Berkeley CSUA MOTD:Entry 22083
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2025/05/24 [General] UID:1000 Activity:popular
5/24    

2001/8/11-12 [Computer/SW/OS/Windows] UID:22083 Activity:insanely high
08/11   http://www.cs.berkeley.edu/~nweaver/warhol.html
        \_ nweaver d-d-d-definitely needs a gf
           \_ FIND ME ONE THEN, DAMMIT! -nweaver
              \_ You can find one yourself.  Lower your standards,
                 look in new places.
                 \_ you mean masturbating in your soda office won't find
                    you a girlfriend?
        \_ grammar error in Paragraph 4, Sentence 1.
           \_ you mean a grammatical error?
        \_ Interesting idea. What makes you think that the
           "bad guys" haven't already though about and
           implemented something like this?
           \_ help nick realize his dream!
        \_ the only way this is going to happen is if you find
           a service that's not commonly firewalled off. like http
           or ssh.
           \_ OH, like IIS?
              \_ Doh!
        \_ nweaver, your simulation is already done. For years scientists
           have already simulated the outbreak of disease. Assume a variant
           of bubonic plaque breaks out from Africa. More than 1/3 of the
           human beings will die before they receive treatment. It's called
           the "next plaque." We're already breeding super plaque of the
           next generation. It's just a matter of time. Since 1/3 of
           humanity will die anyways, who cares about wormhole. Complex
           systems grow and die quickly. That's just a fact of life.
           \_ Bubonic "Plaque", eh?  Is that what happens when you don't
              visit the dentist for a really, really long time?
           \_ man, you are SOME dipshit! bravo!
2025/05/24 [General] UID:1000 Activity:popular
5/24    

You may also be interested in these entries...
2010/4/28-5/10 [Computer/SW/OS/Windows] UID:53807 Activity:nil
4/28    Win 3.1 was more widely adopted than Win 3.0.  Win XP (5.1) was more
        widely adopted than Win 2k (5.0).  Now it looks like Win 7 (6.1) is
        going to be more widely adopted than Vista (6.0).  Is this a trend on
        Microsoft x.0 versions being bad?
        \_ duh.
        \_ "more widely adopted" ... well... what are you basing these numbers
	...
2010/2/18-3/9 [Computer/SW/WWW/Browsers] UID:53713 Activity:nil
2/18    Why is there now Firefox 3.5.8 when there was already 3.6 a month ago?
        \_ Why is there Windows XP SP3 when there was already Vista?
           Generally companies manage patches for at least two levels of
           product.  -tom
           \_ I see.  So Fx 3.6 is more like a new version than an update to
              3.5.x.  --- OP
	...
2009/8/4-13 [Computer/SW/OS/Windows] UID:53239 Activity:kinda low
8/3     VMWare + Windows XP + Validation question. I need to test stuff with
        Service Pack 3 installed. I have a valid key that I own (yeah yeah I
        actually *bought* a copy, please don't flame me for supporting evil
        M$). Is it possible to register the key once, and then duplicate it
        for testing purposes?  Will Windows or Microsoft detect copies and
        disable the rest the copies?
	...
2009/6/1-3 [Computer/HW/CPU] UID:53068 Activity:high
5/31    History of winners and losers by *popularity*:
        VHS > Beta Max
        USB2 > Firewire
        x86 > PowerPC > Everything Else > DEC Alpha > Itanium
        BlueRay > HDDvd
        \_ It's too early to tell RE: "Blue"Ray. They may both turn out to be
	...
2009/2/20-25 [Computer/SW/OS/Windows] UID:52610 Activity:nil
2/20    I'm using Cygwin/X on XP.  All the X indows (xterm, emacs)
        seem to have a keyboard repeat rate and a repeat delay that's different
        than the one XP uses for other Windows apps.  When I do "mode con
        rate=xx delay=yy", it only changes Windows apps but not the X apps.
        How do I change the keyboard repeat rate and delay for X?  Thanks.
        \_ man xset
	...
