"... will try to generate and connect to 50,000 web URLs a day..."
It will query only 500 out of 50,000 generated domain names.
This part I still don't get. It means that either the authors plan to register a huge number of domains (very unlikely as in it makes it way too obvious who is behind this worm), or only about 1% of the infected hosts will succeed in connecting to the correct host to receive instructions. Still a large number of course, but how about the other 99% of infected hosts? Are they just going to sit idle? Or if using that p2p functionality to propagate instructions: how are they going to find each other?
For me... well yes and no. I'm really wondering what it is going to do in the first place.
Yes: because it could be a wake-up call to computer security. But then I have been thinking that since the i-love-you virus or what was it, the first one to propagate by e-mailing itself to everyone in the outlook address book. Many people know or at least should know about viruses and worms by now, but many/most still don't care.
No: because in case of a truly malicious attack the results could be quite horrible for the infected users, the Internet or even the world as a whole.
OK risking off-topic now... but it may be me or are the Chinese really taking over? The last few years when I read about US based research, particular fundamental research, almost always I see Chinese names on the list. Often only Chinese names, or the main researcher being Chinese.
Now I know there are indeed more and more Chinese, particularly mainlanders, going to the US to study and do their PhD. Here again it's a Chinese student that is in the news for some outstanding achievement.
Where are all the "native" Americans gone? (with native I mean born and raised in the country, not only the "native Americans" kind of natives). Why don't we see more American (as in English or otherwise European) names on this kind of research?
Any/.er on one of the ISPs involved in the filtering?
If so, a simple shell script could show whether sites are blocked. I suspect a DNS lookup for those domains will either not resolve or resolve to a common "domain parking" address or so provided by the ISP in question. Then way we can see soon enough which sites of the list are accessible from the filtered ISPs and which not. The inaccessible ones that are accessible from other ISPs are on the list for sure. There may be more URLs on the ACMA list of course that are missed this way but at least it filters out non-existent and third-party-added URLs.
So this has been a very very limited trial. I wonder what they were actually testing then: the technical part of filtering should be trivial, or the public reaction?
By the way what is there in it for the ISPs to sign up for the trial? Publicity?
Getting root (administrator) privileges in Windows appears trivial for most current malware, so getting to the BIOS is not that hard from there.
It makes me more wonder why doesn't a motherboard have a jumper that disables BIOS updates? That would be quite a strong safety measure. Anyone capable of knowing why to, and how to execute a BIOS update is certainly capable of opening/closing that jumper for the procedure.
I have the feeling that this grey-trapping is in combination with grey-listing. The honey pot e-mail server presumably uses greylisting by itself: it is as I understand meant to be the same server as that handles your regular mail.
So only mails that pass the greylisting will be trapped, so that are mails, presumably spam, that pass the greylisting and are sent from a real mailserver.
Those servers you want to trap and blacklist.
Now the problem arises indeed when junk is being sent through legitimate servers, in my case that is a very real problem as many Chinese webmail services are used by spammers, and by customers of mine as well. So I don't want to blacklist them.
The handful of mails that makes it through greylisting and spamassassin I can deal with manually. I used to get about 300 spam a day, greylisting takes care of the first 280, then spamassassin takes care of another 16 or so, and the last four well I can handle. I do have the strong feeling though that spamassassin is less accurate at detecting spam coming through real mail servers, probably because there are no/less obviously faked headers as well.
In Hong Kong, none as far as I know. I have a 6 Mbps ADSL, and no bandwidth caps that I am aware of. There is probably a "fair use policy" but I have never heard of anyone being capped.
The same line is used for their digital TV service; when using the Now TV I see my bandwidth drop to 3 Mbps.
Hong Kong has it. 30 Mbit (down, 10 Mbit up) for cheap (about USD 33 per month) and up to 1,000 Mbit for those with more money to waste (about USD 280 per month). This is for residential use, by the way. Available in residential buildings.
Admittedly not available everywhere (like for me: I only can get traditional ADSL but then I'm living in a village so no surprise there), still this is nothing new. Good for the UK that they are catching up with their former colony.
Many of the ideas you mention are out there already (and unless you are truly brilliant, I bet most if not all the ideas you had for the prototype come from existing technologies).
Most if not all of those technologies have been implemented already. As a result there are direct examples or even complete chunks of source code to copy into your own creation. Many of those implementations will be open source, making this relatively easy. The exploit it uses is a known one, with probably at least proof-of-concept implementations around, and maybe even further developed code for sale on the black market.
