Date: Sun, 22 Feb 2009 09:43:30 -0800
From: Kurt Buff <kurt.buff@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure <Full-Disclosure@...ts.grok.org.uk>
Subject: Re: Oh Yeah, botnet communications

On Thu, Feb 19, 2009 at 21:21,  <Valdis.Kletnieks@...edu> wrote:
> On Thu, 19 Feb 2009 23:38:37 EST, T Biehn said:
>
>> God Valdis,
>> Don't concentrate on the mundane, the core issue is the unpredictable nature
>> of it.
>> You have them all coordinate reading the news at 12:00 AM GMT.
>> You build some silly algorithm that ensures they pick the right article.
>
> Right, so now you need this insanely complicated system to make sure that you
> get the right article at midnight, even if you have a race condition or you're
> getting an old copy because of a caching proxy in the path or if they hit
> different boxes on a load balancer and the articles update a few seconds apart,
> and then make sure they all pick the "right" article - which means they need to
> *agree* on the right article without knowing for sure what article the *other*
> bots are looking at.  And that also means that the botnet owner (or at least
> a system they have) has to *also* be online so it can also check CNN and figure
> out what domain to register - which sucks if Godaddy just put up the "Down for
> 3 hours due to unexpected system problem" sign or any of a zillion other failure
> modes in trying to register that next domain in real time.  You can't register
> the next 3-4 days' worth of domains ahead of time and make sure they went
> live.
>
> Lots of failure modes there.
>
> Or you can just hash the damned clock once an hour, which seems to be quite
> sufficient to keep the average botnet running.
>
> *THAT* is why they don't base it off a news RSS feed - all these mundane issues
> make it *harder*.  You wanna do it the hard way that has more ways to fail and
> sprout bugs, be my guest.  Most of the coders out there prefer something
> just a bit simpler.

Not necessarily as insanely complicated as you might think - an RSS
feed can include some interesting numbers, such as stock quotes, etc.,
where the non-integer portion of the number(s) is pretty random, and
reporting on them is pretty standardized.

And, I don't think, for the purposes of discussion, it *has* to be an
RSS feed. It could be any publicly available, regularly updated text,
including www.wsj.com.

Kurt
