Slashdot Mirror


Cisco Can Now Sniff Out Malware Inside Encrypted Traffic (theregister.co.uk)

Simon Sharwood, writing for The Register: Cisco has switched on latent features in its recent routers and switches, plus a cloud service, that together make it possible to detect the fingerprints of malware in encrypted traffic. Switchzilla has not made a dent in transport layer security (TLS) to make this possible. Instead, as we reported in July 2016, Cisco researchers found that malware leaves recognisable traces even in encrypted traffic. The company announced its intention to productise that research last year and this week exited trials to make the service -- now known as Encrypted Traffic Analytics (ETA) -- available to purchasers of its 4000 Series Integrated Service Routers, the 1000-series Aggregation Services Router and the 1000V Cloud Services Router. Those devices can't do the job alone: users need to sign up for Cisco's StealthWatch service and let traffic from their kit flow to a cloud-based analytics service that inspects traffic and uses self-improving machine learning algorithms to spot dodgy traffic.

97 comments

  1. And obviously ... by nospam007 · · Score: 4, Interesting

    ...malware is torrents.

    1. Re:And obviously ... by technosaurus · · Score: 1

      Sounds like it's just a proxy server that takes your request, gets the data and then sends it back to you after it checks it ... these have been around for years. Non-news, and if it is patented, it should never have passed the obvious or prior art tests.

    2. Re: And obviously ... by Anonymous Coward · · Score: 0

      It's Cisco, who is nearly as bad as Oracle for creating islands of lawsuit opportunities. I would not put it past Cisco that they simply measure packet sizes on port 80 and 443, and when a known size comes across the wire, it checks the source and destination against DNS/IP blacklists.

      Simply blocking DNS requests for known sources only works for ccTLD based malware. But most malware payloads often use the same malware kits, repeatedly, hence most root kits are obvious.

      A Bitcoin miner is easily identified as well.

  2. Not analyzing payload by sinij · · Score: 5, Informative

    They are not analyzing payload/application data, this is not possible with end-to-end. They are not analyzing metadata, as most malware C&C now pretends to be web traffic. So how? Packet sizes and frequency? This would be trivial for malware creators to circumvent.

    1. Re:Not analyzing payload by 110010001000 · · Score: 4, Insightful

      "users need to sign up for Cisco's StealthWatch service and let traffic from their kit "

      "Sign up for" means "pay monthly for". It sounds like they are analyzing forwarded flow data and looking for flows to/from a particular port/IPs. It would catch malware that uses C&C to known rogue IPs, etc.

    2. Re:Not analyzing payload by ShanghaiBill · · Score: 4, Informative

      | So how?

      According to TFA they look for "dodgy destinations" and self-signed certificates.

      So no, they aren't looking at the actual contents of the encrypted traffic at all, and they aren't "sniffing" anything.

    3. Re:Not analyzing payload by Anonymous Coward · · Score: 1

      | devices can't do the job alone: users need to sign up [...] and let traffic [..] flow to a cloud-based analytics service

      Then use TLA-provided stolen/coerced root certs to peer into the data stream, in exchange for "data sharing" with the TLA.

      Oh, and they will "flag malware for you", sometimes. Maybe.

    4. Re:Not analyzing payload by ugen · · Score: 4, Insightful

      The amount of bycatch will be nontrivial. This will inevitably result either in a lot of valid traffic being blocked, or no meaningful blocking of malware.

      Except this time they slapped AI label on the service, so it's very modern and cool and costs more money.

      We've seen this before.

    5. Re:Not analyzing payload by mysidia · · Score: 1

      | They are not analyzing metadata, as most malware C&C now pretends to be web traffic.

      They could look at the IP addresses of the connections (Check against blacklist of malicious IPs); SSL Metadata, e.g. the SNI hostname from TLS, then look at reputation data regarding the hostname; certificate and public key information, common crypto parameters (Maybe some malware configures a HTTPS client uniquely). They can detect whether the SSL connection "Looks like" a normal web connection, or whether it looks like a VPN or continuous stream of data such as C and C.

