Problems with private justice (was Re: Spyware becomes increasingly malicious)
> I guess the big question is, is there anyone (other than those profiting directly from CWS) that would complain if a provider were to do such a thing...

> looks like a psi-net pink contract inherited by cogent. but since the psi-cogent rollup was an asset sale rather than a corporate merger, cogent probably isn't bound by that contract. somebody needs to get on the phone, i guess.

This is a problem with implementing private justice. Do you have all the facts?

The CWS trojans are not downloaded from the Cool Web Search site. Could this be a Joe job by someone who doesn't like the owners of Cool Web Search? The owners of the Cool Web Search company deny they are the creators of, or affiliated with the creators of, the CWS trojans. Maybe they are lying. Maybe other Joe jobs have lied too.

Blocking or de-peering the service provider for Cool Web Search will not prevent you from being infected with CWS trojans, any more than blocking or de-peering the service provider for Google will prevent you from being infected with Google trojans, or blocking and de-peering the service provider of Paypal will prevent people from sending you mail offering to update your Paypal account information, or blocking and de-peering SCO would prevent people from being infected with viruses which attacked the SCO web site.

I don't have all the facts. Maybe someone else does.
RE: Spyware becomes increasingly malicious
William Warren wrote:
> I second that. The version I saw required a third party registry editor and booting up into the recovery console from an XP cd (safe mode didn't cut it) just to remove a hidden dll.

Which is why I made the executive decision to re-image instead of trying to fix, as unfortunately a new variant requires spending more time learning it, which is not worth it. :-(

> What I don't understand is how exploiting bugs in a program (internet explorer) to install software without the consent or even acknowledgement from the owner/user is legal behavior.

<me puts the devil's advocate suit on>

There is a grey area between being legal and not being illegal. Compare to the junk fax issue: it was not legal either (as it spent the recipient's money without authorization) but it did take special legislation to make it specifically illegal. If you were to go to court it would not be a slam dunk by any means; it is going to take more nuisance than there has been so far for the legal system to do something about it. Trouble is, it does not prevent you from using the computer, mostly.

Michel.
RE: Spyware becomes increasingly malicious
David Schwartz wrote:
> One wrong turn probing it can render a machine unusable until it's reloaded.

Ah, I'm not the only one it appears. In the meantime, let's at least blackhole all their IPs on our networks. Do any of the regular lists keep track of this and already blacklist?

Michel.
RE: Problems with private justice (was Re: Spyware becomes increasingly malicious)
<oops>
I just realized that I incorrectly quoted William Warren instead of Brian Battle in my previous post. Sorry guys, cut/paste casualty.
</oops>

Sean Donelan wrote:
> Could this be a Joe job by someone who doesn't like the owners of Cool Web Search? The owners of the Cool Web Search company deny they are the creators of, or affiliated with the creators of, the CWS trojans. Maybe they are lying. Maybe other Joe jobs have lied too.

Good points.

> I don't have all the facts. Maybe someone else does.

Yep, the guys that write the Trojans :-D As Brian says:

Brian Battle wrote:
> The authors of these coolwebsearch variants are extremely intelligent programmers with far more understanding of the bowels of the windows platform than your average script kiddies.

The problem I have is not with understanding of the bowels, but with the ability to produce bowel movements.

Michel.
Re: Problems with private justice (was Re: Spyware becomes increasingly malicious)
LOL..not a problem..:)

Michel Py wrote:
> <oops>
> I just realized that I incorrectly quoted William Warren instead of Brian Battle in my previous post. Sorry guys, cut/paste casualty.
> </oops>
>
> Sean Donelan wrote:
>> Could this be a Joe job by someone who doesn't like the owners of Cool Web Search? The owners of the Cool Web Search company deny they are the creators of, or affiliated with the creators of, the CWS trojans. Maybe they are lying. Maybe other Joe jobs have lied too.
>
> Good points.
>
>> I don't have all the facts. Maybe someone else does.
>
> Yep, the guys that write the Trojans :-D As Brian says:
>
> Brian Battle wrote:
>> The authors of these coolwebsearch variants are extremely intelligent programmers with far more understanding of the bowels of the windows platform than your average script kiddies.
>
> The problem I have is not with understanding of the bowels, but with the ability to produce bowel movements.
>
> Michel.

--
My Foundation verse:
Isa 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.

-- carpe ductum -- Grab the tape
tunnel PMTUD with mss adjustment
Hello All,

I have been talking to Company C's TAC trying to understand if this is a problem. (For reference to some things mentioned here see http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#subthirdtwo)

1) C has a command to adjust the tcp mss option downward on packets that traverse an interface.
2) C has a command to set the ip mtu on an interface.
3) C has a command that enables an IPSEC/GRE tunnel to conduct PMTUD on its path (by copying the df bit from the encapsulated packet into the resulting packet).

I had been trying to convince TAC that 1 and 3 might not work properly together and that is a problem. I gave them this scenario.

  Host A = HOST D
     || MTU 1500
  Router A
     ( || MTU 1492 ) (ISP A)
  IPSEC/GRE Tunnel A        Initial MTU 1432
     ( || MTU 1492 ) (ISP B)
     ( || MTU 1492 )
  Router B
     ||
  Router C = HOST C (PMTUD works)
     ||
  Router D
     ||
  Firewall A (Breaks PMTUD)
     ||
  Host B

Router A and Router B are configured for

  int tunnel 0
   tunnel path-mtu-discover
   ! Physical MTU (pppoe) - GRE - IPSEC transport mode
   ip mtu 1432
   ip tcp adjust-mss 1392

Now let's assume that ISP B lowers the mtu between it and ISP A to 1476 bytes, and TUNNEL A detects this and both ROUTER A and ROUTER B lower their tunnel mtu during an exchange of packets between HOST D and HOST C (which are configured for PMTUD and have the df bit set). Now the tunnel mtu is effectively 1416.

When HOST A sends a packet to HOST B with an mss-adjusted option of 1392, HOST B sends an IP packet of length 1432 back to HOST A. Router B drops the packet (because it has DF set, since HOST B is configured to do PMTUD, and the packet is 16 bytes larger than the current tunnel mtu) and sends an ICMP unreachable, which gets blocked by FIREWALL A. HOST A will find itself unable to communicate with HOST B because of a PMTUD blackhole.

SO in this scenario the ip tcp adjust-mss fails to achieve its stated goal of minimizing PMTUD blackholes by aggressively seeking to limit the PMTU to a known interface mtu size.

What would be reasonable to expect is that the tunnel layer would inform the mss-adjust layer that the original assumption of interface mtu is no longer valid and behave accordingly. Had the adjustment of the MSS option in the packet from HOST A to HOST B taken into account the now 16 bytes lower tunnel mtu, and adjusted to 1376 instead of 1392, the packet from HOST B would have been sized at 1416 and would have traversed (hopefully) to HOST A safely.

At this point I am just a tad confused, so I was wondering if any NANOGers had some light they could shed on this.

Thanks,
Joe
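As an added illustration (not from Joe's post, and not Cisco code), the following Python models his scenario: the adjust-mss clamp at the tunnel interfaces, Tunnel A's MTU shrinking by 16 bytes after tunnel path-mtu-discover learns the smaller path, and Firewall A swallowing the ICMP. The byte counts are his (1432/1392/1416/1376) plus the 20-byte IP and TCP headers they imply; the `static_mss=None` mode is a hypothetical stand-in for what he says would be reasonable, deriving the clamp from the tunnel's current MTU.

```python
from dataclasses import dataclass
from typing import Optional

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options


@dataclass
class Tunnel:
    """Tunnel A. 'mtu' starts at the configured 'ip mtu' and is lowered
    when tunnel path-mtu-discover learns a smaller path MTU."""
    mtu: int


@dataclass
class Router:
    """Router A / Router B: both run 'ip tcp adjust-mss' on the tunnel.
    static_mss=None is the hypothetical behaviour Joe asks for: derive
    the clamp from the tunnel's current MTU instead of a fixed value."""
    tunnel: Tunnel
    static_mss: Optional[int]

    def clamp_mss(self, offered_mss: int) -> int:
        """MSS the far host sees after the router rewrites the SYN option."""
        if self.static_mss is not None:
            limit = self.static_mss
        else:
            limit = self.tunnel.mtu - IP_HDR - TCP_HDR
        return min(offered_mss, limit)


def forward(tunnel: Tunnel, packet_len: int, df: bool, icmp_reaches_sender: bool) -> str:
    """What happens to a packet entering the tunnel at Router B."""
    if packet_len <= tunnel.mtu:
        return "delivered"
    if not df:
        return "fragmented"
    # DF set and too big: Router B drops it and sends ICMP unreachable
    # (fragmentation needed). Firewall A decides whether Host B ever sees it.
    return "icmp-too-big" if icmp_reaches_sender else "blackhole"


def scenario(static_mss: Optional[int], path_shrink: int, firewall_blocks_icmp: bool = True):
    """Host A opens a TCP session to Host B through Tunnel A; Host B answers
    with a full-MSS, DF-set segment. Returns (mss_seen_by_b, reply_len, outcome)."""
    tunnel = Tunnel(mtu=1432)
    tunnel.mtu -= path_shrink               # e.g. ISP B's 16-byte drop, learned by tunnel PMTUD
    router = Router(tunnel, static_mss)
    mss_seen_by_b = router.clamp_mss(1460)  # Host A on a 1500-byte LAN offers MSS 1460
    reply_len = mss_seen_by_b + IP_HDR + TCP_HDR
    outcome = forward(tunnel, reply_len, df=True, icmp_reaches_sender=not firewall_blocks_icmp)
    return mss_seen_by_b, reply_len, outcome


if __name__ == "__main__":
    print("static 1392, tunnel shrinks 16:", scenario(1392, 16))         # blackhole
    print("MSS derived from tunnel MTU:   ", scenario(None, 16))         # delivered
    print("static 1392, no shrink:        ", scenario(1392, 0))          # delivered
    print("ICMP not blocked:              ", scenario(1392, 16, False))  # icmp-too-big
```

The fourth case shows why the firewall matters: with the ICMP unreachable reaching Host B, the host's own PMTUD would repair the session even though the static clamp is stale.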
Re: Spyware becomes increasingly malicious
> The authors of these coolwebsearch variants are extremely intelligent programmers with far more understanding of the bowels of the windows platform than your average script kiddies. If you get hit with the version I saw, it's no 10 minute piece of cake.

It makes spyware more dangerous than viruses, which are written (in 99.99% of cases) by younger and less experienced persons (and without good QA, good project management etc).

> What I don't understand is how exploiting bugs in a program (internet explorer) to install software without the consent or even acknowledgement from the owner/user is legal behavior. To me, it's just like someone abusing

It is not a bug; it is a specially designed IE feature. MS always was proud of their full automation - install on demand, update automatically, add new software to start at startup without need to be system admin, etc etc... As a result, we have a field full of bugs, pests, pets, spiders, spies and so on... They have _exactly_ what they designed. No one even bothered to ask me 'do you want to allow this registry change', because 'MS believe that their users are lamers so everything must be automated from the beginning to the end'...

It is another weak side of MS design (first one is complexity) and other side of MS agriculture (first one is monoculture easily infected by mortal infection). I do not blame MS, but what about spyware on MAC-s - is it so easy to write and install spyware there?

> a bug in bind, and installing a rootkit, which last time

It is a difference. This was a bug. Bind has no undocumented features. MS has millions of undocumented features, and (because they never opened their OS and never published full specs) every developer plays a game 'find a feature before competitors and use it'. As a result, someone finds features which were not designed but just 'happened' -:). Anyway, these are features, not bugs. This is 100% legal at this point (and even if it is not legal, who bothers about it outside of USA? No one!).

> I checked, could end up getting someone in legal troubles. For another hastily-thought-out analogy, it's like someone breaking into your house and reprogramming your cable box to keep changing the channel to the home shopping club every 30 seconds.
>
> -Brian
Looking for historical BGP announcement information
Hello,

I am looking for a database that would have BGP inserts/withdrawals from mid 1999 time frame. Any help is appreciated.

--
Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben
--
Net Access Corporation, 800-NET-ME-36, http://www.nac.net
--
Re: Looking for historical BGP announcement information
> I am looking for a database that would have BGP inserts/withdrawals from mid 1999 time frame.

oregon route views project
Re: Spyware becomes increasingly malicious
On Mon, 12 Jul 2004 12:37:37 EDT, Hannigan, Martin [EMAIL PROTECTED] said:

> alt with at the browser level in MS Security Bulletin MS03-011. I have a hard time blaming MS for everything since in most cases of these things they do react.

How do they force the users to update? Could they implement a switch that says no update, no working browser? At least for IE?

> Scob was dealt with via the hammer, this could be too.

At some point, one needs to say I've pounded enough nails, it's time to look at alternate fasteners...
Re: Spyware becomes increasingly malicious
Brian Battle wrote:
> For another hastily-thought-out analogy, it's like someone breaking into your house and reprogramming your cable box to keep changing the channel to the home shopping club every 30 seconds.

That would be the result of the broadcast bit.

Pete
OT: xDSL hardware
Hi,

I'm wondering if there are any ISPs here that are Covad partners that have found a need to terminate a DSL line alongside a T1 for backup. The problem I'm finding is that the Covad-supplied/approved routers are fairly feature-less, making any type of backup application impossible without some ugly hacks (put DSL in bridge mode, run ospf across both links).

Is anyone aware of a WIC card that will work with the lower end Cisco gear (1700 or 2600 series) that will allow me to terminate an ADSL or preferably an SDSL line directly on the router? The idea being that the router is then aware of link up/down status...

I found an ADSL card (WIC-1ADSL), but Covad is unable to tell us if this works with their dslams or not. I seem to recall an SDSL modem with a v.35 interface, does anyone know of such a thing that will work with Covad's dslams?

Sorry for the OT...

Charles

--
Charles Sprickman
[EMAIL PROTECTED]
RE: Spyware becomes increasingly malicious
Alexei Roudnev wrote:
> It is not a bug; it is a specially designed IE feature. MS always was proud of their full automation - install on demand, update automatically, add new software to start at startup without need to be system admin, etc etc... As a result, we have a field full of bugs, pests, pets, spiders, spies and so on... They have _exactly_ what they designed. No one even bothered to ask me 'do you want to allow this registry change', because 'MS believe that their users are lamers so everything must be automated from the beginning to the end'...

Most of the latest versions appear to install themselves using the ByteCode Verifier vulnerability in the Microsoft Virtual Machine. Fully patched systems don't get the stuff installed. I'm sure the authors are working on newer injection methods. Though the blame might be placed on Microsoft for having a flaw in their code, this wasn't part of any IE feature. You can read more about this exploitable bug (not feature) at http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx

> I do not blame MS, but what about spyware on MAC-s - is it so easy to write and install spyware there?

I don't really want to get into the argument of why people choose microsoft products to attack, but if someone was going to choose a product to attack, from which they were going to try and make the most money/impact off of, do you think they would choose the product with the largest user base? I think that's the case here. It would be a poor business decision not to, and these people are definitely out to make as much money as they can off of these exploits.

> This is 100% legal at this point (and even if it is not legal, who bothers about it outside of USA? No one!).

It really shouldn't be legal. It is someone gaining unauthorized access to computer systems and altering data on those machines. Not to mention that people are profiting from these intrusions.

-Brian
Re: OT: xDSL hardware
On Tue, 13 Jul 2004, Charles Sprickman wrote:

> I'm wondering if there are any ISPs here that are Covad partners that have found a need to terminate a DSL line alongside a T1 for backup.

Yes. Not doing it currently, but when we did we used a FlowPoint 2200 in routed mode into the second ethernet port on a 2e/1serial 25xx, with a /30 between the FP and the Cisco.

> Is anyone aware of a WIC card that will work with the lower end Cisco gear (1700 or 2600 series) that will allow me to terminate an ADSL or preferably an SDSL line directly on the router? The idea being that the router is then aware of link up/down status...

Covad business class is SDSL. But - if the DSL line is backup to the T1, does the router 'need' to know that the DSL line is down? I believe we just used weighted static routes. If the T1 was up use that, otherwise use the DSL. If both are down -- it won't really matter, will it? :-) (Unless you are relying on SNMP monitoring from this router internally for an alarm).

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Off-Topic: N.Y. Buyout Firm Has Its Eye on MCI
Leucadia National Corp., a New York buyout firm, has expressed interest in acquiring a controlling stake in MCI Inc., raising new questions about the telecommunications giant's future just three months after it emerged from bankruptcy.

http://www.washingtonpost.com/wp-dyn/articles/A45160-2004Jul12.html/?nav=yb-te1

- ferg

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
[EMAIL PROTECTED] or [EMAIL PROTECTED]
Re: OT: xDSL hardware
> Is anyone aware of a WIC card that will work with the lower end Cisco gear (1700 or 2600 series) that will allow me to terminate an ADSL or preferably an SDSL line directly on the router? The idea being that the router is then aware of link up/down status...

There is a WIC-1ADSL for 1700/2600. Not sure about an SDSL WIC. We have done a few T1/ADSL and ADSL/ISDN setups and it seems to work fairly well.

I also spoke to a computer integrator that claimed they were working with Cisco to develop a ping-like action for determining if the next hop was alive and if not set the interface down so it would failover to the secondary interface / route. I assume it would be a 12.3(x)-ish release.

Eric
RE: xDSL hardware
Charles Sprickman wrote:
> I found an ADSL card (WIC-1ADSL), but Covad is unable to tell us if this works with their dslams or not.

I doubt it would, as the WIC-1ADSL does only ADSL, not SDSL, and all the Covad I have seen so far is SDSL. However, there is a Single Port G.shdsl WAN Interface Card (WIC-1SHDSL-V2); the question is does Covad use G.SHDSL or old-style proprietary SDSL. There are some low-end Cisco routers such as the 828 that do G.SHDSL as well.

I don't get why you need to be aware of the link status though, as the SDSL is your backup not your primary. If the SDSL was the primary and the backup was dial-on-demand ISDN I would understand, but not with a T1.

Michel.
Re: Off-Topic: N.Y. Buyout Firm Has Its Eye on MCI
On Jul 13, 2004, at 10:09 PM, Fergie (Paul Ferguson) wrote:

> Leucadia National Corp., a New York buyout firm, has expressed interest in acquiring a controlling stake in MCI Inc., raising new questions about the telecommunications giant's future just three months after it emerged from bankruptcy.
>
> http://www.washingtonpost.com/wp-dyn/articles/A45160-2004Jul12.html/?nav=yb-te1

Doesn't Leucadia also own ... WilTel? I forgot (and am not registered for the Washington Post).

--
TTFN,
patrick
Re: Off-Topic: N.Y. Buyout Firm Has Its Eye on MCI
they have a large stake yes..:)

Patrick W Gilmore wrote:
> On Jul 13, 2004, at 10:09 PM, Fergie (Paul Ferguson) wrote:
>
>> Leucadia National Corp., a New York buyout firm, has expressed interest in acquiring a controlling stake in MCI Inc., raising new questions about the telecommunications giant's future just three months after it emerged from bankruptcy.
>>
>> http://www.washingtonpost.com/wp-dyn/articles/A45160-2004Jul12.html/?nav=yb-te1
>
> Doesn't Leucadia also own ... WilTel? I forgot (and am not registered for the Washington Post).
Re: Off-Topic: N.Y. Buyout Firm Has Its Eye on MCI
Speaking on Deep Background, the Press Secretary whispered:

> Doesn't Leucadia also own ... WilTel? I forgot (and am not registered for the Washington Post).

Using lynx bypasses the Post's BigBrotherBot...

--
A host is a host from coast to ............ [EMAIL PROTECTED]
no one will talk to a host that's close ... [v].(301) 56-LINUX
Unless the host (that isn't close) ........ pob 1433
is busy, hung or dead ..................... 20915-1433