Paperghost Postbag

Come on, it's been a while. Ask some questions on stuff, and I'll answer said questions at some random moment in the future. Fire away.

Paperghost Postbag

Fire away, questions answered sometime in the future or whatever.

Postbag Special: This is why security conferences are all messed up

Doing any more security conferences? Steve G

Well, I am - but I'm not telling yet ;)

Mind you, the whole "security conference" thing is vaguely depressing, if I'm being honest. Like many people, I submit presentations to upcoming events and some get accepted, some get rejected. Cool, whatever. What did open my eyes, was one particular response I got back. It seems to be symptomatic of both what people expect from security researchers, and what people think they're supposed to put up with at security conferences.

"I think it might have interested the reviewers if it was a little more technically specific, your talk description sounded more suited to a general audience than an audience of security specialists."

Hmm. So a crowd of people would rather sit through an hour long talk with a lot of technobabble they might not understand, but because "we're security specialists, lol" and we're supposed to act and think and do in a certain way, anyone falling outside that bracket is automatically excluded because "it ain't security if you understand what the Hell the guy on the stage is talking about".

I go to lots of talks like that where the guy starts rambling on about some obscure method of coding that affects some server application I never heard of, and you know what happens within ten seconds of those bad boys starting? See the bar over there in the next room? Yeah, that's me. Come over and I'll grab you a beer.

You're paying for it, though.

What is this obsession with it only being security if whole chunks of it sound too complicated to understand?

Where are the conferences where we get to hear how to repeatedly punch bad guys into the ground until they start crying? Where is the balance?

And anyway, my background isn't microscopic evaluation (and discussion) of code. It is a more general application of lots of non-security disciplines used to track down scumbags and make them cry.

Don't those methods count either due to them not being in the realm of pure code? Oh well.

"My suggestion is to recast this proposal and resubmit it, but next time include more details on the technology in the examples you will be covering, and have more highlighting about what is going on in the technology of the attacks."

No. Resolutely no, no, no.

If I include a screenshot of some stupid thing happening behind the scenes in a hijack somewhere, or throw in ten minutes of rambling about how chunk of code kicked into life while some other bit of code did some other thing, have we really gained any insight into anything?

If the actual focus of the talk is some coding thing, or looking into how x does y by a process of eleventy, then great. But if the focus of your presentation is looking at the human cost of a particular hijack, how it affected the people it appeared in front of, what happened in the process of getting said scam kicked off the Internet, then I'm not going to lose any sleep over it because it is irrelevant.

Case in point, at the ASC Conference in Boston, while giving a general overview of the different kinds of attacks I'd come across in the last year or so, when I got to the Yapbrowser shambles I simply flipped up a screenshot of the browser installing, before child porn and after.

Afterwards someone came up and said something along the lines that everyone in the room were shocked, took a deep intake of breath, really had the message of the attack driven home to them etc because they had no idea people were going round pushing web browsers that redirected you to illegal porn.

Job done, some more rage generated against the scum that plagues the net. I know some of those people went off and explored this area further, got involved in takedowns etc.

This is a good thing.

Would that have happened if those more general screenshots had been subsituted for a 30 minute talk about the code contained in the Browser? Nah. Everyone would have nodded sagely at the code-talk and forgotten all about the fact that some asshat in Russia somewhere is making lots of money from naked pictures of kids. I refuse to separate the human misery peddled by these applications from the main thrust of my argument in all these talks, which is that

scumbags + human misery = SOMEONE NEEDS THEIR ASS KICKING.

There's room enough for all these angles, or there should be. But meanwhile, here's another presentation on Fuzzing.

"Oh also a nitpick... our reviewers are lazy prima donnas and they all hate to click another program to review stuff...So next time make sure you include a .txt version or synopsis. It's tough to figure out if that actually played a part in the rankings but I'm willing to bet at least a few of them looked at it with less scrutiny in the flood of stuff they have to review."

.....now this is interesting. I'm a visual person. I go for the images and the pretty colours. I want to show you what this stuff does. It's almost impossible to create a text-only version of a 37 page Powerpoint presentation where 95% of it is entirely constructed with images and moving graphics.

It's back to that one-size fits all thing, I guess. And if you're a "lazy prima donna", then what on Earth are you doing on the panel anyway? But this next quote is the killer:

"Your presentation was a fascinating case study, but I fear the reviewers (and the attendees) are a little jaded about all the abundant classes of malware that seems so prevalent these days."

....wait, what? If people are sick of learning about new kinds of attacks via new types of Mal/Spy/Adware, then why on Earth are they even bothering to show up to these things?

What is it that they're actually listening to and thinking wow, this is awesome!

.....fuzzing?

Sigh.

