Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Geemer posted:

How do you trust your computer not to be infected already? Maybe it's such a good malware that you can't even find it.

Also, what do consumer protection laws in the US have to do with malware anyway? Malware is made to steal info or coerce the user to spend money, not the most legitimate business practices. Do you really think a malware writer stops to think if they are handling the passwords and credit card numbers they steal in accordance with the relevant legislation?

:allears:
The reason why I bring up consumer protection laws is that the banks are in a position to tell you to "gently caress off" if your infected computer leads to your online banking credentials being compromised. The liability shift has already occurred with the adoption of chip and PIN in the US where the banks can refuse a fraud claim based on the fact that a PIN was used for the transaction--this is in light of the fact that the PIN isn't even indicative of the card even being present considering recent developments in breaking the system.

Why I bring this up is that banks want to limit liability as much as possible and it shouldn't surprise anyone that if they get wind of your computer being the sole reason or even just a contributing factor for your account getting breached that they gain the ability to tell you to deal with the matter yourself since they're not at fault. I was trying to dig up a news piece on this very thing happening but in my cursory search I couldn't find the article I knew about where this did happen.

So yes. My statement about consumer protection laws is more than apt here.

Khablam posted:

How have you concluded the threat chance of a machine that shows clean to the list of things he mentioned?

Like, the problem here is you perform a risk assessment based on a notion that every piece of malware is a theoretical worst-case scenario and cry and stamp your feet and project your frustrations onto people who suggest anything other than a contingency for that.

I'll ask again for an example of a relevant threat that exhibits the need for this paranoia, and you will just reply without such, ask me to prove a negative, and carry on insulting me whilst just yelling "I'm right because I am right" which isn't useful in this thread or any other.

Of course there is a chance. I have never disputed that. What I am saying and what you're failing to understand here is that you cannot prove that the infection has been resolved. Again, does the concept of "risk assessment" elude you?

Read my above post for why any person should be paranoid. It's not without justification and I think you're arguing with me because I've proven time and time again that you're wrong.

Sharktopus
Aug 9, 2006

everyone calm down.

I'm sure when this guy was going over threat models with his $500/hr lawyer customers they decided together that it wasn't worth keeping garden variety malware off of the machines.

Dessert Rose
May 17, 2004

awoken in control of a lucid deep dream...

OWLS! posted:

Man, I respect you infosec guys, and I get why you have to be in paranoia mode at all times, but sometimes you gotta break it down for the mortal folks.
Being all angry :smuggo: about it ain't going to win you fans, (or get people to follow your advice.)

It isn't about winning fans. Having wrong ideas about computer security is loving dangerous. Selling wrong ideas about computer security, and passing them off as "good enough", is really loving dangerous.

We don't usually get mad at people who just don't have a clue ("mortals" as you put it). What gets us really mad is people who don't have a clue acting as though they do, arguing against people with clues, and especially people selling their nonexistent clues to other people and lulling them into a false sense of security.

We may sound paranoid to an outsider but oh man you should see what someone who is actually honestly paranoid about this stuff looks like. Check out #badbios if you want a taste.

univbee
Jun 3, 2004




mindphlux is in the wonderful MSP world and it's not possible to win with the clients security-wise. You will never convince them to have proper security policies in place, like having standardized images, a budget for spare machines, and the like. They will cheap out on anything and everything and when things inevitably go to poo poo they will try to throw you under the bus and make everything your problem. But of course, that doesn't stop me from getting them to agree in writing that system cleanliness without a reformat is not guaranteed, death is certain etc. I never ever tell my clients their system is clean unless I reformatted them completely.

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD

univbee posted:

mindphlux is in the wonderful MSP world and it's not possible to win with the clients security-wise. You will never convince them to have proper security policies in place, like having standardized images, a budget for spare machines, and the like. They will cheap out on anything and everything and when things inevitably go to poo poo they will try to throw you under the bus and make everything your problem. But of course, that doesn't stop me from getting them to agree in writing that system cleanliness without a reformat is not guaranteed, death is certain etc. I never ever tell my clients their system is clean unless I reformatted them completely.

I'm in the MSP world and I'll just say that if you can't sell your clients on that then you're poo poo at your job

OWLS!
Sep 17, 2009

by LITERALLY AN ADMIN

Dessert Rose posted:

We may sound paranoid to an outsider but oh man you should see what someone who is actually honestly paranoid about this stuff looks like. Check out #badbios if you want a taste.

I have an idea that I have no idea how deep that particular rabbit hole goes but in the end, we're still just talking about computer viruses on an ancient comedy forum.

univbee
Jun 3, 2004




go3 posted:

I'm in the MSP world and I'll just say that if you can't sell your clients on that then you're poo poo at your job

To clarify, I don't manage the sales where I am, although I do push for sensible solutions (both internally and to my clients) as much as possible, and things are getting better; my writeup was maybe a bit overblown and based on working for other outfits I got the gently caress out from, but the scars still run deep.

We've mostly got them locked down, so issues which require (or should require) a total flatten-reinstall are fewer and further between, and the more problematic clients who don't listen are going to be ejected soon. :woop:

The last case we had (an AppLocker infection) got an imposed no-other-option total reinstall.

OWLS!
Sep 17, 2009

by LITERALLY AN ADMIN

Dessert Rose posted:

Check out #badbios if you want a taste.

Actually, since you mentioned it, could you elaborate a bit on this? I remember the big brouhaha about it back in 2013 or so, with people getting really spooked, and then sort of nothing. No real analysis, and even some stuff coming out (I may be misremembering) saying it was overblown somewhat? Anybody done any analysis on it, or is it anecdotes or what?

Khablam
Mar 29, 2012

OSI bean dip posted:

Of course there is a chance. I have never disputed that. What I am saying and what you're failing to understand here is that you cannot prove that the infection has been resolved. Again, does the concept of "risk assessment" elude you?

Read my above post for why any person should be paranoid. It's not without justification and I think you're arguing with me because I've proven time and time again that you're wrong.

You're basically tasking yourself to prove a negative, and concluding in your "risk assessment" that the absence of a threat is proof that there is one, and that existence of a threat is proof there is one.
This is paranoia by any definition and the reason people think you're a loony.

quote:

I've proven time and time again that you're wrong
You're the IT equivalent of the anti-vax people, where evidence there's no harm is just more proof to them there is, and no one's opinion is worth anything to you if you disagree, and as such any differing opinion is moot to you. You have never "proven" anything in this or any thread, you've simply kept screaming whilst the people less invested walk away.

If you're doing this to mission critical machines then you're right and there's no need to really say anything about it; doing anything else just isn't worthwhile. If you're doing this every time your mom's PC gets a toolbar you're probably in need of help.

Khablam fucked around with this message at 20:21 on Oct 22, 2015

Khablam
Mar 29, 2012

OWLS! posted:

Actually, since you mentioned it, could you elaborate a bit on this? I remember the big brouhaha about it back in 2013 or so, with people getting really spooked, and then sort of nothing. No real analysis, and even some stuff coming out (I may be misremembering) saying it was overblown somewhat? Anybody done any analysis on it, or is it anecdotes or what?

Nothing happened because it wasn't real.

Wiggly Wayne DDS
Sep 11, 2010



Khablam posted:

You're the IT equivalent of the anti-vax people, where evidence there's no harm is just more proof to them there is, and no one's opinion is worth anything to you if you disagree, and as such any differing opinion is moot to you. You have never "proven" anything in this or any thread, you've simply kept screaming whilst the people less invested walk away.
Anti-vax? Well we can talk about herd immunity, and how quacks make the situation worse but I feel like you may be on the wrong side of the argument in that case.

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD

Wiggly Wayne DDS posted:

Anti-vax? Well we can talk about herd immunity, and how quacks make the situation worse but I feel like you may be on the wrong side of the argument in that case.

Being on the wrong side of the argument is his gimmick

Nintendo Kid
Aug 4, 2011

by Smythe

OWLS! posted:

Actually, since you mentioned it, could you elaborate a bit on this? I remember the big brouhaha about it back in 2013 or so, with people getting really spooked, and then sort of nothing. No real analysis, and even some stuff coming out (I may be misremembering) saying it was overblown somewhat? Anybody done any analysis on it, or is it anecdotes or what?

As it turns out, all you can really do with the speakers built into computers for transferring data is to very very slowly (on the order of a few dozen bytes per minute) transfer data, assuming you even had a BIOS/EFI embedded malware listening and sending through the speaker. Some university research crew performed experiments using consumer hardware and got at most 300 baud transfer in ideal scenarios, since speakers aren't all that hot at being microphones - and in situations where they simulated conditions being worse like say a laptop across the room from a desktop it dropped down to about 30-40 successfully transferred bytes per minute. So in ideal conditions, like 99 megabytes could be transferred over a month, in normal conditions, you could transfer like 1.75 megabytes.

So the thing he was claiming about it spreading by sound is right out, because at best it could put out tiny updates to what's already there, and there's no practical way for it to infect anew. If he even had any malware actually going on, it'd have been because some expert had broken in and brought the stuff onto the systems by way of physical access.

Sharktopus
Aug 9, 2006

reminder that these ~400 bytes took down 1/3 of the internet

pre:
4500 0194 cf09 0000 8011 e630 c0a8 0164
c0a8 016a 049f 059a 0180 ac8d 0401 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 01dc c9b0
42eb 0e01 0101 0101 0101 70ae 4201 70ae
4290 9090 9090 9090 9068 dcc9 b042 b801
0101 0131 c9b1 1850 e2fd 3501 0101 0550
89e5 5168 2e64 6c6c 6865 6c33 3268 6b65
726e 5168 6f75 6e74 6869 636b 4368 4765
7454 66b9 6c6c 5168 3332 2e64 6877 7332
5f66 b965 7451 6873 6f63 6b66 b974 6f51
6873 656e 64be 1810 ae42 8d45 d450 ff16
508d 45e0 508d 45f0 50ff 1650 be10 10ae
428b 1e8b 033d 558b ec51 7405 be1c 10ae
42ff 16ff d031 c951 5150 81f1 0301 049b
81f1 0101 0101 518d 45cc 508b 45c0 50ff
166a 116a 026a 02ff d050 8d45 c450 8b45
c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45
b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829
c28d
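The dump Sharktopus quoted is the IPv4/UDP datagram of the SQL Slammer (Sapphire) worm from January 2003: 404 bytes on the wire to udp/1434 (the SQL Server Resolution Service), opcode 0x04 followed by a run of 0x01 filler that overflows the stack buffer, then the dword that lands on the saved return address. As quoted the dump stops at 370 bytes, so anything parsing it has to cope with a truncated capture. The Python below is an added example, not code from the post or from any tool mentioned in the thread: it decodes the headers, verifies the IP header checksum, pulls printable strings, and applies the kind of content check an IDS signature for this worm uses. The 64-byte filler threshold is this example's own heuristic; the 192.168.1.x addresses are simply what the quoted capture contains.

```python
"""Dissect the SQL Slammer datagram quoted above. Added example, not thread code."""
import ipaddress
import struct

# Hex dump copied verbatim from the post. Only 370 of the 404 declared bytes
# are present, so the parser must never read past the captured data.
PACKET_HEX = """
4500 0194 cf09 0000 8011 e630 c0a8 0164
c0a8 016a 049f 059a 0180 ac8d 0401 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 01dc c9b0
42eb 0e01 0101 0101 0101 70ae 4201 70ae
4290 9090 9090 9090 9068 dcc9 b042 b801
0101 0131 c9b1 1850 e2fd 3501 0101 0550
89e5 5168 2e64 6c6c 6865 6c33 3268 6b65
726e 5168 6f75 6e74 6869 636b 4368 4765
7454 66b9 6c6c 5168 3332 2e64 6877 7332
5f66 b965 7451 6873 6f63 6b66 b974 6f51
6873 656e 64be 1810 ae42 8d45 d450 ff16
508d 45e0 508d 45f0 50ff 1650 be10 10ae
428b 1e8b 033d 558b ec51 7405 be1c 10ae
42ff 16ff d031 c951 5150 81f1 0301 049b
81f1 0101 0101 518d 45cc 508b 45c0 50ff
166a 116a 026a 02ff d050 8d45 c450 8b45
c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45
b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829
c28d
"""

SSRS_PORT = 1434        # MS SQL Server Resolution Service (udp)
IPPROTO_UDP = 17
FILLER_THRESHOLD = 64   # example heuristic: a legitimate 0x04 request is a short instance name


def hexdump_to_bytes(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header; 0 means the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_packet(raw: bytes) -> dict:
    """Decode the IPv4 header and, for UDP, the UDP header, staying inside the capture."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len,
        "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "ip_checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
        "captured": len(raw), "truncated": len(raw) < total_len,
    }
    if proto == IPPROTO_UDP and len(raw) >= ihl + 8:
        sport, dport, ulen, _ucksum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
        info.update(sport=sport, dport=dport, udp_length=ulen, payload=raw[ihl + 8:])
    return info


def run_length(data: bytes, value: int, start: int) -> int:
    """Number of consecutive bytes equal to `value` beginning at `start`."""
    n = 0
    while start + n < len(data) and data[start + n] == value:
        n += 1
    return n


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """strings(1)-style extraction of printable ASCII runs (the pushed DLL/API names show up here)."""
    out, cur = [], bytearray()
    for b in data + b"\x00":            # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    return out


def ssrs_overflow_verdict(info: dict) -> dict:
    """Content check: udp/1434, opcode 0x04, long 0x01 filler, then the dword that
    overwrites the saved return address (read little-endian, as the CPU would)."""
    payload = info.get("payload", b"")
    filler = run_length(payload, 0x01, 1) if payload[:1] == b"\x04" else 0
    hit = info.get("dport") == SSRS_PORT and filler >= FILLER_THRESHOLD
    ret = None
    if hit and len(payload) >= 1 + filler + 4:
        ret = struct.unpack_from("<I", payload, 1 + filler)[0]
    return {"match": hit, "filler_bytes": filler, "return_address": ret}
```

Call `parse_packet(hexdump_to_bytes(PACKET_HEX))` and hand the result to `ssrs_overflow_verdict`. Two details worth noticing for detection work: the UDP length field (384) still tells you the real payload size even though the quote is cut short, and the verdict keys on structure (port, opcode, filler length) rather than on the exact bytes, so a re-encoded variant with the same overflow shape would still trip it.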

22 Eargesplitten
Oct 10, 2010



go3 posted:

I'm in the MSP world and I'll just say that if you can't sell your clients on that then you're poo poo at your job

Do you not read the pissing me off thread? Every few pages there is someone talking about how their client refuses to get off of XP/2003, or buy any sort of backup system. Some companies just refuse to do what is needed.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

Nintendo Kid posted:

As it turns out, all you can really do with the speakers built into computers for transferring data is to very very slowly (on the order of a few dozen bytes per minute) transfer data, assuming you even had a BIOS/EFI embedded malware listening and sending through the speaker. Some university research crew performed experiments using consumer hardware and got at most 300 baud transfer in ideal scenarios, since speakers aren't all that hot at being microphones - and in situations where they simulated conditions being worse like say a laptop across the room from a desktop it dropped down to about 30-40 successfully transferred bytes per minute. So in ideal conditions, like 99 megabytes could be transferred over a month, in normal conditions, you could transfer like 1.75 megabytes.

So the thing he was claiming about it spreading by sound is right out, because at best it could put out tiny updates to what's already there, and there's no practical way for it to infect anew. If he even had any malware actually going on, it'd have been because some expert had broken in and brought the stuff onto the systems by way of physical access.

Basically this, though it could be bad. #badbios was never proven to even exist. The lone researcher whom it infected never managed to infect anybody's machines but his own. Is it possible somebody was targeting only him because of ~reasons~? Sure. Is it likely? Not really.

Pushing even a few bytes over an otherwise air-gapped device can be a big deal, however. Such a BIOS-inhabiting device could, for example, parse keyboard inputs looking for likely userid and password combinations, and send those over the air. Still, applications for using speakers to transmit data probably have more applications in corporate espionage or nation-states spying on one another than on "I'm going to get Jim's bank account."

For the truly paranoid, of course, as alluded above there really isn't anything a normal person can do about the Evil Maid vector of attack. Once someone has physical access to the hardware, all bets are off.
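Nintendo Kid's post and Ynglaur's reply put numbers on the speaker-to-microphone channel: a few hundred baud in ideal conditions, tens of bytes a minute across a room, which is enough for a captured credential but not for spreading. The Python below is an added example, not from either post: a toy audio FSK modem (one tone per bit, Goertzel detection on the receive side) plus the arithmetic for what such a rate carries over a month. It assumes an 8 kHz sample rate, 1200/2200 Hz tones, and that sender and receiver share a sample clock and symbol alignment (no preamble or clock recovery); a bad acoustic path is stood in for by additive noise. None of these parameters come from the thread.

```python
"""Toy audio FSK modem and capacity arithmetic for the acoustic channel discussed
above. Added example; sample rate, tones and sync assumptions are not from the posts."""
import math
import random

SAMPLE_RATE = 8000                  # Hz, assumed
BAUD = 300                          # bits/s, the "ideal conditions" rate quoted in the post
F_SPACE, F_MARK = 1200.0, 2200.0    # tone for bit 0 / bit 1 (Bell 202 style), assumed
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 26 samples per symbol


def bits_of(data: bytes):
    """MSB-first bit stream of the message."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def modulate(data: bytes) -> list:
    """Continuous-phase binary FSK: one tone per bit, phase carried across symbol edges."""
    phase, samples = 0.0, []
    for bit in bits_of(data):
        step = 2 * math.pi * (F_MARK if bit else F_SPACE) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase = (phase + step) % (2 * math.pi)
    return samples


def goertzel_power(frame: list, freq: float) -> float:
    """|DTFT(frame)|^2 at `freq` via the Goertzel recurrence. Exact for any frequency,
    not only DFT bins, so no FFT library is needed."""
    coeff = 2.0 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples: list) -> bytes:
    """Non-coherent detection: per symbol, the tone with more energy wins; pack 8 bits/byte.
    Assumes the receiver is already aligned to symbol boundaries."""
    bits = []
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        frame = samples[i:i + SAMPLES_PER_BIT]
        bits.append(1 if goertzel_power(frame, F_MARK) > goertzel_power(frame, F_SPACE) else 0)
    out = bytearray()
    for j in range(0, len(bits) - 7, 8):
        value = 0
        for bit in bits[j:j + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def add_noise(samples: list, amplitude: float, seed: int = 1) -> list:
    """Stand-in for a poor acoustic path: additive uniform noise, seeded for reproducibility."""
    rng = random.Random(seed)
    return [s + rng.uniform(-amplitude, amplitude) for s in samples]


def capacity_bytes(bits_per_second: float, seconds: float) -> float:
    """Raw channel capacity, ignoring framing, error correction and retransmission."""
    return bits_per_second / 8 * seconds


def bytes_per_month(bits_per_second: float, days: int = 30) -> float:
    return capacity_bytes(bits_per_second, days * 86400)
```

`demodulate(modulate(b"user:hunter2"))` round-trips, with or without `add_noise`, and `bytes_per_month(300)` comes to about 97 MB for a 30-day month, in line with the figure in the post; 40 bytes a minute is `bytes_per_month(40 * 8 / 60)`, about 1.7 MB. The decision margin comes from the two tones being 1000 Hz apart while a 26-sample frame only resolves about 300 Hz, so each tone's energy barely leaks into the other's detector. Real implementations add a preamble for clock recovery and a checksum per frame, which is exactly the overhead that pushes the usable rate below the raw baud figure.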

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?

Ynglaur posted:

#badbios was never proven to even exist.
ahh, but was it ever proven not to exist?
:smuggo:

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

Mr Chips posted:

ahh, but was it ever proven not to exist?
:smuggo:

drat. I just lost an argument on the Internet.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

In my business environment, if I get malware on my machine, I get a new piece of hardware and my documents copied over (but nothing executable and no source trees) while they analyze the victim machine. "In a business environment" doesn't excuse putting the business at unnecessary risk, and it's irresponsible to let customers think you've remediated the situation by buffing out the scratches just because they don't want to wait for the body work.

(That's part of why I stopped doing security consulting many years ago. Clients wanted guarantees I couldn't give them, or me to give them approval for expedience that didn't match their stated threat stance. If someone at the customer wants to say it's all better because they deleted the php script payload from the web root, they can do that, but I'm not going to.)

Tapedump
Aug 31, 2007
College Slice

Wiggly Wayne DDS posted:

Anti-vax? Well we can talk about herd immunity, and how quacks make the situation worse but I feel like you may be on the wrong side of the argument in that case.
Wait, is this indicative of your own siding with the anti-vax stance, or is it just you drawing an analogy to the info sec argument here?

The answer is really, really important.

Wiggly Wayne DDS
Sep 11, 2010



Tapedump posted:

Wait, is this indicative of your own siding with the anti-vax stance, or is it just you drawing an analogy to the info sec argument here?

The answer is really, really important.
Analogy, but when we're talking about infections and how poor solutions make a situation worse the line really becomes blurred.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Wiggly Wayne DDS posted:

Analogy, but when we're talking about infections and how poor solutions make a situation worse the line really becomes blurred.

Oh. But it's okay because I'll just state that it's not worth my client's time to go and do things the right way and then go on about someone being a "loony" when they call me out on my inability to comprehend the problem at hand.

And that is why we have things in the state they are because people don't want to take the time to understand things.

Khablam
Mar 29, 2012

OSI bean dip posted:

Oh. But it's okay because I'll just state that it's not worth my client's time to go and do things the right way and then go on about someone being a "loony" when they call me out on my inability to comprehend the problem at hand.

And that is why we have things in the state they are because people don't want to take the time to understand things.

Usually people only get as mad-angry as you do over this when they feel like their USP is being infringed upon. I get it, 10 years ago you were a ~genius~ if you could stop mom's PC from having that weird popup, but now that people have largely worked this out for themselves you need to constantly yell that they're doing it wrong to convince people you have value.

To use the medical analogy again, you're a doctor getting hysterically angry that people can work out they have a common cold all on their own, and wailing about risk assessments and IT MIGHT BE MALARIA OR MENINGITIS OR CANCER OH GOD GET HELP.
Not necessarily wrong, but effectively stupid in practice because the health service can't sustain everyone ~doing it properly~ in the eyes of paranoid skeptics.

How are you doing on finding the example malware that avoids any detection at all against the list he posted?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Khablam posted:

Usually people only get as mad-angry as you do over this when they feel like their USP is being infringed upon. I get it, 10 years ago you were a ~genius~ if you could stop mom's PC from having that weird popup, but now that people have largely worked this out for themselves you need to constantly yell that they're doing it wrong to convince people you have value.

To use the medical analogy again, you're a doctor getting hysterically angry that people can work out they have a common cold all on their own, and wailing about risk assessments and IT MIGHT BE MALARIA OR MENINGITIS OR CANCER OH GOD GET HELP.
Not necessarily wrong, but effectively stupid in practice because the health service can't sustain everyone ~doing it properly~ in the eyes of paranoid skeptics.

How are you doing on finding the example malware that avoids any detection at all against the list he posted?

Sure. How about a rootkit where the OS is compromised before the bootloader is even engaged?

I am sure your help desk experience will give me an enlightened response.

Dessert Rose
May 17, 2004

awoken in control of a lucid deep dream...

Khablam posted:

Usually people only get as mad-angry as you do over this when they feel like their USP is being infringed upon. I get it, 10 years ago you were a ~genius~ if you could stop mom's PC from having that weird popup, but now that people have largely worked this out for themselves

I'm dying :lol:

Kazinsal
Dec 13, 2011

OSI bean dip posted:

Sure. How about a rootkit where the OS is compromised before the bootloader is even engaged?

I am sure your help desk experience will give me an enlightened response.

Better yet, a rootkit where the OS is compromised while it's being installed.

Khablam
Mar 29, 2012

OSI bean dip posted:

Sure. How about a rootkit where the OS is compromised before the bootloader is even engaged?

I am sure your help desk experience will give me an enlightened response.

Which one in particular does this whilst not appearing to an offline scan or the other rootkit tools mindphlux mentioned?
If it does this, then how are you concluding you have this particular infection in the first place?
Why are you checking for it?
Should you not then expand your flatten-install technique as a daily startup procedure?

e: To be more precise in what I'm saying:

You keep saying "risk assessment" but in any risk assessment you will list and analyse hostile elements. You claim on one hand you base this on "risk assessment" yet on the other you seem to be unable to actually notarise the threat(s) you are talking about, instead when pressed you (usually) just wave your hand vaguely at some blog posts by half-insane researchers ranting that their speakers are infecting their machines, as an example of what can go wrong.
I'm not denying a ~bad virus~ can or does exist, but when you look at malware as a whole my out-of-my-rear end "0.001%" figure for something successfully evading the list of things you claim to be "dangerously useless" is possibly overly pessimistic and it's probably a lot smaller.

Khablam fucked around with this message at 00:51 on Oct 25, 2015

Prosthetic_Mind
Mar 1, 2007
Pillbug

Khablam posted:

To use the medical analogy again, you're a doctor getting hysterically angry that people can work out they have a common cold all on their own, and wailing about risk assessments and IT MIGHT BE MALARIA OR MENINGITIS OR CANCER OH GOD GET HELP.

And you're the doctor who treats the symptoms instead of the disease.

Khablam
Mar 29, 2012

Prosthetic_Mind posted:

And you're the doctor who treats the symptoms instead of the disease.

I like this analogy because that's often the appropriate course of action.

Geemer
Nov 4, 2010



Khablam posted:

I like this analogy because that's often the appropriate course of action.

Don't worry. As soon as we invent perfect cloning while keeping memories intact, idiots will be screaming that as soon as you get the common cold, you should be killed and replaced with a fresh clone.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?

Prosthetic_Mind posted:

And you're the doctor who treats the symptoms instead of the disease.

So, we're all in agreement. The solution is to find and kill people who make malware. While we're at it, let's eliminate greed, fear, and perhaps poo poo-stirring. Meeting adjourned?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Khablam posted:

Which one in particular does this whilst not appearing to an offline scan or the other rootkit tools mindphlux mentioned?
If it does this, then how are you concluding you have this particular infection in the first place?
Why are you checking for it?
Should you not then expand your flatten-install technique as a daily startup procedure?

e: To be more precise in what I'm saying:

You keep saying "risk assessment" but in any risk assessment you will list and analyse hostile elements. You claim on one hand you base this on "risk assessment" yet on the other you seem to be unable to actually notarise the threat(s) you are talking about, instead when pressed you (usually) just wave your hand vaguely at some blog posts by half-insane researchers ranting that their speakers are infecting their machines, as an example of what can go wrong.
I'm not denying a ~bad virus~ can or does exist, but when you look at malware as a whole my out-of-my-rear end "0.001%" figure for something successfully evading the list of things you claim to be "dangerously useless" is possibly overly pessimistic and it's probably a lot smaller.

You're failing to provide answers with examples where I am supposedly wrong other than theoreticals. So far you've demonstrated that you can only think of what a tool outputs and have provided no notion of experience of working with real malware. Tell me, what experience do you have with malware? Is it just from the help desk that you work at?

Once again, tell me how you address a rootkit where the OS has been compromised before its bootloader has been engaged. Cite the exact process and why you think that this methodology is foolproof. Don't go on about some other thing where all you're doing is trying to belittle me while failing to adequately answer my question.

Also, to your "risk assessment" point: you're being completely obtuse and because of this I reserve the right to belittle you here. I've spelt out a perfect example where a typical user is at risk for having issues with their financial institution due to an infected machine, leading to a potential for real financial loss--was my post too complicated for you? If so, I'll gladly simplify it.

To add: a "risk assessment" is not about "analysing hostile elements". A "risk assessment" involves researching the situation and determining the outcomes and consequences, leading to a result that'll let you determine if the risk is acceptable or not. Here's something from the US government if you need to learn a bit more because I think you probably do.

Also, at no point have I brought up any "half-insane researchers" so I am not sure why you're choosing to say this. Hate to break it to you, but I have met the "half-insane researcher" you're alluding to and you don't even know half the truth of his nuttiness.

So again, instead of trying to go on a feckless tirade about I am supposedly wrong here, why not answer my question? Surely your confidence in your response can be turned into a technical answer right?

Lain Iwakura fucked around with this message at 18:23 on Oct 25, 2015

Dessert Rose
May 17, 2004

awoken in control of a lucid deep dream...
Uh, I was the one that brought up the badbios guy and I did it specifically as an example of someone who has in fact gone off the deep end. No one has brought that thing up as an actual risk.

bobbilljim
May 29, 2013

this christmas feels like the very first christmas to me
:shittydog::shittydog::shittydog:
Everyone knows that doing things the right way is actually too much work, so we might as well half rear end it.

mindphlux
Jan 8, 2004

by R. Guyovich
also let's not bother to provide any positive examples of what we think 'the right way' is, and instead just troll people on the internet, it will be great, I promise.

Wiggly Wayne DDS
Sep 11, 2010



mindphlux posted:

also let's not bother to provide any positive examples of what we think 'the right way' is, and instead just troll people on the internet, it will be great, I promise.
From the sounds of it you seem to be very keen on not learning anything, and are dismissing anything critical as trolling. When you're providing bad security services to lawyers you're well past the "positive examples" stage, and into the "beyond help" part of the process. I sincerely hope they are aware of the level of risk you are putting them and their clients critically-sensitive data at when you provide your services, or you're going to meet more lawyers in your future.

mindphlux
Jan 8, 2004

by R. Guyovich

Wiggly Wayne DDS posted:

From the sounds of it you seem to be very keen on not learning anything, and are dismissing anything critical as trolling.

no, I actually have asked about 5 times for examples of how you guys propose to handle malware/virus problems in a reasonable amount of time. I outlined my SOP line by line, please outline yours line by line.

I don't claim that anything you're saying is technically incorrect, but flattening a system or spending hours isolating machines and doing packet/process traces every time a machine gets some java exploit or something is not practical.

univbee
Jun 3, 2004




Do your clients seriously not have spare machines? Because that's a pretty big deal. What do you do if their motherboard fries or their hard drive crashes?

Wiggly Wayne DDS
Sep 11, 2010



mindphlux posted:

no, I actually have asked about 5 times for examples of how you guys propose to handle malware/virus problems in a reasonable amount of time. I outlined my SOP line by line, please outline yours line by line.

I don't claim that anything you're saying is technically incorrect, but flattening a system or spending hours isolating machines and doing packet/process traces every time a machine gets some java exploit or something is not practical.
Can you express to me the financial and reputational damage of your lawyer clients having malware after you've assured them that their system is clean? This isn't a situation where you can perform sloppy practices, especially not for a paycheck.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

mindphlux posted:

no, I actually have asked about 5 times for examples of how you guys propose to handle malware/virus problems in a reasonable amount of time. I outlined my SOP line by line, please outline yours line by line.

I don't claim that anything you're saying is technically incorrect, but flattening a system or spending hours isolating machines and doing packet/process traces every time a machine gets some java exploit or something is not practical.

But your suggestion from earlier is good enough to tell people that your method should go into the OP? Do you tell your customers that they're putting themselves at risk by just having things "cleaned up" instead of addressed properly?

This is why you're getting shitted all over here. You come into the thread, list off a bunch of tools without explaining anything about what each does (and I suspect that you don't anyway), and then cry foul when you're called out over it. If you had at least disclaimed, "this is a way that you could address your malware infection but you should think about the risk you have by not reformatting" then I wouldn't have given a drat because that is the way you should approach it.

However, you instead didn't like the criticism I gave of your post and then went on some dumb tirade about how I am "trolling you" when in reality I was pointing out that you have no clue. Most people who go about suggesting ComboFix tend to be the type that think that it's an IT worker's wet dream. You just wanted to come into here and act like an "IT superhero" like most of your type believe you are, with a suggestion without warning. You don't even point out the problems that someone will have with the tools you suggest either. How did you know the person who requested help could use at least a third of them and know what they do?

That's loving dumb and in some ways dangerous and negligent.

Lain Iwakura fucked around with this message at 15:07 on Oct 27, 2015
