Descriptions of malware behavior?

[Neil Gould]

Is there a good resource with a listing of malware and their impact on
users' systems? For example, if one wants to know what the "Artemis!"
malware does, where would one look, since Googling it turns up links to
conflicting information about it.

--
Neil

[FromTheRafters]

Artemis! is the particular detection engine (or routine) that made the
detection, not the malware name.

[David H. Lipman]

From: "FromTheRafters" <err...@nomail.afraid.org>

And most likely Heuristic detection.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

[Neil Gould]

David H. Lipman wrote:
> From: "FromTheRafters" <err...@nomail.afraid.org>
>
>> Neil Gould wrote:
>>> Is there a good resource with a listing of malware and their impact
>>> on users' systems? For example, if one wants to know what the
>>> "Artemis!" malware does, where would one look, since Googling it
>>> turns up links to conflicting information about it.
>>>
>> Artemis! is the particular detection engine (or routine) that made
>> the detection, not the malware name.
>
> And most likely Heuristic detection.
>

OK, then what I'd like to know is whether there is a good resource (or set
of resources) to find out the impact and/or behavior of malware that has
been identified, even if identified "by" Artemis!.

--
Neil

[David H. Lipman]

From: "Neil Gould" <ne...@myplaceofwork.com>

There is none for Heuristics. One needs a specific declaration or for a
family of malware such as ; Zlob, Zbot, FakeAlert, Swen, NetSky, MyDoom,
Nimda, etc.

[FromTheRafters]

If you take the malware name, and search for it on the website of the
vendor that gave it that name, you sometimes get lucky. Not only is
there not such a resource as you describe - they all use different names
for the malware that they detect.

There used to be a website that attempted to cross-reference the
different names used for the same malware, but I don't remember hearing
of it lately, nor have I heard of another to replace it.

[David H. Lipman]

MITRE kept the Common Malware Enumeration (CME) project that is now defunct.

The naming convention was supposed to be that a CME suffix would add the
exclamation mark (!)and CME-### where ### is the number representing the
commonality.
Suffix example !CME-711
Full name example: Win32/Stration.DH@mm!CME-416

[kurt wismer]

On Feb 4, 5:08 pm, "Neil Gould" <n...@myplaceofwork.com> wrote:
> David H. Lipman wrote:

> > From: "FromTheRafters" <erra...@nomail.afraid.org>

i think your best bet is to actually contact the vendor, send them the
suspect sample, and explain that you need to know these things about
it.

for signature based detection, the industry seems to be moving away
from caring about names, and without a good, unique name it would be
impossible to look up in a database of malware symptoms and
capabilities. even when they still thought names were important, the
online malware description databases only had descriptions for a
fraction of the known malware out there because apparently there's no
money to be had in keeping those up-to-date (and now, with 10s of
thousands of malware instances being created each day, keeping such a
resource up to date would be impossible).

contact the vendor and let them figure out where to get the
information from, instead of trying to hunt it down yourself. even at
the best of times it would have been a crap shoot - but these days
trying to get that info without the vendor is pretty much a lost cause.

[Neil Gould]

Thanks for your explanation. That is consistent with my admittedly limited
experience in trying to find some basic answers to help friends sort out
some odd behavior on their systems.

--
Neil

[Neil Gould]

Thanks for the insights, David.

--
Neil

[Neil Gould]

It appears that you're right about there not being any good resource, but to
take it one step further, I doubt that the anti-malware vendor would be of
much help, either. They may know and not want to be bothered with providing
an explanation, or they may not, and just rely on the code structure of
previously identified malware to ferret it out during a scan.

Thanks...

--
Neil

[David H. Lipman]

From: "Neil Gould" <ne...@myplaceofwork.com>

Yep, it all depends.

For example if we discuss it in advance often I tell someone to submit the sample to
UploadMalware.Com and I'll analyze it and provide a report of my findings to the
submitter.

[kurt wismer]

On Feb 7, 10:58 am, "Neil Gould" <n...@myplaceofwork.com> wrote:
[snip]

> It appears that you're right about there not being any good resource, but to
> take it one step further, I doubt that the anti-malware vendor would be of
> much help, either. They may know and not want to be bothered with providing
> an explanation, or they may not, and just rely on the code structure of
> previously identified malware to ferret it out during a scan.

you're the customer. it's their job to make you happy. if they fail
then you move on to a vendor who will satisfy your needs.

[Grumpy]

On 02/07/2012 10:58 AM, Neil Gould wrote:

> It appears that you're right about there not being any good resource, but to
> take it one step further, I doubt that the anti-malware vendor would be of
> much help, either. They may know and not want to be bothered with providing
> an explanation, or they may not, and just rely on the code structure of
> previously identified malware to ferret it out during a scan.

you could just switch to linux and stop worrying about such things...
--
Perhaps my purpose in life is to serve as a warning to others
Registered Linux User #393236

[David H. Lipman]

From: "Grumpy" <maxp...@hotmail.com>

> On 02/07/2012 10:58 AM, Neil Gould wrote:
>
>> It appears that you're right about there not being any good resource, but to
>> take it one step further, I doubt that the anti-malware vendor would be of
>> much help, either. They may know and not want to be bothered with providing
>> an explanation, or they may not, and just rely on the code structure of
>> previously identified malware to ferret it out during a scan.
>
> you could just switch to linux and stop worrying about such things...

Man, you are Grumpy ;-)

[Grumpy]

On 02/08/2012 06:10 PM, David H. Lipman wrote:
> From: "Grumpy"<maxp...@hotmail.com>
>
>> On 02/07/2012 10:58 AM, Neil Gould wrote:
>>
>>> It appears that you're right about there not being any good resource, but to
>>> take it one step further, I doubt that the anti-malware vendor would be of
>>> much help, either. They may know and not want to be bothered with providing
>>> an explanation, or they may not, and just rely on the code structure of
>>> previously identified malware to ferret it out during a scan.
>>
>> you could just switch to linux and stop worrying about such things...
>
> Man, you are Grumpy ;-)
>

well, I pop in here every once in a while and it's the same 'ol same 'ol

oy vey

[Bear]

On 2/8/2012 1:21 PM, Grumpy wrote:
> On 02/07/2012 10:58 AM, Neil Gould wrote:
>
>> It appears that you're right about there not being any good resource,
>> but to
>> take it one step further, I doubt that the anti-malware vendor would
>> be of
>> much help, either. They may know and not want to be bothered with
>> providing
>> an explanation, or they may not, and just rely on the code structure of
>> previously identified malware to ferret it out during a scan.
>
> you could just switch to linux and stop worrying about such things...

Or simply stick with Windows and have a great recovery plan. Tis what I
do because IME it is the richest computing environment.

I could care less if I get infected...it takes 15 minutes to remedy the
issue.

I disagree with the prevention first concept. There is no silver bullet.

BTW, Linux /is/ virtually impervious to malware as malware hasn't access
to root. Only about 800 pieces of malware have been discovered that
affect Linux since Linux has been around. Not so for Windows where 10's
of thousands of new malware are discovered every year.

So if you are a Windows user, you had better be recovery conscious.
Unless you are a malware expert or ready to shell out the bucks for
those who are, cleaning is a shot in the dark and takes a lot of
experience and time - even for the experts. Besides, the experts are
always a step behind the malware purveyors...it's the nature of the game.

I think Dustin and David would have to agree that even them and other
malware experts are challenged at times in this game.

--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail

[David H. Lipman]

From: "Grumpy" <maxp...@hotmail.com>

| On 02/08/2012 06:10 PM, David H. Lipman wrote:
>> From: "Grumpy"<maxp...@hotmail.com>
>>
>>> On 02/07/2012 10:58 AM, Neil Gould wrote:
>>>
>>>> It appears that you're right about there not being any good resource,
>>>> but to
>>>> take it one step further, I doubt that the anti-malware vendor would be
>>>> of
>>>> much help, either. They may know and not want to be bothered with
>>>> providing
>>>> an explanation, or they may not, and just rely on the code structure of
>>>> previously identified malware to ferret it out during a scan.
>>>
>>> you could just switch to linux and stop worrying about such things...
>>
>> Man, you are Grumpy ;-)
>>
| well, I pop in here every once in a while and it's the same 'ol same 'ol
|
| oy vey

[kurt wismer]

On Feb 8, 2:21 pm, Grumpy <maxpr...@hotmail.com> wrote:
[snip]

> you could just switch to linux and stop worrying about such things...

yeah, it's not like rootkits originated in the *nix world or anything.

oh, wait...

[Neil Gould]

Grumpy wrote:
> On 02/07/2012 10:58 AM, Neil Gould wrote:
>
>> It appears that you're right about there not being any good
>> resource, but to take it one step further, I doubt that the
>> anti-malware vendor would be of much help, either. They may know and
>> not want to be bothered with providing an explanation, or they may
>> not, and just rely on the code structure of previously identified
>> malware to ferret it out during a scan.
>
> you could just switch to linux and stop worrying about such things...
>

Let's see... I can worry about these things, or how I'm going to continue to
work, since the apps I depend on are not available under *nix... Hmmm?

