[unisog] antivirus that works despite ssl
eckman at umn.edu
Tue Jul 10 22:24:46 GMT 2007

power less wrote:
> BTW in my exhausting coverage of the storm worm :-) I should mention
> this article:
> This explains a few things, I guess. I'm not well-versed in DNS I'm afraid.
> I take it they are not talking about the urls in the storm messages
> Because those are IP numbers not domain names in most of the ones I
> got. I

Storm a/k/a Peacomm switched from using fast flux DNS to IP addresses a
while back. That would explain the difference in what you read and what

> Two I just got:
> Address: 24.93. 201.2
> Name: cpe-24-93-201-2.neo.res.rr.com
> Address: 65.190. 29.151
> Name: cpe-065-190-029-151.triad.res.rr.com
> I'd love to hear more about this dnsflux business. A comment to that
> "Why don't ISPs just block the inbound DNS traffic to home machines on
> dynamic addresses? Do that and the distributed DNS part evaporates."
> Is that true?

ISPs will probably tell you that this isn't their job. Regardless,
hardly anyone has the capability to determine what is a "home machine on
dynamic addresses" 95% of the time, let alone 100% of the time. Also, I
bet you there are no less than 1,000 legitimate Internet domain names
(and likely lots more than that) that have their authoritative DNS
servers running on "home machines on dynamic addresses", or what would
appear to most people to be "home machines on dynamic addresses".

ISPs don't like blocking legitimate traffic. It makes their customers,
help desk, and shareholders quite unhappy. The solution proposed above
would certainly do this.

Put bluntly, there is no patch for stupidity nor ignorance. If you
approach the entire world's population, hand them a loaded gun, and tell
them you'll give them dinner if they point it at their head and pull the
trigger, I guarantee you'd find people that would do it. Not just the
suicidal folks, but there are surely millions of people in the world
that have no idea what a gun looks or acts like.

The same principle applies to computer users. Some percentage of them
just have no clue that clicking the link in the email, then "clicking
here" to get their greeting card because the site is "testing new
functionality", then clicking "Open" or "Run" when prompted what to do
with ecard.exe is risky behavior. They just want to see their stupid

Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
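
Added example, not part of the original message: a Python sketch of the reverse-DNS heuristic an operator might use to guess which addresses are "home machines on dynamic addresses", run over the two names quoted in the thread plus constructed samples, to show where such a guess goes wrong. The token list, the extra samples and all truth labels are assumptions made for illustration.

```python
import ipaddress
import re
from typing import Optional

# Tokens often seen in consumer-access PTR names. Assumed list, not exhaustive.
ACCESS_HINTS = re.compile(r"(^|[.-])(cpe|res|dyn|dhcp|pool|dsl|cable|ppp)([.\d-]|$)")


def embeds_address(ip: str, ptr: str) -> bool:
    """True if the PTR name contains the four octets of ip, forward or
    reversed, with or without zero padding (065-190-029-151)."""
    octets = [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    numbers = [int(n) for n in re.findall(r"\d+", ptr)]
    windows = [numbers[i:i + 4] for i in range(len(numbers) - 3)]
    return octets in windows or octets[::-1] in windows


def looks_residential_dynamic(ip: str, ptr: Optional[str]) -> bool:
    """Heuristic guess only: the address is embedded in the name and the
    name carries an access-network token."""
    if not ptr:
        return False
    name = ptr.lower().rstrip(".")
    return embeds_address(ip, name) and bool(ACCESS_HINTS.search(name))


# (ip, PTR, really a home machine on a dynamic address?)
# The first two pairs are from the message; the rest, and every truth
# label, are constructed for this example.
SAMPLES = [
    ("24.93.201.2", "cpe-24-93-201-2.neo.res.rr.com", True),
    ("65.190.29.151", "cpe-065-190-029-151.triad.res.rr.com", True),
    ("203.0.113.25", "cpe-203-0-113-25.biz.example.net", False),  # static business line
    ("198.51.100.7", None, True),                                  # ISP publishes no PTR
    ("192.0.2.10", "ns1.example.org", False),                      # hosted name server
]


def misclassified(samples):
    """Return the (ip, ptr) pairs where the heuristic disagrees with truth."""
    return [(ip, ptr) for ip, ptr, truth in samples
            if looks_residential_dynamic(ip, ptr) != truth]


if __name__ == "__main__":
    for ip, ptr, truth in SAMPLES:
        print(ip, ptr, "guess:", looks_residential_dynamic(ip, ptr), "truth:", truth)
    print("wrong:", misclassified(SAMPLES))
```

The two misclassified entries are the business line that shares the consumer naming scheme and the home machine with no PTR record at all.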