Slashdot Mirror


User: ucblockhead

ucblockhead's activity in the archive.

Stories: 0
Comments: 2,910

Comments · 2,910

  1. Re:Mildly related...Virus? on Linux Blamed for DDoS Attacks · · Score: 1

    Imagine a virus that infects the Seti@home client, and then get very, very scared.

  2. Re:What OS is to blame? on Linux Blamed for DDoS Attacks · · Score: 1
    or even OS/2,

    Yeah, but you don't get much of a DDoS attack out of three machines...

    (Moderate this "-1,No sense of humor")

  3. Re:Shoddy Reporting on Linux Blamed for DDoS Attacks · · Score: 1
    . I see one line that says the code can't run on Windows. It's absolutely right.

    You need to read the article more closely. Here is what it says:

    Unix/Solaris/Linux systems are vulnerable to having unwanted code placed on them. Windows-based systems are not subject to this problem

    It should be obvious that the above line from the article is completely incorrect. There have been numerous reports of Windows bugs that allowed unwanted code to be placed on them. This line is what most here are objecting to.

    (I agree with your second paragraph, though.)

  4. Re:Good Question.... on Linux Blamed for DDoS Attacks · · Score: 1

    Zach Nelson, CIO for Network Associates. But before you flame him, keep in mind that he may have been misquoted. (At least, I hope so.) He probably said something like "This particular attack runs on only Unix machines" (which is true, AFAIK) and the idiot reporter translated this into "Windows machines aren't vulnerable to this sort of attack" (which is patently false).

  5. Re:WTF?? on Linux Blamed for DDoS Attacks · · Score: 1
    It is not a matter of "I'll believe it when I see it". We've seen the exact opposite for years. All you've got to do is check the Windows bug lists or the Risks Digest.

    The best you could possibly claim without being a priori incorrect would be that the latest version of Windows with all service packs doesn't have this vulnerability. But even if you were to accept this (which, given Microsoft's track record, is a little ridiculous. We've already had reports of two serious IIS holes with Win2000), you'd still be left with the problem that not everyone who runs Windows is up to the latest version/service pack.

  6. Re:Shoddy Reporting on Linux Blamed for DDoS Attacks · · Score: 5
    They didn't say the code didn't run on Windows. That would have been correct. What they said was that Windows machines aren't vulnerable to this sort of attack. That's a crock of shit.

    All a Windows version would need is "ActiveX" + "IP Stack" + "Thousands of cable modem and DSL systems managed by unknowledgeable users".

  7. Re:Not FUD, just plain LIE!!! on Linux Blamed for DDoS Attacks · · Score: 4
    I'm a WindowsNT programmer with a moderate amount of TCP/IP experience. I'm certainly no IP expert. The only "cracking" knowledge I have is what I've read in various places, including the risks digest, and others. I'm pretty damn sure I could do this on a Windows box.

    All it would take would be to take advantage of any of the numerous holes that have allowed people to run arbitrary code on a Windows box. Sure, many of these have been fixed, but I know the Windows user community. Lots of those machines are run by people with no clue.

    Hell, my own machine would almost certainly succumb. I'm tempted to try. Good thing it is behind a firewall.

    Were I to actually do this, I'd throw up some website somewhere, with an invasive ActiveX control, and throw some porn on it. I'm sure I'd attract enough suckers to run a DDoS attack. And once that code is on their machine, the rest is trivial. Basic sockets programming. The "hard" part would be doing it in such a way as not to get caught, but I am pretty sure even that would only require a few days' work and access to a public machine.

  8. Re:illegal? on Ask Security Guru Dave Dittrich About DDoS Attacks · · Score: 1
    When you chose to live 50 miles from work and relied on your [car] and it dies do you feel cheated?

    No, but if I chose to live 50 miles from work and relied on my car, but couldn't use it because some idiot kids were joyriding in it this morning for a couple of hours, you're damn right I'd be pissed!

    (And I wouldn't excuse the whole thing if they brought it back in one piece, either.)

