funsec mailing list archives

Re: funsec idea


From: Mike Preston <mike () technomonk com>
Date: Thu, 01 Jan 2009 22:36:50 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I suppose one way would be to essentially take a leaf out of the p2p and
malware playbooks...

Introducing "Fast-flux p2p downloads with signed and checksummed
packages" :P

Seriously though, a distributed directory with metadata with signatures
of the original provider available during searches could potentially
work somewhat.
Although, if the attacker has full control of the end point there is
little they really can't do, and blocking any downloads they want is up
to them... however, we can force them into the whole blacklisting arms
race against packages rather than into blacklisting domains, which is
somewhat easier and is what they quite often currently do.

I don't have all the answers myself and my gut feeling is to just secure
machines better (even if this ends up being a box with many sandboxes
with well defined secure communications paths between apps, kinda like
what vmware is aiming at atm) in the first place to stop 'evil-hacksaws'
getting on the systems in the first place.

Mike

RandallM wrote:
I agree Mike, hence my original post for some brain storming from some
of the smartest people on the planet who read FunSec!



    ----------------------------------------------------------------------

    Message: 1
    Date: Thu, 01 Jan 2009 17:22:52 +0000
    From: Mike Preston <mike () technomonk com>
    Subject: Re: [funsec] idea
    To: RandallM <randallm () fidmail com>, funsec () linuxbox org
    Message-ID: <495CFBEC.4000905 () technomonk com>
    Content-Type: text/plain; charset="iso-8859-1"

Its not that bad an idea...

However, you still need to find a way to find the sites in the first
place, find out they are who they say they are and then authenticate the
downloads.

Not impossible, but not trivial either.

Mike Preston

RandallM wrote:
Matt
I am not referring to ddos but to the common folk being hit with the
fake malware and anti virus programs at tremendous rates lately.
Have a way to "get to" help sites and programs.

On Thu, Jan 1, 2009 at 9:17 AM, Matt Jonkman <jonkman () jonkmans com> wrote:

    You pay big bucks to use akami. And they don't give the service away.

    I don't think it's that big a threat these days. Good colo with some
    basic anti-ddos isn't too tough to get if you're a frequent target. I
    haven't been hit for a half a year at least, and don't expect any
    anytime soon.

    Matt

    RandallM wrote:
    > Ok, great stuff so far. Is akami the answer. How can that be done. How
    > can we use that and how can it be tested.
    >
    >
    >
    > On Thu, Jan 1, 2009 at 12:11 AM, Matt Jonkman <jonkman () jonkmans com> wrote:
    >
    >     I had a similar idea a few years ago (I may have been drinking at the
    >     time too).
    >
    >     Mine was more oriented to when we were taking a ddos every week as
    >     security projects. I proposed all of us poor open source security
    >     projects band together and do an akami type hosting. Everyone hosted
    >     everyone that was part of the setup, and we used dns to spread the load.
    >
    >     But alas, ddos isn't the problem it used to be. Probably good we didn't
    >     go through the effort to make it happen.
    >
    >     Matt
    >
    >     Paul Ferguson wrote:
    >     > It's called Akamai. :-)
    >     >
    >     > - ferg
    >     >
    >     > On Wed, Dec 31, 2008 at 7:58 PM, RandallM <randallm () fidmail com> wrote:
    >     >
    >     >> ok, I am drinking, after all it is the NYE celebration. But, I had this
    >     >> idea pop in. Remember, it is a "first thought idea". That means I am in
    >     >> need of input to brainstorm with me on it. Here is the initial thought:
    >     >
    >     >> When fixing infected computers I find that:
    >     >> 1. most people don't have programs installed for preventive much less
    >     >> combative
    >     >> 2. depending on the infection one cannot download programs or go to
    >     >> "helpful" sites to use.
    >     >
    >     >> malware sites often rotate IP or DNS in order to "hide".
    >     >
    >     >> Thought:
    >     >> Why can't we using the same type of process provide access to programs
    >     >> and or sites in the same manner so that the malware infections cannot
    >     >> "block" because the sites are not permanent?
    >     >
    >     >> Symantec is and always will be "www.symantec.com", as with other sites.
    >     >> they are blocked by malware infections (in various ways that I would love
    >     >> to understand more). If there were "server" around the globe open with
    >     >> online scanners and tools that rotated with DNS and or IP addressing the
    >     >> malware could not block it.
    >     >
    >     >> Can this be done with a revolving network of servers from volunteers?
    >     >
    >     >> Make sense or have I already drank too much?
    >     >
    >     >> --
    >     >> been great, thanks
    >     >> Big R
    >     >
    >     >> _______________________________________________
    >     >> Fun and Misc security discussion for OT posts.
    >     >> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
    >     >> Note: funsec is a public and open mailing list.
    >     >
    >     >
    >     >
    >     >
    >
    >     --
    >     --------------------------------------------
    >     Matthew Jonkman
    >     Emerging Threats
    >     Phone 765-429-0398
    >     Fax 312-264-0205
    >     http://www.emergingthreats.net
    >     --------------------------------------------
    >
    >     PGP: http://www.jonkmans.com/mattjonkman.asc
    >
    >
    >
    >
    >
    > --
    > been great, thanks
    > Big R

    --
    --------------------------------------------
    Matthew Jonkman
    Emerging Threats
    Phone 765-429-0398
    Fax 312-264-0205
    http://www.emergingthreats.net
    --------------------------------------------

    PGP: http://www.jonkmans.com/mattjonkman.asc





--
been great, thanks
Big R



------------------------------------------------------------------------





-- 
been great, thanks
Big R



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkldRYIACgkQvhwPecbXDdxCzQCcCVRT1wP1mUrltgAAs0cAt3ky
8YMAnR1NnOKWWhIR8RN9L65oZXGmZDP8
=VlBL
-----END PGP SIGNATURE-----


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
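The "signed and checksummed packages" and "distributed directory with metadata with signatures of the original provider" that Mike sketches in the message above, worked through as an added example; this is not code from the thread or from any project named in it. The original provider signs a small directory entry (package name, version, SHA-256 of the release bytes) with an Ed25519 key; the client, which has the provider's public key pinned ahead of time, checks that signature and then the digest of whatever bytes it actually received. With that in place the DNS name, the directory node and the mirror that served the file can all rotate or be volunteer-run in the way RandallM proposes, because none of them is trusted: a malware infection that tampers with the mirror or the directory gets a rejected download rather than a silently swapped one, and is left with blocking the package itself, which is the arms race Mike describes. The entry format, the JSON canonicalisation and the names SignEntry, VerifyDownload and digestHex are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// PackageMeta is the directory entry the original provider publishes (a
// hypothetical format for this example): enough to identify the package plus
// the SHA-256 of the exact bytes a client must end up with.
type PackageMeta struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedEntry is what any directory node or peer hands back in a search result.
// Nodes can relay or cache it, but cannot forge it without the provider's key.
type SignedEntry struct {
	Meta      PackageMeta `json:"meta"`
	Signature []byte      `json:"sig"`
}

var (
	ErrBadSignature = errors.New("entry is not signed by the pinned provider key")
	ErrBadDigest    = errors.New("downloaded bytes do not match the signed digest")
)

// digestHex returns the lowercase hex SHA-256 of b.
func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// canonical fixes the byte string that gets signed: encoding/json emits struct
// fields in declaration order, so equal metadata always yields equal bytes.
func canonical(m PackageMeta) []byte {
	b, err := json.Marshal(m)
	if err != nil {
		panic(err) // cannot happen for a struct of plain strings
	}
	return b
}

// SignEntry runs on the provider's side, with its private key: hash the release
// bytes, build the directory entry, sign it.
func SignEntry(priv ed25519.PrivateKey, name, version string, pkg []byte) SignedEntry {
	m := PackageMeta{Name: name, Version: version, SHA256: digestHex(pkg)}
	return SignedEntry{Meta: m, Signature: ed25519.Sign(priv, canonical(m))}
}

// VerifyDownload runs on the user's side. The only trust input is pub, the
// provider's public key pinned in the client before any download; the directory
// node, the DNS name and the mirror that served pkg are all untrusted.
func VerifyDownload(pub ed25519.PublicKey, e SignedEntry, pkg []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, canonical(e.Meta), e.Signature) {
		return ErrBadSignature
	}
	if digestHex(pkg) != e.Meta.SHA256 {
		return ErrBadDigest
	}
	return nil
}

func main() {
	// Provider side: key pair generated once; the public half ships in the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	release := []byte("constructed sample: scanner-1.0 binary contents")
	entry := SignEntry(priv, "scanner", "1.0", release)

	// Client side: the same entry, three different mirrors.
	fmt.Println("genuine mirror: ", VerifyDownload(pub, entry, release))
	fmt.Println("tampered mirror:", VerifyDownload(pub, entry, []byte("trojaned scanner")))
	// A compromised directory node re-points the digest at the trojaned bytes
	// but cannot re-sign the entry, so the client still rejects it.
	forged := entry
	forged.Meta.SHA256 = digestHex([]byte("trojaned scanner"))
	fmt.Println("forged entry:   ", VerifyDownload(pub, forged, []byte("trojaned scanner")))
}
```

Two limits worth keeping in view, both raised in the thread itself: signing does nothing for the "find the sites in the first place" problem Mike mentions, it only makes the mirrors and directory interchangeable once found; and the public key has to be pinned before the box is infected, since an attacker with full control of the end point can replace it along with everything else.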
