lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 20 Feb 2009 09:27:03 -0500
From: Jordan Bray <jordanbray@...il.com>
To: Elazar Broad <elazar@...hmail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Oh Yeah, botnet communications

On Thu, 19 Feb 2009 23:38:37 EST, T Biehn said:

> God Valdis,
> Dont concentrate on the mundane, the core issue is the unpredictable
nature
> of it.
> You have them all coordinate reading the news at 12:00 AM GMT.
> You build some silly algorithm that ensures they pick the right article.

Right, so now you need this insanely complicated system to make sure that
you
get the right article at midnight, even if you have a race condition or
you're
getting an old copy because of a caching proxy in the path or if they hit
different boxes on a load balancer and the articles update a few seconds
apart,
and then make sure they all pick the "right" article - which means they need
to
*agree* on the right article without knowing for sure what article the
*other*
bots are looking at.  And that also means that the botnet owner (or at least
a system they have) has to *also* be online so it can also check CNN and
figure
out what domain to register - which sucks if Godaddy just put up the "Down
for
3 hours due to unexpected system problem" sign or any of a zillion other
failure
modes in trying to register that next domain in real time.  You can't
register
the next 3-4 day's worth of domains ahead of time and make sure they went
live.

Lots of failure modes there.

Or you can just hash the damned clock once an hour, which seems to be quite
sufficient to keep the average botnet running.

*THAT* is why they don't base it off a news RSS feed - all these mundane
issues
make it *harder*.  You wanna do it the hard way that has more ways to fail
and
sprout bugs, be my guest.  Most of the coders out there prefer something
just a bit simpler.


P.S.  I really need to get this reply all thing down...
-- 
/me

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