    6. Re:Not analyzing payload by GameboyRMH · · Score: 4, Interesting

      Packet sizes and frequency, along with metadata. I saw a similar analysis of encrypted video streams being used to detect drone video:

      https://www.wired.com/story/a-...

      Looks like the next big thing in cryptography will be data padding...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    7. Re:Not analyzing payload by Anonymous Coward · · Score: 1

      | So how?
      |
      | According to TFA they look for "dodgy destinations" and self-signed certificates.
      |
      | So no, they aren't looking at the actual contents of the encrypted traffic at all, and they aren't "sniffing" anything.

      Then the article is wrong. I was at Cisco Live in Vegas in 2016 and attended a workshop in their developers zone where one of the engineers/researchers behind this technology made a presentation. They are looking at the encrypted data itself without decrypting it and just find patterns. I probably still have the presentation somewhere.

    8. Re:Not analyzing payload by Anonymous Coward · · Score: 0

      Sounds like they are using horrific encryption then. Encryption payloads should be indistinguishable from random data.

    9. Re:Not analyzing payload by Anonymous Coward · · Score: 0

      | So how?

      The same way cops pick out drug users and Johns looking for hookers...behaviour analysis.

    10. Re:Not analyzing payload by sinij · · Score: 2

      | So how?
      |
      | According to TFA they look for "dodgy destinations" and self-signed certificates.
      |
      | So no, they aren't looking at the actual contents of the encrypted traffic at all, and they aren't "sniffing" anything.
      |
      | Then the article is wrong. I was at Cisco Live in Vegas in 2016 and attended a workshop in their developers zone where one of the engineers/researchers behind this technology made a presentation. They are looking at the encrypted data itself without decrypting it and just find patterns. I probably still have the presentation somewhere.

      If there are patterns in the encrypted data, then encryption is leaking information. I highly doubt they found a vulnerability in AES and decided to commercialize it.

      They can look at the destination, they can look at handshakes, they can look at timing, they can look at frequency of communication. Am I forgetting something else?

    11. Re:Not analyzing payload by Stonent1 · · Score: 1

      That was what I was thinking. Patterns in transmission, not really anything in the traffic itself. Sends a dozen packets out, receives 18 back, then every 30 seconds sends 2 packets, receives 2 packets (some kind of heartbeat), and occasionally several minutes of non-stop streaming from the infected PC.

    12. Re: Not analyzing payload by Anonymous Coward · · Score: 0

      Sounds like Skype traffic :)

    13. Re:Not analyzing payload by Anonymous Coward · · Score: 0

      Like other similar snake oil scams, the whole protection is mostly useless. Any sane malware vendor will host their service in a public cloud, which will definitely not be blacklisted by the scanner service. But this will sell like free beer, as the CIOs are completely clueless and only know that their ass is saved if they just spend enough money on any security service.

    14. Re:Not analyzing payload by ShanghaiBill · · Score: 2

      | Then the article is wrong. I was at Cisco Live in Vegas in 2016 and attended a workshop in their developers zone where one of the engineers/researchers behind this technology made a presentation.

      Or the presenter was wrong.

      Or you misunderstood what was said.

      | They are looking at the encrypted data itself without decrypting it and just find patterns. I probably still have the presentation somewhere.

      That is implausible. Extraordinary claims require extraordinary evidence, and so far there is none.

    15. Re:Not analyzing payload by dstrupl · · Score: 2

      The reports are created by the Cognitive Analytics Engine - see https://cognitive.cisco.com/. The reports do not necessarily lead to an immediate blocking - it's up to your policy and security response team to define what happens with the findings. As to the amount of "bycatch": we carefully look for precision and recall of the individual detectors, so the amount of "bycatch" is not as high as you expect. I said "we" because I work in the "Cognitive" team.

    16. Re:Not analyzing payload by Anonymous Coward · · Score: 0

      If they can get blockchain in there too then I think they can make this work.

    17. Re: Not analyzing payload by Anonymous Coward · · Score: 0

      Could you stop and think for one second before being so dismissive?

    18. Re: Not analyzing payload by new500 · · Score: 1

      Sounds like homegrown crypto, to avert signature detection.