So you will need some highly skilled programmers, but almost surely a small group will do. Maybe even a small group of friends that have a programming daytime job (possibly in computer security) and do this as a hobby.
Or is programming such a worm really so much more work than I guess? Call me naive but the management of the worm and the botnet is I think the hard part, particularly as this has to happen "live in the open" while staying under the radar and without leaving traces.
Standards compliance may be an issue for the average user, the other two points are far less important. The average user will just throw some more hardware at the problem. Moore's law takes care of all that nicely.
Good to see innovation is back in town. I won't be using IE anytime soon, at least not until there is a Linux or OS-X release of the browser. But I'm sure the Firefox, Opera, Chrome, etc. developers are going to take a good hard look at those features, and we'll see the best innovations appear in other browsers really soon. And hopefully even more nifty functions inspired by this.
The last two, three years have seen more innovation in the browser than the ten years before that. FF 1 was nice and up to par - adding tabs but not that much more, FF 2 was a serious improvement, but only in FF 3 I start to see very serious changes and improvements - it starts to feel experimental at times - in an innovative way, something that I don't feel in FF 2. Is it because MS has picked up their pace in UI innovation? Is it because Google has launched Chrome with its super-javascript-engine? Or maybe because alternative Safari has gained mainstream recognition with its Windows version and the iPhone version? Or more likely all of the above?
Interesting times ahead, for sure. Very interesting times. And a lot of hard hard work for anyone involved in browser development to keep their brainchild on top. What a little competition can do! For once I will say: go, Microsoft, go, you're starting to do well in this. Just make sure you stick to the standards as otherwise you won't make it against the competition. The competition is too strong for that kind of tricks already.
Microsofts market share is shrinking, and that alone is worrying for them. It is shrinking fast even, and is reaching the point where they can not be called the de-facto standard anymore. That, and that alone, is what worries them.
The ball thing works even in FF2.0.0.20 on OSx 10.3.9. Not very smooth (JS is relative slow still in that browser) but still, it works. Gravity also mostly works, haven't tried it much as it is too sluggish. Sad it can't work in IE which is years younger than this browser, which is ages in the computer world.
If served in NZ but living in UK he's already pretty immune to NZ law of course (something the USA unfortunately tends to forget). Laws are limited to a geographical region, usually a country.
In this case the person may ignore the summons and if he never returns to NZ may indeed not have to pay the punishment (jail, fines, whatever). After conviction, the only option left for NZ courts is to ask the UK police to arrest and extradite the person. And whether that is possible probably depends on the crime committed, and whether NZ and UK have an extradition treaty (which I'd expect they have).
Funny, now that I think about it, MS treats the coding of it's OS similar to a terrorist operation, small groups of people working on compartmentalized tasks, never knowing who is doing exactly what or what the desired end-product actually is.
Funny, now I think of it, this is EXACTLY how the whole Linux development goes on. You have a bunch doing the kernel, doing X, doing Gnome, doing Gimp, doing OOo, etc. All doing little parts of what is going to be the operating system, without having a clue of what the end product even could be. They just make sure that their little piece works fine. And for the software to communicate with each other they use some standard protocols.
Microsoft has at least some top management that will define the final look and feel (at least I assume so, any reasonable OS company would do so). So the little parts do not need to know the total, they just need to know what THEY have to do.
For example the printer server (like CUPS). They have to make sure they can address all kinds of printers on all kinds of ports, and then produce some interface for other software to talk to the printer server. The printer server people don't need to know the total picture. They just have to make sure their printer server works, and that they can answer requests according to specifications.
It seems the problem of Windows development may be that they do NOT work like that. That they want to keep it as a whole, finding interfaces to talk to all different programs in different ways, instead of standardising and creating independent components. Like Linux where you can add the components you need, and depending on the components you have a business work station (include word processor, image viewer, e-mail software), a multimedia station (install Gimp, some video editor, video and music players), or a server (do not install any GUI, instead Postfix, Apache and the rest).
The reason all these little programs can talk to each other is that they use certain standards. All open standards, official or not, some may have developed their own standard. But they use standard file formats, standard interfaces (named pipe, sockets, network) that other software also uses, and thus they can be patched together and generally work fine with each other. And then the distro producers (Mandriva, Ubuntu, Debian) test and make sure all works as expected, and optionally add bits of glue or eye candy to the whole.
