Re: Multi_VA trashed my system (Can David H Lipman please look a this) - Page 3



Re: Multi_VA trashed my system (Can David H Lipman please look a this)

cquirkenews@nospam.mvps.org says...

And you keep missing the point of the certification.

The entire point of this discussion was cleaning a machine, cleaning a
machine, not how do we keep users from being compromised again, not how
do we prevent exploits from being used against users, not how do we
protect people from things they should know about.

Your presumption is wrong, concerning "will magically not be exploitable
in the same way that it was before". I presume that they will be
compromised again, and I put things in place to try and limit their
exposure (if they want them) and to provide an explanation of why they
got into the mess to start with. I do not certify the machine as being
clean during all future use as you suggest.

So, unless the vendor ships the OS with a virus/trojan or other malware,
and we're not talking about holes, exploits, vendor provided spyware
that just checks for software updates, we're talking malware as would be
accepted by the US Court system, a wipe/reinstall in a clean environment
would be all that's needed to certify the machine as clean.

Technically speaking, if you wiped/reinstalled Windows XP Pre-SP1, and
did not apply any updates/patches, the machine would legally be
considered clean also.

If you don't understand what I've written above - that wiping and
reinstalling provides a legally certifiable clean machine at the time of
return to the customer, then you don't need to reply again.

--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On Sun, 21 May 2006 05:08:48 +0200, "cquirke (MVP Windows shell/user)"


Apps will play well with the scheme if they are included in the backup
(of Windows+apps). One way, as I mentioned in a previous post,
is to set aside a relatively small normally hidden partition for the
purpose. A special boot disk can be devised for use when Restore
is desired. It does the chores of hiding/unhiding and modifying the
boot.ini file of the default partition. You boot to either the
bootable backup of Windows to do a restore, or to the default Windows.
I've arranged such a scheme for testing and eval purposes and it works
out ok.
  

Determination of "clean" (the best you can do) is the same for the
backup as it is for the default. You simply can't achieve perfection.

It's not an issue of "clickless attack" so far as I can see. The user
has to figure out a way to purposely Run email attackments with sane
email apps which don't allow the user to Run them. He must Save them
to a folder and Run them from there in order to get infested. The issue
here is the old one that you used to love to grind on about,
particularly concerning Pegasus :) You don't want to leave any
attackments buried in email archives on the customer's machine since
he might later on Save and Run them.

I wonder if you've developed a util (since I know you code) to
strip attachments out of email archives of most apps. I've never
seriously addressed the issue myself. But I can see that it's not
a simple or trivial issue, and I wonder how you handle it with
customers. It would be tempting to eradicate all their email
archives (with their permission, of course) and tell them they
will have to rebuild their folder structures. It's really a bad
practice to leave anything you want to keep in email archives.
Email apps tend to screw up once in awhile, and lose folders.
I've trained my wife to Save all messages she wants to keep
in a special area I created on her PC for the purpose. She's
trained to not leave any attachments in email archives, and
to delete all unsolicited attackments immediately. That sort of
thing would be part of the safe hex training I'd give customers
if I were to be foolhardy enough to go into the repair
business :)    
 
Art
http://home.epix.net/~artnpeg


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

Leythos wrote:
[snip]

i think i'm with dustin on this one - saying you can do anything with
100% effectiveness is the problem here...

i know customers demand that sort of thing but it's a technically
unreasonable constraint and historically those that have claimed "100%"
have generally been selling snake-oil...

100% makes people feel *too safe* for their own good and should be
avoided if at all possible...

[snip]

but apparently not wise enough to give the 100% figure a wide berth...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

kurtw@sympatico.ca says...

How wide a "berth" around 100% do you think is acceptable while still
being able to call it 100%?

100% can't be 99.9%, can't be 98%, can't be almost good enough.
Something is either 100% clean or it's not clean, it is very black and
white.

--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)



As a black and white issue, though, you can't claim 100% since you
don't know with absolute certainty that a fresh installation is clean.
It has happened, in fact, that supposedly clean installation media
directly from the source was contaminated by someone at the source.
I also remember the true story about a BIOS directly from the source
that was infested with some malware (or at least a joke program, I
don't recall the details). No matter how small the probability may
seem to be, it is never zero.

The subject interests me because of making backups. How do I know
that I'm not backing up malware? The answer is obviously that you
do the best you can but you can never be certain.

Concerning a repair business, I lean far more toward the idea of
starting a prevention business :) Coupled with that, I envision
installing backup hard drives in removable trays and teaching
people how to use them to backup/restore Windows, programs
and data, just in case. I would teach customers the basic elements
of safe hex, and make sure they are properly firewalled, etc.
Basically, my customers would be those who were hit with big
bills from guys like you and Dustin, and decided to repent and sin no
more since it's too costly :)

(No, I don't want to hear about alternate OS. Windows is fine.)

Art

http://home.epix.net/~artnpeg


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

says...

Yes, you are correct, but, if I restore the machine to its AS-PURCHASED
condition, then I'm not liable for "missing" any malware, as the
computer would have shipped with it.

I'm looking at things from the "Liability" point, not from the technical
point, although there is little difference.


Many types of malware don't infect/compromise different types of data
files, and most that do are easily detectable. There is always a chance
you will backup malware if you backup anything, and more if you backup
the full system.


A typical customer pays a 1.5hr call for me to wipe their machine and
rebuild it, they install the apps and such, I install the OS, security
updates, the firewall settings, the Administrator account and the
Limited account, the browser security settings, etc....

Since we don't normally do residential customers, I do them as a
learning experience and take CO-OP's with us or bring their machines
back here. In reality, if we find something interesting, we may spend 5
or 6 hours tracing through it and learning about something if it's one
we've not actually seen before - then we wipe/reinstall and do as I've
mentioned and we're done. Oh, for residential customers, and remember
that we don't do them as a norm, we would charge $99/hr.


--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)



I recently did a "from scratch" install of Win 2K and it took over 4
hours by the time I had sp4, the rollup and all critical patches
downloaded and installed using Wideband service. This was a smooth
install without any glitches, and I'm fairly experienced doing it. Of
course, not all that time is productive working time ... to some
extent other things can be done while waiting for this and that to
complete. But what other productive things can be done while a large
partition is being formatted, etc., at a customer's site? Also, a fair
amount of attention must be paid to the Windows install process to
keep it going as fast as possible. And what if the customer doesn't
have wideband service? I guess you keep all the updates for each
OS on CD?

I can't imagine cutting my time down to 1.5 hours at a customer's
site any way I look at it and try to imagine being able to do the
things you mention with my eyes closed since I've done it so many
times :) You are one fast boy!


I'd have trouble getting that in my area, which is rural central
Pennsylvania near Harrisburg. Maybe $50 or $60 but people aren't
going to want to pay for several hours plus travel expenses just
to recover from malware. If there isn't any valuable data involved,
people can simply purchase a new PC for the money they'd have to pay
to get the ailing one fixed. I can see where money might be made in
data recovery. And I'm half way serious about my idea of a malware
prevention service. I suspect someone could do OK with that.

Art
http://home.epix.net/~artnpeg


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

says...

Sorry, I should have been more specific, I think I said "the customer
pays a 1.5 call". We do this sort of as a not-for-profit service when we
help them out.

In reality, most of the customers that we deal with have FULL OEM
licenses or DELL OEM Full Licenses - and we have images that have been
SYSPREP'd that we can load on many types of machines, do a
repair/reinstall if needed, and then add in the different drivers as
needed.
 

Sure, I understand that issue too - cost/ROI. I had one chap with a Dell
Dimension 2300 (I think it was a 2300, it was one of their $400 units).
After getting a $700 phone bill due to malware dialing the UK, he wanted
me to certify that the machine was clean, but he had no media (lost it)
and no backups... I told him I would not certify it, unless I wiped it.
I also told him that to clean it and maintain the data, that it would
cost him 2.5 hours, while we took 6 hours because we wanted to dissect
the dialer.

--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)


We do, here. People go away, sometimes for months, and it's not safe for
them to go online when they get back until they've patched, so we keep a
CD of all patches since 2000 SP4 and XP SP1 (plus those service packs and
XP's SP2).

Any reasonably large commercial outfit ought to be imaging their basic
setup with one of the proprietary packages. The re-install then becomes a
simple re-imaging job taking between 10 and 45 minutes depending on
software used and size of image, plus a bit of tidying up.

Where we have trouble is with undergraduates - we have no control over
their laptops, and we often can't re-inst Windows as it's a version we
don't have a licence for, they don't have the disk, it's in Chinese, blah
blah blah. A full scan in SafeMode+CommandPrompt with something decent,
followed by a Safe Mode scan with something else, then adware/spyware
scans, sorting all the basic machine security, takes a day (elapsed - much
less hands-on). And that's if there's nothing special that we have to take
special steps for. It's a close call sometimes whether it'd be simpler to
copy off all the data files and just wipe, if it's possible to re-inst
Windows.

Very occasionally we get asked to clean a student's machine and it turns
out to have an illegal copy of Windows. Then we tell them to **** right
off.
--
News: use seven bits;
or accept you cannot know
how it looks elsewhere.

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On Fri, 19 May 2006 09:27:25 +0100, Befunge Sudoku


I personally keep a file clone on a backup drive using XXCLONE for Win
2K and XXCOPY for Win 9X/ME. Restoring a bootable clone on Win 2K
takes about one minute per gig of files to restore on my PC. Restoring
Win 9X/ME might only take a minute or two since only files that differ
in size or date are copied. Files/folders not on the destination are
deleted (clone operation).

This is so quick and reliable, covering even drive failure scenario,
that I'm really enthused about the idea of installing recovery
packages on customer's machines and teaching them how to use
them. It could be done at a relatively low cost to customers.
They would be instructed to never update the backup drive
because of the problem of not knowing whether or not they're
backing up malware.  

BTW. I recently investigated the idea of doing a compromise
backup on an extra partition and then hiding that partition so
malware couldn't get at it. I discovered to my surprise that
Win 2K doesn't cooperate with the normal way of hiding
partitions via alteration of the file system byte in the partition
table. It can be done this way with Win 2K but it's risky since you
have to set the byte to zero and it's possible that the
subsequent use of certain utils might delete the partition.
But Win XP and Win 9X/ME users can use the usual way
of hiding, and the freeware utility SuperFdisk can be used
in these cases to hide and unhide at a low level not involving
the registry. This would be a poor man's way of protecting
his backup from most (but not necessarily all) malware,
and the method also suffers, of course, by not affording
a way out of a dying hard drive.

Art
http://home.epix.net/~artnpeg
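The hidden backup partition described in both the boot-disk scheme earlier in the thread and this post rests on the type byte of each entry in the MBR partition table. As an added example, not code from anyone in the thread, the following Python decodes an MBR's four primary entries and toggles that byte using the convention partition tools use (the visible type code with 0x10 set marks the partition hidden; that convention is an assumption here and, as the post notes, Windows 2000 is reported not to honour it); the sample MBR is constructed.

```python
import struct

SECTOR = 512
PT_OFFSET = 446     # the four 16-byte partition entries start here
HIDDEN_FLAG = 0x10  # tool convention (assumed): visible type | 0x10 = hidden type

# Common type codes; their hidden variants are the same code with 0x10 set.
TYPE_NAMES = {
    0x01: "FAT12", 0x04: "FAT16 <32M", 0x06: "FAT16", 0x07: "NTFS/HPFS",
    0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0E: "FAT16 LBA",
}

def parse_partition_table(mbr):
    """Decode the four primary partition entries of a 512-byte MBR sector."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad length or signature)")
    entries = []
    for i in range(4):
        raw = mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, LBA sector count
        status, ptype, lba_start, lba_size = struct.unpack("<B3xB3xII", raw)
        if ptype == 0:
            continue  # empty slot
        base = ptype & ~HIDDEN_FLAG
        entries.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "name": TYPE_NAMES.get(base, "unknown"),
            "hidden": bool(ptype & HIDDEN_FLAG) and base in TYPE_NAMES,
            "lba_start": lba_start, "lba_size": lba_size,
        })
    return entries

def set_hidden(mbr, index, hidden):
    """Return a copy of the MBR with entry `index` marked hidden or visible.
    Only recognised FAT/NTFS types are touched, so an unknown code is never
    rewritten into a bogus one; writing the sector back is the caller's job."""
    entries = {e["index"]: e for e in parse_partition_table(mbr)}
    if index not in entries or entries[index]["name"] == "unknown":
        raise ValueError("refusing to modify an empty or unrecognised entry")
    base = entries[index]["type"] & ~HIDDEN_FLAG
    new_type = base | HIDDEN_FLAG if hidden else base
    pos = PT_OFFSET + 16 * index + 4  # offset of the type byte in this entry
    return mbr[:pos] + bytes([new_type]) + mbr[pos + 1:]

def make_entry(bootable, ptype, lba_start, lba_size):
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0, ptype, lba_start, lba_size)

def build_mbr(entries):
    """Constructed sample MBR: empty boot code, given entries, 0x55AA signature."""
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return b"\x00" * PT_OFFSET + table + b"\x55\xaa"

# Constructed layout for the scheme discussed: a visible default Windows
# partition plus a hidden NTFS partition holding the bootable backup.
SAMPLE_MBR = build_mbr([
    make_entry(True, 0x07, 63, 40_000_000),          # default Windows (NTFS)
    make_entry(False, 0x17, 40_000_063, 4_000_000),  # hidden NTFS backup
])

if __name__ == "__main__":
    for e in parse_partition_table(SAMPLE_MBR):
        print(f"#{e['index']} type=0x{e['type']:02X} {e['name']:<10} hidden={e['hidden']} "
              f"boot={e['bootable']} start={e['lba_start']} sectors={e['lba_size']}")
```

Hiding only keeps the partition out of the OS's normal view; as the post says, it does nothing against a failing drive, so a separate backup disk is still needed.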


Re: Multi_VA trashed my system (Can David H Lipman please look a this)


Befunge Sudoku wrote:


Unfortunately, we're required by our employer to clean these machines as
well, knowing full well they're running pirated windows. This makes
cleaning an interesting task in and of itself, as a known pirated
windows system will not allow all updates from MS. It'll allow the
security patches only, to a limited extent. If the user was careless
enough to use the 1st key leaked, sp2 won't even install, short of
changing the key, and we won't do that.

It can become a really tricky situation. We have to clean these
machines even with the understanding it probably won't stay clean, not
so much for the user of this computer, but for the safety of everyone
else this computer might have hex with.

--

Regards,
Dustin Cook
http://bughunter.atspace.org


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On that special day, Art, (null@zilch.com) said...


One side note:

That with the three mile island? Seeing what happened in the Ukraine
twenty years ago, you can count yourself lucky, really.

I wonder why some people still think setting up new plants is a
solution to the rising of oil prices, instead of developing more energy
efficient devices, which make better use of the power already available.

Energy saving doesn't create any kind of waste, be it carbon dioxide or
nuclear.


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

On Fri, 19 May 2006 18:39:10 +0200, Gabriele Neukam


With our higher prices of oil and gasoline, I've heard no talk of
nuclear, but much talk about energy saving and efficiencies.

Art
http://home.epix.net/~artnpeg


Re: Multi_VA trashed my system (Can David H Lipman please look a this)

Gabriele Neukam wrote:


I'm originally from Harrisburg.


We lived five miles west of Three Mile Island, in 1979 when it had its
problem. (That would be across the river.)

We were upwind...  :-)


Three Mile Island Unit 2 is still performing perfectly. Several friends
worked on the island, but they've all retired now.

--
   -bts
   -Warning: I brake for lawn deer

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

Leythos wrote:

???

by giving it a wide berth, i mean don't use the figure... if you 'call
it 100%' you're using the figure...


clean?

gosh, next you'll be looking to 'certify' the computer is 'virus-free'...

(can anyone think of any other snake-oil hot-buttons that might apply?)

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

kurtw@sympatico.ca says...

I'm not sure what you're trying to say here - are you suggesting that
you can't build a Windows XP system that's virus free at the time you
give it to a customer?

--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

Leythos wrote:

no, i'm saying that you can't *know* that it's virus free... it may
actually be virus free or it may not be... there are no measures you can
perform that will necessarily always result in a virus free rebuilt
system...

the kinds of certainties you're trying to offer customers are only
possible if you constrain yourself to *known* malware...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

'kurt wismer' wrote:
| no, i'm saying that you can't *know* that it's virus free... it may
| actually be virus free or it may not be... there are no measures you can
| perform that will necessarily always result in a virus free rebuilt
| system...
|
| the kinds of certainties you're trying to offer customers are only
| possible if you constrain yourself to *known* malware...
_____

Sounds like solipsism to me.

Phil Weldon

| Leythos wrote:
| > kurtw@sympatico.ca says...
| >> (can anyone think of any other snake-oil hot-buttons that might apply?)
| >
| > I'm not sure what you're trying to say here - are you suggesting that
| > you can't build a Windows XP system that's virus free at the time you
| > give it to a customer?
|
| no, i'm saying that you can't *know* that it's virus free... it may
| actually be virus free or it may not be... there are no measures you can
| perform that will necessarily always result in a virus free rebuilt
| system...
|
| the kinds of certainties you're trying to offer customers are only
| possible if you constrain yourself to *known* malware...
|
| --
| "it's not the right time to be sober
| now the idiots have taken over
| spreading like a social cancer,
| is there an answer?"



Re: Multi_VA trashed my system (Can David H Lipman please look a this)

kurtw@sympatico.ca says...

Again, you misunderstand, look at it from a legal point, not a purely
technical point: If you have to bet your house, wife, kids, lotus,
etc... on a system being clean and standing up to some formal inspection
by others, are you going to clean it or wipe/rebuild it back to factory
specs - noting that factory specs, if it contains a virus in the distro,
would absolve you of any responsibility for that.

I actually feel fairly certain I can clean any machine, but if I have to
provide a certification that the machine is clean, it's always going to
be a wipe/reinstall.

--

spam999free@rrohio.com
remove 999 in order to email me

Re: Multi_VA trashed my system (Can David H Lipman please look a this)

Leythos wrote:

i think it is you who is misunderstanding me... i'm talking about a
situation where that bet isn't made at all... where the principals are
made to understand that the certainty that others might promise them is
not actually available under any circumstances but you will do your best...


i can see no reason why one might be forced into such intellectual
dishonesty as to _certify_ that a machine is _clean_...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
