Slashdot Mirror


User: shird

shird's activity in the archive.

Stories: 0
Comments: 666

Comments · 666

  1. Re:old skool trick on Online Search Engines Lift Cover Of Privacy · · Score: 1

    The actual search string as taken from fravia's site:

    "http://*:*@www" supermodeltits

    Doesn't seem to work well with all keywords though.

  2. old skool trick on Online Search Engines Lift Cover Of Privacy · · Score: 4, Insightful

    An old trick I used to do was searching for something along the lines of

    "http://*:*@" member

    and you would get a bunch of sites with direct links into passworded member sites. Microsoft will put a stop to this with their latest update to IE however.

  3. googledorks on Online Search Engines Lift Cover Of Privacy · · Score: 1

    googleDork (gOO gol'Dork) noun 1. Slang. An inept or foolish person as revealed by Google.

    Wouldn't that mean the people with the sensitive information on the net are the googledorks, and not the people doing the searches?

    If you are going to link to the definition, at least read it.

  4. Re:11gb? on Dealing With Copyright Online: Porn v. Music · · Score: 1

    If you consider there's a lot of VCD-type encoded pornos which span 2 CDs, that's 1 GB or so a movie (admittedly not very well encoded).

    So that's only 100 skin flicks - quite a few, but for a movie pirate burning and selling pirate porn, pretty believable.

  5. Re:Illogical on Red Hat to Release Enhanced-Security Linux · · Score: 1

    The user does not have to supply the password, the trojan should be able to do all the above without root access.

    Just the same as under windows with the admin/user accounts.

    I was just showing that the trojan could even get root access if it wanted to - with the amount of local root exploits it probably wouldn't even need a password. Windows however has very few local root exploits because it doesn't use setuid.

  6. Re:Invulnerable to MyDoom type virii? on Red Hat to Release Enhanced-Security Linux · · Score: 1

    Actually the problem is probably worse under Linux than windows. Because of setuid programs, there are a lot more local root exploits under Linux than windows (which has very few, due to no concept of setuid root).

    Therefore, a Linux virus could 'get root' under a normal user account a hell of a lot easier than one could under Windows. With root access, a virus then becomes a lot more serious.

  7. Re:Invulnerable to MyDoom type virii? on Red Hat to Release Enhanced-Security Linux · · Score: 1

    The same can be done with a securely coded mail client and correct user account under windows.

    But for ease of use, and pressure to have admin privs, you have this insecure situation under Windows. The same will be true of Linux if it were to go mainstream.

  8. Re:Invulnerable to MyDoom type virii? on Red Hat to Release Enhanced-Security Linux · · Score: 1

    And I suppose the Linux kernel is what's stopping that from happening?

    I could write a mail client under windows which doesn't execute attachments when you click on them, and requires you to save the file to disk and rename it to execute, therefore windows is also secure!

    I could write a client under Linux which sets the execute bit and runs attachments when you click on them, therefore Linux is insecure!

    bah.

  9. Re:Invulnerable to MyDoom type virii? on Red Hat to Release Enhanced-Security Linux · · Score: 1

    So it won't succeed because it is a pain in the arse to run anything under Linux?

    What you're saying is basically Linux is too difficult to use for a user to spread viruses under. I can see this changing over time however.

  10. Re:Invulnerable to MyDoom type virii? on Red Hat to Release Enhanced-Security Linux · · Score: 3, Insightful

    You should already be running your mail client under windows without admin privs, which achieves the same thing. However:

    I suppose non-root users can't send e-mail? After all, that is a major component of what the mydoom virus does.

    And I suppose non-root users can't listen on a port for incoming instructions to execute? Or run a proxy server on a non-privileged port?

    And will it stop a trojan which asks 'Root password needed to continue:' and then proceeds to use it to screw your system? If users are dumb enough to run arbitrary code, they will be more than happy to supply a root password.

    Linux is no more secure than windows against trojans.

  11. Changing the picture on Google Traffic Takes Down Web Site · · Score: 2, Interesting

    Wouldn't it have been more fun to have changed the pictures? I thought google actually stored the thumbnails and served them up.

    If not, there are various protections you can use to prevent the image being shown on another server (using the referrer is one, not particularly robust/compatible, method). Many free websites use this method.

    If google doesn't store the thumbnail, then it is not the google servers hammering them (as the site claims) but all the users doing the search. Thus it is irrelevant how many servers google has.

  12. Re:wow! on Darl Goes to Harvard · · Score: 1

    So somehow using Linux means you don't have an e-mail address... Here's a hint, 'impacted' does not mean 'infected' - it means that you are affected in some way (ie - an inbox full of crap).

  13. Re:Why go half way? on Microsoft Advises to Type in URLs Rather than Click · · Score: 1, Funny

    Shouldn't that be port 443 (https) for maximum security? Of course, doing 2048 bit crypto in your head isn't the easiest of things.