      When AES instructions first appeared, I thought it seemed a wasted opportunity not to create some means of ring protection. Sure, malware can encrypt normally, but legitimate use should be access controlled, enabling audit and identification of unauthorized crypto generally by ser/des sampling for random data patterns. I want a log from a standard interface across CPU and offload NICs and coprocessors. I want to view every crypto endpoint, and know how keys were generated, and how they were actually exchanged and stored.

      Post Spectre, I want audit as much. No more than I want patches.

      My Netgear router could actually inspect crypto traffic against a global signature capture network, by Sophos, in 2010, at home. How is this better?

    19. Re:Not analyzing payload by Anonymous Coward · · Score: 0

      No one needs to self sign anymore.

      LetsEncrypt will allow malware sites to have a legit ssl cert.

      My guess is the service tracks the destination of the encrypted data, then looks for connections to known C&C servers among the tracked connections.

      That's why it's cloud based, they need to aggregate all those connections to look for known C&C servers.

    20. Re:Not analyzing payload by zlives · · Score: 1

      so would using free service like opendns...

    21. Re:Not analyzing payload by zlives · · Score: 1

      the C level believe in magic, and cisco sells them magic... so they buy it.
      if you try to explain to them technical things... then the product is no good.
      i have been in so many meetings where the term "magic sauce" is used to explain things from the vendor. and no one cares what that is...

    22. Re:Not analyzing payload by Anonymous Coward · · Score: 0

      We got a presentation on this last year at the Cisco campus. Basically if you see malicious traffic in the clear and encrypted, you start to discern a pattern statistically, good enough to alert on. Layer that on top of their threat intel (OpenDNS) and presto! Next Next NEXT Gen protection.

    23. Re:Not analyzing payload by phorm · · Score: 2

      Not to mention that most decent security products already do "dodgy destinations". One of the common methods is to intercept the DNS calls and re-inject them with an internal IP address, thus blocking attempts to hit the remote baddie but also allowing further capture of data.
      Hell, I can do (and have done) this with a Raspberry Pi for a select number of machines.

    24. Re:Not analyzing payload by Anonymous Coward · · Score: 0

      | the amount of "bycatch" is not as high as you expect

      It will be when people start intentionally chaffing it.

    25. Re: Not analyzing payload by Brockmire · · Score: 1

      I'm calling bullshit that Netgear released a product and worked out the major bugs before dropping the product, probably just outside the warranty window.

    26. Re: Not analyzing payload by Anonymous Coward · · Score: 0

      Not sure how Cisco is doing it, but Vectra Networks had something similar (it could/can detect malware in encrypted streams) in their appliance over 2 years ago. Vectra's did it all with data science and machine learning. I assume Cisco catching up to another company is newsworthy for some reason...

    27. Re:Not analyzing payload by arglebargle_xiv · · Score: 1

      They're not necessarily looking at metadata, you can discern quite a lot about encrypted traffic without ever seeing the plaintext. In the last few years researchers have recovered things like pages visited, income details (from online tax filing), language spoken (VoIP), speech patterns, videos watched, and other data, all without having to break the crypto. It looks like Cisco have just applied that research. It's a nice piece of applied research, but no magic is involved.

  3. Seems near by symes · · Score: 3, Interesting

    But what happens when they detect something?

    1. Re:Seems near by Chrisq · · Score: 1

      | But what happens when they detect something?

      This is what I was going to ask. Do they block traffic (risking false positives) or merely alert you to the fact that some thing(s) on your LAN are acting suspiciously?

    2. Re:Seems near by will_die · · Score: 1

      It alerts you or you have the option of having it blocked or quarantined. All of that is in the customization of the software.
      More technical info: it feeds the information into pxGrid using Cisco Identity Services Engine (ISE) with Cisco TrustSec and Software-Defined Access (SDAccess). From the marketing info.

  4. Great for now by TimothyHollins · · Score: 4, Interesting

    That's wonderful news. I wonder how long it will be until Cisco caves to NSA pressure and starts looking for other "mal"traffic as well. And then how long until Russia learns how to do it as well.