  9. Re:illegal? on Ask Security Guru Dave Dittrich About DDoS Attacks · · Score: 1
    Say Amazon.com is down and I want/need to order a book. BarnesandNoble.com is up, so I'll just go over there and make my purchase. Boom, Amazon is out $20, and B&N is $20 richer.

    You also have to add to this the chance that you say "Hey, I like this much better!" and then never go back to Amazon.com. They could be out a lot more than $20 in the long run!

  10. Automated hacking? on Ask Security Guru Dave Dittrich About DDoS Attacks · · Score: 1
    Much has been made about the number of different client computers that had to have been hacked for this thing to reach the level it did against Yahoo. Many have taken this to mean that there had to have been some sort of organized effort. However, much also has been made about how the tools used were simple "script-kiddie" tools that require little knowledge, just the ability to follow some simple instructions.

    When I hear something like "follow some simple instructions", I think "programmable". Is it possible that instead of some sort of organized group, this is the work of one guy with some sort of automated hacking tool that, once started, attempts to hack lots of systems, installing one of these DDoS clients?

  11. Re:illegal? on Ask Security Guru Dave Dittrich About DDoS Attacks · · Score: 1
    Suppose you have an account on e-Trade. Suppose you are a day-trader. (Ok, you probably deserve what you get, but bear with me...) Suppose the stock you bought that morning goes up 1 point. You decide to sell.

    e-Trade is down due to a DoS attack. By the time it is up, the stock is now 1 point below what you bought at.

    Would you then be so sanguine about "no one really being hurt"?

  12. Re:Well I for one won't comply with this. on FBI Releases Updated DDoS Detection Tools · · Score: 1

    Though you wouldn't want cable modems on the same subnet!

  13. Re:Well I for one won't comply with this. on FBI Releases Updated DDoS Detection Tools · · Score: 1

    Cable modem users are probably even better because they are continually connected, and their IPs don't change.

  14. Re:Well I for one won't comply with this. on FBI Releases Updated DDoS Detection Tools · · Score: 1
    Win 95 has poor connections (no daemons and such) and probably will not have a problem.

    Maybe...Maybe not. True, there's no sendmail. But it certainly does have some open ports, so you have to trust in Redmond that there aren't any holes in, say, SMB. And it is a lot harder to figure out how to turn that sort of thing off under Windows.

    But I think the bigger vulnerability is all of those things (Can you say "ActiveX"?) that make it possible for someone to run arbitrary code on a machine. Once there, you can open any damn port you want. One can imagine such a trojan horse spitting out an IP somewhere as its first action. Then it silently waits for a command.

  15. Re:Well I for one won't comply with this. on FBI Releases Updated DDoS Detection Tools · · Score: 1

    "ping"

  16. Re:Nothing for Windows Servers! on FBI Releases Updated DDoS Detection Tools · · Score: 2

    What scares the crap out of me is the thought that there is a hugely growing number of Windows boxes being run by people who know little or nothing about even the basics of security that are permanently attached to the net. I can easily imagine some sort of worm program that exploited some piece of poor security in Win95/98 to install itself on tens of thousands of machines. If done correctly, using some sort of chaining scheme, the actual creator would not have to actually touch the vast majority of these systems, making him almost impossible to find. Just send some trigger sequence to one machine, which signals the two it infected, which signals the four it infected, etc, etc.

  17. Re:Cops aren't STUPID on UK Decryption Law Pushed Through · · Score: 1
    This would make sense if cops never made mistakes. Unfortunately, they are human and sometimes do.

    In the US for a while the cops had something called a "no-knock" search. Essentially, they'd just burst in with guns drawn. Those who opposed this sort of thing were countered with arguments almost identical to yours.

    Around that time, one guy was shot and permanently paralysed when he pulled a gun on some people who burst into his house with guns drawn. A criminal who doesn't deserve protection? Well, guess what? The cops got the wrong address.

    Now anyway, please go read Bruce Sterling's "The Hacker Crackdown", which contains a far greater example of how the police can make mistakes.