2008/11/29-12/6 [Computer/SW/OS/FreeBSD, Computer/SW/OS/VM] UID:52129 Activity:moderate
11/29   I'm experimenting with virtualization, and as a poor college student
        I'm wondering what the best alternatives for virtualization are, and
        how best to cut my teeth on messing with non-linux platforms (or I
        guess interesting stuff on Linux would work too). Right now I've got
        FreeBSD7 running on KVM on my home computer (on a Core 2 Quad), and am
        somewhat at a loss as to how to use it. (More details: bridged
	...
2008/11/15-26 [Computer/SW/OS/Windows] UID:51993 Activity:nil
11/14   I have a bunch of pictures and I find that thumbs.db on
        Windows XP to be very useful, especially when you're on NAS
        and the network is slow. Having that said, my Win XP has
        stopped generating thumbs.db even though I've set it to generate
        thumbs.db (Properties->View->Uncheck "Do not cache thumbnails.").
        How do I force Windows to generate Thumbs.db? Googling seems
	...
2008/10/12 [Computer/SW/OS/Windows] UID:51487 Activity:nil
10/12   When XP boots up on my PC, the screen reads "Microsoft (R) Windows (R)
        5.01. 2600 Service Pack 3 Multiprocessor Free."  What does "Free" mean?
        Thx.
	...
2008/9/22-29 [Computer/SW/OS/OsX] UID:51261 Activity:nil
9/21    So I did it and got myself a Macbook Pro. Any suggestions for the best
        PC->Mac transition?  After finding out that Outlook is not supported
        under Mac; I bought parallels and am installing XP to grab my outlook
        mail archive (~1GB) from the original PC disk (the pc itself is
        basically dead). Any suggestions on a relatively painless import to
        entourage? The Mac Genius guy also reccomended an upgrade to 4GB and
	...
2008/9/18-19 [Computer/HW/Laptop] UID:51217 Activity:low
9/18    My  7 year old Dell laptop is slowly  decending into its death throws.
        I am seriously considering an Mac laptop; but am having a hard time deaa\
        ling with the price. Curious to find out  if people really think that
        the extra $$ upfront was a good investment. a 2K macbook pro with
        standard config can buy a high end dell laptop
        \_ I have both a MacBook Pro (and before that a PowerBook) and a
	...
Cache (8192 bytes)
www.cs.berkeley.edu/~nweaver/warhol.html
Netcraft Survey could be used to generate the hitlist for some services, without requiring a scan. Although random scanning works well initially, it begins to die out after the number of uninfected hosts goes down. This die down can be reduced through the use of permutation scanning. In a permutation scan, an already infected machine responds differently than a potential target, as a way of telling the scanning worm that the machine is infected. Not only does this prevent needless reinfections, but it can be used to impose coordination on the worm. In a permutation scan, all worms share a common pseudo random permutation of the IP address space. Such a permutation can be efficiently generated using any block cipher of 32 bits with a preselected key: simply encrypt an index to get the corresponding address in the permutation, and decrypt an address to get its index. Worms infected during the hitlist phase or local subnet scanning start just after their point in the permutation and scan through the permutation, looking for vulnerable machines. Whenever it sees an already infected machine, it chooses a new, random start point and proceeds from there. Worms infected by permutation scanning would start at a random point. This has the effect of providing a semi coordinated, comprehensive scan while maintaining the benefits of random probing. Each worm looks like it is conducting a random scan, but it attempts to minimize duplication of effort. This keeps the infection rate higher and guarantees an eventual comprehensive scan. Additionally, the worms could be programmed to comprehensively rescan the net at regular intervals. A timer could induce the worms to wake up and rescan the section of the next permutation in a sequence, starting at itself and ending at the next worm. This would cause every address to be completely rescanned at regular, predictable intervals, detecting any machines which come onto the network. A further optimization is a partitioned permutation scan. In this scheme, the worm has a range of the permutation that it is initially responsible for. When it infects another machine, it reduces its range in half with the newly infected worm taking the other section. When the range gets below a certain level, it switches to simple permutation scanning and otherwise behaves like a permutation scan. It offers a slight but noticeable increase in scanning efficiency. Modes of operation graph Figure 3: Simulated infection rates for Random, Permutation, and Partitioned Permutation scanning. The lines end when complete infection of all 1M vulnerable machines is achieved. All infections started with an initial population of 10,000 acquired by the hitlist scan. Finally, if a worm detects that it's internet-wide scanning is being ARP limited, it could switch to subnet permutation scanning. In this case, a different permutation is used to generate the upper 24 bits of the