Real Day-1 DLC can be okay. There's a bit of lead time between the game going gold and it hitting customer's hands. There's enough time for some development to take place.
This is like Day minus-30 DLC. The content was almost (if not wholly) completed by the time it was sent to the presses. Enough that 24KB was enough to enable it. That's different.
A long time ago, I read about a court decision (which I can't find now, but maybe someone else will have better Googling skills) regarding licensing of content. The general ruling was that no explicit license is required for using the content in its intended way. That is, you don't need a specific license to read a book that you've purchased. You don't need a specific license to watch a movie that you've purchased. By extension, you don't need a specific license to install software you've purchased if the purpose of that disc is to install the game.
Software companies made a big deal of licensing 20 or so years ago under the guise that you need a license in order to make copies, and that computing necessarily made copies into RAM. This is completely wrong, and goes against both common sense and "bench law." But it was seemingly the precursor to some of the consumer-hostile EULAs we've been seeing lately. And sadly, courts have been upholding EULAs in a general sense lately.
So the idea that you have to have a license in order to use software is crazy. And somewhat by extension, the idea that you can impose additional license terms blows my mind. I still have some old software (on 5.25" disks) which didn't have a license agreement, either in the box or on the disks. No one seriously thought that it was legal for them to copy it outside of fair use (for backups.)
What difference does it make if this extra content was done when the rest of the game was done, which seems to be a sticking point with some people? They obviously felt the extra content added value to the game and could be charged for, and that the whole shmear was worth $5 more than the original package. I don't see how any promises were broken, even implied ones.
There are a lot of issues, and they largely have to do with perception.
What they're calling DLC isn't really DLC at all. The "download" part is just some code to unlock the content you already have. So at a minimum, there's some deception going on that goes beyond normal marketing. What used to be sold as expansions (based upon the popularity of the game--gamers had a real impact on whether or not the content was ever released) is now part of the normal development process but sold separately, quite probably at a considerably higher price per unit of enjoyment.
It's a feeling that they're exploiting their fan base, whether or not it's logical (I'm not going to debate that part.)
I did respond to what you wrote. You seem to have forgotten what you wrote. Nowhere in that post did you mention 0-days. If that was your point, you failed miserably in making it.
The author claims this technique will work on already infected machines, but I don't see how that is possible. If starting from a known clean machine, though, this technique seems pretty foolproof.
The author assumes that you can detect malware if it is not in memory corrupting your scan. The author then presents a way to prove that your memory is not corrupted by a virus.
The rootkit could be lying about the total amount of RAM, sure, but that won't help if we have started from a known clean machine.
The external verifier (which verifies the hash) takes care of that. If the rootkit lies about the amount of RAM to the process which writes pseudo-random data, then the checksum will fail when the external verifier computes it.
You can't detect known malware that way if it virtualizes the computer, because you will only scan for the memory the malware is willing to show you.
Ah, there's where the bit about "knowing how much RAM you have" matters.
The virus has three choices:
1) Be overwritten, thus being eliminated (and showing you all of the RAM in your system.)
2) Swap part of what you're writing to disk.
3) Present less RAM than you actually have.
If you know how much RAM you have, you can detect choice 3.
If you can detect latency between secondary storage and RAM, you can detect choice 2.
If the virus doesn't mind disappearing for the rest of the computer's runtime, you can mitigate damage via choice 1.
Now you may not know what kind of malware is on your computer, but you know that something is there.
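The exchange above (fill all RAM with pseudo-random data, report a digest, have an outside verifier recompute it from the seed and the known RAM size) can be modelled in a few dozen lines. This is an added toy simulation, not code from the article or from anyone in the thread: the 64 KiB "machine", the 4 KiB rootkit region and the seed are constructed, and the three strategies the comment lists are selected by a `mode` string. It deliberately does not model timing, which is why the "swap" strategy (choice 2) passes the checksum and survives, exactly the gap the latency check is meant to close.

```python
"""Toy model of the RAM-filling check: an in-machine prover fills every byte of
RAM it can see with a keyed pseudo-random stream and reports a digest; an
external verifier, which knows the seed and the true RAM size, recomputes it."""
import hashlib

TRUE_RAM = 64 * 1024        # constructed: the "machine" has 64 KiB of RAM
ROOTKIT_SIZE = 4 * 1024     # constructed: a resident rootkit occupies the top 4 KiB
ROOTKIT_MARK = b"\xEE"      # constructed marker byte standing in for rootkit code


def keystream(seed: bytes, nbytes: int) -> bytes:
    """Expand the seed with SHA-256 in counter mode; prover and verifier share this."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


class Machine:
    """RAM plus an optional rootkit that picks one of the strategies from the thread:
    'clean'       no rootkit at all
    'overwritten' rootkit lets itself be overwritten (choice 1)
    'swap'        rootkit stashes itself, lets the fill run, restores itself (choice 2)
    'hide'        rootkit under-reports RAM so its pages are never written (choice 3)"""

    def __init__(self, mode: str):
        self.mode = mode
        self.ram = bytearray(TRUE_RAM)
        self.lo = TRUE_RAM - ROOTKIT_SIZE          # rootkit region is [lo, TRUE_RAM)
        if mode != "clean":
            self.ram[self.lo:] = ROOTKIT_MARK * ROOTKIT_SIZE

    def visible_ram(self) -> int:
        # Choice 3: lie about the total so the filler never reaches the rootkit.
        return self.lo if self.mode == "hide" else TRUE_RAM

    def prover(self, seed: bytes) -> str:
        stash = bytes(self.ram[self.lo:]) if self.mode == "swap" else None  # choice 2
        n = self.visible_ram()
        self.ram[:n] = keystream(seed, n)          # overwrite everything the OS shows us
        digest = hashlib.sha256(bytes(self.ram[:n])).hexdigest()
        if stash is not None:
            self.ram[self.lo:] = stash             # choice 2: come back after the digest
        return digest

    def rootkit_alive(self) -> bool:
        return bytes(self.ram[self.lo:]) == ROOTKIT_MARK * ROOTKIT_SIZE


def verify(seed: bytes, reported: str) -> bool:
    """External verifier: it knows the true RAM size, so a fill of fewer bytes
    produces a different digest and the under-reporting rootkit is caught."""
    expected = hashlib.sha256(keystream(seed, TRUE_RAM)).hexdigest()
    return expected == reported


def run_scenario(mode: str, seed: bytes = b"constructed-seed") -> tuple:
    """Return (digest verified?, rootkit still resident?) for one strategy."""
    m = Machine(mode)
    ok = verify(seed, m.prover(seed))
    return ok, m.rootkit_alive()


if __name__ == "__main__":
    for mode in ("clean", "overwritten", "hide", "swap"):
        ok, alive = run_scenario(mode)
        print(f"{mode:12s} digest ok={ok!s:5s} rootkit alive={alive}")
```

Reading the four rows together makes the comment's point concrete: "hide" fails the digest, "overwritten" passes but the rootkit is gone, and only "swap" both passes and survives, which is why the check needs a latency measurement on top of the hash.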
Fine, except the article claims that this detects 0-days. Which it only does if the 0-day defends itself. So it might find a 0-day, and it might not. Running this could show a positive, but a negative still doesn't mean that you're safe. It's marginally better than what we have now in exchange for a lot more work.
That's what the swapping is for. You swap everything out of RAM (except for the detection process.) Now you have a clean RAM playground. You prove this with the hash and the external verification. Now that you have clean RAM, you know that the virus can't be actively doing anything. This is pretty sound.
Now you have to figure out whether there's a virus that was swapped out. This is much harder, and not really covered well. spun adds some assumptions, like the presence of a clean system. I can't find any mention of that in the article, though.
In other words, there is no way to use an external machine to assist you in determining things like memory used by a process because you can't have both a clean machine and one infected by malware and have them identical enough to get a meaningful comparison.
You also have to know a lot of things like how much memory a particular process has requested. Is this a web server? Does the number of requests it's served make a difference in how much memory is allocated? How about just the uptime (maybe there's a memory leak in a process somewhere.)
It sounds to me like the only way to guarantee detection is to start both machines up at the same time and see if there's any difference in RAM allocation. That could be valuable to some people, but it's far from a perfect solution.
Except the article (and summary, for what it's worth) say that it does detect infected systems for 0-days.
I don't think anyone here is saying that the technique is wholly without merit, it's just not the end-all be-all that the article implies.
I read the article three times and didn't see a reference to scanning anything that's swapped out. I can envision some things you could scan for:
1) Known signatures
2) Amount of allocated memory that was swapped out
3) Total allocated memory.
1 above works if the virus has a known signature.
I don't understand how 2 or 3 would be helpful. Processes can allocate more memory than the system physically has. Pagefiles have been around forever (in computing terms.) And while you could know some minimums on how much memory a process has, maximums would be much harder to calculate and somewhat pointless. Firefox can require a variable amount of memory. You'd have to know how much it had requested and compare it to how much it had allocated. You'd also have to assume that the Firefox process hadn't been modified to request extra space.
I really get the feeling that malware detection is similar to the halting problem, which I've always sort of likened to proving that there is not a god. You can't prove that there is no god, because any proof would rest within the physical world. Someone wanting to invalidate your proof could merely say, "God made the world look like that."
This system gets some help from outside the system, but only for verifying the contents of RAM. It doesn't determine whether or not processes or executables were modified to do malicious things.
Yeah, but from the article:
Still, many malware agents slip through the cracks undetected... until the rules of the anti-virus programs are updated, that is.
...
Instead of looking for known patterns -- whether of instructions and data, or of actions -- wouldn't it be great if we could look for anything that is malicious? That may sound like a pipe dream.
Maybe it's just badly worded or written, but he's making it sound like he's found the panacea of virus detection. Unfortunately, it doesn't work on viruses which a) don't have a known signature and b) don't try to keep themselves in RAM (i.e. don't mind being swapped out.) I would think that if the virus can overwrite parts of the OS in memory that it would not detect those, either (e.g. it could overwrite services which are commonly started but uncommonly used and live in their process space--autoupdaters would be good candidates for this.)
http://www.milw0rm.com/exploits/7309
Here you go, found with a pretty simple Google search.
Also, incidentally, older versions of RDP were susceptible to man-in-the-middle attacks to grab passwords and inject commands. I think newer versions do some certificate checking to verify the server to which they're connected.
It's the BSD userland.
People in the Linux mindset probably don't understand how BSD is structured. FreeBSD is a kernel and userland, whereas in GNU/Linux, Linux is the kernel and GNU is the userland.
Whether this makes it a BSD is up for discussion, just as is any denotation. More accurately, it is "built from BSD."
Er, I should add:
They won't give that to you without a dongle and a contract.
I'm thinking that the killer aspect of the iPad is the deal with AT&T. $30/mo for data only? Purchasable/changeable from the iPad itself? No Linux pad is going to get that. AT&T won't give you just a data plan unless you have some serious clout or a hearing disability.
Beg the question much?
A huge number of computers are infected with malware. Tech-savvy people are probably the lowest likely to be infected, pushing the percentages up even higher for your Ma, Pa, Grandma, and Grandpa (as the AC put it.) I would argue that these people "have problems" with their PCs, even if they don't know it. Then throw in the people who just want a simpler experience. The ones who complain and complain about how slow things are, how the computer doesn't do what they want it to, etc.
THEN consider the people who don't use a computer unless they absolutely have to, and who might be willing to use them more if they had something which sucked less.
Don't get me wrong. I'm pretty much against the iPad as designed. But I'm not against the concept of making things easier.
A car offers your grandma significant advantages over a bike. Does a Windows PC offer your grandma significant advantages over a car? I'm talking something on the same order of magnitude--being able to get a popup of your horoscope is not significant.
When people call me a thief for viewing pages without ads (by blocking Flash), I rebut with this. I trust Slashdot. I may not trust Slashdot's advertising partners. And Slashdot doesn't (and probably can't) vet the ads before they're displayed.
Here's a recent example of malware-infested ads appearing on a pretty big site:
http://news.cnet.com/8301-27080_3-10466753-245.html
Specifically ads included in the Drudge Report:
http://news.cnet.com/8301-27080_3-10466044-245.html
I've often been tempted to go all out with ad blocking, not because I hate ads, but because a new exploit could make e.g. simple images a vector for attack.
Texas criminal code lists four reasons for putting a person in prison:
1) Public safety
2) Vengeance
3) Rehabilitation
4) Deterrence of other citizens.
A prosecutor would consider these when determining whether or not to bring charges, and a jury would consider them during sentencing. Rehabilitation is only one of the four reasons, and if you go into a Texas court and poll jurors, they will overwhelmingly say that vengeance is the most important of the four. I've seen it happen several times.
People feel the need to punish behavior they consider bad. I'll not make a comment on my opinion of this, other than to say folks in Texas are freaking crazy.
True. I guess maybe Hatta's question was "What's the point?" And maybe the answer is "For people who don't use Bash."
I was just pointing out a difference between what you said and what you (obviously) thought. You didn't give all the information, so your post sounded like maybe a troll or flamebait.
And it's entirely possible that the problem lies outside of pf+ftp-proxy. "Nothing in the logs" is another clue that pf+ftp-proxy may be working. So where's the real problem? I don't know.
As I mentioned elsewhere, I, too, think that FTP is a mess. I wholeheartedly share your pain and feelings on it.
Maybe YOU were. Hatta (the person to whom I first replied) was talking about Bash/scp.
http://tech.slashdot.org/comments.pl?sid=1578336&cid=31431572
That said all the firewalls have very good mechanisms now for watching ftp connection and adding temporary rules for any secondary ports needed.
Not if the command channel is encrypted. Then the firewall can't read the PORT command.
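To make the point about the PORT command concrete, here is an added example (not OpenBSD's ftp-proxy code, and not from anyone in the thread) of what an FTP-aware firewall helper has to read off the control channel before it can open a temporary rule for the data connection, and what it is left with once the client has negotiated AUTH TLS. The session transcripts, addresses and ports are constructed; the TLS records are stood in for by placeholder strings, since the helper cannot parse them either way.

```python
"""Minimal FTP control-channel inspector in the spirit of a firewall helper:
extract the data-connection endpoints announced by PORT/EPRT (active mode)
and 227/229 replies (passive mode), validate them, and emit rule tuples."""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d+)\|\s*$")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_control_line(line: str, server_ip: str):
    """Return ('active'|'passive', host, port) for a line that announces a data
    connection, or None for any other line."""
    m = PORT_RE.match(line)
    if m:
        octets = [int(m.group(i)) for i in range(1, 7)]
        if any(o > 255 for o in octets):
            return None
        return ("active", ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5])
    m = PASV_RE.match(line)
    if m:
        octets = [int(m.group(i)) for i in range(1, 7)]
        if any(o > 255 for o in octets):
            return None
        return ("passive", ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5])
    m = EPRT_RE.match(line)
    if m:
        return ("active", m.group(2), int(m.group(3)))
    m = EPSV_RE.match(line)
    if m:
        return ("passive", server_ip, int(m.group(1)))   # EPSV reuses the server address
    return None


def derive_data_rules(session, client_ip: str, server_ip: str):
    """Walk the control channel and return (rules, went_encrypted).
    Each rule is (direction, src, dst, dport). Once the server answers AUTH TLS
    with 234 the channel is ciphertext and no further rules can be derived."""
    rules = []
    encrypted = False
    for line in session:
        if encrypted:
            continue                       # opaque TLS records: nothing to match
        if line.startswith("234"):
            encrypted = True               # control channel goes dark from here on
            continue
        parsed = parse_control_line(line, server_ip)
        if parsed is None:
            continue
        direction, host, port = parsed
        if not 1 <= port <= 65535:
            continue
        # Anti-bounce sanity checks: the client may only ask the server to
        # connect back to the client itself, and a passive target must be the server.
        if direction == "active" and host != client_ip:
            continue
        if direction == "passive" and host != server_ip:
            continue
        if direction == "active":
            rules.append(("pass in", server_ip, client_ip, port))
        else:
            rules.append(("pass out", client_ip, server_ip, port))
    return rules, encrypted


# Constructed plaintext session: two passive replies, one valid PORT, one bounce attempt.
PLAIN_SESSION = [
    "220 ftp.example ready",
    "USER anonymous",
    "230 Logged in",
    "PORT 10,0,0,5,4,1",                                   # client listens on 10.0.0.5:1025
    "200 PORT command successful",
    "PORT 10,0,0,99,4,2",                                  # host is not the client: ignored
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,19,137)",       # server listens on :5001
    "EPSV",
    "229 Entering Extended Passive Mode (|||5002|)",
    "QUIT",
]

# Constructed FTPS session: after 234 the helper sees only TLS records.
TLS_SESSION = [
    "220 ftp.example ready",
    "AUTH TLS",
    "234 Proceed with negotiation",
    "<tls record: 17 03 03 ...>",                          # placeholder for ciphertext
    "<tls record: 17 03 03 ...>",
]

if __name__ == "__main__":
    print(derive_data_rules(PLAIN_SESSION, "10.0.0.5", "192.0.2.10"))
    print(derive_data_rules(TLS_SESSION, "10.0.0.5", "192.0.2.10"))
```

The first call yields three temporary rules (one inbound for the PORT, two outbound for the passive replies) and drops the bounce attempt; the second yields none, because everything the helper would need to read arrives encrypted, which is the situation the comment describes.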
FTP really is a mess that needs to go away, but we still get vendors who require it for one reason or another. We even have a couple who sniff the FTP prompt using something like an expect script, so if you're not using a particular version/vendor of FTP, they will fail. Of course, this sort of thing could happen with any protocol.
Anyway, the guy you replied to obviously has some other issues besides just FTP being a crappy protocol :)
"I am having a problem, configured everything as found at open bsd web site, logs don't show any errors, a person with much more experience than I have in OpenBSD firewall configurations couldn't help either". /. moderator: "That's a flamebait, you can't be having a problem like that, that's impossible, you are starting a flamewar."
Yeah, it should have been modded "troll."
This is what you actually originally said:
I have the pf and ftp-proxy configured correctly
(emphasis mine)
If it was configured correctly, you wouldn't be having the problems. Lots of people use pf+ftp-proxy for exactly this purpose.