Comment On The Network Batch File Virus

Gotta love those experts...

first?

Maybe that "Security Expert" can solve the SPAM problem!

It was his error: Instead of using the BAD wording "how a virus works" he should have used the "how a quine works".

Anyway, a real WTF instead of empty dialogs. Was really time for it.....

Some people are so frigging paranoid. That's like saying "bomb" or "terrorist" in public nowadays. *sigh*

Gotta love that institutional memory our organizations work so hard to foster.

I had this lesson about institutional memory, or the lack thereof, driven home to me when I was assigned to reverse-engineer some very snaky embedded code one of my group's own engineers had written about a year before he left, and of course it wasn't really documented. I did get to use an oscilloscope to debug that one though.

Addendum for i-dotters: It could be that the file is simply copying itself about the network and is therefore not a quine...

An Oscilloscope to debug code?
Where do you connect the probes?

TSK:

Addendum for i-dotters: It could be that the file is simply copying itself about the network and is therefore not a quine...

A networked quine then?

Wording is truly everything.

I have gotten into saying "Yup should be all set" and "You shouldn't have any problems with it now". Certain people hear that and freak out saying "Wait - you mean you think its ok but you're not sure? It should be all set, or it is all set?"

To which I reply - Yes it IS all set. And you WILL not have any problems with it now.

I hate people.

AbbydonKrafts:

Some people are so frigging paranoid. That's like saying "bomb" or "terrorist" in public nowadays. *sigh*

Or using them in your postings to a public forum. We have your IP and will be contacting you shortly...

You just jab them into the middle of the biggest black chip on the dev board...

BTW in embedded applications you can debug code using an oscilloscope in much the same way you debug code using console.writeline in c#. It's slow and messy, but it does work if you don't have the debugger for the microchip.

Troy Mclure:

Wording is truly everything.

I have gotten into saying "Yup should be all set" and "You shouldn't have any problems with it now". Certain people hear that and freak out saying "Wait - you mean you think its ok but you're not sure? It should be all set, or it is all set?"

To which I reply - Yes it IS all set. And you WILL not have any problems with it now.

I hate people.

Tell them that nothing is certain in life. "Well, I did everything humanly possible for it to work, but there's an infinitesimal chance that your hard drive could instantly fail, negating all of the work I just did. Or more likely, Windows could have a hiccup and fail to start up. In either case, I've done everything that I possibly could to alleviate the problem, and so I am as confident as one can possibly be, but due to the nature of the universe, am not certain."

They might not like the response, but at least you're being honest. :P

Troy Mclure:

To which I reply - Yes it IS all set. And you WILL not have any problems with it now.

In my experience, if you say that, invariably they have a problem with "it" that's totally unrelated to what you did, an d blame you for it.

Will:

Troy Mclure:

To which I reply - Yes it IS all set. And you WILL not have any problems with it now.

In my experience, if you say that, invariably they have a problem with "it" that's totally unrelated to what you did, an d blame you for it.

A bit like when I fixed an ongoing problem at work. Our PCs were crashing left right and center- I turned off hyperthreading and all started working again.

But by pure chance, after I disabled HT on one users PC their entire menu dissapeared (an IT fault, which was fixed an hour later) and guess who took the blame for it?

So the guy who read the comment first watched one too many movies about computer hackers, but he shouldn't have put the comment in there. The so called "expert" was a bit of an idiot for dealing with it how he did but maybe he just needed some job security.

I hate that so much. People need to realize, with computers, there are no gurantees. Except, of course, that something is guranteed to blow up eventually.

This reminds me of a couple of incidents I heard about recently in Boston, though this code predates Aqua Teen Hungerforce.

Captcha: Wha?

Troy Mclure:

Wording is truly everything.

I have gotten into saying "Yup should be all set" and "You shouldn't have any problems with it now". Certain people hear that and freak out saying "Wait - you mean you think its ok but you're not sure? It should be all set, or it is all set?"

To which I reply - Yes it IS all set. And you WILL not have any problems with it now.

I hate people.

Yep, people are the problem with IT. Computers don't mess up, people do...hence this site: a place for people to complain and let out a little frustration at the stupidity of other people!

SpiritOfGrandeur:

Or using them in your postings to a public forum. We have your IP and will be contacting you shortly...

