...but the zombie nets are relatively recent developments.
How long ago do you consider recent? Zombie nets have been becoming increasingly problematic for at least the past 4 years... and that's just when I started being affected by them. At least it's slightly more difficult to infect machines now... in the good ol' days, the zombie nets mostly spread by looking for win2k machines with a blank administrator password and open c$ share.
Now if someone could create an IM system that would default messages to an email when offline, that would be cool. Take the great features of both and make it a standard protocol. Heck, we could even have a security standard to help block some spammers.
Err, you mean ICQ? It had offline message support back in 1998. Well, it wasn't quite what you describe... the server just held onto the messages and delivered them when the person went online next (as opposed to sending an e-mail, as you described).
I resisted using MSN for a long time because I thought that was a very important feature. Now I use gaim that does ICQ/AIM/MSN at the same time, and I leave it connected close to 24/7, so I don't have a great need for receiving offline messages, but sending them would still be nice.
Well, that's what they're claiming won't work -- they're saying that if you use ethanol as the only energy source in the production of ethanol (well, not counting the solar energy that the plants use), you'd need 29% more at the start than you'd end up with after the conversion is done.
I was thinking about how to do that. I imagine it'd work reasonably well if you mapped all of the keys so that in command mode it'd be all of the same keys as if you were using qwerty, and then as soon as you go to insert mode, you'd be typing in dvorak.
Of course, you don't have to change keyboard layout to do that; you could merely bind the navigation keys to whatever hjkl happens to be in dvorak. In case those keys happen to correspond to other vi commands (who am I kidding... they *will*), keeping the rest of command mode as effectively qwerty is probably the sanest thing to do.
A minor nitpick: gigE and 10gigE are full duplex and don't have collisions. Full-duplex 100BaseTX or 10BaseT don't have collisions either (the usual situation these days, since switches are so cheap now and have far better performance than hubs, for that very reason).
1990 didn't have 200 MHz CPUs either. That's more like 1995-1996.
so, if I do the math...
10 years ago: 200 MHz CPU - 10Mbps ethernet
Now: 3500MHz CPU - 1000Mbps ethernet
Change: 17.5x MHz - 100x Mbps
17.5x is a lot smaller than 100x. Thus the problem has been made worse. That's not even including the fact that gigE is full duplex, when most networks 10 years ago weren't.
> Modern spam zombies use p2p network to send messages back and forth, they aren't controlled from centralized irc servers anymore.
That's exceedingly hard to get working properly, which is probably why it's still not a very common behaviour. In my experience, most of the botnets still seem to be controlled by a central IRC server, albeit they tend to use hacked up ircds that provide only the minimal functionality required (with little in the way of informational messages), making it hard to get much information out of the IRC servers used for centralized control.
I'm the security manager for the GameSurge IRC network, and that's just my personal experience on the matter. The average botnet used to attack things other than our IRC network may be different from what I've seen, however I'd still contest your claim that they aren't usually controlled from centralized IRC servers anymore. Remember, most of the people running botnets are kids.
Well, this will actually be helpful when I'm trying to help my dad over the phone. For the longest time, I'd say "double click on My Computer" and he'd ask why he's going to my computer instead of his.
Something to keep in mind is that the phones tend to be good at voice, and not very optimized for data, whereas the cards are very optimized for data.
I don't remember where I saw it, but there was a chart of the different data rates available, and the cards had 2-3 times the maximum throughput as the phones, simply because the phones (while advertising that they can do "1X digital data" or GSM) can't use the higher data rates. It's really hard to get that information normally, too. They don't really want you to know.
As far as I know, STP only kills ports that STP decides are causing a loop. Seeing a MAC address on two ports just makes it think that the system has moved (think about what happens if you roam between APs) so it will direct all future packets to that MAC address to the last port it saw data come in from. So if both hosts are sending a lot of data, then the ensuing packet loss (because packets are going to the wrong place) makes it pretty miserable. If only one has a lot of traffic going, then they win most of the time, at the expense of the other. Either way, it's probably going to elicit a helpdesk call by the legitimate user if it happens for too long.
The above description only applies when two systems have the same MAC address, but different IP addresses, and the two systems are going through different switch ports.
If you have two machines configured with the same MAC address and the same IP address, then you basically end up with the system being unusable. Whenever a packet to the other computer is seen, the OS sends a TCP reset or ICMP port unreachable (in the case of UDP). So basically, if there's much traffic going through the two computers at all, then neither of them can get anywhere, because the connections keep getting reset constantly (as opposed to mere packet loss when the IPs are different). You'd need a firewall on /both/ systems to avoid sending the reset responses for any hope of it working (and even then, you only end up as good as the two-IP scenario).
If you have two systems with the same MAC address but different IPs on the same AP/hub, then you can at least have a reasonable hope it'd work. I don't know if sane APs would let two instances of the same MAC address successfully associate though. I don't know how the association process works, so I can only speculate.
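The switch behaviour described in the comment above (no STP involvement, just a MAC table that follows the last port the address was seen on) can be simulated in a few lines. This is an added example, not code from any of the commenters: a toy learning switch with a constructed topology of two hosts, A on port 1 and B on port 2, both using the same MAC address. Replies to each host are forwarded wherever the table points at the moment they arrive, so the example shows the packet loss the comment predicts, and it also counts port moves, which is the "MAC flapping" signal a managed switch typically logs and that a network team would alarm on to find a duplicated MAC.

```python
# Added example, not from the original comments: a minimal source-learning
# switch reproducing the "same MAC on two ports" failure mode. Constructed
# topology: hosts A (port 1) and B (port 2) both use SHARED_MAC.
from collections import Counter

SHARED_MAC = "00:11:22:33:44:55"   # constructed sample address
HOST_PORT = {"A": 1, "B": 2}


class LearningSwitch:
    """MAC -> port table where the last writer wins; no spanning-tree logic."""

    def __init__(self):
        self.mac_table = {}
        self.port_moves = Counter()  # how often each MAC has hopped between ports

    def learn(self, src_mac, port):
        old_port = self.mac_table.get(src_mac)
        if old_port is not None and old_port != port:
            self.port_moves[src_mac] += 1  # a real switch would log this as a MAC flap
        self.mac_table[src_mac] = port

    def lookup(self, dst_mac):
        # None would mean "unknown, flood"; never happens once a host has spoken.
        return self.mac_table.get(dst_mac)

    def flapping_macs(self, threshold=3):
        """MACs that moved at least `threshold` times: the detection signal for a
        duplicate MAC (or a loop) that a NOC would alarm on."""
        return [mac for mac, n in self.port_moves.items() if n >= threshold]


def run(requests, reply_delay=1):
    """Replay a sequence of requests such as ["A", "B", "A"], each sent by one
    of the two hosts. The reply to request i arrives after `reply_delay`
    further requests have been processed and is forwarded wherever the MAC
    table points at that moment. Returns delivery counts and flap statistics."""
    sw = LearningSwitch()
    pending = []          # (index at which the reply arrives, host that asked)
    outcome = Counter()

    def deliver(asker):
        port = sw.lookup(SHARED_MAC)
        outcome["ok" if port == HOST_PORT[asker] else "misdirected"] += 1

    for i, host in enumerate(requests):
        sw.learn(SHARED_MAC, HOST_PORT[host])   # the request frame teaches the switch
        pending.append((i + reply_delay, host))
        due = [p for p in pending if p[0] <= i]
        pending = [p for p in pending if p[0] > i]
        for _, asker in due:
            deliver(asker)
    for _, asker in pending:   # replies still in flight after the last request
        deliver(asker)
    return {
        "ok": outcome["ok"],
        "misdirected": outcome["misdirected"],
        "mac_moves": sw.port_moves[SHARED_MAC],
        "flapping": sw.flapping_macs(),
    }


if __name__ == "__main__":
    print("A alone:        ", run(["A"] * 6))
    print("A busy, B quiet:", run(["A", "A", "A", "B"] * 2))
    print("both busy:      ", run(["A", "B"] * 4))
```

With only one host talking nothing goes wrong, which is why a duplicated MAC can sit unnoticed on a quiet segment. Once both hosts are active, the busier host gets most of its replies and the quieter one loses most of its own, and with evenly interleaved traffic almost every reply is misdirected. The `flapping_macs()` count is the one value worth monitoring: it rises only when an address genuinely alternates between ports.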
99.9% is misleading (on "Is IRC All Bad?", Score: 3, Informative)
I'm an admin on the GameSurge IRC network (irc.gamesurge.net). I can't really say much about the other networks, but on GameSurge at least, we don't permit warez distribution, among other illegal activities. Our 6 largest channels are for finding games to play, clan channels, or IRC games -- none of these activities are illegal.
So at the very least, that means that 10% of the channels he looked at aren't used for illegal purposes (presumably he used something like netsplit.de to determine the 10 largest networks, so we'd be in that list).
I seem to recall that DAL changed their policies to disallow file-sharing channels a while ago. If they're enforcing that, there goes another 10%. A quick glance on netsplit.de shows that the biggest QuakeNet channels aren't for warez either. I didn't check the other networks, but there's probably a couple more that are clean.
I'll admit it's likely that the biggest channels on some of the other networks will be like he writes, but surely not 99.9%. Less than 70% even!
> Yes. I use Comcast Cable in New Jersey. MAPS-DUL says smtp.comcast.net is a dial-up line, so I can't post to the gcc.gnu.org mailing lists, which reject emails from dial-ups and free accounts. I have to send the mail via ssh to my employer's computer and send from their IP.
Fair enough then. At the same time, though, someone (preferably a lot of someones) really should be whiny and get them to fix it.
Sympatico blocks outgoing port 25 too. But that's okay, since you can use their SMTP server. Is there any reason in particular that it *must* go through your mail server? Every ISP that I have used here (Ontario) permits relaying by anyone on their IP space, no matter what the "From:" address is, so you don't actually need to use an alternate SMTP server in most cases, even if you aren't using their provided e-mail account.
Actually, if this were a 17 year old instead of AOL, the FBI couldn't care less.
IRC networks deal with channels containing potentially thousands of drones (compromised windows machines waiting for commands to start DDoS attacks), and unless you can prove that there has been a significant amount of damage, they really don't care. Some ISPs don't really care either. Luckily the dyndns hostnames that most of the bots use to find their "control server" are generally run off places that do take abuse seriously. </rant>
Re:I'm as stumped as my girlfriend usually is (on "Telstar 4 is Down", Score: 1)
[ To read the rest of this bad screenplay, you must have a premium membership. Log on now to continue. ]
Hey! I just bought one, but it still won't let me see it!
I urge everyone reading this to be very diligent in your boycott of buying new music or going to see movies. I haven't bought a CD in 22 months and haven't seen a movie since (believe it or not) 1999. You can't cheat and plead, just one movie! It's the Matrix! I have to see it. Nothing but the bottom line is going to get through to these people. If these folks don't get the message and soon, you may find yourself asking for permission to write anything on your machine that moves bits around.
Though it sounds good, I do not think that would even work as a solution. They would simply blame the declining sales on piracy and the exact same thing will happen.
Personally, I don't listen to any music anyway, so the music industry has never received any money from me. I do watch movies though.
As an IRCOP on GamesNET, I spend some of my spare time tracking down packet kiddies that attack channels and/or servers. /Most/ of the botnets these days still spread by simply scanning for open c$ shares using the Administrator account and no password. The DCOM exploit that's floating around really messes up the computer until it's rebooted (Windows NT doesn't like having RPC crash, which is what it does as soon as you close the shell it creates), so it's not even all that useful for spreading stuff.
All the DCOM exploit did was leave the people who don't keep their systems up to date open for infection again. As most botnets disable the c$ hole they use to spread as they infect machines these days, it will simply replenish the supply to levels from around the beginning of the year.
There's always a few attacks against some host or another at any given point in time on the internet. It's been this way for years. I don't see how this will be a big deal.
I wonder what kernel they're using. Linux 2.4.x does not support ACPI S3 sleep, and it seems surprising that they would ship a 2.5.x kernel. I can't wait to take a look at the sources they release.
I thought that 802.11b and bluetooth had very different goals... bluetooth sounded to me to have goals similar to USB, while 802.11b has goals similar to ethernet (ok, flawed analogy, but they're definitely not the same thing).
Bluetooth's range is probably more a result of its power requirements than the protocol itself... you don't want to waste a ton of power connecting a cell phone to a PDA for a low speed link. It's just easier than IR. An application I was reading about would be using a laptop to connect to a cell phone's GPRS while the phone is clipped on your belt, instead of having to sit it on the table for IR.
The article might as well try saying that connecting a PDA via IR is useless because you could use a cellular PCMCIA card.
Your test doesn't prove it DOESN'T use the address book. It only proves that it ALSO has canned addresses or can find or generate some in some other way.
Oops
I was refuting the general statement that my earlier post's parent made (that it only affects windows using the address book), but I made an overly general statement myself. From reading further, it appears AV companies have found that it both makes its own addresses and throws in the address book, just for good measure.
I guarantee the fellow/group behind fizzer connects with his linux box to control all of his 7337 bots.
Probably not, actually. It looks like the client is windows based. I say this because if you open up fizzer in reshacker, it shows a dialog that looks like the client interface. How such a dialog found its way into the worm is beyond me, but it's there nonetheless.
It's YAOW (Outlook Worm). Same drill, you open an infected attachment, it copies itself to the address book as well as installs its payload.
Except it doesn't use the address book this time. Maybe the IE cache. I couldn't tell where it was getting the addresses from, but my system that I intentionally infected in order to investigate how it works didn't have any OE settings, let alone an address book.
I think he's afraid of possible side effects.
"We don't go to Ravenholm anymore."
Yep. For once we have an example of a good business plan:
1. Get ICANN to make the .xxx TLD
2. Sell .xxx domains @ US$60/year
3. Claim it's to "protect children"
4. Profit!
(I'm surprised there aren't 1000 variants on that joke posted at +2 or higher already)
Sigh.
Sorry to hurt your fun, but that's a quote from Andromeda, not his personal insanity.
http://www.laurabertram.net/eldoradodrift/episodes/ep_207.html
Actually, it would prove rather difficult.
In fact, the Linux ACPI development project has declared it impossible.
I couldn't find the direct quote, but this sums up the situation.
Basically, the framework for notifying each device driver that the system is sleeping/waking up is not possible with 2.4. There were major changes in 2.5 to add support for this.