    1. Re:Great for now by Anonymous Coward · · Score: 0

      I would be very interested in signing up for your newsletter and receiving a copy of your manifesto. Thanks.

    2. Re: Great for now by Anonymous Coward · · Score: 1

      How long? You're kidding right?

      This is -already- happening, beyond the shadow of a doubt.

    3. Re:Great for now by TimothyHollins · · Score: 1

      Why certainly. My newsletter is here http://viz.co.uk/2015/04/11/se...
      I'm still working on my manifesto, there are a lot of pictures to colorize.

    4. Re: Great for now by Anonymous Coward · · Score: 0

      I think you are vastly under-estimating the Agency Who Must Not Be Named and their level of involvement in that DARPA project from way back when.

      We have always been under surveillance.

    5. Re:Great for now by strikethree · · Score: 1

      | I wonder how long it will be until Cisco caves to NSA pressure

      I assume you are young. The NSA already examines all traffic. This "offering" from Cisco has no potential to be of use to the NSA.

      It will also not be of interest to Russia, China, or any other state actor.

      At best, this might be of interest to medium sized or smaller businesses looking to "spy" on their competition. Any major corporation has better methods for spying available than revealing their intentions to Cisco. Medium sized businesses cannot bully Cisco into doing something unethical and illegal.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  5. kind of like... by supernova87a · · Score: 4, Insightful

    I suppose this is like the banks (hubs of the financial world) being made to detect money laundering by the pattern and size / frequency of money transfers. They don't know about the source or nature of the transaction underlying the money, just that when it obeys certain flows, they're supposed to flag it.

  6. productise by Anonymous Coward · · Score: 0

    productise productise productise !

    1. Re:productise by Anonymous Coward · · Score: 0

      productise...
      Yup, goes right into the Bullshit Bingo Dictionary.
      And this from theRegister of all places!

  7. Other surveillance? by mi · · Score: 3, Insightful

    | Cisco researchers found that malware leaves recognisable traces even in encrypted traffic.

    "Malware" can't be the only thing... Can the same algorithms not be used to detect bomb-making instructions, racism, and counter-revolutionary activities?

    --
    In Soviet Washington the swamp drains you.
    1. Re:Other surveillance? by Anonymous Coward · · Score: 0

      If you had read TFA you would have your answer. All this does is traffic analysis on NetFlow metadata; it doesn't have anything to do with payload. Idiots just keep Slashdot going on its downward spiral.

  8. No they can't by ByteSlicer · · Score: 5, Informative

    They can recognize traffic patterns in TLS streams, created by malware on IP connected devices.
    They can't detect the malware itself in the stream.

    1. Re:No they can't by Anonymous Coward · · Score: 0

      I think that would imply the break of AES (or any other TLS encryption method used) if you can detect the difference between random noise and malware in flight in the encrypted TLS stream using session keys and a fair key exchange. I think you should rephrase it to 'TLS traffic patterns' to make it more correct.

    2. Re:No they can't by amorsen · · Score: 2

      It is trivial to distinguish between random noise and malware in TLS. Just look at packet sizes and timing.

      Even worse, if the adversary has access to the same static web pages, it can't be much trouble to detect which pages the victim is trying to access.

      It is ridiculous that neither IPSEC nor TLS do anything to mitigate that type of attack. The least they could do would be to put everything into predictable full-MTU packets as far as possible. The only tunnelling protocol that attempts anything like that is SEAL, as far as I know. And no one implements SEAL (possibly because the author seems a bit abrasive).

      --
      Finally! A year of moderation! Ready for 2019?
    3. Re:No they can't by Anonymous Coward · · Score: 0

      are you sure? what if compression is used? what when streaming a legit big file (all packets MTU sized and lots of them quite fast)?

    4. Re: No they can't by Anonymous Coward · · Score: 0

      So just fuck latency.

    5. Re:No they can't by Anonymous Coward · · Score: 0

      As a network engineer, everything you just said is wrong. So very wrong, I am baffled as to why you would believe what you wrote or why someone would mod you up. You have wasted the time of everyone that has read your rambling nonsense. Thus I know you do not even have the background knowledge to understand a rebuttal when you think it's trivial to determine the contents of an encrypted channel via packet sizes and timing. Might as well believe divine revelation can defeat encryption.