--
Neil

[Beauregard T. Shagnasty]

Neil Gould wrote:

Wine!!! ;-)

--
-bts
-This space for rent, but the price is high

[David H. Lipman]

From: "Beauregard T. Shagnasty" <a.non...@example.invalid>

Stop wining BTS ;-)

or would you like some cheese for you wine ? ;-)

<big grin>

[Ant]

"Bear" wrote:

> BTW, Linux /is/ virtually impervious to malware as malware hasn't access
> to root.

I don't believe that for a minute. A limited Win user also doesn't
have root access. The main problem, apart from social engineering, is
exploitable software vulnerabilities which lead to root (system)
access. If you follow Bugtraq you will see just how many of these
apply to various distributions of Linux and other unix-like systems.

> Only about 800 pieces of malware have been discovered that
> affect Linux since Linux has been around.

I don't know where that comes from but it may be true.

> Not so for Windows where 10's
> of thousands of new malware are discovered every year.

More likely a few dozen or less. You'll find that while the packers
vary every day or hour, the underlying malware is the same.

The reason Windows is targeted is because that's the OS of the general
public and provides the greatest return to criminals. If a 'nix
variant held market dominance you can be sure that would be the choice
or target for malware.

[David H. Lipman]

From: "Ant" <n...@home.today>

Like there are no new Linux RootKits either.
zer0byte.com/2012/01/19/kbeast-kernel-beast-linux-rootkit-2012

[FromTheRafters]

Bear wrote:
> On 2/8/2012 1:21 PM, Grumpy wrote:
>> On 02/07/2012 10:58 AM, Neil Gould wrote:
>>
>>> It appears that you're right about there not being any good resource,
>>> but to
>>> take it one step further, I doubt that the anti-malware vendor would
>>> be of
>>> much help, either. They may know and not want to be bothered with
>>> providing
>>> an explanation, or they may not, and just rely on the code structure of
>>> previously identified malware to ferret it out during a scan.
>>
>> you could just switch to linux and stop worrying about such things...
>
> Or simply stick with Windows and have a great recovery plan. Tis what I
> do because IME it is the richest computing environment.
>
> I could care less if I get infected...it takes 15 minutes to remedy the
> issue.

What happens *while* you're 'infected' and how long are you going to run
in that infected state before you decide to reload the known clean image?

> I disagree with the prevention first concept. There is no silver bullet.

Why do you seem to equate prevention with silver bullets? Nobody is
suggesting and silver bullet. The bottom line is that without prevention
you have already lost the battle. Not all malware will be as well
behaved as the malware we are now accustomed to. This commercially
motivated stuff wants to persist and dig in, but cryptovirological
ransomware can still ruin your day.

> So if you are a Windows user, you had better be recovery conscious.

This advice goes equally well for non-Windows users. There are
catastrophes, other than malware attacks, which cannot be prevented.
*That* is why you need a recovery/restore scheme, not so you can operate
while infected without a care because it is so easy to recover.

[...]

[Bear]

On 2/9/2012 6:54 PM, FromTheRafters wrote:

> Bear wrote:

>
> What happens *while* you're 'infected' and how long are you going to run

> in that infected state before you decide to reload the known clean image?!

I could run as long as I could run, but why! Why should I want to! The
only reason I would use an infected machine is to experiment with
cleaning it or identifying it for a purpose. I really don't understand
your question...it seems somewhat naive.

>
>> I disagree with the prevention first concept. There is no silver bullet.
>
> Why do you seem to equate prevention with silver bullets? Nobody is
> suggesting and silver bullet. The bottom line is that without prevention
> you have already lost the battle. Not all malware will be as well
> behaved as the malware we are now accustomed to. This commercially
> motivated stuff wants to persist and dig in, but cryptovirological
> ransomware can still ruin your day.

Prevention versus silver bullets ... since silver bullets don't exist,
total prevention is impossible but always necessary to continue to do
the best you can with it. Luck prevails most of the time. A time will
likely come that one will run across malware that defeats even the best
prevention. Hopefully not, but the risk is always there. Best to be
prepared for it at any moment.

As for already losing the battle, well that is just wrong. Ransonware
has to have something you used to have to make it worth anything. That
is easy to prevent. I don't think I'll get anywhere with this debate and
I'm not really inclined to try.

I'm confident in my methodology and think it impossible to penetrate. I
keep nothing worth anything on any computer connected to the outside,
especially truly sensitive data. I do make online purchases, but use a
service with excellent fraud guard. Every thing I have is locked up safe
in multiple locations on and off-site.

I also have multiple computers and external hard drives. Hardware can be
damaged and files can be stolen or destroyed, but nothing harmful. If
you do not protect yourself in this manner, you are foolish.

>
>> So if you are a Windows user, you had better be recovery conscious.
>
> This advice goes equally well for non-Windows users. There are
> catastrophes, other than malware attacks, which cannot be prevented.
> *That* is why you need a recovery/restore scheme, not so you can operate
> while infected without a care because it is so easy to recover.

You totally misunderstand my methodology and don't seem willing to try.
I'm not concerned with non-windows users. Windows provides the richest
environment for computing mainly because that is the worldwide dominant
OS and all the vendors and developers (and malware programmers) know it.
I'll stay with it until something significant changes my mind.

You also seem to be hung up on "operating while infected...". I have no
intention to do so. I suppose that is about the best red-herring you can
throw up.

Please understand that I am not trying to ridicule you. I've been
computing since 1980 and have a lot of applied experience. I've given
much sustained deep thought to these processes. I've used that
experience to develop the best plan for myself...and don't mind sharing
it with those who are interested.

I read much discussion about security, malware etc. but never see any
one with as sound a logic as I have developed for myself. The arguments
are the same, ancient ideology and a losing battle. I am beginning to
see some folks approach it close to my logic, but none have truly
crossed over yet. To bad.

Regular users have a much better chance and ability to approach security
with my process than any other I've seen. Sure, basic security is
important. Most people can't do it. Anyone can do what I do. It's very
simple but requires discipline and a complete understanding of the
methodology. It isn't complex. Yes I use prevention and promote it. It
isn't nearly enough or the most important.
>
> [...]

[FromTheRafters]

Bear wrote:
> On 2/9/2012 6:54 PM, FromTheRafters wrote:
>> Bear wrote:
>
>>
>> What happens *while* you're 'infected' and how long are you going to run
>> in that infected state before you decide to reload the known clean
>> image?!
>
> I could run as long as I could run, but why! Why should I want to! The
> only reason I would use an infected machine is to experiment with
> cleaning it or identifying it for a purpose. I really don't understand
> your question...it seems somewhat naive.

Some malware's purpose is to use your computing power to replicate
itself and attack more machines. Your nonchalant 'fix-it-later' attitude
does nothing to fight malware.

That doesn't mean it isn't a good idea apart from the malware arena.

[...]

> Prevention versus silver bullets ... since silver bullets don't exist,
> total prevention is impossible but always necessary to continue to do
> the best you can with it. Luck prevails most of the time. A time will
> likely come that one will run across malware that defeats even the best
> prevention. Hopefully not, but the risk is always there. Best to be
> prepared for it at any moment.

Agreed.

> As for already losing the battle, well that is just wrong. Ransonware
> has to have something you used to have to make it worth anything. That
> is easy to prevent.

Sounds somewhat naive.

> I don't think I'll get anywhere with this debate and
> I'm not really inclined to try.

Agreed.

[...]

[Bear]

On 2/9/2012 9:08 PM, FromTheRafters wrote:
> Bear wrote:
>> On 2/9/2012 6:54 PM, FromTheRafters wrote:
>>> Bear wrote:
>>
>>>
>>> What happens *while* you're 'infected' and how long are you going to run
>>> in that infected state before you decide to reload the known clean
>>> image?!
>>
>> I could run as long as I could run, but why! Why should I want to! The
>> only reason I would use an infected machine is to experiment with
>> cleaning it or identifying it for a purpose. I really don't understand
>> your question...it seems somewhat naive.
>
> Some malware's purpose is to use your computing power to replicate
> itself and attack more machines. Your nonchalant 'fix-it-later' attitude
> does nothing to fight malware.
>
> That doesn't mean it isn't a good idea apart from the malware arena.
>
> [...]

Sigh. You totally have a closed one track mind. I don't mean use the
machine and fix it later. I mean image the infected machine and save
that image. If you want to investigate the malware and try to clean it.
You can do that now or later once you have the image. The infected image
also allows you to retrieve something from that system if needed or
reload the infected image if your cleaning borks the system and you want
to try again. If you don't have a clean replacement image this is even
more important for various reasons.

But you don't use the infected machine. You reload your clean image and
use that. Sigh...totally closed mind.

>
>> Prevention versus silver bullets ... since silver bullets don't exist,
>> total prevention is impossible but always necessary to continue to do
>> the best you can with it. Luck prevails most of the time. A time will
>> likely come that one will run across malware that defeats even the best
>> prevention. Hopefully not, but the risk is always there. Best to be
>> prepared for it at any moment.
>
> Agreed.
>
>> As for already losing the battle, well that is just wrong. Ransonware
>> has to have something you used to have to make it worth anything. That
>> is easy to prevent.
>
> Sounds somewhat naive.
>

LOL.