THIS is how I roll

.....man, Sid Justice was awesome wasn't he? Remember that time where he stuck the dude on the stretcher then ran the whole thing into the side of the ring and the dude went flying into the air like an amazingly mangled ragdoll?

That was super awesome. And now that we've worked out that there's nothing finer than Sid Justice ruling this Earth, fire away with questions or whatever and I'll answer them next week assuming I get any. Otherwise I'll just post up some video of a dude doing stuff instead.

Win-win either way, right?

A week of disasters, but here's a Postbag anyway

...okay, so first my testbox eplodes, then I discover something has gone seriously wrong with my Interwebs. Cue me missing in action for what feels like forever. Everything should be back to normal next week, but for now enjoy hurling questions about stuff in my general direction.

Paperghost Postbag - Answers Galore

Here we go with some more rambles from the Deadliest Man Alive.

That's me, by the way. Bang bang.

Oh, I didn't manage to cover all the questions, so (as always), the ones left out will be included next time. And away we go...

Did the airline ever return your dainties? Rob

Sadly, no. My underwear - super sexy underwear, it should be noted - is still totally MIA. If anyone out there happens to see a random pair of men's undergarments that sort of glow like the briefcase in Pulp Fiction, do not approach them without shades on lest you go blind.

We all know each year will be different. As we are entering the darker months. Do you think this year so far has been a quiet one or similar to other years in regards to new malware appearing/reported? AndyAtHull

Ooh, dunno. There's definitely a shift away from people like me complaining about Ye Olde Skool Adware vendors such as Zango and all the rest of them. Contrary to popular belief, this is a good thing and I'd really rather be writing about all the crazy crap coming out of places like China. All those Adware guys have set sail for Moneybags Island, and they're not coming back for the most part. This presents an interesting problem for people who write about security stuff on a daily basis.....half the content of an Anti-whatever blog will usually be stuff related to legit Adware vendors.

A lot of that has suddenly been thrown under a bus, and of course, a lot of potential additional things to write about goes with it. It's a lot easier to tell people about things and make them understand when there's a specific entity or company or whatever at the heart of it. The moment you start going on about "gangs" (they're always gangs, aren't they? Where did all the groups go?) with silly names like "Zhelatin" (that sounds like a kind of cream for intimate areas), people start to go a bit misty eyed.

So the increase in anonymity with regards "who to blame this week for some random disaster" doesn't really help.

I'd still rather never have to write about Zango or Direct Revenue ever again, though. People will just have to get used to the shift in "where this weeks biggest ever problem with something" lies.

Would you go on a tour of the Zango offices if you were asked? Alex

Funnily enough, Zango did ask me to take a tour - I think it was last year or thereabouts. At the time I declined, as I was busy with something else. Would I do it now? Possible, though I'm just as likely to be busy with something else again - and seeing as how Homeland apparently don't like me very much, I'd rather use up what remaining trips I have to get into the States for Conference purposes, than turning up on Zangos doorstep to basically tell them in person what I've already said on this website. And like I said, they're slowly drifting out of the target site lately...I don't think there would be much point.

How does someone go about getting a career like yours. Basically how to get into Anti-Malware and hunting scum bags down but getting some kind of monetry reward for it? I love hunting scumware creators, but it is time consuming and I have very little "free" time, but would love to do it as a career? KiD

All I can really say is, a lot of luck combined with a lot of misfires. Before I started working for FaceTime, I was doing this security stuff in my spare time while holding down a sucktacular job in Insurance, with a few nifty arts-related detours along the way. It depends what bit of the security industry you want, too - the bit that falls under Antispyware seems to be a lot more flexible in terms of the previous backgrounds of the people doing it. A lot of people I talk to were doing something completely different before they got into this, and probably didn't imagine they'd be doing this full time either. Ask around, check out the forums where security guys post job offers (EMail me and I'll see if I can remember the sites!), maybe set up a blog and start publishing your research. You never know what will happen.

And hey, for what it's worth, you have my personal recommendation, because I happen to know you kick ass.

List your top three / favorite busts? LoPhat

Oh man, there's a toughie. If I'm in the middle of a whirlwind of aggro, then you can be sure everything is coming up roses as far as I'm concerned. In no particular order....

1) "Spyware Floods in Through BitTorrent" - Well, this definitely kicked off, didn't it? An absolutely rampant distribution of Adware and Spyware packed bundles pushed across BitTorrent sites, accusations of illegal porn, websites hacked, John Dvorak kicking off, EWeek firing back...this thing had it all. Oh, and this wonderful swipe from John himself:

This was all begun by a Microsoft MVP character named Chris Boyd, who is always described as a "renowned" security expert. By whose standards is he renowned? Has he written books? Academic papers? Articles? What exactly besides blogging? So where does this assertion come from? The blog?

....hi John, I hunt down and terrorise the scum of the net on a daily basis. That's pretty much it, I guess. Take it or leave it.

