<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article10_03_15_1540234</id>
	<title>How To Guarantee Malware Detection</title>
	<author>CmdrTaco</author>
	<datestamp>1268669940000</datestamp>
	<htmltext>itwbennett writes <i>"Dr. Markus Jakobsson, Principal Scientist at PARC, explains how it is possible to <a href="http://www.itworld.com/security/100679/looking-malware-all-wrong-places">guarantee the detection of malware</a>, including zero-day attacks and rootkits and even malware that infected a device before the detection program was installed. The solution comes down to this, says Jakobsson: 'Any program &mdash; good or bad &mdash; that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte.'"</i></htmltext>
<tokentext>itwbennett writes " Dr. Markus Jakobsson , Principal Scientist at PARC , explains how it is possible to guarantee the detection of malware , including zero-day attacks and rootkits and even malware that infected a device before the detection program was installed .
The solution comes down to this , says Jakobsson : 'Any program    good or bad    that wants to be active in RAM has no choice but to take up some space in RAM .
At least one byte .
' "</tokentext>
<sentencetext>itwbennett writes "Dr. Markus Jakobsson, Principal Scientist at PARC, explains how it is possible to guarantee the detection of malware, including zero-day attacks and rootkits and even malware that infected a device before the detection program was installed.
The solution comes down to this, says Jakobsson: 'Any program — good or bad — that wants to be active in RAM has no choice but to take up some space in RAM.
At least one byte.
'"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483960</id>
	<title>Two word response</title>
	<author>idontgno</author>
	<datestamp>1268676840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p> <a href="http://en.wikipedia.org/wiki/Spherical_cow" title="wikipedia.org">Spherical Cow</a> [wikipedia.org] </p><p>As far as I can tell, the technique requires that you postulate the existence of some element of the system which operates completely outside of system memory and OS image space, with complete incorruptibility and inviolability, and with complete authority to examine the entire contents of the system at any time necessary.</p><p>Terrific. The closest we have ever come to that is native-processor hypervisors, and they can be escaped using current malware techniques; or <a href="http://en.wikipedia.org/wiki/Trusted_Platform_Module" title="wikipedia.org">external security chips</a> [wikipedia.org].</p><p>The former is already busted. And the latter? If industry trends can be trusted, such technology will not be primarily used to protect users against malware, but to protect content providers from users.</p></htmltext>
<tokentext>Spherical Cow [ wikipedia.org ] As far as I can tell , the technique requires that you postulate the existence of some element of the system which operates completely outside of system memory and OS image space , with complete incorruptibility and inviolability , and with complete authority to examine the entire contents of the system at any time necessary.Terrific .
The closest we have ever come to that is native-processor hypervisors , and they can be escaped using current malware techniques ; or external security chips [ wikipedia.org ] .The former is already busted .
And the latter ?
If industry trends can be trusted , such technology will not be primarily used to protect users against malware , but to protect content providers from users .</tokentext>
<sentencetext> Spherical Cow [wikipedia.org] As far as I can tell, the technique requires that you postulate the existence of some element of the system which operates completely outside of system memory and OS image space, with complete incorruptibility and inviolability, and with complete authority to examine the entire contents of the system at any time necessary.Terrific.
The closest we have ever come to that is native-processor hypervisors, and they can be escaped using current malware techniques; or external security chips [wikipedia.org].The former is already busted.
And the latter?
If industry trends can be trusted, such technology will not be primarily used to protect users against malware, but to protect content providers from users.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483290</id>
	<title>Re:So it has to be in RAM</title>
	<author>dissy</author>
	<datestamp>1268674080000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><div class="quote"><p>The hard part is actually finding it.</p></div><p>That reminds me of a signature I've seen around here (Sorry, I don't remember who was using it)</p><p>cat /dev/ram | strings | grep llama<br>OMG, my RAM is full of llamas!</p></htmltext>
<tokentext>The hard part is actually finding it.That reminds me of a signature I 've seen around here ( Sorry , I do n't remember who was using it ) cat /dev/ram | strings | grep llama OMG , my RAM is full of llamas !</tokentext>
<sentencetext>The hard part is actually finding it.That reminds me of a signature I've seen around here  (Sorry, I don't remember who was using it)cat /dev/ram | strings | grep llama OMG, my RAM is full of llamas!
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483174</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31488702</id>
	<title>Not feasible</title>
	<author>emmenjay</author>
	<datestamp>1268651700000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I don't think it is feasible to swap out everything from memory.  If an interrupt occurs and the handler is not in memory, Windows will blue-screen.  The scanner would need certain O/S functions to perform the scan, not to mention to write/read the swapped RAM to/from disk.</htmltext>
<tokentext>I do n't think it is feasible to swap out everything from memory .
If an interrupt occurs and the handler is not in memory , Windows will blue-screen .
The scanner would need certain O/S functions to perform the scan , not to mention to write/read the swapped RAM to/from disk .</tokentext>
<sentencetext>I don't think it is feasible to swap out everything from memory.
If an interrupt occurs and the handler is not in memory, Windows will blue-screen.
The scanner would need certain O/S functions to perform the scan, not to mention to write/read the swapped RAM to/from disk.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485562</id>
	<title>This idea...</title>
	<author>FirstTimeCaller</author>
	<datestamp>1268682780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>This idea has already been invented... by Shampoo</htmltext>
<tokentext>This idea has already been invented... by Shampoo</tokentext>
<sentencetext>This idea has already been invented... by Shampoo</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484432</id>
	<title>Re:One big mistake - stegonography</title>
	<author>clone53421</author>
	<datestamp>1268678640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Yes, but there has to be some active, unhidden code to eventually re-claim the hidden encrypted data from the pictures it was stored in.</p></htmltext>
<tokentext>Yes , but there has to be some active , unhidden code to eventually re-claim the hidden encrypted data from the pictures it was stored in .</tokentext>
<sentencetext>Yes, but there has to be some active, unhidden code to eventually re-claim the hidden encrypted data from the pictures it was stored in.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483916</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31494286</id>
	<title>Windows patching _is_ malware</title>
	<author>minstrelmike</author>
	<datestamp>1268749200000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>The way Windows can patch itself is malware in action. As soon as I have some 'legal' way to change the baseline, I also have a way of installing illegal software surreptitiously. It would only work on something that never needs updating.</htmltext>
<tokentext>The way Windows can patch itself is malware in action .
As soon as I have some 'legal ' way to change the baseline , I also have a way of installing illegal software surreptitiously .
It would only work on something that never needs updating .</tokentext>
<sentencetext>The way Windows can patch itself is malware in action.
As soon as I have some 'legal' way to change the baseline, I also have a way of installing illegal software surreptitiously.
It would only work on something that never needs updating.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31489746</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268657640000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I'm not even sure how much ActiveX Microsoft relies on for its own website anymore - I use Firefox to view their site all the time, haven't had a problem in at least a few years.</p><p>On the other hand, there are a few gazillion consultingware apps using lots of ActiveX. These apps generally live inside single companies, but I assure you they'd describe ActiveX as a necessity.</p></htmltext>
<tokentext>I 'm not even sure how much ActiveX Microsoft relies on for its own website anymore - I use Firefox to view their site all the time , have n't had a problem in at least a few years.On the other hand , there are a few gazillion consultingware apps using lots of ActiveX .
These apps generally live inside single companies , but I assure you they 'd describe ActiveX as a necessity .</tokentext>
<sentencetext>I'm not even sure how much ActiveX Microsoft relies on for its own website anymore - I use Firefox to view their site all the time, haven't had a problem in at least a few years.On the other hand, there are a few gazillion consultingware apps using lots of ActiveX.
These apps generally live inside single companies, but I assure you they'd describe ActiveX as a necessity.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486084</id>
	<title>Poorly thought-out article</title>
	<author>Gaygirlie</author>
	<datestamp>1268684640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>"Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself. Well, malware may interfere, of course, as it often does, and remain in RAM. But if we know how big RAM is, we know how much space should be free."</p><p>The author seems to assume malware only lives in areas which are not reserved. But there are different kinds of malware: some which actually run rather like normal applications, reserve memory just like any other application, and then there's the malware that lives inside memory reserved by other applications. In both cases the memory is actually allocated and will not be considered "free" by the OS. Thus, the malware would just get swapped out, ignored by the detection routine, and swapped back in.</p><p>No, this method was dead already before its arrival.</p></htmltext>
<tokentext>" Assume now that we have a detection algorithm that runs in kernel mode , and that swaps out everything in RAM .
Everything except itself .
Well , malware may interfere , of course , as it often does , and remain in RAM .
But if we know how big RAM is , we know how much space should be free .
" The author seems to assume malware only lives in areas which are not reserved .
But there 's different kinds of malware : some which actually run rather like normal applications , reserve memory just like any other application , and then there 's the malware that lives inside memory reserved by other applications .
In both cases the memory is actually allocated and will not be considered " free " by the OS .
Thus , the malware would just get swapped out , ignored by the detection routine , and swapped back in.No , this method was dead already before its arrival .</tokentext>
<sentencetext>"Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM.
Everything except itself.
Well, malware may interfere, of course, as it often does, and remain in RAM.
But if we know how big RAM is, we know how much space should be free.
"The author seems to assume malware only lives in areas which are not reserved.
But there's different kinds of malware: some which actually run rather like normal applications, reserve memory just like any other application, and then there's the malware that lives inside memory reserved by other applications.
In both cases the memory is actually allocated and will not be considered "free" by the OS.
Thus, the malware would just get swapped out, ignored by the detection routine, and swapped back in.No, this method was dead already before its arrival.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484372</id>
	<title>If the malware is in RAM</title>
	<author>Anonymous</author>
	<datestamp>1268678460000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>You have already lost.  Maybe you'll be able to detect it, assuming the malware chooses to allow you to look for things <em>before</em> it does bad stuff.  Maybe.  But the point of the malware is to do bad stuff when it runs. Detecting running malware is like Missile Command telling you "Game Over" <strong>after</strong> your cities are destroyed by nukes. Writing programs to detect that you have lost is a solution to the wrong problem.  The only problem that really matters is "how do you prevent malware from being run?"  How do you <em>not lose</em>?</p></htmltext>
<tokentext>You have already lost .
Maybe you 'll be able to detect it , assuming the malware chooses to allow you to look for things before it does bad stuff .
Maybe. But the point of the malware is to do bad stuff when it runs .
Detecting running malware is like Missile Command telling you " Game Over " after your cities are destroyed by nukes .
Writing programs to detect that you have lost , is a solution to the wrong problem .
The only problem that really matters , is " how do you prevent malware from being run ?
" How do you not lose ?</tokentext>
<sentencetext>You have already lost.
Maybe you'll be able to detect it, assuming the malware chooses to allow you to look for things before it does bad stuff.
Maybe.  But the point of the malware is to do bad stuff when it runs.
Detecting running malware is like Missile Command telling you "Game Over" after your cities are destroyed by nukes.
Writing programs to detect that you have lost, is a solution to the wrong problem.
The only problem that really matters, is "how do you prevent malware from being run?
"  How do you not lose?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486162</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268684820000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>"4. If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE. MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION."</p><p>Yea cause the average user really wants to do this. The fact that you suggest this makes me think you are a Linux-on-the-desktop type, aka don't get it.</p></htmltext>
<tokentext>" 4 .
If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE .
MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION .
" Yea cause the average user really wants to do this .
The fact that you suggest this makes me think you are a Linux-on-the-desktop type , aka do n't get it .</tokentext>
<sentencetext>"4.
If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE.
MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.
"Yea cause the average user really wants to do this.
The fact that you suggest this makes me think you are a Linux-on-the-desktop type, aka don't get it.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485124</id>
	<title>I am dumb and need ad revenue</title>
	<author>Anonymous</author>
	<datestamp>1268681100000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>This writer is yet another brilliant idiot who has found a great way of generating ad revenue.  Spewing crap out of his head and putting it on the internet claiming he has the knowledge to solve problems he clearly knows nothing about.  These people make me sick.  We need a web site about morons like these guys.  He must have worked at Best Buy before becoming a journalist.</p></htmltext>
<tokentext>This writer is yet another brilliant idiot who has found a great way of generating ad revenue .
Spewing crap out of his head and putting it on the internet claiming he has the knowledge to solve problems he clearly knows nothing about .
These people make me sick .
We need a web site about morons like these guys .
He must have worked at best buy before becoming a journalist .</tokentext>
<sentencetext>This writer is yet another brilliant idiot who has found a great way of generating ad revenue.
Spewing crap out of his head and putting it on the internet claiming he has the knowledge to solve problems he clearly knows nothing about.
These people make me sick.
We need a web site about morons like these guys.
He must have worked at best buy before becoming a journalist.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483828</id>
	<title>Impossible By Definition</title>
	<author>davidshewitt</author>
	<datestamp>1268676240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>It is impossible to <i>guarantee the detection of malware</i> by definition.  New techniques for malware to hide itself will be developed when new detection techniques are created.  This is the way of security.</htmltext>
<tokentext>It is impossible to guarantee the detection of malware by definition .
New techniques for malware to hide itself will be developed when new detection techniques are created .
This is the way of security .</tokentext>
<sentencetext>It is impossible to guarantee the detection of malware by definition.
New techniques for malware to hide itself will be developed when new detection techniques are created.
This is the way of security.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483136</id>
	<title>At least one byte</title>
	<author>BadAnalogyGuy</author>
	<datestamp>1268673660000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>While it might be true that any application will take up at least a byte of memory, there is no reason malware couldn't masquerade as another binary down to the exact number of bytes.</p><p>Hell, Windows is a whole slew of malware that masquerades as the whole OS.</p></htmltext>
<tokentext>While it might be true that any application will take up at least a byte of memory , there is no reason malware could n't masquerade as another binary down to the exact number of bytes.Hell , Windows is a whole slew of malware that masquerades as the whole OS .</tokentext>
<sentencetext>While it might be true that any application will take up at least a byte of memory, there is no reason malware couldn't masquerade as another binary down to the exact number of bytes.Hell, Windows is a whole slew of malware that masquerades as the whole OS.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483280</id>
	<title>Underestimating your enemy</title>
	<author>Anonymous</author>
	<datestamp>1268674080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Even if this did work in theory, someone would think of a way around it. We'll never be completely safe from malware, no matter what security mechanisms are in place. It's like in physical security, security system companies come up with new locks, and thieves come up with new lock breakers. Unless we brainwash the entire population of the world to be nice and not try to break systems, there will never be a conclusive way to detect malware.

Oh, and wouldn't his method for detecting malware be horribly intrusive?</htmltext>
<tokentext>Even if this did work in theory , someone would think of a way around it .
We 'll never be completely safe from malware , no matter what security mechanisms are in place .
It 's like in physical security , security system companies come up with new locks , and thieves come up with new lock breakers .
Unless we brainwash the entire population of the world to be nice and not try to break systems , there will never be a conclusive way to detect malware .
Oh , and would n't his method for detecting malware be horribly intrusive ?</tokentext>
<sentencetext>Even if this did work in theory, someone would think of a way around it.
We'll never be completely safe from malware, no matter what security mechanisms are in place.
It's like in physical security, security system companies come up with new locks, and thieves come up with new lock breakers.
Unless we brainwash the entire population of the world to be nice and not try to break systems, there will never be a conclusive way to detect malware.
Oh, and wouldn't his method for detecting malware be horribly intrusive?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483416</id>
	<title>Re:Theory and hand-waving</title>
	<author>ircmaxell</author>
	<datestamp>1268674500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Well, wouldn't this require ALL other processes to "sleep" while the check is performed?  Sure, RAM is fast, but writing to 4 GB of DDR3 would take around 1/3 of a second (excluding the time it took to generate that data and store the hash) considering the peak transfer rate of DDR3 is around 12800 MB/s (using the best case)...   So in reality, you're looking at well over 1/3 of a second (potentially into the seconds).  And that's just for writing.  You need to swap everything out first.  So the whole process could take several seconds to complete.  Now, if the computer is doing ANYTHING (GUI is active, servers are active), they'll either cause the memory to be paged back in (and hence be detected as malware), or (if this software blocks the paging attempt) stall waiting for it to page.  So the computer would have a several-second "pause" where it wouldn't react to anything (and possibly lose the inputs in that timespan, since memory can't be written to)...  So that means this is useless on any kind of an active computer (server, computer being used, computer with any kind of process that runs long term, etc)?</htmltext>
<tokentext>Well , would n't this require ALL other processes to " sleep " while the check is performed ?
Sure , RAM is fast , but writing to 4 GB of DDR3 would take around 1/3 of a second ( excluding the time it took to generate that data and store the hash ) considering the peak transfer rate of DDR3 is around 12800 MB/s ( using the best case ) ... So in reality , you 're looking at well over 1/3 of a second ( potentially into the seconds ) .
And that 's just for writing .
You need to swap everything out first .
So the whole process could take several seconds to complete .
Now , if the computer is doing ANYTHING ( GUI is active , servers are active ) , they 'll either cause the memory to be paged back in ( And hence be detected as malware ) , or ( if this software blocks the paging attempt ) stall waiting for it to page .
So the computer would have a several second " pause " where it would n't react to anything ( and possibly lose the inputs in that timespan , since memory ca n't be written to ) ... So that means this is useless on any kind of an active computer ( Server , computer being used , computer with any kind of process that runs long term , etc ) ?</tokentext>
<sentencetext>Well, wouldn't this require ALL other processes to "sleep" while the check is performed?
Sure, RAM is fast, but writing to 4 GB of DDR3 would take around 1/3 of a second (excluding the time it took to generate that data and store the hash) considering the peak transfer rate of DDR3 is around 12800 MB/s (using the best case)...   So in reality, you're looking at well over 1/3 of a second (potentially into the seconds).
And that's just for writing.
You need to swap everything out first.
So the whole process could take several seconds to complete.
Now, if the computer is doing ANYTHING (GUI is active, servers are active), they'll either cause the memory to be paged back in (And hence be detected as malware), or (if this software blocks the paging attempt) stall waiting for it to page.
So the computer would have a several second "pause" where it wouldn't react to anything (and possibly lose the inputs in that timespan, since memory can't be written to)...  So that means this is useless on any kind of an active computer (Server, computer being used, computer with any kind of process that runs long term, etc)?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31492802</id>
	<title>Re:In case anybody was wondering...</title>
	<author>Anonymous</author>
	<datestamp>1268732340000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><a href="http://www.fatskunk.com/solutions/our-solutions" title="fatskunk.com" rel="nofollow">Something</a> [fatskunk.com]</p><div class="quote"><p>We introduce a new and provably secure approach to software-based attestation, suitable for smartphones, smartbooks and netbooks. Our new approach is based on two basic principles:</p><p>1. Malware must either be active in RAM or passively reside in secondary storage &ndash; but only active malware can attempt to avoid detection by attacking the scanning software. Therefore, if one can first make sure that there is no active process in RAM &ndash; except for the scanning software itself &ndash; then one can proceed to perform the function that needs security, safe in the knowledge that malware cannot corrupt the process. This can be done whether this process is to log in, cast a vote, or scan secondary storage for infections.</p><p>2. Accessing flash or external resources takes considerably more time than to access RAM &ndash; especially if memory is not accessed linearly. That means that if we fill the portion of RAM that should be empty with a pseudo-random string and then compute a special kind of checksum on all of RAM, then active malware will be detected. Namely, it has to be in RAM, and therefore has to displace some part of the pseudo-random string. As any displaced portion is requested by the checksum function, it has to be obtained from somewhere &ndash; computed, loaded from flash, or obtained from some external source. This takes longer than simply accessing RAM. By having an external verifier both ask the scanned device for the result of the checksum computation, and time how long it took to compute the checksum, malware will be detected. Note that it does not matter what kind of malware it is, or what it does.</p></div></htmltext>
<tokentext>Something [ fatskunk.com ] We introduce a new and provably secure approach to software-based attestation , suitable for smartphones , smartbooks and netbooks .
Our new approach is based on two basic principles :       1 .
Malware must either be active in RAM or passively reside in secondary storage    but only active malware can attempt to avoid detection by attacking the scanning software .
Therefore , if one can first make sure that there is no active process in RAM    except for the scanning software itself    then one can proceed to perform the function that needs security , safe in the knowledge that malware can not corrupt the process .
This can be done whether this process is to log in , cast a vote , or scan secondary storage for infections .
      2 .
Accessing flash or external resources takes considerably more time than to access RAM    especially if memory is not accessed linearly .
That means that if we fill the portion of RAM that should be empty with a pseudo-random string and then compute a special kind of checksum on all of RAM , then active malware will be detected .
Namely , it has to be in RAM , and therefore has to displace some part of the pseudo-random string .
As any displaced portion is requested by the checksum function , it has to be obtained from somewhere    computed , loaded from flash , or obtained from some external source .
This takes longer than simply accessing RAM .
By having an external verifier both ask the scanned device for the result of the checksum computation , and time how long it took to compute the checksum , malware will be detected .
Note that it does not matter what kind of malware it is , or what it does .</tokentext>
<sentencetext>Something [fatskunk.com] We introduce a new and provably secure approach to software-based attestation, suitable for smartphones, smartbooks and netbooks.
Our new approach is based on two basic principles:
      1.
Malware must either be active in RAM or passively reside in secondary storage – but only active malware can attempt to avoid detection by attacking the scanning software.
Therefore, if one can first make sure that there is no active process in RAM – except for the scanning software itself – then one can proceed to perform the function that needs security, safe in the knowledge that malware cannot corrupt the process.
This can be done whether this process is to log in, cast a vote, or scan secondary storage for infections.
      2.
Accessing flash or external resources takes considerably more time than to access RAM – especially if memory is not accessed linearly.
That means that if we fill the portion of RAM that should be empty with a pseudo-random string and then compute a special kind of checksum on all of RAM, then active malware will be detected.
Namely, it has to be in RAM, and therefore has to displace some part of the pseudo-random string.
As any displaced portion is requested by the checksum function, it has to be obtained from somewhere – computed, loaded from flash, or obtained from some external source.
This takes longer than simply accessing RAM.
By having an external verifier both ask the scanned device for the result of the checksum computation, and time how long it took to compute the checksum, malware will be detected.
Note that it does not matter what kind of malware it is, or what it does.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483188</parent>
</comment>
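The scheme the quoted text describes, as an added simulation that is not FatSkunk's or PARC's code and is not taken from this thread: the verifier challenges the device with a fresh seed, the device fills every byte of RAM that is not the scanner itself with a pseudo-random string derived from that seed, computes a chained checksum over RAM in a pseudo-random order, and reports the result together with how long it took. The RAM size, the scanner image, the per-access costs and the checksum construction are assumptions made for the simulation, and time is modelled as a deterministic cost counter rather than measured with a clock. Four devices are modelled: a clean one, one whose malware sits only in secondary storage, one whose resident malware does nothing to hide, and one whose resident malware regenerates the filler bytes it overwrote whenever the checksum asks for them.

```python
"""Toy, deterministic model of timed software-based attestation.

Added example, not FatSkunk's or PARC's code. RAM size, scanner image, access
costs and the checksum construction are assumptions chosen so the effect is
visible in a simulation; a real deployment tunes them to the target CPU."""
import hashlib
import hmac
import os

RAM_SIZE = 4096                                 # assumed toy RAM size in bytes
SCANNER_IMAGE = (b"SCANNER-CODE-" * 20)[:256]   # assumed scanner image at address 0
FILLER_START = len(SCANNER_IMAGE)               # every byte above it should be filler
RAM_READ_COST = 1                               # assumed cost of one plain RAM read
REGEN_COST = 32                                 # assumed cost of regenerating one displaced byte

def filler_block(seed: bytes, idx: int) -> bytes:
    """32-byte block idx of the pseudo-random string that should fill free RAM."""
    return hmac.new(seed, idx.to_bytes(4, "big"), hashlib.sha256).digest()

def filler_byte(seed: bytes, addr: int) -> int:
    """Byte the verifier expects at free-RAM address addr (addr >= FILLER_START)."""
    off = addr - FILLER_START
    return filler_block(seed, off // 32)[off % 32]

def expected_ram(seed: bytes) -> bytes:
    """The verifier's model of a clean device: scanner image, then filler."""
    n_blocks = -(-(RAM_SIZE - FILLER_START) // 32)
    filler = b"".join(filler_block(seed, i) for i in range(n_blocks))
    return SCANNER_IMAGE + filler[:RAM_SIZE - FILLER_START]

class Device:
    """Honest device: RAM holds scanner + filler, every read is a plain RAM read."""
    def __init__(self, seed: bytes):
        self.ram = bytearray(expected_ram(seed))
        self.cost = 0

    def read(self, addr: int) -> int:
        self.cost += RAM_READ_COST
        return self.ram[addr]

class DormantInfectedDevice(Device):
    """Malware only in secondary storage: RAM is clean, so the RAM check passes."""
    def __init__(self, seed: bytes):
        super().__init__(seed)
        self.flash = b"\xcc" * 512                 # constructed malware body, not in RAM

class NaiveInfectedDevice(Device):
    """Resident malware that does nothing to hide: the checksum comes out wrong."""
    def __init__(self, seed: bytes, mal_start: int = 2048, mal_len: int = 512):
        super().__init__(seed)
        self.mal = range(mal_start, mal_start + mal_len)
        self.ram[mal_start:mal_start + mal_len] = b"\xcc" * mal_len   # constructed body

class StealthyInfectedDevice(NaiveInfectedDevice):
    """Resident malware that hooks reads and regenerates the filler it displaced:
    the checksum is right, but every displaced read costs extra time."""
    def __init__(self, seed: bytes, mal_start: int = 2048, mal_len: int = 512):
        super().__init__(seed, mal_start, mal_len)
        self.seed = seed

    def read(self, addr: int) -> int:
        if addr in self.mal:
            self.cost += REGEN_COST
            return filler_byte(self.seed, addr)
        return super().read(addr)

def checksum(read, seed: bytes, n_reads: int) -> bytes:
    """Chained checksum over pseudo-random addresses: each address depends on the
    running state, so access is non-linear and the sequence cannot be precomputed."""
    state = hashlib.sha256(b"attest" + seed).digest()
    for _ in range(n_reads):
        addr = int.from_bytes(state[:4], "big") % RAM_SIZE
        state = hashlib.sha256(state + bytes([read(addr)])).digest()
    return state

def attest(device: Device, seed: bytes, n_reads: int):
    """Prover side: returns (checksum, simulated time taken)."""
    device.cost = 0
    return checksum(device.read, seed, n_reads), device.cost

def verify(seed: bytes, n_reads: int, result: bytes, elapsed: int, slack: float = 0.25):
    """Verifier side: recompute from the clean model; returns (checksum_ok, in_time)."""
    clean = expected_ram(seed)
    expected = checksum(lambda a: clean[a], seed, n_reads)
    budget = n_reads * RAM_READ_COST * (1 + slack)
    return hmac.compare_digest(result, expected), elapsed <= budget

def run_scan(device_cls, seed: bytes, n_reads: int = 4000):
    """One challenge/response round: returns (accepted, checksum_ok, in_time, elapsed)."""
    result, elapsed = attest(device_cls(seed), seed, n_reads)
    checksum_ok, in_time = verify(seed, n_reads, result, elapsed)
    return checksum_ok and in_time, checksum_ok, in_time, elapsed

if __name__ == "__main__":
    seed = os.urandom(32)                           # fresh challenge for every scan
    for cls in (Device, DormantInfectedDevice, NaiveInfectedDevice, StealthyInfectedDevice):
        print(f"{cls.__name__:24s} accepted/checksum_ok/in_time/elapsed = {run_scan(cls, seed)}")
```

Run directly to see one round per device class. The honest device's checksum matches and its time is one RAM read per access; the dormant case passes too, which is the reason the quoted text makes the RAM check a first step and only then scans secondary storage; the naive resident malware fails on the checksum; the stealthy one returns the right checksum but blows the time budget. In a real deployment the timing has to come from the external verifier's own clock, since a device clock is under the control of whatever is running on the device, and the slack has to cover genuine variation in memory latency without leaving room for the regeneration cost.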
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483202</id>
	<title>Which one is the detector?</title>
	<author>mangu</author>
	<datestamp>1268673840000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>How about a malware that masquerades as this detector and reports the RAM checksum is OK?</p></htmltext>
<tokenext>How about a malware that masquerades as this detector and reports the RAM checksum is OK ?</tokentext>
<sentencetext>How about a malware that masquerades as this detector and reports the RAM checksum is OK?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483188</id>
	<title>In case anybody was wondering...</title>
	<author>fuzzyfuzzyfungus</author>
	<datestamp>1268673840000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>5</modscore>
	<htmltext>He is indeed <a href="http://www.fatskunk.com/" title="fatskunk.com">selling something</a> [fatskunk.com]...</htmltext>
<tokenext>He is indeed selling something [ fatskunk.com ] .. .</tokentext>
<sentencetext>He is indeed selling something [fatskunk.com]...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483776</id>
	<title>Re:Theory and hand-waving</title>
	<author>Lord Grey</author>
	<datestamp>1268676060000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>
Detecting the malware depends on the malware trying to stay in memory.  My point was that "properly written" malware wouldn't necessarily care if it was swapped.  Allow the swap, get a clean bill of health from the "external verifier," then get reloaded and continue Bad Activities.  Downtime for the malware is negligible.
</p></htmltext>
<tokenext>Detecting the malware depends on the malware trying to stay in memory .
My point was that " properly written " malware would n't necessarily care if it was swapped .
Allow the swap , get a clean bill of health from the " external verifier , " then get reloaded and continue Bad Activities .
Downtime for the malware is negligible .</tokentext>
<sentencetext>
Detecting the malware depends on the malware trying to stay in memory.
My point was that "properly written" malware wouldn't necessarily care if it was swapped.
Allow the swap, get a clean bill of health from the "external verifier," then get reloaded and continue Bad Activities.
Downtime for the malware is negligible.
</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483368</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483552</id>
	<title>Wow</title>
	<author>Dunbal</author>
	<datestamp>1268675160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Someone has discovered the white-list.</p><p>Please take a number and stand behind the perpetual motion people. When I'm done with them, I will explain the few finite set of cases where this method DOES work, and you can assume that in the infinite number of OTHER cases, this method does NOT work.</p></htmltext>
<tokenext>Someone has discovered the white-list.Please take a number and stand behind the perpetual motion people .
When I 'm done with them , I will explain the few finite set of cases where this method DOES work , and you can assume that in the infinite number of OTHER cases , this method does NOT work .</tokentext>
<sentencetext>Someone has discovered the white-list.Please take a number and stand behind the perpetual motion people.
When I'm done with them, I will explain the few finite set of cases where this method DOES work, and you can assume that in the infinite number of OTHER cases, this method does NOT work.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483364</id>
	<title>Re:Theory and Reality</title>
	<author>Anonymous</author>
	<datestamp>1268674320000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
<htmltext><p>You hit the nail on the head. Everything goes through the kernel and a rootkit would thus be invisible. Now if you had a hardened ROM that the kernel lived in, this detection method could work. However, how practical is it to have a system that has a hardened ROM tied to a hardened BIOS so it would only ever read the kernel into RAM from the ROM, then read in applications from FLASH?</p></htmltext>
<tokenext>You hit the nail on the head .
Everything goes through the kernel and a rootkit would thus be invisible .
Now if you had a hardened ROM that the kernel lived in , this detection method could work .
However , how practical is it to have a system that has a hardened ROM tied to a hardened BIOS so it would only ever read the kernel into RAM from the ROM , then read in applications from FLASH ?</tokentext>
<sentencetext>You hit the nail on the head.
Everything goes through the kernel and a rootkit would thus be invisible.
Now if you had a hardened ROM that the kernel lived in, this detection method could work.
However, how practical is it to have a system that has a hardened ROM tied to a hardened BIOS so it would only ever read the kernel into RAM from the ROM, then read in applications from FLASH?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491724</id>
	<title>Re:Theory and Reality</title>
	<author>BillX</author>
	<datestamp>1268671980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
<htmltext><p>Very true!</p><p>But why bother trying to figure out where its keys are stored, just NOP over the scanner's entire memory space :-) It seems to me that if this all-powerful scanner has the power to arbitrarily swap out ALL other processes (including, presumably, the OS it runs in), shouldn't it have the power to pre-empt their threads during this process? And if not--that is, if it's letting these baddies dance all over RAM even as it scans, how does it guarantee that its own address space can't be danced on?</p></htmltext>
<tokenext>Very true ! But why bother trying to figure out where its keys are stored , just NOP over the scanner 's entire memory space : - ) It seems to me that if this all-powerful scanner has the power to arbitrarily swap out ALL other processes ( including , presumably , the OS it runs in ) , should n't it have the power to pre-empt their threads during this process ?
And if not--that is , if it 's letting these baddies dance all over RAM even as it scans , how does it guarantee that its own address space ca n't be danced on ?</tokentext>
<sentencetext>Very true! But why bother trying to figure out where its keys are stored, just NOP over the scanner's entire memory space :-) It seems to me that if this all-powerful scanner has the power to arbitrarily swap out ALL other processes (including, presumably, the OS it runs in), shouldn't it have the power to pre-empt their threads during this process?
And if not--that is, if it's letting these baddies dance all over RAM even as it scans, how does it guarantee that its own address space can't be danced on?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483656</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484124</id>
	<title>Re:Since I actually read the article</title>
	<author>phoenix321</author>
	<datestamp>1268677500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
<htmltext><p>If it is really possible to fill all physically available memory cells with the detection hash and not have the rootkit just short-change to kernel and hide in the unreported installed memory, you will surely get one of two results:<br>- a clear proof that some contents of RAM are pointered in and out, not read and computed directly. ("there is something, don't trust the machine at all")<br>- a clear proof that no contents of RAM are pointered anywhere, meaning nothing can prohibit scanning the entire RAM image on file and the secondary storage ("nothing active, the machine can be trusted to compute correct results, traditional virus definition scans could produce evidence of a dormant infection")</p><p>Of course, the method of choice for 0-day malware will then be<br>- hooking onto a legitimate program<br>- allow to be swapped out nicely and play dead when the RAM scanner comes,<br>- hope to be missed by signature scanner, heuristic scanner and comparison against known-good md5's<br>- be swapped back in with the legitimate program and carry on its evil deeds.</p><p>Programs that prohibit being swapped out are malware by definition. Or a Sony DRM component, but that's also malware. Programs that allow that swapping out can also be malware, but they're giving control back to the kernel and could theoretically be detected during the scan.</p><p>Even the most clever malware now has to relinquish absolute control to the scanner, lower the shields and play dead for a while - be vulnerable for a moment. This could be a nice addition to intrusion detection systems.</p></htmltext>
<tokenext>If it is really possible to fill all physically available memory cells with the detection hash and not have the rootkit just short-change to kernel and hide in the unreported installed memory , you will surely get one of two results : - a clear proof that some contents of RAM are pointered in and out , not read and computed directly .
( " there is something , do n't trust the machine at all " ) - a clear proof that no contents of RAM are pointered anywhere , meaning nothing can prohibit scanning the entire RAM image on file and the secondary storage ( " nothing active , the machine can be trusted to compute correct results , traditional virus definition scans could produce evidence of a dormant infection " ) Of course , the method of choice for 0-day malware will then be - hooking onto a legitimate program - allow to be swapped out nicely and play dead when the RAM scanner comes , - hope to be missed by signature scanner , heuristic scanner and comparison against known-good md5 's - be swapped back in with the legitimate program and carry on its evil deeds . Programs that prohibit being swapped out are malware by definition .
Or a Sony DRM component , but that 's also malware .
Programs that allow that swapping out can also be malware , but they 're giving control back to the kernel and could theoretically be detected during the scan . Even the most clever malware now has to relinquish absolute control to the scanner , lower the shields and play dead for a while - be vulnerable for a moment .
This could be a nice addition to intrusion detection systems .</tokentext>
<sentencetext>If it is really possible to fill all physically available memory cells with the detection hash and not have the rootkit just short-change to kernel and hide in the unreported installed memory, you will surely get one of two results:- a clear proof that some contents of RAM are pointered in and out, not read and computed directly.
("there is something, don't trust the machine at all")- a clear proof that no contents or RAM are pointered anywhere, meaning nothing can prohibit scanning the entire RAM image on file and the secondary storage ("nothing active, the machine can be trusted to compute correct results, traditional virus definition scans could produce evidence of a dormant infection")Of course, the method of choice for 0-day malware will then be- hooking onto a legitimate program- allow to be swapped out nicely and play dead when the RAM scanner comes,- hope to be missed by signature scanner, heuristic scanner and comparison against known-good md5's- be swapped back in with the legitimate program and carry on its evil deeds.Programs that prohibt being swapped out are malware by definition.
Or a Sony DRM component, but that's also malware.
Programs that allow that swapping out can also be malware, but they're giving control back to the kernel and could theoretically be detected during the scan.Even the most clever malware now has to relinquish absolute control to the scanner, lower the shields and play dead for a while - be vulnerable for a moment.
This could be a nice addition to intrusion detection systems.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483302</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484820</id>
	<title>Ok, garantee this...</title>
	<author>hAckz0r</author>
	<datestamp>1268679900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
<htmltext>How do you guarantee there is no malware installed in your non-RAM-mapped hardware devices? Such as your standard GPUs, and the whole assortment of adaptor cards? <p>

How do you guarantee that the OS that you THINK you are running on is not just a virtual machine running in hardware-supported virtual space? Any attempt to scribble or read bits over/across either of these is only doomed to failure because you can never be absolutely sure what exactly you are writing to. Is it physical memory or is it actually being written to cache in a VM disk somewhere? Even using the on-board 'hardware' clock could be hacked/virtualized so your hope of using latency issues as mentioned doesn't work either. Go Google for 'blue pill rootkit' if you think it's that easy.  </p><p>

In short, there are some forms of malware that can control the very infrastructure that you depend on to judge whether you are infected, so they therefore by extension control your own perception of the results of those tests. Writing to 'all' the memory that you think you see doesn't accomplish much if you are not seeing all of it in the first place. </p></htmltext>
<tokenext>How do you guarantee there is no malware installed in your non-RAM-mapped hardware devices ?
Such as your standard GPUs , and the whole assortment of adaptor cards ?
How do you guarantee that the OS that you THINK you are running on is not just a virtual machine running in hardware-supported virtual space ?
Any attempt to scribble or read bits over/across either of these is only doomed to failure because you can never be absolutely sure what exactly you are writing to .
Is it physical memory or is it actually being written to cache in a VM disk somewhere ?
Even using the on-board 'hardware ' clock could be hacked/virtualized so your hope of using latency issues as mentioned does n't work either .
Go Google for 'blue pill rootkit ' if you think it 's that easy .
In short , there are some forms of malware that can control the very infrastructure that you depend on to judge whether you are infected , so they therefore by extension control your own perception of the results of those tests .
Writing to 'all ' the memory that you think you see does n't accomplish much if you are not seeing all of it in the first place .</tokentext>
<sentencetext>How do you guarantee there is no malware installed in your non-RAM-mapped hardware devices?
Such as your standard GPUs, and the whole assortment of adaptor cards?
How do you guarantee that the OS that you THINK you are running on is not just a virtual machine running in hardware-supported virtual space?
Any attempt to scribble or read bits over/across either of these is only doomed to failure because you can never be absolutely sure what exactly you are writing to.
Is it physical memory or is it actually being written to cache in a VM disk somewhere?
Even using the on-board 'hardware' clock could be hacked/virtualized so your hope of using latency issues as mentioned doesn't work either.
Go Google for 'blue pill rootkit' if you think it's that easy.
In short, there are some forms of malware that can control the very infrastructure that you depend on to judge whether you are infected, so they therefore by extension control your own perception of the results of those tests.
Writing to 'all' the memory that you think you see doesn't accomplish much if you are not seeing all of it in the first place. </sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484734</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268679600000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Thou hast just received the Amish Virus.</p><p>As we haveth no technology nor programming experience, this virus worketh on the honour system. Please delete all the files from thy hard drive and manually forward this virus to all on thy mailing list.</p><p>We thank thee for thy cooperation.</p></htmltext>
<tokenext>Thou hast just received the Amish Virus . As we haveth no technology nor programming experience , this virus worketh on the honour system .
Please delete all the files from thy hard drive and manually forward this virus to all on thy mailing list . We thank thee for thy cooperation .</tokentext>
<sentencetext>Thou hast just received the Amish Virus. As we haveth no technology nor programming experience, this virus worketh on the honour system.
Please delete all the files from thy hard drive and manually forward this virus to all on thy mailing list. We thank thee for thy cooperation.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485016</id>
	<title>Obligatory Post</title>
	<author>hduff</author>
	<datestamp>1268680680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>1. Install Windows.
2. Connect to the Internet.
3. Blink.
4. Malware detected!</htmltext>
<tokenext>1 .
Install Windows .
2. Connect to the Internet .
3. Blink .
4. Malware detected !</tokentext>
<sentencetext>1.
Install Windows.
2. Connect to the Internet.
3. Blink.
4. Malware detected!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484810</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268679840000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Modern windows does #4, to the extent that it can. It asks if you *really* want to run something from the internet.</p><p>And you know what? The answer is yes. Always. I downloaded it, so I want to run it.</p><p>Even Microsoft cannot prevent people from using gets, sprintf, sscanf, etc.<br>They could, but then they wouldn't be shipping a C compiler. Furthermore, you could just<br>use GCC and 'solve' the problem.</p></htmltext>
<tokenext>Modern windows does # 4 , to the extent that it can .
It asks if you * really * want to run something from the internet . And you know what ?
The answer is yes .
Always. I downloaded it , so I want to run it . Even Microsoft can not prevent people from using gets , sprintf , sscanf , etc. They could , but then they would n't be shipping a C compiler .
Furthermore , you could just use GCC and 'solve ' the problem .</tokentext>
<sentencetext>Modern windows does #4, to the extent that it can.
It asks if you *really* want to run something from the internet. And you know what?
The answer is yes.
Always. I downloaded it, so I want to run it. Even Microsoft cannot prevent people from using gets, sprintf, sscanf, etc. They could, but then they wouldn't be shipping a C compiler.
Furthermore, you could just use GCC and 'solve' the problem.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484692</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>m50d</author>
	<datestamp>1268679540000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>2. STOP DEPENDING ON 3 MAGIC LETTERS TO DETERMINE IF SOMETHING IS CODE OR DATA. COME ON, SERIOUSLY. THIS SHOULD HAVE DIED WITH CP/M.</i> </p><p>Doesn't make any difference. Bottom line, people need to be able to edit code as data, and switch which of the two it is; whichever way you do that it's usable.</p><p> <i>3. Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.</i> </p><p>Makes no difference given that people continue to want to let websites run code on their machines. Flash or firefox plugins or whatever are no more secure than ActiveX.</p><p> <i>4. If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE. MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.</i> </p><p>This would make no difference at all. So it takes one more click to execute something. That's not going to stop anyone. It's just going to piss me off more when I actually want to execute some code.</p></htmltext>
<tokenext>2 .
STOP DEPENDING ON 3 MAGIC LETTERS TO DETERMINE IF SOMETHING IS CODE OR DATA .
COME ON , SERIOUSLY .
THIS SHOULD HAVE DIED WITH CP/M .
Does n't make any difference .
Bottom line , people need to be able to edit code as data , and switch which of the two it is ; whichever way you do that it 's usable .
3. Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX .
Makes no difference given that people continue to want to let websites run code on their machines .
Flash or firefox plugins or whatever are no more secure than ActiveX .
4. If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE .
MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION .
This would make no difference at all .
So it takes one more click to execute something .
That 's not going to stop anyone .
It 's just going to piss me off more when I actually want to execute some code .</tokentext>
<sentencetext>2.
STOP DEPENDING ON 3 MAGIC LETTERS TO DETERMINE IF SOMETHING IS CODE OR DATA.
COME ON, SERIOUSLY.
THIS SHOULD HAVE DIED WITH CP/M.
Doesn't make any difference.
Bottom line, people need to be able to edit code as data, and switch which of the two it is; whichever way you do that it's usable.
3. Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.
Makes no difference given that people continue to want to let websites run code on their machines.
Flash or firefox plugins or whatever are no more secure than ActiveX.
4. If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE.
MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.
This would make no difference at all.
So it takes one more click to execute something.
That's not going to stop anyone.
It's just going to piss me off more when I actually want to execute some code.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485574</id>
	<title>Yes, it assures there's no malware in memory</title>
	<author>russotto</author>
	<datestamp>1268682840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>OK, so we have this verifier.  It swaps everything out but itself.  It verifies the system, and it all comes up good.</p><p>Now what?  It has to swap everything back IN.  Including potential malware which made no attempt to evade the verifier.  Sure, it prevented the malware from running for a time. But only at the cost of preventing anything else from running either.  That's less than useful.</p></htmltext>
<tokenext>OK , so we have this verifier .
It swaps everything out but itself .
It verifies the system , and it all comes up good . Now what ?
It has to swap everything back IN .
Including potential malware which made no attempt to evade the verifier .
Sure , it prevented the malware from running for a time .
But only at the cost of preventing anything else from running either .
That 's less than useful .</tokentext>
<sentencetext>OK, so we have this verifier.
It swaps everything out but itself.
It verifies the system, and it all comes up good. Now what?
It has to swap everything back IN.
Including potential malware which made no attempt to evade the verifier.
Sure, it prevented the malware from running for a time.
But only at the cost of preventing anything else from running either.
That's less than useful.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484918</id>
	<title>Snake oil</title>
	<author>dskoll</author>
	<datestamp>1268680260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>This looks like snake oil.  On desktop machines, it's quite impractical to swap everything out and then do a scan.  And how do you distinguish between malware and non-malware?  All programs take up space, whether they're malware or not.

</p><p>This may work for completely-constrained embedded devices that have rigid controls over what gets installed.  But then again, how likely are such devices to be malware vectors?</p></htmltext>
<tokenext>This looks like snake oil .
On desktop machines , it 's quite impractical to swap everything out and then do a scan .
And how do you distinguish between malware and non-malware ?
All programs take up space , whether they 're malware or not .
This may work for completely-constrained embedded devices that have rigid controls over what gets installed .
But then again , how likely are such devices to be malware vectors ?</tokentext>
<sentencetext>This looks like snake oil.
On desktop machines, it's quite impractical to swap everything out and then do a scan.
And how do you distinguish between malware and non-malware?
All programs take up space, whether they're malware or not.
This may work for completely-constrained embedded devices that have rigid controls over what gets installed.
But then again, how likely are such devices to be malware vectors?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483256</id>
	<title>"Guarantee"</title>
	<author>Anonymous</author>
	<datestamp>1268674020000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext>You can't guarantee anything in security. Especially when a human is involved.</htmltext>
<tokenext>You ca n't guarantee anything in security .
Especially when a human is involved .</tokentext>
<sentencetext>You can't guarantee anything in security.
Especially when a human is involved.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483584</id>
	<title>There is something that can answer your questions!</title>
	<author>spun</author>
	<datestamp>1268675220000</datestamp>
	<modclass>Troll</modclass>
	<modscore>0</modscore>
	<htmltext><p>How COULD this work? There is an answer. You can find this answer in a foreign place, known by the mysterious and terrifying name of The Article. Here's what you do: you read it. When you read it, your questions will be answered.</p><p>Basically, I can tell from the fact that you are asking irrelevant questions that you have not read the article. And you know what? I'm not going to explain it to you. To be clear, I am not saying, "This technique will work." I am saying "You are not criticizing this technique."</p></htmltext>
<tokenext>How COULD this work ?
There is an answer .
You can find this answer in a foreign place , known by the mysterious and terrifying name of The Article .
Here 's what you do : you read it .
When you read it , your questions will be answered . Basically , I can tell from the fact that you are asking irrelevant questions that you have not read the article .
And you know what ?
I 'm not going to explain it to you .
To be clear , I am not saying , " This technique will work .
" I am saying " You are not criticizing this technique .
"</tokentext>
<sentencetext>How COULD this work?
There is an answer.
You can find this answer in a foreign place, known by the mysterious and terrifying name of The Article.
Here's what you do: you read it.
When you read it, your questions will be answered. Basically, I can tell from the fact that you are asking irrelevant questions that you have not read the article.
And you know what?
I'm not going to explain it to you.
To be clear, I am not saying, "This technique will work.
" I am saying "You are not criticizing this technique.
"</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483414</id>
	<title>Some amazingly bad assumptions</title>
	<author>nahdude812</author>
	<datestamp>1268674440000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>Sure, malware has to occupy memory.  That doesn't mean it has to be its own memory.  Buffer overflows are all about corrupting another application's memory space.</p><p>His basic argument is that if you want to scan RAM, the kernel can halt all processing except its RAM scanner, and have a go at the RAM safely.  If it's particularly insidious malware, it'll try to hide itself in various ways, one of which would be to masquerade the portion of RAM it was using with something legitimate looking (maybe erase that portion of memory).  But you know it did this because you can see that memory which was supposed to be free is no longer free.  Except the hardware has no concept of free or occupied memory.  It just has memory, and the OS keeps track of what's free and not.  The OS - the same space where malware is running.</p><p>OR, the malware could simply <em>not</em> do this, then its behavior is no different from any legitimate program.  So how do you detect it now?  You still need definitions that say, "When running in memory, this virus looks like X," then look through memory for that pattern.</p><p>Besides, who's to say that the kernel space is guaranteed free of malware itself?  Even if you would have successfully identified the threat in RAM, you have no guarantee that the malware hasn't corrupted the identification routine.</p><p>It's like someone came along and said, "Hey, you guys are looking for malware wrong.  You have to <em>look</em> for it!  And I mean really <em>look</em> for it!"</p></htmltext>
<tokenext>Sure , malware has to occupy memory .
That does n't mean it has to be its own memory .
Buffer overflows are all about corrupting another application 's memory space . His basic argument is that if you want to scan RAM , the kernel can halt all processing except its RAM scanner , and have a go at the RAM safely .
If it 's particularly insidious malware , it 'll try to hide itself in various ways , one of which would be to masquerade the portion of RAM it was using with something legitimate looking ( maybe erase that portion of memory ) .
But you know it did this because you can see that memory which was supposed to be free is no longer free .
Except the hardware has no concept of free or occupied memory .
It just has memory , and the OS keeps track of what 's free and not .
The OS - the same space where malware is running . OR , the malware could simply not do this , then its behavior is no different from any legitimate program .
So how do you detect it now ?
You still need definitions that say , " When running in memory , this virus looks like X , " then look through memory for that pattern . Besides , who 's to say that the kernel space is guaranteed free of malware itself ?
Even if you would have successfully identified the threat in RAM , you have no guarantee that the malware has n't corrupted the identification routine . It 's like someone came along and said , " Hey , you guys are looking for malware wrong .
You have to look for it !
And I mean really look for it !
"</tokentext>
<sentencetext>Sure, malware has to occupy memory.
That doesn't mean it has to be its own memory.
Buffer overflows are all about corrupting another application's memory space.His basic argument is that if you want to scan RAM, the kernel can halt all processing except its RAM scanner, and have a go at the RAM safely.
If it's particularly insidious malware, it'll try to hide itself in various ways, one of which would be to masquerade the portion of RAM it was using with something legitimate looking (maybe erase that portion of memory).
But you know it did this because you can see that memory which was supposed to be free is no longer free.
Except the hardware has no concept of free or occupied memory.
It just has memory, and the OS keeps track of what's free and not.
The OS - the same space where malware is running.OR, the malware could simply not do this, then its behavior is no different from any legitimate program.
So how do you detect it now?
You still need definitions that say, "When running in memory, this virus looks like X," then look through memory for that pattern.Besides, who's to say that the kernel space is guaranteed free of malware itself?
Even if you would have successfully identified the threat in RAM, you have no guarantee that the malware hasn't corrupted the identification routine.It's like someone came along and said, "Hey, you guys are looking for malware wrong.
You have to look for it!
And I mean really look for it!
"</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483200</id>
	<title>Still a needle</title>
	<author>dmgxmichael</author>
	<datestamp>1268673840000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>A needle in a haystack wants roughly the same amount of space as a straw - doesn't make it any easier to find (indeed, that's part of the reason it's so hard to find).</p><p>Even if this technique has merits, it does nothing to correct the primary reason for computer infection - stupid users.</p></htmltext>
<tokenext>A needle in a haystack wants roughly the same amount of space as a straw - does n't make it any easier to find ( indeed , that 's part of the reason it 's so hard to find ) .Even if this technique has merits , it does nothing to correct the primary reason for computer infection - stupid users .</tokentext>
<sentencetext>A needle in a haystack wants roughly the same amount of space as a straw - doesn't make it any easier to find (indeed, that's part of the reason it's so hard to find).Even if this technique has merits, it does nothing to correct the primary reason for computer infection - stupid users.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483400</id>
	<title>Re:So it has to be in RAM</title>
	<author>Engeekneer</author>
	<datestamp>1268674440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Not as hard as reading the article</htmltext>
<tokenext>Not as hard as reading the article</tokentext>
<sentencetext>Not as hard as reading the article</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483174</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484228</id>
	<title>Re:Theory and hand-waving</title>
	<author>Anonymous</author>
	<datestamp>1268677860000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Yeah, you're missing the point.</p><p>The point being that with _only_ the scanner running in RAM the malware cannot _actively_ hide itself from the scanner since it cannot execute.</p><p>Whether or not the malware will be loaded again is totally beside the point. Maybe it will, maybe it won't. Of course the scanner will at some point finish and let the other processes have their memory back; you didn't think the scanner would run forever, did you? That would kind of reduce the usability of your hardware.</p></htmltext>
<tokenext>Yeah , you 're missing the point.The point being that with _only_ the scanner running in RAM the malware can not _actively_ hide itself from the scanner since it can not execute.Whether or not the malware will be loaded again is totally beside the point .
Maybe it will , maybe it wo n't .
Of course the scanner will at some point finish and let the other processes have their memory back ; you did n't think the scanner would run forever , did you ?
That would kind of reduce the usability of your hardware .</tokentext>
<sentencetext>Yeah, you're missing the point.The point being that with _only_ the scanner running in RAM the malware cannot _actively_ hide itself from the scanner since it cannot execute.Whether or not the malware will be loaded again is totally beside the point.
Maybe it will, maybe it won't.
Of course the scanner will at some point finish and let the other processes have their memory back; you didn't think the scanner would run forever, did you?
That would kind of reduce the usability of your hardware.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485194</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268681400000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>1. Educate users. Microsoft does a piss-poor job of this.</p></div><p>How?<br>Everybody panned Microsoft for UAC, what alternatives are there?</p><p><div class="quote"><p>2. STOP DEPENDING ON 3 MAGIC LETTERS TO DETERMINE IF SOMETHING IS CODE OR DATA. COME ON, SERIOUSLY. THIS SHOULD HAVE DIED WITH CP/M.</p></div><p>You mean the "magic bits" at the beginning of the file? Is there a better solution?<br>Every other platform does the same thing (or a variant of it)</p><p><div class="quote"><p>3. Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.</p></div><p>Flash, Java, Acrobat, Google Toolbar, Silverlight.</p><p><div class="quote"><p>4. If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE. MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.</p></div><p>Windows does this already. (pretty sure it was introduced in Vista, I think it works with Vista/Firefox too)<br>Downloaded EXE files get a "from internet" attribute set on them.<br>This makes windows verify the digital signature of the file and prompt the user with an "this file is from Teh dangerous interwebs!!! do you want to run it?" along with the signer information.</p></div>
	</htmltext>
<tokenext>1 .
Educate users .
Microsoft does a piss-poor job of this.How ? Everybody panned Microsoft for UAC , what alternatives are there ? 2 .
STOP DEPENDING ON 3 MAGIC LETTERS TO DETERMINE IF SOMETHING IS CODE OR DATA .
COME ON , SERIOUSLY .
THIS SHOULD HAVE DIED WITH CP/M.You mean the " magic bits " at the beginning of the file ?
Is there a better solution ? Every other platform does the same thing ( or a variant of it ) 3 .
Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.Flash , Java , Acrobat , Google Toolbar , Silverlight.4 .
If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE .
MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.Windows does this already .
( pretty sure it was introduced in Vista , I think it works with Vista/Firefox too ) Downloaded EXE files get a " from internet " attribute set on them.This makes windows verify the digital signature of the file and prompt the user with an " this file is from Teh dangerous interwebs ! ! !
do you want to run it ?
" along with the signer information .</tokentext>
<sentencetext>1.
Educate users.
Microsoft does a piss-poor job of this.How?Everybody panned Microsoft for UAC, what alternatives are there?2.
STOP DEPENDING ON 3 MAGIC LETTERS TO DETERMINE IF SOMETHING IS CODE OR DATA.
COME ON, SERIOUSLY.
THIS SHOULD HAVE DIED WITH CP/M.You mean the "magic bits" at the beginning of the file?
Is there a better solution?Every other platform does the same thing (or a variant of it)3.
Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.Flash, Java, Acrobat, Google Toolbar, Silverlight.4.
If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE.
MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.Windows does this already.
(pretty sure it was introduced in Vista, I think it works with Vista/Firefox too)Downloaded EXE files get a "from internet" attribute set on them.This makes windows verify the digital signature of the file and prompt the user with an "this file is from Teh dangerous interwebs!!!
do you want to run it?
" along with the signer information.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31489592</id>
	<title>Re:Which one is the detector?</title>
	<author>Mantis8</author>
	<datestamp>1268656860000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><br>
Hard to see the dark side is...</htmltext>
<tokenext>Hard to see the dark side is.. .</tokentext>
<sentencetext>
Hard to see the dark side is...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483202</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484268</id>
	<title>Prevention is the only guarantee</title>
	<author>Space Guerilla</author>
	<datestamp>1268678040000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>Personally I think prevention is the best solution.
You'll never get malware if you never connect to the internet and never install anything.</htmltext>
<tokenext>Personally I think prevention is the best solution .
You 'll never get malware if you never connect to the internet and never install anything .</tokentext>
<sentencetext>Personally I think prevention is the best solution.
You'll never get malware if you never connect to the internet and never install anything.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484020</id>
	<title>Re:There is something that can answer your questio</title>
	<author>Anonymous</author>
	<datestamp>1268677080000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Unfortunately this system relies on an 'external verifier' to verify the amount of RAM and processor speed.  What this probably really means is that the person running the detection utility must double check that the values provided by the utility match the numbers in BIOS.  This method of an 'external verifier' is extremely prone to being faulty.  Beyond that, god forbid the malware got into the BIOS, what do you do then?  Maybe we have read the article but we don't take on faith that it is the word of a 'god'.</p></htmltext>
<tokenext>Unfortunately this system relies on an 'external verifier ' to verify the amount of RAM and processor speed .
What this probably really means is that the person running the detection utility must double check that the values provided by the utility match the numbers in BIOS .
This method of an 'external verifier ' is extremely prone to being faulty .
Beyond that , god forbid the malware got into the BIOS , what do you do then ?
Maybe we have read the article but we do n't take on faith that it is the word of a 'god' .</tokentext>
<sentencetext>Unfortunately this system relies on an 'external verifier' to verify the amount of RAM and processor speed.
What this probably really means is that the person running the detection utility must double check that the values provided by the utility match the numbers in BIOS.
This method of an 'external verifier' is extremely prone to being faulty.
Beyond that, god forbid the malware got into the BIOS, what do you do then?
Maybe we have read the article but we don't take on faith that it is the word of a 'god'.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483584</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491180</id>
	<title>Interesting Idea</title>
	<author>Anonymous</author>
	<datestamp>1268667120000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I don't see how this would work. Even if Windows would allow itself to be swapped out (which it won't) for the test, the virus would simply allow itself to be swapped out as well, and then re-load itself through whatever infected .DLL or media player codec that it was initially loaded from in the first place.</p></htmltext>
<tokenext>I do n't see how this would work .
Even if Windows would allow itself to be swapped out ( which it wo n't ) for the test , the virus would simply allow itself to be swapped out as well , and then re-load itself through whatever infected .DLL or media player codec that it was initially loaded from in the first place .</tokentext>
<sentencetext>I don't see how this would work.
Even if Windows would allow itself to be swapped out (which it won't) for the test, the virus would simply allow itself to be swapped out as well, and then re-load itself through whatever infected .DLL or media player codec that it was initially loaded from in the first place.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485364</id>
	<title>Snake Oil, part 2...</title>
	<author>dskoll</author>
	<datestamp>1268682000000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>From the <a href="http://www.fatskunk.com/solutions/our-solutions" title="fatskunk.com">Our Solutions</a> [fatskunk.com] page:</p><p> <i>A technique known as software-based attestation can provide an alternative defense against malware by performing infection scans periodically and detect the presence of any program that refuses to be inactivated &ndash; as well as any inactivated program that is known to be malicious.</i>

</p><p>So, it can detect malware <em>that refuses to be inactivated</em> which is a tiny (vanishingly-tiny?) percentage of malware, as well as inactivated software <em>that is known to be malicious</em> (eg, because of a known virus signature.)</p><p>So what's the advantage over signature-based virus-scanners?  Well, you get to detect <em>completely hypothetical</em> software that (somehow) refuses to allow the kernel to swap it out (and how that is possible is never explained) at the cost of hugely-expensive computations.</p><p>Great.</p></htmltext>
<tokenext>From the Our Solutions [ fatskunk.com ] page : A technique known as software-based attestation can provide an alternative defense against malware by performing infection scans periodically and detect the presence of any program that refuses to be inactivated – as well as any inactivated program that is known to be malicious .
So , it can detect malware that refuses to be inactivated which is a tiny ( vanishingly-tiny ?
) percentage of malware , as well as inactivated software that is known to be malicious ( eg , because of a known virus signature .
) So what 's the advantage over signature-based virus-scanners ?
Well , you get to detect completely hypothetical software that ( somehow ) refuses to allow the kernel to swap it out ( and how that is possible is never explained ) at the cost of hugely-expensive computations.Great .</tokentext>
<sentencetext>From the Our Solutions [fatskunk.com] page: A technique known as software-based attestation can provide an alternative defense against malware by performing infection scans periodically and detect the presence of any program that refuses to be inactivated – as well as any inactivated program that is known to be malicious.
So, it can detect malware that refuses to be inactivated which is a tiny (vanishingly-tiny?
) percentage of malware, as well as inactivated software that is known to be malicious (eg, because of a known virus signature.
)So what's the advantage over signature-based virus-scanners?
Well, you get to detect completely hypothetical software that (somehow) refuses to allow the kernel to swap it out (and how that is possible is never explained) at the cost of hugely-expensive computations.Great.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483498</id>
	<title>Re:Theory and hand-waving</title>
	<author>bill_mcgonigle</author>
	<datestamp>1268674860000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>Punting the problem to an "external verifier" is pretty neat. I wish I could do that with my next hard problem.</i></p><p>It may be worth doing right.  Look for malware from a hypervisor (memory, disk, network, etc.).  Running this all inside the insecure machine is just asking for trouble, though, but it is the best currently available.  But even today there are CPUs shipping without virt support, so this can't be done for every machine yet or for a while.  Still, I think many would spend the extra $50 if it worked well.</p></htmltext>
<tokenext>Punting the problem to an " external verifier " is pretty neat .
I wish I could do that with my next hard problem.It may be worth doing right .
Look for malware from a hypervisor ( memory , disk , network , etc. ) .
Running this all inside the insecure machine is just asking for trouble , though , but is the best currently available .
But even today there are CPUs shipping without virt support , so this ca n't be done for every machine yet or for a while .
Still , I think many would spend the extra $ 50 if it worked well .</tokentext>
<sentencetext>Punting the problem to an "external verifier" is pretty neat.
I wish I could do that with my next hard problem.It may be worth doing right.
Look for malware from a hypervisor (memory, disk, network, etc.).
Running this all inside the insecure machine is just asking for trouble, though, but it is the best currently available.
But even today there are CPUs shipping without virt support, so this can't be done for every machine yet or for a while.
Still, I think many would spend the extra $50 if it worked well.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483274</id>
	<title>Okay</title>
	<author>somersault</author>
	<datestamp>1268674020000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>And what if the malware lets itself be swapped out of RAM the same as all of the other apps?</p><p>I'd love to have an approach to malware that could always detect unwanted processes, I'm just trying to find holes here.</p></htmltext>
<tokenext>And what if the malware lets itself be swapped out of RAM the same as all of the other apps ? I 'd love to have an approach to malware that could always detect unwanted processes , I 'm just trying to find holes here .</tokentext>
<sentencetext>And what if the malware lets itself be swapped out of RAM the same as all of the other apps?I'd love to have an approach to malware that could always detect unwanted processes, I'm just trying to find holes here.</sentencetext>
</comment>
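The FatSkunk description of software-based attestation quoted above, the objection that it leans on an external verifier that knows the device's RAM size and processor speed, the first comment's "memory which was supposed to be free is no longer free", and the question of what happens when the malware simply lets itself be swapped out like everything else all turn on the same mechanism. The model below is an added illustration of that mechanism and is not code from the article, PARC or FatSkunk: the device fills every byte it does not need itself with a pseudorandom stream chosen by the verifier, checksums all of RAM in a seed-derived order, and the verifier checks both the result and how long it took. The RAM and block sizes, HMAC-SHA256 as the fill generator, the abstract cycle counts standing in for wall-clock time, and the 5% timing slack are assumptions of the model, not figures from the page.

```python
"""Toy model of memory-filling software attestation (added illustration, not FatSkunk's code)."""
import hashlib
import hmac
import random

# Assumed toy parameters; a real deployment uses the device's actual RAM size.
RAM_SIZE = 4096        # total RAM of the modelled device, in bytes
SCANNER_SIZE = 256     # bytes taken up by the attestation routine itself
BLOCK = 32             # fill/checksum granularity: one HMAC-SHA256 output
# Abstract cost model standing in for wall-clock time; only the ratios matter here.
COST_PRF = 10          # derive one fill block from the verifier's seed
COST_HASH = 1          # absorb one block into the checksum
COST_CHECK = 1         # one "does this access hit my bytes?" test made by cheating malware
TIMING_SLACK = 1.05    # verifier accepts up to 5% over the honest cost (assumed)
FREE_BLOCKS = (RAM_SIZE - SCANNER_SIZE) // BLOCK


def fill_block(seed, index):
    """Block `index` of the pseudorandom fill for this seed (HMAC-SHA256 in counter mode)."""
    return hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha256).digest()


def access_order(seed):
    """Seed-derived pseudorandom order in which free memory is checksummed. Resident malware
    cannot know in advance which accesses will hit its own bytes, so it must test each one."""
    order = list(range(FREE_BLOCKS))
    random.Random(seed).shuffle(order)
    return order


def expected_checksum(seed, scanner_code):
    """Verifier side: checksum of the scanner code followed by completely filled free memory."""
    h = hashlib.sha256(scanner_code.ljust(SCANNER_SIZE, b"\0"))
    for i in access_order(seed):
        h.update(fill_block(seed, i))
    return h.digest()


class Device:
    """RAM = [scanner code | free memory]; malware, if present, squats at the top of free memory."""

    def __init__(self, scanner_code, malware=b""):
        assert len(scanner_code) <= SCANNER_SIZE
        self.ram = bytearray(RAM_SIZE)
        self.ram[:SCANNER_SIZE] = scanner_code.ljust(SCANNER_SIZE, b"\0")
        self.malware = malware
        self.mal_start = RAM_SIZE - len(malware)
        self.ram[self.mal_start:] = malware

    def malware_resident(self):
        """True while the malware bytes are still intact in RAM."""
        return bool(self.malware) and bytes(self.ram[self.mal_start:]) == self.malware

    def _hits_malware(self, lo):
        return bool(self.malware) and lo + BLOCK > self.mal_start

    def attest(self, seed, strategy="comply"):
        """Run the attestation routine and return (checksum, cycles used).
        comply: overwrite all free memory with the fill (this destroys any malware there)
        resist: keep the malware bytes and checksum RAM as it really is
        forge:  keep the malware bytes but substitute the expected fill while checksumming
        """
        cycles = 0
        for i in range(FREE_BLOCKS):                       # fill pass
            lo = SCANNER_SIZE + i * BLOCK
            if strategy != "comply" and self._hits_malware(lo):
                continue                                   # malware refuses to be overwritten
            self.ram[lo:lo + BLOCK] = fill_block(seed, i)
            cycles += COST_PRF
        h = hashlib.sha256(bytes(self.ram[:SCANNER_SIZE]))
        for i in access_order(seed):                       # checksum pass
            lo = SCANNER_SIZE + i * BLOCK
            block = bytes(self.ram[lo:lo + BLOCK])
            if strategy == "forge":
                cycles += COST_CHECK                       # every access: "is this one mine?"
                if self._hits_malware(lo):
                    block = fill_block(seed, i)            # no spare RAM to cache it: recompute
                    cycles += COST_PRF
            h.update(block)
            cycles += COST_HASH
        return h.digest(), cycles


def verify(device, scanner_code, seed, strategy="comply"):
    """External verifier: the checksum must match and the device must not have taken too long."""
    honest_cycles = FREE_BLOCKS * (COST_PRF + COST_HASH)
    checksum, cycles = device.attest(seed, strategy)
    if checksum != expected_checksum(seed, scanner_code):
        return "FAIL-CHECKSUM"     # something in "free" memory refused the fill
    if cycles > honest_cycles * TIMING_SLACK:
        return "FAIL-TIMING"       # the checksum was forged rather than measured
    return "PASS"


if __name__ == "__main__":
    scanner, seed, rootkit = b"attestation-routine", b"verifier-nonce-0001", b"\xccrootkit" * 8
    print("clean device:    ", verify(Device(scanner), scanner, seed))
    print("malware resists: ", verify(Device(scanner, rootkit), scanner, seed, "resist"))
    print("malware forges:  ", verify(Device(scanner, rootkit), scanner, seed, "forge"))
    d = Device(scanner, rootkit)
    print("malware complies:", verify(d, scanner, seed, "comply"), "resident after:", d.malware_resident())
```

Three outcomes fall out of the model. Malware that keeps its bytes and does nothing else fails the checksum, because the verifier expected fill where those bytes are. Malware that keeps its bytes and substitutes the expected fill on the fly gets the checksum right but pays for the test on every access, and has nowhere to cache the answers because all of RAM is full, so it fails on time. Malware that complies passes, and its bytes are gone: it has been inactivated, exactly as the "what if it lets itself be swapped out" comment says, and comes back as soon as whatever infected file on disk loads it again. The two soft spots the thread points at survive the model as well: the verdict rests entirely on the timing bound, which an external verifier has to calibrate against the real hardware and network rather than an abstract cycle count, and the routine assumes the scanner's own bytes and the code that schedules it are intact.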
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484010</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268677020000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><i>3. Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.</i>
<p>
ActiveX is how your browser runs Flash, Silverlight, Acrobat, Java etc. through IE. So yes it has uses. And in those cases it's not more or less dangerous than the equivalent NPAPI plugin. Both allow binary code to be executed (and scripted) with content supplied from an external site. The danger is that if you don't keep your plugins or controls up to date you might be vulnerable to attack.</p></htmltext>
<tokenext>3 .
Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX .
ActiveX is how your browser runs Flash , Silverlight , Acrobat , Java etc .
through IE .
So yes it has uses .
And in those cases it 's not more or less dangerous than the equivalent NPAPI plugin .
Both allow binary code to be executed ( and scripted ) with content supplied from an external site .
The danger is that if you do n't keep your plugins or controls up to date you might be vulnerable to attack .</tokentext>
<sentencetext>3.
Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.
ActiveX is how your browser runs Flash, Silverlight, Acrobat, Java etc.
through IE.
So yes it has uses.
And in those cases it's not more or less dangerous than the equivalent NPAPI plugin.
Both allow binary code to be executed (and scripted) with content supplied from an external site.
The danger is that if you don't keep your plugins or controls up to date you might be vulnerable to attack.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484198</id>
	<title>Re:Still a needle</title>
	<author>Space Guerilla</author>
	<datestamp>1268677740000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p>A needle in a haystack wants roughly the same amount of space as a straw - doesn't make it any easier to find (indeed, that's part of the reason it's so hard to find).</p><p>Even if this technique has merits, it does nothing to correct the primary reason for computer infection - stupid users.</p></div><p>In Mythbusters they proved you could in fact find the needle in the haystack
<a href="http://en.wikipedia.org/wiki/MythBusters_(2004_season)#Needle_in_a_Haystack" title="wikipedia.org" rel="nofollow">http://en.wikipedia.org/wiki/MythBusters_(2004_season)#Needle_in_a_Haystack</a> [wikipedia.org]</p></div>
	</htmltext>
<tokenext>A needle in a haystack wants roughly the same amount of space as a straw - does n't make it any easier to find ( indeed , that 's part of the reason it 's so hard to find ) .Even if this technique has merits , it does nothing to correct the primary reason for computer infection - stupid users.In Mythbusters they proved you could in fact find the needle in the haystack http : //en.wikipedia.org/wiki/MythBusters_ ( 2004_season ) # Needle_in_a_Haystack [ wikipedia.org ]</tokentext>
<sentencetext>A needle in a haystack wants roughly the same amount of space as a straw - doesn't make it any easier to find (indeed, that's part of the reason it's so hard to find).Even if this technique has merits, it does nothing to correct the primary reason for computer infection - stupid users.In Mythbusters they proved you could in fact find the needle in the haystack
http://en.wikipedia.org/wiki/MythBusters_(2004_season)#Needle_in_a_Haystack [wikipedia.org]
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483200</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31488182</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Cro Magnon</author>
	<datestamp>1268649120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>ActiveX is how your browser runs Flash, Silverlight, Acrobat, Java etc</p></div></blockquote><p>Really?  Since when did Firefox start running ActiveX?</p></div>
	</htmltext>
<tokenext>ActiveX is how your browser runs Flash , Silverlight , Acrobat , Java etcReally ?
Since when did Firefox start running ActiveX ?</tokentext>
<sentencetext>ActiveX is how your browser runs Flash, Silverlight, Acrobat, Java etcReally?
Since when did Firefox start running ActiveX?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484010</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491850</id>
	<title>Re:register</title>
	<author>Hurricane78</author>
	<datestamp>1268673360000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Don&rsquo;t forget the megabyte-sized cache. The most important optimization nowadays, is to make your program parts fit into cache as a whole, since RAM access is extremely slow in comparison. So all you gotta do, is do the same with your malware, but keep it in there when deleted from RAM.</p></htmltext>
<tokenext>Do n't forget the megabyte-sized cache .
The most important optimization nowadays , is to make your program parts fit into cache as a whole , since RAM access is extremely slow in comparison .
So all you got ta do , is do the same with your malware , but keep it in there when deleted from RAM .</tokentext>
<sentencetext>Don’t forget the megabyte-sized cache.
The most important optimization nowadays, is to make your program parts fit into cache as a whole, since RAM access is extremely slow in comparison.
So all you gotta do, is do the same with your malware, but keep it in there when deleted from RAM.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483392</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31490038</id>
	<title>PARC? Didn't that used to be good?</title>
	<author>jamie(really)</author>
	<datestamp>1268659380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself.</p></div><p>Further assume that this detection algorithm, running in kernel mode, must be loaded into memory itself.<br>Then further assume that the compromised kernel on which it is running has not modified the detection algorithm. (Because <a href="http://www.f-secure.com/weblog/archives/00001118.html" title="f-secure.com" rel="nofollow">no one</a> [f-secure.com] writes kernel malware)<br>Then further further assume that no one will spot this really obvious flaw before publishing it.</p></div>
	</htmltext>
<tokenext>Assume now that we have a detection algorithm that runs in kernel mode , and that swaps out everything in RAM .
Everything except itself.Further assume that this detection algorithm , running in kernel mode , must be loaded into memory itself.Then further assume that the compromised kernel on which it is running has not modified the detection algorithm .
( Because no one [ f-secure.com ] writes kernel malware ) Then further further assume that no one will spot this really obvious flaw before publishing it .</tokentext>
<sentencetext>Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM.
Everything except itself.Further assume that this detection algorithm, running in kernel mode, must be loaded into memory itself.Then further assume that the compromised kernel on which it is running has not modified the detection algorithm.
(Because no one [f-secure.com] writes kernel malware)Then further further assume that no one will spot this really obvious flaw before publishing it.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31487438</id>
	<title>Missing the point</title>
	<author>Zaphod-AVA</author>
	<datestamp>1268646240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The people critical of this process are missing some of the point. The claim of catching everything including 0 day exploits is a bit grandiose, but that doesn't mean it isn't a good idea. An approach like this will pick up malware infections because they cloak their processes. If this forces them to stop cloaking, it makes it much easier for standard malware scanning to be effective.</p></htmltext>
<tokenext>The people critical of this process are missing some of the point .
The claim of catching everything including 0 day exploits is a bit grandiose , but that does n't mean it is n't a good idea .
An approach like this will pick up malware infections because they cloak their processes .
If this forces them to stop cloaking , it makes it much easier for standard malware scanning to be effective .</tokentext>
<sentencetext>The people critical of this process are missing some of the point.
The claim of catching everything including 0 day exploits is a bit grandiose, but that doesn't mean it isn't a good idea.
An approach like this will pick up malware infections because they cloak their processes.
If this forces them to stop cloaking, it makes it much easier for standard malware scanning to be effective.</sentencetext>
</comment>
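Zaphod-AVA's point, that the cloaking itself is what gives a rootkit away, is the idea behind cross-view detection: obtain the process list two independent ways and diff them. The script below is an added example, not code from the article, FatSkunk or any poster, and assumes a Linux system with procfs mounted at /proc. View one is the /proc directory listing that ps and top rely on; view two is a brute-force probe of every PID with signal 0, which the kernel answers with ESRCH only for PIDs that do not exist. Two edge cases are handled that produce false positives in a naive diff: kill(tid, 0) also succeeds for thread IDs, so threads of listed processes are subtracted, and a process that starts between the two views of one pass looks hidden once, so only PIDs hidden in every pass are reported. The constructed views in the usage below are mine.

```python
"""Cross-view hidden-process check for Linux (added example; assumes procfs at /proc)."""
import os

PROC = "/proc"


def listed_pids():
    """View 1: the processes the OS admits to in the /proc listing (what ps and top use)."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def thread_ids(pids):
    """Thread IDs of the listed processes. kill(tid, 0) succeeds for a TID as well, so
    without this set every multithreaded process would yield false 'hidden' hits."""
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"{PROC}/{pid}/task"))
        except (FileNotFoundError, PermissionError):
            pass     # exited between views, or not ours to inspect
    return tids


def probed_pids(pid_max):
    """View 2: ask the kernel about every possible PID with signal 0.
    EPERM means 'exists but not yours' and counts as alive; only ESRCH means absent."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def hidden_in_view(listed, probed, tids):
    """PIDs the kernel says exist but the listing omits, minus thread IDs of listed processes."""
    return (probed - listed) - tids


def confirmed_hidden(views):
    """Intersect several (listed, probed, tids) snapshots: a process that started between
    the two views of one pass shows up as 'hidden' once; a cloaked one is hidden every time."""
    result = None
    for listed, probed, tids in views:
        hidden = hidden_in_view(listed, probed, tids)
        result = hidden if result is None else result & hidden
    return result or set()


def live_cross_view(passes=2):
    """Take `passes` snapshots of the running system and report PIDs hidden in all of them."""
    with open(f"{PROC}/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    views = []
    for _ in range(passes):
        listed = listed_pids()
        views.append((listed, probed_pids(pid_max), thread_ids(listed)))
    return confirmed_hidden(views)


if __name__ == "__main__":
    hidden = live_cross_view()
    print("hidden PIDs:", sorted(hidden) if hidden else "none")
```

A hit means some part of the kernel answers "this PID exists" while another part refuses to list it, which is the signature of a process-hiding rootkit rather than of any particular sample, so no definitions are needed. The limit is the one the rest of the thread keeps returning to: a kernel-mode rootkit that hooks both readdir on /proc and the kill path presents the same lie to both views, and the check runs on the very machine it is checking. That is the gap the swap-everything-out attestation approach is trying to close, and the reason its own scanner has to be the only thing executing.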
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</id>
	<title>Malware detection is Bogus.</title>
	<author>bmo</author>
	<datestamp>1268674380000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p>How about we change things in Windows so it actually prevents infection in the first place?</p><p>1.  Educate users.  Microsoft does a piss-poor job of this.<br>2.  STOP DEPENDING ON 3 MAGIC LETTERS TO DETERMINE IF SOMETHING IS CODE OR DATA.  COME ON, SERIOUSLY.  THIS SHOULD HAVE DIED WITH CP/M.<br>3.  Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.<br>4.  If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE.  MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.</p><p>Really.  Seriously.</p><p>No, the above won't cover every situation, but it's a pretty good start.</p><p>--<br>BMO</p></htmltext>
<tokenext>How about we change things in Windows so it actually prevents infection in the first place ? 1 .
Educate users .
Microsoft does a piss-poor job of this.2 .
STOP DEPENDING ON 3 MAGIC LETTERS TO DETERMINE IF SOMETHING IS CODE OR DATA .
COME ON , SERIOUSLY .
THIS SHOULD HAVE DIED WITH CP/M.3 .
Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.4 .
If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE .
MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.Really .
Seriously.No , the above wo n't cover every situation , but it 's a pretty good start.--BMO</tokentext>
<sentencetext>How about we change things in Windows so it actually prevents infection in the first place?1.
Educate users.
Microsoft does a piss-poor job of this.2.
STOP DEPENDING ON 3 MAGIC LETTERS TO DETERMINE IF SOMETHING IS CODE OR DATA.
COME ON, SERIOUSLY.
THIS SHOULD HAVE DIED WITH CP/M.3.
Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.4.
If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE.
MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.Really.
Seriously.No, the above won't cover every situation, but it's a pretty good start.--BMO</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483582</id>
	<title>It's easy.</title>
	<author>Kenja</author>
	<datestamp>1268675220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>1) install malware<br>
2) report that there is malware installed</htmltext>
<tokenext>1 ) install malware 2 ) report that there is malware installed</tokentext>
<sentencetext>1) install malware
2) report that there is malware installed</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485062</id>
	<title>Anonymous Coward</title>
	<author>Anonymous</author>
	<datestamp>1268680800000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>The guy is wrong because his principal assumption is wrong.</p><p>Principal assumption:  Malware must take up at least one byte of RAM.</p><p>Refutation:  Malware hidden in the firmware (ROM)  does not need any dedicated bytes of RAM.</p><p>I know.  I've done it...</p></htmltext>
<tokenext>The guy is wrong because his principal assumption is wrong.Principal assumption : Malware must take up at least one byte of RAM.Refutation : Malware hidden in the firmware ( ROM ) does not need any dedicated bytes of RAM.I know .
I 've done it.. .</tokentext>
<sentencetext>The guy is wrong because his principal assumption is wrong.Principal assumption:  Malware must take up at least one byte of RAM.Refutation:  Malware hidden in the firmware (ROM)  does not need any dedicated bytes of RAM.I know.
I've done it...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484066</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>ghostis</author>
	<datestamp>1268677260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Also, as an admin, help your clients change their business processes to minimize the number of workstations where regular users are local administrators.  Yes, some software packages need local admin to work, but most do not.  While doing this will not be a panacea, it does seem to cut infection rates down.</p></htmltext>
<tokenext>Also , as an admin , help your clients change their business processes to minimize the number of workstations where regular users are local administrators .
Yes , some software packages need local admin to work , but most do not .
While doing this will not be a panacea , it does seem to cut infection rates down .</tokentext>
<sentencetext>Also, as an admin, help your clients change their business processes to minimize the number of workstations where regular users are local administrators.
Yes, some software packages need local admin to work, but most do not.
While doing this will not be a panacea, it does seem to cut infection rates down.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484598</id>
	<title>This detects "hidden things", not malware</title>
	<author>InvisiBill</author>
	<datestamp>1268679240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I read the article.  I understand what he's proposing.  However, the method is simply a way of finding things that are hiding in memory.  By swapping out the hider-app, you disable its ability to hide.  Your RAM + random bits hash will then expose things that were messing with RAM.</p><p>This doesn't detect malware itself, it simply allows you to determine if something is altering RAM to hide itself, which most likely would turn out to be malware.  If you're simply taking a hash of the whole RAM space, I'm not even sure you'd be able to find out where the problematic bits were located (which would point to the swapped-out culprit).</p><p>While it would be nice to know if something is covertly tinkering with your memory, this test alone won't find the actual malware.  It also relies on a lot of things, like the external verifier and that the scanner itself is not compromised.  It's a nice theory, but I'm not sure how much practical value it has.</p></htmltext>
<tokenext>I read the article .
I understand what he 's proposing .
However , the method is simply a way of finding things that are hiding in memory .
By swapping out the hider-app , you disable its ability to hide .
Your RAM + random bits hash will then expose things that were messing with RAM.This does n't detect malware itself , it simply allows you to determine if something is altering RAM to hide itself , which most likely would turn out to be malware .
If you 're simply taking a hash of the whole RAM space , I 'm not even sure you 'd be able to find out where the problematic bits were located ( which would point to the swapped-out culprit ) .While it would be nice to know if something is covertly tinkering with your memory , this test alone wo n't find the actual malware .
It also relies on a lot of things , like the external verifier and that the scanner itself is not compromised .
It 's a nice theory , but I 'm not sure how much practical value it has .</tokentext>
<sentencetext>I read the article.
I understand what he's proposing.
However, the method is simply a way of finding things that are hiding in memory.
By swapping out the hider-app, you disable its ability to hide.
Your RAM + random bits hash will then expose things that were messing with RAM.This doesn't detect malware itself, it simply allows you to determine if something is altering RAM to hide itself, which most likely would turn out to be malware.
If you're simply taking a hash of the whole RAM space, I'm not even sure you'd be able to find out where the problematic bits were located (which would point to the swapped-out culprit).While it would be nice to know if something is covertly tinkering with your memory, this test alone won't find the actual malware.
It also relies on a lot of things, like the external verifier and that the scanner itself is not compromised.
It's a nice theory, but I'm not sure how much practical value it has.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485246</id>
	<title>Re:Still a needle</title>
	<author>Anonymous</author>
	<datestamp>1268681640000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>"Ok mom, to install software, just go to Apps &gt; Ubuntu Software Center.  If you need something that's not there, let me know and I'll get it for you. (Google Chrome) "</p><p>Security is really not that hard, 'stupid' users or not.  Unless you're Microsoft. ...If we bail those retards out of bankruptcy I'm going to be pissed; I've worked the last several years to bring them down; they're too big not to fail.</p></htmltext>
<tokenext>" Ok mom , to install software , just go to Apps &gt; Ubuntu Software Center .
If you need something that 's not there , let me know and I 'll get it for you .
( Google Chrome ) " Security is really not that hard , 'stupid ' users or not .
Unless you 're Microsoft .
...If we bail those retards out of bankruptcy I 'm going to be pissed ; I 've worked the last several years to bring them down ; they 're too big not to fail .</tokentext>
<sentencetext>"Ok mom, to install software, just go to Apps &gt; Ubuntu Software Center.
If you need something that's not there, let me know and I'll get it for you.
(Google Chrome) "Security is really not that hard, 'stupid' users or not.
Unless you're Microsoft.
...If we bail those retards out of bankruptcy I'm going to be pissed; I've worked the last several years to bring them down; they're too big not to fail.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483200</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484574</id>
	<title>Rootkit detection</title>
	<author>Talennor</author>
	<datestamp>1268679120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>One of the problems of computer security is that it's hard to be sure the level at which you're operating is secure.  Your app may think it's secure, but the OS can view its memory.  The OS may think it's secure, but it might be virtualized or running on a rootkit or boot sector virus.  You might have a malicious BIOS update.  It's almost impossible to verify from any level if the level below you is infected or not.</p><p>This is a neat, though probably impractical, way of trying to understand what the lower levels of the system are doing and judge the trustworthiness of those levels.</p></htmltext>
<tokenext>One of the problems of computer security is that it 's hard to be sure the level at which you 're operating is secure .
Your app may think it 's secure , but the OS can view its memory .
The OS may think it 's secure , but it might be virtualized or running on a rootkit or boot sector virus .
You might have a malicious BIOS update .
It 's almost impossible to verify from any level if the level below you is infected or not.This is a neat , though probably impractical , way of trying to understand what the lower levels of the system are doing and judge the trustworthiness of those levels .</tokentext>
<sentencetext>One of the problems of computer security is that it's hard to be sure the level at which you're operating is secure.
Your app may think it's secure, but the OS can view its memory.
The OS may think it's secure, but it might be virtualized or running on a rootkit or boot sector virus.
You might have a malicious BIOS update.
It's almost impossible to verify from any level if the level below you is infected or not.This is a neat, though probably impractical, way of trying to understand what the lower levels of the system are doing and judge the trustworthiness of those levels.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483302</id>
	<title>Since I actually read the article</title>
	<author>Rogerborg</author>
	<datestamp>1268674140000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I note that he seems to have missed a rather obvious possibility: there's malware in RAM, but it allows itself to be swapped out with all the other processes.  Why wouldn't it?  If it got loaded into RAM once, it'll get loaded again by the same vector.  In fact, it has to rely on that happening, since at some point the RAM is going to be physically powered down.  There's no point in trying to dig in like a tick.

</p><p>So as far as I can see, his magic technique will only catch malware that attempts to protect itself.  I'm not clear on why he thinks this will catch <em>all</em> malware, but I'm sure he'll explain further if I pay him some $$$.</p></htmltext>
<tokenext>I note that he seems to have missed a rather obvious possibility : there 's malware in RAM , but it allows itself to be swapped out with all the other processes .
Why would n't it ?
If it got loaded into RAM once , it 'll get loaded again by the same vector .
In fact , it has to rely on that happening , since at some point the RAM is going to be physically powered down .
There 's no point in trying to dig in like a tick .
So as far as I can see , his magic technique will only catch malware that attempts to protect itself .
I 'm not clear on why he thinks this will catch all malware , but I 'm sure he 'll explain further if I pay him some $ $ $ .</tokentext>
<sentencetext>I note that he seems to have missed a rather obvious possibility: there's malware in RAM, but it allows itself to be swapped out with all the other processes.
Why wouldn't it?
If it got loaded into RAM once, it'll get loaded again by the same vector.
In fact, it has to rely on that happening, since at some point the RAM is going to be physically powered down.
There's no point in trying to dig in like a tick.
So as far as I can see, his magic technique will only catch malware that attempts to protect itself.
I'm not clear on why he thinks this will catch all malware, but I'm sure he'll explain further if I pay him some $$$.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485552</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268682780000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p>3.  Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.</p></div><p>Go to South Korea; everything there is based on ActiveX, so any user must use IE and thus be a Windows user.</p><div class="quote"><p>4.  If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE.  MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.</p></div><p>Currently Windows shows a warning when you try to execute things downloaded from the internet.</p></htmltext>
<tokenext>3 .
Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.Go to south korea , all there is based on ActiveX , so any user must use IE and thus be a Windows user.4 .
If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE .
MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.Currently windows shows warning when you try to execute things downloaded from internet .</tokentext>
<sentencetext>3.
Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.Go to south korea, all there is based on ActiveX, so any user must use IE and thus be a Windows user.4.
If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE.
MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.Currently windows shows warning when you try to execute things downloaded from internet.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483702</id>
	<title>Re:Theory and Reality</title>
	<author>einhverfr</author>
	<datestamp>1268675760000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I read the article and I wasn't convinced.  I don't think one can guarantee malware detection.  Any detection approach has false positives and/or false negatives.  Typically we err on the side of false negatives, while some other approaches (host-based IDS-type approaches) err on the side of false positives.</p><p>The method addressed here does not deal with all possible attacks, but only the problem of malware interfering with the scan.  Hence even with such a mechanism, all you can use it for is guaranteeing the integrity of the scan process.  It doesn't tell you by itself whether a given executable is malware or not.  For that you have to either look for known threats or for suspicious system changes (sha256 checksums on files changing, for example).</p><p>"All we need" is generally an indication that something is missing in the analysis and this is the case here.</p></htmltext>
<tokenext>I read the article and I was n't convinced .
I do n't think one can guarantee malware detection .
Any detection approach has false positives and/or false negatives .
Typically we err on the side of false negatives , while some other approaches ( host-based IDS-type approaches ) err on the side of false positives.The method addressed here does not deal with all possible attacks , but only the problem of malware interfering with the scan .
Hence even with such a mechanism , all you can use it for is guaranteeing the integrity of the scan process .
It does n't tell you by itself whether a given executable is malware or not .
For that you have to either look for known threats or for suspicious system changes ( sha256 checksums on files changing , for example ) .
" All we need " is generally an indication that something is missing in the analysis and this is the case here .</tokentext>
<sentencetext>I read the article and I wasn't convinced.
I don't think one can guarantee malware detection.
Any detection approach has false positives and/or false negatives.
Typically we err on the side of false negatives, while some other approaches (host-based IDS-type approaches) err on the side of false positives.The method addressed here does not deal with all possible attacks, but only the problem of malware interfering with the scan.
Hence even with such a mechanism, all you can use it for is guaranteeing the integrity of the scan process.
It doesn't tell you by itself whether a given executable is malware or not.
For that you have to either look for known threats or for suspicious system changes (sha256 checksums on files changing, for example).
"All we need" is generally an indication that something is missing in the analysis and this is the case here.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483916</id>
	<title>One big mistake - steganography</title>
	<author>vlm</author>
	<datestamp>1268676720000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>One big mistake from the article is:</p><div class="quote"><p>2) Any program -- good or bad -- that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte, right?</p></div><p>Wrong.  Do the steganography thing to a live program's data.  Find a .jpeg in Outlook and insert the encrypted executable code into the pix.  There are other interesting alternatives involving modification of the stack and stack pointers.  Even things like the map for virtual memory can be messed with to store a wee little bit of data.</p></htmltext>
<tokenext>One big mistake from the article is : 2 ) Any program -- good or bad -- that wants to be active in RAM has no choice but to take up some space in RAM .
At least one byte , right ? Wrong .
Do the steganography thing to a live programs data .
Find a .jpeg in outlook and insert the encrypted executable code into the pix .
There are other interesting alternatives involving modification of the stack and stack pointers .
Even things like the map for virtual memory can be messed with to store a wee little bit of data .</tokentext>
<sentencetext>One big mistake from the article is:2) Any program -- good or bad -- that wants to be active in RAM has no choice but to take up some space in RAM.
At least one byte, right?Wrong.
Do the steganography thing to a live programs data.
Find a .jpeg in outlook and insert the encrypted executable code into the pix.
There are other interesting alternatives involving modification of the stack and stack pointers.
Even things like the map for virtual memory can be messed with to store a wee little bit of data.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483174</id>
	<title>So it has to be in RAM</title>
	<author>magsol</author>
	<datestamp>1268673780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>The hard part is actually finding it.</htmltext>
<tokenext>The hard part is actually finding it .</tokentext>
<sentencetext>The hard part is actually finding it.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483374</id>
	<title>Hmm</title>
	<author>Anonymous</author>
	<datestamp>1268674380000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I would love to meet the genius who discovered that any program that wants to be active in RAM uses some RAM...even if it is only 1 byte.</p></htmltext>
<tokenext>I would love to meet the genius who discovered that any program that wants to be active in RAM uses some RAM...even if it is only 1 byte .</tokentext>
<sentencetext>I would love to meet the genius who discovered that any program that wants to be active in RAM uses some RAM...even if it is only 1 byte.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484328</id>
	<title>Kind of interesting, but...</title>
	<author>Chris Mattern</author>
	<datestamp>1268678280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Four major problems:</p><p>One: The malware can simply let itself be swapped out like a good little program, and be swapped back in when the detector is done.  Now the only way you'll find it is look for a malware pattern again, with all the limitations that implies.</p><p>Two: The malware can infect the system routines so that the system *lies* to the detector about what's in RAM.</p><p>Three: The system has to be brought to a complete halt to do this, with obvious repercussions to performance.</p><p>Four: Most operating systems have parts of the kernel that CANNOT be swapped out.  So you can't swap out everything but the detector anyways.</p></htmltext>
<tokenext>Four major problems : One : The malware can simply let itself be swapped out like a good little program , and be swapped back in when the detector is done .
Now the only way you 'll find it is look for a malware pattern again , with all the limitations that implies.Two : The malware can infect the system routines so that the system * lies * to the detector about what 's in RAM.Three : The system has to be brought to a complete halt to do this , with obvious repercussions to performance.Four : Most operating systems have parts of the kernel that CAN NOT be swapped out .
So you ca n't swap out everything but the detector anyways .</tokentext>
<sentencetext>Four major problems:One: The malware can simply let itself be swapped out like a good little program, and be swapped back in when the detector is done.
Now the only way you'll find it is look for a malware pattern again, with all the limitations that implies.Two: The malware can infect the system routines so that the system *lies* to the detector about what's in RAM.Three: The system has to be brought to a complete halt to do this, with obvious repercussions to performance.Four: Most operating systems have parts of the kernel that CANNOT be swapped out.
So you can't swap out everything but the detector anyways.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31487784</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268647740000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>#2 isn't quite as easy as it sounds.  A Perl script is both data and code.  It's data if you open it in a text editor, and it's code if you open it in a Perl interpreter.  If the file isn't marked executable, it should still open in a text editor, right?  And since the OS can't tell the difference between a text editor and an interpreter, it's really the interpreter's job to check the ACLs and halt execution, right?  And because perl cantexecute.pl works on Linux, does that mean your advice applies to Linux as well, or maybe that there's some more complexity behind this issue?</p><p>The problem with Windows is that executable-ness is enabled by default (covered in #4), combined with the fact that executable-ness is hidden by default.  If your average user could even see those magic 3 letters, that would rid the world of quite a lot of trouble.jpg.exe</p></htmltext>
<tokenext># 2 is n't quite as easy as it sounds .
A Perl script is both data and code .
It 's data if you open it in a text editor , and it 's code if you open it in a Perl interpreter .
If the file is n't marked executable , it should still open in a text editor , right ?
And since the OS ca n't tell the difference between a text editor and an interpreter , it 's really the interpreter 's job to check the ACLs and halt execution , right ?
And because perl cantexecute.pl works on Linux , does that mean your advice applies to Linux as well , or maybe that there 's some more complexity behind this issue ? The problem with Windows is that executable-ness is enabled by default ( covered in # 4 ) , combined with the fact that executable-ness is hidden by default .
If your average user could even see those magic 3 letters , that would rid the world of quite a lot of trouble.jpg.exe</tokentext>
<sentencetext>#2 isn't quite as easy as it sounds.
A Perl script is both data and code.
It's data if you open it in a text editor, and it's code if you open it in a Perl interpreter.
If the file isn't marked executable, it should still open in a text editor, right?
And since the OS can't tell the difference between a text editor and an interpreter, it's really the interpreter's job to check the ACLs and halt execution, right?
And because perl cantexecute.pl works on Linux, does that mean your advice applies to Linux as well, or maybe that there's some more complexity behind this issue?The problem with Windows is that executable-ness is enabled by default (covered in #4), combined with the fact that executable-ness is hidden by default.
If your average user could even see those magic 3 letters, that would rid the world of quite a lot of trouble.jpg.exe</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491884</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Hurricane78</author>
	<datestamp>1268673720000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>3. Kill ActiveX - I know of no legitimate website that requires ActiveX.</p></div><p>There, fixed that for you. ^^</p></htmltext>
<tokenext>3 .
Kill ActiveX - I know of no legitimate website that requires ActiveX.There , fixed that for you .
^ ^</tokentext>
<sentencetext>3.
Kill ActiveX - I know of no legitimate website that requires ActiveX.There, fixed that for you.
^^
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485002</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>nuckfuts</author>
	<datestamp>1268680620000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>How about we change things in Windows so it actually prevents infection in the first place?</p><p>1.  Educate users.  Microsoft does a piss-poor job of this.</p></div><p>Aside from the obvious infeasibility of this, how would this be changing <strong>Windows</strong>?</p><div class="quote"><p>2.  STOP DEPENDING ON 3 MAGIC LETTERS TO DETERMINE IF SOMETHING IS CODE OR DATA.  COME ON, SERIOUSLY.  THIS SHOULD HAVE DIED WITH CP/M.</p></div><p>Ever heard of <a href="http://en.wikipedia.org/wiki/Data_Execution_Prevention" title="wikipedia.org">DEP</a> [wikipedia.org]?</p><div class="quote"><p>3.  Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.</p></div><p>It may be a risk, and there may be alternative ways to do things, but let's not pretend there's only one domain in existence that needs it. As a single example, I recently had to log in to a customer's server remotely. The only method of remote access available was through logmein.com. I had to use ActiveX.</p><div class="quote"><p>4.  If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE.  MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.</p></div><p>Internet Explorer already has security zones that apply restrictions based on where content is coming from. Users are prompted whether to run executables. The problem is that naive users routinely agree when prompted to do dangerous things. This is not an OS-specific problem.</p></htmltext>
<tokenext>How about we change things in Windows so it actually prevents infection in the first place ? 1 .
Educate users .
Microsoft does a piss-poor job of this.Aside from the obvious infeasibility of this , how would this be changing Windows ? 2 .
STOP DEPENDING ON 3 MAGIC LETTERS TO DETERMINE IF SOMETHING IS CODE OR DATA .
COME ON , SERIOUSLY .
THIS SHOULD HAVE DIED WITH CP/M.Ever heard of DEP [ wikipedia.org ] ? 3 .
Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.It may be a risk , and there may be alternative ways to do things , but let 's not pretend there 's only one domain in existence that needs it .
As a single example , I recently had to login to a customer 's server remotely .
The only method of remote access available was through logmein.com .
I had to use ActiveX.4 .
If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE .
MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.Internet Explorer already has security zones that apply restrictions based on where content is coming from .
Users are prompted whether to run executables .
The problem is that naive users routinely agree when prompted to do dangerous things .
This is not an OS-specific problem .</tokentext>
<sentencetext>How about we change things in Windows so it actually prevents infection in the first place?
1. Educate users.
Microsoft does a piss-poor job of this.
Aside from the obvious infeasibility of this, how would this be changing Windows?
2. STOP DEPENDING ON 3 MAGIC LETTERS TO DETERMINE IF SOMETHING IS CODE OR DATA.
COME ON, SERIOUSLY.
THIS SHOULD HAVE DIED WITH CP/M.
Ever heard of DEP [wikipedia.org]?
3. Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.
It may be a risk, and there may be alternative ways to do things, but let's not pretend there's only one domain in existence that needs it.
As a single example, I recently had to login to a customer's server remotely.
The only method of remote access available was through logmein.com.
I had to use ActiveX.
4. If a file comes in from the outside world - STRIP ITS PERMISSION TO EXECUTE.
MAKE THE USER UNPACK IT FROM AN ARCHIVE OR SET ITS PERMISSION.
Internet Explorer already has security zones that apply restrictions based on where content is coming from.
Users are prompted whether to run executables.
The problem is that naive users routinely agree when prompted to do dangerous things.
This is not an OS-specific problem.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483944</id>
	<title>Re:Theory and Reality</title>
	<author>Astrorunner</author>
	<datestamp>1268676780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>That's because all the memory is now swiss cheese full of random bytes.  If the malware wants to hide itself, it has to swap itself out to disk, regardless of whether or not it can hide itself.  He then proposes to identify that there is a threat by observing the performance of the hardware as it swaps itself out to secondary storage.</p></htmltext>
<tokenext>That 's because all the memory is now swiss cheese full of random bytes .
If the malware wants to hide itself , it has to swap itself out to disk , regardless of whether or not it can hide itself .
He then proposes to identify that there is a threat by observing the performance of the hardware as it swaps itself out to secondary storage .</tokentext>
<sentencetext>That's because all the memory is now swiss cheese full of random bytes.
If the malware wants to hide itself, it has to swap itself out to disk, regardless of whether or not it can hide itself.
He then proposes to identify that there is a threat by observing the performance of the hardware as it swaps itself out to secondary storage.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485164</id>
	<title>It's not general purpose. It's for dumb mobiles.</title>
	<author>Animats</author>
	<datestamp>1268681340000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>
Here's the <a href="http://dimacs.rutgers.edu/TechnicalReports/TechReports/2010/2010-03.pdf" title="rutgers.edu">real paper.</a> [rutgers.edu] This gives a better idea of what they have in mind.
</p><p>
They're proposing this for mobile phones, not general-purpose computers.  Specifically, they're thinking of phones where the software is entirely determined by the mobile carrier.  So the carrier's server knows exactly what's supposed to be in the phone's memory.  The problem is then to determine if, in fact, the contents of memory in the phone match the image back at the server, even if the phone has been corrupted.
</p><p>
That's a solvable problem, and their rather complex solution might actually work for that.
The "reliable external checking agent" is at the carrier's server farm, not within the phone.  The key idea is that while malware might try to fake the appropriate responses to the checking agent, it can't do so within time limits imposed by the checking agent.  This is because some cryptographic tricks make the faking job computationally expensive.
</p><p>
In the phone environment, if the carrier detects that the phone has been compromised, they can limit what the phone can talk to, since they control the channel.  Worst case, they could just de-authorize the phone, which limits it to 911 calls and customer service calls.  This is the default state of an unregistered phone.
</p><p>
It's not clear how useful this would be for phones which can download applications.  The paper punts on this issue.  On page 5, item 5, they write "[The verification policy] is beyond the scope of this paper."
</p><p>
I could see this as being very useful in military communication systems and in embedded systems, where you know what's supposed to be in the device and want to make sure the device at the other end of a link hasn't been compromised.  It's a way to check whether a locked-down environment is still locked down.
</p><p>
In other words, it's not going to help in the Windows world.</p></htmltext>
<tokenext>Here 's the real paper .
[ rutgers.edu ] This gives a better idea of what they have in mind .
They 're proposing this for mobile phones , not general-purpose computers .
Specifically , they 're thinking of phones where the software is entirely determined by the mobile carrier .
So the carrier 's server knows exactly what 's supposed to be in the phone 's memory .
The problem is then to determine if , in fact , the contents of memory in the phone match the image back at the server , even if the phone has been corrupted .
That 's a solvable problem , and their rather complex solution might actually work for that .
The " reliable external checking agent " is at the carrier 's server farm , not within the phone .
The key idea is that while malware might try to fake the appropriate responses to the checking agent , it ca n't do so within time limits imposed by the checking agent .
This is because some cryptographic tricks make the faking job computationally expensive .
In the phone environment , if the carrier detects that the phone has been compromised , they can limit what the phone can talk to , since they control the channel .
Worst case , they could just de-authorize the phone , which limits it to 911 calls and customer service calls .
This is the default state of an unregistered phone .
It 's not clear how useful this would be for phones which can download applications .
The paper punts on this issue .
On page 5 , item 5 , they write " [ The verification policy ] is beyond the scope of this paper . "
I could see this as being very useful in military communication systems and in embedded systems , where you know what 's supposed to be in the device and want to make sure the device at the other end of a link has n't been compromised .
It 's a way to check whether a locked-down environment is still locked down .
In other words , it 's not going to help in the Windows world .</tokentext>
<sentencetext>
Here's the real paper.
[rutgers.edu] This gives a better idea of what they have in mind.
They're proposing this for mobile phones, not general-purpose computers.
Specifically, they're thinking of phones where the software is entirely determined by the mobile carrier.
So the carrier's server knows exactly what's supposed to be in the phone's memory.
The problem is then to determine if, in fact, the contents of memory in the phone match the image back at the server, even if the phone has been corrupted.
That's a solvable problem, and their rather complex solution might actually work for that.
The "reliable external checking agent" is at the carrier's server farm, not within the phone.
The key idea is that while malware might try to fake the appropriate responses to the checking agent, it can't do so within time limits imposed by the checking agent.
This is because some cryptographic tricks make the faking job computationally expensive.
In the phone environment, if the carrier detects that the phone has been compromised, they can limit what the phone can talk to, since they control the channel.
Worst case, they could just de-authorize the phone, which limits it to 911 calls and customer service calls.
This is the default state of an unregistered phone.
It's not clear how useful this would be for phones which can download applications.
The paper punts on this issue.
On page 5, item 5, they write "[The verification policy] is beyond the scope of this paper."
I could see this as being very useful in military communication systems and in embedded systems, where you know what's supposed to be in the device and want to make sure the device at the other end of a link hasn't been compromised.
It's a way to check whether a locked-down environment is still locked down.
In other words, it's not going to help in the Windows world.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491612</id>
	<title>Re:Computers are Appliances</title>
	<author>b4dc0d3r</author>
	<datestamp>1268670840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>You buy a toaster, it toasts.  If it doesn't work, you throw it away and get a new one.  You buy a TV, maybe it works maybe it stops working, maybe lightning strikes it, but if you push the channel button and it doesn't work, you get it fixed or replace it.  Dishwasher stops working, you call someone and have it fixed.</p><p>Computer... I can't just click something I want to click, I have to unpack it and set it to be executable.  I have to think?  I don't want to think, I just want Farmville to work.  If I can't match these 3 jewels together, someone is going to have to fix this for me what's this box? OK.  OK, goddammit just go away!  You're blocking my jewels!  Fucking, OK, okay?  O MUTHER FUCKING KAY, I get it.  UNUUNUNNNGNGNGHGHGHGNFNG!</p><p>Customer calls tech support.</p><p>Tech: What were you doing when this happened?<br>Customer: I don't know, I was playing my game and some strange things just started happening.<br>Tech: Such as?<br>Customer: I was trying to play a game and these boxes came up that had nothing to do with the game.  It was broken.<br>Tech: You broke it by installing a virus, that's what you did when you clicked OK.<br>Customer: You don't know anything about computers.  Were you even listening?  It was doing stupid shit BEFORE I CLICKED OK!<br>Tech: No, those windows were trying to alert you to a security problem<br>Customer: Why would there be a security problem if it wasn't already broken dipshit?<br>Tech: That was Windows, asking if you wanted to allow something<br>Customer: I wanted to allow it to play MY FUCKING GAME that it wouldn't let me play.<br>Tech: You installed a virus.<br>Customer: I'm going to bash your head in with a box of Cheerios.<br>Customer's mom: So what was all that about?<br>Customer: That guy was pretending to be a computer nerd so he could ask me out or something, and he had herpes or something, I don't know.  
He didn't know anything about computers and wasn't listening to me and didn't believe me.<br>Customer's mom: Hello, Police?  I'd like to report a crime...</p></htmltext>
<tokenext>You buy a toaster , it toasts .
If it does n't work , you throw it away and get a new one .
You buy a TV , maybe it works maybe it stops working , maybe lightning strikes it , but if you push the channel button and it does n't work , you get it fixed or replace it .
Dishwasher stops working , you call someone and have it fixed .
Computer ... I ca n't just click something I want to click , I have to unpack it and set it to be executable .
I have to think ?
I do n't want to think , I just want Farmville to work .
If I ca n't match these 3 jewels together , someone is going to have to fix this for me what 's this box ?
OK. OK , goddammit just go away !
You 're blocking my jewels !
Fucking , OK , okay ?
O MUTHER FUCKING KAY , I get it .
UNUUNUNNNGNGNGHGHGHGNFNG !
Customer calls tech support .
Tech : What were you doing when this happened ?
Customer : I do n't know , I was playing my game and some strange things just started happening .
Tech : Such as ?
Customer : I was trying to play a game and these boxes came up that had nothing to do with the game .
It was broken .
Tech : You broke it by installing a virus , that 's what you did when you clicked OK .
Customer : You do n't know anything about computers .
Were you even listening ?
It was doing stupid shit BEFORE I CLICKED OK !
Tech : No , those windows were trying to alert you to a security problem
Customer : Why would there be a security problem if it was n't already broken dipshit ?
Tech : That was Windows , asking if you wanted to allow something
Customer : I wanted to allow it to play MY FUCKING GAME that it would n't let me play .
Tech : You installed a virus .
Customer : I 'm going to bash your head in with a box of Cheerios .
Customer 's mom : So what was all that about ?
Customer : That guy was pretending to be a computer nerd so he could ask me out or something , and he had herpes or something , I do n't know .
He did n't know anything about computers and was n't listening to me and did n't believe me .
Customer 's mom : Hello , Police ?
I 'd like to report a crime ...</tokentext>
<sentencetext>You buy a toaster, it toasts.
If it doesn't work, you throw it away and get a new one.
You buy a TV, maybe it works maybe it stops working, maybe lightning strikes it, but if you push the channel button and it doesn't work, you get it fixed or replace it.
Dishwasher stops working, you call someone and have it fixed.
Computer... I can't just click something I want to click, I have to unpack it and set it to be executable.
I have to think?
I don't want to think, I just want Farmville to work.
If I can't match these 3 jewels together, someone is going to have to fix this for me what's this box?
OK.  OK, goddammit just go away!
You're blocking my jewels!
Fucking, OK, okay?
O MUTHER FUCKING KAY, I get it.
UNUUNUNNNGNGNGHGHGHGNFNG!
Customer calls tech support.
Tech: What were you doing when this happened?
Customer: I don't know, I was playing my game and some strange things just started happening.
Tech: Such as?
Customer: I was trying to play a game and these boxes came up that had nothing to do with the game.
It was broken.
Tech: You broke it by installing a virus, that's what you did when you clicked OK.
Customer: You don't know anything about computers.
Were you even listening?
It was doing stupid shit BEFORE I CLICKED OK!
Tech: No, those windows were trying to alert you to a security problem
Customer: Why would there be a security problem if it wasn't already broken dipshit?
Tech: That was Windows, asking if you wanted to allow something
Customer: I wanted to allow it to play MY FUCKING GAME that it wouldn't let me play.
Tech: You installed a virus.
Customer: I'm going to bash your head in with a box of Cheerios.
Customer's mom: So what was all that about?
Customer: That guy was pretending to be a computer nerd so he could ask me out or something, and he had herpes or something, I don't know.
He didn't know anything about computers and wasn't listening to me and didn't believe me.
Customer's mom: Hello, Police?
I'd like to report a crime...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491828</id>
	<title>No it doesnt!</title>
	<author>Hurricane78</author>
	<datestamp>1268673120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>It can perfectly well live in the cache, busmaster devices, buffers, etc.</p></htmltext>
<tokenext>It can perfectly well live in the cache , busmaster devices , buffers , etc .</tokentext>
<sentencetext>It can perfectly well live in the cache, busmaster devices, buffers, etc.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198</id>
	<title>Theory and hand-waving</title>
	<author>Anonymous</author>
	<datestamp>1268673840000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext><blockquote><div><p>
Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself. Well, malware may interfere, of course, as it often does, and remain in RAM. But if we know how big RAM is, we know how much space should be free. Assume we write pseudo-random bits over all this supposedly free space. Again, a malware agent could refuse to be overwritten. It could store those random bits somewhere else instead... like in secondary storage.
</p><p>
Then, let us compute a keyed hash of the entire memory contents -- both our detection program and all the random bits. Here is what could happen: If there is no malware in RAM, the results will be the expected result. An external verifier checks this, and tells us that the scanned device is clean. Or there could be malware in RAM, and the checksum will be wrong. The external verifier would notice and conclude that the device must be infected. Or malware could divert the read requests directed at the place it is stored to the place in secondary storage where it stored the random bits meant for the space it occupies. That would result in the right checksum... but a delay. This delay would be detected by the external verifier, which would conclude that the device is infected.
</p></div>
</blockquote><p>
&lt;sarcasm&gt;Punting the problem to an "external verifier" is pretty neat.  I wish I could do that with my next hard problem.&lt;/sarcasm&gt;
</p><p>
That whole bit about swapping, though....  If I write malware and hide it somewhere in execution space, do I really care if it gets swapped out?  So the code that steals keystrokes or sniffs for credit card numbers doesn't get executed for short while.  Big deal.  At some point it will get loaded again (if written properly, that is).
</p><p>
Or am I missing something obvious?
</p>
	</htmltext>
<tokenext>Assume now that we have a detection algorithm that runs in kernel mode , and that swaps out everything in RAM .
Everything except itself .
Well , malware may interfere , of course , as it often does , and remain in RAM .
But if we know how big RAM is , we know how much space should be free .
Assume we write pseudo-random bits over all this supposedly free space .
Again , a malware agent could refuse to be overwritten .
It could store those random bits somewhere else instead... like in secondary storage .
Then , let us compute a keyed hash of the entire memory contents -- both our detection program and all the random bits .
Here is what could happen : If there is no malware in RAM , the results will be the expected result .
An external verifier checks this , and tells us that the scanned device is clean .
Or there could be malware in RAM , and the checksum will be wrong .
The external verifier would notice and conclude that the device must be infected .
Or malware could divert the read requests directed at the place it is stored to the place in secondary storage where it stored the random bits meant for the space it occupies .
That would result in the right checksum... but a delay .
This delay would be detected by the external verifier , which would conclude that the device is infected .
Punting the problem to an " external verifier " is pretty neat .
I wish I could do that with my next hard problem .
That whole bit about swapping , though.... If I write malware and hide it somewhere in execution space , do I really care if it gets swapped out ?
So the code that steals keystrokes or sniffs for credit card numbers does n't get executed for short while .
Big deal .
At some point it will get loaded again ( if written properly , that is ) .
Or am I missing something obvious ?</tokentext>
<sentencetext>
Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM.
Everything except itself.
Well, malware may interfere, of course, as it often does, and remain in RAM.
But if we know how big RAM is, we know how much space should be free.
Assume we write pseudo-random bits over all this supposedly free space.
Again, a malware agent could refuse to be overwritten.
It could store those random bits somewhere else instead... like in secondary storage.
Then, let us compute a keyed hash of the entire memory contents -- both our detection program and all the random bits.
Here is what could happen: If there is no malware in RAM, the results will be the expected result.
An external verifier checks this, and tells us that the scanned device is clean.
Or there could be malware in RAM, and the checksum will be wrong.
The external verifier would notice and conclude that the device must be infected.
Or malware could divert the read requests directed at the place it is stored to the place in secondary storage where it stored the random bits meant for the space it occupies.
That would result in the right checksum... but a delay.
This delay would be detected by the external verifier, which would conclude that the device is infected.
Punting the problem to an "external verifier" is pretty neat.
I wish I could do that with my next hard problem.
That whole bit about swapping, though....  If I write malware and hide it somewhere in execution space, do I really care if it gets swapped out?
So the code that steals keystrokes or sniffs for credit card numbers doesn't get executed for short while.
Big deal.
At some point it will get loaded again (if written properly, that is).
Or am I missing something obvious?

	</sentencetext>
</comment>
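The procedure quoted in the comment above (fill every byte of supposedly free RAM with challenge-derived pseudo-random bits, keyed-hash all of memory, and let an external verifier judge both the digest and the response time), together with the time-limited external checking agent that Animats describes, as an added toy simulation. This is example code written for this page; it is not code from Jakobsson's paper, from the ITworld article, or from any commenter. Everything in it is constructed: the 4 KiB fake RAM, the stand-in detector bytes, the per-byte cycle costs, the deadline, and deriving the hash key from the challenge are assumptions of the toy, not parameters of the paper. It also adds one case that is not part of the quoted procedure, a legitimate driver touching a buffer mid-scan, to show the false positive that Ancient_Hacker raises further down the thread.

```python
"""Toy simulation of RAM-filling attestation with an external, time-limited verifier.

Constructed example: a Device with a small fake RAM, a verifier that issues a fresh
challenge and recomputes the expected digest, and four device behaviours:
  clean     - nothing hides in RAM: digest matches, cost is the honest baseline
  resident  - malware refuses to be overwritten: digest is wrong
  divert    - malware stashes the fill it displaced in 'secondary storage' and serves
              reads of its own pages from there: digest is right, but it is slow
  driver    - no malware, but a driver writes one byte mid-scan: a false positive
Cost is counted in simulated cycles, not wall-clock time, so results are deterministic.
"""
import hashlib
import hmac
import os

RAM_SIZE = 4096                          # bytes of fake RAM (assumption)
DETECTOR = b"KERNEL-MODE-DETECTOR" * 3   # stand-in for the scanner's own code (constructed)
FREE = RAM_SIZE - len(DETECTOR)          # space the detector expects to be free
READ_COST = 1                            # simulated cycles per byte read from RAM
DIVERT_COST = 50                         # extra cycles for a read served from secondary storage
DEADLINE = int(RAM_SIZE * READ_COST * 1.1)  # verifier tolerates 10% over the honest cost


def expand(seed: bytes, n: int) -> bytes:
    """Pseudo-random fill derived from the verifier's challenge (SHA-256 in counter mode)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def keyed_hash(seed: bytes, image: bytes) -> bytes:
    """Keyed hash over the whole memory image; the key is bound to the challenge so that
    nothing can be precomputed before the verifier speaks (assumption of this toy)."""
    key = hashlib.sha256(b"attest-key|" + seed).digest()
    return hmac.new(key, image, hashlib.sha256).digest()


class Device:
    def __init__(self, mode: str = "clean", malware: bytes = b"EVIL" * 16):
        assert mode in ("clean", "resident", "divert", "driver")
        self.mode = mode
        self.malware = malware
        self.ram = bytearray(RAM_SIZE)
        self.ram[:len(DETECTOR)] = DETECTOR
        self.disk = {}   # 'secondary storage': address -> fill byte the malware displaced

    def attest(self, seed: bytes):
        """Run the detector: fill all 'free' RAM, hash everything, report (digest, cycles)."""
        self.ram[len(DETECTOR):] = expand(seed, FREE)
        if self.mode in ("resident", "divert"):
            # malware occupies the top of RAM and refuses to be overwritten by the fill
            base = RAM_SIZE - len(self.malware)
            for i, b in enumerate(self.malware):
                if self.mode == "divert":
                    self.disk[base + i] = self.ram[base + i]   # keep the byte it displaces
                self.ram[base + i] = b
        if self.mode == "driver":
            # a legitimate timer handler updates its counter after the fill was written
            self.ram[RAM_SIZE - 1] ^= 0x01
        image = bytearray()
        cycles = 0
        for addr in range(RAM_SIZE):
            cycles += READ_COST
            if addr in self.disk:          # 'divert': read redirected to secondary storage
                image.append(self.disk[addr])
                cycles += DIVERT_COST
            else:
                image.append(self.ram[addr])
        return keyed_hash(seed, bytes(image)), cycles


def verify(device: Device, seed: bytes = None) -> str:
    """External checking agent: knows the detector image and the challenge, so it can
    recompute the expected digest; it also enforces a response deadline."""
    seed = seed if seed is not None else os.urandom(16)
    expected = keyed_hash(seed, DETECTOR + expand(seed, FREE))
    digest, cycles = device.attest(seed)
    if not hmac.compare_digest(digest, expected):
        return "infected: checksum mismatch (%d cycles)" % cycles
    if cycles > DEADLINE:
        return "infected: checksum ok but %d cycles exceeds deadline %d" % (cycles, DEADLINE)
    return "clean (%d cycles)" % cycles


if __name__ == "__main__":
    for mode in ("clean", "resident", "divert", "driver"):
        print("%-8s -> %s" % (mode, verify(Device(mode))))
```

Two things the toy makes visible that the prose does not. The verifier never sees the device's RAM, only a digest and a delay, which is why the checking agent has to live outside the device and why the deadline matters as much as the hash: the "divert" case produces exactly the right digest. And the "driver" case is indistinguishable from malware at the verifier, so anything else that is still writing to RAM during the scan turns into a false positive unless the scan can quiesce it.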
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31488904</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268652780000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p>I know of no legitimate website besides Microsoft.com that requires ActiveX.</p></div><p>I know, there's management.local/infoserve and millions alike. They "just work" and they contain tens of millions of records of business-critical data. Users of this data can't upgrade beyond IE6 though...</p>
	</htmltext>
<tokenext>I know of no legitimate website besides Microsoft.com that requires ActiveX .
I know , there 's management.local/infoserve and millions alike .
They " just work " and they contain tens of millions of records of business-critical data .
Users of this data ca n't upgrade beyond IE6 though.. .</tokentext>
<sentencetext>I know of no legitimate website besides Microsoft.com that requires ActiveX.
I know, there's management.local/infoserve and millions alike.
They "just work" and they contain tens of millions of records of business-critical data.
Users of this data can't upgrade beyond IE6 though...
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483392</id>
	<title>register</title>
	<author>Anonymous</author>
	<datestamp>1268674440000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>4</modscore>
	<htmltext>Some processors may have big enough register sets that malware could reside entirely within the CPU.</htmltext>
<tokenext>Some processors may have big enough register sets that malware could reside entirely within the CPU .</tokentext>
<sentencetext>Some processors may have big enough register sets that malware could reside entirely within the CPU.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483546</id>
	<title>Re:Theory and Reality</title>
	<author>goombah99</author>
	<datestamp>1268675100000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>His whole point was not "this is how you should do it", it was "you could do this, and because you could do this it shows that it's theoretically possible".  This is a variant of what is known as a gedanken experiment-- an argument that proves or disproves some fact is true while not actually being something you would want to carry out.    For example, you could suppose that you could measure the force field is under by running  a pole from the earth to the moon and pushing slightly on it.  Not that you want to do this, but it shows that measuring that force field is possible at all.  Now you need to figure out an easy way to do that.</p></htmltext>
<tokenext>His whole point was not " this is how you should do it " , it was " you could do this , and because you could do this it shows that it 's theoretically possible " .
This is a variant of what is known as a gedanken experiment -- an argument that proves or disproves some fact is true while not actually being something you would want to carry out .
For example , you could suppose that you could measure the force field is under by running a pole from the earth to the moon and pushing slightly on it .
Not that you want to do this , but it shows that measuring that force field is possible at all .
Now you need to figure out an easy way to do that .</tokentext>
<sentencetext>His whole point was not "this is how you should do it", it was "you could do this, and because you could do this it shows that it's theoretically possible".
This is a variant of what is known as a gedanken experiment-- an argument that proves or disproves some fact is true while not actually being something you would want to carry out.
For example, you could suppose that you could measure the force field is under by running  a pole from the earth to the moon and pushing slightly on it.
Not that you want to do this, but it shows that measuring that force field is possible at all.
Now you need to figure out an easy way to do that.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484114</id>
	<title>Redeeculous idea.</title>
	<author>Ancient_Hacker</author>
	<datestamp>1268677440000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>4</modscore>
	<htmltext><p>I tried reading TFA a few times.  First time, utter confusion.  Second, third times, no better.  I can't make any sense out of these points:</p><p>&gt;1) There are absolutely only three things malware can do when you scan for it. One: be active in RAM, maybe trying to interfere with the detection algorithm. Two: not be active in RAM, but store itself in secondary storage. It cannot interfere with the detection algorithm then, quite obviously. And option number three: erase itself.</p><p>Absolutely, not.  There are many other things malware could be doing. Inactive in RAM, compressed and inactive in RAM, encoded as plausible-looking entries in the File Name Table or the Virtual Memory map.</p><p>&gt;2) Any program -- good or bad -- that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte, right?</p><p>No, it could be sleeping, existing only as an entry in the swapped-out process table.  Or in unused space below a thread stack.</p><p>&gt;Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself.</p><p>Whoah there fella.  Everything?  Are you going to turn off all timers and interrupt enables so their service routines don't get called?<br>Hard to do without mucking up all the device drivers.   Are you going to swap out the kernel too, as malware is quite capable of infesting kernel space.   And what about device drivers?   They're constantly mucking with their internal tables and I/O buffers.<br>And if you turn off all device drivers, you lose, as there's nothing stopping malware from masquerading as a device driver.  Many do.</p><p>&gt;&gt;But if we know how big RAM is, we know how much space should be free.</p><p>Whoa there again, big guy.  
There are plenty of machines with RAM at places not generally known to the OS, such as video RAM, graphics polygon RAM,  network card RAM buffers, and kernel stacks.</p><p>&gt;&gt; Assume we write pseudo-random bits over all this supposedly free space. Again, a malware agent could refuse to be overwritten.</p><p>You don't need a checksum test to do this-- each page of virtual memory has R/W control bits.<br>And you're foiled here again, as there are plenty of system areas that are write-protected, such as pre code areas and the VM tables themselves.</p><p>&gt;&gt;Then, let us compute a keyed hash of the entire memory contents -- both our detection program and all the random bits. Here is what could happen: If there is no malware in RAM, the results will be the expected result. An external verifier checks this, and tells us that the scanned device is clean.</p><p>Nooo, that just tells you that either you overwrote the malware, so you'll never find it, or the malware during your two sweeps did not change any RAM contents.   Quite possible as most malware just sits around most of the time.</p><p>&gt;&gt; Or there could be malware in RAM, and the checksum will be wrong.</p><p>Well, no, unless you disabled all interrupts and stopped all kernel tasks, there will still be system timers and interrupts and device drivers changing their state in RAM.</p><p>&gt;&gt; The external verifier would notice and conclude that the device must be infected.</p><p>Or some part of the system or some device driver is still running.    Huge chance of false positives.</p><p>This essay seems to have been written by someone with only a glancing familiarity with hardware and system software.</p></htmltext>
<tokenext>I tried reading TFA a few times .
First time , utter confusion .
Second , third times , no better .
I ca n't make any sense out of these points :
&gt; 1 ) There are absolutely only three things malware can do when you scan for it .
One : be active in RAM , maybe trying to interfere with the detection algorithm .
Two : not be active in RAM , but store itself in secondary storage .
It can not interfere with the detection algorithm then , quite obviously .
And option number three : erase itself .
Absolutely , not .
There are many other things malware could be doing .
Inactive in RAM , compressed and inactive in RAM , encoded as plausible-looking entries in the File Name Table or the Virtual Memory map .
&gt; 2 ) Any program -- good or bad -- that wants to be active in RAM has no choice but to take up some space in RAM .
At least one byte , right ?
No , it could be sleeping , existing only as an entry in the swapped-out process table .
Or in unused space below a thread stack .
&gt; Assume now that we have a detection algorithm that runs in kernel mode , and that swaps out everything in RAM .
Everything except itself .
Whoah there fella .
Everything ?
Are you going to turn off all timers and interrupt enables so their service routines do n't get called ?
Hard to do without mucking up all the device drivers .
Are you going to swap out the kernel too , as malware is quite capable of infesting kernel space .
And what about device drivers ?
They 're constantly mucking with their internal tables and I/O buffers .
And if you turn off all device drivers , you lose , as there 's nothing stopping malware from masquerading as a device driver .
Many do .
&gt; &gt; But if we know how big RAM is , we know how much space should be free .
Whoa there again , big guy .
There are plenty of machines with RAM at places not generally known to the OS , such as video RAM , graphics polygon RAM , network card RAM buffers , and kernel stacks .
&gt; &gt; Assume we write pseudo-random bits over all this supposedly free space .
Again , a malware agent could refuse to be overwritten .
You do n't need a checksum test to do this -- each page of virtual memory has R/W control bits .
And you 're foiled here again , as there are plenty of system areas that are write-protected , such as pre code areas and the VM tables themselves .
&gt; &gt; Then , let us compute a keyed hash of the entire memory contents -- both our detection program and all the random bits .
Here is what could happen : If there is no malware in RAM , the results will be the expected result .
An external verifier checks this , and tells us that the scanned device is clean .
Nooo , that just tells you that either you overwrote the malware , so you 'll never find it , or the malware during your two sweeps did not change any RAM contents .
Quite possible as most malware just sits around most of the time .
&gt; &gt; Or there could be malware in RAM , and the checksum will be wrong .
Well , no , unless you disabled all interrupts and stopped all kernel tasks , there will still be system timers and interrupts and device drivers changing their state in RAM .
&gt; &gt; The external verifier would notice and conclude that the device must be infected .
Or some part of the system or some device driver is still running .
Huge chance of false positives .
This essay seems to have been written by someone with only a glancing familiarity with hardware and system software .</tokentext>
<sentencetext>I tried reading TFA a few times.
First time, utter confusion.
Second, third times, no better.
I can't make any sense out of these points: &gt;1) There are absolutely only three things malware can do when you scan for it.
One: be active in RAM, maybe trying to interfere with the detection algorithm.
Two: not be active in RAM, but store itself in secondary storage.
It cannot interfere with the detection algorithm then, quite obviously.
And option number three: erase itself. Absolutely, not.
There are many other things malware could be doing.
Inactive in RAM, compressed and inactive in RAM, encoded as plausible-looking entries in the File Name Table or the Virtual Memory map. &gt;2) Any program -- good or bad -- that wants to be active in RAM has no choice but to take up some space in RAM.
At least one byte, right? No, it could be sleeping, existing only as an entry in the swapped-out process table.
Or in unused space below a thread stack. &gt;Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM.
Everything except itself. Whoah there fella.
Everything? Are you going to turn off all timers and interrupt enables so their service routines don't get called? Hard to do without mucking up all the device drivers.
Are you going to swap out the kernel too, as malware is quite capable of infesting kernel space.
And what about device drivers?
They're constantly mucking with their internal tables and I/O buffers. And if you turn off all device drivers, you lose, as there's nothing stopping malware from masquerading as a device driver.
Many do. &gt;&gt;But if we know how big RAM is, we know how much space should be free. Whoa there again, big guy.
There are plenty of machines with RAM at places not generally known to the OS, such as video RAM, graphics polygon RAM, network card RAM buffers, and kernel stacks. &gt;&gt; Assume we write pseudo-random bits over all this supposedly free space.
Again, a malware agent could refuse to be overwritten. You don't need a checksum test to do this -- each page of virtual memory has R/W control bits. And you're foiled here again, as there are plenty of system areas that are write-protected, such as pre code areas and the VM tables themselves. &gt;&gt;Then, let us compute a keyed hash of the entire memory contents -- both our detection program and all the random bits.
Here is what could happen: If there is no malware in RAM, the results will be the expected result.
An external verifier checks this, and tells us that the scanned device is clean. Nooo, that just tells you that either you overwrote the malware, so you'll never find it, or the malware during your two sweeps did not change any RAM contents.
Quite possible as most malware just sits around most of the time. &gt;&gt; Or there could be malware in RAM, and the checksum will be wrong. Well, no, unless you disabled all interrupts and stopped all kernel tasks, there will still be system timers and interrupts and device drivers changing their state in RAM. &gt;&gt; The external verifier would notice and conclude that the device must be infected. Or some part of the system or some device driver is still running.
Huge chance of false positives. This essay seems to have been written by someone with only a glancing familiarity with hardware and system software.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483714</id>
	<title>Wrong from the getgo!</title>
	<author>mcrbids</author>
	<datestamp>1268675820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Not only that, but his initial premise is already wrong!  Most people conceptualize a program like an application - it's launched, loads into memory, and then does stuff. And while that's typical, it's a grave mistake to think that's the ONLY way to go!</p><p>Off the top of my head, I can think of registering malware as a callback handler for a system event. In this case, you have an infected computer without any code running at all, in a context and namespace different than running applications!</p><p>Windows just wasn't designed with a multi-user security model. Adding this after the fact is showing itself to be exponentially more difficult!</p></htmltext>
<tokenext>Not only that , but his initial premise is already wrong !
Most people conceptualize a program like an application - it 's launched , loads into memory , and then does stuff .
And while that 's typical , it 's a grave mistake to think that 's the ONLY way to go ! Off the top of my head , I can think of registering malware as a callback handler for a system event .
In this case , you have an infected computer without any code running at all , in a context and namespace different than running applications ! Windows just was n't designed with a multi-user security model .
Adding this after the fact is showing itself to be exponentially more difficult !</tokentext>
<sentencetext>Not only that, but his initial premise is already wrong!
Most people conceptualize a program like an application - it's launched, loads into memory, and then does stuff.
And while that's typical, it's a grave mistake to think that's the ONLY way to go! Off the top of my head, I can think of registering malware as a callback handler for a system event.
In this case, you have an infected computer without any code running at all, in a context and namespace different than running applications! Windows just wasn't designed with a multi-user security model.
Adding this after the fact is showing itself to be exponentially more difficult!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31488166</id>
	<title>Re:Theory and hand-waving</title>
	<author>Anonymous</author>
	<datestamp>1268649060000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Since the host might be compromised, you send the bits to an external verifier so that the verification can't be intercepted by the malware.  The external verifier can detect the delays and compare the hashes without risk of the results being compromised.</p></htmltext>
<tokenext>Since the host might be compromised , you send the bits to an external verifier so that the verification ca n't be intercepted by the malware .
The external verifier can detect the delays and compare the hashes without risk of the results being compromised .</tokentext>
<sentencetext>Since the host might be compromised, you send the bits to an external verifier so that the verification can't be intercepted by the malware.
The external verifier can detect the delays and compare the hashes without risk of the results being compromised.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485720</id>
	<title>What this can actually be used for</title>
	<author>Krahar</author>
	<datestamp>1268683440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>The idea here is of course not able to detect all malware, even though the article claims that it is. It is designed to counter a specific technique malware can use to avoid detection: to interfere with the normal processing of a malware detector. E.g. it can intercept kernel calls and lie to the malware detector (or any other software) about what the content of memory is. This is something the malware has to be actually running at the time of the scan to do, and to be able to run it has to be in memory. So if you swap out all code except the malware scanner (including drivers and so on), and you nuke all memory except the scanner's own code, then either the malware has to allow itself to be overwritten, or it has to remain in memory by intercepting the calls that would overwrite it. The idea in the article is to use a hardware check-sum function that cannot be intercepted. At that point the malware scanner will be able to tell that the real, hardware checksum of the memory does not match the check-sum it computed on its own, so there must be a piece of software still running and lying about the content of memory. Only malware would do that, so this technique defeats the malware technique of lying to a malware scanner about what is in memory.
<br> <br>
Unfortunately the malware can of course still intercept the entire running of the malware scanner by not actually doing any scan at all and just displaying a message to the user that the malware scanner would normally display if there is no malware. That is still a half victory, though, as then the malware has to know about all the malware detectors that are out there and will be out there, which is a huge amount of work that the malware authors may not be able to keep up with. It could also just always display a message box saying "everything was fine" or it could crash the scanner, but then the user would possibly be able to tell that something is wrong. A more sophisticated tactic would be to scan the scanner executable (before it runs) for the instructions that trigger the hardware mechanism, and replace those by different instructions that simply report the hash as it would be if there was no malware. Maybe you could obfuscate that somehow, perhaps by having the scanner generate the instructions it runs in memory instead of having them all in the executable directly, and at that point it becomes yet another arms race where now it is the malware authors trying to detect something and it is the anti-malware people trying to hide.
<br> <br>
Unfortunately the type of scan proposed requires a hardware check-sum mechanism, it requires the OS to be able to swap every single part of itself to disk for an extended period of time (it then won't be able to respond to interrupts) and it still is not flawless. Still, it does make life more difficult for malware authors.</htmltext>
<tokenext>The idea here is of course not able to detect all malware , even though the article claims that it is .
It is designed to counter a specific technique malware can use to avoid detection : to interfere with the normal processing of a malware detector .
E.g. it can intercept kernel calls and lie to the malware detector ( or any other software ) about what the content of memory is .
This is something the malware has to be actually running at the time of the scan to do , and to be able to run it has to be in memory .
So if you swap out all code except the malware scanner ( including drivers and so on ) , and you nuke all memory except the scanner 's own code , then either the malware has to allow itself to be overwritten , or it has to remain in memory by intercepting the calls that would overwrite it .
The idea in the article is to use a hardware check-sum function that can not be intercepted .
At that point the malware scanner will be able to tell that the real , hardware checksum of the memory does not match the check-sum it computed on its own , so there must be a piece of software still running and lying about the content of memory .
Only malware would do that , so this technique defeats the malware technique of lying to a malware scanner about what is in memory .
Unfortunately the malware can of course still intercept the entire running of the malware scanner by not actually doing any scan at all and just displaying a message to the user that the malware scanner would normally display if there is no malware .
That is still a half victory , though , as then the malware has to know about all the malware detectors that are out there and will be out there , which is a huge amount of work that the malware authors may not be able to keep up with .
It could also just always display a message box saying " everything was fine " or it could crash the scanner , but then the user would possibly be able to tell that something is wrong .
A more sophisticated tactic would be to scan the scanner executable ( before it runs ) for the instructions that trigger the hardware mechanism , and replace those by different instructions that simply report the hash as it would be if there was no malware .
Maybe you could obfuscate that somehow , perhaps by having the scanner generate the instructions it runs in memory instead of having them all in the executable directly , and at that point it becomes yet another arms race where now it is the malware authors trying to detect something and it is the anti-malware people trying to hide .
Unfortunately the type of scan proposed requires a hardware check-sum mechanism , it requires the OS to be able to swap every single part of itself to disk for an extended period of time ( it then wo n't be able to respond to interrupts ) and it still is not flawless .
Still , it does make life more difficult for malware authors .</tokentext>
<sentencetext>The idea here is of course not able to detect all malware, even though the article claims that it is.
It is designed to counter a specific technique malware can use to avoid detection: to interfere with the normal processing of a malware detector.
E.g. it can intercept kernel calls and lie to the malware detector (or any other software) about what the content of memory is.
This is something the malware has to be actually running at the time of the scan to do, and to be able to run it has to be in memory.
So if you swap out all code except the malware scanner (including drivers and so on), and you nuke all memory except the scanner's own code, then either the malware has to allow itself to be overwritten, or it has to remain in memory by intercepting the calls that would overwrite it.
The idea in the article is to use a hardware check-sum function that cannot be intercepted.
At that point the malware scanner will be able to tell that the real, hardware checksum of the memory does not match the check-sum it computed on its own, so there must be a piece of software still running and lying about the content of memory.
Only malware would do that, so this technique defeats the malware technique of lying to a malware scanner about what is in memory.
Unfortunately the malware can of course still intercept the entire running of the malware scanner by not actually doing any scan at all and just displaying a message to the user that the malware scanner would normally display if there is no malware.
That is still a half victory, though, as then the malware has to know about all the malware detectors that are out there and will be out there, which is a huge amount of work that the malware authors may not be able to keep up with.
It could also just always display a message box saying "everything was fine" or it could crash the scanner, but then the user would possibly be able to tell that something is wrong.
A more sophisticated tactic would be to scan the scanner executable (before it runs) for the instructions that trigger the hardware mechanism, and replace those by different instructions that simply report the hash as it would be if there was no malware.
Maybe you could obfuscate that somehow, perhaps by having the scanner generate the instructions it runs in memory instead of having them all in the executable directly, and at that point it becomes yet another arms race where now it is the malware authors trying to detect something and it is the anti-malware people trying to hide.
Unfortunately the type of scan proposed requires a hardware check-sum mechanism, it requires the OS to be able to swap every single part of itself to disk for an extended period of time (it then won't be able to respond to interrupts) and it still is not flawless.
Still, it does make life more difficult for malware authors.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484652</id>
	<title>I can do better - guarantee no malware ever!</title>
	<author>Anonymous</author>
	<datestamp>1268679360000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>It's really very simple. A machine with no writable storage and no network connection.</p><p>The problem, which also exists for the proposed detection solution, is that the result isn't necessarily very useful in a real world scenario. So, he detects malware swapping itself out by noticing a delay? What about false positives? Heavy system load -&gt; your machine must be infected. Real time software (SCADA, DCS, etc.) -&gt; your machine must be infected. And then what? You've been told that your machine is infected, and that somewhere in the 4GB of RAM is a piece of malware. What do you do? Waste a day hunting for the non-existent Wolf? And then what, after you've found nothing? Put the machine back online with a Hope and a Prayer? Leave it offline and useless? People will simply learn to ignore these alerts, and the whole solution becomes useless.</p><p>At least with the cat and mouse game that we have now (AV and anti-spyware software) when they flag something it becomes actionable. Even false positives are actionable because you're looking for the specific piece of malware that flagged. People get to tell their boss either "Yes, I found and disinfected Foo..." or "It was a false positive that appeared to be Foo but wasn't", either of which generally reassures their bosses that their employees know what they are doing. The answer "I don't know what it was, it might or might not be an infection, I'll never know for sure... and btw, do you want to turn that control system back on?" tends to lead to unhappy bosses.</p><p>Besides which, I'm not sure it's even technically possible. How long would it take to hash the entire memory? Can it even be done without writing to memory?</p></htmltext>
<tokenext>It 's really very simple .
A machine with no writable storage and no network connection . The problem , which also exists for the proposed detection solution , is that the result is n't necessarily very useful in a real world scenario .
So , he detects malware swapping itself out by noticing a delay ?
What about false positives ?
Heavy system load - &gt; your machine must be infected .
Real time software ( SCADA , DCS , etc. ) - &gt; your machine must be infected .
And then what ?
You 've been told that your machine is infected , and that somewhere in the 4GB of RAM is a piece of malware .
What do you do ?
Waste a day hunting for the non-existent Wolf ?
And then what , after you 've found nothing ?
Put the machine back online with a Hope and a Prayer ?
Leave it offline and useless ?
People will simply learn to ignore these alerts , and the whole solution becomes useless . At least with the cat and mouse game that we have now ( AV and anti-spyware software ) when they flag something it becomes actionable .
Even false positives are actionable because you 're looking for the specific piece of malware that flagged .
People get to tell their boss either " Yes , I found and disinfected Foo... " or " It was a false positive that appeared to be Foo but was n't " , either of which generally reassures their bosses that their employees know what they are doing .
The answer " I do n't know what it was , it might or might not be an infection , I 'll never know for sure... and btw , do you want to turn that control system back on ?
" tends to lead to unhappy bosses . Besides which , I 'm not sure it 's even technically possible .
How long would it take to hash the entire memory ?
Can it even be done without writing to memory ?</tokentext>
<sentencetext>It's really very simple.
A machine with no writable storage and no network connection. The problem, which also exists for the proposed detection solution, is that the result isn't necessarily very useful in a real world scenario.
So, he detects malware swapping itself out by noticing a delay?
What about false positives?
Heavy system load -&gt; your machine must be infected.
Real time software (SCADA, DCS, etc.) -&gt; your machine must be infected.
And then what?
You've been told that your machine is infected, and that somewhere in the 4GB of RAM is a piece of malware.
What do you do?
Waste a day hunting for the non-existent Wolf?
And then what, after you've found nothing?
Put the machine back online with a Hope and a Prayer?
Leave it offline and useless?
People will simply learn to ignore these alerts, and the whole solution becomes useless. At least with the cat and mouse game that we have now (AV and anti-spyware software) when they flag something it becomes actionable.
Even false positives are actionable because you're looking for the specific piece of malware that flagged.
People get to tell their boss either "Yes, I found and disinfected Foo..." or "It was a false positive that appeared to be Foo but wasn't", either of which generally reassures their bosses that their employees know what they are doing.
The answer "I don't know what it was, it might or might not be an infection, I'll never know for sure... and btw, do you want to turn that control system back on?
" tends to lead to unhappy bosses. Besides which, I'm not sure it's even technically possible.
How long would it take to hash the entire memory?
Can it even be done without writing to memory?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483940</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268676780000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>5. When you invented autorun, what the hell were your engineers smoking to make that seem like a good idea?<br>6. Icons in executables plus hidden extensions... whoever did that, I hope they were fired.<br>7. The user should not be running everything with administrative access. Not even on a standalone box. Not even a home user. No. Just... no.<br>7a. And no, you can't work around it by having a 'click this to be an admin' box that pops up so often people stop noticing it!</p></htmltext>
<tokenext>5 .
When you invented autorun , what the hell were your engineers smoking to make that seem like a good idea ? 6 .
Icons in executables plus hidden extensions... whoever did that , I hope they were fired . 7. The user should not be running everything with administrative access .
Not even on a standalone box .
Not even a home user .
No. Just... no. 7a. And no , you ca n't work around it by having a 'click this to be an admin ' box that pops up so often people stop noticing it !</tokentext>
<sentencetext>5.
When you invented autorun, what the hell were your engineers smoking to make that seem like a good idea?6.
Icons in executables plus hidden extensions... whoever did that, I hope they were fired. 7. The user should not be running everything with administrative access.
Not even on a standalone box.
Not even a home user.
No. Just... no. 7a. And no, you can't work around it by having a 'click this to be an admin' box that pops up so often people stop noticing it!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484376</id>
	<title>Re:Theory and hand-waving</title>
	<author>raddan</author>
	<datestamp>1268678460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Well, I suspect that allowing your evil program to swap out would make implementing an evil hypervisor very difficult, so that's one rootkit tactic that you can largely eliminate with this technique.  I'm not entirely convinced that this method is practical, though, but it's an interesting idea.</htmltext>
<tokenext>Well , I suspect that allowing your evil program to swap out would make implementing an evil hypervisor very difficult , so that 's one rootkit tactic that you can largely eliminate with this technique .
I 'm not entirely convinced that this method is practical , though , but it 's an interesting idea .</tokentext>
<sentencetext>Well, I suspect that allowing your evil program to swap out would make implementing an evil hypervisor very difficult, so that's one rootkit tactic that you can largely eliminate with this technique.
I'm not entirely convinced that this method is practical, though, but it's an interesting idea.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483736</id>
	<title>Looks a lot like Pioneer from SOSP 2005</title>
	<author>sseshan</author>
	<datestamp>1268675880000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>This looks a lot like Pioneer:</p><p>Seshadri, Arvind, Mark Luk, Elaine Shi, Adrian Perrig, Leendert van Doorn, and Pradeep Khosla.<br>"Pioneer: Verifying Integrity and Guaranteeing Execution of Code on Legacy Platforms."<br>In Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), Brighton, United Kingdom, October 2005.</p><p><a href="http://sparrow.ece.cmu.edu/~adrian/projects/pioneer.pdf" title="cmu.edu" rel="nofollow">http://sparrow.ece.cmu.edu/~adrian/projects/pioneer.pdf</a> [cmu.edu]</p></htmltext>
<tokenext>This looks a lot like Pioneer : Seshadri , Arvind , Mark Luk , Elaine Shi , Adrian Perrig , Leendert van Doorn , and Pradeep Khosla .
" Pioneer : Verifying Integrity and Guaranteeing Execution of Code on Legacy Platforms . "
In Proceedings of the ACM Symposium on Operating Systems Principles ( SOSP ) , Brighton , United Kingdom , October 2005 . http://sparrow.ece.cmu.edu/~adrian/projects/pioneer.pdf [ cmu.edu ]</tokentext>
<sentencetext>This looks a lot like Pioneer:Seshadri, Arvind, Mark Luk, Elaine Shi, Adrian Perrig, Leendert van Doorn, and Pradeep Khosla.
"Pioneer: Verifying Integrity and Guaranteeing Execution of Code on Legacy Platforms.
"In Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), Brighton, United Kingdom, October 2005.http://sparrow.ece.cmu.edu/~adrian/projects/pioneer.pdf [cmu.edu]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485374</id>
	<title>How did something so asinine make the front page?</title>
	<author>Anonymous</author>
	<datestamp>1268682120000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Here's a simple example to show why the author of the paper is a fraud or a fool (or both):<br>the malware - presumably sitting in RAM with admin privileges, will simply detect the scanner being loaded,<br>overwrite its "is infected? Y/N" code with "is infected? N/N" code, and be done with it.</p><p>This is even glossing over all the different kinds of magic you can do with page table manipulation and exploiting the fact that a scanner cannot check all bytes in RAM at the same time.  No flaky "timer delay detection" is going to fix that either, since presumably other processes will be allowed to run during the scan.</p><p>Once a machine has been compromised, you're out of luck when it comes to guarantees.  Anyone who claims otherwise is either an idiot, a liar, or both.</p></htmltext>
<tokenext>Here 's a simple example to show why the author of the paper is a fraud or a fool ( or both ) : the malware - presumably sitting in ram with admin privileges , will simply detect the scanner being loaded,overwrite it 's " is infected ?
Y/N " code with " is infected ?
N/N " code , and be done with it . This is even glossing over all the different kinds of magic you can do with page table manipulation and exploiting the fact that a scanner can not check all bytes in RAM at the same time .
No flaky " timer delay detection " is going to fix that either , since presumably other processes will be allowed to run during the scan . Once a machine has been compromised , you 're out of luck when it comes to guarantees .
Anyone who claims otherwise is either an idiot , a liar , or both .</tokentext>
<sentencetext>Here's a simple example to show why the author of the paper is a fraud or a fool (or both):the malware - presumably sitting in ram with admin privileges, will simply detect the scanner being loaded,overwrite it's "is infected?
Y/N" code with "is infected?
N/N" code, and be done with it. This is even glossing over all the different kinds of magic you can do with page table manipulation and exploiting the fact that a scanner cannot check all bytes in RAM at the same time.
No flaky "timer delay detection" is going to fix that either, since presumably other processes will be allowed to run during the scan. Once a machine has been compromised, you're out of luck when it comes to guarantees.
Anyone who claims otherwise is either an idiot, a liar, or both.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483284</id>
	<title>False positives?</title>
	<author>Andy Dodd</author>
	<datestamp>1268674080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Yeah you can detect that SOMETHING is there, but how do you determine whether that something is supposed to be there or not?</p><p>If you assume all "somethings" are not supposed to be there, you'll have a worse situation than UAC with users being prompted all the time and getting conditioned to click "yes".</p><p>After reading the article, it seems no different from doing an offline scan using ClamAV from a LiveCD except maybe slightly more convenient.  You boot a "secure" detection mechanism in place of whatever is normally operating on the machine.</p><p>The hooks needed to do it as described (which implies a hypervisor-esque antivirus/antimalware solution) would provide malware authors new vectors with which to attack systems, potentially vectors that would allow malware to escape from the likes of an "antivirus on LiveCD" solution.</p></htmltext>
<tokenext>Yeah you can detect that SOMETHING is there , but how do you determine whether that something is supposed to be there or not ? If you assume all " somethings " are not supposed to be there , you 'll have a worse situation than UAC with users being prompted all the time and getting conditioned to click " yes " .After reading the article , it seems no different from doing an offline scan using ClamAV from a LiveCD except maybe slightly more convenient .
You boot a " secure " detection mechanism in place of whatever is normally operating on the machine.The hooks needed to do it as described ( which implies a hypervisor-esque antivirus/antimalware solution ) would provide malware authors new vectors with which to attack systems , potentially vectors that would allow malware to escape from the likes of an " antivirus on LiveCD " solution .</tokentext>
<sentencetext>Yeah you can detect that SOMETHING is there, but how do you determine whether that something is supposed to be there or not?If you assume all "somethings" are not supposed to be there, you'll have a worse situation than UAC with users being prompted all the time and getting conditioned to click "yes".After reading the article, it seems no different from doing an offline scan using ClamAV from a LiveCD except maybe slightly more convenient.
You boot a "secure" detection mechanism in place of whatever is normally operating on the machine.The hooks needed to do it as described (which implies a hypervisor-esque antivirus/antimalware solution) would provide malware authors new vectors with which to attack systems, potentially vectors that would allow malware to escape from the likes of an "antivirus on LiveCD" solution.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486142</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268684760000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>1) Users have to care first. Users will never care. They want their computer to be like their phone. Pick it up, use it, be done with it. It doesn't matter if they can't treat it like that. They will.<br>2) Microsoft will not stand for it. Losing battle.<br>3) See number 2.<br>4) See number 1. They're entirely too lazy to figure that out.</p><p>I agree that your ideas would be nice, but between Microsoft being lazy and users being lazy, you will never get any of these things. So for now, we're stuck with the shittastic arrangement of always treating the symptoms. Welcome to IT.</p></htmltext>
<tokenext>1 ) Users have to care first .
Users will never care .
They want their computer to be like their phone .
Pick it up , use it , be done with it .
It does n't matter if they ca n't treat it like that .
They will.2 ) Microsoft will not stand for it .
Losing battle.3 ) See number 2.4 ) See number 1 .
They 're entirely too lazy to figure that out.I agree that your ideas would be nice , but between Microsoft being lazy and users being lazy , you will never get any of these things .
So for now , we 're stuck with the shittastic arrangement of always treating the symptoms .
Welcome to IT .</tokentext>
<sentencetext>1) Users have to care first.
Users will never care.
They want their computer to be like their phone.
Pick it up, use it, be done with it.
It doesn't matter if they can't treat it like that.
They will.2) Microsoft will not stand for it.
Losing battle.3) See number 2.4) See number 1.
They're entirely too lazy to figure that out.I agree that your ideas would be nice, but between Microsoft being lazy and users being lazy, you will never get any of these things.
So for now, we're stuck with the shittastic arrangement of always treating the symptoms.
Welcome to IT.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31494210</id>
	<title>Firmware / BIOS malware?</title>
	<author>RichiH</author>
	<datestamp>1268748780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Our GPUs are becoming more and more multi-purpose every day.</p><p>But that is not the real threat... Suppose I install my crap in your network interface's firmware and just drop packages I don't want you to see (think "rocket incoming" or "stock falling"). Yes, those are high-level examples and yes, this approach is more or less 'outside' the system.</p><p>But if I just feed crap into your system, are you _sure_ every device driver is hardened? And what context do device drivers run in? Kernel context? Oops...</p></htmltext>
<tokenext>Our GPU are becoming more and more multi-purpose every day.But that is not the real threat... Suppose I install my crap in your network interface 's firmware and just drop packages I do n't want you to see ( think " rocket incoming " or " stock falling " ) .
Yes , those are high-level examples and yes , this approach is more or less 'outside ' the system.But if I just feed crap into your system , are you _sure_ every device driver is hardened ?
And what context do device drivers run in ?
Kernel context ?
Oups.. .</tokentext>
<sentencetext>Our GPUs are becoming more and more multi-purpose every day.But that is not the real threat... Suppose I install my crap in your network interface's firmware and just drop packages I don't want you to see (think "rocket incoming" or "stock falling").
Yes, those are high-level examples and yes, this approach is more or less 'outside' the system.But if I just feed crap into your system, are you _sure_ every device driver is hardened?
And what context do device drivers run in?
Kernel context?
Oops...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484170</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268677680000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>3. Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.</p><p>www.rooms.hp.com<br>oracle web conferencing</p></htmltext>
<tokenext>3 .
Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.www.rooms.hp.comoracle web conferencing</tokentext>
<sentencetext>3.
Kill ActiveX - I know of no legitimate website besides Microsoft.com that requires ActiveX.www.rooms.hp.comoracle web conferencing</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31500458</id>
	<title>The absolutely fatal assumption</title>
	<author>jamie(really)</author>
	<datestamp>1268772600000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>Defending against adversarial strategy 4 &ndash; modify detection code. The security against adversarial strategy 4 follows directly from assumption 2 (code optimality), with the exception of a &ldquo;kamikaze strategy&rdquo; in which the adversary corrupts the execution of some of the steps (as described in section 3), and then willingly loads legitimate code and removes itself. <b>Such an adversary could only corrupt step 1 of the process, as it will have to be overwritten during step 2 to avoid detection.</b> Moreover, it needs to correctly perform the setup in step 1; this means that the only harm it can do is to cause an incorrect state to be swapped out in step 1. It can write anything it wants to swap space. It can place a copy of itself in the swap space, or a copy of a legitimate but vulnerable application, with an input triggering an opportunity for malware to be loaded. However, the swap space will be scanned along with all other memory during step 5, and any known malicious configuration will be detected.</p></div><p>If an adversary corrupts stage 1, <i>there is no stage 2</i>, just a fake stage 2.</p><p>Holy shit. Seriously. Did this guy also certify the DRM for Ass Creed 2?</p>
	</htmltext>
<tokenext>Defending against adversarial strategy 4    modify detection code .
The security against adversarial strategy 4 follows directly from assumption 2 ( code optimality ) , with the exception of a    kamikaze strategy    in which the adversary corrupts the execution of some of the steps ( as described in section 3 ) , and then willingly loads legitimate code and removes itself .
Such an adversary could only corrupt step 1 of the process , as it will have to be overwritten during step 2 to avoid detection .
Moreover , it needs to correctly perform the setup in step 1 ; this means that the only harm it can do is to cause an incorrect state to be swapped out in step 1 .
It can write anything it wants to swap space .
It can place a copy of itself in the swap space , or a copy of a legitimate but vulnerable application , with an input triggering an opportunity for malware to be loaded .
However , the swap space will be scanned along with all other memory during step 5 , and any known malicious configuration will be detected.If an adversary corrupts stage 1 , there is no stage 2 , just a fake stage 2.Holy shit .
Seriously. Did this guy also certify the DRM for Ass Creed 2 ?</tokentext>
<sentencetext>Defending against adversarial strategy 4 – modify detection code.
The security against adversarial strategy 4 follows directly from assumption 2 (code optimality), with the exception of a “kamikaze strategy” in which the adversary corrupts the execution of some of the steps (as described in section 3), and then willingly loads legitimate code and removes itself.
Such an adversary could only corrupt step 1 of the process, as it will have to be overwritten during step 2 to avoid detection.
Moreover, it needs to correctly perform the setup in step 1; this means that the only harm it can do is to cause an incorrect state to be swapped out in step 1.
It can write anything it wants to swap space.
It can place a copy of itself in the swap space, or a copy of a legitimate but vulnerable application, with an input triggering an opportunity for malware to be loaded.
However, the swap space will be scanned along with all other memory during step 5, and any known malicious configuration will be detected.If an adversary corrupts stage 1, there is no stage 2, just a fake stage 2.Holy shit.
Seriously. Did this guy also certify the DRM for Ass Creed 2?
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31487444</id>
	<title>Re:Some amazingly bad assumptions</title>
	<author>noidentity</author>
	<datestamp>1268646240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Obviously his solution is a computer without any RAM (or ROM). Zero bytes means no space for malware means NO MALWARE. This guy is a genius.</htmltext>
<tokenext>Obviously his solution is a computer without any RAM ( or ROM ) .
Zero bytes means no space for malware means NO MALWARE .
This guy is a genius .</tokentext>
<sentencetext>Obviously his solution is a computer without any RAM (or ROM).
Zero bytes means no space for malware means NO MALWARE.
This guy is a genius.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483414</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484836</id>
	<title>Until...</title>
	<author>ChaosCon</author>
	<datestamp>1268679960000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I'm finding more and more that whenever I hear things like 'Any program &mdash; good or bad &mdash; that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte.' I immediately think "yeah, until they change/patch/fix/rewrite/figure a way around that."</htmltext>
<tokenext>I 'm finding more and more that whenever I hear things like 'Any program    good or bad    that wants to be active in RAM has no choice but to take up some space in RAM .
At least one byte .
' I immediately think " yeah , until they change/patch/fix/rewrite/figure a way around that .
"</tokentext>
<sentencetext>I'm finding more and more that whenever I hear things like 'Any program — good or bad — that wants to be active in RAM has no choice but to take up some space in RAM.
At least one byte.
' I immediately think "yeah, until they change/patch/fix/rewrite/figure a way around that.
"</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486290</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Stick32</author>
	<datestamp>1268685360000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>How about we change things in Windows so it actually prevents infection in the first place?</p><p>1.  Educate users.  Microsoft does a piss-poor job of this...</p></div><p>OK, if you can do the first step to a satisfactory degree with 90% of all Windows users without blowing your or some idiot's brains out.  I'll see to the other 3 steps personally.</p>
	</htmltext>
<tokenext>How about we change things in Windows so it actually prevents infection in the first place ? 1 .
Educate users .
Microsoft does a piss-poor job of this...OK , if you can do the first step to a satisfactory degree with 90 % of all windows users without blowing your or some idiots brains out .
I 'll see to the other 3 steps personally .</tokentext>
<sentencetext>How about we change things in Windows so it actually prevents infection in the first place?1.
Educate users.
Microsoft does a piss-poor job of this...OK, if you can do the first step to a satisfactory degree with 90% of all Windows users without blowing your or some idiot's brains out.
I'll see to the other 3 steps personally.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485252</id>
	<title>What an utterly useless idea.</title>
	<author>nuckfuts</author>
	<datestamp>1268681640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Even if this scheme worked as described, it is useless. In the case of malware resident in RAM, it would do absolutely nothing to identify what malware is present or how it got loaded into RAM.</p><p>In the case of malware resident on disk, it presents no solution at all for detection. The author evidently believes that 100% effective malware scanners exist, and that if malware is stored on disk it is "guaranteed" to be detected.</p><p>An effective anti-malware detection scheme is going to have to do a hell of a lot more than produce a one-byte boolean report.</p></htmltext>
<tokenext>Even if this scheme worked as described , it useless .
In the case of malware resident in RAM , it would do absolutely nothing to identify what malware is present or how got loaded into RAM.In the case of malware resident on disk , it presents no solution at all for detection .
The author evidently believes that 100 % effective malware scanners exist , and that if malware is stored on disk it is " gauranteed " to be detected.An effective anti-malware detection scheme is going to have to do a hell of a lot more than produce a one-byte boolean report .</tokentext>
<sentencetext>Even if this scheme worked as described, it is useless.
In the case of malware resident in RAM, it would do absolutely nothing to identify what malware is present or how it got loaded into RAM.In the case of malware resident on disk, it presents no solution at all for detection.
The author evidently believes that 100% effective malware scanners exist, and that if malware is stored on disk it is "guaranteed" to be detected.An effective anti-malware detection scheme is going to have to do a hell of a lot more than produce a one-byte boolean report.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483656</id>
	<title>Re:Theory and Reality</title>
	<author>n1ywb</author>
	<datestamp>1268675520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>A rootkit that is AWARE of this detection mechanism ought to be able to defeat it easily by just overwriting the computed and expected keys in the detector's memory space with a random number. No delay, the values are equal, so no problem, right? Wrong. The only way to make this really work would be for the detector to have direct hardware access to the machine's RAM but be running on a different uninfected machine. That's theoretically possible, but not really practical with out-of-the-box hardware.</htmltext>
<tokenext>A rootkit that is AWARE of this detection mechanism ought to be able to defeat it easily by just overwriting the computed and expected keys in the detectors memory space with a random number .
No delay , the values are equal , so no problem right ?
Wrong. The only way to make this really work would be for the detector to have direct hardware access to the machine 's RAM but be running on a different uninfected machine .
That 's theoretically possible , but not really practical with out of the box hardware .</tokentext>
<sentencetext>A rootkit that is AWARE of this detection mechanism ought to be able to defeat it easily by just overwriting the computed and expected keys in the detector's memory space with a random number.
No delay, the values are equal, so no problem right?
Wrong. The only way to make this really work would be for the detector to have direct hardware access to the machine's RAM but be running on a different uninfected machine.
That's theoretically possible, but not really practical with out-of-the-box hardware.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485302</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268681820000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>To point 1.  Couldn't agree more.  But how many people are 'I know better'?  Esp. around here...</p><p>To point 2.  An extension is just as good as any other method you can think of.</p><p>Put it in the file.  You are still depending on the file being 'correct'.<br>Put it in some other stream.  You are still depending on the 'other stream' to be 'correct'.</p><p>What you really want is some way of saying 'this is an executable'.  But if you do that, anything else can be turned into an executable by just saying 'yes this really is an executable'.  I could do that with a txt file...</p><p>A file rename is no worse an attack vector than chmod.  If you give me a way to change the state in some way I will just call that instead of rename...</p><p>You are not fixing the problem.  Just moving it somewhere else.</p><p>To point 3.  ActiveX had its day.  Its day has gone.  Yes it should 'die'.  But they were doing something that Firefox does (and quite well at that).  They were giving the ability to extend the browser.  They did a piss-poor job of it no doubt.  Before ActiveX the browser extension market was amazingly bad.  But you're right, it is time for it to 'go'.</p><p>To point 4.  See point 3.  Really?  I have already managed to root your computer enough to make your computer download something without you seeing it.  Do you really think it is that big of a stretch to call chmod?  All you did was annoy the virus writer a bit.</p><p>Security on a computer usually is as simple as your point 1.  Do not download stupid junk and run it.  But all you have come up with is the whitelist.  Which in and of itself is 'ok'.  But not an end-all be-all.</p></htmltext>
<tokenext>To point 1 .
Couldnt agree more .
But how many people are 'I know better ' ?
Esp around here...To point 2 .
An extension is just as good as any other method you can think of.Put it in the file .
You are still depending on the file begin 'correct'.Put it in some other stream .
You are still depending on the 'other stream ' to be 'correct'.What you really want is some way of saying 'this is an executable' .
But if you do that , anything else can be turned into an executable but just saying 'yes this really is an executable' .
I could do that with a txt file...A file rename is no worse an attack vector than chmod .
If you give me a way to change the state in some way I will just call that instead of rename...You are not fixing the problem .
Just moving it somewhere else.To point 3 .
ActiveX had its day .
Its day has gone .
Yes it should 'die' .
But they were doing something that Firefox does ( and quite well at that ) .
They were giving the ability to extend the browser .
They did a piss poor job of it no doubt .
Before ActiveX the browser extension market was amazingly bad .
But your right it is time for it to 'go'.To point 4 .
See point 3 .
Really ? I have already managed to root your computer enough to make your computer download something without you seeing it .
Do you really think it is that big of a stretch to call chmod ?
All you did was annoy the virus writer a bit.Security on a computer usually is as simple as your point 1 .
Do not download stupid junk and run it .
But all you have come up with is the whitelist .
Which in and of itself is 'ok' .
But not an end all be all .</tokentext>
<sentencetext>To point 1.
Couldn't agree more.
But how many people are 'I know better'?
Esp. around here...To point 2.
An extension is just as good as any other method you can think of.Put it in the file.
You are still depending on the file being 'correct'.Put it in some other stream.
You are still depending on the 'other stream' to be 'correct'.What you really want is some way of saying 'this is an executable'.
But if you do that, anything else can be turned into an executable by just saying 'yes this really is an executable'.
I could do that with a txt file...A file rename is no worse an attack vector than chmod.
If you give me a way to change the state in some way I will just call that instead of rename...You are not fixing the problem.
Just moving it somewhere else.To point 3.
ActiveX had its day.
Its day has gone.
Yes it should 'die'.
But they were doing something that Firefox does (and quite well at that).
They were giving the ability to extend the browser.
They did a piss poor job of it no doubt.
Before ActiveX the browser extension market was amazingly bad.
But you're right, it is time for it to 'go'.To point 4.
See point 3.
Really?  I have already managed to root your computer enough to make your computer download something without you seeing it.
Do you really think it is that big of a stretch to call chmod?
All you did was annoy the virus writer a bit.Security on a computer usually is as simple as your point 1.
Do not download stupid junk and run it.
But all you have come up with is the whitelist.
Which in and of itself is 'ok'.
But not an end-all be-all.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483368</id>
	<title>Re:Theory and hand-waving</title>
	<author>taustin</author>
	<datestamp>1268674320000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>This proposal isn't to detect <em>what</em> malware is present, or to remove it. It is only to detect that there is <em>some</em> malware present, which can then lead to more thorough scanning to detect and remove. Knowing that <em>something</em> is there is half the battle.</p></htmltext>
<tokenext>This proposal is n't to detect what malware is present , or to remove it .
It is onl to detect that there is some malware present , which can then lean to more thorough scanning to detect and remove .
Knowing that something is there is half the battle .</tokentext>
<sentencetext>This proposal isn't to detect what malware is present, or to remove it.
It is only to detect that there is some malware present, which can then lead to more thorough scanning to detect and remove.
Knowing that something is there is half the battle.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483932</id>
	<title>Remove the article from slashdot</title>
	<author>cfoushee</author>
	<datestamp>1268676780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I read practically every response here on Slashdot as well as the ones posted by everyone on the article itself.  Everyone knows the article is crap, and shoots so many holes in it that it's not even worthy to be listed here on Slashdot.  I'm not one to make direct personal attacks and like to give people the benefit of the doubt, but whoever posted this article should have known this article is without technical merit, or they were just asleep at the helm.  Either way they should apologize and remove the article from rotation.</htmltext>
<tokenext>I read practically every response here on Slashdot as well as the ones posted by everyone on the article itself .
Everyone knows the article is crap , and shoots so many holes in that its not even worthy to be listed here on Slashdot .
I 'm not one to make direct personal attacks and like to give people the benefit of the doubt but whoever posted this article should have known this article is without technical merit , or they were just asleep at the helm .
Either way they should apologize and remove the article from rotation .</tokentext>
<sentencetext>I read practically every response here on Slashdot as well as the ones posted by everyone on the article itself.
Everyone knows the article is crap, and shoots so many holes in it that it's not even worthy to be listed here on Slashdot.
I'm not one to make direct personal attacks and like to give people the benefit of the doubt but whoever posted this article should have known this article is without technical merit, or they were just asleep at the helm.
Either way they should apologize and remove the article from rotation.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483336</id>
	<title>Re:"Guarantee"</title>
	<author>Hatta</author>
	<datestamp>1268674260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I guarantee there's at least one thing that can be guaranteed.</p></htmltext>
<tokenext>I guarantee there 's at least one thing that can be guaranteed .</tokentext>
<sentencetext>I guarantee there's at least one thing that can be guaranteed.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483256</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483732</id>
	<title>Re:Which one is the detector?</title>
	<author>Anonymous</author>
	<datestamp>1268675880000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Or malware that changes the total amount of RAM appearing to be available for the operating system? Good ol' boot sector virii did that. 20 years ago.</p></htmltext>
<tokenext>Or malware that changes the total amount of RAM appearing to be available for the operating system ?
Good ol ' boot sector virii did that .
20 years ago .</tokentext>
<sentencetext>Or malware that changes the total amount of RAM appearing to be available for the operating system?
Good ol' boot sector virii did that.
20 years ago.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483202</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31488872</id>
	<title>It's a game...</title>
	<author>Anonymous</author>
	<datestamp>1268652540000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>The only way you can't lose, is by not playing.</p></htmltext>
<tokenext>The only way you ca n't lose , is by not playing .</tokentext>
<sentencetext>The only way you can't lose, is by not playing.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484112</id>
	<title>In another news</title>
	<author>oxygen_deprived</author>
	<datestamp>1268677440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>a dummy with slashdot id of oxygen_deprived claims that he can guarantee breaking 256 bit AES in 3 seconds given the following <br>
a. A piece of known plaintext <br>
b. A piece of cipher text corresponding to the known plaintext <br>
c. An external encryptocomparer (yeah, I made that up, also, patent pending in some country) that can generate, compute and compare 2^256 keys per second</htmltext>
<tokenext>a dummy with slashdot id of oxygen_deprived claims that he can guarantee breaking 256 bit AES in 3 seconds given the following a. A piece of known plaintext b. A piece of cipher text corresponding to the known plaintext c. An external encryptocomparer ( yeah , I made that up , also , patent pending in some country ) that can generate , compute and compare 2 ^ 256 keys per second</tokentext>
<sentencetext>a dummy with slashdot id of oxygen_deprived claims that he can guarantee breaking 256 bit AES in 3 seconds given the following
a. A piece of known plaintext
b. A piece of cipher text corresponding to the known plaintext
c. An external encryptocomparer (yeah, I made that up, also, patent pending in some country) that can generate, compute and compare 2^256 keys per second</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483470</id>
	<title>Re:Theory and Reality</title>
	<author>dmgxmichael</author>
	<datestamp>1268674680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Agreed - couple this with the reality that at least half and probably more of all malware today is packed in with programs the user installed. I don't know how much BearShare and similar crap I've had to clean off relatives' computers. This technique does nothing to stop malware of that nature - no antivirus technique known can stop the user from installing programs that do stuff other than what they advertise to do.</htmltext>
<tokenext>Agreed - couple this with the reality that at least half and probably more of all malware today is packed in with programs the user installed .
I do n't know how much BearShare and similar crap I 've had to clean off relatives ' computers .
This technique does nothing to stop malware of that nature - no antivirus technique known can stop the user from installing programs that do stuff other than what they advertise to do .</tokentext>
<sentencetext>Agreed - couple this with the reality that at least half and probably more of all malware today is packed in with programs the user installed.
I don't know how much BearShare and similar crap I've had to clean off relatives' computers.
This technique does nothing to stop malware of that nature - no antivirus technique known can stop the user from installing programs that do stuff other than what they advertise to do.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31489098</id>
	<title>Re:Theory and Reality</title>
	<author>Anonymous</author>
	<datestamp>1268653920000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>That's a good question.  Maybe if you read the article, you'd know the answer.</p></htmltext>
<tokenext>Thats a good question .
Maybe if you read the article , you 'd know the answer .</tokentext>
<sentencetext>That's a good question.
Maybe if you read the article, you'd know the answer.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484248</id>
	<title>Re:Theory and hand-waving</title>
	<author>Anonymous</author>
	<datestamp>1268677980000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Just a sec, let me implement the algorithm in DTrace and see if it really works... uh, almost.  Actually there is nothing special about the memory verification (DEADBEEF anyone?), the timing of the access is what makes this approach somewhat unique, interesting and probably impractical for real world software environments.  Downscale this so that it can look at all of the memory in your phone and either your battery, CPU or bandwidth are going to be taken up by this "external verifier".  I don't know about you, but I'm tired of approaches where most of the power of my computer is being consumed keeping male-ware out.  I'd just as soon take my chances with a well-designed OS that doesn't give global root access to all applications.</p></htmltext>
<tokenext>Just a sec , let me implement the algorithm in Dtrace and see if it really works... uh almost .
Actually there is nothing special about the memory verification ( DEADBEEF anyone ?
) , the timing of the access is what makes this approach somewhat unique , interesting and probably impractical for real world software environments .
Downscale this so that it can look at all of the memory in your phone and either your battery , CPU or bandwidth are going to be taken up by this " external verifier " .
I do n't know about you , but I 'm tired of approaches where most of the power of my computer is being consumed keeping male-ware out .
I 'd just as soon take my chances with a well-designed OS that does n't give global root access to all applications .</tokentext>
<sentencetext>Just a sec, let me implement the algorithm in Dtrace and see if it really works... uh almost.
Actually there is nothing special about the memory verification (DEADBEEF anyone?
), the timing of the access is what makes this approach somewhat unique, interesting and probably impractical for real world software environments.
Downscale this so that it can look at all of the memory in your phone and either your battery, CPU or bandwidth are going to be taken up by this "external verifier".
I don't know about you, but I'm tired of approaches where most of the power of my computer is being consumed keeping male-ware out.
I'd just as soon take my chances with a well-designed OS that doesn't give global root access to all applications.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148</id>
	<title>Theory and Reality</title>
	<author>Anonymous</author>
	<datestamp>1268673660000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext>In theory, theory and reality are equivalent.  In reality, they are quite different...<br> <br>
Seriously, how could this possibly work for ALL (including undocumented, and heretofore unknown) threats?  And if it does it by reading straight from RAM (through the kernel), wouldn't a rootkit be able to trivially defeat that?</htmltext>
<tokenext>In theory , theory and reality are equivalent .
In reality , they are quite different.. . Seriously , how could this possibly work for ALL ( including undocumented , and heretofore unknown ) threats ?
And if it does it by reading straight from RAM ( through the kernel ) , would n't a rootkit be able to trivially defeat that ?</tokentext>
<sentencetext>In theory, theory and reality are equivalent.
In reality, they are quite different... 
Seriously, how could this possibly work for ALL (including undocumented, and heretofore unknown) threats?
And if it does it by reading straight from RAM (through the kernel), wouldn't a rootkit be able to trivially defeat that?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486636</id>
	<title>Re:Some amazingly bad assumptions</title>
	<author>Anonymous</author>
	<datestamp>1268686440000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>1 Attacker sends an ethernet packet to the PC, containing the part of a virus that the scanner uses as the virus signature.<br>2 The kernel pulls the packet into RAM using DMA.<br>
&nbsp; &nbsp; (even if the OS decides to drop the packet before the scanner runs, the packet data may not immediately be overwritten by another packet.)<br>3 This scanner finds the virus signature in RAM, and decides to kill the program that allocated that RAM (the OS...).<br>
&nbsp; &nbsp; There are several solutions for this problem, but they all require the scanner and the OS to cooperate, while the OS can't be trusted if it is already infected.</p><p>If a virus can get access to the operating system kernel, the solution is to fix your operating system, not to invent more scanners.</p></htmltext>
<tokenext>1 Attacker sends an ethernet packet to the PC , containing the part of a virus that the scanner uses as the virus signature . 2 The kernel pulls the packet into RAM using DMA .
    ( even if the OS decides to drop the packet before the scanner runs , the packet data may not immediately be overwritten by another packet .
) 3 This scanner finds the virus signature in RAM , and decides to kill the program that allocated that RAM ( the OS... ) .
    There are several solutions for this problem , but they all require the scanner and the OS to cooperate , while the OS ca n't be trusted if it is already infected . If a virus can get access to the operating system kernel , the solution is to fix your operating system , not to invent more scanners .</tokentext>
<sentencetext>1 Attacker sends an ethernet packet to the PC, containing the part of a virus that the scanner uses as the virus signature. 2 The kernel pulls the packet into RAM using DMA.
    (even if the OS decides to drop the packet before the scanner runs, the packet data may not immediately be overwritten by another packet.
) 3 This scanner finds the virus signature in RAM, and decides to kill the program that allocated that RAM (the OS...).
    There are several solutions for this problem, but they all require the scanner and the OS to cooperate, while the OS can't be trusted if it is already infected. If a virus can get access to the operating system kernel, the solution is to fix your operating system, not to invent more scanners.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483414</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31492738</id>
	<title>It's a flawed idea</title>
	<author>Anonymous</author>
	<datestamp>1268731380000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>This thing is pretty dumb, a better way to do it is boot off a CD or something and scan the disc, which would mean that you don't have to swap out the memory because *it is already clean*</htmltext>
<tokenext>This thing is pretty dumb , a better way to do it is boot off a CD or something and scan the disc , which would mean that you do n't have to swap out the memory because * it is already clean *</tokentext>
<sentencetext>This thing is pretty dumb, a better way to do it is boot off a CD or something and scan the disc, which would mean that you don't have to swap out the memory because *it is already clean*</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483588</id>
	<title>Re:Theory and Reality</title>
	<author>HungryHobo</author>
	<datestamp>1268675280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>ya. coming up with a reliable virus detection scheme for unknown viruses is pretty much in the same area as the halting problem.</p><p>Even detecting polymorphic viruses has been proven to be NP complete.</p></htmltext>
<tokenext>ya .
coming up with a reliable virus detection scheme for unknown viruses is pretty much in the same area as the halting problem.Even detecting polymorphic viruses has been proven to be NP complete .</tokentext>
<sentencetext>ya.
coming up with a reliable virus detection scheme for unknown viruses is pretty much in the same area as the halting problem.Even detecting polymorphic viruses has been proven to be NP complete.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486606</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268686380000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I read that first point as Execute users.</p><p>Still, it'd work.</p></htmltext>
<tokenext>I read that first point as Execute users.Still , it 'd work .</tokentext>
<sentencetext>I read that first point as Execute users.Still, it'd work.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483888</id>
	<title>Hand waving at its finest</title>
	<author>Anonymous</author>
	<datestamp>1268676600000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>From the actual paper: "In order to remain on the device, a malware agent either has to be active in RAM or modify legitimate programs in RAM, flash or other storage. Doing the former, we show, introduces significant delays to generate the output expected from our algorithm, and doing the latter causes immediate detection when the memory contents are inspected."</p><p>Specifically: "doing the latter causes immediate detection when the memory contents are inspected"</p><p>Who are they kidding?  No algorithm exists today for immediately detecting the presence of malware in an arbitrary memory dump or even disk image.  If it did, A/V would be 100% effective.</p><p>As has been repeatedly stated, if the malware simply allows itself to be swapped out and waits to resume it will, in all likelihood, be fine.  After all, all the other applications from which it wants to steal keystrokes have also been swapped out and so are making no progress either.</p></htmltext>
<tokenext>From the actual paper : " In order to remain on the device , a malware agent either has to be active in RAM or modify legitimate programs in RAM , flash or other storage .
Doing the former , we show , introduces significant delays to generate the output expected from our algorithm , and doing the latter causes immediate detection when the memory contents are inspected .
" Specifically : " doing the latter causes immediate detection when the memory contents are inspected " Who are they kidding ?
No algorithm exists today for immediately detecting the presence of malware in an arbitrary memory dump or even disk image .
If it did , A/V would be 100 % effective . As has been repeatedly stated , if the malware simply allows itself to be swapped out and waits to resume it will , in all likelihood , be fine .
After all , all the other applications from which it wants to steal keystrokes have also been swapped out and so are making no progress either .</tokentext>
<sentencetext>From the actual paper: "In order to remain on the device, a malware agent either has to be active in RAM or modify legitimate programs in RAM, flash or other storage.
Doing the former, we show, introduces significant delays to generate the output expected from our algorithm, and doing the latter causes immediate detection when the memory contents are inspected.
" Specifically: "doing the latter causes immediate detection when the memory contents are inspected" Who are they kidding?
No algorithm exists today for immediately detecting the presence of malware in an arbitrary memory dump or even disk image.
If it did, A/V would be 100% effective. As has been repeatedly stated, if the malware simply allows itself to be swapped out and waits to resume it will, in all likelihood, be fine.
After all, all the other applications from which it wants to steal keystrokes have also been swapped out and so are making no progress either.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485820</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>ardeez</author>
	<datestamp>1268683800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I like this idea. Just this one extra step would put the onus of action on the users enough that they<br>would not only pause to think, but actively associate any malware infection with their direct actions (possibly).</p><p>Rename downloaded EXEs to .web and put up a dialog with an accept button that says 'I know the Risks' when<br>they try to rename it/make it executable.</p><p>Could make a difference ...</p></htmltext>
<tokenext>I like this idea .
Just this one extra step would put the onus of action on the users enough that they would not only pause to think , but actively associate any malware infection with their direct actions ( possibly ) . Rename downloaded EXEs to .web and put up a dialog with an accept button that says 'I know the Risks ' when they try to rename it/make it executable . Could make a difference .. .</tokentext>
<sentencetext>I like this idea.
Just this one extra step would put the onus of action on the users enough that they would not only pause to think, but actively associate any malware infection with their direct actions (possibly). Rename downloaded EXEs to .web and put up a dialog with an accept button that says 'I know the Risks' when they try to rename it/make it executable. Could make a difference ...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483554</id>
	<title>Idea</title>
	<author>Superdarion</author>
	<datestamp>1268675160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Wouldn't it be possible for malware to intentionally slow down many random bits of RAM so that the detector would think that this is just latency? <br> <br>

I mean, malware could divert the checksum of its own memory bytes to the hard-drive and then divert many other bytes there too just to confuse the detector.</htmltext>
<tokenext>Would n't it be possible for malware to intentionally slow down many random bits of RAM so that the detector would think that this is just latency ?
I mean , malware could divert the checksum of its own memory bytes to the hard-drive and then divert many other bytes there too just to confuse the detector .</tokentext>
<sentencetext>Wouldn't it be possible for malware to intentionally slow down many random bits of RAM so that the detector would think that this is just latency?
I mean, malware could divert the checksum of its own memory bytes to the hard-drive and then divert many other bytes there too just to confuse the detector.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483838</id>
	<title>Re:Malware detection is Bogus.</title>
	<author>Anonymous</author>
	<datestamp>1268676300000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>wow.  combine the linux 'x' (execute) and the netware 'm' (modify) rights.  files default to 'not x' and must be given 'x' to run.  you can grant 'x' if you have 'm', and users have not a lot of reason to have 'm' (modify).  and the admin can grant 'm' without giving out root/admin rights.</p><p>i have wondered why this was not pursued a while ago.</p><p>e</p></htmltext>
<tokenext>wow .
combine the linux 'x ' ( execute ) and the netware 'm ' ( modify ) rights .
files default to 'not x ' and must be given 'x ' to run .
you can grant 'x ' if you have 'm ' , and users have not a lot of reason to have 'm ' ( modify ) .
and the admin can grant 'm ' without giving out root/admin rights . i have wondered why this was not pursued a while ago . e</tokentext>
<sentencetext>wow.
combine the linux 'x' (execute) and the netware 'm' (modify) rights.
files default to 'not x' and must be given 'x' to run.
you can grant 'x' if you have 'm', and users have not a lot of reason to have 'm' (modify).
and the admin can grant 'm' without giving out root/admin rights. i have wondered why this was not pursued a while ago. e</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380</parent>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483174
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483400
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_34</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483416
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483498
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_41</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484810
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484170
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485820
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_37</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483174
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483290
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_40</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31489098
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_31</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483414
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31487444
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_29</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483940
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_32</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484228
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483256
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483336
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485302
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_46</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483392
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491850
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483714
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484734
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31488904
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484248
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_45</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483202
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483732
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483414
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486636
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484066
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483200
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484198
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_51</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483364
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31487784
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_44</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486142
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_35</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491884
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483944
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484010
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31488182
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483702
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_38</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483916
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484432
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_43</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486606
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485194
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483188
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31492802
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_28</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483588
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_33</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485552
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483546
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_36</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483302
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484124
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_27</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484376
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_30</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483838
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_26</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31489746
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483470
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483202
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31489592
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_49</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486162
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483656
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491724
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_48</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483368
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483776
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_47</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485002
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484692
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_25</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491612
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_39</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483200
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485246
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_42</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483584
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484020
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31488166
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_03_15_1540234_50</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486290
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484328
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31487438
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483198
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483416
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31488166
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484376
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483368
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483776
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483498
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484228
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484248
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484598
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483374
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483302
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484124
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483202
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483732
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31489592
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484372
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483280
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483916
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484432
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485562
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485164
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483414
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31487444
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486636
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483392
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491850
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484114
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483148
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483656
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491724
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483470
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483714
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483702
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31489098
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483944
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483584
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484020
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483364
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483546
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483588
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483256
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483336
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483136
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483174
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483290
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483400
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483200
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485246
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484198
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483380
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31489746
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484066
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491612
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485820
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485552
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484010
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31488182
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486290
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486606
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31491884
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483940
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484170
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485194
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486142
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484692
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485002
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484734
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31484810
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483838
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31486162
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31487784
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31485302
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31488904
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483188
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31492802
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_03_15_1540234.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_03_15_1540234.31483554
</commentlist>
</conversation>
