Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

From Ben Edelman: Who To Trust

 
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Jan 2014
Posts: 4953
Location: Phx. AZ.

Posted: Sun Dec 18, 2005 11:19 pm    Post subject: From Ben Edelman: Who To Trust

Ben wrote:
Much of the spyware problem results from users visiting sites that turn out to be untrustworthy or simply malevolent. I'm certainly not inclined to blame the victimized users -- it's hardly their fault that sites run security exploits, offer undisclosed advertising software, or show tricky EULAs that are dozens of pages long. But the resulting software ultimately ends up on users' computers because users browsed to sites that didn't pan out.

How to fix this problem? In theory, it seems easy enough. First, someone needs to examine popular web sites, to figure out which are untrustworthy. Then users' computers need to automatically notify them -- warn them! -- before users reach untrustworthy sites. These aren't new ideas. Indeed, half a dozen vendors have tried such strategies in the past. But for various reasons, their efforts never solved the problem. (Details below).

This month, a new company is announcing a system to protect users from untrustworthy web sites: SiteAdvisor. They've designed a set of robots -- automated web crawlers, virtual machines, and databases -- that have browsed hundreds of thousands of web sites. They've tracked which sites install spyware -- what files installed, what registry changes, what network traffic. And they've built a browser plug-in that provides automated notification of worrisome sites -- handy red balloons when users stray into risky areas, along with annotations on search result pages at leading search engines.

Full Read @ Ben Edelman
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Jan 2014
Posts: 4953
Location: Phx. AZ.

Posted: Sun Dec 18, 2005 11:19 pm

Check out the screenshots:





suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 16 Apr 2014
Posts: 10310
Location: sunny California

Posted: Mon Dec 19, 2005 5:51 pm

Thanks for posting this. Great screenshots, too.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
Recon Man
Warrior


Joined: 21 Mar 2005
Last Visit: 02 Dec 2008
Posts: 95
Location: Miami

Posted: Tue Dec 20, 2005 5:44 am

Hello Suzi and TeMerc Very Happy ,

Indeed, SiteAdvisor does seem to be a quantum leap in internet security and a sign of great things to come with regards to preventing users from hurting themselves by accessing dubious sites. A most exciting and promising innovation to say the least. I look forward to its release in the future.

In the meantime, however, it is a matter of carrying the right amount of security hardware/software onboard and avoiding going to those shady websites so prevalent on the internet these days.


Best Regards,

Recon Man Wink
_________________
Helping make Cyberspace a safer place.
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 29 Jan 2014
Posts: 1071
Location: CenTex

Posted: Tue Dec 20, 2005 6:13 am

I'm about as skeptical as anyone when it comes to sites that collect user profiles as this one does. (They claim to aggregate & discard.) However, I find this outfit and concept very intriguing. The data transferred is NOT personally identifiable as demo'ed here with the capture of a normal transfer made with every request to any site visited (noted no GUIDs or identifying cookies);

Code:
GET /DSS/Query?Type=Domain&Name=www.spywarewarrior.com/index.php&IPAddr=204.14.90.22&version=2&language=en HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: dss1.siteadvisor.com

HTTP/1.1 200 OK
Date: Tue, 20 Dec 2005 13:18:24 GMT
Server: Apache/1.3.34 (Unix) mod_jk/1.2.15
Cache-Control: no-cache
Content-Length: 1528
Content-Type: text/xml;charset=ISO-8859-1

<DomainQueryResponse><DomainInfo name="spywarewarrior.com" expires="1136589457">
<DomainMetaData baseDomain="spywarewarrior.com" dateCreated="1077771600"
isDynamicIP="false" isUserContent="false"
domainSpecRegExs="^{[^/\\]*\.}?(spywarewarrior.com){[:/\\?].*}$">
<Location country="us" state="" city=""/>
</DomainMetaData>
<Classification code="OK" color="green">
<description>We tested this site and didn't find any significant problems to report.</description>
</Classification><FacetInfos>
<CommerceInfo code="UNKNOWN">
<description></description><short_desc>
</short_desc></CommerceInfo><DownloadsInfo code="UNKNOWN">
<description>We found 2 downloads here, which we are still testing.</description>
<short_desc>Testing 2 downloads</short_desc>
</DownloadsInfo><PersonalInformationInfo code="UNKNOWN">
<description>We have not found any e-mail sign-up forms on this site.</description>
<short_desc>0 sign-up forms found</short_desc>
</PersonalInformationInfo>
<AnnoyanceInfo code="OK">
<description>When we browsed to this site we didn't receive any pop-ups.</description>
<short_desc>0 popups</short_desc>
</AnnoyanceInfo><LinksInfo code="OK">
<description>This site links mostly to sites which our tests show to be safe.</description>
<short_desc>Links to green sites</short_desc>
</LinksInfo><RogueInfo code="UNKNOWN">
<description>
</description>
<short_desc>
</short_desc>
</RogueInfo>
</FacetInfos>
</DomainInfo>
<IPAddrInfo>
<ipAddress>204.14.90.22</ipAddress>
<country>-</country>
<blacklists>unknown</blacklists>
</IPAddrInfo>
</DomainQueryResponse>


I am tho a little bugged by the fact that the connections don't close until the session with the page requested ends...constant pings...makes a mess of netstat. Smile

I'm also wondering if this won't be abused like the spam filter sites have been...bogus reports made by ignorant or malicious individuals designed to taint the reputation of sites and/or cause chaos. The user feedback forms appear to suggest such a possibility. The feedback forms can be seen on pages such as this one; http://www.siteadvisor.com/sites/carmainc.org

BTW I have the install & event snapshots too in case anyone is interested but there isn't anything notable enough to cause me to publish them.

I have concerns about this concept but will continue to use/look at it for some time because it does seem to solve many of the probs found by its predecessors...some of which have just been plain corrupt.

All in all, it looks very interesting and could be very useful to an average user. I'll reserve my opinion until they have made it fully available and I've had a more extensive look at it. Smile
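
The check described in the post above (looking for GUIDs or identifying cookies in the lookup request) can be scripted. This is an added example, not part of the original thread and not SiteAdvisor code; the `uid` parameter and `sid` cookie in the counter-example are constructed, and the function and pattern names are illustrative. It also lists the browsing data the request does carry.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request as captured in the post above (request line rejoined).
CAPTURED = (
    "GET /DSS/Query?Type=Domain&Name=www.spywarewarrior.com/index.php"
    "&IPAddr=204.14.90.22&version=2&language=en HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
    ".NET CLR 1.1.4322)\r\n"
    "Host: dss1.siteadvisor.com\r\n\r\n"
)
# Constructed counter-example: same lookup plus a made-up install ID and cookie.
TRACKED = CAPTURED.replace(
    "&language=en", "&language=en&uid=3F2504E0-4F89-11D3-9A0C-0305E82C3301"
).replace("Host:", "Cookie: sid=9f86d081884c7d65\r\nHost:")

GUID = re.compile(r"\b[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I)
LONG_TOKEN = re.compile(r"\b[0-9a-f]{16,}\b", re.I)  # opaque hex identifiers
ID_HEADERS = {"cookie", "authorization", "x-forwarded-for"}

def audit_request(raw):
    """Return (findings, disclosed) for one raw HTTP request.

    findings:  headers or parameters that could tie requests to one client.
    disclosed: browsing data the lookup sends even with no identifier present.
    """
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, target, _version = head[0].split(" ", 2)
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    headers = dict(line.split(": ", 1) for line in head[1:])
    findings = []
    for name in headers:
        if name.lower() in ID_HEADERS:
            findings.append(f"header {name} carries client state")
    for name, value in params.items():
        if GUID.search(value) or LONG_TOKEN.search(value):
            findings.append(f"param {name} looks like a stable identifier")
    # Name/IPAddr are the fields in the capture that describe the visited page.
    disclosed = {k: v for k, v in params.items() if k in ("Name", "IPAddr")}
    return findings, disclosed

if __name__ == "__main__":
    for label, req in (("captured", CAPTURED), ("constructed", TRACKED)):
        print(label, audit_request(req))
```
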
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Jan 2014
Posts: 4953
Location: Phx. AZ.

Posted: Tue Dec 20, 2005 7:28 am

No, this is certainly not a cure all by any stretch, but I think in a general sense, users will be immediately re-directed when they see the red flag. And while it will take a rather long time to get a really useful amount of sites covered, they are just beginning.

Yes, there is bound to be some abuse but for this type of app, or for any app for that matter there is potential for that. The proof of the pudding will see how they deal with the abuse to fix it.

There is good commentary going on over at this DSLR thread. The guy from SiteAdvisor even dropped in as did Ben.
jlowell
Warrior


Joined: 06 Nov 2004
Last Visit: 13 Feb 2006
Posts: 128

Posted: Tue Dec 20, 2005 7:49 am

All of these new approaches are interesting, but I still think that our Repentance Forum represents the best defense against malware. To see the turnaround in a person like fcukdat is truly spellbinding Very Happy :

http://www.spywarewarrior.com/viewtopic.php?t=16370

Just joshin.

jlowell
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 29 Jan 2014
Posts: 1071
Location: CenTex

Posted: Tue Dec 20, 2005 8:07 am

I would also note that their server/s have been very slow to respond this morning. This makes using this tool incompatible with fast surfing. For this to work, their responses must be fast. Users won't tolerate slow responses in their browsers that are caused by a browser add on tool timing out.
Nick
Site Admin


Joined: 27 Feb 2004
Last Visit: 28 Mar 2014
Posts: 3913
Location: California

Posted: Tue Dec 20, 2005 8:58 am

This could be good, but as mikey already said, regular folks aren't going to use it and be inconvenienced. If that one screenshot above is what a page looks like, then that's too much information for most people to deal with. Maybe it is a composite picture.

Also, what are these people getting for doing this? Who's paying for all of the bandwidth the bots are using? Do these bots follow a robots.txt? If they do then what if the bad people just block it with it? If it ignores the robots.txt, then isn't that a no no? What happens if the bots are blocked by .htaccess? Does the site automatically get a red flag? How much bandwidth does the bot use when looking around the site? If it uses a lot and visits frequently, then webmasters are likely to block it.
_________________
Nick's Security Ticker



Last edited by Nick on Mon Feb 13, 2006 5:54 am; edited 1 time in total
Oldfrog
Site Admin


Joined: 08 Aug 2004
Last Visit: 09 Feb 2013
Posts: 1161
Location: Hewitt, TX

Posted: Tue Dec 20, 2005 9:14 am

Excellent points, Nick. This site, for example, does some very aggressive robot control as do most of the ones that I am familiar with on the backside.
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 29 Jan 2014
Posts: 1071
Location: CenTex

Posted: Tue Dec 20, 2005 10:07 am

Yes Nick, very good points.

TeMerc wrote:
And while it will take a rather long time to get a really useful amount of sites covered, they are just beginning.


Considering all the timeouts I'm seeing, this brings to mind another concern;
We all know how slow things get when large dbs are parsed. I wonder how they intend to handle that prob. None of the other search engines have really solved the prob incl Google and while some do have browser add ons, they don't depend on that parsing for each and every new request.
Kinda reminds me of the probs experienced with the poor 'you know what kind of' toolbars that are prevalent today.
chris_dixon
Newbie


Joined: 20 Dec 2005
Last Visit: 30 Jan 2006
Posts: 1
Location: Boston

Posted: Tue Dec 20, 2005 12:54 pm    Post subject: Some responses to issues raised

Hi everyone

This is Chris Dixon from SiteAdvisor.

I thought I'd take a moment to answer some of the issues raised here.

1. Our hosting facility actually appeared to get DOS'd this morning, severely limiting upstream traffic. They seem to have tracked down the source of the attack and stopped it. In the near future, we will have a full back up web cluster set up at another data center in case this happens again. We are really sorry about this inconvenience.

Our systems right now (while they aren't getting DOS'd!) should be able to handle a very large number of simultaneous users. We actually wrote our own data serving system that prepackages the analyzed data and serves it directly from a memory resident database. Of course we are in early Beta so problems could very well arise. If you experience any performance problems, please feel free to submit feedback directly to us via http://www.siteadvisor.com/feedback.html and we'll try our best to diagnose the issue (we have been personally responding to almost all feedback so far and have already started working on a number of issues people have raised).

2. As to the issue of people potentially using the user feedback mechanism to corrupt the site ratings, we are thinking hard about introducing a full blown "reputation system" for users in the near future, similar to how it is done on sites like eBay. In the short term, we are very likely going to start a "moderator program" where interested users who sign up will have more impact on the site ratings and get greater access to the detailed data. We will also be releasing an API so users can use the data in their own (non-commercial) applications.

Thanks for all your comments and please keep them coming!

-Chris
_________________
SiteAdvisor
www.siteadvisor.com
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 29 Jan 2014
Posts: 1071
Location: CenTex

Posted: Tue Dec 20, 2005 3:37 pm

Hey Chris, very nice to see ya. I've been in contact with one of your mates...Paul. Seems like a nice sort. I'll quote myself here from my email to him; "I appreciate folks (devs) taking the time to solve user probs and address concerns. It speaks volumes about their character."

Well, it seems you are suffering some growing pains. Many of us in this pri/sec community have had the uncomfortable experience of dealing with severe DDoS attacks. Let's hope your experience is a mild one.

Anyway, again I thank you for taking the time to address our concerns. I would also say that I look fwd to continued exchanging of ideas and concerns. As well, I look fwd to hearing back from Paul(edited). Thx much.

Mike

============
EDIT: BTW While I have your attention; Do you think it could be a good idea to add an on/off toggle(bypass) to the context menu? I was thinking it might be of some use to some users especially when they are first trying out the concept.
Ref; {089FD14D-132B-48FC-8861-0048AE113215} ()
BHO name:
CLSID name:
Path: D:\Program Files\SiteAdvisor\
Long name: saIE.dll__BHODemonDisabled