The hard drive in my Compaq x86 workstation has been humming nicely for more than 5 years. Due to the nature of my work at the institute, the number of writes to the hard drive have easily exceeded 100000 during that time.
During which you weren't purchasing new drives for your machine.
I can see why hard drive manufacturers might like the idea of a limited-life-span device...
Why the negative spin? I kind-of like the idea of someone calling me in a panic having deleted an important file and me being able to recover it easily and get on to more interesting tasks.
If it is such a burden being unable to hide incriminating files, add a shred option to the recycle bin or context menu which will force the removal of previous versions as well. If anything, get rid of confirmation on deleting files if recovery is easy, and save the confirmation dialog for when someone right clicks a file and picks "shred".
Every disk gets full after about 1-1.5 month. It's an unbreachable law, true for every disk that sees some use.
I used to think this too. I still do, in 95% of cases. I think the problem is that we're used to disk capacities that require some management as to what is kept and what is not. When you go sufficiently overboard, it ceases to be a problem.
One thing I have noticed with three computers I work with (not true for the other dozens I work with), is that they actually have sufficient space. One I is used for web browsing only, and it has a 200GB. It has taken months to get to its current use (around 120GB) and has many more months to go. One is used as a server for a very specific app, has an 80GB drive and uses only 20GB, with another 100MB being added each month or so. Obviously there is some life left in that. The third is a general-purpose Unix machine in the midst of a whole bundle of other machines. It has a 200GB drive, with about 10GB in use. When we need a bucket of space, we use that one. By the time we need any space back, the current data is obsolete and can be deleted easily.
But take my main development machine. I could slap another x hundred gig in it and I'd use it all up in a month or two, and not be sure what to delete.
We are conditioned to selectively retain, backup, and delete data to remain within constraints. My point is that (IMHO) given enough space, eventually you'll reach a limit where you no longer fill the drive in a month or two. That limit may be in the hundreds of terrabytes for some people, so as a general rule we're not really seeing it.
If your aim is to hide the fact you are running on a virtual machine, you are quite correct. VMware may not be the best choice.
But calling for a "better emulator" because you are using a tool for a purpose outside of the one it was designed for is a bit rude. It's a bit like asking for a better spreadsheet than Excel because you are having trouble writing a book with it. Not quite the right tool for the job.
VMware does a nice job of hosting a guest operating system inside another. They don't try to hide the fact it is a virtual machine at all (check driver names, certain memory ranges, disk serials, presence of VMware tools, etc). I'd rather have the option of running at a decent speed without being burdened by the virtual machine going to great lengths to hide itself from the guest.
Having said that, having an optional toggle to turn on machine-hiding features would be really, really nice, and no doubt make the tool much more useful for hosting honeypot systems.
Now what I want to see is software that monitors the knocking and phones home to us if one of our users is smacking the crap out of one of our laptops, so we can spring in on them and catch them in the act. That would rock.
Exactly what I was thinking. This is a pretty weird combination of corps. I would've thought AMD would sooner buy nvidia than ATI.
I can understand the move now it has been made but I never would have guessed it. The dice fell badly for my particular combo. My dev machine has AMD for the value and nVidia for the Linux drivers. My laptop has Intel for the availability and ATI for the price. Whoops!
Thanks for that divide overflow.:) I knew if I mentioned that then someone with some more detailed info would back me up. 15 years ago, truly scary. I've never seen that chart before, that's pretty interesting too.
I'm sure when the tech guy came to set up his DSL, he wasn't thinking, "Oh man, I got to make sure my files are secure." I can't imagine that anyone would have this thought first and foremost every living second.
A previously unpaid writer who (basis of lawsuit) thinks that he may be coming into $2.7m soon due to his writing probably does have the scripts foremost in his mind. Unless of course he was distracted at that very moment wondering where the best place would be to procure some good coke and hookers. This isn't a matter of hindsight or forbidden techie knowledge. Hindsight is when you lose a couple of weeks work due to a destructive virus that you forgot to back up. Techie knowledge is knowing about regular backups and that computers can be unreliable. Having one copy of a (potentially) incredibly valuable script in a single location and mysteriously having no recent printouts to OCR or any backups of any sort (hard or soft) anywhere isn't just something you attribute to lacking hindsight or tech knowledge. That's just plain gross negligence or stupidity on his part. The point of my post is that he certainly wasn't acting consistently with someone who seriously believed that he was about to come into a healthy chunk of change.
