Slashdot Mirror


User: Surreal+Puppet

Surreal+Puppet's activity in the archive.

Stories: 0
Comments: 40

Comments · 40

  1. Re:Ooooooo! Ahhhh! on NVIDIA's $10K Tesla GPU-Based Personal Supercomputer · · Score: 2, Interesting

    Port John the Ripper/aircrack-ng? Buy a few terabyte drives and start generating hash tables?

  2. Re:Good intentions and all that... on Court Slams Door On Sale of Spyware · · Score: 1

    The thing with spyware is that it's included in legitimate apps, typically, and the user has to click through an EULA. Also, all software sold with the intended purpose of large-scale crime has to be explicitly designed for the fraud in question (code for capturing credit card numbers and passwords from browser sessions/committing various forms of DDOS attacks for example.) The purpose of the software is obvious from its construction (which conveniently also sets it apart from how commercial pen testing tools are constructed, which have no need for the above features, not to mention how they are marketed.) Relatively benign hacking software not explicitly designed for large-scale economic crime (phearbot, phatbot, poison ivy) would certainly slip under the pen-test or remote administration heading while actually being used in a very large amount of semi-skilled targeted attacks, but on the other hand these are not at all as dangerous given the assumption that the attacker simply acts as a passive consumer that cannot modify the tools he has bought (which is the load-bearing point of first post), and that the crimes we are looking to prevent are DDOS/data encryption extortion and large-scale credit card fraud.

  3. Re:Good intentions and all that... on Court Slams Door On Sale of Spyware · · Score: 1

    I totally meant to type "malware", but my head is muddled from a sleepless night. Spyware is of course only a part of the problem.

  4. Re:but why? on Court Slams Door On Sale of Spyware · · Score: 3, Interesting

    You mean like the catch-all German "hacker program" law, that has had the entire security industry up in arms? The one where you could in theory get arrested for possessing a copy of Nmap?
    www.schneier.com/blog/archives/2007/08/new_german_hack.html

  5. Re:but why? on Court Slams Door On Sale of Spyware · · Score: 1

    I honestly don't think you could pass off something this simple as a pen-test tool. You could probably pass it off as a pure remote administration utility. But this would require you to add lots of extraneous functionality that would seriously confuse the intended market, and you couldn't market it to them directly either (I guess this could work anyway if you could incite some really strange grassroots campaign.) On the upside, if the virus engines wouldn't recognize it, you wouldn't have to include signature-evading code (polymorphism, packing...).

  6. This is good. on Court Slams Door On Sale of Spyware · · Score: 4, Insightful

    But it's stuff like this we're really after: http://en.wikipedia.org/wiki/MPack_(software). People who code professional-grade malware generally do so to profit off of it. It's well known that in the existing ecosystem of digital crime the malicious hackers themselves rarely act as attackers in large-scale id/credit card theft; instead they sell it to people who do. Quoting this extremely enlightening interview: http://www.securityfocus.com/news/11476

    "The project is not so profitable compared to other activities on the Internet. It's just a business. While it makes income, we will work on it, and while we are interested in it, it will live. Of course, some of our customers make huge profits. So in some ways, MPack could be looked at as a brand-name establishment project."

    This particular piece of spyware is amateur stuff, aimed at paranoid spouses/bosses, but if we can hit the business of selling spyware (probably requiring the cooperation of the international banking system, as well as the governments of China and Russia) it would totally cripple large-scale internet crime as we know it. It's a pipe dream, of course. But one can always dream.

  7. It's taken root. on When Agile Projects Go Bad · · Score: 1

    Several of the more business-oriented programming/software development courses on my (Swedish) campus are being taught in project groups using agile.

  8. More competition in this sector may be good. Or? on Microsoft To Offer Free Anti-Virus Software · · Score: 4, Informative

    The antivirus market is, as everyone knows, the most FUD-filled part of the security industry. The effectiveness of different antivirus products is largely anecdotal, and shifts rapidly because of the arms race between virus writers and antivirus manufacturers. As it stands now, even an "expert" end user cannot ascertain the relative effectiveness of the suites, and because antivirus products are still heuristics-based with a few "depacker" routines built in, they only catch the really obvious fish. (One funny thing with this is, if you pack an executable with a common yet relatively complicated packer, say "redeye", it'll get caught, but if you just jump in and jumble up the instructions with a debugger you can make it "invisible" easily). Because of this reliance on FUD to sell, and because there *is* already fierce competition in the antivirus market, maybe this won't change much, unless MS locks other vendors out somehow. Or will it be a different form of competition, because of the now-asymmetrical playing field? MS has an advantage in that they have access to the code and people who wrote the code, and designed the OS architecture.

  9. Re:Russian C&C is Actually Less Desirable on McColo Briefly Returns, Hands Off Botnet Control · · Score: 1

    Yes, but couldn't you just have two layers of C&C? Using socks proxies on bots running on home computers spread out over tier-3 ISP IP pools that don't blacklist "bullet proof" countries, combined with a few cheap colocated hosts inside US borders for data storage, communicating back to hosts on safe territory is the method I would use if I wanted to use the simplest, cheapest and most reliable method, and wasn't the sharpest knife in the drawer. The really sharp solution would be to have a storm-like P2P botnet architecture with irregularly steganographed and encrypted connections back to C&C servers on safe ground (e.g., even if the "mothership connections" were discovered, they would look like they were coming from disparate botnets.) I think such a system could be maintained for the foreseeable future, as long as you keep adding new steganographic methods to the pool.

  10. Re:Epic Fail. on McColo Briefly Returns, Hands Off Botnet Control · · Score: 1

    As I understand it, that is exactly what the security researchers did. What happened (by analogy) was that the person that the landlord in turn rented from kicked him out. I don't think you can really place the blame on the security researchers in this case.

  11. Re:Unsurprising find? on The Neurological Basis of Con Games · · Score: 1

    Terry Pratchett once said that he was surprised people who program computers don't spend more time programming people.

  12. Unsurprising find? on The Neurological Basis of Con Games · · Score: 2, Insightful

    Doesn't everyone do this subconsciously, when they feel they would benefit from it? I know I have to stop myself sometimes, when I put myself in "vulnerable mode" to make people trust me more. I don't try to con people, I just do it because it... works? On the other hand, I'm into computer security. Maybe stuff like that is just part of the "security mindset" Bruce Schneier et al. espouses? 2% sounds like a surprisingly small figure though.

  13. Re:Taint. on Boycott Novell Protesters Manhandled In India · · Score: 1

    No, of course not. But an open-source sponsor company still chooses to associate with an obviously oppressive government. And that's not good at all.

  14. Re:Ideologically Motivated News on Boycott Novell Protesters Manhandled In India · · Score: 1

    Yeah, but a country isn't a house. For example, you do not, as the owner of the house, have exclusive right to regulate lethal force within it. Allowing closed communities to form with their own laws and moralities about such basic things as the freedom of speech isn't generally good for society, or the people in the communities. Look at North Korea or Saudi Arabia for example.

  15. Taint. on Boycott Novell Protesters Manhandled In India · · Score: 1

    No matter if the people protesting Novell are a vocal minority subgroup that annoys most people. Having police roughing them up and removing evidence about doing so is bad PR for all free software, and it's completely immoral to rationalize this sort of reprehensible behavior just because you don't agree with what they're protesting about. So they still live. So what, it still shows that this specific police force consists of thugs. Do you people feel relieved over not getting shot every time you pass customs at the US border?