    6. Re:No they can't by Anonymous Coward · · Score: 0

      That or the GP knows a shit ton more than you about the field, because there's a whole hell of a lot more information leaking than you're aware of. You're taking the very stupid and naive perspective that we need to decrypt the contents of a channel to gain an understanding of it.

      -Bill

    7. Re: No they can't by Anonymous Coward · · Score: 0

      It is possible to get quite a lot of information on an encrypted stream by timing and packet size analysis. There are many academic papers. One even managed to produce (low quality, but understandable) audio from a VoIP call. For the VoIP thing: they did target an app with very bad padding in their homegrown AES based encryption, but the app was widely used in some countries.

  9. Snake Oil?!? by OfficeLackey · · Score: 1

    This just sounds really fishy to me. What's the encryption, a Caesar cipher? The whole point of modern encryption is that the same input renders wildly different outputs. There is no pattern to speak of. I'm sorry, I'm just not buying it... (figuratively or literally)

    1. Re:Snake Oil?!? by Kurdy · · Score: 1

      I agree with you; if there are recognizable patterns, that means that current encryption methods are not strong enough....

      --
      The soul becomes dyed with the color of its thoughts. - Marcus Aurelius
    2. Re:Snake Oil?!? by GregMmm · · Score: 1

      I've seen the demo of this software and it looks very impressive. No, this is not Snake Oil. The "patterns" of traffic, once mapped a number of times, even encrypted, apparently can be detected to be a certain kind of traffic. One would need to know what the pattern would look like, or certain behaviors, to make a mapping of a new pattern. So it's not really so much that they "know" what's in the payload, but by seeing the same encrypted pattern of traffic they can "know" the payload. Kind of like a part of chaos theory. A certain order in the chaos.

    3. Re:Snake Oil?!? by will_die · · Score: 1

      It does not break the encryption. It is a combination of a NetFlow analyser and looking at unencrypted info such as the certificate and the first couple of frames.
      With the certificates it is looking for self-signed or known bad fields. With the NetFlow you can look for patterns, for example an internal client connects to an external server every hour and exchanges just a few bytes.
      This software goes a little further by linking those all together from all the sites running this.

    4. Re: Snake Oil?!? by Anonymous Coward · · Score: 0

      As soon as this method becomes widespread, the best malware will send bogus traffic in order to mimic legit traffic.

      What the TLAs could do is to globally spot Command and Control servers and then tip off police to shut them down. Why is this not happening?

  10. Smells like BS by Anonymous Coward · · Score: 1

    You can sniff packets without decrypting them and tell the difference between "regular" data and "malicious" data? Smells like BS to me.

  11. smells like shit by jm007 · · Score: 2

    and this time it's not just my hygiene

    "switched on latent features in its recent routers and switches"

    and

    "users need to sign up for Cisco's StealthWatch service and let traffic from their kit flow to a cloud-based analytics service that inspects traffic and uses self-improving machine learning algorithms to spot dodgy traffic"

    it's what is NOT being revealed that truly is scary

  12. Encrypted Traffic Analytics Whitepaper by czmax · · Score: 1

    https://www.cisco.com/c/dam/en...

    "Encrypted Traffic Analytics extracts four main data elements: the sequence of packet lengths and times, the byte distribution, TLS-specific features and the initial data packet."

  13. Unencrypted metadata analysis? by Anonymous Coward · · Score: 0

    You know ... the stuff that can't be encrypted, as the routing systems have to be able to read it to do their job.

    Like IP headers, timing, patterns in those, etc. (Like, if you identified a malware server or subnet, it doesn't matter if the traffic to/from it is encrypted. It's gonna be malware traffic.)

  14. Evil bit by Errol+backfiring · · Score: 4, Funny

    Well, probably the logical thing to do: they set the evil bit.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  15. okay... yeah... and? by spikedvodka · · Score: 1

    This seems somewhat "old news": certain applications still have fingerprints on packets that can be detected even if you can't read the data being exchanged.