Oh, and your comment on deleting from the recycle bin (assuming Windows) necessarily being malicious seems flawed. There may have been insufficient space on the drive and so the techie could have (stupidly) permanently deleted the file to make space.
The techie, assuming the charges are true, was a twit. And don't trust techies with valuable data- even if they are good they need to know that something is valuable and to protect it. That's as far as I can agree with you, I'm afraid. The rest, not so.
So he had scripts that might be worth $2.7m. And he kept the only copies of it on a laptop. And no printouts. Because a writer wouldn't want to print out his work in progress from time to time to proofread it. And no set of prior versions to revert to. What about the person offering $2.7m. Did they have at least part of a copy? That's a lot of money for something sight unseen. So he gives the laptop containing the one and only copy of a script potentially worth $2.7m to a techie? And when the techie says the files aren't needed and tries to delete the files, the writer doesn't immediately rip the damn thing out of his hands?
What's this guy do for fun, leave his sole copy of a million-dollar script sitting on the roof of his car when he gets it repaired and sues the mechanics if they lose it? Seriously.
I don't know about you, but the second someone suggests something I have is worth $2.7m, I go home, I get about 20 CDs, I burn copies of them and the backups. I buy a cheap safe and store some in there. I buy a lockbox, drop three copies in it, and store it at a trusted friends place. I conceal extra copies around my house or office in case I'm targeted. I print out what I have, and prior versions as proof that I developed the script should its ownership ever come into doubt. Some of those printouts go offsite.
Methinks the writer may have been just a teency, teency bit dishonest here. Maybe SBC and AT&T should have been hit for the costs of data recovery, but not much more. The vast majority of the fault was due to the writer.
Screen Capture. Sleep. Write. It will take forever, but you can cap all of the images and reproduce a 24-30FPS stream.
Run it overnight on a spare PC if need be. Some copyright infringers sell their wares, so someone will step up, sell it, and down the chain people will hand it out to their friends for free.
It'll probably reduce a lot of casual copying though.
The counter problem is that we have different religions that are willing to kill huge numbers of other humans if they are not a member of the same religion.
We have a relatively small number of people who are willing to cite their religion as justification for already-present murderous tendencies, and a small number of gullible people who have been brainwashed into believing that doing so is the right thing to do. Don't believe the vocal extremists who claim to represent the majority of a religion, and definitely do not heed people who try to convince you of this lie to suit their own dark agendas.
The world would be a darker, bloodier place than it is if we still had crusades. We do not. We have a small minority of extremist nutcases, and no religion has a monopoly on those.
How would you react if someone told you that your daily commute to work crossed several mine fields that are 99% deactivated? Would you continue to drive the same route or go around?
I would go around, of course. Even if someone told me they were 100% deactivated.
Having said that, if my profession was post-conflict landmine disposal I would be much more comfortable knowing that I had close to 1% chance of permanent disability if I screw up than if it was close to 100%. If I lived near a former minefield I would be more comfortable knowing that stepping on the wrong spot would kill me less than 1% of time. So even 99% deactivation is better than nothing.
Of course, taking my original idea further, the mines could be set to deactivate after a certain time or on clock fault unless they got a wakeup code. That might work better than a deactivation code.
Having said that, landmines are horrible, horrible things. If people positively must kill or destroy, I'd rather a conscious intelligence behind it rather than the decision being left to an automated trap.
Okay, I'm too late for a chair joke, so I guess I'll share my other thoughts.
Maybe Google are hiring away Microsofties in strategic positions, deliberately targeting those who have greater worth that their current compensation, partly to gain and partly to hurt Microsoft in a completely legal way?
They do have an advantage over Microsoft that they are probably playing to their advantage; ethically compared to Microsoft, Google are freaking angels.
The only thing that might stop a new virus is installed antivirus software, most of which you can get at Staples for $40 (the corporate edition might cost twice that). I wouldn't want to base my security model on "the attacker will be to lazy to go to the store".
The type of person who writes malware probably doesn't have much of an issue with just copying the software rather than paying.;) And for the people doing it professionally, I don't imagine $40 is a particularly expensive testbed, agreed.
As for new research, it doesn't matter at all - you can't install a college paper on your systems.