Microsoft could be well off by starting to work like that. Kernel and GUI separate. Split off IE and Media Player. Set some goals for the new version, plan for each part what functionality it has to provide and how it is going to provide this to the outside world (e.g. API), and when the parts are done, glue them together. It may just work.
Sounds like that having the Server service listen to localhost/loopback (assuming there is such a thing in Windows) only would close the infection vector... it should definitely not be listening to incoming connections from other computers without being explicitly instructed to do so. So we can shove this on Microsoft's poor design.
And after the recent discussion here on/. about User Access Control in XP/Vista/Win7 it again makes me wonder whether Windows as it is can be fixed at all. Its security seems broken beyond repair.
[...]some 9 million Windows machines [...]. The worm [...] exploits a bug in the Windows Server service...
Without elaborating what Windows Server service that might be... Are there really that many vulnerable, not firewalled Windows servers connected to the Internet? Or is this a Server function that has no business on a Desktop that is getting infected?
In the first case blame the administrators (for not knowing how to properly protect a Windows server), in the second case blame Microsoft (for running servers on a desktop that should not be there in the first place). I would expect the second case as that I recall we have seen before, a virus exploiting a bug in a server function that can not even be stopped on a desktop.
The US patent system with its patents on business models and software is botched, but that is not the whole world. The idea and original implementation of patents is pretty good.
There is at the moment at least relative little innovation in China. It is a very small amount of money that gets invested in research and design. The West invests much more, as % of turnover/profits.
Furthermore the Chinese industry is not in a very good shape. Most of them are plain workshops doing assembly, and thus easily replaced by other companies. They don't have much if anything that makes a factory stand out, they don't have many own products. Mostly the design is done overseas, and the assembly in China. And workshops are of course easily replaceable by another.
It will query only 500 out of 50,000 generated domain names.
This part I still don't get. It means that either the authors plan to register a huge number of domains (very unlikely as in it makes it way too obvious who is behind this worm), or only about 1% of the infected hosts will succeed in connecting to the correct host to receive instructions. Still a large number of course, but how about the other 99% of infected hosts? Are they just going to sit idle? Or if using that p2p functionality to propagate instructions: how are they going to find each other?
For me... well yes and no. I'm really wondering what it is going to do in the first place.
Yes: because it could be a wake-up call to computer security. But then I have been thinking that since the i-love-you virus or what was it, the first one to propagate by e-mailing itself to everyone in the outlook address book. Many people know or at least should know about viruses and worms by now, but many/most still don't care.
No: because in case of a truly malicious attack the results could be quite horrible for the infected users, the Internet or even the world as a whole.
I think what you really mean is free (as in beer) software.
Not all free-as-in-beer software is open source,
Not all open source software is free-as-in-beer.
Though of course the vast majority of OSS is also free as in both beer and speech.
OK risking off-topic now... but it may be me or are the Chinese really taking over? The last few years when I read about US based research, particular fundamental research, almost always I see Chinese names on the list. Often only Chinese names, or the main researcher being Chinese.
Now I know there are indeed more and more Chinese, particularly mainlanders, going to the US to study and do their PhD. Here again it's a Chinese student that is in the news for some outstanding achievement.
Where are all the "native" Americans gone? (with native I mean born and raised in the country, not only the "native Americans" kind of natives). Why don't we see more American (as in English or otherwise European) names on this kind of research?
Any /.er on one of the ISPs involved in the filtering?
If so, a simple shell script could show whether sites are blocked. I suspect a DNS lookup for those domains will either not resolve or resolve to a common "domain parking" address or so provided by the ISP in question. Then way we can see soon enough which sites of the list are accessible from the filtered ISPs and which not. The inaccessible ones that are accessible from other ISPs are on the list for sure. There may be more URLs on the ACMA list of course that are missed this way but at least it filters out non-existent and third-party-added URLs.
So this has been a very very limited trial. I wonder what they were actually testing then: the technical part of filtering should be trivial, or the public reaction?
By the way what is there in it for the ISPs to sign up for the trial? Publicity?
Getting root (administrator) privileges in Windows appears trivial for most current malware, so getting to the BIOS is not that hard from there.
It makes me more wonder why doesn't a motherboard have a jumper that disables BIOS updates? That would be quite a strong safety measure. Anyone capable of knowing why to, and how to execute a BIOS update is certainly capable of opening/closing that jumper for the procedure.
In Hong Kong, I can get 3G in all underground tunnels. There are more than that I have tried but as far as I know it's available in all tunnels.