Oh, I also got my first ever death threats as a result of this one. And a lot of stuff like this (previously unpublished comedy gold coming up, kids!):

"Comments :
1. Please _un_subscribe me from your newsletter.
2. Please provide details on your site about your credentials. 'Microsoft MVP' means little.
3. You indicate where your are _not_ affiliated in your right-hand home page banner. For the sake of better disclosure, please also indicate your past and current affiliations, and the source of past and current monetary and non-monetary comepensation, especially from Microsoft.

Why do I ask these things? See this article. I've been a PC Magazine reader since 1989, long before your 2001 foray onto the web. Dvorak's opinions trump yours by a mile, in my book."

....well crap, can't argue with that. I resign.

2) Zango on Myspace. This was absolutely bezerk, and gathered some sort of terrifying, inexorable momentum until it (predictably enough) culminated in a totally kickass "smoking gun" Email that showed how people at Zango HAD, in fact, targetted Myspace as an avenue for distributing their Adware all along (despite claims to the contrary). Awesome fun for all the family.

3) Well come on, I have to include this, don't I? I told that punk what I was going to do to him, and then I went and did it. In as emphatic a fashion as possible. And then he cried.

Hahaha.

Paperghost Postbag

Ask me stuff.

Paperghost Postbag: Randomness Galore

You asked. I answer:

Do you ever think youre too, uh, militant sometimes? JabaMan

Hi, this is me shooting bad guys in the face.



Not only am I shooting them in the face, but I have no idea how to actually hold a gun which probably makes me twice as dangerous. Especially when I charge in to steal their shoes. Additionally, recent scientific testing has shown that I'm at least as militant as Paris, my wallet looks like this and when I pwn you, it goes a little something like that.

All in all, I'd consider myself pretty militant and I have no intention of changing anything anytime soon. Why shouldn't we treat the people behind hijacking with the same level of arrogant disdain that they've treated computer users with for years? Why should we give them any pardons or do them any favours or trot out some lame excuses?

No, man. Keep wailing on them and pound them into the ground. It's the only way.

Some people accused me of being overzealous with regards this guy. The thing is, all infections treat their victims the same, so I figure we need to apply the same logic to the people behind them regardless of who they might be. If you're rich, I'll cost you money. If you're poor, I'll prevent you getting rich. If you're in a wheelchair, I'll push you down the stairs.

It's like that, and that's the way it is, yo.

Seems like everyone has a blog now. What do you think of the more corporate efforts out there (for want of a better word)? Steve

Oooh, controversial or something. Well, not really. There's more than enough room for all these blogs (though maybe not enough time to read them all). Of course, any corporate blog will necessarily have a point beyond which they can't go in terms of what they can post to their site, so I have the advantage of being able to throw up any old garbage or a rap video or whatever. But if a well known security firm starts up a blog from scratch, they immediately have a ready made audience of a size that may dwarf my collection of daily readers, so that sort of stings I guess.

Then again, I think there's something to be said for building up a readership from zero, because you tend to have a better insight of what works and what doesn't in terms of increasing that readership and making it grow organically.

Then again, I'd love to start a blog with a ready made audience of zillions.

Then again, here it is. I don't know the exact figures, but I do know SPG gets an insane amount of traffic due to the main site having been around so long before the blog was set up.

Ultimately it doesn't really matter anyway, if you write something new or interesting it'll spread anyway. I do enjoy the daily interaction with this site's loyal following, so thanks for sticking around.

One thing I do want to see is more indie blogs! All the new ones of note recently seem to be company sites. The indie vibe is sort of dead at the moment, where's everybody gone?

We need more stupid garbage and rap videos.

I've probably asked something similar before. William Gibson's Neuromancer, and associated stories.

How long until we're there?

Where can I get a kill-file like in Idoru?

When you form the crew that hunts down spam/scam/crapware people - with guns - will you let us know so we can get involved? Derrill

All I can do here is point to me shooting guns in a poor fashion, and then point to the inevitable news reports when I'm let loose with a crack team of commandos, no doubt in a large black van with a red stripe, some dude who ain't gettin on no plane and that bloke out of Battlestar Galactica.

I'm hoping our minds are implanted into large mech-suits that fire missiles and come with built in Ninja swords before I get too old and droopy. That would freaking rock.

In all seriousness though, this is the guy you want to ask about that kind of stuff. Some of his theories and ideas on those sort of topics rock.

I just read a pretty generic article about FaceTime exposing customer information in The Register. I'd like to hear a less reactionary version of events if you can tell us exactly what happened? Rob Newby

To be honest, I've absolutely no idea what happened (or the cause of the problem) other than what was posted on the Register article. As whoever is responsible for it is presumably based in America somewhere, I haven't got any additional info as I'm based in the UK and don't have any involvement in the FaceTime website, I just do research and feed it into the various blogs.