address, with the lower 8 bits scanned in a sequential order for each entry. The worms, upon being scanned, give enough information to determine what scanning mechanism was used to infect itself, and what scanning mechanism it is using, so the other worms know how to respond and whether they should skip to a new location. Subnet permutation scanning is a poor choice when the worm is not ARP limited, because the linear scans are easily detected and blocked by intelligent firewalls, so it should only be used as a fallback mechanism when the scan rate has dropped below a threshold and the shift of modes results in a significant speedup in the scan rate. Infection Simulator A simple simulator was constructed for evaluating the virulence of such worms. It used a separate permutation to map between a 32 bit address space and a number of potential machines. Parameters include the number of vulnerable machines, the size of the initial population, the number of scans per second, and the time it takes to infect a machine. Results suggest that, for 1,000,000 vulnerable machines and a starting population of 10,000 from the hitlist scan, 1 minute to process the hitlist, 100 scans per second, and 1 second to infect a machine, complete infection will occur in roughly 8 minutes, with 99% infection occurring in 6 minutes and 30 seconds. A much slower scan rate of 10 scans per second requires 50 minutes to reach the 99% mark, and slightly over an hour for complete infection. A lower number of vulnerable hosts will naturally slow the rate of infection. Thus, if the number of vulnerable hosts is reduced to 250,000, the time is increased to a little over 20 minutes for complete infection at 100 scans/second. The source code for simulating 10 permutation scans, 11 partitioned permutation scans, and 12 random scans is included. The parameter for the number of outstanding infections per worm is ignored, as it would only affect the speed of hitlist scanning. Potential Targets and Multimode Worms There are three very good targets for active worms to exploit: Microsoft IIS, Microsoft Exchange, and the various P2P and messenger programs. A newly discovered exploit in any of these applications would enable a highly virulent worm. But although a single exploit can provide for an effective worm, a worm which exploits multiple services and multiple holes would spread farther, able to affect more machines in a single attack. Microsoft IIS is an amazingly vulnerable target, even in the aftermath of Code Red I and II. IIS is installed by default with Windows 2000 server and it provides a highly homogenious target. Furthermore, there is a continued negligence when it comes to maintaining patches, even on the part of Microsoft. The response following the initial breakout of Code Red demonstrated this clearly: a week after the first outbreak, the second outbreak corrupted nearly as many machines. Microsoft Exchange is less prevalent than IIS, but it makes for a highly attractive second target for a multimode worm. Since email needs to get into the corporation, this provides an excellent route for a worm to cut through firewalls. Once inside a firewall, a worm can cause considerable havoc since many internal networks are insecure. Finally, holes in the current generation of messenger applications (AOL IM, MSN messenger) and peer to peer file sharing programs (Napster, Kazaa) make for excellent targets for worms. Although most machines running these programs have comparatively poor network connections, these applications have a great advantage for spreading a worm: Each machine already has information about other machines running the program. Hitlist scanning isn't necessary for a worm attacking a peer to peer application, the worm simply propagates using the information built into the protocol and application before switching to subnet and permutation scanning as a way of shortcutting gaps and disconnects in the peer to peer structure. Windows XP will undoubtedly make this attack especially effective with its bundled messenger application. The only problem with P2P applications is that they are kept updated by the users as older versions can't connect. Thus, a worm which attacks a P2P application will need to use an unpublished exploit. Potential Defenses The most effective defenses: security by design, sensible defaults, and a diversity of targets, seem unlikely to happen until after a devastating worm is released. Although buffer overflow attacks have been understood for 2 decades, network services are still written in type-unsafe, bounds-unsafe languages. Security audits seem alien to developers while sensible defaults seem to be a myth. Until a major, highly damaging outbreak occurs, followed by the inevitable billion dollar lawsuits, software companies will probably continue their bad practices. Similarly, the Microsoft trend to use its monopoly powers to grow into new markets and force out competition has the side effect of producing homogeneous populations of computers. Homogeneous populations, whether in potatoes or computers, are always more vulnerable to diseases. Although counter worms seem like an attractive idea, they offer effectively no benefit. They require a patch to work and can only be used...