    Our Sophos XG firewall does this with many different torrent applications, and it ends up blocking non-VPNed, but still encrypted connections.

    I'm a little sketchy about the "upload your traffic to us" part, but I guess that allows for more analysis across more hosts

    SV

    --
    I will not give in to the terrorists. I will not become fearful.
  16. I smell a marketeer... by Anonymous Coward · · Score: 0

    They can MAYBE recognize characteristics of a type of traffic (smtps look different than a torrent), but they can NOT decrypt TLS traffic, no matter how much they want to sell that...

  17. at what edge to inspect? fiber on the ocean floors by Anonymous Coward · · Score: 0

    as far as traffic analysis location, maybe those submarines and those big fiber cables on the ocean floor is a place to start.

    i figured it was about time for their version of fail2ban en masse at the megapops in the emerald city (not seattle) -- just follow the yellow brick road.

  18. But unlike APK's BS this works for every device by Anonymous Coward · · Score: 0

    But unlike Alexander Peter Kowalski's retarded BS this works for all devices behind it.
    Also it looks at certs which is another level of detection.
    I would also be willing to bet that they are looking at destination address not host name which can be wildcarded so that the over 6x10^98 host names for a domain that can all point to the same IP would be blocked instead of being let through like your work does.
    So not entirely like your bloated, overly complex, poorly designed work.
    They probably don't have to create a new version of their software either when new TLDs are added.
    Granted they will mostly be playing catch up like your work does but their distrust of self signed certs at least makes them somewhat proactive so unlike you they may actually stop something before it is known.

  19. Wrong title by gweihir · · Score: 1

    What they actually can do is recognize TLS tunnels created and used by malware. They cannot detect anything in the encrypted stream of data. The way this works is carefully observing how exactly the TLS tunnel was established. This apparently differs enough between different implementations that typical code used by malware for this purpose becomes identifiable.

    Of course, as soon as the malware-makers just use more standard code, their tunnels become unrecognizable as well.

    Caveat: I read the abstract, but not the paper.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  20. Bad encryption by Anonymous Coward · · Score: 0

    Obvious failure of encryption if it leaks critical information.

  21. Calling BS on this one by cmaurand · · Score: 1

    Pure BS. A sales gimmick. Look at us. buy the latest and greatest overpriced hardware.

  22. Apparently by Anonymous Coward · · Score: 0

    It seems you cannot encrypt the evil bit.

    https://www.ietf.org/rfc/rfc3514.txt

  23. Three letters by Anonymous Coward · · Score: 0

    You know which ones. Say them out loud.

  24. That's so 2013 by Dharkfiber · · Score: 1

    Fortinet and Palo Alto Networks have been doing this for years. Both can also decrypt SSL in real time (one better than the other, but who is counting, right?) So this is a bit of a silly post. Looks like marketing to me.

  25. Correct & it's why I wrote this... apk by Anonymous Coward · · Score: 0

    See subject & APK Hosts File Engine 10++ SR-1 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script/malware rob speed/security/privacy/bandwidth.

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivir + less security bugs/complexity & faster vs. av/addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirect (99++% of ISP DNS != patched vs. it) + DNS tracking & lighten DNS load & resolve faster via local RAM!

    * Via what u NATIVELY have in a FASTER kernelmode IP stack (does more w/ less).

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/ (self check vs. infection built-in)

  26. Not bad but hosts block it before it hits by Anonymous Coward · · Score: 0

    See subject & APK Hosts File Engine 10++ SR-1 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script/botnets/malware rob speed/security/privacy/bandwidth.

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivir + less security bugs/complexity & faster vs. av/addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirect (99++% of ISP DNS != patched vs. it) + DNS tracking & lighten DNS load & resolve faster via local RAM!

    * Via what u NATIVELY have in a FASTER kernelmode IP stack (does more w/ less).

    APK

    P.S. - 99++% of malware/botnet C&C use hostnames... apk

  27. Dangerous stupidity to impress shareholders by Anonymous Coward · · Score: 0

    typical corporate manager idiocy: gotta occasionally announce fantastic new stuff to keep shareholders happy.