That said, what happened is stupid. On the other hand, if the problem was something to do with server permissions screwing up after an update was applied, there but for the grace of God etc etc.

On the bright side (for me, anyway), I'm happy to report the screw up has absolutely nothing to do with the research teams so as far as I'm concerned we'll just be doing what we've always done. As far as I'm concerned, it's someone else's problem. I have had a few emails through of the "lol your research sucks" variety, but really, what does some boobery on a website I have no direct involvement in have to do with suddenly removing the value or worth of the research done? Meh. It looks stupid, but I doubt it'll have any impact on what I do.

Hello Chris, My question is..Do you listen to LBC FM? Joey Joe Joe Shobbydoo

I have no idea what radio station that is, but the answer (sadly) is no.

Blue pill controversy. What do you think? Devilz Sunz

You mean the whole "let's argue about whether or not it can be detected for about six years but never really prove it either way" thing? It makes me yawn, to be honest. I've tried to be interested, but every time I hear about it, I just shrug my shoulders. That's probably a bad thing, but oh well.

Do you believe there will come a day that Zango will ever answer a straight question with a straight answer because after reading the Comments The Zango guy made I'm starting to wonder... Milligansghost

.....I have no idea which comments you mean :(

Any conferences or talks or anything coming up? Rackson Jackson

Two words: Zealot Revolution Tour.

Oh wait, that's three. Keep em' peeled, anyway. And with that, we bid farewell to the latest Postbag. Thanks for asking questions about things and stuff, some good and vaguely controversial ones this time round.

Paperghost Postbag

...fire away. Questions answered further on in the week.

Probably.

Paperghost Postbag: Special Death-Threat edition

It's been quiet around here lately, but you can always rely on human stupidity to liven the place up in times of absolutely nothing interesting to write about. And so we come to a selection of wonderful missives that plopped into my Inbox this week. Batter up...

"Man u a fukin fool pickin on that gangsta guy. how about i find out who YOU are and come give you some grief? Thinking youre so tough on the internet mr anonymous? I'll kick your bitch ass."

...so, you want to employ your (no doubt) amazing detective skills and "find out who I am"? I'm sure it'll be a thrilling chase, full of twists and turns and lashings of red-herrings. Alternatively,

1) Go here.
2) Job done.

Now go away and never darken this website with your moronic stupidity ever again, lest I reach into your PC Screen and strangle you.

Next...

"You better bewre (I'm assuming he meant "beware"), cause im gonna f**k your ass up".

...I'd probably be more impressed if your sole attempt at terrifying me with your terrifyingness didn't soley rely on me not knowing you lifted your lame threat from a Wu Tang Clan album lyric. It would also look a little better if you'd kept "yo" instead of tidying it up to "you".

Honestly, if you're going to dish out a threat, at least make it an original one. Now get out of here, loser boy.

Next...

"you CANT STOP THE BLACK ATTACK!!!!"

....um?

Next...

"i hope you feel like shit. im into the scene and dont need people like you stopping me from making some money and feeling like i got someone breathin down my neck all the time. youre denying me a right to feed my family you piece of crap and i hope you burn"

You know something.....you're right. To everyone I've ever hassled or chased down online, I'd like to take this moment to apologise. Something I forgot in my ruthless quest for justice and exposing suckers the world over was that YOU are people too. Thank you for sending me the above, because it's made me see that w - oh wait, IT'S YOUR MOTHER RAPPING.



....lol. Put the rest of your cry-baby-o-gram in a DeLorean and SENT IT TO LAST WEEK WHEN I MIGHT HAVE CARED.

Nice rap though. Seriously.

Paperghost Postbag!

HAHAHAHAHAHA.

And now that we've finished laughing at Chelsea, please feel free to leave your questions in the comments thing and I'll answer them at the weekend or whatever.

Paperghost Postbag - Random Answers for Random Questions

Postbag? Answers:

Derrill: What kind of monster are you that you can repeatedly pummel pretty girls?

The worst kind. However, I'm an equal opportunities beater-upper too. Look at the bald guy die! Woo-hoo!!

Dintz: Gimme a day in the life of pg please

Er, there's no real way to answer this without it turning into a boring list an nobody likes those, right? Suffice to say, there's a bunch of computers doing a bunch of stuff and then I wake up and start fiddling with them to an insane degree. In addition, there's machines that run online games day in and day out, so people can report nasty hacker people ingame. Finally, there's around 700 to 1000 emails every day that need sifting through. Out of those, only about 30 to 40 are things about inflating body parts or buying pills. If my email goes down for just one day, there's Hell to pay catching up. You don't want me to find your latest screwy install on that day, I can tell you.

Sure, it doesn't sound exciting but wait till it all starts kicking off. Then it's fists flying and guns blazing. Sort of.