>> I don't think I'll get anywhere with this debate and
>> I'm not really inclined to try.
>
> Agreed.
>

Agreed.

[FromTheRafters]

Bear wrote:
> On 2/9/2012 9:08 PM, FromTheRafters wrote:
>> Bear wrote:
>>> On 2/9/2012 6:54 PM, FromTheRafters wrote:
>>>> Bear wrote:
>>>
>>>>
>>>> What happens *while* you're 'infected' and how long are you going to
>>>> run
>>>> in that infected state before you decide to reload the known clean
>>>> image?!
>>>
>>> I could run as long as I could run, but why! Why should I want to! The
>>> only reason I would use an infected machine is to experiment with
>>> cleaning it or identifying it for a purpose. I really don't understand
>>> your question...it seems somewhat naive.
>>
>> Some malware's purpose is to use your computing power to replicate
>> itself and attack more machines. Your nonchalant 'fix-it-later' attitude
>> does nothing to fight malware.
>>
>> That doesn't mean it isn't a good idea apart from the malware arena.
>>
>> [...]
>
> Sigh. You totally have a closed one track mind. I don't mean use the
> machine and fix it later. I mean image the infected machine and save
> that image. If you want to investigate the malware and try to clean it.

I understand that, you're not understanding my point.

> You can do that now or later once you have the image. The infected image
> also allows you to retrieve something from that system if needed or
> reload the infected image if your cleaning borks the system and you want
> to try again. If you don't have a clean replacement image this is even
> more important for various reasons.

All beside the point.

> But you don't use the infected machine. You reload your clean image and
> use that. Sigh...totally closed mind.

Yeah, I noticed that about you.

Once you've convinced users that they have addressed the malware issue
by having a good backup plan, they may forgo adding software that
actually *does* address malware. My point is that they won't know that
they are infected, and damage can be done while the infected user
session is in progress - which may be for an extended period.

Your worthy backup plan should be presented as a disaster recovery plan
and *not* as an anti-malware plan because it doesn't really address the
malware problem at all.

Despite appearances, malware isn't really about writing to disk and
trying to remain persistent, it is about using your computing power to
do whatever the programmer wanted it to.

[David H. Lipman]

From: "FromTheRafters" <err...@nomail.afraid.org>

< snip >

> Your worthy backup plan should be presented as a disaster recovery plan and *not* as an
> anti-malware plan because it doesn't really address the malware problem at all.
>
> Despite appearances, malware isn't really about writing to disk and trying to remain
> persistent, it is about using your computing power to do whatever the programmer wanted
> it to.

Y E S !

[Neil Gould]

Cheese!!! ;-D

Such emulations only work on low-level stuff, but there are plenty of native
*nix apps (OO, Gimp, etc.) for those. The pro-level apps and drivers don't
fare as well, and I have no time to play around trying to make things work
with no tech support.

--
Neil

[Dustin]

FromTheRafters <err...@nomail.afraid.org> wrote in
news:jh38bs$2l9$1...@dont-email.me:

> Your worthy backup plan should be presented as a disaster recovery
> plan and *not* as an anti-malware plan because it doesn't really
> address the malware problem at all.

Agreed. His plan is better suited for hardware failure and/or physical
theft. It does *nothing* for malware. Except to provide a very false sense
of security, as the image is vulnerable to whatever got the box in the
first place.

Speaking of images, unless you do an exact sector for sector duplicate,
it's not forensic and not really a complete backup. By Default,
Acronis/ghost don't do this, but they can.

> Despite appearances, malware isn't really about writing to disk and
> trying to remain persistent, it is about using your computing power
> to do whatever the programmer wanted it to.

Absolutely!


--
Character is doing the right thing when nobody's looking. There are too
many people who think that the only thing that's right is to get by, and
the only thing that's wrong is to get caught. - J.C. Watts

[FromTheRafters]

Dustin wrote:
> FromTheRafters<err...@nomail.afraid.org> wrote in
> news:jh38bs$2l9$1...@dont-email.me:
>
>> Your worthy backup plan should be presented as a disaster recovery
>> plan and *not* as an anti-malware plan because it doesn't really
>> address the malware problem at all.
>
> Agreed. His plan is better suited for hardware failure and/or physical
> theft. It does *nothing* for malware. Except to provide a very false sense
> of security, as the image is vulnerable to whatever got the box in the
> first place.
>
> Speaking of images, unless you do an exact sector for sector duplicate,
> it's not forensic and not really a complete backup. By Default,
> Acronis/ghost don't do this, but they can.

Earlier, I was wondering if his recommended EaseUS fell into that
category. Anyway, its forensic value also depends on using an approved
program being operated by an approved person doesn't it? I would think
an image made by the tech or by the user would be pretty useless whereas
the actual infected drive would have real value.

That is, they're *not* the same.

[...]

[Dustin]

FromTheRafters <err...@nomail.afraid.org> wrote in
news:jh3hct$qbq$1...@dont-email.me:

Ive done forensic recovery under contract. The actual drive for evidence
is sector by sector imaged and you work from that, not the original.

> That is, they're *not* the same.

Typical user images aren't forensic in nature, no. :)

[David H. Lipman]

From: "Dustin" <bughunte...@gmail.com>

> FromTheRafters <err...@nomail.afraid.org> wrote in
> news:jh3hct$qbq$1...@dont-email.me:
>
>> Dustin wrote:
>>> FromTheRafters<err...@nomail.afraid.org> wrote in
>>> news:jh38bs$2l9$1...@dont-email.me:
>>>
>>>> Your worthy backup plan should be presented as a disaster recovery
>>>> plan and *not* as an anti-malware plan because it doesn't really
>>>> address the malware problem at all.
>>>
>>> Agreed. His plan is better suited for hardware failure and/or
>>> physical theft. It does *nothing* for malware. Except to provide a
>>> very false sense of security, as the image is vulnerable to whatever
>>> got the box in the first place.
>>>
>>> Speaking of images, unless you do an exact sector for sector
>>> duplicate, it's not forensic and not really a complete backup. By
>>> Default, Acronis/ghost don't do this, but they can.
>>
>> Earlier, I was wondering if his recommended EaseUS fell into that
>> category. Anyway, its forensic value also depends on using an
>> approved program being operated by an approved person doesn't it? I
>> would think an image made by the tech or by the user would be pretty
>> useless whereas the actual infected drive would have real value.
>
> Ive done forensic recovery under contract. The actual drive for evidence
> is sector by sector imaged and you work from that, not the original.
>
>> That is, they're *not* the same.
>
> Typical user images aren't forensic in nature, no. :)
>

Very true.

[Bear]

On 2/10/2012 8:07 AM, FromTheRafters wrote:
> All beside the point.

No it isn't. It is part of the point. You yourself agreed with my silver
bullet explanation which sets the stage for my premise which you seem to
disagree with foolishly. What is your alternative plan? I'm all
ears...please be specific.

>
>> But you don't use the infected machine. You reload your clean image and
>> use that. Sigh...totally closed mind.
>
> Yeah, I noticed that about you.

Why then do you keep repeating it?

>
> Once you've convinced users that they have addressed the malware issue
> by having a good backup plan, they may forgo adding software that
> actually *does* address malware. My point is that they won't know that
> they are infected, and damage can be done while the infected user
> session is in progress - which may be for an extended period.

That happens to folks whether they have a backup plan or not. If people
want to forgo prevention tools, and some do fine as such, that's on
them. I don't recommend it.

>
> Your worthy backup plan should be presented as a disaster recovery plan
> and *not* as an anti-malware plan because it doesn't really address the
> malware problem at all.

I'm not trying to address the malware problem...it's there. My goal is
to be self reliant and invulnerable to it...and share that information
with those who may be interested.

>
> Despite appearances, malware isn't really about writing to disk and
> trying to remain persistent, it is about using your computing power to
> do whatever the programmer wanted it to.

If you don't know it's there it will. Happens all the time. Malware does
just about every conceivable thing it can do. Once you become aware that
you are infected, your options should be your most concern. That is what
I am addressing.

[Bear]

On 2/10/2012 9:30 AM, Dustin wrote:
> FromTheRafters<err...@nomail.afraid.org> wrote in
> news:jh38bs$2l9$1...@dont-email.me:
>
>> Your worthy backup plan should be presented as a disaster recovery
>> plan and *not* as an anti-malware plan because it doesn't really
>> address the malware problem at all.
>
> Agreed. His plan is better suited for hardware failure and/or physical
> theft. It does *nothing* for malware. Except to provide a very false sense
> of security, as the image is vulnerable to whatever got the box in the
> first place.

Absolutely wrong.

>
> Speaking of images, unless you do an exact sector for sector duplicate,
> it's not forensic and not really a complete backup. By Default,
> Acronis/ghost don't do this, but they can.

My method is as forensic as you can get...with a fallback from that
which is pure.