Quite true. I was thinking along the lines of a malware author developing software that almost nobody can find, which wasn't really the subject, so my mistake.
Sure, it'll take some work - but if it wasn't feasible we wouldn't hear about viruses any more.
We hear about a range of viruses, some fairly simple in function and some with capabilities designed to avoid specific products. I would say that for some viruses, the effort is made, and for others, it is not.
Right. After the attacker has *succeeded*, and infected a bunch of systems, then you can write a defense against it.
My point was that once it is out, damage is done to a number of systems, but given time someone will (may?) develop a means to detect it and stop it. Thus you need to achieve whatever purpose you set out for in the first hit before AV vendors start blocking you.
It'd be better to just get an OS patch out quickly.
Indeed, if your OS vendor supplies you with it in a timely fashion.;)
Yup. That's the reality of the attackers... not poor kids sitting in their parent's basements who can't drive to Staples because they don't have drivers licenses.
I'd say that there are both. Kiddies using virus toolkits, amateurs reversing exploits or rolling their own, and pros who are taking the time to do what they need to make a profit.
Right... but Antivirus software adds almost nothing that you couldn't get from reasonably quick OS patches.
Assuming you mean worms: Fast OS patches would certainly be nice, but occasionally a blackhat will find an exploit first. Yes, they should be handled by the OS, not a separate product. If you meant viruses: Viruses don't need exploits to spread, patches won't stop them. Blocking modification to executables in some intelligent way (that doesn't barf if you use a compiler) could work though.
AVs can sometimes clean up the mess caused by a virus or worm strike. They can pick up viruses in email attachments, or sitting in a new executable that you've just downloaded. They can often pick up known malware. They can contain generic tests to pick up some new malware. I'd argue they are still useful.
Having said that, when it comes to a new exploit, worm, or similar that it doesn't know about, or is actively hiding from, you're dead right, they don't do a damn thing.
Since the anti-virus software is available to the general public, the virus writers can test against it.
It'll always be possible to find something that the code won't detect. All anti-virus software does is adds another step to the virus development process.
Absolutely.
Having said that, you don't always have access to all versions of AV solutions (some do cost and a malware author might not find a warez version), and all research-in-progress at universities, AV labs, and whitehat/blackhat circles. Not all of it is available to the general public.
Also, even discounting the volume of software you don't have access to, finding a solution that requires reverse engineering multiple versions of multiple AV solutions is generally going to be a hard problem.
Also, just as one can examine AV code and find a way around it, once the exploit is out, one can examine it and find a weakness in the exploit.
Having said all that, once you put money behind the problem it becomes easier. Sure, defeating several dozen AV solutions is going to require a lot of work. But if you can sell off the victims computers for a commercial DDOS or blackmailing, set up spam bots, or collect credit card numbers, it suddenly becomes profitable. Once there is money behind it, you will find people who are willing to make that investment of time.
I've been telling people this for a while, mainly to blank stares; you cannot detect if you have a virus/keylogger/spyware on your system.... They only detect the known malware, but nobody knows about the undetected hacks.
Not true.
Many detection tools will look for specific signatures of known exploits. Thus this part of the detection will not detect anything else. We're in agreement up to this point.
However...
There are other means of detection. One can look to see if certain system calls have been hooked in some way, files placed in certain places, alternate calls to read the same file return different results, system behaviour typical of an exploit, so forth. Code sequences with known execution times can be run and if the results are too far off, you know something is up. Network traffic can be examined on the machine and passively tapped just off the machine, and the difference can be enlightening. Even if your malware author is a certified genius and masks every single possible activity (ha!), then how on earth are they going to hide the CPU power required to implement it? And so on and on...
I'd be surprised if there were many modern anti-malware utilities that didn't implement a few of the more basic generic checks. Your assertion is not true.
Heck, even in this case, bugs in the implementation of the virtualisation can be used to detect if we're running or not. Code sequences exist that can detect whether you're in a virtual machine by the subtle differences between a true machine and a virtual one. Look at VMware I/O addresses and drive IDs, for example. Any difference between the _huge_ interface between virtual machine and the real machine can potentially be tested for and used for detection.
Launch a watchdog application and let that watchdog application launch the real OS in a virtualized environment, as soon as a rootkit wants to fiddle
Or the watchdog could use a similar exploit to jump above the rootkit and look down to see what is running. If we're nested one level too deep then we've got a problem.