Zec: Hey Paperghost, I have a question for your postbag: What is your favourite radio station, what do you listen to the most on the airwaves?

Awesome, we might get through this without a single security question! Um, I don't really listen to the radio - however, you CAN get a slice of PG Pie here. In addition to that, let's go all Web 3.6 or whatever and slot in a tasty Music Burger (based on my most-listened-to-albums) for your viewing pleasure:

Derrill: a) When are you going to make some musical/malware fusion performance piece? b) What's the best music for cleaning your mother's PC of donkey-related porn-based malware? If you're going to answer Mahler, you'll have to come up with a better reason than "because he's the best".

a) Who said I'm not, muahaha and all that. You never know what crazy piece of nonsense is going to appear here.... ;)

b) Well, if you happen to be Oasis, Stone Roses, RATM, Johnny Cash, Nelly Furtado or Public Enemy I'll probably buy you a pint. Well, apart from Johnny Cash cos' he's dead. And Nelly Furtado, because I can't really see her slamming down a can of Tennant's Super.

You never know, though. At any rate, I find they're the best things to listen to when doing Malware related stuff with PCs.

Darren J McCabe a.k.a. KiD: Why are ISP's not being forced to pay penalties for hosting bot software? Why are they not forced by an international law to kill off any sites that are identified as spreading this scourge on the t'internet?

The short answer is, no one really cares enough to go after the ISPs at this point because they're all excited over wonderful "legislation" regarding Spy/Adware that no-one outside the US will care about, much less be affected by. Let them have their Spyware fun, and they'll come back soon enough. As for the ISPs themselves, it only seems to be a problem for them when the bots are costing them money.

Got a customer spewing spam on unlimited bandwidth per month? Meh, who cares.

Did they dare go over their 5 Gig limit for the second month running? Quick, fix it! Wall them off! Now!

Shadowserver have a Hall of Fame, which is nice. But what we REALLY need is a Hall of Shame. A blast of bad publicity works wonders.

LoPhat: whats your favourite website to write on and why?

..wow, these questions are random! Originally, I'd have said this one. However, now I have the luxury of being able to write on a whole pile of different sites and it's all geared around which site can do the most damage to whatever particular scam I happen to be looking at. Lots of money involved? Revenews time. Crazy technical writeup? That'll be Spywareguide. Tons of angry ranting and stupid drawings of silly things? That'll be this one, then.

milligansghost: Right Apart from Matrix Online have you Used any of the Other 3D things out there like WOW ... i cant they give me a migraine :-(

....see! What did I say about random? Okay, here goes - I've never played World of Warcraft. In fact, I don't play many PC games at all apart from Matrix Online and Guild Wars. Mostly, it's console games all the way. Give me a big gun with a chainsaw strapped to it, point me in the direction of some seven foot mutants and then be amazed as I proceed to cut them all into pieces and dance upon their corpses.

Oh, random flashback. My Student Union sucked apart from the (at the time) genius idea of putting a Playstation 2 in a glass case and letting you play Tekken 3 all night (more fun than the watered down beer and ugly students, believe me).

One night? Man, I got on there and I totally BEAT ALL COMERS TO DEATH WITH FIFTY STRAIGHT WINS IN A ROW.

Sadly, this included one really hot chick who (I am reliably informed) I was supposed to let win.

Still, she didn't even get one hit in which is the main thing.

RichieB: Sharon Stone b'aint purdy. Kinda fit but not really what I'd call pretty. I mean, I would and all that, but then I've got no standards ;) I live in permanent "2:30am in the nightclub land" where, heck, even the female bouncers are fair game!

Is it just me, or is there a definite theme of videogames, student bars, bouncers and nightclubs this time round? Let's see what else we have in the Postbag this week....

Derrill: Everyone talks about how social engineering based attacks are on the rise ... what can be done about it, outside of educating blokes as don't want to be educated? One of my programmer buddies loves his poster: "Programming is a race between programmers to create more idiot-proof software and the universe to create bigger idiots." The topic of social engineering and saving them from that reminds me of this poster. Can anything be done?

Sort of. Ultimately you'll always have people who'll click whatever you put in front of them. To me, it's up to the Operating System Vendors out there to think of new and funky ways to combat social engineering and stick it in their OS. And I'm thinking of something a bit more advanced than a box that says "are you sure?" fifty times in a row before it lets you do anything.

Yeah, you can lock down the code. But what's the point if you're not also striving to lock down the people? Security tools can do their bit, as can education - but when your pleas are falling on deaf ears the only people who can provide that last line of defence are the people making the Operating Systems. So far, they've failed spectacularly. And yes, Microsoft, I'm looking at you.

...this concludes my random ramble of things and stuff! If I didn't nab your question this time, fear not because it will probably end up in the next batch. As a reward, do you like Batman? Yeah, sure you do. Enjoy.

