AV versus no AV?
-
@Haxton-Fale said in AV versus no AV?:
do you think ransomware comes with a pre-generated pubkey and C&C is able to match a particular infected PC to the appropriate privkey upon call?
Typically comes with a few tens of pubkeys and picks a random handful to use.
Part of the ransom protocol involves the victim sending a few files to the perp so that the perp can demonstrate their ability to decrypt them before any money changes hands; this is what allows the perp to work out which pubkey(s) the encryptor picked, and therefore which privkey(s) to supply in the decryptor sold to the victim.
There's any amount of these shitful little schemes floating about in the wild. I'm not surprised to hear that some of them are carelessly coded. Most aren't; organized crime has access to coders at least as competent as those who work for AV vendors.
Edit: here's what appears to be part of the source code for one of them.
-
@flabdablet said in AV versus no AV?:
Most aren't; organized crime has access to coders at least as competent as those who work for AV vendors.
That's a statement that doesn't really help. Many AV vendors seem to be scraping the barrel when it comes to code quality…
-
@dkf Yeah, but to be fair that's just Sturgeon's Law applied to AV vendors in particular.
90% of everything is shit. Applies to code every bit as much as to anything else.
-
@flabdablet said in AV versus no AV?:
90% of everything is shit
90% of everything is worse than the top 10%!
Half of everything is below the average!
-
@flabdablet said in AV versus no AV?:
that's just Sturgeon's Law applied to AV vendors in particular
I suspect that they're trying to allow the 90% value to be lowered for the rest of software by making sure that a higher proportion of AV software is only worthy of being printed on soft and very absorbent paper with regular perforations…
(The ad-blocking you mentioned earlier was a top tip.)
-
@dkf said in AV versus no AV?:
The ad-blocking you mentioned earlier was a top tip
-
@Polygeekery said in AV versus no AV?:
I hate firewalls on Windows.
I don't get firewalls as a separate thing from the OS kernel. You don't install a "filewall" to enforce filesystem permissions, it just happens whenever a program does the relevant system calls.
I guess the point is to do other stuff like looking inside the packets to allow some things and disallow others? But that ends up being a Bad Idea 90% of the time.
And I actually hate firewalls that operate on a network level (the ones that do anything other than allowing/disallowing communication between certain pairs of networks). Like they try to stop malware or control what users do by blocking certain stuff, but that simply doesn't work. It's a mere annoyance that ends up affecting legitimate software much more than malware authors, because malware doesn't care about doing things the "proper" way. All they achieve is getting everything, legitimate or not, routed through port 80 with hole punching, and we're back to square one.
-
@RaceProUK I don't think I've ever used antivirus software, not since the Atari ST days.
Why would I need it?
-
@gordonjcp Multiple layers of defence
-
@RaceProUK said in AV versus no AV?:
@gordonjcp Multiple layers of defence
-
@ben_lubar No thanks; I don't box vegetables
-
@Jaloopa said in AV versus no AV?:
@ben_lubar said in AV versus no AV?:
Ok, let's say the Java applet's executable had, instead of opening a connection, gone through your documents folder and encrypted all your files and then displayed a ransomware message on your screen. How does blocking an outgoing connection help you?
If it can't dial out, the encryption key is still on your machine. If it has dialled out it could have sent it and deleted it
From what I found in the ransomware samples I collected, the default action when they can't send out the password is to just "die", and you'll lose the key for decryption forever. (They encrypt all the files before sending the key out, not sending the key before encrypting files.)
There is another variant that, instead of creating the keys locally, attempts to connect to their server to download a public key plus a token that they can use to identify which private key they should send you when they receive money. Blocking outgoing connections by default can help combat this kind of ransomware.
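The post above argues for default-deny on outbound connections. As an added illustration (not code from the thread or from any product mentioned in it), here is a small default-deny egress policy evaluated over a few constructed connection-attempt records. The allowlist entries, destination addresses and the "runs from a user-writable directory" flag are assumptions chosen for the example; the `wntf4k3krnl.exe` name and port 49153 are taken from the mock dialog quoted later in the thread.

```python
"""Default-deny outbound policy evaluated over constructed connection records.

Added example, not from the thread. Everything below (allowlist entries,
process paths, destination addresses) is made up for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Attempt:
    process: str   # image path of the process opening the connection
    dst: str       # destination IP address
    port: int      # destination TCP port


# Allowlist of (process image path, destination network, port).
# Anything not listed here is denied: that is the whole point of default-deny.
ALLOW = [
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "0.0.0.0/0", 443),
    ("C:\\Windows\\System32\\svchost.exe", "10.0.0.0/8", 53),
]

# Directories an unprivileged user can write to; a process launched from one
# of these is worth calling out in the deny reason (assumption for the example).
USER_WRITABLE_PREFIXES = ("C:\\Users\\", "C:\\Temp\\")


def evaluate(a: Attempt) -> tuple[str, str]:
    """Return (decision, reason); the decision is 'deny' unless an entry matches."""
    dst = ipaddress.ip_address(a.dst)
    for proc, net, port in ALLOW:
        if (a.process.lower() == proc.lower()
                and a.port == port
                and dst in ipaddress.ip_network(net)):
            return "allow", f"matches allowlist entry for {proc}"
    reason = "no allowlist entry"
    if a.process.startswith(USER_WRITABLE_PREFIXES):
        reason += "; process image is in a user-writable directory"
    return "deny", reason


# Constructed sample of outbound attempts (the 203.0.113.0/24 range is TEST-NET-3).
SAMPLE = [
    Attempt("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "93.184.216.34", 443),
    Attempt("C:\\Windows\\System32\\svchost.exe", "10.1.2.3", 53),
    Attempt("C:\\Windows\\System32\\svchost.exe", "203.0.113.9", 53),
    Attempt("C:\\Users\\bob\\AppData\\Local\\Temp\\wntf4k3krnl.exe", "203.0.113.7", 49153),
]


def summarize(attempts=SAMPLE) -> dict[str, int]:
    """Count allow/deny decisions over a batch of attempts."""
    counts = {"allow": 0, "deny": 0}
    for a in attempts:
        counts[evaluate(a)[0]] += 1
    return counts


if __name__ == "__main__":
    for a in SAMPLE:
        decision, reason = evaluate(a)
        print(f"{decision:5} {a.process} -> {a.dst}:{a.port}  ({reason})")
    print(summarize())
```

Note that the third record is denied even though `svchost.exe` is allowlisted: the entry is scoped to a destination network as well as a process and port, so a legitimate binary talking to an unexpected address still hits the default rule. That is what makes the key-upload step the post describes fail closed rather than open.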
-
@marczellm said in AV versus no AV?:
I was running Norton
I had a Norton, once. Bloody thing pissed all its oil onto the road in front of the rear wheel. Vertically split crankcases - yet another great British invention.
-
@ben_lubar said in AV versus no AV?:
@RaceProUK said in AV versus no AV?:
@gordonjcp Multiple layers of defence
Yeah, @RaceProUK is a Brit, but that's no reason to call her a wanker.
-
@RaceProUK defence against what, time-travelling Atari ST users trying to overwrite the boot sector on my floppy that I don't have any more?
-
@gordonjcp Maybe you should keep up with tech news
-
@RaceProUK Tech news flash, viruses haven't been a thing since we all swapped pirated copies of Starglider in the school playground.
Modern operating systems don't get them.
-
@RaceProUK said in AV versus no AV?:
Maybe you should keep up with tech news
I'm pretty sure that what sort of computer specific people have doesn't really count as tech news. Even celebrity gossip would be a bit of a stretch.
-
@gordonjcp said in AV versus no AV?:
Modern operating systems don't get them.
It must be fun living in a bubble of denial.
-
@gordonjcp said in AV versus no AV?:
Modern operating systems don't get them.
That you know of.
But most malware is more like a worm or a trojan rather than a true virus. Like anyone cares other than for purposes.
-
@RaceProUK Okay, you're going to need to explain that.
What modern operating system gets viruses?
-
@gordonjcp Windows and Android at least, possibly also iOS. Heck, if you looked hard enough, you could find one for Linux and one for OSX as well. Basically, any OS used by enough people to make it worthwhile.
-
@RaceProUK I've never used Windows. Is it based on TOS or something, how does a modern OS even get viruses?
-
@gordonjcp said in AV versus no AV?:
how does a modern OS even get viruses
The same way any OS gets viruses: stupid people running things they shouldn't or smart people finding ways to run things they shouldn't on someone else's computer.
-
@Adynathos said in AV versus no AV?:
@flabdablet said in AV versus no AV?:
Asking the users doesn't help in 90% of cases, because 90% of users have a deer-in-the-headlights freeze response when asked questions by pop-up message boxes.
I can imagine more convenient solutions, very similar to what the user already does.
For example, if a program wants to save a file, it will ask the OS to display a "Save As" dialog. The user will choose the file location and the OS will mark it as allowed for the program.
Or the files would be saved by default to a "workspace location for this program" (many programs have that already). An installer/updater would have permission to write to a chosen/default installation directory for the software, but nowhere else.
Sounds almost exactly what they did with the App infrastructure...
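The quoted proposal (a Save As dialog owned by the OS that turns the user's pick into a write grant, plus a per-program workspace directory) is a capability-style design. As an added toy model, not code from the thread and not how any real OS or app sandbox is implemented, here is a broker that enforces exactly those two grant sources and denies everything else, including `..` traversal out of a workspace. Program names and paths are made up.

```python
"""Toy file-write broker modelling the Save-As-as-grant idea from the thread.

Added example, not from the thread and not any OS's real implementation.
Program names, workspace directories and file paths are constructed.
"""
from pathlib import PurePosixPath


class FileBroker:
    def __init__(self, workspaces: dict[str, str]):
        # program -> directory the program may write under without asking
        self._workspace = {p: PurePosixPath(d) for p, d in workspaces.items()}
        # program -> individual paths the user explicitly chose in a dialog
        self._granted: dict[str, set[PurePosixPath]] = {}
        self.audit: list[str] = []

    def save_as_dialog(self, program: str, user_choice: str) -> None:
        """Model of the OS-owned Save As dialog: the user's pick becomes a grant
        for that one path only."""
        self._granted.setdefault(program, set()).add(PurePosixPath(user_choice))

    def _in_workspace(self, program: str, path: PurePosixPath) -> bool:
        ws = self._workspace.get(program)
        return ws is not None and ws in path.parents   # strictly under ws

    def write(self, program: str, path: str, data: bytes) -> bool:
        """Return True if the write is permitted; always records an audit line."""
        p = PurePosixPath(path)
        # Refuse relative paths and any '..' component: PurePosixPath does not
        # normalise them, so a parents() check alone could be escaped.
        if not p.is_absolute() or ".." in p.parts:
            ok = False
        else:
            ok = (p in self._granted.get(program, set())
                  or self._in_workspace(program, p))
        self.audit.append(f"{'ALLOW' if ok else 'DENY'} {program} write {p}")
        return ok


def demo() -> list[str]:
    """Run a constructed scenario and return the audit trail."""
    broker = FileBroker({"editor": "/home/u/.editor", "installer": "/opt/app"})
    broker.save_as_dialog("editor", "/home/u/Documents/notes.txt")
    broker.write("editor", "/home/u/Documents/notes.txt", b"hello")   # user chose it
    broker.write("editor", "/home/u/Documents/other.txt", b"x")       # never chosen
    broker.write("editor", "/home/u/.editor/cache.db", b"x")          # own workspace
    broker.write("editor", "/home/u/.editor/../Documents/other.txt", b"x")  # traversal
    broker.write("installer", "/opt/app/bin/app", b"x")               # install dir
    broker.write("installer", "/etc/profile", b"x")                   # anywhere else
    return broker.audit


if __name__ == "__main__":
    print("\n".join(demo()))
```

The point of the model is that the program never holds a general "write files" permission: it holds a grant per user-chosen path and a grant for its own directory, and the broker is the only component that ever consults the user, which keeps the number of prompts down to the dialogs the user would have seen anyway.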
-
@Tsaukpaetra doesn't windows out all applications as of win 10 in a sandbox of sorts?
-
@lucas1 said in AV versus no AV?:
@Tsaukpaetra doesn't windows out all applications as of win 10 in a sandbox of sorts?
... Based on what I assume you meant, no, only apps specifically compiled for Windows 8+ (aka Windows Universal) have this feature, normal Win32-style apps do not and are in fact under the same permission scheme as Windows 7 (Well, technically Vista, but people trigger for some reason).
-
-
@gordonjcp said in AV versus no AV?:
I've never used Windows
How else do you get fresh air and daylight into your house/apartment ?
-
@TimeBandit said in AV versus no AV?:
How else do you get fresh air and daylight into your house/apartment ?
Daylight turns trolls into stone, remember? As for fresh air, vents maybe? XD
-
@Akko said in AV versus no AV?:
@TimeBandit said in AV versus no AV?:
How else do you get fresh air and daylight into your house/apartment ?
Daylight turns trolls into stone, remember? As for fresh air, vents maybe? XD
Vents are just Windows with bars in them.
-
What about BitDefender?
-
@Akko said in AV versus no AV?:
Daylight turns trolls into stone, remember?
I think you're thinking of gargoyles.
-
@hungrier Gargoyles, or grotesques?
-
@RaceProUK Gargoyles, who awakened in modern (1990s) New York City after a thousand years
-
@flabdablet said in AV versus no AV?:
"Noy", meaning "small", is actually one of the most common short names for both males and females here.
-
@Adynathos said in AV versus no AV?:
It tells us the location of the file with all the metadata the OS might store about it.
Was there any user action leading to this program processing the file?
Was this program selected to deal with files in this location or of this type?
Which program was used to create this file in the first place?
The typical result of attempts at stuff like this is a firework of dialog boxes that perfectly trains the user to completely ignore them and click "accept" in a few milliseconds.
Never had that conversation?
What was that?
Oh, just something from the firewall.
So what did it say? That was too fast for me to even read the title!
No idea, I just accepted it, otherwise shit won't work.
Security defeated.
For the same reason I just set an Icinga threshold for a DF check that's probably unsafe, but the "safe" one caused several boxes to light up red all the time and we know they're not gonna be fixed during their lifetime because that would mean a complete reinstall—and having to ignore those alerts all the time inevitably trains you to overlook them.
-
@LaoC said in AV versus no AV?:
The typical result of attempts at stuff like this is a firework of dialog boxes that perfectly trains the user to completely ignore them and click "accept" in a few milliseconds.
That's why it is important to only ask questions of the user rarely, when they might be able to make a decision usefully, and to present sufficient information that they might reasonably make a good decision in that specific case. Alas, that's actually difficult to get right.
-
@LaoC said in AV versus no AV?:
Never had that conversation?
Honestly? No. Mine seems to go more like this:
A thing just appeared asking me something!
What is it asking?
I don't know!
Well, why don't you read it?
It's asking whether I want to delete "file.txt".
Do you?
No!
Then click the "No" button...
-
@hungrier said in AV versus no AV?:
@Akko said in AV versus no AV?:
Daylight turns trolls into stone, remember?
I think you're thinking of gargoyles.
No, actually I am thinking of trolls, specifically the middle earth variant ;)
-
@Tsaukpaetra said in AV versus no AV?:
@Akko said in AV versus no AV?:
@TimeBandit said in AV versus no AV?:
How else do you get fresh air and daylight into your house/apartment ?
Daylight turns trolls into stone, remember? As for fresh air, vents maybe? XD
Vents are just Windows with bars in them.
Po-tay-to po-tah-to
-
@Deadfast said in AV versus no AV?:
Honestly? No. Mine seems to go more like this:
A thing just appeared asking me something!
What is it asking?
I don't know!
Well, why don't you read it?
It's asking whether I want to delete "file.txt".
Do you?
No!
Then click the "No" button...
True, that's also a common one. Yours is the totally computer illiterate (who doesn't have them in the family?), mine is the self-proclaimed power user. Of course your guy would be quite safe with those dialog boxes as long as their default answer is the safe one, but he also wouldn't get anything done at all. Even if he moved up to the level of being able to read them without guidance, what would he do with an information like "wntf4k3krnl.exe is trying to open a connection to Π½Π°ΡΠΌΠ³Π΅55.ua port 49153. Allow/Deny"? He'd have to read them and accept the default because they might as well be in Tibetan, so we could just not ask and deny everything.
-
@Akko said in AV versus no AV?:
@Tsaukpaetra said in AV versus no AV?:
@Akko said in AV versus no AV?:
@TimeBandit said in AV versus no AV?:
How else do you get fresh air and daylight into your house/apartment ?
Daylight turns trolls into stone, remember? As for fresh air, vents maybe? XD
Vents are just Windows with bars in them.
Po-tay-to po-tah-to
-
@dkf said in AV versus no AV?:
That's why it is important to only ask questions of the user rarely, when they might be able to make a decision usefully, and to present sufficient information that they might reasonably make a good decision in that specific case. Alas, that's actually difficult to get right.
As an example, Windows UAC fails on all points, which makes it mostly useless.
-
@LaoC said in AV versus no AV?:
@Deadfast said in AV versus no AV?:
Honestly? No. Mine seems to go more like this:
A thing just appeared asking me something!
What is it asking?
I don't know!
Well, why don't you read it?
It's asking whether I want to delete "file.txt".
Do you?
No!
Then click the "No" button...
True, that's also a common one. Yours is the totally computer illiterate (who doesn't have them in the family?), mine is the self-proclaimed power user. Of course your guy would be quite safe with those dialog boxes as long as their default answer is the safe one, but he also wouldn't get anything done at all. Even if he moved up to the level of being able to read them without guidance, what would he do with an information like "wntf4k3krnl.exe is trying to open a connection to Π½Π°ΡΠΌΠ³Π΅55.ua port 49153. Allow/Deny"? He'd have to read them and accept the default because they might as well be in Tibetan, so we could just not ask and deny everything.
And if the developers coded the behaviour correctly, when presented with a dialog that you don't know what to do with, you should be able to press "Esc" so that no change is made. You shouldn't need to identify the text on buttons to make the safe choice.
-
@ixvedeusi At least "sudo" has a whitelist for you to configure, but AFAIK UAC does not.
-
@LaoC said in AV versus no AV?:
Yours is the totally computer illiterate
The thing is, some of those people seem more illiterate in general than specific to computers. I mean if a windows pops up with a lot of text asking for what to do, WHY WOULD YOU NOT READ IT FIRST BEFORE DOING ANYTHING? I mean it should be common sense, completely independent of your knowledge about computers. If you get a letter from some government bureau, are you just going to send them a check "because that's what they wanted last time so I just assumed it was the same thing"? Argh I could go on like this for hours
-
-
@Akko said in AV versus no AV?:
WHY WOULD YOU NOT READ IT FIRST BEFORE DOING ANYTHING?
Because if the popup has happened a lot before asking (what appears to you to be) the same damn question over and over, why would you bother reading it yet again? No, the laziness takes over — and understandably so — and they just give the canned response, same as the hundred times before.
-
@ixvedeusi "sudo" kind of works for power-users that actually really understand the messages, as a safety net (i.e. as long as you don't use it, you hopefully can't screw up the system too much -- and hopefully the additional effort of using it makes you careful).
It is indeed no better than UAC for a basic user (i.e. 99% of users!), but it has I think its uses for the rest (i.e. all of us here!).
And obviously, "sudo" works best with this:
https://twitter.com/liamosaur/status/506975850596536320