Saturday, June 30, 2007

Why Anti-Virus Software Cannot Stop the Spread of Email Worms.

Abstract:
With the attention received by the ``ILOVEYOU'' worm that floated around the Internet in the early part of May 2000, many people are wondering why their anti-virus software didn't prevent them from becoming infected and how they can protect themselves in the future. Here we argue that this approach to the problem, though popular, is fatally flawed and simply cannot work.

1. Introduction

Apparently everyone is looking for a solution to the problem of rogue software. When asked how to defend against such attacks, some ``experts'' will immediately jump into a discussion of firewalls, intrusion detection systems, and anti-virus software. Commonly, you'll also hear the word ``vigilance'' thrown in there someplace.

The picture is especially grim among end-users and non-expert information technology managers. Experts at least will recognize the roles of policy and education, though some of them need to be prompted to say much on that topic.

We have known about problems like this ``in the wild'' (as opposed to ``in the laboratory'') at least since 1988, when graduate student Robert T. Morris released his worm on the Internet. That worm, intended to be harmless, contained a fatal flaw in logic that would cause it to crash the machine it infected.

Before we get too deep into this discussion, we're going to have to spell out some terminology because this article is aimed at non-experts and the media have done such a ridiculous job mangling terms. (Note ye well, would-be defenders of the media's actions in this regard: using the wrong words for things won't make them any more understandable to non-experts. This practice does nothing more than confuse the issue, diluting the precision of our terminology, making it difficult for anyone to determine what is being said.)

1.1 Viruses, Worms, and Trojan Horses (Oh my!)

We have not attempted to compile a comprehensive list of every term used to describe the kind of destructive software that people think about when they hear a word like ``virus''. We merely want to illustrate the primary types of this software and to explain the primary differences among them so the topic at hand can be clearly understood, irrespective of the reader's background.

Virus: A code fragment that attaches itself to an executable program. Just as a biological virus does not exist without a ``host'', neither can a virus exist without some other program to which it can attach.

Worm: A program that will duplicate itself, usually through some sort of network connection.

Trojan Horse: A program with a hidden feature. An example would be a program that claims to display something entertaining on the user's screen but secretly deletes the user's files as the expected behavior is taking place.

Rogue Software: Any software whose job is to do something ``bad'', including viruses, worms, and trojan horses.

Malware: This is a relatively new term that has generally been used to apply to software that combines the properties of a virus and a worm. That is, instead of being a standalone executable program that replicates, it's a piece of software that uses a popular ``host'' like JavaScript, VBScript, or some application macro language to do its work. If part of that work includes replication via a network connection, voilà, you have malware. ExploreZip, Happy99, Melissa, and the ILOVEYOU variants are all examples.

1.2 Detecting Rogue Software

If a computer infected with rogue software were to be continuously reinfected, one of two things would likely happen, exposing the fact that the computer has a problem:
1. The machine would run out of disk space holding instance after instance of the rogue software.
2. The machine would run out of memory or processor cycles needed to manage each instance of the rogue software.

Relatively early examples of rogue software including PC-based viruses and the 1988 Internet Worm made an attempt to stay hidden for as long as possible by taking precautions to see whether the intended target was already infected. Some of these attempts were more effective than others.

Typically, the way to identify whether the intended target was already infected was to examine the machine for a particular ``signature'', a small stream of data that would be (theoretically) unique to that software. If the signature was found, the software would not install itself. If the signature was not found, the software would continue, installing itself, and looking for new targets.

In today's malware, similar mechanisms can exist, but often do not. The primary reason for this is that email-based malware does not tend to burden the individual machine that the victim is running, but rather the servers that provide email delivery services. Further, compared to most PC-based viruses, today's malware is very primitive.

In practice, server-based solutions simply throw away messages whose Subject header appears to match one of the known patterns for malware messages. Client-side solutions are not much more sophisticated, typically looking for a combination of factors, or something closer to the root cause, like a client that is attempting to execute some VBScript code attached to email.

Either way, it's an arms race: a significant change by the malware itself, particularly in the case of malware that has the ability to mutate, and the detector--client or server-based--is rendered useless.
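The Subject-matching filter described above, set beside a rule closer to the root cause, as an added example that is not part of the original article. The pattern list, extension list, addresses and sample messages are constructed for illustration.

```python
import os
import re
from email.message import EmailMessage

# Constructed rule data (assumptions for illustration, not a vendor's list).
SUBJECT_PATTERNS = [re.compile(r"^\s*ILOVEYOU\s*$", re.IGNORECASE)]
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def subject_rule(msg):
    """Server-style rule: discard if the Subject matches a known pattern."""
    subject = str(msg.get("Subject", ""))
    return any(p.search(subject) for p in SUBJECT_PATTERNS)


def attachment_rule(msg):
    """Rule nearer the root cause: a script attachment an interpreter would run."""
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Only the final extension decides which interpreter handles the file,
        # so "letter.txt.vbs" is a script, not a text file.
        ext = os.path.splitext(name.strip().lower())[1]
        if ext in SCRIPT_EXTENSIONS:
            return True
    return False


def build_sample(subject, filename):
    """Build a constructed message with an inert placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"placeholder bytes, not a real script\n",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


# Constructed samples: label -> (Subject, attachment filename).
SAMPLES = {
    "known pattern": ("ILOVEYOU", "letter.txt.vbs"),
    "same carrier, new Subject": ("Fwd: joke", "joke.txt.vbs"),
    "benign, matching Subject": ("ILOVEYOU", "photo.jpg"),
    "carrier type not on the list": ("Meeting notes", "notes.doc"),
}


def evaluate():
    """Return {label: (subject_rule_hit, attachment_rule_hit)}."""
    results = {}
    for label, (subject, filename) in SAMPLES.items():
        msg = build_sample(subject, filename)
        results[label] = (subject_rule(msg), attachment_rule(msg))
    return results


if __name__ == "__main__":
    for label, (by_subject, by_attachment) in evaluate().items():
        print(f"{label:30} subject={by_subject!s:5} attachment={by_attachment}")
```

The second sample passes the Subject rule untouched, the third is legitimate mail that the Subject rule discards, and the last passes both rules, which is the arms race the text describes.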

This sells lots of software, pays lots of consultants, and it can even put out the fire. But it's no solution to the problem.

1.3 Circumventing the Detector

Attempting to avoid detection, some rogue software will use more sophisticated means of hiding itself. Some can mutate over time so that as detectors are created for the original rogue software, successive generations will change their identity, rendering the detectors useless against the new generations. In practice, virus detectors are able to identify these mutant versions and to stop them, but this is probably only because the virus writers aren't especially clever in their means of mutation.

Solutions for email-based malware typically come in two forms:
1. Either server-based or client-based software that will identify and discard the messages through which the malware attempts to spread and
2. Client-based software that will identify and remove the malware itself, hopefully returning the infected machine to its pre-infection condition.

Generally, the first category is the most important, as this is where both infection and propagation take place. Infected machines aren't generally interesting because the malware has already run its course, doing whatever damage it will to the victim and spreading, often by means of email to everyone in the victim's email address book.

Malware that spreads via email is in a simple, easy-to-identify form. It's a message that claims to be sent from the victim to an individual in the victim's address book. The Subject header is typically unchanged, and the text of the message will say something that encourages the recipient to view the attached data. The attached data, when evaluated by the appropriate interpreter, infects the recipient's machine, starting the process over again.

In general, the user will have to run the attachment explicitly. However, a certain feature present in Microsoft's Outlook is that of automatically opening attachments. Microsoft claims this is an ``ease of use'' feature. We assert that this is nothing more than an ``ease of abuse'' feature, because it places the same level of trust in data that comes from an unknown source as it has with data from a known source. Blurring the boundaries of ``operating system'' vs. ``application'' and ``program'' vs. ``data'' is not only generally poor design, but is what makes malware possible.

2. The Issue of Trust

The real issue at stake here is one of trust. Who trusts whom? If the malware were to arrive via email, claiming to be from some random user, of whom the target has never heard, the message would be much more likely to go unread, and the target unaffected. Many people will open the mail, however, because it claims to be from someone they know. (This is an important distinction: without proof, perhaps in the form of a valid cryptographic-strength digital signature, there is absolutely no reason to believe that mail is actually from whom it claims to be.)

2.1 Software Trusts ``Local'' Data

Computers implicitly trust the data ``local'' to them. The very programs that they run are in fact data that are from a known source, either the internal hard drive, or perhaps a known and trusted local area network connection. In many cases, this is a generally reasonable thing to do, since a machine whose local data cannot be trusted is likely to have bigger and more serious problems than the sort of thing that the sort of malware we've seen so far covers.

2.2 Software Shouldn't Trust ``Remote'' Data

With the rise of the Internet, it is now possible for anyone to get data from anywhere. Bad guys and good guys alike are thrown together onto the same, ubiquitous network. Thus, data that comes from an unknown source should be distrusted, since it could well be from said bad guy.

The contents of email are such data. Email often originates from outside of the local area network. As such, it could be from literally anywhere, sent by literally anyone. This is why malware spreads: a bad guy has to inject it into the network in the first place. If no one ever trusted any such data, the malware would fail to infect anyone.

Thus, having been bitten by these sorts of problems in the past, many users have demanded software that will take precautions to warn the user when something potentially dangerous has been requested. Computists around the world spend countless hours now answering dialogue boxes that say ``Are you sure?''

2.3 Software Trusts its Users

Software trusts data it considers to be local. Software generally distrusts data it considers to be remote. But more important than the trust that software places in data is the trust that it places in users. Though certain ``dangerous'' requests might prompt an ``Are you sure?'' from the computer, if the user answers ``Yes, I'm sure'', the computer will typically do its best to fulfill the request. This is as it should be, for computers are the tools of humans.

However, the integrity of the computer and its data now depends fundamentally on the user. When the computer asks ``Are you sure?'' no consideration is ever given to the question ``is the user qualified to know?'' And the answer is that many times, the user is not. The spread of ILOVEYOU and its predecessors is evidence of this.

As long as there are users who can be fooled, malware will continue to plague us. So far we've been very lucky that the malware has been largely benign and too primitive to avoid even the most trivial forms of detection.

3. The Only Solution

Part of the last paragraph is key and it bears repeating here. As long as there are users who can be fooled, malware will continue to plague us. The problem, therefore, can be solved one of two ways:

1. Get rid of the users or
2. Help them to avoid getting fooled.

Drivers of automobiles need not be master mechanics. However, they do need to understand that the ton of steel that they're driving around needs to be used responsibly. Failing to drive responsibly has consequences ranging from minor inconvenience to the loss of human life. (Most of the time the damage will be somewhere in the middle.)

Users of computers need not be master hackers. However, they do need to understand that the hunk of silicon and plastic on their desks needs to be used responsibly. Failing to use computers responsibly has consequences ranging from minor inconvenience to the loss of human life. (Most of the time the damage will be somewhere in the middle.)


3.1 Educate

People who use computers need to understand the risks associated with computing. Some will resist, saying they need not know what the difference is between a Word document and a VBScript file in order to accomplish their jobs. They must be corrected and helped to understand the need to compute responsibly.


3.2 Guide


People who use computers need to be guided. That means a clear articulation of policy. Buzzword-laden corporate newspeak does not count. Rather than trying to cover every single case, establish general principles that easily translate into practices, without regard to the technology that happens to be popular at the second that the policy was drafted.

3.3 Assist

Only after the users have been educated and guided will technology be able to help curb the flow of malware. Technology itself can always be circumvented by users, so do not attempt to skip directly to this step.

Some technological and architectural considerations that help:

Properly designed and implemented software. There is no excuse for Microsoft Outlook's ``feature'' of automatically opening attachments, particularly executable ones. That bypasses the user's ability to exercise any measure of competence and to prevent his machine from being infected. That is a critically stupid misfeature and Microsoft's ``defense'' (``users requested it'') is no defense at all, it's a weak excuse that exposes Microsoft's complete failure to understand computing in a networked world.
Granting users minimum levels of access. Users who compute in environments where their access to the system is no greater than necessary to do their jobs pose a significantly smaller threat to an organization than users with privileges to do anything. Malware that deletes everything, for example, will only delete one user's files in the former environment. In the latter, it will wipe out everything.
Diversity in computing platforms. The reason why ILOVEYOU, Happy99, and friends were effective is because they were binary executable programs that would run on the targets' machines. Unix users, for example, could not fall victim to these menaces by virtue of being unable to run the Windows/x86 program. The greater the diversity in our computing environments, the fewer number of machines that can be targeted.
Safer software. What we mean by this is software that will not perform ``dangerous'' operations without specific authorization from a user with the competence to understand the issues at hand. Where potentially dangerous operations are not excluded by these other principles, they should be allowed only after confirmation that the associated risk is acceptable.

It's time we take a step back from the technology and assess our position. Instead of insisting on more and more features from vendors and giving them less and less time to implement them, we need to focus on the correctness of our systems' designs and implementations. People need to understand what they're using and how to avoid falling victim to these problems.

We need to get away from the syndrome of thinking that whatever the ``computer says'' is correct. When people are using tools that take reasonable precautions against doing the wrong thing and they understand how not to compromise the integrity of their systems, we'll all be in a much better position.


Wednesday, June 13, 2007

This Is How Much My Blog Is Worth


My blog is worth $390,920.62.
How much is your blog worth?

What is Agloco?

Today's hottest Internet businesses are all about the power of social networks. Companies like MySpace, Facebook, and YouTube have become worth billions. Social communities such as these rely on the users to build the community.

Agloco has asked a simple question:

The users created the community, so where's their share of the profit?

It was from this question that AGLOCO set out to create the Internet's first Economic Network, harnessing the power of Internet-based social networks to directly benefit the Members who help to create the community.

In its simplest form this is how Agloco works:

- Agloco has developed a tool called the Viewbar. The Viewbar subtly displays ads and discreetly runs on your computer for 5 hours or less every month.


1. Companies pay Agloco to advertise (on the Viewbar)

2. Agloco pays us to take 2 minutes to install the Viewbar and sign up.

3. Agloco then pays us more if we build the network. i.e. after you sign up and install the Viewbar, you tell your best friend to do the same.

4. Agloco pays by the number of hours the Viewbar is run every month (5hr maximum)

5. More people in your network = more hours of Viewbar running = more money for everyone!

Reasons To Join

1. Agloco pays you for doing something you always do, surf the net.
2. It is free to join
3. Become part of the next generation of the Internet "The Economic Network"
4. It's your Internet, so own it!

Thursday, May 31, 2007

Join Agloco and Become a Millionaire

The Viewbar is due for release any day now!

FOR ANYONE WHO HAS NOT JOINED AGLOCO NOW IS THE TIME TO DO SO!

Join now so you can be a founding member of Agloco. Also Agloco has stated the Viewbar will be released in order of sign ups. If you wait till it is already released you will be far in the back of the line.


For those of you who are already members, get busy recruiting. Here is a simple splash page you may use (given The Agloco Network link is credited somewhere) to quickly capture and recruit prospective Agloco'ers.


--- JOIN NOW ---

BECOME PART OF AN INTERNET PHENOMENON

Are You Ready To Capture Your Share of Internet Wealth?

Are you ready to earn money simply by surfing the web?

--- JOIN NOW ---

How Much Will You REALLY Make?

Okay, this is a very good question for prospective Agloco'ers. Well, if you read the last post of mine you would have stumbled upon some writings on the AllAdvantage company. As mentioned previously, the AllAdvantage company was very successful at first; however, towards the 2000's, when the dot com spenders diminished, the company's finances followed. Another reason for the poor financial outcome of AllAdvantage was the amount of money that went back to the users of AllAdvantage. A reported 120 million of the 200 million raised was paid to the members of AllAdvantage.

Okay, so the point of mentioning the AllAdvantage company was to show what the same founders of Agloco are going to do differently this time. Instead of paying in cash, and essentially running the company into the ground, this time Agloco has decided to issue SHARES (and cash). Yes, that is right: along with money we will also be issued shares in the Agloco company. So when Agloco says that their company is member owned they are not kidding.

Now, here is the thing many people are missing. The shares we earn (based on the number of hours of Viewbar time we have times the number of direct and indirect refs) will not be worth anything until the Agloco company goes public. Or until the Agloco company makes its way onto the stock exchange (expected 4th quarter 2007).

HOW MUCH WE MAKE DEPENDS ON THE INITIAL PUBLIC OFFERING.

I am going to conservatively guess that Agloco, when initially open for trade, will not be less than $.50 per share. (Please, any tech-minded traders out there, give me your opinion.) I will also wager a guess that Agloco is not going to bust out an IPO at, say, $400 per share. So let's stay conservative and realistic and use the stock price of $0.50. Now, my Agloco friends, do not be fazed.

Agloco has an earnings calculator on their website. Many people are getting confused and excited when they use this calculator. They type in relatively conservative numbers like:

Direct Referrals : 10
Avg Number of referral EACH of your referrals will get: 15
Nmbr . Hrs. Viewbar time: 5hrs (each)

Then they hit calculate and this is the number they get: 678017.5

WHAT THE F***?!

Yeah, ladies and gentlemen, this is not a DOLLAR amount, nor a YEN amount. This is how many shares you will earn! (Per month, given all values stay the same every month... which they won't, because A. you can gain more referrals, B. people's hours will differ.)

Okay, so I hope I didn't burst your hope bubble. Remember that conservative $0.50 opening price? Well, if you own 678017.5 shares, times that by the stock price and by golly THAT IS HOW MUCH YOU HAVE EARNED!

Which in this case is $339008.75 in a month... okay, I myself have started thinking... that is still A LOT OF MONEY. Okay, maybe I am not being conservative enough in my guesses.

Let's try again:

Direct Referrals : 5
Avg Number of referral EACH of your referrals will get: 2
Nmbr . Hrs. Viewbar time: 4hrs avg(each)

Hit calculate and this is what you get: 159

Times this by the $0.50 share price and you will earn $79.5 a month avg.

I would say I am very happy with the first result...BUT...I am very happy with the second result as well. I would say investing a total of $0 in a company and receiving an average $79.5 dollars in return is PRETTY DAMN GOOD.

So as you can see the more referrals you get the more hours you will get, and that translates into more stock shares, and thus MORE MONEY.

So this is a lesson, if you want to make the big ones with Agloco you have to build a good network. Although no one should be complaining, because no matter what they make from Agloco, it was 100% return.

And so this concludes my interpretation of the potential earnings of Agloco.

PLEASE NOTE: I have no idea what the opening stock price will be. All my calculations were based on conservative values for demonstration purposes.

If there are any stock experts out there who have knowledge of the dot com industry, please comment and give us your opinion.

I hope this was of at least a little help,

So if you got my point, please Join Agloco Now so you can begin building a large network, I will stress this again:

More Direct Refs / Extended Refs = More Viewbar Hours = More Stock Shares = More Money!

Sunday, May 27, 2007

Free computer virus finds willing victims

HELSINKI, Finland (Reuters) -- Computer specialist Didier Stevens put up a simple text advertisement on the Internet offering downloads of a computer virus for people who did not have any.

Surprisingly, he found as many as 409 people clicking on the ad saying "Is your PC virus-free? Get it infected here!" during a 6-month advertising campaign on Google's Adword, said the IT security expert.

"Some of them must have clicked on it by mistake. Some must have been curious or stupid," said Mikko Hypponen, head of research at data security firm F-Secure.

There was no virus involved, it was an experiment aiming to show these kinds of advertising systems can be used for malicious intent, Stevens told Reuters.

Saturday, May 26, 2007

Did Girls Have Their Own Rights?

Today I saw an article on the Minivan News website which gave me a shock. When I saw it I thought I was dreaming. I couldn't really believe that an "Imaam" would do such crazy things. Let's see what's in it.

"Island Shattered As Imam Accused Of Molesting Children"

Goidhoo island, a small community of 600 residents in Baa atoll, has been in shock since Sunday over allegations the island Imam has used Koran classes to sexually molest girls aged as young as six.

Five different girls aged between eleven and nineteen have accused the Imam, Ali Rasheed, of molesting them in incidents dating back to 1999, when he set up the Koran classes in the island mosque.

Three of the alleged victims are nieces of Rasheed, one by blood and two by marriage.

The mothers of three of the alleged victims reported the claims to the island office on Monday and Rasheed was arrested on Wednesday. But not before he was attacked by a group of island youths on his way to morning prayers that day.