Paperghost Postbag!

See, if you imagine the never ending war between hackers and people like me....then imagine myself as a dude in a black trenchcoat with funky red pants and white sneakers...and the hackers as a bunch of weird Sharon Stone clones that get the snot beaten out of them...then you'll probably end up with something like this:




You'll note that I did let them get one shot in. Just to be fair, like.

But enough about the cosmic ballet that is nerdy nonsense in front of a PC, for it is time, once again, to.....ask me nerdy nonsense about PCs. Come one, come all and fire away with your questions about things and stuff. Answers will be forthcoming sometime next week! Oh, the suspense!

Paperghost Postbag: Your Questions Answered

Let's get this train wreck moving!

"Is it worth buying Vista now or wait a while for things to settle?" Alex, UK

Wait. Wait, wait, wait. Predictably, all I'm seeing are a whole bunch of people on forums complaining because settings haven't backed up correctly, files have gone missing, this is broke, that's stuffed and the thing in the corner is on fire. If you buy it anyway and it works then great, but I personally probably won't even bother buying it...I'll likely keep a spare XP machine knocking around, but finish migrating the other machines over to Linux. Ultimately, I can't be bothered having to deal with yet more Windows problems on a day to day basis. Sure, I'll have a copy for infection testing or whatever, but all bets are off as to whether I'll upgrade myself.

"With Vista launching in 2007, do you think the security risks will get bigger on the new OS, or do you think they'll actually shrink?" Mike1901

...oh God, more Vista. Okay - the pure code exploits may well go down a bit, but a hardened Kernel is NOT the be all and end all of better security. Social Engineering is still the best and easiest way to nail someone, and they need to do a LOT more to tackle this than a slightly screwy anti-phish toolbar and a zillion popups that keep asking you if you REALLY want to install something. All I know is, I had a brief play with some of the new security features with regards this aspect, and my eyes rolled around in my head for a few hours afterwards.

They were rolling with pain, not pleasure.

"Were you nervous facing such a big crowd at rsa? I'd have wet my pants." Stevo

I've previously done a crowd (ooer) of about five thousand or so, but then that was on a stage with my back to them so it's not quite the same thing. It was pretty exciting actually, because we finished with quite a bit of time to spare and so were able to have a really good Q&A sessio at the end. I'd prefer it if things like this did away with powerpoints altogether and just did a big load of questions instead. There was also some unintentional humour - like when you look up and there's a guy at the back holding up a big sign with 20 MINUTES LEFT on it, which made me lol. Also, the chair that they put on the stage. Why? Because when you're walking around, they stick that on there so if you get too near the edge, the chair falls off and you don't. Supposedly. I can imagine a fair few people got tangled up in it and went along for the ride too.

"Who is your favourite musician?" LlamaLam

...er, probably Gustav Mahler. The guy was a God, and if I could work out how to dig up his corpse, put it in a sack, smuggle it back into the UK and prop him up on a chair in the corner with a nice cup of tea in his bony old hand I'd do it, baby.

My finest moment doing anything musical was when I had to go around all these inner city school things and (while trying not to get shot or stabbed or whatever) take a bunch of kids between 6 and 9 years of age, teach them some music basics and get them on stage to play in the Liverpool Philharmonic Hall.

They wanted us to do incy wincy spider and baa baa black sheep.

I taught them an extract from MAHLERS THIRD SYMPHONY.

That's a big old heap of Johnny Kickass, right there.

As far as Mahler himself goes, he was a gigantic force of influence on everyone around him and not just limited to the field of music. He was a major influence on Walter Gropius and the eventual founding of the Bauhaus, The Secessionists (Gustav Klimt, anyone?), novelists such as Thomas Mann (Death in Venice), some major theatre designers from the time (though I can't remember their names, doh) - Hell, his musical influence alone revolutionised the way conductors would work, orchestras would play, the numerous musical movements that followed (Webern going small, because Mahler had already gone too far in the other direction)....the list is huge and surprisingly diverse.

You've probably heard whole chunks of music - er - "inspired" by Mahler without even realising it. You'll never view John Williams' Star Wars scores in the same light after hearing Mahler's Second, and as for the famous opening theme of the original Star Trek TV show? Try replacing that with the opening bars of Mahler's First.

In summary, Gustav Mahler rox my sox. You should consider letting him rock yours, too.

"Are you thinking of getting into podcasting? That would be cool. If not, I'd be glad to do your podcast for you :)" ouch/sam

I've done a couple of Podcasts - it's not something I'd probably be able to run and maintain myself, but I'm always open to turning up on someone's show and rambling till they throw me off ;)

"Who were those dolly birds each side of you in the pictures?" Dad

Er, no idea. Plus, they forced me to get in those photos. It was terrible. Oh God, there were nightmares, cold sweats, the whole package.

