Yeah, like all the people they want to spy on use Windows?
:)
I thought about this a few years ago, and the most that could be done is monitoring your traffic at the ISP.
Because of this, the only internet service that is not always encrypted is email (still PGP on important stuff).
Newsgroups are encrypted, IRC is encrypted... even the web is encrypted now through certain providers.
I don't have anything to hide, but I have a right to privacy.
Saw this ages ago on attrition; seems to fit well:
http://www.attrition.org/postal/dilbert_email.jpg
As long as what you do while the system is live is well documented, there is no issue when you finally pull the plug on the drive.
I understand what you mean about changing things, but it's not common sense that dd would change anything on the HDD during imaging. When you take a snapshot of the RAM on the live system you're also using an MD5 hash of the image before and after, which can be verified in court to show no tampering of the evidence from the infected host to your evidence locker.
Afterwards, when imaging the drive, you can also run MD5 on the HDD in question and then again on the image you collected using dd.
I know there are the collision issues with MD5 hashes, but it's still a far cry from saying the MD5 hashes match but the evidence is still tampered with.... Show me evidence that dd does indeed change things and I will reconsider this (I don't mean user error with dd either, as hashes will verify that mistake).
Take for instance the Slammer worm. The worm only stays in memory, so pulling the plug on a live system is pointless... You could get some amount of info from the swapfile (still doubtful), but you would have nothing to show it was infected to begin with.
I am fully aware Slammer was noisy as hell with traffic generation, but if it was something different you would be in trouble.
--
I would not just kill the machine yet either. As long as you document your findings and what you do to the system (with witnesses), you can do a few things first.
:)
On the live system you cannot trust anything, so a CD or other media containing your statically compiled investigation tools is needed.
You can use dd to make a bit-for-bit copy of RAM and pipe this through netcat to your forensics box, or cryptcat if sensitive info is on the compromised machine.
A good idea would also be to calculate an MD5 checksum for the image on either side of the netcat pipe to verify it's not messed up.
Then run lsof to check what ports are open and by what applications, and pull the plug out of the wall on the compromised host.
Then make sure the boot priority in the BIOS does not boot the HDD in question, run Knoppix or something like F.I.R.E, run MD5 on the drive, pipe it to your machine with nc, and then MD5 that image.
I know I missed something, but I am on the phone so I guess I will wait to get flamed
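The hash-on-both-ends acquisition that the two posts above describe (hash the dd stream on the sending side of the netcat pipe, hash the received image, and compare both with a hash of the source) written out as a runnable POSIX shell script. This is an added example and not code from either post: it uses a constructed sample file in place of /dev/mem or the disk, a local `tee` in place of the netcat pipe, and GNU `md5sum` as the hashing tool; those are the only assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts. Acquire with dd, hash the byte
# stream on the sending side and the image on the receiving side, and verify
# that both agree with a hash of the source. A constructed file stands in for
# the device; in a real run SRC is /dev/mem or /dev/sda, `tee "$img"` becomes
# `nc forensics-box 9999` on the compromised host, and the forensics box runs
# `nc -l 9999 | tee image.dd | md5sum` to hash what it received.

# Build a small constructed "device": one header line plus 4 zero-filled 512-byte sectors.
make_sample_device() {
  dev="$1"
  printf 'constructed sample evidence (not a real disk)\n' > "$dev"
  dd if=/dev/zero bs=512 count=4 2>/dev/null >> "$dev"
}

# Hex MD5 digest of a file (md5sum is GNU coreutils; the rest of the script is plain sh).
hash_of() {
  md5sum "$1" | cut -d' ' -f1
}

# acquire SRC IMG: dd the source, write the image (receiving side) and hash the exact
# bytes as they leave dd (sending side). Prints the sender-side digest.
# Note: no conv=noerror,sync here. On a failing disk you would add it, but then dd pads
# unreadable blocks, so the image hash is expected to differ from the device hash.
acquire() {
  src="$1"; img="$2"
  dd if="$src" bs=512 2>/dev/null | tee "$img" | md5sum | cut -d' ' -f1
}

# verify SRC IMG SENT_HASH: source digest, sent digest and received-image digest must all
# agree. Returns 0 and prints the digest, or returns 1 with the three values for the notes.
verify() {
  src_hash=$(hash_of "$1"); img_hash=$(hash_of "$2"); sent_hash="$3"
  if [ "$src_hash" = "$sent_hash" ] && [ "$sent_hash" = "$img_hash" ]; then
    echo "OK $src_hash"
    return 0
  fi
  echo "MISMATCH source=$src_hash sent=$sent_hash image=$img_hash" >&2
  return 1
}

# Full run: acquire and verify, then overwrite one byte of the image and confirm that
# verify reports the mismatch. Returns 0 only if both outcomes are as expected.
demo() {
  work=$(mktemp -d)
  make_sample_device "$work/dev"
  sent=$(acquire "$work/dev" "$work/dev.img")
  verify "$work/dev" "$work/dev.img" "$sent" || return 1
  # Tamper: replace byte 10 of the image with 'X' (simulates a damaged or altered copy).
  printf 'X' | dd of="$work/dev.img" bs=1 seek=10 conv=notrunc 2>/dev/null
  if verify "$work/dev" "$work/dev.img" "$sent" 2>/dev/null; then
    return 1   # tampering went undetected; must not happen
  fi
  rm -rf "$work"
  return 0
}

demo && echo "acquisition verified and tampering detected"
```

Two practical points the script makes explicit: for a RAM capture, "before and after" means hashing the stream as it is sent and again as received, not re-reading /dev/mem, because live memory changes between reads and the two device hashes would never match; and the sending-side digest should be recorded on the compromised host (written into the notes) rather than trusted only as it arrives over the same pipe. Swapping `md5sum` for `sha256sum` in `hash_of` and `acquire` is the only change needed to move off MD5.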
Well, this has happened a few times with reverse engineering... a new worm, or virus in this case, comes out... everyone takes it apart and comments on certain bits of the code.
:)
The creator reads it and releases his now corrected version a few hours later... or copycats, I guess
Though there is a real buzz when a new worm comes out and you can take it apart... I will never be as fast as any anti-virus vendors, but still entertaining nonetheless.
--
I'm sure most police forensics people have a copy of dd and netcat :)
After searching around I have still yet to find one example of an error going in Kerry's favour.
:)
I don't believe people are not looking... but something tells me that if (when) one is found, the media would be all over it.
I'm sure blackboxvoting.org would also report it the moment one is found... as they are trying to prove that electronic voting is just not accurate without decent auditing.
But it's not hard to see a trend that errors are always in favour of Bush; no wonder they are also looking into fraud.
Sort of makes you wonder how the Bush administration would have acted if the tables were turned this election...
I bet the issue would be dragged out in court the instant a report circulated about Kerry accidentally getting a few thousand votes in error
--
I would recommend Derek Duke gets a plane as far away from it as possible.
--
As well as over a million civilian tracking cameras :)
Gentoo is the only Linux distro I have used that impressed me enough to move a few machines from FreeBSD.
But at least the community is strong; I don't think this will have any effect on Gentoo's future.
___
Why not just a good PC and VMware?
With selling software for zero pounds to education, the various things like the EU suing, and now this... how much money could Microsoft afford to lose?
The way this is looking, they would not stand to last more than 5 or so years.
___
And I just finished bootstrapping and emerging an hour ago.
:)
Ah well, a few more hours won't hurt
---
I still doubt it even happened to be honest.
---
"I didn't do it... nobody saw me do it... can't prove anything" /me ducks
I'm saving for a wearable computer.... Then I will never have to leave Google again ;)
---
Probably would work sort of like this.
Mr Clippy
--
+5 Redundant
--
Will give it.
-5 Funny
--
Just hard to tell 200-odd users an hour to blow away their OS :)
They boot into Windows, get an RPC error and are told to restart... Checked the registry keys and msblast.exe has been found in a few.... Not sure if this will work, but using System Restore in safe mode and disabling DCOM could sort this out to get the patch.
Anyone who can think of a better solution?
The call centre here is off the scale with people ringing in with RPC problems...
All XP users though
Already asked them.... They won't give any details other than links back to the SCO website.
The employees could be playing ignorant, but SCO UK didn't seem to have a clue what was happening.
--
Looking at this in a positive way.... I can now wait and get a decent graphics card at Xmas.
---
Here is a green rabbit, rats and a few others.
Rabbit