Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


It's not even necessarily a bomb. What he was expecting to happen was that he would be able to monitor the traffic to the site to map out where the infections were and how they were spreading, and possibly interrupt command-and-control for the virus by cutting the hackers off from a control domain they seemingly forgot to register. Certainly he had no idea it would do what it did, but he's not loving Homer, for Pete's sake. He was an experienced security researcher with an extensive background in malware who had successfully taken apart and tracked several other botnets before. Implying otherwise is some serious armchair infosec poo poo, cut it out.

trashy owl
Aug 23, 2017

Cup Runneth Over posted:

He was an experienced security researcher with an extensive background in malware who had successfully taken apart and tracked several other botnets before. Implying otherwise is some serious armchair infosec poo poo, cut it out.

Thank you.

Amazed by some of these comments.

Cup Runneth Over
Aug 8, 2009


trashy owl posted:

Thank you.

Amazed by some of these comments.

It's been a running theme since it happened, but I can't believe I'm hearing it in response to a very well-written article that laid out all of those facts. Just read it!

Furthermore, the really heroic act was not registering the domain but sacrificing his own health for weeks to keep it running 24/7 and stop the worm in its tracks despite being barraged by traffic and actively DDoSed.

The Fool
Oct 16, 2003


For my money the most heroic thing he’s done was to get arrested in the us, handle it like an adult, and make it out the other side

Proteus Jones
Feb 28, 2013



The Fool posted:

For my money the most heroic thing he’s done was to get arrested in the us, handle it like an adult, and make it out the other side

Yeah, the way he handled himself with that was good.

The other thing was far more lucky than heroic. I'm not saying he's dumb, far from it. But it was know-how, a guess, and a HUGE helping of luck.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Yeah he got really lucky with the trial judge too, who was fairly lenient.

He's a pretty all around nice dude.

beuges
Jul 4, 2005
fluffy bunny butterfly broomstick
The part that always puzzled me about the wannacry domain thing was, instead of taking a (possibly educated) guess and registering it and making it visible to the whole world, why not just add the domain to your hosts file or add it to your own private dns server instead so whatever effect it has is contained. Then once you’ve confirmed that it is the disable trigger, register it publicly and you don’t have to say it was a guess, but rather something you verified first.

It seems he did the equivalent of, it builds so yolo in production, rather than, ok it works in QA so let’s now put it in prod and confirm that it works for everyone.

Achmed Jones
Oct 16, 2004



To be honest dude was what, like 23 when it happened? I'm not going to expect the same level of thought from (basically) a college kid that knows how to write malware as I would somebody that actually has experience (either professionally or just from living) with analyzing risk. There's a lot of ways to be an "infosec professional"

Internet Explorer
Jun 1, 2005





beuges posted:

The part that always puzzled me about the wannacry domain thing was, instead of taking a (possibly educated) guess and registering it and making it visible to the whole world, why not just add the domain to your hosts file or add it to your own private dns server instead so whatever effect it has is contained. Then once you’ve confirmed that it is the disable trigger, register it publicly and you don’t have to say it was a guess, but rather something you verified first.

It seems he did the equivalent of, it builds so yolo in production, rather than, ok it works in QA so let’s now put it in prod and confirm that it works for everyone.

They'll use DNS so they can point it to new hosts if that IP gets taken down. If you use hosts file you have no way of changing the client to a new IP if the first one gets taken offline.

trashy owl
Aug 23, 2017

Internet Explorer posted:

They'll use DNS so they can point it to new hosts if that IP gets taken down. If you use hosts file you have no way of changing the client to a new IP if the first one gets taken offline.

Yeah, a lot of botnet software will have DNS server IPs hardcoded and query them directly instead of trusting whatever default resolution behavior is for a given system.

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952




D. Ebdrup posted:

VERY VERY FRIGHTENING!
Jeez, I can't believe you forced me to do this!

Right?

BlankSystemDaemon
Mar 13, 2009



:hai:


Something that's diametrically opposite is CHERI in x86 - or, as phk put it, valgrind in hardware.

Discussion Quorum
Dec 5, 2002
Armchair Philistine
I just started a job as the finance guy at a startup (not a tech company). IT is nominally under my purview, partly because I'm running everything administrative at the moment and partly because I am the only person in the organization who is remotely competent at computers.

I have already sold most people on setting up 2FA (and am trying to make it a policy), which saved our bacon when someone got their Office 365 credentials phished. Our biggest problem right now is vendors getting their emails hacked and sending fake invoices, links to malicious sites, etc. A previous (Fortune 500) employer lost hundreds of thousands of dollars and had to institute new control procedures after getting hit with altered invoices, so I understand how big of a threat this can be (both in terms of financial loss as well as reputation damage for the vendor whose credentials got phished).

I realize that in a perfect world we would have a dedicated infosec resource, comprehensive training to close the biggest hole (human behavior), and so on. Instead, you have me, a well-meaning layman who knows enough to know he doesn't know enough, trying to reprogram a bunch of entrepreneurs and shore up our systems with a limited budget. Was looking at adding Office 365 Advanced Threat Protection (the plan that includes training and some sort of basic incident response) and Exchange Online Protection to our current subscriptions for all users. I could probably also find the budget to replace Malwarebytes (not my choice, our outside IT guy did that one before I started) as our endpoint security solution, although I know this thread's opinion on those in general.

I think the next biggest priorities should be device management/encryption (we have a lot of business travel, some international - go with Intune for this since we're an O365 shop?) and backup/disaster recovery (another thread, but recommendations welcome - I use a NAS and Backblaze B2 for my personal stuff but there's probably an easier solution for small business). Thoughts? Bearing in mind that I can dedicate at most 10% of my time to IT so whatever poo poo we get needs to mostly just work, with minimal intervention by me or our outside IT guy.

Of course, priority #1 is getting a solid CYA in writing before I become "the guy who set all of this stuff up," but this isn't the office politics thread :v:

beuges
Jul 4, 2005
fluffy bunny butterfly broomstick

trashy owl posted:

Yeah, a lot of botnet software will have DNS server IPs hardcoded and query them directly instead of trusting whatever default resolution behavior is for a given system.

Sure but I'd imagine that a professional security researcher would have a sandboxed lab where one could route IP addresses to whichever local box you like? Or have I been watching too many movies? Basically, instead of going out to the public internet and registering a domain, wouldn't you first fake the domain being registered inside your lab and see what it does?

Although I suppose I'd probably have just gone cowboy and done it as soon as the idea entered my head at 23 also.

Mustache Ride
Sep 11, 2001




What you should really do is focus on the SANS top 20 instead of throwing money and expensive tools at the problem. https://www.cisecurity.org/controls/cis-controls-implementation-groups/

From what you describe you're in Implementation Group 1, so filter on that and ensure you're meeting those needs first.

Also get a security assessment done and make sure you have some sort of Cyber Insurance policy in place.

Mustache Ride fucked around with this message at 15:18 on May 16, 2020

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

beuges posted:

Basically, instead of going out to the public internet and registering a domain, wouldn't you first fake the domain being registered inside your lab and see what it does?

Yes but you don't win the public race by exercising an abundance of caution before acting

Discussion Quorum
Dec 5, 2002
Armchair Philistine

Mustache Ride posted:

What you should really do is focus on the SANS top 20 instead of throwing money and expensive tools at the problem. https://www.cisecurity.org/controls/cis-controls-implementation-groups/

From what you describe you're in Implementation Group 1

This is really helpful, although basically everything I mentioned (backup, device encryption, antimalware software) is on that list, so I'm not sure how that's a substitute. More like an augmentation.

Just to be clear, right now we are small group housed in a temporary shared office (when we're even there, mostly WFH right now) with no permanent IT infrastructure. Our permanent office is under construction and will eventually host 20-25 people with a few smaller remote offices. So at the moment I'm trying to do what I can at a very small scale and with no centralized management/monitoring capability to speak of (e.g. Active Directory).

quote:

get a security assessment done and make sure you have some sort of Cyber Insurance policy in place.

Cyber policy is on our to-do list and I plan to push for a dedicated security budget (including outside expertise) in 2021, although I may have a chance to slip it into 2020 as part of the office build-out. How would you go about finding and vetting a vendor?

Wiggly Wayne DDS
Sep 11, 2010



Rufus Ping posted:

Yes but you don't win the public race by exercising an abundance of caution before acting
listen to mister armchair infosec over here

Defenestrategy
Oct 24, 2010

Discussion Quorum posted:


Of course, priority #1 is getting a solid CYA in writing before I become "the guy who set all of this stuff up," but this isn't the office politics thread :v:

I don't know your situation, but it sounds like they're using the finance guy to also be the IT architect, and they're also using an outside vendor as some sort of break/fix guy. Then priority 1 should probably be either getting them to get rid of the contractor and spring for an actual IT dude to set you guys up, or buying a better contract that allows the contractor to basically architect, admin, and set up your infrastructure.

Internet Explorer
Jun 1, 2005





That's the correct answer. Your approaches so far seem reasonable and correct. But this stuff isn't easy and if you don't have the expertise in-house, find a vendor you can trust.

Cup Runneth Over
Aug 8, 2009


Rufus Ping posted:

Yes but you don't win the public race by exercising an abundance of caution before acting

Or the much more real race against an incredibly aggressive worm currently irreversibly encrypting the files of millions of businesses, hospitals, and government organizations and putting lives at risk. C’mon. Using a hosts file is the right idea but don't pretend like there wasn't a real time pressure or that MalwareTech (a wanted criminal at the time) was somehow looking to massively increase his profile and get bombarded with media attention by coming out as a hero doing something you all have already asserted he had no way of knowing would have any positive effect. loving LOL.

If you're absolutely determined to look down on MalwareTech, at least do us all a favor and be honest about why: you think he's too young to be a professional, you look down on his lifestyle, you don't think criminals can be rehabilitated, etc., whatever your bias is, rather than casting aspersions on his motives and judgment.

Zaepho
Oct 31, 2013

Discussion Quorum posted:

So at the moment I'm trying to do what I can at a very small scale and with no centralized management/monitoring capability to speak of (e.g. Active Directory).

You have Azure Active Directory, which means if you pop for the EMS license (or the M365 E3 license) you'll get Intune, which you can use for a lot of the endpoint management needs you're going to have. If everything you have is SaaS or built in Azure, it should be relatively easy to remain a Cloud Only organization, which helps in a lot of respects.

Discussion Quorum
Dec 5, 2002
Armchair Philistine

Internet Explorer posted:

That's the correct answer. Your approaches so far seem reasonable and correct. But this stuff isn't easy and if you don't have the expertise in-house, find a vendor you can trust.

That's fair, and I'm not trying to be a goon in a well. Just trying to balance what I can do now vs. what I can slip into our mid-year budget update vs. what I can win in 2021.

I am not dealing with dumb people (they are in fact brilliant ops people, scientists, and salespeople), nor with people who don't trust my judgement; but they are entrepreneurs and not very technically sophisticated, and the purse strings are ultimately controlled by outside investors. I'm confident I can get to where I need to be, but I'm still feeling out how fast I can turn up the heat before the frog gets antsy :v:

example: I think I have some headroom in our build-out budget and am trying to reserve as much of it as possible for real actual professionals (TM) rather than equipment

Zaepho posted:

You have Azure Active Directory, which means if you pop for the EMS license (or the M365 E3 license) you'll get Intune which you can use for a lot of the endpoint management needs you're going to have. If everything you have is SaaS or build in Azure, it should be relatively easy to remain a Cloud Only organization which helps from a lot of aspects.

That's exactly the kind of feedback I was hoping for. Thanks.

Discussion Quorum fucked around with this message at 16:54 on May 16, 2020

Internet Explorer
Jun 1, 2005





If you're a Microsoft shop and use their cloud products (O365/M365/Azure), their Security and Compliance pieces could get you quite a long way. https://servicetrust.microsoft.com/ViewPage/SCCIntroPage
and
https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center

Wiggly Wayne DDS
Sep 11, 2010



Cup Runneth Over posted:

Or the much more real race against an incredibly aggressive worm currently irreversibly encrypting the files of millions of businesses, hospitals, and government organizations and putting lives at risk. C’mon. Using a hosts file is the right idea but don't pretend like there wasn't a real time pressure or that MalwareTech (a wanted criminal at the time) was somehow looking to massively increase his profile and get bombarded with media attention by coming out as a hero doing something you all have already asserted he had no way of knowing would have any positive effect. loving LOL.

If you're absolutely determined to look down on MalwareTech, at least do us all a favor and be honest about why: you think he's too young to be a professional, you look down on his lifestyle, you don't think criminals can be rehabilitated, etc., whatever your bias is, rather than casting aspersions on his motives and judgment.
why are you latching onto this being a personal bias at all? there was nothing stopping him from sinkholing the domain and getting the same effect - it only needed to resolve. instead he put a lot of effort into keeping the company's servers up to watch all of the traffic coming in. can you see why this comes off badly?

you keep creating these motivations and capabilities that just don't add up to the reality of what happened. it's an issue with a lot of security news though, people rush in having read an article that glosses over the details and shout down anyone informed telling them that's not how it happened

evilhacker
Feb 27, 2011

Discussion Quorum posted:

I just started a job as the finance guy at a startup (not a tech company). IT is nominally under my purview, partly because I'm running everything administrative at the moment and partly because I am the only person in the organization who is remotely competent at computers.

I have already sold most people on setting up 2FA (and am trying to make it a policy), which saved our bacon when someone got their Office 365 credentials phished. Our biggest problem right now is vendors getting their emails hacked and sending fake invoices, links to malicious sites, etc. A previous (Fortune 500) employer lost hundreds of thousands of dollars and had to institute new control procedures after getting hit with altered invoices, so I understand how big of a threat this can be (both in terms of financial loss as well as reputation damage for the vendor whose credentials got phished).

I realize that in a perfect world we would have a dedicated infosec resource, comprehensive training to close the biggest hole (human behavior), and so on. Instead, you have me, a well-meaning layman who knows enough to know he doesn't know enough, trying to reprogram a bunch of entrepreneurs and shore up our systems with a limited budget. Was looking at adding Office 365 Advanced Threat Protection (the plan that includes training and some sort of basic incident response) and Exchange Online Protection to our current subscriptions for all users. I could probably also find the budget to replace Malwarebytes (not my choice, our outside IT guy did that one before I started) as our endpoint security solution, although I know this thread's opinion on those in general.

I think the next biggest priorities should be device management/encryption (we have a lot of business travel, some international - go with Intune for this since we're an O365 shop?) and backup/disaster recovery (another thread, but recommendations welcome - I use a NAS and Backblaze B2 for my personal stuff but there's probably an easier solution for small business). Thoughts? Bearing in mind that I can dedicate at most 10% of my time to IT so whatever poo poo we get needs to mostly just work, with minimal intervention by me or our outside IT guy.

Of course, priority #1 is getting a solid CYA in writing before I become "the guy who set all of this stuff up," but this isn't the office politics thread :v:

The additional capabilities in Office 365 ATP are decent and probably the easiest piece of email security you can add at your size. It’s relatively straightforward to deploy. Just know going in that doing this right is probably more than 10% of your time.

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

Wiggly Wayne DDS posted:

why are you latching onto this being a personal bias at all? there was nothing stopping him from sinkholing the domain and getting the same effect - it only needed to resolve. instead he put a lot of effort into keeping the company's servers up to watch all of the traffic coming in. can you see why this comes off badly?

you keep creating these motivations and capabilities that just don't add up to the reality of what happened. it's an issue with a lot of security news though, people rush in having read an article that glosses over the details and shout down anyone informed telling them that's not how it happened

speaking of glossing over details

quote:

It took a few hours longer for Hutchins and his colleagues at Kryptos Logic to understand that WannaCry was still a threat. In fact, the domain that Hutchins had registered was still being bombarded with connections from WannaCry-infected computers all over the globe as the remnants of the neutered worm continued to spread: It would receive nearly 1 million connections over the next two days. If their web domain went offline, every computer that attempted to reach the domain and failed would have its contents encrypted, and WannaCry's wave of destruction would begin again.

the kill switch wasn't just "this record can be resolved in DNS", it was getting a response from a server at that domain. servers go down, botnet goes active again, so it was pretty important to keep those servers up!

Wired really wants to tell a rehabilitation story and it's hard to see exactly how legit it really is, but "he is obviously sketchy because he had to keep the servers alive" is just plain wrong

Cup Runneth Over
Aug 8, 2009


Wiggly Wayne DDS posted:

why are you latching onto this being a personal bias at all? there was nothing stopping him from sinkholing the domain and getting the same effect - it only needed to resolve. instead he put a lot of effort into keeping the company's servers up to watch all of the traffic coming in. can you see why this comes off badly?

No, because I read the article, and I understand that keeping the servers up was not to watch all of the traffic coming in, but to keep the worm from encrypting any more files. The domain didn't "only need to resolve" -- it needed to connect, and if the servers went down, the worm would not be able to connect and would reactivate. You seriously think CloudFlare and Amazon donated their unlimited services to him so he could monitor the worm's traffic? Again: Come on.

Wiggly Wayne DDS posted:

you keep creating these motivations and capabilities that just don't add up to the reality of what happened. it's an issue with a lot of security news though, people rush in having read an article that glosses over the details and shout down anyone informed telling them that's not how it happened

You clearly don't understand the reality of what happened, and are clearly not informed, I'll just assume your bias is that you are ignorant and have bought into other people attacking the guy. It's ironic that you would accuse me of "creating these motivations and capabilities that just don't add up," though.

Potato Salad
Oct 23, 2014

nobody cares


Discussion Quorum posted:

I just started a job as the finance guy at a startup (not a tech company). IT is nominally under my purview, partly because I'm running everything administrative at the moment and partly because I am the only person in the organization who is remotely competent at computers.

I have already sold most people on setting up 2FA (and am trying to make it a policy), which saved our bacon when someone got their Office 365 credentials phished. Our biggest problem right now is vendors getting their emails hacked and sending fake invoices, links to malicious sites, etc. A previous (Fortune 500) employer lost hundreds of thousands of dollars and had to institute new control procedures after getting hit with altered invoices, so I understand how big of a threat this can be (both in terms of financial loss as well as reputation damage for the vendor whose credentials got phished).

I realize that in a perfect world we would have a dedicated infosec resource, comprehensive training to close the biggest hole (human behavior), and so on. Instead, you have me, a well-meaning layman who knows enough to know he doesn't know enough, trying to reprogram a bunch of entrepreneurs and shore up our systems with a limited budget. Was looking at adding Office 365 Advanced Threat Protection (the plan that includes training and some sort of basic incident response) and Exchange Online Protection to our current subscriptions for all users. I could probably also find the budget to replace Malwarebytes (not my choice, our outside IT guy did that one before I started) as our endpoint security solution, although I know this thread's opinion on those in general.

I think the next biggest priorities should be device management/encryption (we have a lot of business travel, some international - go with Intune for this since we're an O365 shop?) and backup/disaster recovery (another thread, but recommendations welcome - I use a NAS and Backblaze B2 for my personal stuff but there's probably an easier solution for small business). Thoughts? Bearing in mind that I can dedicate at most 10% of my time to IT so whatever poo poo we get needs to mostly just work, with minimal intervention by me or our outside IT guy.

Of course, priority #1 is getting a solid CYA in writing before I become "the guy who set all of this stuff up," but this isn't the office politics thread :v:

If you can get your rear end on E5 licenses, Defender ATP, Intune, and MFA everywhere, you'll be in a fantastic spot

Malwarebytes is a waste of money. Defender does everything you need.

evil_bunnY
Apr 2, 2003

Potato Salad posted:

If you can get your rear end on E5 licenses, Defender ATP, Intune, and MFA everywhere, you'll be in a fantastic spot
Malwarebytes is a waste of money. Defender does everything you need.
^^^

Rufus Ping
Dec 27, 2006





I'm a Friend of Rodney Nano

Cup Runneth Over posted:

The domain didn't "only need to resolve" -- it needed to connect, and if the servers went down, the worm would not be able to connect and would reactivate. You seriously think CloudFlare and Amazon donated their unlimited services to him so he could monitor the worm's traffic? Again: Come on.

If he weren't at all interested in analysing the c+c traffic (he obviously was, it's literally his job), it would have been a lot easier to point the domain's A records at e.g. Google's anycast frontend and let them soak up the DDoS for him. This would return a 404 response, and InternetOpenUrlA would return a non-null value, as required to stop the spread.

He strikes me as a nice enough guy, especially by infosec luminary standards, but he jumped the gun in the heat of the moment because he wanted to be the one to sinkhole it for whatever the next stage was (observing the traffic, mapping its spread, commandeering control of it, issuing some kill command, etc). I probably would have too had I been in his shoes. He got lucky in that merely registering the c+c domain was all that was required to kill it. He didn't know at the time that this would be the case and was flying by the seat of his pants on a cocktail of intuition and speed.

Cup Runneth Over posted:

If you're absolutely determined to look down on MalwareTech, at least do us all a favor and be honest about why: you think he's too young to be a professional, you look down on his lifestyle, you don't think criminals can be rehabilitated, etc., whatever your bias is, rather than casting aspersions on his motives and judgment.

Suffice to say this is a bizarre and wholly inaccurate set of beliefs to project onto me lol
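The distinction argued over above (a domain that merely resolves versus one that answers an HTTP request, with a 404 counting as an answer) can be checked in a lab the way beuges describes, with a private hosts map instead of a public registration. This is an added example, not code from the thread or from anyone discussed in it; the domain names, the `LAB_HOSTS` map and the local 404 sinkhole are constructed stand-ins, and `kill_switch_satisfied` is a simplified model of the "InternetOpenUrlA returns non-NULL on any response" behaviour Rufus Ping refers to.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

# Constructed stand-in for a hosts file / private DNS zone in a lab.
# "killswitch.example" is a placeholder, not the real WannaCry domain.
# "unregistered.example" is deliberately absent, so it behaves like NXDOMAIN.
LAB_HOSTS = {
    "killswitch.example": "127.0.0.1",
}


class _NotFoundHandler(http.server.BaseHTTPRequestHandler):
    """A sinkhole that answers every request with 404, like a parked frontend."""

    def do_GET(self):
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the lab run quiet


def start_sinkhole():
    """Start a local 404 sinkhole on an ephemeral port; caller must shut it down."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _NotFoundHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def lab_resolve(host):
    """Resolve only through the lab map, never the public internet."""
    return LAB_HOSTS.get(host)


def kill_switch_satisfied(host, port, timeout=1.0):
    """Model of the check the thread describes: the handle is non-NULL
    (kill switch satisfied) whenever any HTTP response arrives, a 404
    included; it is NULL when the name does not resolve or no response
    comes back. Returns (satisfied, reason)."""
    ip = lab_resolve(host)
    if ip is None:
        return False, "does not resolve"
    url = f"http://{ip}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return True, f"http {resp.status}"
    except urllib.error.HTTPError as e:
        return True, f"http {e.code}"  # an error status is still a response
    except (urllib.error.URLError, OSError) as e:
        return False, f"no response ({getattr(e, 'reason', e)})"


def closed_port():
    """Pick a port nothing listens on, to model 'resolves but nobody answers'."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_scenarios():
    """Three lab cases: unregistered name, name that resolves to a dead
    host, and name that resolves to a host answering with 404."""
    srv = start_sinkhole()
    try:
        live = srv.server_address[1]
        return {
            "unregistered": kill_switch_satisfied("unregistered.example", live),
            "resolves_only": kill_switch_satisfied("killswitch.example", closed_port()),
            "resolves_and_404": kill_switch_satisfied("killswitch.example", live),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:18} kill switch satisfied={ok!s:5} ({why})")
```

Only the third case satisfies the check, which is why a sinkhole has to keep answering, not merely keep resolving.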

Wiggly Wayne DDS
Sep 11, 2010



Cup Runneth Over posted:

No, because I read the article, and I understand that keeping the servers up was not to watch all of the traffic coming in, but to keep the worm from encrypting any more files. The domain didn't "only need to resolve" -- it needed to connect, and if the servers went down, the worm would not be able to connect and would reactivate. You seriously think CloudFlare and Amazon donated their unlimited services to him so he could monitor the worm's traffic? Again: Come on.


You clearly don't understand the reality of what happened, and are clearly not informed, I'll just assume your bias is that you are ignorant and have bought into other people attacking the guy. It's ironic that you would accuse me of "creating these motivations and capabilities that just don't add up," though.
right so you seem adamant about your position and any attempt to inform the scenario is leading to you lashing out. i did mention sinkholing the domain, it needing to resolve - and crucially the use of the company's servers. you kind of dropped that last part to make it sound like i was only talking about registering a domain name, returning an invalid record, and calling it done. as rufus details there's plenty of online services that can handle the load if your goal is to just make a domain successfully resolve. consider that there were incentives in play to not only stop the spread, but try to listen to as many compromised machines as possible. cloudflare and amazon came into play way later in the picture, focus on the plan until they forced the issue.

you do understand that if he just pointed the domain at anywhere online capable of handling the load to begin with then fewer machines would have been infected? as soon as the company servers were overloaded the connections started failing and the infection continued spreading.

where is the tipping point in this situation for you? you seem to agree that registering the domain at all was risky, so is it adding a resolving ip afterwards that's too far? having it go to machines you control? not anticipating the load? not having a fallback plan for if the load got too high? how much of this do you think is in hindsight and overanalysed? how much of this has an impact in handling a similar scenario later?

it is really weird you keep turning this technical chat back into the personality of the guy behind it. if this happens tomorrow would you evaluate the scenario differently if a connection to the domain resulted in it trying to grab an encryption key, failing, and effectively wiping all of the machines because of bad coding? it is perplexing that your opinion is that i've bought into some story created by people trying to attack the guy, i may be capable of having my own opinions and may have existed during this incident? maybe i just imagined that part though

Cup Runneth Over
Aug 8, 2009


Rufus Ping posted:

If he weren't at all interested in analysing the c+c traffic (he obviously was, it's literally his job), it would have been a lot easier to point the domain's A records at e.g. Google's anycast frontend and let them soak up the DDoS for him. This would return a 404 response, and InternetOpenUrlA would return a non-null value, as required to stop the spread.

He strikes me as a nice enough guy, especially by infosec luminary standards, but he jumped the gun in the heat of the moment because he wanted to be the one to sinkhole it for whatever the next stage was (observing the traffic, mapping its spread, commandeering control of it, issuing some kill command, etc). I probably would have too had I been in his shoes. He got lucky in that merely registering the c+c domain was all that was required to kill it. He didn't know at the time that this would be the case and was flying by the seat of his pants on a cocktail of intuition and speed.

Wiggly Wayne DDS posted:

right so you seem adamant about your position and any attempt to inform the scenario is leading to you lashing out. i did mention sinkholing the domain, it needing to resolve - and crucially the use of the company's servers. you kind of dropped that last part to make it sound like i was only talking about registering a domain name, returning an invalid record, and calling it done. as rufus details there's plenty of online services that can handle the load if your goal is to just make a domain successfully resolve. consider that there were incentives in play to not only stop the spread, but try to listen to as many compromised machines as possible. cloudflare and amazon came into play way later in the picture, focus on the plan until they forced the issue.

you do understand that if he just pointed the domain at anywhere online capable of handling the load to begin with then fewer machines would have been infected? as soon as the company servers were overloaded the connections started failing and the infection continued spreading.

where is the tipping point in this situation for you? you seem to agree that registering the domain at all was risky, so is it adding a resolving ip afterwards that's too far? having it go to machines you control? not anticipating the load? not having a fallback plan for if the load got too high? how much of this do you think is in hindsight and overanalysed? how much of this has an impact in handling a similar scenario later?

Of course he was interested in analysing the c+c traffic, but that's not why he, quote, "put a lot of effort into keeping the company's servers up." And again, even if in hindsight there were other things he could have done, even better things -- you two have alternated between attacking his motivations and casting aspersions on his credentials, describing him as reckless, ignorant, and fame-seeking. The thread in general has demeaned him as merely "registering a domain" and "pulling a Homer," literally downgrading his role to the equivalent of blindly wandering into a server farm, flicking a random switch, and getting carried out of it on the shoulders of a cheering crowd, and bitterly questioning whether he ought to be considered a "hero." That's clearly not what happened, and I'm dead tired of the Monday morning quarterbacking. It's been 3 years. Stop trying to tear the man down. Absolutely you should take lessons from what could have gone wrong and how to prevent it, but that's not what you're doing. What you all are doing is painting him as a clout-chasing, incompetent buffoon given undeserved recognition. Time has exonerated him from any suspected wrongdoing related to WannaCry, and a federal judge exonerated him for his wrongdoing in Kronos, so have some respect for your colleagues.

If you think that his security firm didn't do it out of the goodness of its heart, you're probably right. That's how capitalism works, after all. If you think they profited off the goodwill, I'd be astonished if they didn't. If you think he rushed to action because he was angling for fame and fortune out of greed and carelessness, I don't see any evidence to support that, even in hindsight, and I think it's a malicious aspersion to cast on him. I seriously doubt he was looking to get in the newspapers, and I certainly don't think he's an idiot. And, charitably, if you think he was a relatively inexperienced researcher who didn't exhaust every possible avenue of investigation before resorting to sinkholing the domain, you might be right, but who cares? At this point the only reason to argue it is to suggest that he bumbled his way into success while better infosec professionals (like yourself?) were doing their due diligence, and that he's no hero because of it, which is what it seems like you're doing. And frankly, I find that offensive, because his actions (all of them, not just registering the domain) did save countless lives, and they were admirable and self-sacrificing, and that line of reasoning is very much akin to claiming the reaction to a pandemic was overwrought because the predicted death count never materialized after safety measures were put in place. And I hope you can understand irritation at that in the current day.

Wiggly Wayne DDS posted:

it is really weird you keep turning this technical chat back into the personality of the guy behind it. if this happens tomorrow would you evaluate the scenario differently if a connection to the domain resulted in it trying to grab an encryption key, failing, and effectively wiping all of the machines because of bad coding? it is perplexing that your opinion is that i've bought into some story created by people trying to attack the guy, i may be capable of having my own opinions and may have existed during this incident? maybe i just imagined that part though

This is not purely technical chat, don't be snide. There are clearly value judgments being made in this thread as to whether he deserves the recognition, if it was the right thing to do at the time, if his intentions were pure, etc., all based on a hindsight perspective of the situation. I thought speculative comments like "maybe he made the worm himself and is getting lauded for pulling the killswitch he put in" were inappropriate 3 years ago and I'm sure as hell tired of them now. If you want to discuss the technical details of the worm, that's great. I personally would propose that the killswitch was built in so that the hosts file trick could be used to stop it from infecting the computers of whoever made it (ostensibly North Korea, but you know how that is). If you want to relitigate the actions of a talented man three years ago because you still think he didn't deserve the hype, gently caress right off please.

Rufus Ping posted:

Suffice to say this is a bizarre and wholly inaccurate set of beliefs to project onto me lol

You guys have some reading comprehension problems. I listed them as examples of what might motivate you to smear the guy, not a set of beliefs.

Cup Runneth Over fucked around with this message at 00:29 on May 17, 2020

Wiggly Wayne DDS
Sep 11, 2010



Cup Runneth Over posted:

This is not purely technical chat, don't be snide. There are clearly value judgments being made in this thread as to whether he deserves the recognition, if it was the right thing to do at the time, if his intentions were pure, etc., all based on a hindsight perspective of the situation. I thought speculative comments like "maybe he made the worm himself and is getting lauded for pulling the killswitch he put in" were inappropriate 3 years ago and I'm sure as hell tired of them now. If you want to discuss the technical details of the worm, that's great. I personally would propose that the killswitch was built in so that the hosts file trick could be used to stop it from infecting the computers of whoever made it (ostensibly North Korea, but you know how that is). If you want to relitigate the actions of a talented man three years ago because you still think he didn't deserve the hype, gently caress right off please.

You guys have some reading comprehension problems. I listed them as examples of what might motivate you to smear the guy, not a set of beliefs.
speaking of reading comprehension who the hell has put any of these conspiracy theories forward in this thread? were you reading a different forum and conflated threads and posters? you really want to put the guy on a pedestal and really don't like any perspective on the issue. do you consider the guy your childhood hero? this entire conversation is really weird. the thread was talking about risk on the technical aspect, and in essence the societal issue of rewarding snap decisions. yet you flail acting like we're yelling about north korea, how he must have made the malware himself, and really we're the insane ones for stopping and going "really ill-advised action there, hope no one tries to copy him in the future given how badly it could have gone". can you stop for a second and read the last two pages and consider you're in an entirely different argument that has nothing to do with this thread?

Cup Runneth Over posted:

Of course he was interested in analysing the c+c traffic, but that's not why he, quote, "put a lot of effort into keeping the company's servers up." And again, even if in hindsight there were other things he could have done, even better things -- you two have alternated between attacking his motivations and casting aspersions on his credentials, describing him as reckless, ignorant, and fame-seeking. The thread in general has demeaned him as merely "registering a domain" and "pulling a Homer," literally downgrading his role to the equivalent of blindly wandering into a server farm, flicking a random switch, and getting carried out of it on the shoulders of a cheering crowd, and bitterly questioning whether he ought to be considered a "hero." That's clearly not what happened, and I'm dead tired of the Monday morning quarterbacking. It's been 3 years. Stop trying to tear the man down. Absolutely you should take lessons from what could have gone wrong and how to prevent it, but that's not what you're doing. What you all are doing is painting him as a clout-chasing, incompetent buffoon given undeserved recognition. Time has exonerated him from any suspected wrongdoing related to WannaCry, and a federal judge exonerated him for his wrongdoing in Kronos, so have some respect for your colleagues.

If you think that his security firm didn't do it out of the goodness of its heart, you're probably right. That's how capitalism works, after all. If you think they profited off the goodwill, I'd be astonished if they didn't. If you think he rushed to action because he was angling for fame and fortune out of greed and carelessness, I don't see any evidence to support that, even in hindsight, and I think it's a malicious aspersion to cast on him. I seriously doubt he was looking to get in the newspapers, and I certainly don't think he's an idiot. And, charitably, if you think he was a relatively inexperienced researcher who didn't exhaust every possible avenue of investigation before resorting to sinkholing the domain, you might be right, but who cares? At this point the only reason to argue it is to suggest that he bumbled his way into success while better infosec professionals (like yourself?) were doing their due diligence, and that he's no hero because of it, which is what it seems like you're doing. And frankly, I find that offensive, because his actions (all of them, not just registering the domain) did save countless lives, and they were admirable and self-sacrificing, and that line of reasoning is very much akin to claiming the reaction to a pandemic was overwrought because the predicted death count never materialized after safety measures were put in place. And I hope you can understand irritation at that in the current day.
yes this is exactly like a pandemic, we thank you for your thoughtful insight

xtal
Jan 9, 2011

by Fluffdaddy
I don't think anyone cares about this at this point, but just a reminder that the purpose of WannaCry's domain name was sandbox detection. The domain name was intended not to resolve because if it did resolve it was probably running in a sandbox, and it disabled the malware components to hinder analysis. Analyzing the software in a sandbox completely changed its behavior, and while it's easy to say he should have just blackholed that one domain, the more likely route is that they would blackhole all domains, triggering the sandbox detection and being worth nothing.

xtal fucked around with this message at 10:33 on May 17, 2020
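A small model of the kill-switch decision that Rufus Ping and xtal describe above, added here as an illustration and not code from the thread or from any WannaCry analysis: the check only "halts" when the name resolves and some HTTP exchange completes (a 404 is enough), so an unregistered name, an overloaded sinkhole that drops connections, and a sandbox that answers every lookup each give a different result. The `Sinkhole` capacity and the host names are constructed assumptions for the simulation.

```python
"""Constructed model of the kill-switch check discussed in the thread.

Assumption taken from the thread: the malware calls InternetOpenUrlA()
on the kill-switch domain and stops if the call returns a non-NULL
handle, which happens whenever a TCP connection and an HTTP exchange
complete, regardless of status code. It keeps spreading when the name
has no A record or when the connection fails (e.g. an overloaded sinkhole).
"""
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    NXDOMAIN = "no A record, InternetOpenUrlA returns NULL"
    CONN_FAIL = "connect failed, InternetOpenUrlA returns NULL"
    HTTP_OK = "any HTTP response (200, 404, ...), non-NULL handle"


@dataclass
class Sinkhole:
    """Sinkhole that can complete `capacity` connections per beacon wave."""
    capacity: int                    # constructed: connections it can serve
    served: int = 0
    seen: list = field(default_factory=list)   # beacons observed (the analysis value)

    def accept(self, client: str) -> Outcome:
        if self.served >= self.capacity:
            return Outcome.CONN_FAIL        # overloaded: the infected host sees a failure
        self.served += 1
        self.seen.append(client)
        return Outcome.HTTP_OK


def would_halt(outcome: Outcome) -> bool:
    """Only a completed HTTP exchange yields a non-NULL handle."""
    return outcome is Outcome.HTTP_OK


def run_wave(clients, sinkhole=None, resolves_everything=False):
    """Split one beacon wave into (halted, spreading) client lists."""
    halted, spreading = [], []
    for c in clients:
        if resolves_everything:
            outcome = Outcome.HTTP_OK       # sandbox answering every lookup
        elif sinkhole is None:
            outcome = Outcome.NXDOMAIN      # domain never registered
        else:
            outcome = sinkhole.accept(c)
        (halted if would_halt(outcome) else spreading).append(c)
    return halted, spreading
```

The overloaded case is the one the thread argues about: every beacon the sinkhole cannot answer behaves exactly as if the domain had never been registered.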

Achmed Jones
Oct 16, 2004



The really funny thing is my first reaction is "jesus dude are you malwaretech? Why so weirdly defensive?" but then I'm pretty confident malwaretech would just be like "yeah it was kinda dumb and I got super lucky, I'm so glad it worked out and I'd be a lot more careful if I had to do it over " instead of melting down

Strange times

RFC2324
Jun 7, 2012

http 418

meltdown may

Cup Runneth Over
Aug 8, 2009

Wiggly Wayne DDS posted:

speaking of reading comprehension who the hell has put any of these conspiracy theories forward in this thread? were you reading a different forum and conflated threads and posters?

Speaking of reading comprehension, you literally highlighted "3 years ago" in bold, and yet you apparently didn't read it. Please, for the love of God, actually read and absorb my posts before responding to them, or you're really wasting both of our time.

Wiggly Wayne DDS posted:

yes this is exactly like a pandemic, we thank you for your thoughtful insight

It's called a virus for a reason and WannaCry put people's lives in danger, so yes, it's very comparable. Computer researchers even study worms like epidemics sometimes. If the worm had been allowed to spread further, more and more important institutions and systems would have been compromised and unable to render services, leading to deaths.

Wiggly Wayne DDS posted:

you really want to put the guy on a pedestal and really don't like any perspective on the issue. do you consider the guy your childhood hero? this entire conversation is really weird. the thread was talking about risk on the technical aspect, and in essence the societal issue of rewarding snap decisions. yet you flail acting like we're yelling about north korea, how he must have made the malware himself, and really we're the insane ones for stopping and going "really ill-advised action there, hope no one tries to copy him in the future given how badly it could have gone". can you stop for a second and read the last two pages and consider you're in an entirely different argument that has nothing to do with this thread?

Do you seriously not know the US government blamed the worm on North Korea? lmbo. It's in the article, man, it's getting really hard to consider this good faith.

I'm not trying to put him on a pedestal but I do consider him a hero. Not my childhood hero, but definitely someone worthy of respect who is being offensively demeaned. I could go back and cite specific examples from the last two pages since you're apparently blind to them, but I think the derail has continued long enough, and no one's mind is going to be changed here. His action was not that ill-advised, but there were definitely more precautions that could have been taken. That doesn't make what he did at the time any less virtuous and good.

Cup Runneth Over fucked around with this message at 08:30 on May 17, 2020

BlankSystemDaemon
Mar 13, 2009



RFC2324 posted:

meltdown may
the modern internet's version of eternal september

xtal
Jan 9, 2011

by Fluffdaddy
The person who wrote WannaCry is probably pissed that they can't argue with Marcus publicly