>
>> Despite appearances, malware isn't really about writing to disk and
>> trying to remain persistent, it is about using your computing power
>> to do whatever the programmer wanted it to.
>
> Absolutely!
>

Malware does every conceivable thing that can be done with it. You're
speaking out your ass.

[Dustin]

Bear <bearbott...@gmail.com> wrote in
news:4f3594dd$0$282$1472...@news.sunsite.dk:

> My method is as forensic as you can get...with a fallback from that
> which is pure.

I already provided most of the requirements for a forensic image Bear. I
see no point in your comment here...?

> Malware does every conceivable thing that can be done with it. You're
> speaking out your ass.

Hehe. Bear, I always speak with the experience not only of that as a
researcher but also an established and well known former virus writer.
It's *you* who's speaking from his preverbial arse on this subject. Please
don't attempt to educate me on what malware can do, I wrote more than my
fair share.

[Bear]

On 2/10/2012 8:49 PM, Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in
> news:4f3594dd$0$282$1472...@news.sunsite.dk:
>
>> My method is as forensic as you can get...with a fallback from that
>> which is pure.
>
> I already provided most of the requirements for a forensic image Bear. I
> see no point in your comment here...?
>
>> Malware does every conceivable thing that can be done with it. You're
>> speaking out your ass.
>
> Hehe. Bear, I always speak with the experience not only of that as a
> researcher but also an established and well known former virus writer.
> It's *you* who's speaking from his preverbial arse on this subject. Please
> don't attempt to educate me on what malware can do, I wrote more than my
> fair share.
>
>
>

Well don't be so flippant and limited on what malware can do and you
won't look so foolish which directs the need to correct you.

[Dustin]

Bear <bearbott...@gmail.com> wrote in
news:4f35d8ba$0$285$1472...@news.sunsite.dk:

> On 2/10/2012 8:49 PM, Dustin wrote:
>> Bear<bearbott...@gmail.com> wrote in
>> news:4f3594dd$0$282$1472...@news.sunsite.dk:
>>
>>> My method is as forensic as you can get...with a fallback from that
>>> which is pure.
>>
>> I already provided most of the requirements for a forensic image
>> Bear. I see no point in your comment here...?
>>
>>> Malware does every conceivable thing that can be done with it.
>>> You're speaking out your ass.
>>
>> Hehe. Bear, I always speak with the experience not only of that as a
>> researcher but also an established and well known former virus
>> writer. It's *you* who's speaking from his preverbial arse on this
>> subject. Please don't attempt to educate me on what malware can do,
>> I wrote more than my fair share.
>>
>>
>>
> Well don't be so flippant and limited on what malware can do and you
> won't look so foolish which directs the need to correct you.

You must be used to dealing with stupid people. Luckily, you won't find
many here. Your efforts to spin what myself and others have wasted time
trying to explain to you is just humourous at this point.

For example, I'll amuse myself by asking you to cite even one MID where
I limited what malware can do with regard to your backup plan?

Bear, make no mistake; the fact you've been playing with computers since
1980 does not in any possible way make you an expert on them in any
fashion. Someone with that much experience who can't code is a hobbyist
at best--In any event, IT *isn't* your forte.

You've yet to correct me on anything, btw. Simply stating it with a
smartass remark *doesn't* make it so. I don't claim to be perfect Bear,
but I likely do know a considerable amount about IT security than
yourself--Despite our age difference and amazing only 6 year lead you
have on me in so far as first official experience. I don't count the
mathlab computers or the logos/robotics class in 2nd grade that I
successfully hacked :) (I started young lol). I count from 1986 when I
got my first one at home. It was my 8th bday present which is probably
still the coolest thing anybodies ever gotten me.

[Dustin]

Dustin <bughunte...@gmail.com> wrote in
news:Xns9FF5E4657F779HHI2948AJD832@no:

> 1986 when I got my first one at home. It was my 8th bday present
> which is probably still the coolest thing anybodies ever gotten me.

Slight addition out of respect to my late nana, who I miss dearly...

I asked for a soundcard for a 286 computer I'd acquired the previous
summer for xmas one year. Needless to say, she hooked me up with one of
the best soundcards around for the time. I'll never forget the fun I had
that morning!

Bear,

I am a bit of a hardass, I was raised to be blunt and not sugar coat
things. I do not mean disrespect out of the gate. I know I come across
as an arrogant fucker at times, but that really isn't the intention.

It's a common misunderstanding due to my less than stellar interpersonal
skillset; When I mentioned I know computers very well, it really is due
to the time I've spent in front of them. It's a tradeoff.

I'm not interested in putting people beneath me nor do I look down on
others. If I comment on something you've written its because I want to
pass along to you more accurate/detailed knowledge on the subject you
brought up--Assuming I have knowledge to give. It's a really connected
world out there and even with the best of intentions, you still place
people in harms way without as accurate information as you can have for
the time.

Your backup plan is a fine one for disaster recovery, theft, and
hardware failure. It's just not suitable as is! for malware recovery. It
shouldn't be the primary plan for a malware issue.

Here's why I believe it's unsuitable in a nutshell:

The image still contains whatever vulnerability which allowed a security
breach in the first place. It's lacking OS/3rdparty software security
updates and patches. It gives the user a false sense of security if they
think inserting a disc and pressing reload makes the problem go away.
It's just a matter of time before the same one or worse comes back.

The system can be reloaded from image if thats the desire, but then
right off, it should be behind a secure hardware based firewall; get
updates to AV/AM first and do a full scan! Get updates to ALL os/other
software on the system. It should be network isolated from any other
machines for file sharing until you confirm its secure again.

The user should be instructed in safe hex and follow it. NOT assume just
reload and go is okay. If you tell them it is, they'll forgo the
additional actions layed out above and place not only themselves but
other systems at risk due to lazyness.

Your backup plan doesn't cover what should be done during image reload
(network isolation!) nor right after.

[Bear]

All I've seen you do is stomp around with a smart ass mouth talking
about how smart you are and only coders can know anything. I haven't
seen you provide any significant content or anything that could be
considered real help to promote a better computing environment of any
substance at all. You have a one track ancient closed mind approach to
today's threats that are not any use to users at all. It's time you were
called on it.

You have an ego issue and seem to need to attempt to protect your self
perceived status and speak without saying anything. If you are as good
as you think you are, you should be providing clear cut well presented
methodology for users to become self reliant with their own computers.
You never even come close to approaching that.

So regardless of what you know, you fail miserably at being helpful.
I've also witnessed a mentality of yours that is stuck in the past and
really don't have a clue how to direct people on a successful path to
enable themselves. It's pitiful.

[Dustin]

Bear <bearbott...@gmail.com> wrote in
news:4f35e96f$0$290$1472...@news.sunsite.dk:

Aren't you tired of resorting to these false comments? They've already
been disproven, several times now. You've previously claimed to have
lurked here for years; assuming that's true, then you can't possibly
claim Ive never helped anyone here. Further, You'd already know who I am
by handle and so wouldn't have stepped in shit by trying to tell me I'm
speaking from my ass concerning malware. Hell, I wrote and supported an
antimalware scanner and got a job offer by another well known
antimalware company because of it and the knowledge I have concerning,
coding Bear.

Todays threats are essentially the same as yesterdays and the day
before. It's all about the code at the end of the day. Not the paint or
new body style. As I still disassemble the "modern" trojans you call
malware, I'm hardly behind the times.

Again tho, you won't be calling me out on anything in so far as malware
is concerned. You've never disassembled any, You've never written any.
At the end of the day, you don't know much about it.

> You have an ego issue and seem to need to attempt to protect your
> self perceived status and speak without saying anything. If you are
> as good as you think you are, you should be providing clear cut well
> presented methodology for users to become self reliant with their own
> computers. You never even come close to approaching that.

You have a knack for writing a completely offtopic rant in a miserable
attempt to deflect the pile of poo you seem determined to keep stepping
in here. This isn't alt.comp.freeware; when you post shit, you will be
called on it.

Cite an MID where I said I'm smarter because I code. :) Fact is, if you
can't code and somebody else can at the hardware level, they DO KNOW
MORE than you about how the box works. That's just a fact, Jack.

Has absolutely nothing to do with ego.

> So regardless of what you know, you fail miserably at being helpful.

When you are able to provide a disassembly, analysis and followup with
specific instructions for helping someone, then we can compare
helpfulness. As I have on numerous occasions done that right here in
usenet, you are again! talking shit in a pathetic attempt to paint
yourself in some superior light over me. It's just not going to happen.
I'm not some dumbass end user in need of your education.

> I've also witnessed a mentality of yours that is stuck in the past

More deflection. I'm no push over Bear.

[Bear]

On 2/10/2012 9:40 PM, Dustin wrote:
> Dustin<bughunte...@gmail.com> wrote in
> news:Xns9FF5E4657F779HHI2948AJD832@no:
>
>> 1986 when I got my first one at home. It was my 8th bday present
>> which is probably still the coolest thing anybodies ever gotten me.
>
> Slight addition out of respect to my late nana, who I miss dearly...
>
> I asked for a soundcard for a 286 computer I'd acquired the previous
> summer for xmas one year. Needless to say, she hooked me up with one of
> the best soundcards around for the time. I'll never forget the fun I had
> that morning!
>
> Bear,
>
> I am a bit of a hardass, I was raised to be blunt and not sugar coat
> things. I do not mean disrespect out of the gate. I know I come across
> as an arrogant fucker at times, but that really isn't the intention.