Assuming of course we can nest. If we can't, the failure to nest would show the problem.
Or you could always run something using heavy 3D, and if the CPU ignites then something's up.;)
I wish I could give my mod points away. I'm tired of being saddled with approving this garbage for the general public's consumption. Maybe I should start modding GNAA posts Insightful...
Find a Score:5 post that really doesn't deserve it but at first glance seems to. Mod it down as Troll. You'll get spanked in Metamod. Do this a few times and your mod point problem should go away. I've made the mistake of doing this once or twice, now I just reply to such posts rather than mod them.
Of course, it works modding down legit comments too, but in that case you're taking out an innocent at the same time and that's not cool.
Then again, you could just go into your prefs and disable the mod option. Preferences / Homepage (wtf?) / Willing to Moderate.
Personally, I like the Slashdot moderation system. It's far from ideal, but works much better than an small unaccountable elite whacking individual posts.
Well, the difference is we (speaking broadly here) would rather deal with a starving neighbor on a personal level through personal generosity and donations/gifts
Quite a lot of people share this worldview. However, far too many are quite content to let someone starve to death rather than go through the inconvenience of giving, especially when there is no obligation to do so. Enforcing it distributes the burden.
Could you see any government, for example, surviving solely on altruism from its constituents rather than taxes?
50 megs is a tad arbitrary. I think that 200~ish would be a better number...
I have DSL in my pocket right now. I didn't even realise it was there until I thought about it. The reason? It's on a business-card CD. In my wallet. Very, very convenient.
If I have my bag with me or I'm at home or work, I often have access to INSERT or Knoppix or something similar. But if I'm out and I get that penguin itch I can just reach into my pocket and voila, instant Linux boot on someone's machine.
I'm quite thankful there is a distribution that I can slip into my wallet.
Slashdot Mirror
The hard drive in my Compaq x86 workstation has been humming nicely for more than 5 years. Due to the nature of my work at the institute, the number of writes to the hard drive have easily exceeded 100000 during that time.
During which you weren't purchasing new drives for your machine.
I can see why hard drive manufacturers might like the idea of a limited-life-span device...
Why the negative spin? I kind-of like the idea of someone calling me in a panic having deleted an important file and me being able to recover it easily and get on to more interesting tasks.
If it is such a burden being unable to hide incriminating files, add a shred option to the recycle bin or context menu which will force the removal of previous versions as well. If anything, get rid of confirmation on deleting files if recovery is easy, and save the confirmation dialog for when someone right clicks a file and picks "shred".
Every disk gets full after about 1-1.5 month. It's an unbreachable law, true for every disk that sees some use.
I used to think this too. I still do, in 95% of cases. I think the problem is that we're used to disk capacities that require some management as to what is kept and what is not. When you go sufficiently overboard, it ceases to be a problem.
One thing I have noticed with three computers I work with (not true for the other dozens I work with), is that they actually have sufficient space. One I is used for web browsing only, and it has a 200GB. It has taken months to get to its current use (around 120GB) and has many more months to go. One is used as a server for a very specific app, has an 80GB drive and uses only 20GB, with another 100MB being added each month or so. Obviously there is some life left in that. The third is a general-purpose Unix machine in the midst of a whole bundle of other machines. It has a 200GB drive, with about 10GB in use. When we need a bucket of space, we use that one. By the time we need any space back, the current data is obsolete and can be deleted easily.
But take my main development machine. I could slap another x hundred gig in it and I'd use it all up in a month or two, and not be sure what to delete.
We are conditioned to selectively retain, backup, and delete data to remain within constraints. My point is that (IMHO) given enough space, eventually you'll reach a limit where you no longer fill the drive in a month or two. That limit may be in the hundreds of terrabytes for some people, so as a general rule we're not really seeing it.
If your aim is to hide the fact you are running on a virtual machine, you are quite correct. VMware may not be the best choice.
But calling for a "better emulator" because you are using a tool for a purpose outside of the one it was designed for is a bit rude. It's a bit like asking for a better spreadsheet than Excel because you are having trouble writing a book with it. Not quite the right tool for the job.
VMware does a nice job of hosting a guest operating system inside another. They don't try to hide the fact it is a virtual machine at all (check driver names, certain memory ranges, disk serials, presence of VMware tools, etc). I'd rather have the option of running at a decent speed without being burdened by the virtual machine going to great lengths to hide itself from the guest.
