
This is quite interesting

This topic is closed.

    #61
    Re: This is quite interesting

    Originally posted by Telengard

    I swear I didn't mean it to be so controversial

    The original topic of this thread was not security.
    Yes, I for one know what happened, and it was not in any way your fault.

    As to the second - you are right of course, it just swung that way

    Comment


      #62
      Re: This is quite interesting

      Originally posted by Telengard
      I swear I didn't mean it to be so controversial
      It happens, and can happen in any forum. I wouldn't sweat it.

      Originally posted by Telengard
      Generally speaking Linux desktop users are more likely to fall victim to phishing or man-in-the-middle attacks than an actual virus, but that does not mean it is impossible.
      +1 - It would not be very difficult to trick someone who believes they are invulnerable. They let their guard down making them much easier targets.

      A classic mistake is to give up personal information no matter how insignificant. For example let's say someone posted an IP address and said "attack me". An IP address typically gives up someone's location unless it is masked by a proxy or simply a fake.

      If you have an internet handle from for example a forum, that can lead to a real name. A real name plus an internet handle can lead to an email address. This can for example lead to information about a former employer.

      A real name + the location from the posted IP can lead to a physical address, and a telephone phone number. This can lead to property records, spousal information, etc. You see where this can go, all from an IP posted in a forum. Not very smart.

      Now you have the person's name, address, phone number, internet service provider, information about their former employer and quite possibly a lot of other information, it would be trivial to make up a story to get the user (or the user's spouse) to download and execute something on the computer which exposed the computer in some way to attack.

      In this example let's use a uuencoded binary payload that contains a private key, an ssh daemon and a reverse tunnel. Let's execute it as the user on a high port so the user will not notice that it's there. Maybe instead we can inject a script that sleeps for a while, waking up now and then and copying any new data found in $HOME to the attacker's home base. Let's randomize it to mask its pattern.

      What if the attacker turned on the camera on your laptop and watched you? There was a guy in the news that just got busted doing this very thing. My point ultimately is that the platform doesn't really matter, and no one platform ultimately protects better than any other.

      Originally posted by Telengard
      Someone already mentioned the IRC daemon which was compromised at its primary distribution site. Gentoo shipped the compromised daemon to its users. It would not have happened if the binaries had been signed and if the distribution site had included an MD5 hash of the original file.
      Signing them would have mitigated it alone, however the MD5 could have been swapped out pretty easily if it was hosted on the same server. This doesn't however eliminate an author gone rogue. If one of the authors of this IRC daemon for example decided to place bad code in the source it may well go unnoticed when another author signs the package.

      Note, I am in no way saying that these authors are malicious, I simply am using them as an example.

      Originally posted by Telengard
      However if someone makes a statement which is provably false then I don't think providing the evidence of falsehood should be considered accusatory rhetoric. We definitely don't need this fine community polluted with personal attacks. Our goal should be to inform users with the facts as best we understand them.
      This. It is often easier for someone that does not "get it" to make accusations rather than to accept the facts presented.

      Back on topic though, how 'bout those posts?
      Don't blame me for being smarter than you, that's your parent's fault.

      Comment
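The point made in post #62 above (a checksum hosted next to the file can be swapped along with it, and neither a checksum nor a signature catches an author who ships bad code), as an added example that is not part of the thread. The `Mirror` class, the function names and the file name are constructed for illustration, and SHA-256 stands in for the MD5 mentioned in the posts.

```python
import hashlib
import hmac


def digest(data: bytes) -> str:
    """Hex SHA-256 of a release artifact."""
    return hashlib.sha256(data).hexdigest()


class Mirror:
    """Constructed stand-in for a download server: file name -> bytes."""

    def __init__(self):
        self.files = {}

    def publish(self, name: str, data: bytes) -> None:
        # Whoever can write the file can also write the checksum beside it.
        self.files[name] = data
        self.files[name + ".sha256"] = digest(data).encode()

    def fetch(self, name: str) -> bytes:
        return self.files[name]


def verify_cohosted(mirror: Mirror, name: str) -> bool:
    """Check the download against the checksum served by the same host."""
    published = mirror.fetch(name + ".sha256").decode()
    return hmac.compare_digest(digest(mirror.fetch(name)), published)


def verify_pinned(mirror: Mirror, name: str, pinned: str) -> bool:
    """Check the download against a digest obtained over a separate channel
    (for example a distribution's own signed package manifest)."""
    return hmac.compare_digest(digest(mirror.fetch(name)), pinned)


def run_scenario() -> dict:
    """Return {case: (cohosted_check_passes, pinned_check_passes)}."""
    name = "ircd-1.0.tar.gz"                      # constructed file name
    original = b"constructed release contents"    # constructed sample data
    tampered = original + b" + backdoor"
    results = {}

    # Case 1: untouched server. Both checks pass.
    mirror = Mirror()
    mirror.publish(name, original)
    pinned = digest(original)                     # recorded at release time
    results["clean"] = (verify_cohosted(mirror, name),
                        verify_pinned(mirror, name, pinned))

    # Case 2: server compromised after release. File and checksum are
    # replaced together, so only the out-of-band digest notices.
    mirror.publish(name, tampered)
    results["server_compromised"] = (verify_cohosted(mirror, name),
                                     verify_pinned(mirror, name, pinned))

    # Case 3: the bad code was in the release before anyone pinned or
    # signed it. Every integrity check passes, because integrity only
    # proves the bytes are the ones that were published.
    rogue = Mirror()
    rogue.publish(name, tampered)
    pinned_rogue = digest(tampered)
    results["rogue_author"] = (verify_cohosted(rogue, name),
                               verify_pinned(rogue, name, pinned_rogue))
    return results


if __name__ == "__main__":
    for case, (cohosted, pinned_ok) in run_scenario().items():
        print(f"{case:20} cohosted={cohosted} pinned={pinned_ok}")
```

A signature verified against a public key obtained independently of the download server plays the same role as the pinned digest in case 2, and has the same blind spot in case 3.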


        #63
        Re: This is quite interesting

        Pretty abstract stuff. lol However, I certainly agree that running mystery executables is a possible way to get your computer compromised. It is also generally avoided by anyone who cares one way or the other. I imagine the fashion hounds with the laptops and built in cameras and stuff could be vulnerable, but I would be careful about generalizing on that issue.

        Regarding personal information, I'm not sure if the distribution of the basics is preventable. I personally am very sensitive about it, but still everybody knows me and where I live. The person and the place are one and the same. That is traditional and goes back thousands of years. Note all the "von" and "van" and "de la" names. To me a life of anonymity would be deeply embarrassing. I would be ashamed of myself if I couldn't look someone in the eye, shake their hand, and tell them my name. Despite that philosophy, if you get within 20 maybe even 100 miles of my place people will know the house. I can't avoid that. Perhaps I am different in some way, but note that I am not hiding under any assumed names here and am willing to say what I mean as the person I am.

        Those of us who use the internet will also find our phone numbers and addresses plastered all over the place by ICANN. Perhaps it's their idea of a joke, but it's reality. The phone book works in a similar way for people who use phones. As for where I have worked, CBC, Cultural Alliance, etc etc etc, that's all a matter of public record. Where I draw the line is at birth date and mother's maiden name - although those are not really that hard to find if you want. What I'm trying to say is that someone who is worried about their name and address being part of their public profile is probably in need of a lifestyle change - if not a bodyguard. I personally consider that very unhealthy and will actively campaign against it. Don't get me wrong though, despite being strongly against it, I make a point of helping people who are lost and will always be here if they need me for support.

        As for IP, well that's a funny one. My public IP is within 300 miles of here, but what is someone going to do with that?

        Regarding this thread. It certainly has turned into a security discussion, and yes, it might be a good idea to start that elsewhere. Telengard's original idea is a good one and should probably be started elsewhere too. It's hard to address it at this point.

        Comment


          #64
          Re: This is quite interesting

          Originally posted by Ole Juul
          Despite that philosophy, if you get within 20 maybe even 100 miles of my place people will know the house. I can't avoid that.
          I don't know about where you live, but photographs of my own house, driveway, and street are currently indexed in Google's database. Anyone who types the name of my city and street into Google maps can easily see pictures of my front lawn.
          Welcome newbies!
          Verify the ISO
          Kubuntu's documentation

          Comment


            #65
            Re: This is quite interesting

            Yes Google maps is cool. In this area they don't give us much detail, but you can still zoom in to the level where my workshop and cottage show up. Unfortunately you can't see who's parked outside, or if I'm on the roof. Anyway, that's an historical building in a town which has been almost a ghost town. It is the old general store and was built in 1912 when the town started. Have a look if you like - Google 1841 Front street Coalmont BC. That's all just lots of fun, and I really enjoy looking at the satellite view of where I grew up in Denmark - you can see the cars in that area - tracing the route I walked to school etc, is way cool. However, I'm all for putting some brakes on this because at some point this is going to be a problem. A little more detail and frequent updates and someone from out of the area is going to be able to tell if you're home or not. Of course some people advertise that on the net too, (GPS, twitter, etc) but I think that is going too far, security wise. Still, now you all know where I live, I hope some of you will drop in for coffee some time.

            Comment


              #66
              Re: This is quite interesting

              I do wish I could feel free to disclose so much about myself. In my experience though, the more strangers know about me the more excuses they find to hate and persecute me.

              Even for people who are acculturated differently though, there are too many crooks and deviants to take such risks. It is my belief that the only way to protect your personal freedom is by protecting your anonymity. Well, unless you can afford a team of lawyers to keep you out of trouble anyway.
              Welcome newbies!
              Verify the ISO
              Kubuntu's documentation

              Comment


                #67
                Re: This is quite interesting

                Originally posted by zlow
                .....
                A classic mistake is to give up personal information no matter how insignificant. For example let's say someone posted an IP address and said "attack me". An IP address typically gives up someone's location unless it is masked by a proxy or simply a fake.
                Could it be that the person who posted his IP address was really telling you that IF you believe Linux to be just as insecure as Windows then that IP address is your chance to put your skill where your mouth is. IOW, prove it!

                BTW, an IP address isn't sacred nor is it secret. If you own a website your IP is easily obtained, directly through one of the five Whois-servers, or, if you use a proxy, indirectly with the appropriate sleuthing tools by packet analysis.

                If you have an internet handle from for example a forum, that can lead to a real name. A real name plus an internet handle can lead to an email address. This can for example lead to information about a former employer.

                A real name + the location from the posted IP can lead to a physical address, and a telephone phone number. This can lead to property records, spousal information, etc. You see where this can go, all from an IP posted in a forum. Not very smart.

                Now you have the person's name, address, phone number, internet service provider, information about their former employer and quite possibly a lot of other information, it would be trivial to make up a story to get the user (or the user's spouse) to download and execute something on the computer which exposed the computer in some way to attack.
                So, you know his handle. You know his IP. On various websites he's mentioned his real name, which can be easily googled to learn he lives in Lincoln, NE, and what his address is, he's mentioned where he used to work before he retired, he's also mentioned his computer consulting business, his criminal forensics business, that he taught science and math for 10 years in high school and 8 years in college, his pilot's license, he is a dead shot with firearms, and his political persuasions. His phone number was in a phone book and now it's on the Internet where anyone can look it up. He's 6' 6" and 245 lbs, has eye problems, genetic foot problems, is allergic to Aspartame, partially bald, and loves dark chocolates. He's been married for 48 years to the same wonderful gal and has two children and three grandchildren. His auto license plate is "BUG JULY".

                So what? That info isn't going to get his into his computer or his bank account in any way shape or form, any more than reading all this stuff in the newspapers will. All of it is or was in the newspapers at one time or another, in one city or another. He did business all over the mid-West.

                It's not even valuable for "social engineering".

                I don't have to hack anyone's computer to read mine or my neighbor's property value, how much his house has sold for, what he bought it for, how much he owes on it and what his back taxes are, or if he's in probate or sheriff's sale. I can log onto my state's public property information server and get it free. Ditto for the car tags, car title, traffic violations, criminal record, etc. All freely accessible. But, NONE of that info gets you into my computer, or shows you my bank account routing numbers, account numbers, or my SSN. In short, nothing you can use to create a financial document masquerading as me.

                In fact, even if you were able to break into my computer, which I doubt you can do, none of that financial information is on it.

                In this example let's use a uuencoded binary payload that contains a private key, an ssh daemon and a reverse tunnel. Let's execute it as the user on a high port so the user will not notice that it's there. Maybe instead we can inject a script that sleeps for a while, waking up now and then and copying any new data found in $HOME to the attacker's home base. Let's randomize it to mask its pattern.
                Do you think I am running windows? "Let's execute it as the user ..."? !


                What if the attacker turned on the camera on your laptop and watched you? There was a guy in the news that just got busted doing this very thing. My point ultimately is that the platform doesn't really matter, and no one platform ultimately protects better than any other.
                It wasn't quite like that. A kid was spied on via his laptop web camera by his school because he was using SCHOOL SUPPLIED laptops. The school had set up spy software on the laptop and had the passwords for remote activation in order to spy on the kids. It wasn't like some cracker hacked into the laptop without the kid's knowledge. It's not cracking or hacking when you own the machine and the passwords!


                ...
                It is often easier for someone that does not "get it" to make accusations rather than to accept the facts presented.
                .....
                Funny you should mention 'does not "get it"'. It's all about bringing "Windows thinking" to the Linux paradigm. That's what Rick Moen said about folk who "don't get" the Linux security model:

                Should I get anti-virus software for my Linux box?

                The problem with answering this question is that those asking it know only OSes where viruses, trojan-horse programs, worms, nasty Javascripts, ActiveX controls with destructive payloads, and ordinary misbehaved applications are a constant threat to their computing. Therefore, they refuse to believe Linux could be different, no matter what they hear.

                And yet it is.

                Here's the short version of the answer: No. If you simply never run untrusted executables while logged in as the root user (or equivalent), all the "virus checkers" in the world will be at best superfluous; at worst, downright harmful. "Hostile" executables (including viruses) are almost unfindable in the Linux world — and no real threat to it — because they lack root-user authority, and because Linux admins are seldom stupid enough to run untrusted executables as root, and because Linux users' sources for privileged executables enjoy paranoid-grade scrutiny (such that any unauthorized changes would be detected and remedied).

                Here's the long version: Still no. Any program on a Linux box, viruses included, can only do what the user who ran it can do. Real users aren't allowed to hurt the system (only the root user can), so neither can programs they run.
                The occasional mis-administration by some Linux project or staff member or developer has NEVER led to the mass infection of tens or hundreds of thousands or millions of Linux boxes. The Linux security paradigm doesn't allow it. Rick goes on to explain the how and why, and mentions a TON of malware which are no threat to Linux. His article covers all of Linux, from the beginning up to March of this year:

                But how can you say there's no virus problem, when there have been several dozen Linux viruses?

                First of all, that's not what I said. (People keep failing to heed what these essays actually say.) I said that Linux systems' architecture and culture, by design, resist such petty nuisances, and create sufficient default protections that anyone careless enough to be exposed to Linux "malware" (viruses and such) has bigger and more fundamental worries: By and large, you can be hit at all only by being really dumb. By and large, you can suffer system (root) compromise from malware only by being mind-bogglingly dumb.

                Moreover, especially since the year 2000, even reckless, dumb Linux users have been adequately protected against the consequences of likely types of gross negligence, by automated system updaters.
                I think something could be learned from point IV:

                IV. The Ringers. Post-Compromise Rootkits (Trojan, Worm) and Attack Tools (not malware at all):

                Apologies to those for whom this subject is old hat, but the following nasty packages do not qualify as Linux malware in any meaningful sense:
                ...... skip dozens and dozens of malware ....
                Every one of those is some sort of post-attack tool; all are erroneously claimed on sundry anti-virus companies' sites (and consequently in various news articles) to be "Linux viruses". Some are actually "rootkits", which are kits of software to hide the intruder's presence from the system's owner and install "backdoor" re-entry mechanisms, after the intruder's broken in through other means entirely. Some are "worms" of the sort that get launched locally on the invaded system, by the intruder, to probe it and remote systems for further vulnerabilities. Some are outright attack tools of the "DDoS" (distributed denial of service) variety, which overwhelm a remote target with garbage network traffic from all directions, to render it temporarily non-functional or incommunicado.

                The news reporters and anti-virus companies in question should be ashamed of themselves: None of the above, in itself, can break into any remote Linux system. All must be imported manually and installed by an intruder who has cracked your system by other means.
                Notice how folks who believe that Linux is as vulnerable as Windows gloss over the main problem: getting INTO a Linux system in the first place. Getting in is ASSUMED: "Lets execute it as the user..." or "Maybe instead we can inject a script...". You assume what you are trying to prove by having the executable already saved as a file, most often in root, and ready to run.
                "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
                – John F. Kennedy, February 26, 1962.

                Comment


                  #68
                  Re: This is quite interesting

                  Originally posted by Ole Juul
                  Yes Google maps is cool.
                  Agreed, it is fascinating.

                  This is amusing, especially that some appear to have contemplated the possibility that it was real

                  http://news.bbc.co.uk/1/hi/scotland/...d/10401345.stm

                  I recommend everyone takes a quick look at the car on the front of their drive. Whilst the number plate is blurred out, move the viewer to the side so you are looking at it from an angle. Does the number mysteriously appear? Mine does, and I'm not entirely sure what to do about it.

                  On general matters, the notion of privacy is an illusion. I happen to think that my online activities are probably the only opportunity I have to be to any degree whatsoever anonymous. Given the nature of my job, someone need only have my name and google it to find out where I work. Then on the UK Government's website they can find out more information about me. To top it all, because I am a company director, my name, address and date of birth are listed at UK Companies House. Because it's publicly registered, that information is then published in the online telephone directory (but minus phone number because I asked to be ex-directory).

                  Also, don't forget all the data the government has about you. If your government is anything like mine, there's a pretty good chance sensitive information about you will have been on a laptop or an unencrypted USB left on a train/bus/plane etc etc etc.

                  Comment


                    #69
                    Re: This is quite interesting

                    So you're from the UK eh? I can probably find all your particulars on a govt CD left on the bus or one of their many lost laptops then.

                    Comment


                      #70
                      Re: This is quite interesting

                      Yep, and while you are at it you could probably find out my unique taxpayer number and pay my tax bill!

                      Comment


                        #71
                        Re: This is quite interesting

                        The Liquidator: On general matters, the notion of privacy is an illusion. I happen to think that my online activities are probably the only opportunity I have to be to any degree whatsoever anonymous.
                        Now there are a couple of very interesting comments. I agree that much privacy is an illusion. I find it easy to dig up all kinds of information on the net and places like phone books. The only reason I sometimes do this kind of thing is out of interest in finding people that I have known in the past. If I was really serious, I'm sure my success rate would be much higher. I personally like people to find me. I like people and I like old friends. I actually want people to find me. In fact I wasn't kidding about inviting you all for coffee. I'd be even more interested in someone from 50 years ago dropping by or e-mailing me. That's why I put my e-mail address on the net. And, by the way, since it fits with this discussion, I have several e-mail addresses in plain view on the net and I've had two pieces of spam in the last year.

                        As for the second statement. That's even more interesting. You know, I believe you. Not using your real name actually gives you a fighting chance. People would actually have to work at digging up some info on you. I hadn't thought that someone would actually want real anonymity but there are probably a few legitimate reasons for it. I had thought about it more like people were either shy or rude if they didn't use their real names on the net. Certainly many people cannot handle the anonymity well.

                        PS: How big is your tax bill? I'll see what I can do.

                        Comment


                          #72
                          Re: This is quite interesting

                          Actually I do give a clue to what I do in my forum name (it's a financial role rather than a violent one!) but potentially it's a role that can invoke conflict nonetheless, and every assignment I engage in is publicly registered, so I do indeed value my privacy when I can get it.

                          I remember one incident a few years back when I was engaged on an assignment only to find that one of the main players lived just around the corner from me. Thankfully the case did not involve controversy so there was not a problem. However, it really does irk me that even though I opt out of pretty much everything I can be found with relative ease.

                          Comment


                            #73
                            Re: This is quite interesting

                            Originally posted by GreyGeek
                            IOW, prove it!
                            I have already told you that I have no interest in pen-testing your IP. Your public IP most likely isn't even your desktop but rather a router and the IP you gave is probably not even yours since it terminates in another state altogether. I'm sorry, but your bait fails. It is just another example of you lying to prove your case.

                            Based on the fact that you are quite happy to use deception in your messages, I would have to say that most of the fluff that you posted about yourself probably isn't true either.

                            Originally posted by GreyGeek
                            It's not even valuable for "social engineering".
                            You keep believing that.

                            Originally posted by GreyGeek
                            Do you think I am running windows? "Let's execute it as the user ..."? !
                            You don't need root to execute malicious software, you only need root to destroy the computer or damage data owned by other users.

                            Originally posted by GreyGeek
                            It wasn't quite like that.
                            Yes it was.

                            Originally posted by GreyGeek
                            said about folk who "don't get" the Linux security model
                            I do get the Linux security model. I am a lot more familiar with it than you realize. I know you can't comprehend this, but Rick seems to be speaking about Linux servers and not Linux use as a desktop. Reading the article it is implied that you have to elevate to root to damage the system or data that is stored by processes that run as different users which is absolutely true on a server but not necessarily true on a desktop. These are completely different use cases. He even mentions very early in his rant that user space malware can damage data that you own.

                            Originally posted by Rick
                            Here's the long version: Still no. Any program on a Linux box, viruses included, can only do what the user who ran it can do. Real users aren't allowed to hurt the system (only the root user can), so neither can programs they run.

                            Because of the distinction between privileged (root-run) processes and user-owned processes, a "hostile" executable that a non-root user receives (or creates) and then executes (runs) cannot "infect" or otherwise manipulate the system as a whole. Just as you can delete only your own files (i.e., those you have "write" permission to), executables you run cannot affect other users' (or root's) files. Therefore, although you can create (or retrieve), and then run, a virus, worm, trojan horse, etc., it can't do much. Unless you do so as "root". Which it's simple to avoid doing.
                            I think you do a lot of googling and you only half understand the concepts.

                            No one has glossed over how to get into a Linux system, I gave an example of how it could possibly be done without triggering any remote exploit. I also earlier gave you examples of how it could be done without having execute permission. I have even given multiple examples of 0-day vulnerabilities in Linux. You have chosen to ignore all of it.

                            All you are doing here is further destroying your credibility. It is not doing you any good to continue to attack me.
                            Don't blame me for being smarter than you, that's your parent's fault.

                            Comment


                              #74
                              Re: This is quite interesting

                              Originally posted by The Liquidator
                              I recommend everyone takes a quick look at the car on the front of their drive. Whilst the number plate is blurred out, move the viewer to the side so you are looking at it from an angle. Does the number mysteriously appear? Mine does, and I'm not entirely sure what to do about it.
                              This may help:

                              http://maps.google.com/support/bin/a...&answer=162873
                              Don't blame me for being smarter than you, that's your parent's fault.

                              Comment


                                #75
                                Re: This is quite interesting

                                @GreyGeek
                                Since you offered it up, here's an Nmap of your IP ........

                                vinny@desktop:~$ sudo nmap -A -P0 24.223.246.44
                                [sudo] password for vinny:

                                Starting Nmap 5.00 ( http://nmap.org ) at 2010-07-13 12:03 EDT
                                All 1000 scanned ports on user-0cdvthc.cable.mindspring.com (24.223.246.44) are closed
                                Device type: general purpose|switch|WAP|media device|firewall|broadband router
                                Running: Cobalt Linux 2.0.X, HP embedded, Linksys embedded, Netgear embedded, Teltronics embedded, WatchGuard embedded, ZyXEL ZyNOS 3.X
                                Too many fingerprints match this host to give specific OS details

                                TRACEROUTE (using port 3269/tcp)
                                HOP RTT ADDRESS
                                1 2.26 user-0cdvthc.cable.mindspring.com (24.223.246.44)

                                OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
                                Nmap done: 1 IP address (1 host up) scanned in 100.20 seconds
                                vinny@desktop:~$
                                Looks pretty tight to me ........but what do I know.......LOL

                                You guys/gals are getting deep.................but a wild read nonetheless........thanks for the entertainment and info.

                                I personally don't think it's a good idea to keep credit card, bank#, social security# and such on a box that's on the net but that's me..................

                                I don't know about what you all see on Google maps/earth but when I look at my house the pictures and street views are several years old.........so what's the security risk?

                                And as for identity theft...............LOL......here, have mine.

                                Charles V Wright ......AKA vinnywright,VINNY
                                1808 southview RD
                                lexington NC 27292

                                336-596-8333
                                charles.v.wright@gmail.com

                                Keep in mind if you're successful in pretending to be me you will shortly be swamped in BILLS at (my) new address and will receive NO credit from ANYONE ......trust me on that.

                                There's no bank accts, no savings and no stature for ya.

                                That said, if any of ya are in the neighborhood come see us.

                                And have a glass of tea or a beer if you're friendly ....or......a round with my pitbull and shotgun if you aren't

                                VINNY



                                i7 4core HT 8MB L3 2.9GHz
                                16GB RAM
                                Nvidia GTX 860M 4GB RAM 1152 cuda cores

                                Comment