That is a sad thing for those around you and shows a lack of initiative
to educate yourself...rather to blame others.

>
> It's a common misunderstanding due to my less than stellar interpersonal
> skillset; When I mentioned I know computers very well, it really is due
> to the time I've spent in front of them. It's a tradeoff.

Son, I've spent likely much more time in front of computers than you
have in a much broader environment from personal to professional. I hire
people to do the blue collar work, but the real thinking and analyzing,
structuring and creating plans that work is the real game.

>
> I'm not interested in putting people beneath me nor do I look down on
> others. If I comment on something you've written its because I want to
> pass along to you more accurate/detailed knowledge on the subject you
> brought up--Assuming I have knowledge to give. It's a really connected
> world out there and even with the best of intentions, you still place
> people in harms way without as accurate information as you can have for
> the time.

You fail...just boast and demean. It's a lack of respect and
understanding which reduces intelligence.

>
> Your backup plan is a fine one for disaster recovery, theft, and
> hardware failure. It's just not suitable as is! for malware recovery. It
> shouldn't be the primary plan for a malware issue.

You are wrong. Simple as that. I suppose you think everyone needs a
coder. Maybe because your looking for work. With my plan, people don't
need you.

>
> Here's why I believe it's unsuitable in a nutshell:
>
> The image still contains whatever vulnerability which allowed a security
> breach in the first place. It's lacking OS/3rdparty software security
> updates and patches. It gives the user a false sense of security if they
> think inserting a disc and pressing reload makes the problem go away.
> It's just a matter of time before the same one or worse comes back.

Every computer is vulnerable. There is no silver bullet. It's not
lacking any of the above. There is no security...you can only do your
best and malware developers will always be one step ahead. If you want
to lock down your computer to the point it is virutally unusable...go
for it. Most people won't...that is the main point you miss. Your advice
helps no one...it is negative and aloof. It's always just a matter of
time or luck until the next infection. A good pristine recovery plan is
the only sure approach.

>
> The system can be reloaded from image if thats the desire, but then
> right off, it should be behind a secure hardware based firewall; get
> updates to AV/AM first and do a full scan! Get updates to ALL os/other
> software on the system. It should be network isolated from any other
> machines for file sharing until you confirm its secure again.

Basic shit...but 99% of the people don't use hardware based
firewalls...and aren't going to. Keeping systems and programs updated is
basic shit. Of course you want to remove any infected machines from any
network...basic shit.

>
> The user should be instructed in safe hex and follow it. NOT assume just
> reload and go is okay. If you tell them it is, they'll forgo the
> additional actions layed out above and place not only themselves but
> other systems at risk due to lazyness.

There you go again. I haven't met but a very few people who aren't aware
about safe hex...those are usually kids who should be taught. I can show
a 9 year old how to take care of himself in about an hour. Never need
pops again...you or anybody.

>
> Your backup plan doesn't cover what should be done during image reload
> (network isolation!) nor right after.

It doesn't have to. It is self contained by nature of the process. What
you threw network isolation in just for grins. The process automatically
takes it out of the network until it's ready again. You are reaching far
beyond your apparent means to attempt to find something without really
saying anything. If the process is lost on you, you can't help anyone in
today's world. I can show them in an hour how to become self reliant and
give them the confidence they need to maintain their systems squeaky
clean and they don't need a computer science degree. I haven't seen any
of that from you.

[G. Morgan]

Dustin wrote:

>> 1986 when I got my first one at home. It was my 8th bday present
>> which is probably still the coolest thing anybodies ever gotten me.
>
>Slight addition out of respect to my late nana, who I miss dearly...

Sounds like it, bummer. ;-(

>I asked for a soundcard for a 286 computer I'd acquired the previous
>summer for xmas one year. Needless to say, she hooked me up with one of
>the best soundcards around for the time. I'll never forget the fun I had
>that morning!

Those were not cheap back in the day! I remember a true Soundblaster
brand card was coveted by early adopters of MIDI music makers. They
were a luxury item, the rest of us listened to the PC speaker until the
clones came cheap.

[G. Morgan]

Bear wrote:

>Basic shit...but 99% of the people don't use hardware based
>firewalls...and aren't going to.

You're wrong. 99% of every user behind a router, is behind a hardware
firewall. That's probably about 90% of total users.

[Dustin]

Bear <bearbott...@gmail.com> wrote in
news:4f35ee24$0$281$1472...@news.sunsite.dk:

> On 2/10/2012 9:40 PM, Dustin wrote:
>> Dustin<bughunte...@gmail.com> wrote in
>> news:Xns9FF5E4657F779HHI2948AJD832@no:
>>
>>> 1986 when I got my first one at home. It was my 8th bday present
>>> which is probably still the coolest thing anybodies ever gotten me.
>>
>> Slight addition out of respect to my late nana, who I miss dearly...
>>
>> I asked for a soundcard for a 286 computer I'd acquired the previous
>> summer for xmas one year. Needless to say, she hooked me up with one
>> of the best soundcards around for the time. I'll never forget the
>> fun I had that morning!
>>
>> Bear,
>>
>> I am a bit of a hardass, I was raised to be blunt and not sugar coat
>> things. I do not mean disrespect out of the gate. I know I come
>> across as an arrogant fucker at times, but that really isn't the
>> intention.
>
> That is a sad thing for those around you and shows a lack of
> initiative to educate yourself...rather to blame others.

What?

>>
>> It's a common misunderstanding due to my less than stellar
>> interpersonal skillset; When I mentioned I know computers very well,
>> it really is due to the time I've spent in front of them. It's a
>> tradeoff.
>
> Son, I've spent likely much more time in front of computers than you
> have in a much broader environment from personal to professional. I
> hire people to do the blue collar work, but the real thinking and
> analyzing, structuring and creating plans that work is the real game.

You've wasted time. Don't call me son Bear, I'm not your kid. Coding is
the real game aside from hardware design. You provided the year 1980,
unless you were bsing. That gives you a 6 year jump as I'm not counting
anything Ive done prior to having my own. You have no idea the systems
Ive worked with since that time, but I do hold valid certs and have
professionally for over a decade.

Don't be condesending. There is no need for it and you already dont
compare if you want to know the truth. Coders understand the hardware.
Again, not ego, just simple facts.

> You fail...just boast and demean. It's a lack of respect and
> understanding which reduces intelligence.

While I find your attempt to talk down to me amusing, I also do find it
to be in poor taste. You make ignorant remarks. You're very defensive
when it comes to real techies/hackers examining your battle plans and
finding issues, huh? As that's all I've done here.

You keep trying to compare coding ability as that of an ego so you can
dismiss the fact that coders really know the systems better than you.
I've displayed NO ego towards you, simply cold hard facts from the point
of view of an expert, not some hobbyist as yourself.

>>
>> Your backup plan is a fine one for disaster recovery, theft, and
>> hardware failure. It's just not suitable as is! for malware
>> recovery. It shouldn't be the primary plan for a malware issue.
>
> You are wrong. Simple as that. I suppose you think everyone needs a
> coder. Maybe because your looking for work. With my plan, people
> don't need you.

I didn't mention coder a single time there, It had nothing to do with my
comment. I'm not looking for work, fyi. No, I don't think everyone needs
a coder, although without us, computers really wouldn't be all that
useful to the average joe. Which is I believe, your intended audience?

People like me wrote the software that lets you rewrite age old backup
plans and present them as something new and specifically created all by
yourself. That's right, imaging systems isn't a new technology either.
Many of us have been doing it before ever hearing of you or your
ignorant plan.

>>
>> Here's why I believe it's unsuitable in a nutshell:
>>
>> The image still contains whatever vulnerability which allowed a
>> security breach in the first place. It's lacking OS/3rdparty
>> software security updates and patches. It gives the user a false
>> sense of security if they think inserting a disc and pressing reload
>> makes the problem go away. It's just a matter of time before the
>> same one or worse comes back.
>
> Every computer is vulnerable. There is no silver bullet. It's not
> lacking any of the above. There is no security...you can only do your
> best and malware developers will always be one step ahead. If you
> want to lock down your computer to the point it is virutally
> unusable...go for it. Most people won't...that is the main point you
> miss. Your advice helps no one...it is negative and aloof. It's
> always just a matter of time or luck until the next infection. A good
> pristine recovery plan is the only sure approach.

Vulnerability risk can be mitigated. Security does infact exist. It's
not a matter of time or luck if proper security precautions are
followed. I said nothing about making the computer unusable but it does
provide further insight into your actual IT knowledge,rather, glaring
lack of....

Safer hex is sound advice and has helped many. It's been around longer
than BearWear reviews too. :)

Malware development is typically not some really difficult coding task.
The majority of the trash these days are simplistic trojans Bear. Easily
avoidable, no Luck involved. Just good policies and practices.

