Yes that's correct - by definition a trojan is malicious software disguised as legitimate software. But what's your point? Who said there was a "security issue" with Mac?
90% of the problems on Windows are attributed to users installing malicious software. This is what Mac users go about claiming they are immune to, which is ridiculous.
Claiming to be immune to trojans is like claiming your OS is incapable of running software that can send an e-mail; after all, that is all some trojans do (i.e. spam bots).
That's also assuming any combination of letters would make a valid word. If you were to use a dictionary and made combinations from that it would be a lot smaller.
"the namespace as every day has a different unique namespace of 50,000 domains"
Yes, I am aware of that. But it still increases the number of domains watched over time. I.e. if the update was guaranteed to be on the first day, then they would just have to register those 50,000 domains to prevent the author from doing it, or put watches on those domains and investigate everyone who registers them. But if it's unknown what day it will occur, then they have to watch a different set of 50,000 for every potential future day it may occur on. That's a lot more domains they have to investigate/register/watch over time and for future possible dates.
E.g. if it costs $1 for every domain watched/investigated, then it will cost a lot more (read: be less practical to catch them out) the longer the author waits to do an update. An update on the first day would cost $50,000. An update after a few months could cost investigators $4,500,000+ to watch out for them.
April 1st is when the worm will *start* looking for updates. It will continue looking from that date on, with a different set of domains each day. So there is no reason why the authors would register one of the domains and put out an update on the first day. If anything, they would wait a while to increase the number of domains security researchers have to watch out for. Also, the authors may not have any reason to update it just yet - it seems to be quite successful in its current iteration. They may be waiting for a buyer to purchase a block of the botnet for example.
They use a huge number to make it impossible for people to put a watch-list on every domain. 50,000 per day, over months, is a number too large to watch every domain. People are anxious about April 1st, but that's unlikely to be when an update occurs. That's just when the worm starts looking for updates. An update is more likely to come much later, or whenever they require pushing out a spambot etc.
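As an added illustration of the watch-list argument in the comments above (example code written here, not the commenter's and not Conficker's actual algorithm): a toy date-seeded domain generator, the defender-side watch list it forces, the $1-per-domain cost model from the comment, and a check of DNS query logs against that list. The seed, label format, log line format and all log lines are constructed for this example.

```python
import datetime as dt
import hashlib

# Constructed toy generator: NOT Conficker's real algorithm. It only models the
# property the comments rely on: a fresh set of `count` domains for every day.
TOY_SEED = b"toy-seed"             # assumption: a fixed seed known to the analyst
TLDS = ("com", "net", "org")
START = dt.date(2009, 4, 1)        # the date the comments discuss


def daily_domains(day: dt.date, count: int, seed: bytes = TOY_SEED) -> list:
    """Derive `count` deterministic domains for one calendar day."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:10])
        domains.append(f"{label}.{TLDS[h[10] % len(TLDS)]}")
    return domains


def build_watchlist(start: dt.date, days: int, per_day: int) -> dict:
    """Defender side: precompute every domain for `days` consecutive days.
    The list grows linearly with the number of days that must be covered."""
    watchlist = {}
    for offset in range(days):
        day = start + dt.timedelta(days=offset)
        for domain in daily_domains(day, per_day):
            watchlist[domain] = day
    return watchlist


def watchlist_cost(days: int, per_day: int, cost_per_domain: float = 1.0) -> float:
    """The comment's $1-per-domain model: cost of covering `days` days."""
    return days * per_day * cost_per_domain


def flag_queries(log_lines, watchlist) -> list:
    """Match DNS query logs against the watch list.
    Constructed log format: '<timestamp> <client_ip> query <qname>'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4 or fields[2] != "query":
            continue
        qname = fields[3].rstrip(".").lower()
        if qname in watchlist:
            hits.append((fields[1], qname, watchlist[qname]))
    return hits


# Small watch list so the example runs quickly: 7 days x 100 domains.
WATCHLIST = build_watchlist(START, 7, 100)

# Constructed sample log: one query for a day-3 domain among benign traffic.
SAMPLE_LOG = [
    "2009-04-04T10:00:01 10.0.0.5 query www.example.com.",
    "2009-04-04T10:00:02 10.0.0.5 query "
    + daily_domains(START + dt.timedelta(days=3), 100)[7] + ".",
    "2009-04-04T10:00:03 10.0.0.9 query mail.example.org.",
]

if __name__ == "__main__":
    for client, qname, day in flag_queries(SAMPLE_LOG, WATCHLIST):
        print(f"{client} queried {qname} (generated for {day})")
    print("cost, day 1 only:", watchlist_cost(1, 50_000))
    print("cost, 90 days:", watchlist_cost(90, 50_000))
```

With the comment's numbers, covering only the first day costs $50,000 while covering 90 days costs $4,500,000, which is the point being made: the longer the update is delayed, the larger the list a defender must register or monitor.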
You only need a subset to connect to the rendezvous domain. The worm keeps a list of the last 100 or so IPs that are confirmed to be infected. It then pushes out the update to them. So 1% is actually an ideal number (i.e. 1 in 100). These guys are quite smart, and are using the latest crypto algorithms, published just weeks before the worm had the update, so they know their stuff.
I just hope they also go after the affiliates, and make them pay. These are the guys creating the trojans and viruses infecting millions of people. Even if Traffic Converter goes down, they are still sitting on many millions of ill-gotten gains and shouldn't be allowed to get away with that. They will just move on to TrafficConverter3.biz and do it again.
Traffic Converter have a note on their site www.trafficconverter2.biz:
On March 18th, in the evening, with no warnings, the German Merchant Processing was cut off. Merchant was at the bank personally (without intermediaries), proved and with the arrangements on the highest level. Up until now the bank was not replying to our inquiries, but finally we received answers from them: your Merchant was blocked and the account frozen until the determination of the facts. According to unofficial channels, we have been able to ascertain the following:
"I am sorry to inform you that both VISA and MC have done a surprise on-site visit at the offices in Frankfurt. They are actually there as we speak.
They have instructed WC to freeze your account until further notice, and both of these companies have different reasons for doing so:
VISA: they want to investigate where all the volume comes from.
MC: high CBs the past few days."
This is an absolutely unprecedented case in which two of the largest payment systems have called for the Merchant to be blocked. We also have reason to believe that the situation was caused by the recent publication about us and our products in the Washington Post:
http://voices.washingtonpost.com/securityfix/
There are, as you can see, some very serious accusations, including the relation to Conficker, which we actually are not implicated with (and can prove it if necessary).
As a result of this situation:
- No money to pay;
- No capacity to process products (not because we're not working, but because no processor can endure this volume);
- There is a chance of getting ourselves prosecuted and letting down Webmasters.
So, the decision was made to default and shut down the Traffic Converter. In case we resolve this issue and manage to get the money refunded from the bank, we will pay off all debts to you as quickly as possible.
If we manage to get the stable traffic conversions we have demonstrated during the year and a half, we will contact you on an individual basis.
Thanks to everyone for successful business cooperation.
From http://mtc.sri.com/Conficker/
* Connection 1: 81.23.XX.XX - Kyivstar.net, Kiev, Ukraine
* Connection 2: 200.68.XX.XXX - Alternativagratis.com, Buenos Aires, Argentina
The implications of these connections are as follows. The systems that performed these connections employed applications that computed a set of Conficker A domain names. However, these systems employed the Conficker B URL string request, which Conficker A victims are incapable of producing. Furthermore, Conficker B victims include a trigger to prevent connections to any Internet rendezvous points prior to 1 January 2009. This temporal trigger, along with the targeting of a Conficker A domain, indicates that these victims cannot be running B. Thus, these connections must either be associated with a hand-generated request with awareness of variant B's URL format, or a variant application that combined both functions with A and B, i.e., a hybrid test application. The Kiev Ukraine geolocation of connection 1 offers further potential interest because Kiev is also associated as a registered location of Baka Software (baka.kiev.ua).
Is it that difficult to get a warrant and a search for these guys? It seems pretty obvious to me they are responsible.
They don't have to keep a database of those used. They can just keep a counter, and allocate out ranges to other stores etc. Just like MAC addresses - all addresses are valid, but there is no central db and nobody keeping a db of all allocated, just a db of ranges and a counter. They would only need to track the use of a card on its first use.
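As an added example (my own sketch, not the commenter's or any card issuer's system) of the counter-plus-ranges scheme described above: a central counter hands out contiguous ranges, each store issues IDs sequentially from its range, and the only per-card record kept is the one the comment says is needed, the first use. Store names and range sizes are made up.

```python
class Issuer:
    """Central authority: a single counter plus a small table of allocated
    ranges (who got which block), like MAC address prefixes. No per-card table."""

    def __init__(self):
        self.next_id = 1
        self.ranges = []          # (start, end_exclusive, holder)

    def allocate(self, holder: str, size: int) -> tuple:
        start = self.next_id
        self.next_id += size
        self.ranges.append((start, self.next_id, holder))
        return (start, self.next_id)

    def owner_of(self, card_id: int):
        """Validity check is an interval lookup, not a database of every card."""
        for start, end, holder in self.ranges:
            if start <= card_id < end:
                return holder
        return None


class Store:
    """A store issues cards sequentially from the range it was given."""

    def __init__(self, name: str, allocated: tuple):
        self.name = name
        self.cursor, self.end = allocated

    def issue(self) -> int:
        if self.cursor >= self.end:
            raise RuntimeError(f"{self.name}: range exhausted, request a new block")
        card_id = self.cursor
        self.cursor += 1
        return card_id


class ActivationLedger:
    """The one record that must be kept: which IDs have already been used once.
    Catches both never-allocated IDs and a second activation of the same ID."""

    def __init__(self, issuer: Issuer):
        self.issuer = issuer
        self.activated = set()

    def activate(self, card_id: int) -> str:
        if self.issuer.owner_of(card_id) is None:
            return "unknown"               # never allocated to any store
        if card_id in self.activated:
            return "already_activated"     # duplicate or copied card
        self.activated.add(card_id)
        return "activated"


if __name__ == "__main__":
    issuer = Issuer()
    store_a = Store("store-a", issuer.allocate("store-a", 1000))
    ledger = ActivationLedger(issuer)
    card = store_a.issue()
    print(card, ledger.activate(card), ledger.activate(card), ledger.activate(999_999))
```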
I just waited in queue for 5 minutes or so, only to be taken to a 'download plugin' page, which probably isn't compatible with my browser Opera.
I don't get it, this game requires a plugin to play? If you require players to download and run client-side non-sandboxed code, why not just have a standalone client rather than playing through your web browser?
It's a .msi installer too, so it probably requires admin access. So what's the point of this?
Opera's statement that 'bundling leads to market share' is true though, not "provably false". Bundling certainly does lead to market share, IE would probably have very little otherwise, but due to bundling has 70% or so. With no bundling whatsoever, people would be forced to choose a browser they want to use, rather than being able to use the default and not have to choose.
You could also avoid the use of a challenge/response by combining it with login delays. This way, first logins don't require a challenge/response (and therefore they don't require the use of JavaScript), but 2nd/3rd/4th attempts either require a 5/10/20 minute delay, or the delay can be bypassed by using a challenge/response.
This way people without JavaScript can still log in without problem. It just means victims of a DoS may have to use a JavaScript-enabled client to get around any delay an attacker may have caused, which shouldn't be much of an issue. The worst DoS damage an attacker can cause is forcing a user to use a JavaScript-enabled client.
This is a good approach; I believe Yahoo were/are using this. The server includes a random challenge as part of the login page, and the client processes the challenge by repeatedly performing MD5 operations in JavaScript with the challenge until it finds a suitable match (see hashcash). The client must include the calculated "answer" as part of the login.
This prevents a script from running across millions of accounts and also helps to prevent a DoS against the server itself and not just the accounts. It has issues with clients with JavaScript disabled or fast/slow PCs, however.
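An added illustration of the two comments above (example code written here, not Yahoo's implementation and not the commenter's): a hashcash-style MD5 challenge that the client must solve, combined with the escalating per-account login delay that a valid answer can bypass, so a first attempt never needs the challenge. The difficulty, delay steps, account names and the `password_ok` flag standing in for real password verification are constructed assumptions.

```python
import hashlib
import secrets
import time

DIFFICULTY_BITS = 16                # assumption: ~65k MD5 ops per answer on average
DELAY_STEPS = (0, 300, 600, 1200)   # seconds: 1st attempt free, then 5/10/20 minutes


def leading_zero_bits(digest: bytes) -> int:
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def issue_challenge() -> str:
    """Server side: a fresh random challenge embedded in the login page."""
    return secrets.token_hex(16)


def solve_challenge(challenge: str, bits: int = DIFFICULTY_BITS) -> int:
    """Client side (what the JavaScript would do): count nonces until the MD5 of
    'challenge:nonce' starts with `bits` zero bits. The cost is tuned by `bits`."""
    nonce = 0
    while True:
        digest = hashlib.md5(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return nonce
        nonce += 1


def verify_answer(challenge: str, nonce: int, bits: int = DIFFICULTY_BITS) -> bool:
    """Server side: one hash to check what cost the client thousands."""
    digest = hashlib.md5(f"{challenge}:{nonce}".encode()).digest()
    return leading_zero_bits(digest) >= bits


class LoginGate:
    """Per-account escalating delay; a solved challenge bypasses the delay."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}      # account -> (failed_attempts, last_failure_time)
        self.challenges = {}    # account -> outstanding challenge string

    def required_delay(self, account: str) -> int:
        count, _ = self.failures.get(account, (0, 0.0))
        return DELAY_STEPS[min(count, len(DELAY_STEPS) - 1)]

    def pending_challenge(self, account: str):
        return self.challenges.get(account)

    def attempt(self, account: str, password_ok: bool, answer=None) -> str:
        """`password_ok` stands in for the real credential check (assumption)."""
        count, last = self.failures.get(account, (0, 0.0))
        now = self.clock()
        delay = self.required_delay(account)
        if delay and now - last < delay:
            # Delay active: accept only a valid proof of work for the outstanding challenge.
            challenge = self.challenges.get(account)
            if challenge is None or answer is None or not verify_answer(challenge, answer):
                self.challenges[account] = issue_challenge()   # (re)issue, single use
                return "delayed"
            del self.challenges[account]
        if password_ok:
            self.failures.pop(account, None)
            self.challenges.pop(account, None)
            return "ok"
        self.failures[account] = (count + 1, now)
        return "bad_password"


if __name__ == "__main__":
    gate = LoginGate()
    print(gate.attempt("alice", False))             # bad_password, no challenge needed
    print(gate.attempt("alice", True))              # delayed: 5 minutes or solve a challenge
    answer = solve_challenge(gate.pending_challenge("alice"))
    print(gate.attempt("alice", True, answer))      # ok
```

The DoS property the second comment describes is visible in the gate: an attacker who burns a victim's free attempt only forces the victim's next login to either wait out the delay or spend the JavaScript work; it never locks the account.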
Why would you uninstall it after you fixed the problem? Just because it is "ridiculous", even though you will never have to do it again. Surely getting over that one-time-only config change is better than the 100% cpu usage and random crashes you get with browsers like Firefox all-the-time.
Unfortunately they are only urging Gmail users to switch. The kind of people that use IE6 are the kind of people that use Hotmail and MySpace, not Gmail.
> compiling C/C++ code into AS3 bytecode (which runs on AVM2) that can run on the Flash or Flex platform and boasts increased performance for computationally-intensive tasks
Increased performance over what exactly? Is there some other 'slower' bytecode that the VM runs? The summary fails to mention this. I don't see how compiling C++ to the AS3 bytecode would be any faster than compiling some Flash language to AS3 bytecode, or writing AS3 bytecode directly. I assume it is the AS3 bytecode itself that is faster, in which case the 'compiling C++' part is irrelevant to the increased performance.
Why does everyone seem to think Windows somehow allows malware due to 'holes' in the OS? Malware isn't any different to normal software from the OS' perspective. If you can write legitimate software that can send an email, or download an image and display it to the user, then you can write 'malware' that can send spam or display advertisements. Idiot.
Maybe so, but you still have the full size images on the camera. If someone were to get a hold of that they would be able to tell what camera took the images after a few weeks of intensive forensic study.
Troll? If they get a hold of the camera with the photos on it, they would already know what camera took the photos. Plus they would have all the metadata in the photos themselves. This technique is only useful when said EXIF metadata is removed. Usually some post-processing is also performed at the same time if someone goes to the effort to remove this data.
How do the thieves know the stuff phones home? They don't, they will steal it anyway. And you won't get it back no matter how many photos you take. You dumbass. Of course having your stuff stolen is a cheaper alternative to putting locks on your doors, but normal people don't want their stuff stolen.
Yeah ok, do that to a diamond ring. Fat lot of good phoning home does when your laptop is stolen and hocked. Sure you *might* get a photo of the thief, but how does that get your laptop back? Do you plan on tracking him down somehow, then asking who he sold it to, then tracking them down, then convincing them it's your laptop etc etc etc? No. You will need to claim on insurance either way. And you'd have cheaper premiums if you secured your house.
> Spoofing also wouldn't work because if more than one identical ID/Serial#s also create a fault.
So just don't use it at the same time, wtf? Why would you want to use an ID while the house owner is there anyway? The whole point is to do a replay/spoof attack while the owner (and therefore the serial#/ID etc.) *isn't* there. Lost a bit of credibility there.
A more believable counter-measure is a challenge-response which can't be spoofed.
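An added example of the challenge-response the comment recommends, written here for illustration rather than taken from any alarm or key-fob product: the reader issues a one-time random nonce and the token answers with an HMAC over it under a shared key, so a response recorded while the owner was present does not verify against the next challenge. The static-ID check is included only as the weak scheme to compare against. Keys and IDs are constructed.

```python
import hashlib
import hmac
import secrets


def static_id_accepts(expected_id: bytes, presented_id: bytes) -> bool:
    """The weak scheme the comment criticises: a fixed ID/serial is the whole
    credential, so anything that captured it once can present it again."""
    return hmac.compare_digest(expected_id, presented_id)


class Fob:
    """Token holding a per-device secret key (constructed for the example)."""

    def __init__(self, fob_id: str, key: bytes):
        self.fob_id = fob_id
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        # Binding the fob ID into the MAC stops one fob's answer being used as another's.
        return hmac.new(self.key, self.fob_id.encode() + nonce, hashlib.sha256).digest()


class Reader:
    """Door/alarm side: a fresh nonce per attempt, consumed when checked."""

    def __init__(self, keys: dict):
        self.keys = keys            # fob_id -> shared secret key
        self.outstanding = {}       # fob_id -> nonce awaiting a response

    def challenge(self, fob_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[fob_id] = nonce
        return nonce

    def verify(self, fob_id: str, response: bytes) -> bool:
        nonce = self.outstanding.pop(fob_id, None)   # single use: gone after one check
        key = self.keys.get(fob_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, fob_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def legitimate_unlock(reader: Reader, fob: Fob) -> bool:
    """The honest exchange: challenge -> response -> verify."""
    return reader.verify(fob.fob_id, fob.respond(reader.challenge(fob.fob_id)))


def replayed_response_accepted(reader: Reader, fob_id: str, recorded: bytes) -> bool:
    """Defender's test: does a previously recorded response pass a new challenge?"""
    reader.challenge(fob_id)
    return reader.verify(fob_id, recorded)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    fob, reader = Fob("fob-1", key), Reader({"fob-1": key})
    print("legitimate:", legitimate_unlock(reader, fob))
    recorded = fob.respond(reader.challenge("fob-1"))
    print("first use of response:", reader.verify("fob-1", recorded))
    print("replayed later:", replayed_response_accepted(reader, "fob-1", recorded))
```

Because the nonce is unpredictable and consumed on verification, the recorded response is tied to one past exchange; the static-ID scheme has no such binding, which is why presence or absence of the owner makes no difference to it.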
This was first mentioned on Whirlpool; I was reading the thread. It appears to have been deleted now, however:
http://forums.whirlpool.net.au/forum-alert.cfm?a=priv-deleted&t=1165021&v=0
Use ctrl-d to send an EOF to metafont, and it exits.
The difference being these are tested before use. They do blood tests and compare the results to breath tests before using these things.
When you get your water bill you trust they had accurate measuring equipment, the same with any other bill.
Rather than seeing the source code, they could just ask for them to be tested - like they would with anything else.
don't tell my mother?
But yes, it's not exactly difficult to have ASCII art embed a message. It's text, after all.
Torrent option hidden in the address bar?
It's just under preferences for downloads. Select 'use default application' instead of 'use opera' for torrent files.