  14. Re:Any spyware? on Real Launches New Player, Music Store · · Score: 1

    Or simply don't make a free player if you aren't willing to play nice.

    Or at the very least, don't advertise it to people not interested in such crap.

  15. Trusted software on Windows XP SP2 Beta Reviewed · · Score: 1

    From the ICF screenshot when a program attempts to open a port:

    "Some software can be harmful. Only allow software from publishers you trust to accept online connections"

    Hmm... If you don't trust the software, why the hell are you running it in the first place? IMHO this may prevent a lot of spyware crap, but the real solution is to not run the programs in the first place. Technically, the 'programs' (spyware) can just disable the ICF feature when run (if running as admin).

    On the other hand, if not run as admin, they couldn't disable the ICF and this feature should be quite useful.

  16. Re:I wanted a Linux Annoyances paperback book on PC Annoyances · · Score: 1

    Windows uses some COM, but mostly it uses shared and static libraries just like Linux. I guess the equivalent to glibc would be msvcrt.dll (Visual C Runtime Library), and this is just a DLL with a bunch of exported APIs just like glibc.

    The C runtime and just about every other implementation has just been done a lot better under Windows. It has been designed by professionals with backwards compatibility in mind. Frankly I don't know how Linux users actually get anything done with the amount of fucking around that OS requires to just run properly.

  17. Re:wow on Mozilla Thunderbird 0.4 Released · · Score: 0, Offtopic

    How is that a "bad" comment though? Sarcastic yes, and poking fun at the joke of a desktop OS that is Linux, but not necessarily bad.

    The only people that would think of that as bad are Linux apologists who are trying to ignore the fact that even though most basic features of an operating system/windowing environment/general computing environment do not exist in Linux. (note that it shouldn't be up to the Mail client to implement this feature, it should be a single line API call to the OS)

  18. Re:Citizen's arrest on California Makes Recording in Cinema a Crime · · Score: 1

    Except the person seeing them do that has already paid to see the movie. In theory, they have paid a higher price because of the bootlegger too.

    So I don't see this as an incentive to not report them. If they have the money to throw around on the ridiculous cost of movies, and wanted to watch it in the cinema rather than a poor cam job, then I'm sure they would rather the DVD anyway.

  19. Re:Ever *truly* Anonymous? on Japanese P2P Users Arrested, Creator Targeted · · Score: 4, Informative

    Ever heard of onion routing? Look it up.

    Basically, there is no source and destination, just a bunch of message passing between random nodes, the 'destination' just keeps an eye out for something that belongs to them. Put very basically. There's a bunch of asymmetric crypto involved also. Look it up for more details.

  20. Re:Er, k.. on Microsoft Messenger Architect On The Future Of IM · · Score: 2, Insightful

    Wouldn't it be easier to just read the article?

  21. Re:What if a node goes down? on Better Than Bit Torrent, For Internet2 Users? · · Score: 1

    And what about when the last seed dies? The problem with BT is you can only get stuff that is popular and current - there will nearly always be a bunch of people that only manage to get half the file and never be able to get the rest.

    It mostly works for the moment, because people leave their torrents open while they download through the night, so the upload/download ratio becomes almost even (required for the economics of a p2p infrastructure to work).

    Once clients get developed which stop sharing once a torrent has completed, and become popular, BT will die a miserable death. It is the same with all p2p apps, the new ones always seem good, because there are few abusers at first.

  22. Re:Richest spammers could afford to handle replies on Attacking the Spammer Business Model · · Score: 1

    No, I see the point. The parent poster was talking about DDoSing the machines - I was explaining why _that_ wouldn't work.

  23. Re:Richest spammers could afford to handle replies on Attacking the Spammer Business Model · · Score: 4, Informative

    Because they are often hosted on unsuspecting people's hijacked machines, through worms and trojans etc. They are often only compromised for a short period of time, just enough to gather a few dozen responses. So there is no point in attacking these machines, they aren't going to be sticking around for long anyway, and don't even belong to the spammer.

  24. Re:My Dog Has Fleas on New Wireless Security Standard Has Old Problem? · · Score: 1

    I know how to spell unlikely. Did you notice how close the u and i keys are together on the keyboard?

  25. Re:My Dog Has Fleas on New Wireless Security Standard Has Old Problem? · · Score: 4, Informative

    Actually, a dictionary attack is inlikely to break 'My Dog has Fleas' because it is composed of multiple words, is fairly long, and has mixed case. Dictionary attacks typically involve just one or possibly two words strung together. Any more and it becomes pretty impractical.

    The only practical way to find that password is through brute force. In this scenario, the longer the password and more possible different characters (ie lowercase and uppercase, and spaces) makes it more difficult. Thus, 'My Dog has Fleas' would be more secure than 'mdhfaymdt' against a brute force attack. The latter could be broken in a matter of hours through brute force.