>>
>> The system can be reloaded from image if thats the desire, but then
>> right off, it should be behind a secure hardware based firewall; get
>> updates to AV/AM first and do a full scan! Get updates to ALL
>> os/other software on the system. It should be network isolated from
>> any other machines for file sharing until you confirm its secure
>> again.
>
> Basic shit...but 99% of the people don't use hardware based
> firewalls...and aren't going to. Keeping systems and programs updated
> is basic shit. Of course you want to remove any infected machines
> from any network...basic shit.

Still condesending? :) If the user has a home network, they likely are
hardware firewalled and I'm sure more than 1% are using such a
configuration. You don't want the freshly loaded machine back on the
network for full access until you've updated it, in the event it was an
app or os compromisation issue. Next time, before you try to talk down
to me again, re-read what I actually wrote and type slower. otherwise,
it's too easy.

>>
>> The user should be instructed in safe hex and follow it. NOT assume
>> just reload and go is okay. If you tell them it is, they'll forgo
>> the additional actions layed out above and place not only themselves
>> but other systems at risk due to lazyness.
>
> There you go again. I haven't met but a very few people who aren't
> aware about safe hex...those are usually kids who should be taught. I
> can show a 9 year old how to take care of himself in about an hour.
> Never need pops again...you or anybody.

If only that were true. This statement is likely as accurate as your
stupid remark that 99% of people dont use a hardware firewall.

Seems to me, it's you who has the ego combined with an inferiority
complex. You've mentioned I might be seeking work, and several times,
never needing me thanks to YOUR ehm, joke! of a plan. Makes me wonder...

>>
>> Your backup plan doesn't cover what should be done during image
>> reload (network isolation!) nor right after.
>
> It doesn't have to. It is self contained by nature of the process.
> What you threw network isolation in just for grins. The process
> automatically takes it out of the network until it's ready again. You

What? Bear, Seriously, You're a fucking idiot.

As soon as the image boots, if it sees a network, its going to use it,
depending on the compromisation method, it's vulnerable. I didn't throw
the network isolation in for grins. That's a known precautionary measure
in the professionals field.

> are reaching far beyond your apparent means to attempt to find
> something without really saying anything. If the process is lost on

As I said, you're a fucking idiot. I was very simplistic in my
explanation. If your comprehension is that weak, you shouldn't be here.
Your in WAYYY over your head.

> you, you can't help anyone in today's world. I can show them in an
> hour how to become self reliant and give them the confidence they
> need to maintain their systems squeaky clean and they don't need a
> computer science degree. I haven't seen any of that from you.

That's funny! So you lied about how long youve been here, and you do
feel inferior to me. :)

[Dustin]

G. Morgan <seal...@osama-is-dead.net> wrote in
news:n5vbj7tcn0plhjv1s...@Osama-is-dead.net:

He's a real loon dude. Doesn't know his ass from a hole in the ground
based on the nonsense and offtopic personal attacks. Maybe he should have
done a little of the blue collar work he thinks he was too good to do.
Would have come in handy for his recovery plan me thinks.

[Dustin]

Bear <bearbott...@gmail.com> wrote in
news:4f35ee24$0$281$1472...@news.sunsite.dk:

> Son, I've spent likely much more time in front of computers than you
> have in a much broader environment from personal to professional. I
> hire people to do the blue collar work, but the real thinking and
> analyzing, structuring and creating plans that work is the real game.

Yep. It's you who has an ego problem. I'm not your Son. You may address me
as Dustin. Second, instead of thumbing your nose at blue collar work, you
should have learned to do some of it. Would have helped you better
understand these machines and realize how worthless your plan is
concerning malware.

I've met many like you, too good for blue collar work. In reality, too
stupid and/or just fuckin lazy. You have the ego, not me.

Money doesnt always mean your the smart one.

[G. Morgan]

Dustin wrote:


>He's a real loon dude. Doesn't know his ass from a hole in the ground
>based on the nonsense and offtopic personal attacks. Maybe he should have
>done a little of the blue collar work he thinks he was too good to do.
>Would have come in handy for his recovery plan me thinks.

He's worse in his own environment, in the freeware group he helped
destroy. Can't tell him nothin'.

[Dustin]

G. Morgan <seal...@osama-is-dead.net> wrote in

news:q5sbj7lj0o4efhh5j...@Osama-is-dead.net:

It was the 16bit soundblaster pro. :) Awesome card!

[FromTheRafters]

Bear wrote:
> On 2/10/2012 9:40 PM, Dustin wrote:

[...]

>> Your backup plan doesn't cover what should be done during image reload
>> (network isolation!) nor right after.
>
> It doesn't have to. It is self contained by nature of the process. What
> you threw network isolation in just for grins. The process automatically
> takes it out of the network until it's ready again.

Could you expand on that?

Do you have any idea how soon in the process network communication comes
into play? How do you propose that users get updates that are lacking in
the image that they choose to restore?

[Bear]

Ok, but I don't think that is what Dustin was referring to. He can
expand on it. You do have to configure the router if capable.

Consider every computer is shipped with a software firewall and every
user uses them for a good reason.

[Bear]

On 2/11/2012 12:22 AM, Dustin wrote:
> G. Morgan<seal...@osama-is-dead.net> wrote in
> news:n5vbj7tcn0plhjv1s...@Osama-is-dead.net:
>
>> Bear wrote:
>>
>>> Basic shit...but 99% of the people don't use hardware based
>>> firewalls...and aren't going to.
>>
>> You're wrong. 99% of every user behind a router, is behind a hardware
>> firewall. That's probably about 90% of total users.
>>
>
> He's a real loon dude. Doesn't know his ass from a hole in the ground
> based on the nonsense and offtopic personal attacks. Maybe he should have
> done a little of the blue collar work he thinks he was too good to do.
> Would have come in handy for his recovery plan me thinks.
>
>

No Dustin. Every post with you ends up being about you or how stupid
someone is. Try keeping it less personal and more on topic. Offer
alternative views not insults and you'll get less flac.

As for my recovery plan, it's as good as it gets, and anyone can do it
quickly and easily and free themselves from the need for help, besides
enabling total self reliance. Yours is too complicated and will not be
generally used except by a few wanna be geeks who will mostly fail. Seen
it all before!

BTW, I worked as a technician for eight years before I moved on. You
don't have a clue as to my professional background and it pales yours
compared to your own description of yours.

[Bear]

The group is fine and much better than ever. Only Pooh the troll is left
and he is well managed. :)

BTW, I make my own decisions and have no need for anyone telling me
anything. I like the opinions of others that are worthwhile and
sometimes integrate those into my knowledge-base, but not negative
ego-boosting and degrading diatribe from the likes of Dustin...such only
comes from ignorance and he demeans himself.

[Bear]

On 2/11/2012 12:17 AM, Dustin wrote:
> That's funny! So you lied about how long youve been here, and you do
> feel inferior to me.:)

Only cowards lie. I would like to hear your ideas and suggestions...the
rest is sickening. I feel sorry for you.

[Bear]

On 2/11/2012 7:16 AM, FromTheRafters wrote:
> Bear wrote:
>> On 2/10/2012 9:40 PM, Dustin wrote:
>
> [...]
>
>>> Your backup plan doesn't cover what should be done during image reload
>>> (network isolation!) nor right after.
>>
>> It doesn't have to. It is self contained by nature of the process. What
>> you threw network isolation in just for grins. The process automatically
>> takes it out of the network until it's ready again.
>
> Could you expand on that?

It's simple basic computer 101. Restart and boot to your restoration
media (out of network) and reload your image (out of network). Reboot
and you have a clean system back in network.

What the user wants to do with the imaged infected system file from
there is up to the user.

>
> Do you have any idea how soon in the process network communication comes
> into play?

During the boot process, computer 101.

> How do you propose that users get updates that are lacking in
> the image that they choose to restore?
>

The same way any updates are accomplished.

Look, I'm not demanding anything. I'm offering an updated alternative to
old ideas and practices, one which very few people are aware of the
power of it and self-reliance it provides them. If you don't like it or
want to do your own thing - be my guest.

My comprehensive security plan listed on my website covers the entirety
of the issues, but very few people actually go to that much effort. My
recovery plan simplifies it to the minimum effort needed for a user to
become self reliant and not lose anything or need anybodies help ever
again unless it is hardware failure and they can't exchange a hard drive
for example. If they give out banking data, that's on them...there is
enough information and warning constantly hammered towards them to learn
safe hex.

[FromTheRafters]

Bear wrote:
> On 2/11/2012 7:16 AM, FromTheRafters wrote:
>> Bear wrote:
>>> On 2/10/2012 9:40 PM, Dustin wrote:
>>
>> [...]
>>
>>>> Your backup plan doesn't cover what should be done during image reload
>>>> (network isolation!) nor right after.
>>>
>>> It doesn't have to. It is self contained by nature of the process. What
>>> you threw network isolation in just for grins. The process automatically
>>> takes it out of the network until it's ready again.
>>
>> Could you expand on that?
>
> It's simple basic computer 101. Restart and boot to your restoration
> media (out of network) and reload your image (out of network). Reboot
> and you have a clean system back in network.