    Remember, things like the 5th amendment are NOT there to protect criminals. They are there to protect the innocent from police mistakes and misconduct.

  18. Re:Why is cryptography so terribly important? on UK Decryption Law Pushed Through · · Score: 1
    While giving your credit card number over the internet is no more risky than giving it over the phone. It is easier to set up a scanner on tcp/ip than on voice traffic.

    Not necessarily true, given the prevalence of portable phones. All you need is a good receiver.

  19. Re:Why is cryptography so terribly important? on UK Decryption Law Pushed Through · · Score: 1
    that's what we have fraud protection for. Consumer protection prevents law breakers from totally wiping you out when you don't want to.

    No, consumer protection laws mean that we all pay a slightly higher price rather than a few of us getting wiped out. And consumer protection laws don't protect you from bounced checks, missed mortgage payments and the like that occur in the time between when your identity is stolen and when you notice, and are able to convince the bank what is going on. Believe me, I had my debit card stolen once, and while I got every cent back, it was a royal pain in the ass. And I was also lucky that it was caught before the mortgage was due. Late fees get charged regardless of the reason.

    And that all assumes that you are able to convince the powers that be that something happened. There are many, many horror stories floating around about "identity theft".

    Well I don't object to charging although you admit that the code was crap and you sold it for $100,000. That's the kind of thing you keep the receipt for the refund.

    I did not charge the $100,000. I was paid to fix the crap by the company that charged the $100,000. (And later paid to support the crap by another company that was suckered into paying the $100,000.) But none of that is to the point, which is that data can be very valuable.

    Usually such data is secured on machines that are physically located within a building or in a system that is essentially secure to begin with.

    One word: "laptop".

  20. Re:A thought on UK Decryption Law Pushed Through · · Score: 1

    Doesn't England have the concept of "innocent until proven guilty"? If so, wouldn't they have to prove that the random-looking data was actually encrypted data?

    If not, remind me never to go to England!

  21. Re:Why is cryptography so terribly important? on UK Decryption Law Pushed Through · · Score: 1
    Will someone please fix the damn Extrans posting mode!

  22. Re:Why is cryptography so terribly important? on UK Decryption Law Pushed Through · · Score: 1

    Most data that you have is not really that interesting.

    If you are living in anything but abject poverty, there are certain people who would be very interested in things like your credit card numbers, bank account numbers, social security numbers, etc., especially in combination.

    And I also have to mention that, while many FSF true believers may find this objectionable, I do have to mention that there were times when I had, on my home system, source code that sold for something like $100,000, in the course of some consulting projects. (That's what the source license cost. I wouldn't have paid a nickel for it though. It was crap.)

    Perhaps not a common situation, but then, it is not uncommon for managerial types to have data on their systems that would be of great interest to their competitors.

    Cryptography is not important just as a means to keep data from the government.

  23. A thought on UK Decryption Law Pushed Through · · Score: 1

    Create a program that appends 10k of completely random data to a file. Run that program on as many files in your system as you can. (Can this be done on an executable? I don't know enough about the ELF and a.out formats to know. I'd imagine this wouldn't make a difference.)

    Any encrypted data can then be appended in 10k chunks to a file or two of your choice.

    Retain the program that appends the random data. If anyone demands you decrypt some of the encrypted information appended to these files, just say "there is no encrypted data. I appended random info to these files to annoy people like you". (Which, AFAIK, is not illegal.)

    Wouldn't they then have to prove that you actually had encrypted data? ("Innocent until proven guilty", at least in the states.)

  24. Not an interview on Linus Interview · · Score: 1

    For those who missed it, don't be bummed. It was just a rebroadcast of the keynote.

  25. Re:what interview?! on Linus Interview · · Score: 1

    Finally announced Linux, but we have to sit through another lame-ass song. I had my hopes up when he talked about playing a song about masturbation, but rather than playing the classic "I touch myself", he plays some moldy off-topic Doors song.

    This stuff is making me cranky. (There needs to be a -1, cranky moderation option.)