Having said that, having an optional toggle to turn on machine-hiding features would be really, really nice, and no doubt make the tool much more useful for hosting honeypot systems.
Now what I want to see is software that monitors the knocking and phones home to us if one of our users is smacking the crap out of one of our laptops, so we can spring in on them and catch them in the act. That would rock.
Exactly what I was thinking. This is a pretty weird combination of corps. I would've thought AMD would sooner buy nvidia than ATI.
I can understand the move now it has been made but I never would have guessed it. The dice fell badly for my particular combo. My dev machine has AMD for the value and nVidia for the Linux drivers. My laptop has Intel for the availability and ATI for the price. Whoops!
I'm looking at my AMD/nVidia dev machine and my Intel/ATI laptop and I'm thinking... oh crap.
Thanks for that divide overflow. :) I knew if I mentioned that then someone with some more detailed info would back me up. 15 years ago, truly scary. I've never seen that chart before, that's pretty interesting too.
I'm sure when the tech guy came to set up his DSL, he wasn't thinking, "Oh man, I got to make sure my files are secure." I can't imagine that anyone would have this thought first and foremost every living second.
A previously unpaid writer who (basis of lawsuit) thinks that he may be coming into $2.7m soon due to his writing probably does have the scripts foremost in his mind. Unless of course he was distracted at that very moment wondering where the best place would be to procure some good coke and hookers. This isn't a matter of hindsight or forbidden techie knowledge. Hindsight is when you lose a couple of weeks work due to a destructive virus that you forgot to back up. Techie knowledge is knowing about regular backups and that computers can be unreliable. Having one copy of a (potentially) incredibly valuable script in a single location and mysteriously having no recent printouts to OCR or any backups of any sort (hard or soft) anywhere isn't just something you attribute to lacking hindsight or tech knowledge. That's just plain gross negligence or stupidity on his part. The point of my post is that he certainly wasn't acting consistently with someone who seriously believed that he was about to come into a healthy chunk of change.
Oh, and your comment on deleting from the recycle bin (assuming Windows) necessarily being malicious seems flawed. There may have been insufficient space on the drive and so the techie could have (stupidly) permanently deleted the file to make space.
The techie, assuming the charges are true, was a twit. And don't trust techies with valuable data- even if they are good they need to know that something is valuable and to protect it. That's as far as I can agree with you, I'm afraid. The rest, not so.
From the article:
Thomas said it's too early to discuss whether WinFS would make an appearance in future versions of Windows.
And how often have we heard rumours of WinFS appearing in the next Windows OS?
So he had scripts that might be worth $2.7m. And he kept the only copies of it on a laptop. And no printouts. Because a writer wouldn't want to print out his work in progress from time to time to proofread it. And no set of prior versions to revert to. What about the person offering $2.7m. Did they have at least part of a copy? That's a lot of money for something sight unseen. So he gives the laptop containing the one and only copy of a script potentially worth $2.7m to a techie? And when the techie says the files aren't needed and tries to delete the files, the writer doesn't immediately rip the damn thing out of his hands?
What's this guy do for fun, leave his sole copy of a million-dollar script sitting on the roof of his car when he gets it repaired and sues the mechanics if they lose it? Seriously.
I don't know about you, but the second someone suggests something I have is worth $2.7m, I go home, I get about 20 CDs, I burn copies of them and the backups. I buy a cheap safe and store some in there. I buy a lockbox, drop three copies in it, and store it at a trusted friends place. I conceal extra copies around my house or office in case I'm targeted. I print out what I have, and prior versions as proof that I developed the script should its ownership ever come into doubt. Some of those printouts go offsite.
Methinks the writer may have been just a teency, teency bit dishonest here. Maybe SBC and AT&T should have been hit for the costs of data recovery, but not much more. The vast majority of the fault was due to the writer.
Screen Capture. Sleep. Write. It will take forever, but you can cap all of the images and reproduce a 24-30FPS stream.
Run it overnight on a spare PC if need be. Some copyright infringers sell their wares, so someone will step up, sell it, and down the chain people will hand it out to their friends for free.
It'll probably reduce a lot of casual copying though.
The counter problem is that we have different religions that are willing to kill huge numbers of other humans if they are not a member of the same religion.