No you don't. You have an *almost* ready for the network computer *on*
the network. The more pristine your image, the further out-of-date it is
and the more need for updates to OS and user's choice software before it
is actually ready to join the network at large.

> What the user wants to do with the imaged infected system file from
> there is up to the user.

We won't get into that again as you've already shown your level of
expertise in that area.

>> Do you have any idea how soon in the process network communication comes
>> into play?
>
> During the boot process, computer 101.

Duh! *Where* during the boot process?

>> How do you propose that users get updates that are lacking in
>> the image that they choose to restore?
>>
> The same way any updates are accomplished.

Evasion noted.

> Look, I'm not demanding anything. I'm offering an updated alternative to
> old ideas and practices, one which very few people are aware of the
> power of it and self-reliance it provides them. If you don't like it or
> want to do your own thing - be my guest.

I haven't belittled your method(s) at all, I'm only informing you and
others that it is *not* a plan against malware. It is a plan (and a good
one) at mitigating the risk incurred by any disaster including the
aftermath of *some* types of malware attacks.

It is a total failure against other types of malware attack.

> My comprehensive security plan listed on my website covers the entirety
> of the issues, but very few people actually go to that much effort.

True, and that part of your plan is essentially a sandboxing technique.
You allow the malware to execute, and attempt to limit its scope by
having valuable data inaccessible to it and making all seemingly
persistent changes made by it 'optional'.

All-in-all I like your presented ideas for general security, but you
*do* leave users uninformed about the caveats of forgoing *prevention*.
Just because there is no 'silver bullet' doesn't mean that prevention
isn't better expounded as a first and foremost antimalware measure.

You show a defeatist attitude when you claim 'no silver bullet' and
continue on with ignoring how effective prevention can be even though it
has been known for a long time that perfect detection is provably
impossible to attain.

I cut my programming teeth in 1970, since we're comparing notes. :o)

[Bear]

On 2/11/2012 9:57 AM, FromTheRafters wrote:
> Bear wrote:
>> On 2/11/2012 7:16 AM, FromTheRafters wrote:
>>> Bear wrote:
>>>> On 2/10/2012 9:40 PM, Dustin wrote:
>>>
>>> [...]
>>>
>>>>> Your backup plan doesn't cover what should be done during image reload
>>>>> (network isolation!) nor right after.
>>>>
>>>> It doesn't have to. It is self contained by nature of the process. What
>>>> you threw network isolation in just for grins. The process
>>>> automatically
>>>> takes it out of the network until it's ready again.
>>>
>>> Could you expand on that?
>>
>> It's simple basic computer 101. Restart and boot to your restoration
>> media (out of network) and reload your image (out of network). Reboot
>> and you have a clean system back in network.
>
> No you don't. You have an *almost* ready for the network computer *on*
> the network. The more pristine your image, the further out-of-date it is
> and the more need for updates to OS and user's choice software before it
> is actually ready to join the network at large.

Then you don't understand the process I promote.

MANAGING A NEW COMPUTER (or restoring your existing one)
First Order of Business

Start with or restore the Manufacturer factory image
Install Manufacturer updates if available
Install MS Updates (could take a long time)
Run AppRemover (no install) and remove bundled security programs
Install Antivirus Program
Install portable PCDecrapifier and remove unwanted bundled programs then
remove it.
Install your imaging program and make an image and boot DVD
(In the future, reload and make a new factory + MS Updates image (you
will load and update this image as future MS Updates mount up, re-image
it, and then reload your pristine image if you have one. This way, you
will always have an updated factory image if you ever want to start
fresh again.))

Continue and Install Your Setup Programs and Clean Up

Install all of the programs that require setup (non-portable)
Transfer your Portable folder to My Documents (or wherever)
Use the likes of Ccleaner to clean crap files and make sure all of your
programs are updated

Make 1rst Pristine Image (this is the image you will use until MS
Updates mount up or you make permanent changes to your system)
When MS Updates mount up or you want to make permanent changes to your
system, re-load and update the original Pristine image and re-image
that. It will become your primary pristine image but save the original
pristine image as a second. (Do not re-image a pristine image that you
have been using for a while, always re-load it, make the changes and
then re-image which becomes the image you will use for a while.)
Always keep at least three images: Factory + MS Updates, Pristine Image,
and Secondary Pristine Image
Maintenance

As time goes on, reload your Factory Image and update it with new MS and
virus updates when enough mount up and make new updated Factory Image.

As time goes on and enough MS updates mount up or you wish to make a
permanent change to your system, reload your pristine image and make the
updates and save the original pristine image as a backup. You now have
three images.

Do this over and over as time goes on and always keep the Factory image
updated with MS updates, and the last two pristine images.

Always have a manufacturer factory image or recovery media as a last resort.

>
>> What the user wants to do with the imaged infected system file from
>> there is up to the user.
>
> We won't get into that again as you've already shown your level of
> expertise in that area.
>
>>> Do you have any idea how soon in the process network communication comes
>>> into play?
>>
>> During the boot process, computer 101.
>
> Duh! *Where* during the boot process?

Make your point!

>
>>> How do you propose that users get updates that are lacking in
>>> the image that they choose to restore?
>>>
>> The same way any updates are accomplished.
>
> Evasion noted.

Question answered. Why so hostile?

>
>> Look, I'm not demanding anything. I'm offering an updated alternative to
>> old ideas and practices, one which very few people are aware of the
>> power of it and self-reliance it provides them. If you don't like it or
>> want to do your own thing - be my guest.
>
> I haven't belittled your method(s) at all, I'm only informing you and
> others that it is *not* a plan against malware. It is a plan (and a good
> one) at mitigating the risk incurred by any disaster including the
> aftermath of *some* types of malware attacks.

If you are trying to say it isn't a plan to keep you from getting
infected, of course you would be correct and I agree as I have stated.
No one can develop a plan to keep from being infected (no silver
bullet). This is a plan to become self-reliant and recover if you become
infected without losing anything and returning to a pristine clean state
without anyone's help. You are pissing in the wind.

>
> It is a total failure against other types of malware attack.

No it isn't. If you are trying to say that when a person gets infected,
the malware may do whatever it's going to do, which is silly, I agree
because of course it is. You take that system out of action as soon as
you discover the infection. Then you restore a clean system. If you have
sensitive data (or any of the like) you don't want disclosed, I clearly
state in my comprehensive plan that it shouldn't be on any machine
connected to the Internet/network. What data is on the machine is always
backed up by the imaging process. For real-time changes between images,
my comprehensive plan covers that.

>
>> My comprehensive security plan listed on my website covers the entirety
>> of the issues, but very few people actually go to that much effort.
>
> True, and that part of your plan is essentially a sandboxing technique.
> You allow the malware to execute, and attempt to limit its scope by
> having valuable data inaccessible to it and making all seemingly
> persistent changes made by it 'optional'.
>
> All-in-all I like your presented ideas for general security, but you
> *do* leave users uninformed about the caveats of forgoing *prevention*.
> Just because there is no 'silver bullet' doesn't mean that prevention
> isn't better expounded as a first and foremost antimalware measure.

No I don't and I don't advise people to forgo prevention attempts. I
advise them that it isn't good enough. My security page covers all of
the bases. If you think something should be added to it...I'm all ears.

>
> You show a defeatist attitude when you claim 'no silver bullet' and
> continue on with ignoring how effective prevention can be even though it
> has been known for a long time that perfect detection is provably
> impossible to attain.

No...it is a fact that there is no silver bullet and people need to
understand this. They are not safe with prevention attempts at all. Most
people think they are safe until they get infected...then they change
antivirus and antispyware programs (some may even perform some system
hardening, but not many) and carry on thinking they are now safe again
until they get infected again and so on.

>
> I cut my programming teeth in 1970, since we're comparing notes. :o)

Gawd. I could care less. I care more about the content of what you have
to say...or not depending on the quality of that content. I've learned
many things from kids...fresh open minds without mindsets. I've learned
to keep open mine unlike the entrenched so called techs who hang on to
what they knew and refuse to change or keep up.

[Dustin]

Bear <bearbott...@gmail.com> wrote in
news:4f367f00$0$289$1472...@news.sunsite.dk:

> BTW, I worked as a technician for eight years before I moved on. You
> don't have a clue as to my professional background and it pales yours
> compared to your own description of yours.

I've been A+ certified for 12 years. That's +4 on you, just with the cert.
That's not including the techie work prior. It's so long ago I'm
grandfathered in, Mine *never* expires.

I know you had "blue collar" workers doing the hard stuff. It explains why
you are a glorified end user.

