It is a fact that the largest US defense contractors had *thousands* of workstations and servers backdoored for *years* before anyone wised up to it. These are networks managed by professionals who really do take security seriously.
I don't think it's unreasonable to believe that tons of machines are trojaned prior to sale.
I have file system 0day. Be sure to dd the content to that flash drive and dd it back off!
There's no reason to use an asymmetric algorithm.
It's like tripwire, except it works on code in memory. It has an online database where hashes of known code are stored in various sizes... so the client will hash 4k and ask the server if this is known. If so, move on we know what it is. If not, split it into 2 blocks of 2k. Can we positively identify that? Anything not identified continues to be split into smaller and smaller pieces.
The software understands how processes are laid out so it's not going to hash your user data as that can't possibly provide a useful result.
The idea is that we need to be able to ask, "Is this really Microsoft Word 2010 patchlevel X running on my system? Has it been modified in any way, even via hotpatching memory? If so, show me exactly where it has been modified so I can focus my analysis on that."
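The split-and-hash scheme described above, as an added example that is not IOActive's code or anything from the tool itself: a set of (size, SHA-256) entries built from a known-good image stands in for the online database, and the identifier hashes 4k blocks, halving anything it cannot identify until it reaches a floor. The 512-byte floor, the use of SHA-256, and the sample "code section" (deterministic pseudo-random bytes with three bytes patched to simulate a hotpatch) are all constructed assumptions for this example, not details taken from the post.

```python
import hashlib
import random

BLOCK = 4096      # starting block size, as in the post
MIN_BLOCK = 512   # assumed floor for splitting; the post does not say where it stops


def _h(chunk: bytes) -> str:
    # SHA-256 is an assumption; the post does not name the hash.
    return hashlib.sha256(chunk).hexdigest()


def build_known_db(golden: bytes) -> set:
    """Hash a known-good image at every block size the identifier may ask about.

    Stands in for the online database: entries are (length, hash) so that a
    chunk of a given size can be looked up directly.
    """
    db = set()
    size = BLOCK
    while size >= MIN_BLOCK:
        for off in range(0, len(golden), size):
            chunk = golden[off:off + size]
            db.add((len(chunk), _h(chunk)))
        size //= 2
    return db


def find_modified_regions(db: set, image: bytes) -> list:
    """Return (offset, length) ranges of `image` that no known hash covers.

    Identified blocks are skipped; unidentified ones are split in half and
    re-checked until MIN_BLOCK, so a modification is localised to a small range.
    """
    unknown = []

    def probe(off: int, size: int) -> None:
        chunk = image[off:off + size]
        if (len(chunk), _h(chunk)) in db:   # positively identified, move on
            return
        if size <= MIN_BLOCK or len(chunk) <= MIN_BLOCK:
            unknown.append((off, len(chunk)))  # smallest unit we can flag
            return
        half = size // 2
        probe(off, half)
        probe(off + half, half)

    for off in range(0, len(image), BLOCK):
        probe(off, BLOCK)
    return unknown


# Constructed sample: 16 KiB of deterministic pseudo-random bytes as a stand-in
# for a loaded code section, and a copy with a 3-byte patch at offset 5000
# (e.g. the start of an injected jump) to simulate hotpatching in memory.
_rng = random.Random(1)
GOLDEN = bytes(_rng.getrandbits(8) for _ in range(16384))
_patched = bytearray(GOLDEN)
_patched[5000:5003] = b"\xe9\x00\x00"
MODIFIED = bytes(_patched)
KNOWN_DB = build_known_db(GOLDEN)

if __name__ == "__main__":
    print("golden   :", find_modified_regions(KNOWN_DB, GOLDEN))    # []
    print("modified :", find_modified_regions(KNOWN_DB, MODIFIED))  # [(4608, 512)]
```

On the modified image the 4k block at 4096 fails, its first 2k half fails, the first 1k of that fails, and finally only the 512-byte range starting at 4608 is reported, which is where analysis would be focused.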
When you visit the site in Firefox for some reason it just tries to download something. I didn't try with other browsers. That's why I said use IE. Visit in IE and you see a little blurb about it with a couple different options for installing. It uses some Microsoft 1click installer framework... and yeah, this needs some serious release engineering work.
It's alpha code. It seems to work better on HyperV than VMWare too... In VMWare I have to close the target VM (run in background) in order to get it to work. Some kind of locking issue I guess.
Anyway, I think it's a really cool concept. I'm sure there will soon be a proper page put up to describe it, running on a standard port and everything.
Fair point, but it's not like getting something from port 80 or 443 really assures safety.
Like I said it's really alpha. I would not run it on any important VMs anyway.
Oh, and make sure you have
It's pretty alpha, and you will need to use IE to install it. This tool compares software in memory against known signatures, allowing you to confirm what's running on the system is really what you think it is. It works with HyperV and VMWare.
It's free. Thanks IO Active!
Call the kernel to access files, sockets, etc.
Also unless the developer is super 31337 and likes to write everything I expect shared library calls too.
By watching calls to those interfaces we can figure out what it does.
As far as the US government is concerned nothing is sovereign but themselves.
Yeah, registration expiry info is only available in WHOIS, not in the zone itself.
Dealing with other TLDs that allow second-level requires knowledge of their structures. Some of them have wildcards too, and that is detectable. Anyone doing this kind of automation can figure it out. It's not hard, it just sucks.
You don't have to answer all of them. You don't have to directly answer their questions either. You could just say things like:
- I don't want this. This system is not in my best interest.
- I don't want to register with anyone to query this data.
- Abuse mitigation should be handled by each registrar, this is a good way for them to differentiate themselves.
- I don't want to pay for this system at all.
- Law enforcement should be given no special access at all. Nobody should accredit them.
You could also contact your registrar if you own a lot of domains and let them know you don't support this move at all. Ask them to oppose it.
dig @a.gtld-servers.net example.com in soa
If you don't get NXDOMAIN then it's registered.
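The NXDOMAIN check above, together with the wildcard caveat from the earlier comment about other TLDs, as an added example that is not from the original post: it classifies a name from the header of dig's output for a SOA query sent to the TLD servers, and treats a TLD whose servers do not answer NXDOMAIN for a random, surely-unregistered label as wildcarded (so the NXDOMAIN test is unusable there). The dig transcripts below are constructed for this example, not captured from a real server, and probing with a random label is this example's way of detecting wildcards, not necessarily how the commenter does it.

```python
import re

# dig prints a header line like:
#   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
STATUS_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+), id: \d+", re.M)


def registration_status(dig_output: str) -> str:
    """Classify a name from the status of a SOA query answered by the TLD servers.

    A registered .com name gets a NOERROR referral (no answer, NS records in the
    authority section); an unregistered one gets NXDOMAIN.
    """
    m = STATUS_RE.search(dig_output)
    if not m:
        return "unknown"          # not dig output, or truncated
    status = m.group(1)
    if status == "NXDOMAIN":
        return "unregistered"
    if status == "NOERROR":
        return "registered"
    return "error:" + status      # SERVFAIL, REFUSED, ... : do not conclude anything


def tld_has_wildcard(probe_output: str) -> bool:
    """Given dig output for a random label under the TLD, report whether the
    TLD wildcards: anything other than NXDOMAIN for a name that cannot exist
    means the NXDOMAIN test cannot be used for that TLD."""
    return registration_status(probe_output) != "unregistered"


# Constructed sample transcripts (not real server responses).
SAMPLE_REGISTERED = """; <<>> DiG 9.18.0 <<>> @a.gtld-servers.net example.com in soa
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; AUTHORITY SECTION:
example.com.        172800  IN  NS  a.iana-servers.net.
example.com.        172800  IN  NS  b.iana-servers.net.
"""

SAMPLE_UNREGISTERED = """; <<>> DiG 9.18.0 <<>> @a.gtld-servers.net not-registered-zz9.com in soa
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
com.                900     IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
"""

SAMPLE_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

if __name__ == "__main__":
    # Live use would be: registration_status(subprocess.run(["dig", "@a.gtld-servers.net",
    # "example.com", "in", "soa"], capture_output=True, text=True).stdout)
    print(registration_status(SAMPLE_REGISTERED))    # registered
    print(registration_status(SAMPLE_UNREGISTERED))  # unregistered
    print(tld_has_wildcard(SAMPLE_REGISTERED))       # True (a "random" label got NOERROR)
```

Any status other than NOERROR or NXDOMAIN is reported as an error rather than mapped to a registration answer, so a flaky server does not get counted as "available".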
Everyone go here and let them know we don't want this.
This is clearly another case of too many mad scientists, and not enough hunchbacks.