Never again.

"Do you believe that we will see a Raise in independant Internet Zones like Sealand and will they be considered a threat by the Governments of Western Countries" Milligansghost

I think Sealand is a bit of a one off, to be honest - plus, governments of western countries see everyone as a threat ;)

Paperghost Postbag!

...I hear the train a coming!

Anyway, fire away with your questions and I'll make up a bunch of answers. It's been a while since we did one of these, hasn't it?

Oh, and I'll be answering the questions asked from last time, too. Sorry about that...

Paperghost Postbag: Festive Edition

I'm MIA a little bit this week, due to the fact I need to crack on with my RSA Show Presentation, along with a few other things. With that in mind, it's time to unleash the one, the only, the craptacularly amazingly awesomely superb......Paperghost Postbag!

Leave your questions here, and I'll do my best to evade your question and jibber randomly about Batman or whatever in a few days time. If you're really hardcore, you'll check the Postbag Category to see what questions have already been asked, thus increasingly your chances of being published by a fractional amount. Hooray!

Paperghost Postbag: Your questions answered

You've got questions? Well, I've got answers, though none of them might actually make any sense. I think I got everything this time round, apart from a question from Random / Random regarding process filtering which I'll be looking at in-depth in the near future. For now, let's get this trainwreck moving...

What's the deal with YapBrowser? I read your last articles in the Archives? Has YapBrowser stopped?

Greg

Ah, Yapbrowser. As far as I'm aware, it's as dead as a dodo. Unless there's a mad crazy rush for child pr0n web-browsers sometime soon I can't see it making a comeback.

Should we all switch to the Opera browser with recent rumors/news of a zero-day exploit in Firefox and cross-domain hijacking in IE6&7? Or am I just being paranoid?

Kimson

To be honest, I'd just keep using whatever you're using on the basis that if someone suddenly finds a hot new exploit in Opera, are you gonna' jump back to Firefox? All you can do is use common sense and keep yourself patched - if someone still nails you after that, chalk it up to bad luck. Then hunt the perpetrator down and nail his face to his feet.

Do you think that the Adware Situation will get worse or better in the next 5 years will Adware win and run Rampant all over the Web or do you think that people like you can win ...

milligansghost

It's already getting better - relatively speaking. Adware vendors are increasingly resorting to spinning their way out of tough situations, or at least hoping they'll go away if people say nothing. The downside is that you'll never see them hold their hands up and say, hey, you know what, we really suck sometimes. Sorry about that. The upside, is that for all the claims of legitimacy you will see over the coming 12 months (as bodies like the FTC and the CDT lay the smackdown), it'll all just go completely tits up for them as researchers continue to find evidence of their web-based stupidity. In five years time, I will have uploaded my brain into a hard drive and placed it into a gigantic Mecha-Droid battle suit and will simply resort to trampling the offices of non-legit Adware vendors. Sure, it's a little more messy than the current procedure but it'll look awesome on your 32 inch HDTV.

Do all adware companies suck?

sayitaintso,moe!

....nice follow up. I'd say 99% of Adware companies do indeed "suck". I like to think of my site as a nice, crude barometer of the current trends. If you're continually showing up here, then you're obviously doing something wrong. If I never mention you, then you've nothing to worry about, right? If you keep showing up here four or five times a day then I'll likely dedicate an entire Subdomain to your idiocy and make your life a living Hell. I'm nice like that.

Have you seen Borat yet?

Sister of Paperghost

No.

Do you have any sort of Social Life do you go out to clubs or pubs and meet people ? Im not talking about the types at Antimalware conferences they dont count as people :-P

kaleidoscope eyes

But *I* go to conferences! At any rate, I do plenty of things besides making life a misery for Spy/Ad/Malware guys, but then it depends on your definition of "social life". Do martial arts, movies, painting pictures and writing orchestral scores count as a social life? No? Whaddya' MEAN, no?!? Kicking people in the ribs in Kung Fu is entirely sociable!

Oh well. I have been known to hit the town and paint it red or whatever. Sometimes I like to tap people on the shoulder and look the other way, too. Oh, what jolly japes we have! But only when they let me out of this accursed cage. Curse it! Curse the damn cage.

Which is better, cheetahs or leopards? Discuss. Also, what is the best flavor of ice cream.

mechBgon

Whatever the chick from Thundercats was, is what I'm picking. Also, my ice cream has got to be as sickly, and as packed with chocolate stuff, with crunchy bits, and maybe a dollop of caramel, as possible. If it isn't going to make you cry like a big sissy girl after one mouthful then it's not worth bothering with. I'm a man's man dammit, and I demand mountain climbing with no wires, skiing with no skis and action films with lines like "Let off some steam, Bennett". If my ice cream doesn't match up to that criteria, then it's INTO THE DITCH YOU GO, LITTLE BOY.