We have a relatively small number of people who are willing to cite their religion as justification for already-present murderous tendencies, and a small number of gullible people who have been brainwashed into believing that doing so is the right thing to do. Don't believe the vocal extremists who claim to represent the majority of a religion, and definitely do not heed people who try to convince you of this lie to suit their own dark agendas.
The world would be a darker, bloodier place than it is if we still had crusades. We do not. We have a small minority of extremist nutcases, and no religion has a monopoly on those.
How would you react if someone told you that your daily commute to work crossed several mine fields that are 99% deactivated? Would you continue to drive the same route or go around?
I would go around, of course. Even if someone told me they were 100% deactivated.
Having said that, if my profession was post-conflict landmine disposal I would be much more comfortable knowing that I had close to 1% chance of permanent disability if I screw up than if it was close to 100%. If I lived near a former minefield I would be more comfortable knowing that stepping on the wrong spot would kill me less than 1% of time. So even 99% deactivation is better than nothing.
Of course, taking my original idea further, the mines could be set to deactivate after a certain time or on clock fault unless they got a wakeup code. That might work better than a deactivation code.
Having said that, landmines are horrible, horrible things. If people positively must kill or destroy, I'd rather a conscious intelligence behind it rather than the decision being left to an automated trap.
I have an idea for a landmine feature. How about the ability to remotely turn them off when a conflict is over so we don't have to deal with this?
Or just not make the cursed things to start with?
Okay, I'm too late for a chair joke, so I guess I'll share my other thoughts.
Maybe Google are hiring away Microsofties in strategic positions, deliberately targeting those who have greater worth that their current compensation, partly to gain and partly to hurt Microsoft in a completely legal way?
They do have an advantage over Microsoft that they are probably playing to their advantage; ethically compared to Microsoft, Google are freaking angels.
The only thing that might stop a new virus is installed antivirus software, most of which you can get at Staples for $40 (the corporate edition might cost twice that). I wouldn't want to base my security model on "the attacker will be to lazy to go to the store".
;) And for the people doing it professionally, I don't imagine $40 is a particularly expensive testbed, agreed.
;)
The type of person who writes malware probably doesn't have much of an issue with just copying the software rather than paying.
As for new research, it doesn't matter at all - you can't install a college paper on your systems.
Quite true. I was thinking along the lines of a malware author developing software that almost nobody can find, which wasn't really the subject, so my mistake.
Sure, it'll take some work - but if it wasn't feasible we wouldn't hear about viruses any more.
We hear about a range of viruses, some fairly simple in function and some with capabilities designed to avoid specific products. I would say that for some viruses, the effort is made, and for others, it is not.
Right. After the attacker has *succeeded*, and infected a bunch of systems, then you can write a defense against it.
My point was that once it is out, damage is done to a number of systems, but given time someone will (may?) develop a means to detect it and stop it. Thus you need to achieve whatever purpose you set out for in the first hit before AV vendors start blocking you.
It'd be better to just get an OS patch out quickly.
Indeed, if your OS vendor supplies you with it in a timely fashion.
Yup. That's the reality of the attackers... not poor kids sitting in their parent's basements who can't drive to Staples because they don't have drivers licenses.
I'd say that there are both. Kiddies using virus toolkits, amateurs reversing exploits or rolling their own, and pros who are taking the time to do what they need to make a profit.
Right... but Antivirus software adds almost nothing that you couldn't get from reasonably quick OS patches.
Assuming you mean worms: Fast OS patches would certainly be nice, but occasionally a blackhat will find an exploit first. Yes, they should be handled by the OS, not a separate product. If you meant viruses: Viruses don't need exploits to spread, patches won't stop them. Blocking modification to executables in some intelligent way (that doesn't barf if you use a compiler) could work though.
AVs can sometimes clean up the mess caused by a virus or worm strike. They can pick up viruses in email attachments, or sitting in a new executable that you've just downloaded. They can often pick up known malware. They can contain generic tests to pick up some new malware. I'd argue they are still useful.
Having said that, when it comes to a new exploit, worm, or similar that it doesn't know about, or is actively hiding from, you're dead right, they don't do a damn thing.
Since the anti-virus software is available to the general public, the virus writers can test against it.
It'll always be possible to find something that the code won't detect. All anti-virus software does is adds another step to the virus development process.
Absolutely.