    Unfortunately, unlike suddenly pretending you have something to do with blockchains (to trick idiot investors into thinking you are a cheap way to get in on the "Bitcoin revolution") this is a stupid play with potential repercussions for the innocent.

    This "digital fingerprinting" stuff has got to end, and that end can begin by admitting what it REALLY is: sloppy guesses made by glancing at a subset of the data. This is the sort of garbage that results in DMCA takedown notices being mass-issued because some automated system "thought" a bunch of home videos and such were actually ripped-off Hollywood junk, or that sorts photos and decides that black people are really monkeys (real examples of these screw-ups).

    It SHOULD be obvious to any computer person that not looking at ALL the data means you are going to miss some of the data and thus miss the differences or make faulty conclusions about the content.

  28. False positives by Tony+Isaac · · Score: 1

    I predict that this concept will ring alarm bells for a lot of normal traffic.

    My company uses Trend Antivirus. In their wisdom, they turned on the "heuristic" behavior detection mode. Now, every time our software team writes software that renames a file, it has to be excluded from Trend's scanners. Apparently, ransomware does a lot of file renaming, therefore, any software that renames a lot of files is suspect.

    So far, anti-malware isn't very good at detecting "suspicious" patterns, in my experience.

  29. It works (for tons of threats + speed) by Anonymous Coward · · Score: 0

    See subject: Wildcards create FALSE POSITIVES for innocents in a domain OR IP range. I target specifics avoiding that!

    New gTLD's get added (tld's removed too) so I update (also vs. false positives too).

    Your non-existent vaporware doesn't do ANYTHING (& you did better than MY program? Prove it)!

    You say I copied my ware in other posts. I didn't. I based it off the GREAT Dr. Bruce Krell's C design PORTING that idea, not his code, to PASCAL (it's ALL api, even his), stupid!

    BLOAT & OVERLY COMPLEX? It's minimal as possible for Win32/64 via straight lean API WinMain hWnd create, msgpass receive/dispatch, scheduler, threads, timer registrations + CreateWindowEx control creation 'on-the-fly'!

    APK

    P.S.=> Bottom line: You're TOO STUPID TO LIVE & proven on your FAULTY hypothesis (not even theory, no proof) https://yro.slashdot.org/comments.pl?sid=11532533&cid=55833641/ ... apk

  30. Respected security pros & /.peers disagree by Anonymous Coward · · Score: 0

    Respected security pros disagree w/ your bs totalling you & your stupidity https://it.slashdot.org/comments.pl?sid=11605299&cid=55916039/ you UNIDENTIFIABLE do-nothing hotair windbag blowhard "ne'er-do-well" snowflake!

    Our /. peers also disagree w/ you too https://linux.slashdot.org/comments.pl?sid=11578773&cid=55884901/

    * BOTTOM-LINE: Thanks for making ME look GOOD @ your expense you UNIDENTIFIABLE "ne'er-do-well" DO NOTHING troll!

    APK

    P.S.=> Lastly - FACT: You WISH you were me - the "Lord of Hosts" (so-to-speak) vs. a "jealous jowie" (lol) you are instead - & it's YOUR fault you lazy entitled SNOWFLAKE troll, not mine... apk

  31. I never say "hosts cure all" & EAT YOUR WORDS by Anonymous Coward · · Score: 0

    See subject: Nothing "cures all" & links in my post led to respected security pros saying hosts = good security https://developers.slashdot.org/comments.pl?sid=11549257&cid=55839269/ & I wouldn't WANT to be your peer - you're an UNIDENTIFIABLE anonymous "ne'er-do-well" mere TROLL do-nothing hotair spewing windbag bs artist + as I said - you're TOO STUPID to live & LEARN TO READ & click on a link w/ SOLID EVIDENCE that trashes you.

    FACT: I'm YOUR SUPERIOR!
    * I merely state fact that hosts do MORE for FAR LESS natively for FREE vs. other "so-called 'solutions'"...