....yep, I feel so strongly about my ice cream that I visualise it as a little boy before I throw it into a ditch. It's just more fun that way. Try it.

Shipping with an activated two-way firewall, Windows Defender, a sandboxed browser, and Automagic Updates enabled (including the Malicious Software Pwnage Tool), will Vista be the bad guys' worst nightmare come to life? If so, will the bad guys try harder somehow (social engineering or whatnot), or will they just keep trying to milk the existing base of previous Windows systems for all they're worth?

mechBgon

Vista will help, but (and I say this as someone who hasn't explored Vista in depth yet, so I reserve the right to be horrendously incorrect) from what I've seen, they've tightened up the code but left the biggest door wide open - the one with "Social Engineers Welcome, bring a bottle" on it. Is my operating system "more secure" if it protects me from some obscure code exploit, but happily lets me click some stupid link and get nailed, or has absolutely no capabilities against a crude phising attack? I say no.

They're maybe saving 10% of people that would have been whacked with a code exploit that did little to no harm, but leaving a sizeable portion of the remaining 90% open to all the attacks that would have sliced them up on XP in the first place. I have to ask, this helps how? Users like yourself don't need protecting from the cheap parlour tricks out there - it's that sizeable lump of people that we all know will happily click something, or accept this, or follow an Email link to that. With that in mind, I say the operating system should treat me like an idiot right out of the box. I demand it smack me round and call me it's bitch. Label everything with baby steps, lock it all down, talk to me like I'm a complete neanderthal and punch me in the face if I happen to disagree with something. If my skill level is even slightly beyond that, no sweat, I can bump things up a few notches. It'll take me what, ten seconds? But the rest can stay with their built in antiphish tools (I'm guessing Vista doesn't actually come with one of those - oh well), their sixteen way firewalls and their red spinny thing that goes boing (I'm guessing it does come with one of these. Hooray).

I've never understood why Windows comes wide open by default, and then it's up to some idiot boy end-user to try and lock the mess down, then fail miserably and wonder why he's offering his friends cut-price rates on C14LI$. Surely common sense says it should go the other way, but oh well. I'm sure Vista will help some, but it won't....oh God, I can feel a cliche coming on.....that is to say, I can't see it.........oh no, I can't stop it........how about we just say that....

....oh to Hell with it, look what you made me do now:

THERE IS NO PATCH FOR HUMAN IGNORANCE.

...................blaaaaaaaaaaargh. Okay, now I feel all dirty. That'll require a shower, so I hope you're happy.

I've often wondered this. What can the average joe who can't program his way out of a paper bag do to help? (Aside from switich all his friends relatives, cats, dogs etc. over to FireFox.)

Drunken Sailor

I'd just set up a blog and start moaning about stuff. Hey, it worked for me and I can't program my way out of a paper bag, either. Sure, I know my technical stuff but I keep all that behind the scenes - you very rarely see in depth technical information here because that's not what the site is about. It's about kicking ass and taking names, baby. And it's my humble opinion that we need more asskicking and more nametaking. You'd be surprised just how far down the line some of these random blog posts go, and you don't need to spend any money on getting the word out either. Just start posting things about stuff, and eventually people will start linking to you and spreading your info still further. Short of telling all and sundry to switch to Firefox, security info blogs are the hot new sex of 2006. Now if I could just transfer that into myself and make ME the hot new sex of 2006, we'd be set.

Do you foresee ISPs taking a more active role in getting infected botnet clients off the Internet, or thwarting them somehow?

mechBgon

They absolutely have to. On the basis that everything begins and ends with your ISP in some way, shape or form, we need to start putting pressure on them to start enforcing their Quality of Service, "walling off" continually infected users and shutting suspect traffic down. Yeah, we can perform takedowns (God, I hate that word), chase these idiots round and round, send blind emails to abuse contacts and all the rest of it. But really, get an ISP to kill their Bot traffic and the problem just dies a miserable death. After all, how can the Botherders herd their bots with no bots to herd? The issue is trying to get these companies to take some responsibility for the lunatics making (bad) use of their bandwidth. While we're on that train of thought, here's the Shadowserver Hall of Fame. A good start, but what we really need, is a Hall of SHAME. I'll likely be addressing this to some degree at the upcoming RSA show next year.

How can the bad guys be shut down more quickly and effectively? Like these fake security-alert sites that just keep getting away with it, month after month.

mechBgon

To be honest, I don't think you can ever really "shut them down". If they're so inclined, they'll just keep coming back again and again until someone beats them up or throws them in the slammer. I think the grassroots efforts mentioned in this post are filling a crucial gap that (currently) the law-type guys can't plug on their own. Having said that, many grassroots groups feed in directly to the boys in blue, so i