Unfortunately the above ground rail lines have less good coverage, but that is the fault of the individual providers.
You mean you left the basement already and for good?
I have the feeling that this grey-trapping is in combination with grey-listing. The honey pot e-mail server presumably uses greylisting by itself: it is as I understand meant to be the same server as that handles your regular mail.
So only mails that pass the greylisting will be trapped, so that are mails, presumably spam, that pass the greylisting and are sent from a real mailserver.
Those servers you want to trap and blacklist.
Now the problem arises indeed when junk is being sent through legitimate servers, in my case that is a very real problem as many Chinese webmail services are used by spammers, and by customers of mine as well. So I don't want to blacklist them.
The handful of mails that makes it through greylisting and spamassassin I can deal with manually. I used to get about 300 spam a day, greylisting takes care of the first 280, then spamassassin takes care of another 16 or so, and the last four well I can handle. I do have the strong feeling though that spamassassin is less accurate at detecting spam coming through real mail servers, probably because there are no/less obviously faked headers as well.
In Hong Kong, none as far as I know. I have a 6 Mbps ADSL, and no bandwidth caps that I am aware of. There is probably a "fair use policy" but I have never heard of anyone being capped.
The same line is used for their digital TV service; when using the Now TV I see my bandwidth drop to 3 Mbps.
Available NOW, not in a few years?
Hong Kong has it. 30 Mbit (down, 10 Mbit up) for cheap (about USD 33 per month) and up to 1,000 Mbit for those with more money to waste (about USD 280 per month). This is for residential use, by the way. Available in residential buildings.
Admittedly not available everywhere (like for me: I only can get traditional ADSL but then I'm living in a village so no surprise there), still this is nothing new. Good for the UK that they are catching up with their former colony.
Why is it that worms and viruses have better security than legitimate programs?
There is a commercial advantage to investing in security in worms and viruses, that writers of most legitimate programs do not have.
Many of the ideas you mention are out there already (and unless you are truly brilliant, I bet most if not all the ideas you had for the prototype come from existing technologies).
Most if not all of those technologies have been implemented already. As a result there are direct examples or even complete chunks of source code to copy into your own creation. Many of those implementations will be open source, making this relatively easy. The exploit it uses is a known one, with probably at least proof-of-concept implementations around, and maybe even further developed code for sale on the black market.
So you will need some highly skilled programmers, but almost surely a small group will do. Maybe even a small group of friends that have a programming daytime job (possibly in computer security) and do this as a hobby.
Or is programming such a worm really so much more work than I guess? Call me naive but the management of the worm and the botnet is I think the hard part, particularly as this has to happen "live in the open" while staying under the radar and without leaving traces.
Standards compliance may be an issue for the average user, the other two points are far less important. The average user will just throw some more hardware at the problem. Moore's law takes care of all that nicely.
Good to see innovation is back in town. I won't be using IE anytime soon, at least not until there is a Linux or OS-X release of the browser. But I'm sure the Firefox, Opera, Chrome, etc. developers are going to take a good hard look at those features, and we'll see the best innovations appear in other browsers really soon. And hopefully even more nifty functions inspired by this.
The last two, three years have seen more innovation in the browser than the ten years before that. FF 1 was nice and up to par - adding tabs but not that much more, FF 2 was a serious improvement, but only in FF 3 I start to see very serious changes and improvements - it starts to feel experimental at times - in an innovative way, something that I don't feel in FF 2. Is it because MS has picked up their pace in UI innovation? Is it because Google has launched Chrome with its super-javascript-engine? Or maybe because alternative Safari has gained mainstream recognition with its Windows version and the iPhone version? Or more likely all of the above?
Interesting times ahead, for sure. Very interesting times. And a lot of hard hard work for anyone involved in browser development to keep their brainchild on top. What a little competition can do! For once I will say: go, Microsoft, go, you're starting to do well in this. Just make sure you stick to the standards as otherwise you won't make it against the competition. The competition is too strong for that kind of tricks already.
Microsofts market share is shrinking, and that alone is worrying for them. It is shrinking fast even, and is reaching the point where they can not be called the de-facto standard anymore. That, and that alone, is what worries them.
The ball thing works even in FF2.0.0.20 on OSx 10.3.9. Not very smooth (JS is relative slow still in that browser) but still, it works. Gravity also mostly works, haven't tried it much as it is too sluggish. Sad it can't work in IE which is years younger than this browser, which is ages in the computer world.
