word and people lose their god damned minds. But change acrobat and most people don't even notice.

      2. Any code operating from within acrobat would be using acrobat's own permissions to do whatever. If I restrict those to something tight enough that it can't really do anything then what are you going to do to me? If you can't access the internet to download a proper bit of malware. If you can't modify system settings. If you can't even change your own settings. Why do I care?

      All these exploits rely on essentially shitty security. It's all "well after we sneak by the bank guard we'll just break into that cardboard box they store the money in and we'll be home free"...

      There isn't one layer of defense. There are many layers and getting acrobat or excel to act crazy shouldn't be enough to actually threaten security.

      My systems are locked down to such an extent that I can have a given endpoint entirely 100 percent infected and it still doesn't compromise the network.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    23. Re:White list or you're jerking off by Karmashock · · Score: 1

      I hold the distinction so far as I know of being the only person on this site that has gotten along well with APK... to give you some idea of how crazy you probably think I am.

      He's an interesting guy and unlike most of his detractors he's actually built something that actually works and he actually knows "something". He's abrasive, largely indifferent to the opinions of people he sees as knowing less than him, and somewhat robotic in his communication style.

      That said... I empathize with that entire personality profile since it largely mirrors my own.

      I don't believe in coddling retards. I'd prefer to piss them off and then slap the shit out of them until they learn their place. It's initially annoying but in the long run it is less work to maintain a functional social model if everyone is keenly aware of their place in the hierarchy. As to being indifferent to the opinions of ignorant people... sort of the same thing again. Dumb people have dumb opinions. As to a robotic communication style... I've been accused of that myself many times and I frankly don't see any shame in admitting it. I do have a "rules based" personality. I operate on a core logic. I don't make choices based on emotion. This baffles the humans but it is actually my nature. The reason in my own case is that I do not trust my own instincts or emotional compass to be a reliable guide for action. In my childhood it repeatedly let me down so I learned to think rationally simply as a survival strategy because my instincts are basically broken. As such when I see someone else operating under a rules based mental framework... although a perhaps repetitive one from my perspective... I have some empathy for it.

      The first time I encountered APK he tried to fight me. I kept refusing to get upset, responding rationally, being patient, and offering credit where credit was due. And he eventually started being nice to me. So, progress.

      I have a long history of working with troubled geniuses. I grew up with a few and I work with a few on a regular basis. The world is full of a lot of really smart people that were sadly traumatized by their mentality because it disturbed their early childhood by isolating them.

      A lot of them grow up to be odd people but they're frequently exceptionally productive members of society if you can put up with a little of that oddness and show them a little human compassion and understanding.

      Just my own experience with such things. To each their own.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    24. Re: White list or you're jerking off by Anonymous Coward · · Score: 0

      First of all, the solution isn't about protecting you - it's about protecting all customers. Genius and ignorant as one.
      Second, if you really think you are protected by that then you know nothing.. ignorance is bliss.

      Adobe / Excel / Word - doesn't matter which application it might as well be AutoCad. Once an attacker runs his code he can use another PE exploit and inject into system process like explorer.exe, lsass.exe etc.. those processes have full control and can download and do whatever. If you think your approach helps you in any way - well actually it does, it slows down attackers - but everything is hackable.

    25. Re: White list or you're jerking off by Karmashock · · Score: 1

      You're not thinking about this systematically. You're using magical logic and I can't go through the chain of logic when everything looks like a long string of unlinked and unassociated preconceptions. It's just a bunch of givens.

      You're saying
      X=5
      Y=2
      R=94

      etc

      And there's no association or proof or causal chain in it anywhere that I can evaluate.

      You say that if the code gets into a program with limited permission on a network with limited access to specific domains on the internet that someone is going to take over the whole fucking network when the whole thing is knitted up tightly at every fucking level?

      No, motherfucker. Absolutely not.
      https://www.youtube.com/watch?...

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    26. Re:White list or you're jerking off by KGIII · · Score: 1

      Nah, you're not the only one who gets along with him. I get along with him and I don't even usually use a host file - however, I articulated my reasoning and know the consequences of my actions and make that choice based on security versus convenience. He might be a bit abrasive but I have a handy wheel on my mouse and don't actually care to silence anybody. Also, he knows some surprisingly esoteric stuff. I approached him much like you did. I enjoy poking the strange things - that's how you learn stuff. He's harmless and seems to be genuinely concerned with keeping folks protected from malware and ads.

      Then again, I enjoy your comments as well.

      --
      "So long and thanks for all the fish."
    27. Re:White list or you're jerking off by Karmashock · · Score: 1

      It's good to know I'm not alone in this respect. It's always distressing for me to see people ragging on the guy when most of the people doing it are f'ing useless fuckwits.

      If there's anything I decry in the modern era it is that the playing field has been leveled not just between the haves and have nots but also between the competent and incompetent.

      APK is a man on a mission... and he's actually built something pretty cool. To get dog piled by witless nothings is an indignity.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    28. Re:White list or you're jerking off by KGIII · · Score: 1

      Who among us is not abrasive when we know we're right? I'd not take his approach but that's probably because I'm a bit lazy and don't tend to care that much. I've noticed that his comments don't get repeated if nobody mods them down - he seems to repeat them because they are no longer visible by default.

      --
      "So long and thanks for all the fish."
  7. I need $5 by Anonymous Coward · · Score: 0

    To buy a wrench:

    https://xkcd.com/538/

  8. The strange power of delusional phantasy! by Anonymous Coward · · Score: 0

    You built this marvel you speak of Karmashock, totally yourself, or is it just your imagination running wild with dreams of grandeur that you could?

    1. Re:The strange power of delusional phantasy! by Anonymous Coward · · Score: 0

      HahahahahahahaHaHAha

    2. Re:The strange power of delusional phantasy! by Anonymous Coward · · Score: 0

      A better question is does it even exist as a downloadable free product that works or is it more of karmashock's strange phantasies of things he could never manage to build, let alone himself, but talks of big things yet never can make one himself for security online! I'd wager the latter. Karmashock's a blowhard talker but never a doer.

    3. Re:The strange power of delusional phantasy! by Anonymous Coward · · Score: 0

      R O T F L M A O! "Karmashock's a big talker but never a doer" (that's 99% of slashdot).

    4. Re:The strange power of delusional phantasy! by Anonymous Coward · · Score: 0

      It's "Karmashock's a blowhard talker but never a doer." Get it right!

    5. Re:The strange power of delusional phantasy! by Karmashock · · Score: 2

      There are many companies that offer white listing solutions...

      Here was one I found with a single google search:
      http://www.kaspersky.com/partn...

      I also liked the barrage of toothless AC peasants cackling below you attempting to tag me with rotten produce.

      The white listing system works and has worked for many years and there are many applications of it that are known to work quite well.

      They're paradoxically easier to set up than blacklisting systems because they're a great deal more simple. All you do is make it so the computer can run LESS than it was designed to run and you set LESS to EQUAL what you want it to run. The other things that COULD run on the system before... simply can't.

      I love that you think this is hard to do... think of the way a black listing anti virus system works. It looks for known bad code and then intercepts it. That's how it works.

      A white listing system does the opposite. It intercepts EVERYTHING and prevents ANYTHING whatsoever from running, assuming that anything and everything is a virus... EXCEPT things specifically defined to it as NOT a virus.

      It's the same system only instead of trying to guess every virus and malware possible... I just define whatever is currently running as GOOD and if anything is added to the system then it is ASSUMED to be bad unless otherwise stated.

      It's a very simple system and I operate white lists pervasively on many systems using several of the most popular techniques for implementing them.

      This is fundamental IT security. That you're ignorant of it is not surprising or embarrassing for you. You don't know what you're talking about. I do. I am an expert. You're an AC shit head.

      *wink*

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    6. Re:The strange power of delusional phantasy! by Anonymous Coward · · Score: 0

      So you didn't create it. You're the blowhard that others rightfully said you are. A mere big talker and at best you're a user of others' work. Being a registered user here didn't make you special. It made you another dime a dozen wannabe that does a lot of talking but strangely never any real doing himself in computing.

    7. Re:The strange power of delusional phantasy! by Anonymous Coward · · Score: 0

      Temper temper Karmadillo! Nobody said whitelisting's bad. They said you couldn't build it yourself. You don't have the skills. Appears that's truth based on your foaming at the mouth reaction that got a bit of a rise out of you. Truth will do that. We excuse you for being a "ne'er-do-well" blowhard.

    8. Re:The strange power of delusional phantasy! by Anonymous Coward · · Score: 0

      *chortle* @ "We excuse you for being a "ne'er-do-well" blowhard"

    9. Re:The strange power of delusional phantasy! by Anonymous Coward · · Score: 0

      *snicker* @ "Being a register user here didn't make you special. It made you another dime a dozen wannabe that does a lot of talking but strangely never any real doing himself in computing."

    10. Re:The strange power of delusional phantasy! by Karmashock · · Score: 0

      It's like talking to some moron that thinks his imaginary friends are supporting evidence.

      Shall I click "post anonymously" here to make it look like I'm a third party when really I'm just agreeing with myself?

      You're fooling no one but yourself with this pathetic display.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    11. Re:The strange power of delusional phantasy! by drinkypoo · · Score: 1

      You're arguing with APK, right? It seems like his "No, this isn't APK, you can tell because I didn't mention hosts files in this comment" style. Don't do that. It's a waste of time. He doesn't even write funny responses. HTH, HAND.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    12. Re:The strange power of delusional phantasy! by Karmashock · · Score: 1

      I get along with APK just fine. I've had a few discussions with him. I like him. :-D

      Unlike most of the people that diss him he actually knows something, has accomplished something, and has one of the few novel perspectives on stuff.

      Does he go on and on about his host file thing? Yeah. The man is advertising to a certain extent. He hears all these problems and he's like "my program solves this" and everyone is like "fuck you you're stupid!"... think about how that would make you feel.

      As I said, I get along with him just fine.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  9. I'm working on something even better by JoeyRox · · Score: 4, Insightful

    Electron-level threat protection. It analyzes randomly-moving electrons to decide how best to separate people from their IT budget dollars.

    1. Re:I'm working on something even better by Anonymous Coward · · Score: 0

      The AC's commented funnier and got -1's. Damn it's a downhill slope around here.

      All you literally need to do is not use Windows and your security vulnerabilities drop by 99.95% immediately.

      Is this company Check Point in it to actually make computing safer? If so they should be on board with great software companies. If they are in it for the cash... well this shit is a joke.

      Rinse. Lather. Repeat.

      Microsoft Windows. We sell Windows all week and break them on weekends. Now for "your" safety Windows 10 will be total global spyware.

      http://www.technobuffalo.com/2013/08/22/nsa-windows-8-exploit/
      http://www.technobuffalo.com/2013/07/11/microsoft-gave-the-nsa-direct-backdoor-access-to-outlook-skype/
      http://winsupersite.com/windows-10/how-stop-windows-10-upgrade-downloading-your-system
      http://www.extremetech.com/computing/195592-with-windows-10-microsoft-could-move-to-a-subscription-based-model
      http://www.extremetech.com/computing/205320-microsoft-windows-10-will-be-the-last-version-of-windows
      https://www.youtube.com/watch?v=5GU5uv28a3I
      http://techrights.org/2015/07/31/vista-10-anticompetitive/
      https://www.youtube.com/watch?v=wwRYyWn7BEo
      http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/
      https://gitlab.com/windowslies/blockwindows

      distrowatch.com and have a great day y'all.

  10. Windows already HAS whitelisting by Anonymous Coward · · Score: 0

    Windows already HAS whitelisting by application, Karmadildo! Talk about selling snake oil or snow to Eskimos. Get aware of things, dumbo!

  11. Windows already HAS whitelisting by Anonymous Coward · · Score: 0

    Windows already HAS whitelisting by application, Karmadildo! Talk about selling snake oil or snow to Eskimos on your part.

  12. Re:A better one = You don't get sick.... apk by Anonymous Coward · · Score: 0

    spam harder, we didn't hear you the first four times.

  13. Re:A better one = You don't get sick.... apk by Anonymous Coward · · Score: 0

    And APK, the world's most retarded AC, is back. Now that you've revealed you believe in psychics, can you tell us whether Nostradamus predicted your host file app? More importantly, can you reveal if you like to massage your anus with printouts of your host file?

  14. Re:A better one = You don't get sick.... apk by Anonymous Coward · · Score: 0

    He probably just hopes you finally chew off your fingers in a fit of rage.

  15. Re by Anonymous Coward · · Score: 0

    Angel Coaching http://selestiaplus.com/

  16. The final straw by johannesg · · Score: 4, Funny

    The software Checkpoint makes already prevents any kind of useful work from being done on a machine. Now it takes the logical final step, and just completely stops the CPU from doing anything at all! Our IT department will love it for sure. Anything they can do to slow down actual business processes.

    Seriously. We use Checkpoint at work. On a fast machine with an SSD, compiling takes longer than on machines with a normal hard disk...

    1. Re:The final straw by Anonymous Coward · · Score: 0

      As far as I could see they don't do that on the endpoint but on a network gateway, so the files are emulated, not on the endpoint itself... Wouldn't you rather be slow and secure than fast and have some Chinese hacker steal your hard work?

    2. Re:The final straw by Anonymous Coward · · Score: 1

      > The software Checkpoint makes already prevents any kind of useful work from being done on a machine.

      So it's taking over from McAfee Home Edition?

    3. Re:The final straw by Anonymous Coward · · Score: 0

      SSDs don't speed up compile time. Compilers are just too good at caching to have any measurable effect. I know; I've tested it several times over the years.

  17. They're trying to be more like the regular news... by Anonymous Coward · · Score: 0

    I think they're just trying to be more like regular news sites with this. On the plus side, it has better editing than the usual lack thereof.

  18. It is yet another attempt at intentions-detector by Anonymous Coward · · Score: 0

    "We will run some stuff in a box and see if it tries to break the box" - this is old.
    Tons of companies tried to solve this and failed, but several of those made tons of money by the sheer snake-oilness of the idea. Basically it is a magical proposition by any standard.

  19. Yawn by Anonymous Coward · · Score: 0

    How many hours will it take for the first malware to detect this hypervisor and adapt its tactics?

    1. Re:Yawn by Anonymous Coward · · Score: 0
  20. Re:A better one = You don't get sick.... apk by Anonymous Coward · · Score: 0

    I begin to believe APK is one of the lesser evils here.

  21. Well by Anonymous Coward · · Score: 0

    How does your "whitelist" detect "code injected by means of PDF file"?

    The problem is not to detect malicious *.exe or *.dll files; the enormous problem are all the code injection opportunities in the "good" *.exe and *.dll files.

    Having said that, 50% of CVE exploits could be eliminated if we did not use C and C-style C++. But you know what? Our rulers want it that way. They handed us the trojan horse of Unix and C so that our computers could be inspected ANY TIME, ANY WHERE.

    We already had a much better state of affairs with the Algol mainframes, where (for example) every array bounds access was checked. But the "free" Trojan horse from Bell Labs killed this much more secure competitor.

    Conclusion: The IT industry is an enormous BUNCH OF SUCKERS.

    PS: Yeah, Whitelists are always superior to Blacklists, but they do not suffice, as you can see.

    1. Re:Well by Anonymous Coward · · Score: 1

      http://l4hq.org/projects/os/
      http://ssrg.nicta.com.au/

      Please excuse me for brutally pasting this here:

        Past achievements of the SSRG team include:

              World's first formal proof of functional correctness of a complete, general-purpose operating-system kernel, plus a proof that the kernel binary is a correct translation of the C implementation;
              Formal proofs of isolation properties (integrity and confidentiality) of the seL4; together with the above this establishes a complete proof chain from high-level security properties to the kernel binary, making seL4 the first provably secure OS kernel;
              First-ever sound and complete timing analysis of a protected multi-tasking operating system kernel
              Two papers accepted to SOSP'09 (including a best-paper award). These are the first papers from Australia in the 42-year history of the top OS conference;
              Design and implementation of a high-performance capability-based secure microkernel (seL4) that integrates kernel and user resources in the same protection and management framework;
              All recent Apple iOS devices ship with a security processor controlled by a fork of our L4-embedded microkernel;
              A new approach to the design of device drivers which eliminates the majority of typical driver bugs by construction (Dingo);
              A comprehensive approach to accurate energy management via dynamic voltage and frequency scaling that does not rely on pre-characterisation or inaccurate models of the hardware (Koala);
              Highest message-passing performance ever reported on a number of architectures.
              A review of the impact of process simulation research upon software systems published at ACM Impact Project workshop.
              The Lending Industry XML Initiative (LIXI) developed and released industry-wide reference business processes, architectures and implementations for lending transactions to more than 100 Australian financial firms.
              Contributed to ISO/IEC/IEEE 42010 Systems and software engineering Architecture description standard.
              Our Empirical Software Engineering team named one of the three top research groups in the field in Communications of the ACM
              Our spinout company Open Kernel Labs has deployed OKL4, its descendant of our L4-embedded microkernel, in billions of mobile devices.

    2. Re:Well by Karmashock · · Score: 1

      As to PDFs... two things.

      1. I try to use non-standard applications for such uses where I can get away with it. Acrobat Reader for example is one I generally replace with a third party alternative. Your executable code will assume Acrobat and it won't get past anywhere via that little tweak all by itself.

      2. The PDF readers etc have restricted permissions. The code in the file uses the application's own permissions to do things and it doesn't have the permissions to do anything that would threaten me. Is there a reason I need to give Excel Network or internet access? Any reason to give Excel access to system settings? What is it going to do?

      The workstations are thin clients that connect to a terminal server. And the templates refresh on each login so even if you corrupted Excel somehow it would be clean again on the next load.

      As to the IT industry being full of suckers... I would agree. They seem entirely incapable of grasping what it means to put on your game face... to go to war over the network. They don't take any of it seriously and frankly I think a lot of that attitude is why other aspects of business and government actually don't take IT seriously. It shows. You are serious or you're not taken seriously.

      So they pay the price over and over again. They get treated like shit and their systems get raped by the first black hat that really tries. Fuckwits.

      Is my system perfect? It's as close to perfect as I've been able to make it. It's pretty fucking secure. There have been many attempts and... I believe no breaches ever. Can I know? It's possible. It's just not very likely. I don't just have firewalls but I also have a very robust logging and reporting regime. Lots of things are logged and a penetration should show up in the logs.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  22. BINGO by Anonymous Coward · · Score: 0

    All those attempts to "retrofit the polished turd of Unix and Windows kernels with security" will only bring your system performance into the crapper. The root cause of the never ending stream of exploitable bugs is that security has always been an afterthought. The most horrible afterthought being the use of C and all its shitty mechanisms like "unchecked arrays" "funny casting" "manual heap memory management" and the like.

    Add rotten companies like Adobe to the mix (their kernel modules for font rendering in the WNT kernel) and all the "security" efforts are actually a travesty.

    Your company should look at this:

    A) Do not use the X11 system. Its architecture means a single program subverted subverts ALL programs, simply by means of redirecting keypresses.
    B) Use SE Linux (a whitelisting technique)
    C) Use AppArmor (a whitelisting technique)
    D) Use L4, where they attempted to prove total correctness of the kernel
    E) Use Ada, Java, C# instead of C or C style C++
    F) Only hire folks who have a CS degree, at least for development. The amateurs simply do not know techniques like proper lexers and parsers - with exploitable bugs being the consequence.
    G) Do heavy firewalling (not just at the border to the interwebs) in order to detect illicit traffic inside your network. By "heavy" I mean having a team of people analyzing the traffic using Perl scripts in order to filter out the harmless stuff and being able to look into the suspicious 1% of traffic. Yeah, it is expensive. Maybe less expensive than using a paper registry instead of computers.

    1. Re:BINGO by johannesg · · Score: 1

      Your solutions are not solutions at all. You are basing everything on a combination of trust, and techniques of dubious real-world value. That's fine for a few very specific domains, but in the real world things like "time to market" also matter.

      Whitelisting is bullshit. I should not have to rely on a "trusted" list of applications; I should trust that the OS has containers that stop any damage from being done in the first place. And I don't want to give an application either nothing, or the keys to the kingdom, which is essentially what UAC or sudo ask you to do. Let me choose what it gets on a case by case basis: network access, full screen access, access to specific devices and directories, etc.

      Can you write malicious software in Ada or Java? Of course, and it's trivial. Can a person with a CS degree write bad software? Don't make me laugh, I see it every day. Those are not solutions at all.

      The answer is not trust, it is containers with specific, easily understood access rights.

    2. Re:BINGO by aberglas · · Score: 1

      Yes, but you also demand vast amounts of useless functionality. 100% compatibility with every ill-conceived feature that has ever been added in the past. To be in lock step with the latest fads in UI. And that means huge amounts of code, and huge amounts of complexity.

      Which is why your containers will leak like a sieve.

  23. Your WALL OF TEXT by Anonymous Coward · · Score: 0

    ...does not address the "malware served by ad PNG" issue. An attacker could very well build attack code which goes after firefox's PNG rendering code, checks for the "current location" and only if it is in the target network does the reconnaissance. (Or the destructive/manipulative work).

    The "ad" would be distributed to essentially the entire WWW by means of DoubleClick. It would only hit YourCorp.com, though. And if YourCorp firewall team is not alert, it would exfiltrate the reconnoitered data to NastyOrg.ru. Maybe via googlemail - they have these nice 5GByte mailboxes and YourCorp was too stupid to allow access to googlemail. Traffic would be concealed as googlemail traffic.

    Sounds expensive ? Well, the secrets of YourCorp might be worth more than a massive Doubleclick ad campaign. Especially if YourCorp is in the business of making high tech stuff...

    1. Re:Your WALL OF TEXT by Karmashock · · Score: 1

      Why would I talk to DoubleClick? I don't even talk to DoubleClick on my personal machine at home. Why would I let a protected system talk to DoubleClick?

      Access denied.

      I'm generally a believer in not running code that I don't need to run. That extends to javascript.

      I am currently blocking about 5~7 domains from serving javascript on this site alone... right now. And I've seen sites that were trying to push me to run 20+ javascript domains for a single page.

      It's dumb.

      I run script when it serves a purpose. And then I only run the script that I need to run to permit that purpose. And I do not permit domains I do not trust to run anything.

      I've never seen anything where I "had" to run DoubleClick. I feel bad about it sometimes because the sites likely lose ad revenue. But I'm not running the code. I will happily display the image but the code... no.

      As to embedding malware in a PNG file, my understanding is that you're not infecting anything with that file unless the image file is not merely displayed but run as an executable.

      It's less that some image files contain viruses than that you can write an executable so that it displays as an image if given the appropriate file extension. But so far as I know, the image file itself will not infect anything unless executed rather than being read as an image.

      Correct me if I'm wrong. If that works then the webbrowsers are more incompetent than I had imagined.

      Regardless, I don't run scripts or access domains that I don't need something from. I'm quite happy to give them nothing.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    2. Re:Your WALL OF TEXT by Anonymous Coward · · Score: 0

      > Correct me if I'm wrong. If that works then the webbrowsers are more incompetent than I had imagined.

      You are wrong.
      You are confusing malware and exploits. Images can trigger vulnerabilities and carry exploits just as any other file type. For example (rather old but still the example) - MS05-009 "PNG Processing Vulnerability in Windows Media Player - CAN-2004-1244:
      A remote code execution vulnerability exists in Windows Media Player because it does not properly handle PNG files with excessive width or height values. An attacker could try to exploit the vulnerability by constructing a malicious PNG that could potentially allow remote code execution if a user visited a malicious Web site or clicked a link in a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system."

      So it's enough to display the image in order to run code on your machine. IF there's this kind of vulnerability nowadays.

    3. Re:Your WALL OF TEXT by Karmashock · · Score: 1

      hmmm... I'm still seeing the presupposition that the program in question has the permissions. And you're still forgetting the firewalls.

      I mean... fine... you might get by ONE defense by doing something like this but to actually be effective you need to get past them all. And I don't see that happening.

      I mean, fine... you get some code into active memory... great... but what permissions does it have? It's going to inherit the permissions of the host program. So you're inheriting the permissions of what? Internet Explorer/Firefox/Chrome/Opera/whatever? Congrats. Its permissions are shit.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    4. Re: Your WALL OF TEXT by Anonymous Coward · · Score: 0

      Not scalable dude

    5. Re: Your WALL OF TEXT by Karmashock · · Score: 1

      I do it on a large, a very large network, dude.

      I do a lot of it with control of DNS servers. If you're talking about blocking doubleclick.. I mean... that's an easy one.

      The whitelisting isn't just for programs. It's for web domains as well. We have several different networks but for this discussion you just need to know there is an unlocked Wifi network for people to facebook on and there is a HEAVILY locked down wired network, which is what the machines I actually give a shit about are connected to...

      Totally scalable. And in case you're curious... we have about a dozen external IPs though most of them are for specific servers. In so far as the users are concerned there are TWO IPs. The locked down wired network and the everything-goes download horse porn network. And never the twain shall they meet.

      Look look look.

      Here's the thing. Security is very very serious in my context. Enough that... well there are security guys with guns... and those guns have bullets in them.

      So... Keep that in mind when you're saying something I'm saying isn't realistic. It isn't just realistic... it's every fucking day. It's just high security.

      How many of you guys operate managed air gapped networks? That's one of our layers of security for the archives amongst other things.

      Is this reasonable for everyone? No. But it's reasonable for more people than do it. A lot of these corporate and government breaches could have been stopped if they had been more serious about it. Sure, an Ed Snowden can nail you if one of your IT people goes rogue. But short of that, I don't see how you break a system like this... and even the Ed Snowden thing has a solution. The solution is drastic... but effective.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
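The default-deny idea from the earlier reply ("define whatever is currently running as GOOD, anything added is ASSUMED bad") and the domain whitelisting described in this one can be shown as one policy check. The code below is an added example, not anything from the thread or from Check Point; the file contents, digests and domain names in it are constructed sample values.

```python
"""Default-deny (allowlist) policy check for executables and DNS names.

Added example for this thread; not code from any poster or vendor.
All file contents, paths and domains here are constructed samples.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Allowlist:
    # SHA-256 digests of binaries captured while the system was known good.
    binaries: set = field(default_factory=set)
    # Hostnames and parent domains the locked-down network may resolve.
    domains: set = field(default_factory=set)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline(files: dict) -> set:
    """Snapshot step: files maps path -> content bytes at a known-good time.

    Only the content digest is kept; a later binary at the same path with
    different bytes is not in the baseline and is therefore denied.
    """
    return {sha256_of(content) for content in files.values()}


def may_run(allow: Allowlist, content: bytes) -> bool:
    """Default deny: anything not in the baseline is treated as bad."""
    return sha256_of(content) in allow.binaries


def may_resolve(allow: Allowlist, hostname: str) -> bool:
    """Allow an exact host or any listed parent domain, label by label.

    Matching on whole labels means "corp.example" permits
    "mail.corp.example" but not "evilcorp.example".
    """
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allow.domains for i in range(len(labels)))


def evaluate_events(allow: Allowlist, events: list) -> list:
    """Run a batch of ("exec", bytes) / ("dns", host) events through the policy.

    Returns (event_kind, label, allowed) triples; denied entries are what a
    logging/reporting regime would surface for review.
    """
    results = []
    for kind, payload in events:
        if kind == "exec":
            results.append((kind, sha256_of(payload)[:12], may_run(allow, payload)))
        elif kind == "dns":
            results.append((kind, payload, may_resolve(allow, payload)))
        else:
            # Unknown event kinds are denied, not silently ignored.
            results.append((kind, str(payload), False))
    return results


if __name__ == "__main__":
    # Constructed "known good" image of a locked-down workstation.
    known_good = {"/usr/bin/tool-a": b"program A v1", "/usr/bin/tool-b": b"program B v1"}
    policy = Allowlist(binaries=baseline(known_good),
                       domains={"corp.example", "updates.vendor.example"})
    sample = [("exec", b"program A v1"),            # baseline binary: allowed
              ("exec", b"program A v1 (tampered)"), # same path, new bytes: denied
              ("exec", b"brand new tool"),          # added later: denied
              ("dns", "mail.corp.example"),         # inside allowed domain
              ("dns", "evilcorp.example"),          # lookalike, not a subdomain
              ("dns", "ad.doubleclick.net")]        # not on the list: denied
    for kind, label, allowed in evaluate_events(policy, sample):
        print(f"{kind:4} {label:32} {'ALLOW' if allowed else 'DENY'}")
```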
    6. Re:Your WALL OF TEXT by Anonymous Coward · · Score: 0

      > hmmm... I'm still seeing the presupposition that the program in question has the permissions. And you're still forgetting the firewalls.
      >
      > I mean... fine... you might get by ONE defense by doing something like this but to actually be effective you need to get past them all. And I don't see that happening.
      >
      > I mean, fine... you get some code into active memory... great... but what permissions does it have? Its going to inherit the permissions of the host program. So you're inheriting the permissions of what? Internet explorer/firefox/chrome/opera/whatever? Congrats. Its permissions are shit.

      Historically malware may combine vulnerabilities.
      The first (such as the PNG vulnerability mentioned) uses a vulnerability in a trusted program to load the code, and that code contains a privilege elevation attack.

      You should already know that, Karmashock.
      Are you intentionally being obtuse to "win the argument", or did you actually not know?

    7. Re:Your WALL OF TEXT by Karmashock · · Score: 1

      ... sure you could nest a million different things in there that will serially defeat everything but I don't see it working in one shot like that.

      My experience with these things is that they contain one or two things in them to break through and then the presumption is that they'll be home free.

      If the security is layered and pervasive and customized and contains lots of brute force defenses like write-locked files or protocol shifts or nasty firewalls...

      I've never even heard of a malware that worked like that.

      Even the whole stuxnet thing which was a state sponsored malware attack wasn't as sophisticated as what you're suggesting.

      And while... sure it could work, I think you'd need to have detailed insider knowledge of how my systems are set up to actually design such a thing properly. You can't just guess.

      I don't believe in being standard. Standards can be studied and war gamed against, and defeated prior to battle even being joined. If you're non-standard then no preconceived attack can reliably work without insider knowledge of the structure.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    8. Re:Your WALL OF TEXT by Anonymous Coward · · Score: 0

      What you say about code and DNS whitelisting is good advice.
      I once worked in a major university.
      We locked down and used whitelisting for the clerks and business office type people. Those people are like 99% of the problems (if you let them) because they are the kind of people that if you left a pistol on their desk, they would pick it up and pull the trigger to see if it was loaded.
      After that, life became easy and we laid off about half of the desktop staff.
      I'm not talking about students' network - their world is chaos, panic, doom, and tough-luck-you-should-have-known-better.

      As for the scientists, engineers, etc, we installed the computer, basic software, and monitored if they didn't already do it themselves.
      There is no possibility of implementing anything resembling whitelisting or blacklisting for both technical and managerial reasons.
      When something bad appeared on the network, we busted our butts to fix it. Fortunately, that was not often because those people aren't retards.

      P.S. Karma, you are showing some significant ignorance regarding how modern malware works. You're right about a lot of things, but not what you're saying about malware.
      Please stop responding on that topic.

    9. Re:Your WALL OF TEXT by Karmashock · · Score: 1

      When I find someone has made an error, I tell them not only that they made the error but the nature of the error and help educate them so they learn from the experience.

      Let's say I'm wrong as a given here... what did I learn or did you teach me simply by saying I was wrong? I don't understand the error you're suggesting I made here. You've given me not only no opportunity to validate your opinion as to whether YOU are right but you've also given me no opportunity to correct my own opinion.

      Can you explain my error in some detail please so I can validate its accuracy and if it is accurate correct my own thinking.

      What I tend to find in these security discussions where someone says "you're wrong karma" is that they assume one LAYER of security is ALL the security. I'm just guessing you're going to say "this thing you said wouldn't stop X"... okay but what about the security walls before that one thing and after that thing and so on? Eh?

      I do a lot of BRUTE FORCE things to secure my networks. Start with what I feel are good initial premises.

      1. I don't assume that I've thought of everything.
      2. I don't assume that my code is perfect.
      3. I don't assume that I'm smarter than my attacker.
      4. I don't assume that they're simply not going to make the effort.

      That's just some basic thoughts in my head as I deal with this situation.

      I don't try to make some perfect egg shell defense. My network is more like a motte and bailey castle. Layers.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    10. Re:Your WALL OF TEXT by Anonymous Coward · · Score: 0

      When I find someone has made an error, I tell them not only that they made the error but the nature of the error and help educate them so they learn from the experience.

      Let's say I'm wrong as a given here... what did I learn or did you teach me simply by saying I was wrong? I don't understand the error you're suggesting I made here. You've given me not only no opportunity to validate your opinion as to whether YOU are right but you've also given me no opportunity to correct my own opinion.

      Can you explain my error in some detail please so I can validate its accuracy and if it is accurate correct my own thinking.

      Good point, but I read the posts by the various other AC's, and they did in fact correct your mistaken belief and explain why.
      For example you said. "As to embedding malware in a PNG file, my understanding is that you're not infecting anything with that file unless the image file is not merely displayed by run as an executable."
      That was explained by the AC that responded that code can be injected without the malware running an executable file. He even gave you the MS05-009 where you read up on how it works.

      You then said

      "I mean, fine... you get some code into active memory... great... but what permissions does it have?"

      Then an AC says
      "Historically malware may combine vulnerabilities.
      The first (such as the PNG vulnerability mentioned) uses a vulnerability in a trusted program to load the code, and that code contains a privilege elevation attack."

      Which gets from you:

      "My experience with these things is that they contain one or two things in them to break through and then the presumption is that they'll be home free.

      If the security is layered and pervasive and customized and contains lots of brute force defenses like write locked files or protocol shifts or nasty firewalls.

      I've never even heard of a malware that worked like that.

      It's hard to tell who you're talking to, but your reply "In my experience" and "I've never heard of a malware that worked like that." tells us much.
      It means that not only do you not know much about the topic at hand (malware), but also that you're just quibbling.
      Quibbling is annoying, which is why you have all these trolls attacking you even about the things you are right on.

      So, anyway, ignoring your jerkish and quibbling attitude, and for the benefit of other slashdot readers, here's more info.

      Some of the vulnerabilities are in system calls. A low-priv program can request resources from a higher-priv resource. If the higher-priv resource has a vulnerability, and the low-priv takes advantage with a malformed request, the injected code runs with the permissions of the higher-priv program.
      Read this.
      https://technet.microsoft.com/...

      This is an example. There are many others like it. PRETTY PLEASE DO NOT TELL ME WHY YOUR SITE IS NOT VULNERABLE TO THIS ONE EXAMPLE.
      I don't give a shit about your site. I give a shit about people posting bad information.
      In this case, it is your statements on how malware does or does not work.

  24. An Advert by Stonefish · · Score: 4, Insightful

    I expect my ads to be off to the side and not the main course on slashdot. What was the price of this post?
    +2 for subtlety......... cocks

    1. Re:An Advert by nazsco · · Score: 1

      not to mention the fake first post adds to the ad instead of cursing, as usual. can it get more obvious?

  25. Karmashock uses hosts files as do you... apk by Anonymous Coward · · Score: 0

    See subject: I don't attack him. You use hosts too drinkypoo!

    (Yet YOU DO attack me oddly enough - you've been doing it for a few weeks now, & your post history's the evidence of it!)

    APK

    P.S.=> I can't figure out WHY you do, but guess what drinkypoo? Not everyone here is me! I know - big newsflash/new NEWS, right?? It's true man - get over it! apk

  26. Wasn't me Karmashock... apk by Anonymous Coward · · Score: 0

    Look at the writing style: NOTHING like mine is! Drinkypoo popping up & blaming me now though? I'd have to say, "there's your culprit!" - especially trying to "frame me" as he has now!

    I get along with you as well. I have NO ISSUES with you & in fact, since you use hosts files too? I have every reason to not give you guff!

    * I don't get it - I know that YOU use hosts files, but oddly enough? SO DOES Drinkypoo... & I can't see WHY he's trying to frame me up for some troll doing you wrong (my guess, yes, is that it's HE doing it - & doing a POOR JOB "imitating me").

    APK

    P.S.=> Drinkypoo's been messing with me for a few weeks now & if you don't believe it? His post history says it all for me as the "proof thereof"... apk

    1. Re:Wasn't me Karmashock... apk by Karmashock · · Score: 1

      On the issue of hostfiles I like the concept of security through DNS because it eliminates a huge number of threat vectors very cheaply and is very hard to bypass.

      The virus would have to have its own DNS query system which would increase the complexity, code size, and detection surface of the malware.

      I think DNS filtration should be a bigger aspect of firewall operation. Obviously a proper firewall has to expand that to IP filtration.

      I'd like to see two way filtration based on DNS name wherein if the DNS name is redirected to localhost the firewall is also made aware of the correct IP for that hostname and also blocks any attempt for that IP to be accessed at the firewall level.

      Managing all the fucking IPs I have to make available at the firewall is irritating. I passively block anything not on the allowed list on the high security network. Whereas I use more of a blacklisting system for medium security networks. The low security ones only block pornography and known blackhat IPs.

      Anyway, if you ever came along with something that made managing a really comprehensive blacklist for a large network easy... you could get yacht money. Just fyi for thee. We're currently still managing a lot of this stuff manually. There are tools that try to help but they generally are all for show and don't actually work when the barrel is against your temple and the hammer cocks back.

      And in a high security network... that is PRECISELY when the fucking thing needs to work. We both see these nutty hack demos at the hacker conventions where things are just WIDE OPEN to attack. And I'm sure it baffles you as much as it baffles me.

      I think to some extent it explains the shift to cloud services. The clouds for all their sins generally have "better" security. Good? Great?... perhaps not. But better than nothing.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  27. What I "hope for" & usually get? by Anonymous Coward · · Score: 0

    See subject: Is for downmodding trolls to blow thru their modpoints exhausting them.

    * They usually do, & then I can post whatever I do, minus them trying to effetely + vainly "hide" my posts they downmod, with no valid technical justification why no less as always by pointing out some mistake I made (I don't do that) - since they've exhausted their modpoints, usually 5-7 posts worth, my subsequent posts afterwards are left alone in THAT capacity...

    (Of course, then comes the ad hominem attacks in the ones I do NOT have a downmod on, & those are done by UNIDENTIFIABLE ac posts - no biggie on that, my word gets out TOTALLY unimpeded & all they're left with is their own drooling mess in those illogical offtopic ad hominem attacks!)

    APK

    P.S.=> Works EVERY single time they do it (as they are here) - they "run dry" of the modpoints they bogusly abuse & I'm just the man to do it to them since I know "their kind", the lowest of the LOW online, better than they know themselves - so it's EASY TO GET THEM TO DO WHAT I WANT & in the end, I get what I want, always - see above (it just works)... apk

    1. Re:What I "hope for" & usually get? by Anonymous Coward · · Score: 0

      I heard an Internet user in New Jersey who used your host file tool got AIDS.

    2. Re:What I "hope for" & usually get? by Anonymous Coward · · Score: 0

      Grow up.

  28. Thanks Karmashock... apk by Anonymous Coward · · Score: 0

    It wasn't me. Drinkypoo suddenly showing up though trying to "frame me" somehow though? That screams 'setup' to me. Too bad his writing style while attempting to "mimic me" isn't ANYWHERE near the same as my own!

    * I don't get it!

    (He, like yourself, uses hosts files also - so I can't figure out WHY he's been trying to "get my goat" for a few weeks now!)

    Anyhow/anyways: Whoever is bugging you was NOT me! I wish they'd get a grip & realize THEY TOO had best be able to show they've built something decent instead of trying to cut you up on that note - they're being hypocrites!

    APK

    P.S.=> IF you find that difficult to believe? His post history shows it clearly enough that he DOES & HAS been @ "attacking me" - this time? It seems like he's hit somekind of 'strange low', attempting to 'frame me' here... & again - I don't GET WHY! For Pete's sake, he's even told me I am RIGHT ON HOSTS FILES, literally... so why attack me as he has been for a few weeks now here & there? apk

    1. Re:Thanks Karmashock... apk by Karmashock · · Score: 1

      It doesn't matter. I only get harassed by a couple AC trolls... I recognized one of them... and I've decided to call him "bingo the clowno"... :)

      Oh and communists don't like me because whenever their failed ideology comes up I take some joy in rubbing their stupid faces in it.

      Besides that... I generally get along with everyone.

      APK, have you thought of making an application of your DNS hostfile thing ON a Raspberry pi? Like actually package it as an appliance image?

      Because the Pi has more than enough brain power and bandwidth to handle a network DNS server. The pi costs about 30 USD.

      My main issue with your program is that while it is applicable to ONE computer I'd like to try it on a wider network. Point the router DNS to the Pi and then have the Pi effectively filter the DNS results of the entire network.

      Maybe I'm being dumb and there is already a superior product for this that you'd like to suggest. I do operate a lot of DNS servers in the few networks I manage but controlling these subscription based DNS lists is not practical.

      Just an idea and all the best.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
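The Pi-as-DNS-filter idea above, as an added example that is not code from the original thread or from APK's hosts-file tool: the core of a resolver that every client on the network is pointed at (via the router's DNS setting), which parses the question in a raw query, sinkholes names found in a hosts-style blocklist, and relays everything else to an upstream such as the OpenDNS address mentioned later in the thread. Parent-domain matching is a design choice of this example (a hosts file only matches exact names); the blocklist text and queries are constructed data, and the upstream is injected as a function so the logic runs offline.

```python
"""Filtering DNS resolver core: sinkhole blocklisted names, forward the rest.

Added example for the thread above, not code from the original post or from
APK's hosts-file tool. SAMPLE_HOSTS, the queries and the upstream function in
the demo are constructed data; the UDP helpers are what a Pi would really run.
"""
import socket
import struct

SINKHOLE_IP = "0.0.0.0"          # address handed back for blocked names
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}

def parse_hosts_blocklist(text):
    """Collect names a hosts-style list points at 0.0.0.0 or 127.0.0.1."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()    # drop comments and blanks
        if len(fields) < 2 or fields[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in LOOPBACK_NAMES:        # real loopback entries stay
                blocked.add(name)
    return blocked

def is_blocked(name, blocked):
    """Exact or parent-domain match: a.b.example is blocked if b.example is.
    (A hosts file only matches exact names; a resolver can block whole zones.)"""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def build_query(name, txid=0x1234, qtype=1):
    """Encode a minimal standard query (RD=1) for NAME; qtype 1 is A."""
    packet = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        packet += bytes([len(label)]) + label.encode("ascii")
    return packet + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(query):
    """Return (txid, qname, qtype, end offset) of the first question."""
    txid = struct.unpack("!H", query[:2])[0]
    offset, labels = 12, []
    while True:
        length = query[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:                          # compression pointer
            raise ValueError("compressed qname is not valid in a query")
        labels.append(query[offset:offset + length].decode("ascii"))
        offset += length
    qtype = struct.unpack("!H", query[offset:offset + 2])[0]
    return txid, ".".join(labels), qtype, offset + 4

def build_sinkhole(query, qend, txid, qtype):
    """Answer A queries with SINKHOLE_IP; other types get an empty NOERROR."""
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR RD RA
    answer = b""
    if ancount:   # name pointer to offset 12, type A, class IN, TTL 60, len 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)
        answer += bytes(int(o) for o in SINKHOLE_IP.split("."))
    return header + query[12:qend] + answer

def resolve(query, blocked, upstream):
    """Sinkhole blocked names, otherwise hand the raw query to UPSTREAM."""
    txid, name, qtype, qend = parse_question(query)
    if is_blocked(name, blocked):
        return build_sinkhole(query, qend, txid, qtype)
    return upstream(query)

def forward_to(server, port=53, timeout=2.0):
    """Real upstream: relay over UDP, e.g. forward_to("208.67.222.222")."""
    def upstream(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            return s.recv(4096)
    return upstream

def serve(blocked, upstream, bind=("0.0.0.0", 53)):
    """Network-wide filter: point the router's DNS setting at this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            query, client = s.recvfrom(512)
            try:
                s.sendto(resolve(query, blocked, upstream), client)
            except (ValueError, IndexError, OSError):
                continue                           # malformed query or timeout

# Constructed sample blocklist in hosts-file format.
SAMPLE_HOSTS = """127.0.0.1 localhost
0.0.0.0 ads.example          # ad network
0.0.0.0 c2.example.net       # known C2 domain
"""
```

Running `serve(parse_hosts_blocklist(open("/etc/hosts.block").read()), forward_to("208.67.222.222"))` as root on the Pi is the whole appliance; the caveat, which the thread itself raises, is that this only catches malware that resolves names, so it belongs in front of an IP-level firewall rather than in place of one.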
  29. Ok then - shoe's on the OTHER foot now! apk by Anonymous Coward · · Score: 0

    What have YOU personally created for securing computers then?

    * ?

    (I suspect you're a "POT CALLING THE KETTLE BLACK" mere hypocrite that hasn't done what he harps on others for himself...)

    APK

    P.S.=> Drinkypoo, somehow? I SUSPECT THIS IS YOU trying to "frame me up" for this as you've been trolling me for a few weeks now -> http://slashdot.org/comments.p... per my comments to KarmaShock on that much - odd part is, YOU USE HOSTS TOO, as does Karmashock, & I can't figure out WHY you'd do this to me since you use them also... apk

  30. Is there an echo in here? by phonewebcam · · Score: 1
    1. Re:Is there an echo in here? by bonfirer · · Score: 1

      Not even closely related let alone "same" ... read both articles again

  31. A better one = You don't get sick.... apk by Anonymous Coward · · Score: 0

    If you block online "sources of infection" via APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...

    (... & yet go faster too, via 2 methods in adblocking + hardcoded fav sites you spend most of your time @ online @ the TOP of hosts for best speed cached into RAM - which is MOST unlike other so-called solutions that actually SLOW YOU DOWN too)

    FREE & adds speed, security, + reliability, doing more with less, more efficiently vs. browser addons & locally installed DNS servers @ home + fixes DNS' redirect security issues - obtaining its data vs. online threats & adbanner blocking from 10 reputable sites in the security community!

    By using something you already natively have vs. "bolting on 'MOAR'" that's usermode slower & increases messagepassing, cpu + ram overuse overheads!

    * :)

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    In its 32-bit model also https://www.virustotal.com/en/...

    ---

    "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"...

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    PERTINENT QUOTE/EXCERPT:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!

    (Accept NO substitutes!)

    ...apk

  32. Re:A better one = You don't get sick.... apk by Anonymous Coward · · Score: 0

    Evidently troll who stalks apk, you're out of modpoints as apk predicted you would be. That took no psychic. He simply methodically ran you dry of them as he always does and so you pop out of the woodwork with your weak off topic illogical failing ad hominem attack attempts. It must kill you that you can't prove apk wrong and he beats you at your own game of abusing moderation in the end as always.

  33. DNS & hosts = bread & butter... apk by Anonymous Coward · · Score: 0

    See subject: How so? Ok: Hosts combined w/ OpenDNS (a filtering vs. malware one mind you) complement one another.

    See - I don't resolve 'every host-domain there is' via hosts, only my favorites @ top of hosts (20 of them beating indexing past 2++ million records).

    It's where ANYONE spends MOST OF THEIR TIME online - & it's faster + more efficient vs. calling to remote DNS servers.

    Placement of favs thus, for FAST RESOLUTION from memory (hosts are cached like any file is)!

    This setup additionally saves CPU cycles, RAM, + I/O turning off the slower usermode clientside DNS cache service, instead opting for the kernelmode diskcache (no context switch overhead to the IP stack either this way).

    The rest of my hosts files' entries are currently 3,791,575++ blocked entries vs. malware & ads of many kinds.

    I use REMOTE FILTERING DNS SERVERS that help block out malicious sites/servers/hosts-domains via DNSBLs (not locally here as a separate redundant wasteful recursive server or a service/daemon).

    ---

    OpenDNS:

    208.67.222.222
    208.67.220.220

    Patched vs. Kaminsky redirect poisoning - 99.999% of ISP DNS aren't.

    ---

    It LIGHTENS remote DNS loads - admins of 'em should like that!

    ---

    Combined with Windows Firewall (IP address based), it's all I really personally need - using what I have already, natively built-in to my OS.

    APK

    P.S.=> I don't use a locally setup DNS server (or daemon/service) here (single system @ home only nowadays) - it'd be wasteful of electricity + cpu cycles/ram/other forms of I/O it'd use, & more complexity for me (in running apps that might introduce room for breakdown or exploit, ala the Kaminsky redirect poisoning flaw), for no good reason - I complement DNS using hosts (since I don't "cache every host-domain name under the sun") - however, IF YOU RUN A LARGE NETWORK (especially ActiveDirectory based ones), you NEED to run a DNS... apk

    1. Re:DNS & hosts = bread & butter... apk by Karmashock · · Score: 1

      As to electricity, I'm talking about a Pi to do it which would gobble 5 watts of juice.

      Oh well, I don't know what you do professionally but if you came up with an appliance application of your software that could be integrated into a network... It would be worth yacht money.

      As to OpenDNS... I've had some problems with their DNS lists.

      But again, the concept here that would be GOLDEN would be a recursive white/black list that associated Domain and IP address firewall rules in a manner that if you blocked a Domain, the system would do DNS query for that domain, capture all the IP addresses associated with it and then blocked both the Domain AND the associated IP addresses.

      And likewise, blocking an IP address should do a DNS query to find domains associated with that IP address... and at least give the option to block the listed domain associated with the IP address as well as all other associated IP addresses linked to the domain.

      There are some programs that work with hardcoded IP addresses that they link to. Obviously knocking the DNS out makes it MUCH harder for malware to operate on your system. BUT, we have to keep in mind that we're in an arms race here and the opposition will of course resort to IP addresses if they feel that DNS is a fatal liability for their attacks. And as such obviously any proper firewall has to filter IP addresses.

      The problem I have with that is that managing all those IP addresses is a pain in the ass. Google has a zillion IP addresses. So how do I enable all the addresses for google. Sure, they have an IP range which you can enable or disable. But they're not all contiguous which means they still need to be cited separately and they do get added to occasionally which is annoying.

      A smarter firewall rules management system with a fixation on hostname resolution to IP or IP to hostname would be interesting. Again... it would be worth yacht money.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
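The two-way domain/IP correlation Karmashock asks for twice in this thread (in his reply to the "Wasn't me" post, and again just above: blocking a domain should also block every address it resolves to, and blocking an address should pull in the name behind it and that name's other addresses), as an added example that is not code from the original thread or from any firewall product. Resolution is injected as functions so it runs offline on a constructed mapping (TEST-NET addresses); the two socket-based resolvers at the bottom are what a live run would pass instead. The nftables output format is this example's assumption about the target firewall, which the thread does not specify.

```python
"""Correlate a domain blocklist with its IP addresses (and back) and render
the DNS-layer and IP-layer rules, the "recursive white/black list" idea.

Added example for the thread above; not code from the original posts or from
any firewall product. SAMPLE_FORWARD / SAMPLE_REVERSE are constructed data.
"""
import ipaddress
import socket

def expand_domains(domains, forward):
    """Map each blocked domain to every IPv4 address it currently resolves to."""
    hits = {}
    for domain in sorted({d.lower().rstrip(".") for d in domains}):
        addrs = set()
        for addr in forward(domain):
            try:
                addrs.add(str(ipaddress.IPv4Address(addr)))
            except ipaddress.AddressValueError:
                continue               # AAAA answers are out of scope here
        hits[domain] = addrs
    return hits

def expand_ips(ips, reverse, forward):
    """Reverse direction: blocked IP -> name behind it -> all of that name's
    addresses, so one hard-coded C2 address exposes its siblings."""
    domains = set()
    for ip in ips:
        name = reverse(ip)
        if name:
            domains.add(name.lower().rstrip("."))
    return domains, expand_domains(domains, forward)

def build_blocklist(domains, ips, forward, reverse):
    """Return (all blocked domains, all blocked IPv4s) after both expansions."""
    by_domain = expand_domains(domains, forward)
    extra_domains, by_extra = expand_ips(ips, reverse, forward)
    all_domains = set(by_domain) | extra_domains
    all_ips = set(ips)
    for addrs in list(by_domain.values()) + list(by_extra.values()):
        all_ips |= addrs
    return all_domains, all_ips

def render_hosts(domains, sinkhole="0.0.0.0"):
    """hosts-file lines for the DNS layer."""
    return "".join(f"{sinkhole} {d}\n" for d in sorted(domains))

def render_nft(ips, table="inet filter", setname="blocked_v4"):
    """nftables ruleset for the IP layer: drop traffic to the whole set, which
    also covers malware that skips DNS and talks to a hard-coded address."""
    elements = ", ".join(sorted(ips, key=ipaddress.IPv4Address))
    return "\n".join([
        f"table {table} {{",
        f"    set {setname} {{",
        "        type ipv4_addr",
        f"        elements = {{ {elements} }}",
        "    }",
        "    chain output {",
        "        type filter hook output priority 0; policy accept;",
        f"        ip daddr @{setname} drop",
        "    }",
        "}",
    ]) + "\n"

# Live resolvers (need network access); the test uses the sample ones below.
def live_forward(domain):
    try:
        return [r[4][0] for r in socket.getaddrinfo(domain, None, socket.AF_INET)]
    except socket.gaierror:
        return []

def live_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

# Constructed sample DNS data (RFC 5737 documentation ranges).
SAMPLE_FORWARD = {
    "evil.example": ["203.0.113.10", "203.0.113.11", "2001:db8::1"],
    "c2.example.net": ["198.51.100.5", "198.51.100.6"],
}
SAMPLE_REVERSE = {"198.51.100.5": "c2.example.net"}

def sample_forward(domain):
    return SAMPLE_FORWARD.get(domain, [])

def sample_reverse(ip):
    return SAMPLE_REVERSE.get(ip)
```

`build_blocklist(["evil.example"], ["198.51.100.5"], live_forward, live_reverse)` followed by writing `render_hosts(...)` to the hosts file and `render_nft(...)` to `nft -f -` is the whole loop. The caveat is the one Karmashock raises about Google: answers from CDN-backed names change, so the IP set has to be re-resolved on a schedule, and a reverse lookup is only as trustworthy as whoever controls the PTR zone, so treat names learned that way as candidates to review rather than auto-block (the code returns them; the policy is yours).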
  34. Questions, Possibles, & Suggestions... apk by Anonymous Coward · · Score: 0

    I was a few 'titles' in the industry as a pro 1994-2009 going from techie (94-95), to network admin (95-96), then programmer-analyst (97-2000), & software engineer (2000-2009).

    Then I "semi-retired" (everyone's goal's this pretty much in some form after all) getting into real estate.

    However - I still get out & work ON OCCASION (that occasion being paid enough to get off my lazy ass, @ $45/hr. or thereabouts, & that's taken care of by various Fortune 100-500 companies periodically contracting my services to do custom apps & network migrations).

    I've reserved my programming to hobby projects like the APK Hosts File Engine I note here that I give away. It's a fairly simple app (30-40k lines), the hardest part, is the data trimming of bulk crap from hosts filter & false positives lists.

    Data's from the security community & thank-goodness they provide it AND for other things, not just host-domain names, but also spam/phish lists, known bad IP addresses, etc. - et al!

    OpenDNS is great for single home users. It fails on AD networks (ActiveDirectory) & especially with Exchange Servers - thus, I don't recommend the free model in industrial AD networks environs (I've been thru that one in testing on a workstation to find that out) but, it's great for home users.

    The app you describe sounds like a combo of tools!

    Since you have a roadmap have you considered doing it yourself?

    Coding's putting your nose to a problem, one you FULLY understand from the start to the finish (which sounds like you do) & grinding it out in actual code. Takes time (but if it was impossible nobody could do it).

    APK

    P.S.=> FYI - hostname to IP & IP to hostname can be done w/ "ping" code (reverse DNS type) my program does for "favorite sites" you want to resolve locally via its "Speedup Fav Sites" tab... it's faster vs. calling out to remote DNS servers (this is faster & part of how my program speeds you up in fact, along w/adblocking)... apk

    1. Re:Questions, Possibles, & Suggestions... apk by Karmashock · · Score: 1

      Sounds like you've earned your rest.

      It's nice to find someone else here that agrees that the solution to all this sneaky security shit is to brute force block it.

      It's always some new buffer overflow this or memory exploit that. Who can be bothered to keep up with it all. It wasn't a problem in the pre internet age and it is a problem now. So the problem is the access and the need to limit it to what it needs to be rather than anything any person anywhere could possibly want ever. Which is generally how people run their networks.

      As to email servers and filtered DNS. You don't need to only have one DNS server. :D

      Tell the work stations to use DNS server 1 which is locked down. Tell Server group A to use DNS server 2. etc.

      I am playing around with some open source firewalls. It's currently making me want to hurt small animals because the damned thing accepts the command, shows the command was accepted, and then ignores it. :-D

      That is the face of insanity.

      As an aside, with the nonsense with ICANN, I feel an increasing need to internalize DNS within the organization. DNS is just an internet phonebook really. Nothing says I have to list or not list what ICANN wants in the list.

      I'm watching the EU slowly move to suggest certain sites be stripped of their domains. It's mostly criminal sites but any authoritarian measure starts with "lets do it for the children" type arguments.

      Something that should be kickstartered or something... I'd do it if I had the balls. Would be to push the cheap appliance DNS servers that are so simple any idiot could plug them in. As a political statement on top of anything else. Just make it clear to the politicians etc that actually the internet is an entirely arbitrary framework there are no choke points for them to exploit to enforce their various whims.

      Sorry... I'm a crazy American... I burn with a certain zeal for such things. I can't help it.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  35. I'm "semi-retired" man, & into real estate... a by Anonymous Coward · · Score: 0

    See subject: I only work on contract @ roughly a $45/hr. rate typically for a couple Fortune 100/500's that retain my services periodically (occasionally for custom app work, &/or network migrations)... other than that? Quoting David Bowie as Nikola Tesla from the film "The Prestige": "... and, here I am, enjoying my retirement..." & liking it - it's what we're all out to do in the end, I just started MINE a wee bit earlier than most do (@45 yrs. of age & so far, so good).

    I've never programmed that platform, but what I have learned about coding is, they're all "pretty much the same" (Object.Property method) with frameworks & interfaces usually pretty functional to do so beforehand. It's STILL WORK though - easy to "talk a good game" until you hit 'snags'... & you usually always do in some way, shape, or form (makes it fun, but makes it a PAIN too).

    I've gotta ask - since YOU have the 'roadmap' down of what it is you want done, have you considered doing it yourself?

    Seriously!

    If coding were some "impossible task", then NOBODY could do it @ all!

    APK

    P.S.=> I wrote it in Delphi (Object Pascal) & the toolkit allows FAIRLY easy ports to iOS, Android, Win32/64, OSX, + even Linux (via FreePascal & Lazarus IDE, I wish Borland never dropped Kylix though - it was a quick route to Linux apps via Delphi that way, or rather, quicker than the other I noted) - but, afaik? NOT Raspberry Pi - however, it's usually only a matter of drive letters vs. mounted devices I'd have to do exceptions for, WinSock2 to *NIX sockets (this I have resolved & abstracted away already), & API specifics since I used it in Windows that I'd have to do analogs on other platforms' APIs instead to port it correctly/fully... apk

  36. Layered security/Defense in depth works by Anonymous Coward · · Score: 0

    See subject: It's the best thing we've got going. I'm with you that when you CUT OFF SOURCES OF INFECTION/INFESTATION, you can't get 'sick' since you isolate yourself from contact with them - the logic's sound & actually works.

    This means doing what you speak of, right down to the network nodes/workstations & printers levels, leaving no stone unturned.

    I'm all for DNS when you have MANY systems & especially in AD networks using Exchange Servers as that works and is NECESSARY for it to do so since ActiveDirectory has HEAVY dependencies on DNS which as I noted before that when I tried OpenDNS free model with a workstation in such an environs while working for a large company with a large network, Outlook stopped working using it...

    (I'm also all for covering EVERYTHING possible, security-hardening it, & especially in combination with hosts down to the aforementioned servers & workstations levels based on my subject line above).

    Your frustrations with firewalls? Yea, I've been there with others' apps. Sometimes it's bugs you know. That's when I'd write the authors if possible (to have them either set me straight or fix the issue)... it's worse with others' code, & why I never went "Open SORES" - I'd rather write up my own so I have total understanding & control of it.

    Projects of any kind are yes, balls, but also TIME & EFFORT (and it's worse when you "upset the powers that be" threatening their "money tree" - they'll do incredibly LOW things to try stop that from happening).

    APK

    P.S.=> Lastly - On "retirement"? It's only 'semi' like I said - Computers are now a SECONDARY form of income for me since 2009... & thus, so I gave up "building other folks dreams" (did decades of that working 1982-2009 here, & it was QUITE enough), instead concentrating on my own. I figure it's what we all do in the end anyhow or we should - I've "earned it" as much as anybody does I suppose... apk

    1. Re:Layered security/Defense in depth works by Karmashock · · Score: 1

      On the issue of DNS, so long as the exchange server doesn't use Open DNS but the rest of the network does, I think in your scenario things would have been fine, no?

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  37. Sorry for late reply & no... apk by Anonymous Coward · · Score: 0

    I set up the FREE model of OpenDNS onto a workstation (vs. AD network one) in Internet Connection TCP/IP properties (section for DNS the local workstation used) & outlook wouldn't work... this was in, oh, 2008 iirc!

    APK

    P.S.=> Try it yourself on an Active Directory (AD) network & see what I mean (NOT outlook.com, but full-blown locally installed OUTLOOK from MS-Office)... apk

    1. Re:Sorry for late reply & no... apk by Karmashock · · Score: 1

      I'm sure you'll get issues. I'm just saying it is possible to mitigate them if you understand what is causing the problem.

      I don't have a problem with an email server having a fairly permissive internet connection. I'm more inclined to restrict the connections of workstations.

      That said... obviously the email server needs a heuristic firewall. And I've seen many email servers that are only permitted to connect to specific machines. As in... you cannot send addresses on that server unless you're on a whitelist or in a VPNed intranet. It does make sending emails to that server harder but then the only people sending or receiving emails in that system don't especially care since security is more important... and the first thing they do whenever they use their laptops to do work is login to the VPN. So they wouldn't care anyway.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  38. Cause = AD dependency on DNS by Anonymous Coward · · Score: 0

    See subject: Shifts to OpenDNS free on a workstation messes it up. It's not made for a local LAN/WAN Active Directory network in that capacity - why?

    Directory services like AD are heavily DNS dependent.

    APK

    P.S.=> In other words, when you use Exchange it depends on Active Directory (AD) to function properly throughout client endpoints on your LAN/WAN... apk

    1. Re:Cause = AD dependency on DNS by Karmashock · · Score: 1

      Yeah but you're supposed to use nested DNS.

      host file > AD > Router linked DNS which can be open DNS.

      So you point the workstation at the server as you would normally. Then you point the server at the router or whatever your DNS server is which can have OpenDNS set as its DNS and... no worries.

      There are issues and more than what I've cited here but you can deal with it if you're determined.

      I like your host file system. I'll fuck around with some scripts to see if I can burn the feature into a server.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  39. Only problem was I didn't control it by Anonymous Coward · · Score: 0

    See subject: I was a programmer/analyst @ the time, not network admin, for that company (wasn't my role)...

    * I'd like to give that a go actually, as to your suggestion, since it makes sense!

    (I.E.-> Making the forward facing perimeter hardware router use OpenDNS & then interior AD network DNS server do what it has to for Active Directory/AD to function right with Exchange Servers + Outlook, AFTER the forward facing perimeter router is its updater upstream).

    APK

    P.S.=> Thanks & glad you like it:

    "I like your host file system." - by Karmashock (2415832) on Wednesday September 09, 2015 @03:57PM (#50489401)

    I like it too (lol) - it's why I created a program to make it easier to do than doing it manually... apk