Reminds me of something about 22 years ago, on a Unix terminal at a University:
A mischievous student had written a program which looked exactly like the login screen; when someone logged in, it would capture the username and password, and store them secretly, then give a 'wrong username/password' error message, and then display the actual login screen. The student would think that he had initially entered the password wrongly.
It was heard that writing such a program on a Unix terminal really required a very good knowledge of Unix internals, and we also heard that this student was dismissed from the University, and immediately hired by a computer security company.
Faintly remember that this is termed as masquerading.
Overnight spAmazon sent no fewer than 3 identical emails nagging me to update the CC I am using for my single Subscribe and Save order (a program that lets me get something sent at a fixed interval in turn for a discount - presumably because it lets them use cheaper shipping) because it will expire at the end of next month. 3 emails on the same subject in <6 hours would be excessive in any case; but adding extra elephants to the fail is that the card in question is an Amazon rewards card; and the bank behind it hasn't sent me a new card yet.
Based on past experience with the bank, I expect to get the new card in a few weeks. OTOH the timing of when this card was scheduled to expire is strongly suggestive that it was motivated by the first phase deadline for switching over to a chip card; which means that any snafu in that pipeline could delay it.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
Yesterday spAmazon made me walk 5 miles to receive my package, and I got two identical emails (along with promotions as usual) stating the delay.
Beauty cannot be defined by abscissas and ordinates; neither are circles and ellipses created by their geometrical formulas.
Carl von Clausewitz
Today Amazon had the postperson hand me a brand new waterproof hat a full 3 days ahead of the expected delivery date.
Muharrem B. wrote: Do you use it? No, haven't used a scanner in 10 years. Haven't had a virus either.
Muharrem B. wrote: Does it work? If you are the type that runs code without knowing what it does, open executables, then yes, it works "most of the time".
For companies it is different; they'll need to have one. Especially large companies would come under fire if they lost all their data over an old and outdated virus. And in large companies there is always a manager that opens the executable.
Always.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Eddy Vluggen wrote: Haven't had a virus either.
As far as you know.
Let me rephrase; there is no process running without my knowledge, and any communication is logged (using WinPCap).
Viruses require resources and rights to spread
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Eddy Vluggen wrote: there is no process running without my knowledge As far as we know our computer has never had an undetected error!
Not the same;
You cannot guarantee no one is in the house if you don't know what windows are open, which doors are locked - but if you close all, then someone would have to tear down a wall to get in there.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
There's this movie, I forgot which one, but these guys are trying to rob a bank or something.
The crooks use your reasoning so their solution, make sure they're already inside when all doors and windows get locked.
The next morning, when everything opens up, they simply walk out with the loot
The equivalent thereof would be to have my installation medium infected; something rather uncommon.
Yes, we've had an original Win95-CD that was infected once - but the chance of an infection is kinda "low"; at that point a scanner hardly helps, there is never a 100% guarantee
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Eddy Vluggen wrote: there is never a 100% guarantee This is the life we chose, the life we lead. And there is only one guarantee: none of us will see heaven their computer completely free of unwanted sh*t
Spoiler alert:
"Inside Man"
Does the house even exist if you're not there though?
How do you know so much about swallows? Well, you have to know these things when you're a king, you know.
modified 31-Aug-21 21:01pm.
Eddy Vluggen wrote: And in large ALL companies there is always a manager that opens the executable.
FTFY
Eddy Vluggen wrote: No, haven't used a scanner in 10 years. Haven't had a virus either.
Yeah, I never crashed my car, but I will always use my seatbelt. Better safe than sorry.
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson
Our heads are round so our thoughts can change direction - Francis Picabia
AV is not a seatbelt, we already established that.
You wait until you are infected; your choice, your consequences. I prefer not to get infected at all.
This is where the thread ends, as it is useless to repeat the same statements
--edit
I was not paying enough attention, I assumed I was replying to the car-thread.
Go ask your doctor; is it better to check for STD's once a week, or is it safer to not have unsafe sex? Neither is a guarantee; but which would feel as "safe", and which as "sorry"?
If you are already infected, then the AV results might not be very trustworthy.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Eddy Vluggen wrote: AV is not a seatbelt, we already established that.
I never said it was, we're talking about an analogy.
Eddy Vluggen wrote: Go ask your doctor; is it better to check for STD's once a week, or is it safer to not have unsafe sex? Neither is a guarantee; but which would feel as "safe", and which as "sorry"?
Agree, but as in my analogy, it's not because you drive safe that you're free from suffering an accident, the same way as browsing safe does not free you from suffering an attack. The AV seatbelt acts like an antivirus, to save you from situations you cannot control. You can't possibly think you can control all scenarios. You can get infected even for browsing here on code project, which could have been targeted with a silent attack by hackers which explores a 0day flaw on the browser javascript engine.
As with the seatbelt, you have much better chances of survival if you use an AV.
Eddy Vluggen wrote: If you are already infected, then the AV results might not be very trustworthy.
That's why it's the first thing I do when I set up an OS. And the seatbelt is the first thing I take care of when I get in my car. It's not a guarantee but surely makes it safer.
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson
Our heads are round so our thoughts can change direction - Francis Picabia
modified 2-Sep-15 13:05pm.
Fabio Franco wrote: I never said it was, we're talking about an analogy. No, the seatbelt is not an analogy for an antivirus. The browser is merely one point of entry, and I do not consider a browser-toolbar a virus. It may be malware, but it does not replicate and infect files; it will not propagate over the network.
Fabio Franco wrote: it's not because you drive safe that you're free from suffering an accident, the
same way as browsing safe does not free you from suffering an attack. The seatbelt is protection that only helps once things have already gone wrong; you could be dead and wearing the seatbelt.
Fabio Franco wrote: As with the seatbelt, you have much better chances of survival if use an AV. Even more if you install five different products. Still, you're already in an accident. What you are proposing is damage control.
Fabio Franco wrote: You can't possibly think you can control all scenarios I never claimed I did; nor can the AV claim the same thing. To be fair, I added the claim at the end of this post.
Fabio Franco wrote: could have been targeted with a silent attack by hackers which explores a 0day
flaw Most viruses are not based on new exploits. Don't need to, most machines aren't that up to date either, and the most commonly targeted is not the system, but the user - there is your prime vulnerability. The bluddy manager that simply has to open the "Pamela.exe" attachment.
As for the AV, most of them can be killed from code. Meaning that if you need to invoke your seatbelt, you will feel the Windows. Now try running the restore-command on the infected and half-corrupted backup.
Fabio Franco wrote: with a silent attack by hackers Most viruses operate autonomously, and are not specifically designed by a hacker for a single target. Hackers and viruses are different things, with different attack vectors.
Now, I said that there is never a 100% guarantee; but in all arrogance, I don't need to think of every scenario, I can prevent some scenarios altogether. Protecting a network is quite different from writing an AV and catering for every possible version of Windows out there, with different service packs and various levels of patching. If you want the 100% guarantee it will become rather expensive though; means checking a whole lotta code before we can compile a kernel, and means that all cables will be superglued to the system to prevent stuff from coming in or going out.
My first infection was BGS9, still have it on disk but I don't have any hardware that still supports it. What was yours?
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Eddy Vluggen wrote: I do not consider a browser-toolbar a virus.
Remote execution from a javascript vulnerability of your browser can infect you with a virus. The javascript attack takes advantage of the browser privileges to inject a virus into an executable, therefore infecting the target machine.
Eddy Vluggen wrote: The seatbelt is protection that only helps once things have already gone wrong; you could be dead and wearing the seatbelt.
Yes, the same as if you navigated to a site that was target of an attack (and didn't know it) the damage is done, you already got screwed. If you have an AV it may and it may not prevent your infection. If you use a seatbelt it may or may not prevent your death. Odds are... I don't need to explain.
Eddy Vluggen wrote: Most virusses are not based on new exploits. Don't need to, most machines aren't that up to date either, and the most commonly targetted is not the system, but the user - there is your prime vulnerability. The bluddy manager that simply has to open the "Pamela.exe" attachment.
Of course, but are not limited to. That's where driving safe and browsing safe comes in.
Eddy Vluggen wrote: As for the AV, most of them can be killed from code. Meaning that if you need to invoke your seatbelt, you will feel the Windows. Now try running the restore-command on the infected and half-corrupted backup.
Not really, they require elevated privileges to be killed, which most attacks don't originally have. If it's from a browser, it does not have elevated privileges; if it's from an executable, it will require your permission. In this case, the Pamela.exe fits pretty well. But still, they are caught before they get to execute code, if their signature is identified.
My point is, those of us who are tech savvy are still vulnerable to non-trivial attacks, just as even good drivers are vulnerable to accidents. We use protection to minimize the damage. I lost a couple of friends because they failed to acknowledge the importance of the seatbelt. And to me the AV is important to safeguard our digital property. Does it mean that all the friends I have will die for not using a seatbelt? No, but to me it's just plain negligent to not use one. As it is not to use an AV.
Eddy Vluggen wrote: Now, I said that there is never a 100% guarantee;
Nothing is 100%
Eddy Vluggen wrote: My first infection was BGS9, still have it on disk but I don't have any hardware that still supports it. What was yours?
I can't possibly remember the virus' name, I was too young (about 10 years old). I remember the sound it played when I executed the file from a 5 1/4" floppy disk on MS-DOS. It played some watery sound (yes, I had a sound card on my 33MHz x286), output some joke text on the screen, then every time I would boot to DOS it would play again then return to the command line. All other executable files did the same. That was over 20 years ago.
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson
Our heads are round so our thoughts can change direction - Francis Picabia
Eddy Vluggen wrote: always a manager that opens the executable
Every browser has had 0-day vulnerabilities, where just browsing to a website with clever Javascript can compromise your computer. That script could be shown on almost any website, not just "bad" websites, as a lot of hackers use advertising networks to spread this script and it can show up on anyone's site that displays ads. The most clever viruses are ones that you will never notice you got and have low impact on your PC so you will never notice them running. Kinda like the HPV sexually transmitted disease of the computer world. That's why HPV is so prevalent.
How do you *know* you don't have a virus running right now with a keylogger that waits for sequences of keys that appear to look like a credit card and sends them off? You don't sit there monitoring WinPCap constantly, you don't actually believe that checking WinPCap once in a while means you don't have a virus do you?
Look in your running processes list right now. How many rundll processes are running right now? Do you have any idea what dll's each rundll is running? When is the last time you checked? Do you maintain a list of which ones are actual system processes and which one your newest piece of software installed? How do you know that clever browser script didn't replace a system DLL with one that works just as well but also contains the infected code?
As someone who may have dabbled in the black-hat side of things a long time ago, I promise you that without an integrated pre-emptive AV scanner installed, it is *impossible* to know what is being compromised on your PC right now. Even if you do a complete file scan once in a while, there are very easy ways to conceal a virus from static file scans that many viruses employ.
In the last 6 months or so, I've had my AV catch drive-by javascript exploit attempts twice. Before a browser runs any scripts, those are run through the AV. Just that right there is reason enough, even if you don't believe anything I just wrote.
Mike Marynowski wrote: Every browser has had 0-day vulnerabilities You worry about your browser. I worry about Skype displaying their Flash ad in a little browser in the chat application. It is an open window, every friggin' WebBrowser component is a potential security risk, and when they run I wanna know what they load, and they will not load anything from a blacklisted domain.
Mike Marynowski wrote: The most clever viruses are ones that you will never notice you got and have low
impact on your PC so you will never notice them running. Yes; but unless their mere existence is an academic effort in propagation, they will have a purpose and attack one of the files, altering it (changing a fingerprint) or try to communicate (hello firewall).
Mike Marynowski wrote: You don't sit there monitoring WinPCap constantly, you don't actually believe
that checking WinPCap once in a while means you don't have a virus do you? No, nor do I monitor it manually. Still, WinPCap is there for the same reason as an AV, to monitor my success at not getting infected.
Mike Marynowski wrote: Look in your running processes list right now. How many rundll processes are
running right now? ..aight, right click on the column names, add "startup path". Happy hunting. And yes, if it is the kind of thing you do if you think it is important. Do you run any code you come across?
Mike Marynowski wrote: How do you know that clever browser script didn't replace a system DLL with one
that works just as well but also contains the infected code? A browser script does not have enough rights to do anything that requires admin privileges. That also happens to be the default on modern Windows machines. Since add-ins for the browser used to run under the user's credentials, that was a nice entry point too. Things like sandboxing have become the norm. ActiveX has to ask for certain privileges.
OTOH, it is rather a cheap distribution channel for malware, and there are enough people that will grant those rights to any add-in. They can do so, because the settings allow them to do so. In your case, I'd delete your browser and install the Lynx browser. Try and run some Silverlight in there
Mike Marynowski wrote: As someone who may have dabbed in the black-hat side of things a long time ago,
I promise you that without an integrated pre-emptive AV scanner installed, it is
*impossible* to know what is being compromised on your PC right now. I had to give that guarantee to professional software, and did
As long as one is admin, one has complete control over what happens in the system. If it weren't so, we would have DRM. There is your other side of the coin - I can attach a debugger to any process.
Mike Marynowski wrote: In the last 6 months or so, I've had my AV catch drive-by javascript exploit
attempts twice The machine I guaranteed does not allow for JavaScript. You can't have safe elephanting without protection.
So no, not the setup for the average user, as those already freak out if a cookie cannot be set. Imagine that, browser games would refuse to run, without cookies, Silverlight and Flash. Ain't policies involving proxies great?
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
You have a very naive view of security if you think you are safe using the above practices you just outlined. You just aren't for all the reasons I mentioned that you haven't actually rebutted. I'm not saying you *ARE* infected, I'm saying there is a statistically significant probability that you are and you have no way of knowing given your current practices.
Sorry, I meant svchost not rundll - "command line" usually won't tell you anything of importance for svc-hosted processes running, especially concealed viruses. Tracking svchost processes is notoriously difficult.
With regards to JavaScript not having admin rights - no, normally it doesn't, that's why they are called "0-day *VULNERABILITIES*" - i.e. bugs in the browsers that grant JS full admin privileges without requiring UAC or anything else to intervene. Have you not heard of 0-day vulnerabilities? You actually browse the web with no JavaScript enabled all the time? That's pretty excessive these days. Half the sites on the net don't work without JavaScript anymore. You will be safer with a good free virus scanner than all your practices combined, and avoid all this hassle you are putting yourself through.
Even if you *can* manually check, which you actually can't with a cleverly programmed virus, but let's pretend there is a way to do it, like checking task manager command line - do you? No, you don't.
Please explain how you use WinPCap to regularly check if you are infected. I fail to see how this will help you in any way. You know that clever viruses hide themselves when commonly used detection and analysis tools are executed by the user, right?
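The two sides above argue about whether you can tell by hand which svchost.exe instances host which services (and, earlier, about adding the "startup path" column in Task Manager). The following is an added example written for this page, not code posted by anyone in the thread: it maps every svchost.exe PID to the services registered against it and then checks the Authenticode signature of each running service's binary. It assumes a Windows 10 or later host with PowerShell 5.1+ and works best from an elevated prompt, since unprivileged sessions cannot read the image path of every process.

```powershell
# Added example, not from the thread. Assumes Windows 10+ and PowerShell 5.1+.
# Run elevated so Get-Process can read the image path of every svchost instance.

function Get-SvchostServiceMap {
    # Win32_Service exposes the hosting ProcessId and the registered command line,
    # which is what Task Manager's "Command line"/"startup path" column shows.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -gt 0 }

    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $proc   = $_
        $hosted = @($services | Where-Object { $_.ProcessId -eq $proc.Id })
        [pscustomobject]@{
            Pid       = $proc.Id
            ImagePath = $proc.Path                      # $null without sufficient rights
            Services  = ($hosted.Name | Sort-Object) -join ', '
            # A svchost.exe with no service registered against it deserves a closer look.
            Orphan    = ($hosted.Count -eq 0)
        }
    }
}

function Test-ServiceBinarySignature {
    # Pull the executable out of a service command line and verify its signature.
    # Self-registered malware services are commonly unsigned or signed by an
    # unexpected publisher; a legitimate svchost.exe is Microsoft-signed.
    param([Parameter(Mandatory)][string]$PathName)

    # Handles both  "C:\path\x.exe" -k group  and  C:\path\x.exe -k group  forms.
    if ($PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($PathName -split ' -| /')[0] }

    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) {
        return [pscustomobject]@{ Path = $exe; Status = 'Missing'; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    [pscustomobject]@{
        Path   = $exe
        Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject
    }
}

# Report 1: every svchost.exe instance and the services it hosts.
Get-SvchostServiceMap | Sort-Object Pid | Format-Table -AutoSize

# Report 2: running services whose binary is missing or not validly signed.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $r = Test-ServiceBinarySignature -PathName $_.PathName
        if ($r.Status -ne 'Valid') {
            [pscustomobject]@{ Service = $_.Name; Path = $r.Path; Status = $r.Status }
        }
    } | Format-Table -AutoSize
```

`tasklist /svc` gives the first report in one command if PowerShell is unavailable. Two caveats that the thread itself raises: the command-line parser above assumes the executable path does not itself contain " -" or " /", and, more importantly, every one of these queries runs inside the machine being judged. A kernel-level rootkit that hides processes or hooks the signature check can make both reports look clean, so this is a hygiene check that catches sloppy malware and misregistered services, not proof that the host is uninfected.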