Having said that, you don't always have access to all versions of AV solutions (some do cost and a malware author might not find a warez version), and all research-in-progress at universities, AV labs, and whitehat/blackhat circles. Not all of it is available to the general public.
Also, even discounting the volume of software you don't have access to, finding a solution that requires reverse engineering multiple versions of multiple AV solutions is generally going to be a hard problem.
Also, just as one can examine AV code and find a way around it, once the exploit is out, one can examine it and find a weakness in the exploit.
Having said all that, once you put money behind the problem it becomes easier. Sure, defeating several dozen AV solutions is going to require a lot of work. But if you can sell off the victims computers for a commercial DDOS or blackmailing, set up spam bots, or collect credit card numbers, it suddenly becomes profitable. Once there is money behind it, you will find people who are willing to make that investment of time.
It's basically an arms race.
I've been telling people this for a while, mainly to blank stares; you cannot detect if you have a virus/keylogger/spyware on your system .... They only detect the known malware, but nobody knows about the undetected hacks.
Not true.
Many detection tools will look for specific signatures of known exploits. Thus this part of the detection will not detect anything else. We're in agreement up to this point.
However...
There are other means of detection. One can look to see if certain system calls have been hooked in some way, files placed in certain places, alternate calls to read the same file return different results, system behaviour typical of an exploit, so forth. Code sequences with known execution times can be run and if the results are too far off, you know something is up. Network traffic can be examined on the machine and passively tapped just off the machine, and the difference can be enlightening. Even if your malware author is a certified genius and masks every single possible activity (ha!), then how on earth are they going to hide the CPU power required to implement it? And so on and on...
I'd be surprised if there were many modern anti-malware utilities that didn't implement a few of the more basic generic checks. Your assertion is not true.
Heck, even in this case, bugs in the implementation of the virtualisation can be used to detect if we're running or not. Code sequences exist that can detect whether you're in a virtual machine by the subtle differences between a true machine and a virtual one. Look at VMware I/O addresses and drive IDs, for example. Any difference between the _huge_ interface between virtual machine and the real machine can potentially be tested for and used for detection.
Launch a watchdog application and let that watchdog application launch the real OS in a virtualized environment, as soon as a rootkit wants to fiddle
;)
Or the watchdog could use a similar exploit to jump above the rootkit and look down to see what is running. If we're nested one level too deep then we've got a problem.
Assuming of course we can nest. If we can't, the failure to nest would show the problem.
Or you could always run something using heavy 3D, and if the CPU ignites then something's up.
I wish I could give my mod points away. I'm tired of being saddled with approving this garbage for the general public's consumption. Maybe I should start modding GNAA posts Insightful...
Find a Score:5 post that really doesn't deserve it but at first glance seems to. Mod it down as Troll. You'll get spanked in Metamod. Do this a few times and your mod point problem should go away. I've made the mistake of doing this once or twice, now I just reply to such posts rather than mod them.
Of course, it works modding down legit comments too, but in that case you're taking out an innocent at the same time and that's not cool.
Then again, you could just go into your prefs and disable the mod option. Preferences / Homepage (wtf?) / Willing to Moderate.
Personally, I like the Slashdot moderation system. It's far from ideal, but works much better than an small unaccountable elite whacking individual posts.
"had my rear legitimately handed to me"
:P
I do not think that phrase means what you think it means.
Dude, "that penguin itch"? I think you may have a problem.
I can quit any time I want to. *clutches DSL business card CD and looks around nervously*
Well, the difference is we (speaking broadly here) would rather deal with a starving neighbor on a personal level through personal generosity and donations/gifts
Quite a lot of people share this worldview. However, far too many are quite content to let someone starve to death rather than go through the inconvenience of giving, especially when there is no obligation to do so. Enforcing it distributes the burden.
Could you see any government, for example, surviving solely on altruism from its constituents rather than taxes?
50 megs is a tad arbitrary. I think that 200~ish would be a better number...
I have DSL in my pocket right now. I didn't even realise it was there until I thought about it. The reason? It's on a business-card CD. In my wallet. Very, very convenient.
If I have my bag with me or I'm at home or work, I often have access to INSERT or Knoppix or something similar. But if I'm out and I get that penguin itch I can just reach into my pocket and voila, instant Linux boot on someone's machine.
I'm quite thankful there is a distribution that I can slip into my wallet.