
Anti-virus wars start up again (It's time to party like it's the 1999)


Virus Guy

Jan 27, 2012, 11:37:36 PM
What a joke.

I thought that big corps were getting wise to the fallacy of AV
protection 5 years ago. Seems they were only getting dumber if today
they're shelling out for $1 million+ contracts for AV garbage-ware.

Because as we all know, AV products today are really good at telling you
that your system got hacked - a few weeks ago.

----------------------------

http://news.techeye.net/security/anti-virus-wars-start-up-again

Anti-virus wars start up again
It's time to party like it's the 1999
27 Jan 2012 09:16

It is starting to look like the anti-virus wars are starting up again.

For those who came in late, the 1990s were a time where AV companies
were engaged in hand-bag warfare which was as ruthless as it was
entertaining. It was a time when there was a lot of competition in the
marketplace and hacks were taken to secret briefings to explain why the
other side were such rubbish. It was a time when you used to get press
releases like "McAfee has asked Dr Solomon's Software to reduce the
virus detection rate of Dr Solomon's product because McAfee is unable to
keep up with the volume of viruses, and can't achieve the same level of
virus detection."

These days it has been comparatively quiet. Network Associates, which
famously slagged off Dr Solomon during a staff barbecue, is now McAfee
again and part of Intel. It seems that only Kaspersky has managed to
retain the bile which was a trademark of those times.

Still, imagine our surprise, when Reuters ran a story this morning where
McAfee rejected a claim that several large corporate customers had
recently switched over to using products from rival Symantec. Needless
to say the comment came from Symantec Chief Financial Officer James Beer
who claimed that his outfit was taking share in the anti-virus software
market away from McAfee, which was bought by Intel.

====================
http://www.reuters.com/article/2012/01/26/us-mcafee-symantec-idUSTRE80P23S20120126

Intel bought McAfee in a $7.7 billion deal meant to spur growth at the
world's top chipmaker and also help it better protect its products from
hackers. Investors are still waiting to see whether that bet will yield
results.

McAfee laid off about 3 percent of its workers, or about 250 employees,
in December.
====================

This was vintage 1990s stuff, and once upon a time we would have said
"yeah right" and probably ignored it. This was mostly because Beer
declined to identify who the customers were.

But now McAfee Senior Vice President for Finance and Accounting Edward
Hayden has struck back saying that the claim was false. He pointed out
that his company had booked a record amount of business in its December
quarter, signed its biggest deal ever and closed more sales over $1
million than it had in any single period.

He said he was "not aware of any major account" that lost to Symantec
during the quarter.

Again, all unprovable stuff and vintage "he said, we say" stuff from
1997. Would the vice president of finance know if he had lost any major
customers anyway?

FromTheRafters

Jan 28, 2012, 8:51:00 AM
Virus Guy wrote:
> What a joke.
>
> I thought that big corps were getting wise to the fallacy of AV
> protection 5 years ago. Seems they were only getting dumber if today
> they're shelling out for $1 million+ contracts for AV garbage-ware.
>
> Because as we all know, AV products today are really good at telling you
> that your system got hacked - a few weeks ago.

AV is still useful for preventative (albeit reactive) protection against
most *viruses*. As for hacks and general malware it seems to have taken
more of a removal after-the-fact role as viruses become less prevalent.
IMO this has led to them being more of an enabling influence on those
bad behaviors that users always tend toward.

It's the damned marketing schemes that are a joke.

[...]

Bear

Jan 28, 2012, 9:45:34 AM
Yes, things shifted remarkably a while back. As a result, I shifted my
strategies from reaction to recovery.

I make a factory (with MS Updates) and pristine image and use the
pristine image. As time goes on and enough MS Updates have happened or I
decide to make a permanent change to my system, I reload the pristine
image, make the updates and changes, and re-image that, which becomes the
new pristine image, and keep the old one as a backup. I continue this
approach but only keep the two latest images (the factory clean image is
permanent).

The pristine image is the factory image with all MS and other updates
and all of your data and programs. Every now and then, I load the
factory image and load the new MS updates and re-image that.

This ensures, as well as can be, that you always have a clean system.
This means you keep at least three images. If you run into malware
re-actively, simply re-load your most current pristine image. Such takes
30 minutes or less - usually much less time than it takes to react
properly to malware.

IMO, most discussion about how to deal with malware is made moot with
this approach. This doesn't mean prevention attempts aren't important!



--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail

FromTheRafters

Jan 28, 2012, 12:40:05 PM
IMO, disaster recovery should take a back seat to prevention. The reason
being that some types of malware can hose your recovery scheme. That is,
all but the original pristine image as laid out in your stated scheme
are at risk - even updates of that original pristine image are
susceptible to corruption.

Everyone should have disaster recovery plans for the kind of disasters
that cannot be outright prevented. These just *happen* - they don't lurk
and data diddle for months before being discovered and pose a threat to
even your off-site backups.

Backup/restore/recovery schemes are for disaster recovery and general
security (risk reduction) and not an antimalware or antivirus scheme
which are IMO *supposed to be* preventative in nature.

First, prevent infestation of malware as best you can, then treat what
*will still* get through (there are no 100% effective detectors) as a
disaster and hope that your disaster recovery plan wasn't infiltrated.

kurt wismer

Jan 28, 2012, 2:27:49 PM
the first step is prevention, certainly agree with you there. if you
can prevent going through the following cycle at the first stage,
that's a lot of effort you don't have to expend.

next is detection of preventative failures, because no prevention can
ever be perfect.

next is diagnosis of what you failed to prevent, because you need to
know everything it did in order to know what steps need to be taken in
recovery. you also need to know where it came from if you're going to
involve the authorities as well as what files to send to vendors so
they can improve their products. you also need to know how the
compromise was able to succeed for when you re-evaluate your defenses.

next is reporting to authorities, because if nothing is done about the
person responsible for the compromise they will most likely continue.
home users may not consider this a meaningful step, since their
individual losses aren't likely to be enough to warrant the
authorities' time, but their compromise could be part of something
much bigger. of course for enterprises, reporting to authorities
becomes much more meaningful. additionally, reporting to authorities
can include reporting malware samples to vendors. this has meaningful
benefits to all sectors.

after that is recovery (don't want to do it before reporting to
authorities as you may be compromising opportunities to gain valuable
intelligence about the person or people involved, or lose access to
the malware samples). with the kinds of malware out there these days,
recovery can easily extend beyond the confines of your hard drive, so
while good backups and/or drive images are a must, they are only the
beginning.

finally there's re-evaluation of your defenses, because there may be
improvements you can make so that prevention will work even better the
next time.

this is a feedback loop that has the potential to make prevention
incrementally better with each iteration, as well as taking select
attackers out of the equation in the future. making prevention better
with each iteration is important because you don't want to expose the
same vulnerabilities to attackers over and over again - you'll just
get pwned the same way over and over again.

there once was this concept of the PDR triad (prevention, detection,
recovery), but laziness has turned that into something that is done on
automatic, without thought or rigor, and without any of the implicit
steps that lead to improvements - that's why i expand it out to
explicitly list those steps.

Bear

Jan 28, 2012, 3:31:41 PM
I think images should be made first, not after, and most people can do
this much easier than trying to clean their computer, which is iffy. As
for the pristine images becoming corrupt, that is a possibility, which /is/
the reason for keeping a factory image with MS updates, though your pristine
images are made from your factory image and no surfing/use time is on
them, which makes it more unlikely - thus the name pristine. Your factory
recovery disks or a factory image stored on your computer are nice - but
MS updates can mount up to the point of taking days to add them, though that
/is/ the last recourse.
>
> Everyone should have disaster recovery plans for the kind of disasters
> that cannot be outright prevented. These just *happen* - they don't lurk
> and data diddle for months before being discovered and pose a threat to
> even your off-site backups.

Very true.
>
> Backup/restore/recovery schemes are for disaster recovery and general
> security (risk reduction) and not an antimalware or antivirus scheme
> which are IMO *supposed to be* preventative in nature.

I list a myriad of reasons for maintaining images on my website - hard
drive crashes etc. You can't depend on prevention. There is no silver
bullet. This ideology is wrong IMO but prevalent among mostly techs or
very experienced users. It might be good for them/us, but not average users.
>
> First, prevent infestation of malware as best you can, then treat what
> *will still* get through (there are no 100% effective detectors) as a
> disaster and hope that your disaster recovery plan wasn't infiltrated.
>
NO! First make your images. Then prevent as best you can. If you get
infected and unless you are an expert at cleaning malware or want to pay
one, reload your image. Self-sufficient.

Even experts (I know this as fact) miss malware and /think/ they got it all.

Bear

Jan 28, 2012, 3:33:43 PM
On 1/28/2012 1:27 PM, kurt wismer wrote:
> the first step is prevention, certainly agree with you there. if you
> can prevent going through the following cycle at the first stage,
> that's a lot of effort you don't have to expend.

This is wrong. What are you going to do? Wait till you are infected, then
make an image? First make your recovery plan before you go out into the
wild. Then work on prevention.

Bear

Jan 28, 2012, 3:35:31 PM
On 1/28/2012 1:27 PM, kurt wismer wrote:
> next is diagnosis of what you failed to prevent, because you need to
> know everything it did in order to know what steps need to be taken in
> recovery. you also need to know where it came from if you're going to
> involve the authorities as well as what files to send to vendors so
> they can improve their products. you also need to know how the
> compromise was able to succeed for when you re-evaluate your defenses.

This takes hours and more in many cases. Most average users will never
be able to do such. Your advice may work for expert users but they are
few and far between. It takes less than 30 minutes to restore a clean image.

Bear

Jan 28, 2012, 3:37:34 PM
On 1/28/2012 1:27 PM, kurt wismer wrote:
> after that is recovery (don't want to do it before reporting to
> authorities as you may be compromising opportunities to gain valuable
> intelligence about the person or people involved, or lose access to
> the malware samples). with the kinds of malware out there these days,
> recovery can easily extend beyond the confines of your hard drive, so
> while good backups and/or drive images are a must, they are only the
> beginning.

So you are going to recover from factory images or media? Because you
haven't made your recovery images yet.

kurt wismer

Jan 28, 2012, 6:58:43 PM
On Jan 28, 3:33 pm, Bear <bearbottoms1+...@gmail.com> wrote multiple
posts:

maybe, in future, you could read my posts all the way through and let
them sink in a bit before you replied. that way you wouldn't need to
reply multiple times to the same post, and i wouldn't have to try and
piece your thoughts back together into a cohesive whole.

> On 1/28/2012 1:27 PM, kurt wismer wrote:
>
> > the first step is prevention, certainly agree with you there. if you
> > can prevent going through the following cycle at the first stage,
> > that's a lot of effort you don't have to expend.
>
> This is wrong. What are you going to do? Wait till you are infected, then
> make an image? First make your recovery plan before you go out into the
> wild. Then work on prevention.

if i tell you to first drive to your parents house and then nail shut
the doors and windows, i would normally think it goes without saying
that you must first acquire a car, a hammer, and some nails.

however, since i was critical of leaving other steps in the
traditional PDR triad as implicit, i suppose it's only fitting that
"prepare" be made explicit too. so the 0th step is to prepare for your
next malware encounter. now my hexad is a septad.

On Jan 28, 3:35 pm, Bear <bearbottoms1+...@gmail.com> wrote:
> On 1/28/2012 1:27 PM, kurt wismer wrote:
>
> > next is diagnosis of what you failed to prevent, because you need to
> > know everything it did in order to know what steps need to be taken in
> > recovery. you also need to know where it came from if you're going to
> > involve the authorities as well as what files to send to vendors so
> > they can improve their products. you also need to know how the
> > compromise was able to succeed for when you re-evaluate your defenses.
>
> This takes hours and more in many cases. Most average users will never
> be able to do such. Your advice may work for expert users but they are
> few and far between. It takes less than 30 minutes to restore a clean image.

in the same vein, one could also say it takes less than 30 minutes to
destroy information that could have:
a) warned the victim that his bank account was in jeopardy
b) informed the victim which vulnerable subsystem needed to be patched,
reconfigured, or disabled in order to prevent getting compromised by
similar malware in the future
c) identified which cloud-based email needed to be deleted to avoid
accidentally re-compromising the machine with the exact same malware
in the future

is this really the lesson you want to teach people? from my
perspective, this is precisely the thoughtless, lazy, half-arsed
approach i complained about before. simply restoring an image just
sets you up to get pwned again in exactly the same way. the best proof
of learning from your mistakes is to change direction - if you keep
doing the same thing you keep making the same mistake. pretending
there's an easy answer (just restore a clean image!) breeds laziness
and complacency and gives people a false sense of security.

now i realize that there are limits to what people are capable of, but
i never said they had to do it alone. they can get help if they need
to. they can also cut corners, but the more thorough their knowledge
of how their prevention failed this time, the better equipped they'll
be to improve it and not fail the next time.

On Jan 28, 3:37 pm, Bear <bearbottoms1+...@gmail.com> wrote:
> On 1/28/2012 1:27 PM, kurt wismer wrote:
>
> > after that is recovery (don't want to do it before reporting to
> > authorities as you may be compromising opportunities to gain valuable
> > intelligence about the person or people involved, or lose access to
> > the malware samples). with the kinds of malware out there these days,
> > recovery can easily extend beyond the confines of your hard drive, so
> > while good backups and/or drive images are a must, they are only the
> > beginning.
>
> So you are going to recover from factory images or media? Because you
> haven't made your recovery images yet.

yes, yes, recovery needs preparations. guess what - so does
prevention, so does detection, so does diagnosis, etc. making images
is an implementation detail, just like updating anti-virus software,
preparing a whitelist, generating a behavioural baseline for installed
software, collecting file integrity information, and so on and so
forth. you raised an important point (in your single-minded sort of
way) about the importance of preparedness, but you don't have to keep
banging that drum.

Bear

Jan 28, 2012, 7:25:26 PM
On 1/28/2012 5:58 PM, kurt wismer wrote:
> On Jan 28, 3:33 pm, Bear<bearbottoms1+...@gmail.com> wrote multiple
> posts:
>
> maybe, in future, you could read my posts all the way through and
> let them sink in a bit before you replied. that way you wouldn't need
> to reply multiple times to the same post, and i wouldn't have to try
> and piece your thoughts back together into a cohesive whole.

It's how I chose to do it this time.
>
>> On 1/28/2012 1:27 PM, kurt wismer wrote:
>>
>>> the first step is prevention, certainly agree with you there. if
>>> you can prevent going through the following cycle at the first
>>> stage, that's a lot of effort you don't have to expend.
>>
>> This is wrong. What are you going to do? Wait till you are infected,
>> then make an image? First make your recovery plan before you go out
>> into the wild. Then work on prevention.
>
> if i tell you to first drive to your parents house and then nail
> shut the doors and windows, i would normally think it goes without
> saying that you must first acquire a car, a hammer, and some nails.
>
> however, since i was critical of leaving other steps in the
> traditional PDR triad as implicit, i suppose it's only fitting that
> "prepare" be made explicit too. so the 0th step is to prepare for
> your next malware encounter. now my hexad is a septad.

Outstanding...though I was making a point that getting recovery ready
first was the most important thing. You said otherwise.
My post was not a comprehensive assessment of the issues. It is simple
one two three. In my comprehensive security plan on my website, I
explain that if a system becomes infected...image it. Then recover. You
can then take all the time you want and have all the records you need.
You know this right? You are making assumptions that are incorrect to
suit your debate.
>
> now i realize that there are limits to what people are capable of,
> but i never said they had to do it alone. they can get help if they
> need to. they can also cut corners, but the more thorough their
> knowledge of how their prevention failed this time, the better
> equipped they'll be to improve it and not fail the next time.

The neighborhood or family computer "expert" is rarely capable of expert
help, especially when it comes to malware removal. Malware removal
requires such expertise or you are simply pissing in the wind. I speak
to the average user and relate to him what I think is the best approach
for him to take. If you are an expert user, you don't need any advice on
how to manage your systems.
>
> On Jan 28, 3:37 pm, Bear<bearbottoms1+...@gmail.com> wrote:
>> On 1/28/2012 1:27 PM, kurt wismer wrote:
>>
>>> after that is recovery (don't want to do it before reporting to
>>> authorities as you may be compromising opportunities to gain
>>> valuable intelligence about the person or people involved, or
>>> lose access to the malware samples). with the kinds of malware
>>> out there these days, recovery can easily extend beyond the
>>> confines of your hard drive, so while good backups and/or drive
>>> images are a must, they are only the beginning.
>>
>> So you are going to recover from factory images or media? Because
>> you haven't made your recovery images yet.
>
> yes, yes, recovery needs preparations. guess what - so does
> prevention, so does detection, so does diagnosis, etc. making images
> is an implementation detail, just like updating anti-virus software,
> preparing a whitelist, generating a behavioural baseline for
> installed software, collecting file integrity information, and so on
> and so forth. you raised an important point (in your single-minded
> sort of way) about the importance of preparedness, but you don't have
> to keep banging that drum.

Of course it does...but you jumped into the discussion bypassing the
most important first step deliberately and supposedly authoritatively
after I had said recovery preparation was the most important first
step...and your reply basically said it was not. It is why I pointed the
issue out.

It's ok though...I understand that sometimes it's hard not to get
personal in these groups.

FromTheRafters

Jan 28, 2012, 9:14:55 PM
Bear wrote:
[...]

> I think images should be made first, not after and most people can do
> this much easier than trying to clean their computer which is iffy.

I guess I wasn't clear. My take on this is that images should be taken
apart and aside from any malware considerations. Even if malware didn't
exist at all, users should still have a backup and restore scheme in play.

Then, we move on to the malware arena. Prevention is first and foremost;
it *will* fail at some point, so some kind of recovery plan comes next,
followed by the restore plan. Some people will restore and update rather
than recover because restoring an image is often easier than trying to
recover straight to the state the computer was in just before the
infestation.

People should not rely on their images to protect them from malware
infestation and the corruption that might ensue. The reason being that
it does not address the problem at all, but addresses disasters like
hard drive crashes or errant satellites crashing into your house or
business quite well.

[...]

kurt wismer

Jan 29, 2012, 2:28:22 AM
On Jan 28, 7:25 pm, Bear <bearbottoms1+...@gmail.com> wrote:
[snip]
>> On 1/28/2012 1:27 PM, kurt wismer wrote:
[snip - since you borked the quote attribution anyways]
> > if i tell you to first drive to your parents house and then nail
> > shut the doors and windows, i would normally think it goes without
> > saying that you must first acquire a car, a hammer, and some nails.
>
> > however, since i was critical of leaving other steps in the
> > traditional PDR triad as implicit, i suppose it's only fitting that
> > "prepare" be made explicit too. so the 0th step is to prepare for
> > your next malware encounter. now my hexad is a septad.
>
> Outstanding...though I was making a point that getting recovery ready
> first was the most important thing. You said otherwise.

that may have been what you meant, but that's not how it came across.
even in this reply you seem to present a recovery-centric over-all
approach.

the phrase "an ounce of prevention is worth a pound of cure" didn't
become a famous idiom for nothing.

[snip]
> > in the same vein, one could also say it takes less than 30 minutes
> > to destroy information that could have: a) warned the victim that his
> > bank account was in jeopardy b) informed the victim which vulnerable
> > subsystem needed to be patched, reconfigured, or disabled in order to
> > prevent getting compromised by similar malware in the future c)
> > identified which cloud-based email needed to be deleted to avoid
> > accidentally re-compromising the machine with the exact same malware
> > in the future
>
> > is this really the lesson you want to teach people? from my
> > perspective, this is precisely the thoughtless, lazy, half-arsed
> > approach i complained about before. simply restoring an image just
> > sets you up to get pwned again in exactly the same way. the best
> > proof of learning from your mistakes is to change direction - if you
> > keep doing the same thing you keep making the same mistake.
> > pretending there's an easy answer (just restore a clean image!)
> > breeds laziness and complacency and gives people a false sense of
> > security.
>
> My post was not a comprehensive assessment of the issues. It is simple
> one two three. In my comprehensive security plan on my website, I
> explain that if a system becomes infected...image it. Then recover. You
> can then take all the time you want and have all the records you need.
> You know this right? You are making assumptions that are incorrect to
> suit your debate.

what i know is that if you restore to a pre-infected, vulnerable state
you're likely to get pwned again while you "take all the time you
want" to perform the diagnosis.

what i know is that without additional measures to prevent compromise
you just recovered from you are essentially putting the system into an
'about to be infected' state.

what i know is that you can't take those additional measures until
*AFTER* you perform diagnosis.

what i know is that restoring before involving the authorities tips
your hand to the attackers and gives them an opportunity to cover
their tracks before an investigation can even begin.

what i know is that good strategies can be rendered moot by bad
tactics.

what i know is that when someone says something like dealing with
malware can be easy or simple, they're selling the reader a false bill
of goods.


> > now i realize that there are limits to what people are capable of,
> > but i never said they had to do it alone. they can get help if they
> > need to. they can also cut corners, but the more thorough their
> > knowledge of how their prevention failed this time, the better
> > equipped they'll be to improve it and not fail the next time.
>
> The neighborhood or family computer "expert" is rarely capable of expert
> help especially when it come to malware removal.

and who said anything about getting help from them?

[snip]
> > yes, yes, recovery needs preparations. guess what - so does
> > prevention, so does detection, so does diagnosis, etc. making images
> > is an implementation detail, just like updating anti-virus software,
> > preparing a whitelist, generating a behavioural baseline for
> > installed software, collecting file integrity information, and so on
> > and so forth. you raised an important point (in your single-minded
> > sort of way) about the importance of preparedness, but you don't have
> > to keep banging that drum.
>
> Of course it does...but you jumped into the discussion bypassing the
> most important first step deliberately and supposedly authoritatively
> after I had said recovery preparation was the most important first
> step...and your reply basically said it was not. It is why I pointed the
> issue out.

go back and re-read what you wrote. you didn't portray it as recovery
preparation, you portrayed it as the entire process of dealing with
malware, and only threw in an off-hand mention to prevention at the
very end (with no mention of detection, no means of improving or
learning from past mistakes, etc).

FromTheRafters was right in the sense that when you encounter malware,
the first thing you want to try to do is prevention. yes you need to
make preparations but that is something that should already be in
place, not something you do when you encounter malware.

furthermore, there's more to preparations than just recovery
preparations - every stage potentially requires preparations, but you
only mention recovery. is it any wonder your statements haven't been
interpreted the way you're trying to spin them now?

Dustin

Jan 29, 2012, 4:10:52 PM
Virus Guy <Vi...@Guy.com> wrote in news:4F237B90...@Guy.com:

> What a joke.
>
> I thought that big corps were getting wise to the fallacy of AV
> protection 5 years ago. Seems they were only getting dumber if today
> they're shelling out for $1 million+ contracts for AV garbage-ware.
>
> Because as we all know, AV products today are really good at telling
> you that your system got hacked - a few weeks ago.

viruses are hacking now?


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

Bear

Jan 29, 2012, 4:55:31 PM
On 1/29/2012 3:10 PM, Dustin wrote:
> Virus Guy<Vi...@Guy.com> wrote in news:4F237B90...@Guy.com:
>
>> What a joke.
>>
>> I thought that big corps were getting wise to the fallacy of AV
>> protection 5 years ago. Seems they were only getting dumber if today
>> they're shelling out for $1 million+ contracts for AV garbage-ware.
>>
>> Because as we all know, AV products today are really good at telling
>> you that your system got hacked - a few weeks ago.
>
> viruses are hacking now?
>
>
You know what he means!

kurt wismer

Jan 29, 2012, 5:41:18 PM
On Jan 29, 4:10 pm, Dustin <bughunter.dus...@gmail.com> wrote:
> Virus Guy <Vi...@Guy.com> wrote in news:4F237B90...@Guy.com:
>
> > What a joke.
>
> > I thought that big corps were getting wise to the fallacy of AV
> > protection 5 years ago. Seems they were only getting dumber if today
> > they're shelling out for $1 million+ contracts for AV garbage-ware.
>
> > Because as we all know, AV products today are really good at telling
> > you that your system got hacked - a few weeks ago.
>
> viruses are hacking now?

most malware these days is non-viral. since non-viral malware doesn't
spread on its own, there is an actual person behind the scenes
directing the attack (to varying degrees of precision).

(not that i'd call breaking into systems "hacking", though, but i know
many others do)

Dustin

Jan 30, 2012, 11:05:10 PM
Bear <bearbott...@gmail.com> wrote in
news:4f245b33$0$285$1472...@news.sunsite.dk:
Without knowing what infected you or how.. that image is going to get
0wned again. You accomplish nothing by doing this aside from giving the
user a very false sense that they are safe again. Very unprofessional and
irresponsible. Various individuals have tried to explain this but you
smugly dismiss them.

Bear Bottoms

Jan 31, 2012, 5:56:39 AM
Dustin <bughunte...@gmail.com> wrote in
news:Xns9FEAEC89E863AHHI2948AJD832@no:

> Without knowing what infected you or how.. that image is going to get
> 0wned again. You accomplish nothing by doing this aside from giving
> the user a very false sense that they are safe again. Very
> unprofessional and irresponsible. Various individuals have tried to
> explain this but you smugly dismiss them.

With an image of the infected system, all information is there to do with
as you will. Nothing is lost. You are simply wrong.

David H. Lipman

Jan 31, 2012, 9:04:41 AM
From: "Bear Bottoms" <bearbott...@gmail.com>
That's not true. You ignore the Delta and Data Factors.

The Delta Factor is those changes that have been made to the OS and
software since the image was made.

The Data Factor is the user data that can be lost with the restoration of an
image.

Dustin is correct.

For YOU this might be a "good fit" solution but it is not an overall solution.
It is only a partial solution and requires a great deal of recognition and
preparation. The computer user who thinks the DVD drive in the desktop is a
cup holder will neither recognize this nor prepare for this. That is a worst
case scenario computer user, and there is a wide variety of people and of
computer experience and knowledge. You have an overly simplistic POV that
only comes from your experience. One has to put oneself into the shoes
of a wide variety of computer users and see the state of affairs from their
eyes and their POV. You also need to perform "thought experiments" with
numerous "what if" scenarios to come up with broad spectrum solutions.

I stated it before that imaging and backups are just one aspect of disaster
recovery and not a solution for computer malware.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

FromTheRafters

Jan 31, 2012, 9:25:10 AM
Are you suggesting that an image of the infected drive is the same
*forensically* as having the actual 'still infected' drive to examine is?

Ant

Jan 31, 2012, 11:40:38 AM
"David H. Lipman" wrote:

> That's a worst case scenario computer user

"Worst case scenario" - I love quotes from Star Trek!

"It's life, Jim but not as we know it".


FromTheRafters

Jan 31, 2012, 1:13:10 PM

Bear Bottoms

Jan 31, 2012, 6:00:18 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:BrOdnfttWNhnabrS...@giganews.com:

> From: "Bear Bottoms" <bearbott...@gmail.com>
>
>| Dustin <bughunte...@gmail.com> wrote in
>| news:Xns9FEAEC89E863AHHI2948AJD832@no:
>|
>>> Without knowing what infected you or how.. that image is going to
>>> get 0wned again. You accomplish nothing by doing this aside from
>>> giving the user a very false sense that they are safe again. Very
>>> unprofessional and irresponsible. Various individuals have tried to
>>> explain this but you smugly dismiss them.
>|
>| With an image of the infected system, all information is there to do
>| with as you will. Nothing is lost. You are simply wrong.
>
> That's not true. You ignore the Delta and Data Factors.
>
> The Delta Factor is those changes that have been made to the OS and
> software since the image was made.
>
> The Data Factor is the user data that can be lost with the restoration
> of an image.
>
> Dustin is correct.

Wow....how can both of you "experts" get it so wrong. It is an example
of ancient mentality hanging on in spite of a more learned approach.
>
> For YOU this might be a "good fit" solution but it is not an overall
> solution. It is only a partial solution and requires a great deal of
> recognition and preparation. The computer user who thinks the DVD
> drive in the desktop is a cup holder will neither recognize this nor
> prepare for this. That's a worst case scenario computer user, and there
> is a wide variety of people and of computer experience and
> knowledge. You have an overly simplistic POV that only comes from
> your experience. One has to put oneself into the shoes of a wide
> variety of computer users and see the state of affairs from their eyes
> and their POV. You also need to perform "thought experiments" with
> numerous "what if" scenarios to come up with broad spectrum solutions.

You are limiting your concept of what I speak of to mounting an image and
exploring the malware from the mount. No! At any point in time, you can
reload that image and do what you will. You have lost nothing.

You should always first image a system that is infected before you do
anything else. After which, you can do whatever you wish to do with the
infected system, lose nothing, and if you muck it up you can reload and
start over. See, you can't project your mind-set away from the old
methods.

If anyone wishes to explore/analyze/attempt removal, "recognize and
prepare" and document to report, they can always reload the infected
image, do their thing and NOTHING is lost. Even with your narrow minded,
wrong, and not well thought out statements. Delta factor my ass. YOU
LOSE NOTHING - YOU CAN ALWAYS RELOAD THE INFECTED IMAGE and explore
away.

Most people won't. I know this from EXPERIENCE. Your candid off-the-cuff
snide remarks are noted again.

Bear Bottoms

Jan 31, 2012, 6:05:35 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:BrOdnfttWNhnabrS...@giganews.com:

> Are you suggesting that an image of the infected drive is the same
> *forensically* as having the actual 'still infected' drive to examine is?

Yes. It /is/ the same. It is still an image of the actual 'still infected'
drive. The mistake you are making is common...assumption. You are assuming
that one would explore the image from a mount. Wrong. If exploration for
whatever purposes is desired, you can reload the infected image and you
have it as it was...and it will do what it would do as if you never imaged.

Are you suggesting that an image is not the same system as it was after you
reload it?

FromTheRafters

Jan 31, 2012, 10:08:53 PM
Bear Bottoms wrote:
> "David H. Lipman"<DLipman~nospam~@Verizon.Net> wrote in
> news:BrOdnfttWNhnabrS...@giganews.com:
>
>> Are you suggesting that an image of the infected drive is the same
>> *forensically* as having the actual 'still infected' drive to examine is?

Somehow, you've attributed *my* question to David.

> Yes. It /is/ the same. It is still an image of the actual 'still infected'
> drive. The mistake you are making is common...assumption.

I'm not so sure that I'm the one assuming. I was asking a question and
you assume that I was assuming something that I'm not.

> You are assuming that one would explore the image from a mount.

Again, it is you doing the assuming here.

> Wrong. If exploration for
> whatever purposes is desired, you can reload the infected image and you
> have it as it was...and it will do what it would do as if you never imaged.
>
> Are you suggesting that an image is not the same system as it was after you
> reload it?

No, I asked a question, and you have given me an answer. I accept that
answer, but probably not for the reason you may think.

Bear Bottoms

Feb 1, 2012, 5:33:17 AM
FromTheRafters <err...@nomail.afraid.org> wrote in
news:jgaac8$mdb$1...@dont-email.me:
Isn't communication great :)

Bear Bottoms

Feb 1, 2012, 5:35:04 AM
FromTheRafters <err...@nomail.afraid.org> wrote in
news:jgaac8$mdb$1...@dont-email.me:

> Bear Bottoms wrote:
>> "David H. Lipman"<DLipman~nospam~@Verizon.Net> wrote in
>> news:BrOdnfttWNhnabrS...@giganews.com:
>>
>>> Are you suggesting that an image of the infected drive is the same
>>> *forensically* as having the actual 'still infected' drive to
>>> examine is?
>
> Somehow, you've attributed *my* question to David.
>
>> Yes. It /is/ the same. It is still an image of the actual 'still
>> infected' drive. The mistake you are making is common...assumption.
>
> I'm not so sure that I'm the one assuming. I was asking a question and
> you assume that I was assuming something that I'm not.
>
>> You are assuming that one would explore the image from a mount.
>
> Again, it is you doing the assuming here.

OK, I'll play. How else could you have meant it?

kurt wismer

Feb 1, 2012, 12:49:01 PM
On Jan 31, 5:56 am, Bear Bottoms <bearbottoms1+...@gmail.com> wrote:
> Dustin <bughunter.dus...@gmail.com> wrote in news:Xns9FEAEC89E863AHHI2948AJD832@no:
i don't think you're quite getting what dustin is saying.

if you put the system back to the state it was in before it got
infected, it will just get infected again. whatever got past your
defenses before will get past them again if they aren't augmented to
deal with what you just had. restoring a clean image doesn't augment
those defenses. without diagnostic information you can't perform that
augmentation.

if this needs to be said in pictures, so be it:
http://www.secmeme.com/2012/01/half-assed-recovery.html

David H. Lipman

Feb 1, 2012, 1:46:57 PM
From: "kurt wismer" <ku...@sympatico.ca>
;-)

Ant

Feb 1, 2012, 3:25:19 PM
"FromTheRafters" wrote:

> Ant wrote:
>> "It's life, Jim but not as we know it".
>
> http://www.youtube.com/watch?v=HhuzjkE65f8

Yes, indeed. Not that yootoob is practical on dialup but I do know the
song.

"Star Trekkin' across the universe,
Only going forward 'cause we can't find reverse"


Bear Bottoms

Feb 1, 2012, 5:37:01 PM
kurt wismer <ku...@sympatico.ca> wrote in
news:7992562b-1daf-4cab...@k28g2000yqc.googlegroups.com:
That is basic 101 stuff. Dustin doesn't understand the concept.

Bear Bottoms

Feb 1, 2012, 7:49:42 PM
Bear Bottoms <bearbott...@gmail.com> wrote in
news:Xns9FECA905F7C2Cbe...@130.225.254.104:

> kurt wismer <ku...@sympatico.ca> wrote in
> news:7992562b-1daf-4cab-a8cf-f660957911c4
Like I said, the first thing you should do to an infected system is to
image it. Then you can do whatever you are going to do to the infected
system and if you muck it up, you can reload the infected image and try
again until you get or do whatever it is you want.

You can also mount the infected image from a clean reload and retrieve
files if you like or get other information you might want.

There is no silver bullet against malware. People are going to get
infected sooner or later (or again). Of course they should do their
best to prevent future infections. Only advanced users can determine
most of what Dustin and David refer to and most average users won't do
any of that. They usually need to ask for help...with the system I
describe, they won't need help to recover. This has already been said by
me...and went over the heads of Dustin, David and a few more.

FromTheRafters

Feb 1, 2012, 9:37:29 PM
Exactly as I wrote it. I made no assumptions about what you were doing
with the drive or its image. I understood your answer as it applies to
your usage of images and have no problem with that.

The average user isn't going to do the right thing, and IMO that is to
replace the drive with one that has a clean image and turn the infected
drive over to forensic analysts. They will make an image with a trusted
application being run by a licensed operator. Giving them an image made
by Easeus probably isn't *the same* as far as they are concerned.
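The procedure the two posts above turn on, imaging the infected drive before anything else is done to it and later being able to show that the copy is still exactly what was taken, as an added shell example that is not part of the thread and not any participant's code: a raw, bit-for-bit copy with dd, a SHA-256 of source and image compared, and the hash stored beside the image so it can be re-checked before every mount, restore or hand-off. It assumes a Linux host with coreutils dd and sha256sum; the device path, image path and mount point are placeholders, and the suspect drive is assumed to be attached read-only (a hardware write blocker, or at minimum never mounted read-write).

```shell
#!/bin/sh
# Added example, not from the thread. Raw imaging of a suspect drive with a
# hash check, so the copy can later be shown to be bit-for-bit what was taken.
# Assumes: Linux, coreutils dd and sha256sum. SRC is a block device such as
# /dev/sdb (placeholder) attached read-only, or a plain file standing in for one.

image_and_verify() {
    src="$1"   # device or file to copy
    dst="$2"   # image file on separate, known-clean storage

    # bs=512 matches the sector size, so conv=sync only pads a block that
    # actually failed to read; conv=noerror keeps going past bad sectors
    # instead of aborting, and dd's own report of them goes to the log.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.ddlog" || return 1

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)

    # Record the image hash beside the image; re-check it with verify_image
    # before every mount, restore or hand-off.
    printf '%s  %s\n' "$dst_hash" "$dst" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

verify_image() {
    img="$1"
    expected=$(cut -d' ' -f1 "$img.sha256")
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Examining the image without executing anything on it (needs root, so shown
# as a comment rather than run): mount the partition read-only from a loop
# device, with noexec and nodev so nothing inside it can be launched or used
# as a device node. OFFSET is the partition's byte offset (fdisk -l IMAGE).
#   mount -o ro,loop,noexec,nodev,offset=OFFSET IMAGE /mnt/evidence

# Stand-alone use: sh image_verify.sh /dev/sdb /mnt/evidence/case.dd
if [ "$#" -eq 2 ]; then
    if image_and_verify "$1" "$2"; then
        echo "image verified: $2 ($(cut -d' ' -f1 "$2.sha256"))"
    else
        echo "imaging or hash check failed for $1, see $2.ddlog" >&2
        exit 1
    fi
fi
```

A source hash that matches the image hash is what makes the copy usable as evidence; a file-level "backup" that skips unallocated space, or an image whose hash was never taken, cannot be shown to be the same drive. If the source has unreadable sectors the padded image will not match the source hash, which is correct behaviour: the mismatch and dd's log entry belong in the case notes, not silently ignored.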

Bear Bottoms

Feb 1, 2012, 10:09:46 PM
FromTheRafters <err...@nomail.afraid.org> wrote in news:jgcste$aqb$1@dont-email.me:

> Bear Bottoms wrote:
>> FromTheRafters<err...@nomail.afraid.org> wrote in
>> news:jgaac8$mdb$1...@dont-email.me:
>>
>>> Bear Bottoms wrote:
>>>> "David H. Lipman"<DLipman~nospam~@Verizon.Net> wrote in
>>>> news:BrOdnfttWNhnabrS...@giganews.com:
>>>>
>>>>> Are you suggesting that an image of the infected drive is the same
>>>>> *forensically* as having the actual 'still infected' drive to
>>>>> examine is?
>>>
>>> Somehow, you've attributed *my* question to David.
>>>
>>>> Yes. It /is/ the same. It is still an image of the actual 'still
>>>> infected' drive. The mistake you are making is common...assumption.
>>>
>>> I'm not so sure that I'm the one assuming. I was asking a question and
>>> you assume that I was assuming something that I'm not.
>>>
>>>> You are assuming that one would explore the image from a mount.
>>>
>>> Again, it is you doing the assuming here.
>>
>> OK, I'll play. How else could you have meant it?
>
> Exactly as I wrote it. I made no assumptions about what you were doing
> with the drive or its image. I understood your answer as it applies to
> your usage of images and have no problem with that.

Fair enough.
>
> The average user isn't going to do the right thing,

I agree. They certainly aren't going to do as Dustin/David the
professionals would do or as they suggested.

> and IMO that is to
> replace the drive with one that has a clean image and turn the infected
> drive over to forensic analysts. They will make an image with a trusted
> application being run by a licensed operator. Giving them an image made
> by Easeus probably isn't *the same* as far as they are concerned.
>

They could do anything they decided to set up and/or what was required by
those they might decide to send it to...though I don't think sending
someone an image of /their/ computer is really a workable solution for
them...maybe so for some.

What I want them to do is learn to effectively use various image
techniques. Anyone with basic skills can easily learn this well enough to
become self-sufficient (no longer need the family or neighborhood geek or
pay money to get out of trouble). Much easier than learning to do what
Dustin/David suggest, which takes a lot of effort, time, and experience.
That doesn't mean they shouldn't learn as much as possible about aspects of
what they suggest, just most people won't...some will.