Some people tend to think that this worm is harmless (just "spreading itself"). But the worm actually sends the harvested email addresses to an external site - www.av3.net [which I wouldn't dare to browse to].
Here are the technical details of the worm:
1) Arrives on the compromised computer as an HTML email containing Javascript. The email may have the following characteristics:
From: Varies
Subject: New Graphic Site
Message body: Note: forwarded message attached.
2) Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.
3) Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.
4) Targets email addresses from the @yahoo.com and @yahoogroups.com domains.
5) Contacts the following URL:
[http://]www.av3.net/index.htm
6) Sends a list of email addresses gathered to the above URL.
If you did not open a mail whose subject was "New Graphic Site", you are not infected.
Reference: Symantec advisory at http://securityresponse.symantec.com/avcenter/venc/data/js.yamanner@m.html
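The characteristics listed above (subject line, body text, inline script in an HTML mail, and the av3.net beacon) are enough to triage a mailbox for this worm. The following is an added example, not code from the post or from Symantec; the two messages are constructed samples and the script tag in them is an empty placeholder, not the worm's code:

```python
import email
from email import policy

# Indicators taken from the worm description above.
SUBJECT = "New Graphic Site"
BODY_MARKER = "forwarded message attached"
BEACON_HOST = "www.av3.net"


def yamanner_indicators(raw_message: str) -> list:
    """Return the names of the JS.Yamanner indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():               # handles both single-part and multipart mail
        if part.get_content_type() != "text/html":
            continue                      # the worm needs an HTML part to carry its script
        html = part.get_content().lower()
        if BODY_MARKER in html:
            hits.append("body-text")
        if "<script" in html:
            hits.append("inline-script")
        if BEACON_HOST in html:
            hits.append("beacon-url")
    return hits


def is_suspected_yamanner(raw_message: str) -> bool:
    """Subject match alone is too weak (anyone can reuse it); require the HTML script as well."""
    hits = yamanner_indicators(raw_message)
    return "subject" in hits and "inline-script" in hits


# Constructed sample messages (placeholder script, not the real payload).
SAMPLE_INFECTED = """From: someone@yahoo.com
To: victim@yahoo.com
Subject: New Graphic Site
Content-Type: text/html; charset=us-ascii

<html><body>Note: forwarded message attached.
<script>/* constructed placeholder */</script>
<img src="http://www.av3.net/index.htm"></body></html>
"""

SAMPLE_BENIGN = """From: friend@yahoo.com
To: victim@yahoo.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset=us-ascii

Same place at noon?
"""
```

Run each stored message through `is_suspected_yamanner` to find the ones that were opened; a hit on only the subject or only the beacon URL is worth a look but is not by itself proof of infection.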
I found that everything I use seems to take hours and hours to compress, encrypt and shred. Not to mention decompressing, decrypting and deleting on the other end.
It sounds like you don't know what TrueCrypt really does. Real-time transparent encryption does not "compress" nor "shred" anything.
but I find it's usually best to suffix the title with a question mark, and let our ever-knowledgeable readers hash out the issue and decide for themselves.
Which is, unfortunately, the case with many Slashdot (and most Digg) stories. As soon as I see a sensationalistic title ending with a question mark, I automatically skip to the next story.
I was looking for a replacement for the aging (but good old) CVS for a long time. I took a look at Subversion and read that it supports the rename operation. I said wow, this is exactly one of the reasons why we need to replace CVS with something better. So I installed Subversion and thought that we finally have CVS-like software that supports rename. But then I found out that it actually was not a rename operation: it was a move & delete operation. Our disappointment deepened when I read on their 'to do' list that they plan to add "full support for true rename" or something like that. It was a big disappointment and we had to look elsewhere.
> It means every change is visible to you,
That's not always true. If you modify a GPL-ed web application (or server software) and don't distribute it (only run it for / show output to your visitors) -- then you don't have to publish (open source) the modifications.
You indeed are missing the point completely. The police will know for sure you are hiding data (because otherwise you would not have used a deniable file system). What will they do? Beat you until you spill out the password (a hit on the head with a phonebook can't be detected).
You miss the point completely. TrueCrypt allows you to plausibly deny that there is any hidden data, because TrueCrypt by default works in a non-deniable mode.
If you have a system where the only mode is deniable, then its mere usage tells that you are hiding data.
Imagine you are in front of a jury, questioned why you use a stego filesystem when it's significantly slower than a regular file system. If you can't plausibly explain this, there is a compelling reason to believe you hide some data. Usage of such a file system is to a great extent self-incriminating (because it has NO OTHER usage).
TrueCrypt has a feature called hidden volumes that provides plausible deniability.
Nope. The plausible deniability in TrueCrypt is based on the fact that the volume can't be identified. This concept is further enhanced (as I wrote), or brought to a higher level, by the hidden volume concept.
From the site:
Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
1) Hidden volume (steganography).
2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
Unfortunately, this won't work. Obviously, there is no reason to use a stego file system other than to hide data. Why? Because there is always a certain overhead. The fact that you use a stego file system is proof that hidden data exists.
It is necessary to use something that can be used in a non-deniable (regular) mode as well as in deniable mode. If you use Windows or Linux, I recommend the open source TrueCrypt.
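What the quoted claim "volumes cannot be distinguished from random data" amounts to in practice: an examiner first matches known magic numbers, then measures byte entropy, and a high-entropy blob with no signature is all that is left to see. An added example (not TrueCrypt's code or the poster's), with a small assumed signature table and constructed sample blobs:

```python
import math
import random
from collections import Counter

SAMPLE_SIZE = 4096  # bytes of the file head examined

# Assumed minimal magic-number table; a real forensic tool carries thousands.
KNOWN_SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
    b"%PDF-": "pdf",
    b"\x1f\x8b": "gzip",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the observed byte distribution; 8.0 is the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data: bytes, threshold: float = 7.5) -> str:
    """'identified:<type>' on a signature match, else 'random-like' or 'structured'."""
    head = data[:SAMPLE_SIZE]
    for magic, name in KNOWN_SIGNATURES.items():
        if head.startswith(magic):
            return f"identified:{name}"
    # No signature: only the byte statistics are left to judge by.
    return "random-like" if shannon_entropy(head) >= threshold else "structured"


# Constructed sample inputs (seeded so the run is repeatable).
_rng = random.Random(1234)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(SAMPLE_SIZE))   # stands in for a container
TEXT_BLOB = (b"The quick brown fox jumps over the lazy dog. " * 100)[:SAMPLE_SIZE]
ZIP_LIKE_BLOB = b"PK\x03\x04" + RANDOM_BLOB[4:]                        # signature, then random
```

A "random-like" verdict is consistent with an encrypted container, a compressed archive with its header stripped, or wiped free space, which is precisely why the absence of any signature is what the deniability argument rests on.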
If the police request your encryption keys, you can actually give them to them (i.e. comply) without actually giving them access to your encrypted files.
All you need is TrueCrypt, which is open source on-the-fly disk encryption software for Windows and Linux.
The software provides something called Plausible Deniability and it is further enhanced by the so-called hidden volume method.
Basically, it is impossible to prove that you have TrueCrypt-encrypted data, and you can even supply a key to decrypt a decoy volume containing some not-really-sensitive data. The bottom line: you comply with the law (order to decrypt) and your data stay private.
Oh, yes, I forgot to add that this problem does not exist on Windows XP/2000/2003/Vista as these OSes have a stable driver API. Only Linux is a major PITA for such projects.
You are totally wrong, my friend. A stable Linux driver API is not necessary just for closed source binary-only drivers. It is also required for OPEN SOURCE 3rd party drivers that are not included in the kernel.
Take, for example, TrueCrypt. They deliver state-of-the-art cross-platform (Windows/Linux) on-the-fly disk encryption like nobody else does. The problem they (and their users) have is that they have to recompile the driver EACH FUCKING time a single bit in the kernel is changed. If every user of Linux was a developer able to compile drivers, everything would be ok. But it isn't.
> Posted anonymously to avoid accusations of karma whoring :)
You really think I believe you? There are other reasons for which you may have posted it anonymously (and you know it).
Last time I checked, DMCA covers not only hosting but also mere linking to infringing materials.
As a web designer/dev I installed Internet Explorer 7 Beta 2 seven days ago. When I launch it, I see that the default option for search is Google -- not MSN!
Have I missed anything?
If you're concerned about cross platform compatibility then use user space encryption rather than kernel space encryption.
Kernel-level encryption does not mean whole disk encryption. There is a free open-source on-the-fly disk encryption format that does not have to span an entire disk. It's called TrueCrypt. With it you can encrypt a partition and mount it under Windows and Linux. It can also create virtual file-based drives.
Yes, that's an excellent example of superiority of Open Source in the field of security.
Without any doubt Open Source is a prerequisite for security, as Open Source is a prerequisite for extensive peer review.
organic computers that crunch numbers using living neurons.
Well, actually "living neurons" are not good at crunching numbers. Silicon chips are much faster and much more precise than any human brain as far as crunching numbers is concerned. In contrast, the human brain is much better at intelligence and creativity (imagination).
> Opera has been free (as in beer) for years.
No, it was adware. That's not exactly free as in beer, is it? At least, not what most people label freeware.
However, on my site, AWStats reports that 7% of all visitors use Opera. My site is technology related with 5000 unique visits daily.
Opera had two strong and FREE competitors. Even if it had only 1%, it would be an absolutely incredible achievement for a commercial program. Now that Opera is free, all they need is time and Google's support.
Interesting. Thanks for the link. However, note that Opera users have been cloaked by default for years (they identified themselves as IE).
> I don't know whether or not the parent was intended to be sarcastic
No, no, I did not. Opera is a good browser and now it's even freeware.