    APK

    P.S.=> ... By using what you already have that's proven since 1973 iirc vs. ILLOGICALLY "Bolting on 'MoAr'" riddled w/ security issues (Antivirus/DNS/routers) + slowdowns & complexity for exploitation or crippled to not work by default that use more & do less (addons) vs. hosts in faster kernelmode... apk

  32. I state facts you UNIDENTIFIABLE ac troll by Anonymous Coward · · Score: 0

    See subject: Respected security pros agree w/ me https://developers.slashdot.org/comments.pl?sid=11549257&cid=55839269/ & so do /.ers https://linux.slashdot.org/comments.pl?sid=11578773&cid=55884901/ - NOT YOU, loser.

    &

    "YOUR KIND" (UNIDENTIFIABLE anonymous TROLL "ne'er-do-wells") merely READ & SPIT BACK things on /. on Program Whitelists https://tech.slashdot.org/comments.pl?sid=11579085&cid=55887967/ that are EASILY BEATEN via DLL injection or loading explorer.exe OR services w/ malicious extensions for hiding from whitelists, you by-rote DIMWIT stooge!

    APK

    P.S.=> I spent DECADES doing software development professionally as a programmer-analyst/software engineer & before + during that timeframe also as a network admin & DBA too (part of the job) - have you? Prove it.

    I do it the leanest/meanest way an UNIDENTIFIABLE anonymous do-nothing "ne'er-do-well" bs artist like you can't even UNDERSTAND https://it.slashdot.org/comments.pl?sid=11605299&cid=55920951/ - you've done BETTER? Prove it... apk

  33. I see proof you have NO BALLS... apk by Anonymous Coward · · Score: 0

    See subject: ... & you've done nothing BETTER than I have. You're a mindless "spit back what I read & understand + create zero" by-rote DOLT & a do nothing unidentifiable anonymous trolling "ne'er-do-well"!

    (I easily defeated all you spewed this exchange - hence your WEAK illogical ad hominem attacks, lol! They're "the best 'your kind' has...")

    * Security pros say hosts = good security per a link in my last post (& I've even OVERTURNED 9 antivirus companies FALSE POSITIVES on MY hosts program too having them rescind/retract it which CLEARLY PROVES I AM BETTER THAN THEY ARE @ THIS GAME w/out question) & our /. peers like + use my work praising it too - NOT YOUR NON-EXISTENT BULLSHIT.

    APK

    P.S.=> The HUGE DIFFERENCE between someone like myself & a "by-rote menial" (if that in you) in yourself?

    Minus guys like ME??

    "YOUR KIND" = helpless in the art & science of computing - we create the tools you merely USE, user... apk

  34. Progress by Anonymous Coward · · Score: 0

    Lol

  35. You missed one by Anonymous Coward · · Score: 0

  36. No, I didn't going to give you MY time by Anonymous Coward · · Score: 0

    See subject? It's truth. You're not worth it (but I will here now as you need to hear this) - You're clearly a whacko psycho who is VERY ILL mentally in your constantly stalking me, not even on topic & YOU want '3 letters' 4U?

    Pronounce them -> "FAQ" (albeit phonetically vs. alphabetically as if they were an acronym).

    * LMAO!

    (I'm sure even a loon like YOU will be able to manage that & "get it"... hope it makes you pissed even more (which, clearly, you MUST be stalking me constantly out of some obviously INSANE motivation on your part (seeing as you have to 'hide' by UNIDENTIFIABLE anonymous posts + stalk me/downmod bomb me via your doubtless MANY sockpuppet account names here on /. - yes, I know the LOW "mechanics" of "your kind" online, & you DO them & you KNOW it (how can you live w/ yourself having NO PRIDE or skills which is YOUR fault) as I've seen it 1,000's of times by the time you got out of diapers in this life))).

    I mean, LOOK @ YOU NOW? Childish "wanting attention" for what?? Being a "ne'er-do-well" BOGUS TROLL on your part as always?? Please - do yourself a FAVOR & grow up or get over your 'butthurt' (which you caused for yourself as I have obviously PUBLICLY ANNIHILATED YOU BEFORE & your sorry ass can't handle it like a man).

    APK

    P.S.=> "Onwards & UPWARDS" = me & not you (not ever, & you KNOW it plus constantly prove it vs. myself, lol)... apk