I miss 4chan.org in that list.
And of course slashdot.org - the best source on the whole Internet when it comes to tech related news, especially thanks to the comments.
The guy was being sued by his FATHER after he stole a quarter million from the father's business.
[...] it isn't a criminal case.
Euhm sorry how is theft not criminal? NZ may not be the rest of the world but I though theft is afaik a crime pretty much throughout the world.
If served in NZ but living in UK he's already pretty immune to NZ law of course (something the USA unfortunately tends to forget). Laws are limited to a geographical region, usually a country.
In this case the person may ignore the summons and if he never returns to NZ may indeed not have to pay the punishment (jail, fines, whatever). After conviction, the only option left for NZ courts is to ask the UK police to arrest and extradite the person. And whether that is possible probably depends on the crime committed, and whether NZ and UK have an extradition treaty (which I'd expect they have).
Funny, now that I think about it, MS treats the coding of it's OS similar to a terrorist operation, small groups of people working on compartmentalized tasks, never knowing who is doing exactly what or what the desired end-product actually is.
Funny, now I think of it, this is EXACTLY how the whole Linux development goes on. You have a bunch doing the kernel, doing X, doing Gnome, doing Gimp, doing OOo, etc. All doing little parts of what is going to be the operating system, without having a clue of what the end product even could be. They just make sure that their little piece works fine. And for the software to communicate with each other they use some standard protocols.
Microsoft has at least some top management that will define the final look and feel (at least I assume so, any reasonable OS company would do so). So the little parts do not need to know the total, they just need to know what THEY have to do.
For example the printer server (like CUPS). They have to make sure they can address all kinds of printers on all kinds of ports, and then produce some interface for other software to talk to the printer server. The printer server people don't need to know the total picture. They just have to make sure their printer server works, and that they can answer requests according to specifications.
It seems the problem of Windows development may be that they do NOT work like that. That they want to keep it as a whole, finding interfaces to talk to all different programs in different ways, instead of standardising and creating independent components. Like Linux where you can add the components you need, and depending on the components you have a business work station (include word processor, image viewer, e-mail software), a multimedia station (install Gimp, some video editor, video and music players), or a server (do not install any GUI, instead Postfix, Apache and the rest).
The reason all these little programs can talk to each other is that they use certain standards. All open standards, official or not, some may have developed their own standard. But they use standard file formats, standard interfaces (named pipe, sockets, network) that other software also uses, and thus they can be patched together and generally work fine with each other. And then the distro producers (Mandriva, Ubuntu, Debian) test and make sure all works as expected, and optionally add bits of glue or eye candy to the whole.
Microsoft could be well off by starting to work like that. Kernel and GUI separate. Split off IE and Media Player. Set some goals for the new version, plan for each part what functionality it has to provide and how it is going to provide this to the outside world (e.g. API), and when the parts are done, glue them together. It may just work.
OK thanks for the info.
Sounds like that having the Server service listen to localhost/loopback (assuming there is such a thing in Windows) only would close the infection vector... it should definitely not be listening to incoming connections from other computers without being explicitly instructed to do so. So we can shove this on Microsoft's poor design.
And after the recent discussion here on /. about User Access Control in XP/Vista/Win7 it again makes me wonder whether Windows as it is can be fixed at all. Its security seems broken beyond repair.
[...]some 9 million Windows machines [...]. The worm [...] exploits a bug in the Windows Server service...
Without elaborating what Windows Server service that might be... Are there really that many vulnerable, not firewalled Windows servers connected to the Internet? Or is this a Server function that has no business on a Desktop that is getting infected?
In the first case blame the administrators (for not knowing how to properly protect a Windows server), in the second case blame Microsoft (for running servers on a desktop that should not be there in the first place). I would expect the second case as that I recall we have seen before, a virus exploiting a bug in a server function that can not even be stopped on a desktop.
The US patent system with its patents on business models and software is botched, but that is not the whole world. The idea and original implementation of patents is pretty good.
There is at the moment at least relative little innovation in China. It is a very small amount of money that gets invested in research and design. The West invests much more, as % of turnover/profits.
Furthermore the Chinese industry is not in a very good shape. Most of them are plain workshops doing assembly, and thus easily replaced by other companies. They don't have much if anything that makes a factory stand out, they don't have many own products. Mostly the design is done overseas, and the assembly in China. And workshops are of course easily replaceable by another.