[Bear]

On 2/11/2012 10:56 AM, Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in
> news:4f367f00$0$289$1472...@news.sunsite.dk:
>
>> BTW, I worked as a technician for eight years before I moved on. You
>> don't have a clue as to my professional background and it pales yours
>> compared to your own description of yours.
>
> I've been A+ certified for 12 years. That's +4 on you, just with the cert.
> That's not including the techie work prior. It's so long ago I'm
> grandfathered in, Mine *never* expires.
>
> I know you had "blue collar" workers doing the hard stuff. It explains why
> you are a glorified end user.
>

LOL. OK, we've had our fun. This bickering isn't good for the group.
Let's revert to content that may help someone.

I'm sure you will come up with something that may peak my interest.

[Dustin]

Bear <bearbott...@gmail.com> wrote in
news:4f36a403$0$282$1472...@news.sunsite.dk:

> On 2/11/2012 10:56 AM, Dustin wrote:
>> Bear<bearbott...@gmail.com> wrote in
>> news:4f367f00$0$289$1472...@news.sunsite.dk:
>>
>>> BTW, I worked as a technician for eight years before I moved on.
>>> You don't have a clue as to my professional background and it pales
>>> yours compared to your own description of yours.
>>
>> I've been A+ certified for 12 years. That's +4 on you, just with the
>> cert. That's not including the techie work prior. It's so long ago
>> I'm grandfathered in, Mine *never* expires.
>>
>> I know you had "blue collar" workers doing the hard stuff. It
>> explains why you are a glorified end user.
>>
>
> LOL. OK, we've had our fun. This bickering isn't good for the group.
> Let's revert to content that may help someone.

I personally didn't find this derailment all that fun. fyi, when I've
mentioned coder(s), I wasn't just claiming I could do this or that, I've
met many very talented coders. They are everywhere. I wanted to clear
that up. Also, I try to make damn sure not to claim something stupid
like being smarter than so and so. I know computers, you know airplanes.
We're both quite capable in our chosen paths. I'm not going to propose
to try and tell you how to fly one.

I've got no huge ego Bear, I'm not like that.

[Bear]

On 2/11/2012 1:08 PM, Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in
> news:4f36a403$0$282$1472...@news.sunsite.dk:
>
>> On 2/11/2012 10:56 AM, Dustin wrote:
>>> Bear<bearbott...@gmail.com> wrote in
>>> news:4f367f00$0$289$1472...@news.sunsite.dk:
>>>
>>>> BTW, I worked as a technician for eight years before I moved on.
>>>> You don't have a clue as to my professional background and it pales
>>>> yours compared to your own description of yours.
>>>
>>> I've been A+ certified for 12 years. That's +4 on you, just with the
>>> cert. That's not including the techie work prior. It's so long ago
>>> I'm grandfathered in, Mine *never* expires.
>>>
>>> I know you had "blue collar" workers doing the hard stuff. It
>>> explains why you are a glorified end user.
>>>
>>
>> LOL. OK, we've had our fun. This bickering isn't good for the group.
>> Let's revert to content that may help someone.
>
> I personally didn't find this derailment all that fun. fyi, when I've
> mentioned coder(s), I wasn't just claiming I could do this or that, I've
> met many very talented coders. They are everywhere. I wanted to clear
> that up. Also, I try to make damn sure not to claim something stupid
> like being smarter than so and so. I know computers, you know airplanes.
> We're both quite capable in our chosen paths. I'm not going to propose
> to try and tell you how to fly one.
>
> I've got no huge ego Bear, I'm not like that.
>
>

My professional skills far exceed flying airplanes. I'm sick of hearing
about coders.

We've both proven we can be assholes. Let's see what else you've got for
a change.

[Dustin]

Bear <bearbott...@gmail.com> wrote in
news:4f36c1e8$0$288$1472...@news.sunsite.dk:

> My professional skills far exceed flying airplanes. I'm sick of
> hearing about coders.

I'm sick of reading your bullshit too. Ego I have eh? Take a good look
in the mirror.

> We've both proven we can be assholes. Let's see what else you've got
> for a change.

No. You've proven you don't know these machines as you claimed. You
chose to be a smartass with the date of 1980 (like it really means
something). A technician you said for 8 years, braggart, AND you come
up short.. way short.

Previous to that you were telling us how your career makes mine pale by
comparison... Since I've been a techie for nearly 17 years now, holding
valid IT certs for atleast 12 of those, and you've been doing it for 8
tells me you fucked up and underestimated me, OR your math skills are
absolutely terrible. The 17 years is based from age 18, otherwise I'd
have another ten years on you. If I include the computers from 2nd
grade, even more.

By techie I mean one who actually can replace blown caps, etc etc etc.
A real tech, not some wannabe like you evidently were in your 8 year
ehh, career.

My first experience with one wasn't a PC (they didn't exist yet). So
take your holier than thou too good for blue collar work and stick it
right up your inflated arse!

[Bear]

On 2/11/2012 2:20 PM, Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in
> news:4f36c1e8$0$288$1472...@news.sunsite.dk:
>
>> My professional skills far exceed flying airplanes. I'm sick of
>> hearing about coders.
>
> I'm sick of reading your bullshit too. Ego I have eh? Take a good look
> in the mirror.
>

You approached it first...I countered.

>> We've both proven we can be assholes. Let's see what else you've got
>> for a change.
>
> No. You've proven you don't know these machines as you claimed. You
> chose to be a smartass with the date of 1980 (like it really means
> something). A technician you said for 8 years, braggart, AND you come
> up short.. way short.

We can carry on then. I do not lie and have not provided all of my
credentials. I'm not going to give any specific details. You brought
this discussion to this point not I. You are the one brandishing your
coder status as if it means something more than it does and wearing it
like a badge that makes only you capable of knowledge in these matters.
Clue-it's limited. You are the one guiding the discussion off topic with
your ego brandishing. In the early days I was a technician for 8 years
along with developing an aviation career. I also have 17 years military
along with an airline career which I retired from and the last 13 years
have held a professional technologists position in a world wide major
corporation which I am continuing. I bought my first personal computer
in 1980. I was training with and managing computer simulator systems in
1972 for a college and then the military...so it goes a bit further back
than even you think. My specialty has always been the technological
development aspects of each role along side the aviation roles. I hold
many many certificates. You won't get anywhere with me trying to
insinuate you out certificate me. Do you now feel a little less tall? LOL.

>
> Previous to that you were telling us how your career makes mine pale by
> comparison... Since I've been a techie for nearly 17 years now, holding
> valid IT certs for atleast 12 of those, and you've been doing it for 8
> tells me you fucked up and underestimated me, OR your math skills are
> absolutely terrible. The 17 years is based from age 18, otherwise I'd
> have another ten years on you. If I include the computers from 2nd
> grade, even more.

Answered!

>
> By techie I mean one who actually can replace blown caps, etc etc etc.
> A real tech, not some wannabe like you evidently were in your 8 year
> ehh, career.
>

Answered. Well beyond replacing blown caps.

> My first experience with one wasn't a PC (they didn't exist yet). So
> take your holier than thou too good for blue collar work and stick it
> right up your inflated arse!
>

So were mine...well before your time...and I kept advancing unlike your
sorry blue collar arse.

[Dustin]

Bear <bearbott...@gmail.com> wrote in
news:4f36e069$0$293$1472...@news.sunsite.dk:

> We can carry on then. I do not lie and have not provided all of my
> credentials. I'm not going to give any specific details. You brought

You don't have to give specific details. One can determine with a fair
degree of accuracy your IT knowledge based on the posts in your usenet
history.

> this discussion to this point not I. You are the one brandishing your
> coder status as if it means something more than it does and wearing
> it like a badge that makes only you capable of knowledge in these

I've already addressed this spin.

> hold many many certificates. You won't get anywhere with me trying to
> insinuate you out certificate me. Do you now feel a little less tall?
> LOL.

Why would I feel less tall? I understand these machines, and whats more,
I've *proven* it, many times over. You likely never will.

> Answered!

Smoke blowing is no answer.

> So were mine...well before your time...and I kept advancing unlike
> your sorry blue collar arse.

You kept advancing did you? Don't be so coy, mr arrogant sob. I'd rather
be blue collar anyday then ever be a bitch punk like you.

[Bear]

On 2/11/2012 4:49 PM, Dustin wrote:
> You kept advancing did you? Don't be so coy, mr arrogant sob. I'd rather
> be blue collar anyday then ever be a bitch punk like you.

I rest my case against you!

[Dustin]

Bear <bearbott...@gmail.com> wrote in
news:4f36f614$0$285$1472...@news.sunsite.dk:

> On 2/11/2012 4:49 PM, Dustin wrote:
>> You kept advancing did you? Don't be so coy, mr arrogant sob. I'd
>> rather be blue collar anyday then ever be a bitch punk like you.
>
> I rest my case against you!
>

*yawn*

[Bear]

On 2/11/2012 9:55 PM, Dustin wrote:
> Bear<bearbott...@gmail.com> wrote in
> news:4f36f614$0$285$1472...@news.sunsite.dk:
>
>> On 2/11/2012 4:49 PM, Dustin wrote:
>>> You kept advancing did you? Don't be so coy, mr arrogant sob. I'd
>>> rather be blue collar anyday then ever be a bitch punk like you.
>>
>> I rest my case against you!
>>
>
> *yawn*
>

*ROLLS EYES*