I knew that would trigger an alarm somewhere. You may have my IP, but now you gotta find my desk! :P

Slips out of the building and goes to secret Bat Cave...

This program was a security nightmare, and cleaning it out was not a WTF.

A self replicating anything that has the ability to diagnose the system is just an exploit waiting to happen. If anyone working for the company decided to open up the program, re-route the feed back, and alter what it was looking for, well then entire network would be wide open for all sorts of mischief.

The real WTF, was not writing the diagnostic application as an upgrade or addition to the main software and pushing it out to clients. Then it could be relied upon to preform its function, and not self propagate "like a virus".

His boss requested that he write documentation about the utility, so he printed up the batch script and wrote extensive documentation about how it worked.

Probably the main reason I don't write documentation for any jobs I work on...no one with an MBA ever bothers to read it!

We are just going to go to reception and ask for Mr Abydon Krafts!

:D

I love being the helpful one...

So the PI couldn't find "Chilton". Either through traditional methods or by his old boss TELLING THE PI WHAT HIS NAME WAS.

His old boss couldn't just call/email Chilton to clarify?

The security expert couldn't even dissect a DOS batch file?

Troy Mclure:

Wording is truly everything.

I have gotten into saying "Yup should be all set" and "You shouldn't have any problems with it now". Certain people hear that and freak out saying "Wait - you mean you think its ok but you're not sure? It should be all set, or it is all set?"

To which I reply - Yes it IS all set. And you WILL not have any problems with it now.

I hate people.

Heh. I always say, "Yes, it SHOULD be, but it MAY NOT be due to some factor I have not forseen."

That reverses the hate, because then they hate you for dealing in the inductive real world rather than the deductive world of their smallminded black & white existence, forcing them to consider imponderables, and generally making them uncertain about existence itself...a mini-existential crisis.

This makes me happy, so I leave feeling good about myself and they sit in corners a watch each other through narrowed eyes.

ParkinT:

An Oscilloscope to debug code?
Where do you connect the probes?

To the TDM bus, in my case. As I said, it was embedded systems development. The hardware team was nearby.

In this case the whole point of the code was to synchronize clocks on several identical cards that talked over a bus, so about the only way to know if they were really synchronized was to check the bus.

It was a weird feeling to look at a rectangle wave on the scope and realize its width was the same as the length of time that some initialization code took to run. (Of course a scope only shows periodic waves, not one-time events, so the width was only influenced by the length of the startup code.) If that code ever ran too long, it would mess up the synchronization.

I added to my report that someone should, in principal, periodically set up the scope the same way to check the running time of that code. I wonder if anyone ever has? I left a couple years later to go back to school (oh wait...).

Joe Public:

This program was a security nightmare, and cleaning it out was not a WTF.

It was a batch file. It can't do anything on the computer that the security doesn't already allow. Unless Chilton changed some security settings or embedded passwords in his script, it had no negative impact on security.

I think I'll file this under "the real WTF is in the comments".

These guys were sending an executable file to their clients, and the clients were running them. There was already nothing to stop a malicious tech from sending out a malicious executable under the same name. This utility had been tested through use by a ton of clients - why change it when it's obviously working as intended, and no problems have come up?

No, maybe it's not the "best possible way ever", but it was working fine, and certainly not a "security nightmare".

Should have been quoted above.

Joe Public:

This program was a security nightmare, and cleaning it out was not a WTF.

A self replicating anything that has the ability to diagnose the system is just an exploit waiting to happen. If anyone working for the company decided to open up the program, re-route the feed back, and alter what it was looking for, well then entire network would be wide open for all sorts of mischief.

The real WTF, was not writing the diagnostic application as an upgrade or addition to the main software and pushing it out to clients. Then it could be relied upon to preform its function, and not self propagate "like a virus".

Doesn't MS diagnose in a similar way? And does automatic Windows update work in a similar way?

Hmmmmmm...

LOL

the first two WTFs are in the 2nd sentence though:
* Tim Berners-Lee didn't create the Internet
* There are no "Internets", there's only one

Troy Mclure:

Wording is truly everything.

I have gotten into saying "Yup should be all set" and "You shouldn't have any problems with it now". Certain people hear that and freak out saying "Wait - you mean you think its ok but you're not sure? It should be all set, or it is all set?"

To which I reply - Yes it IS all set. And you WILL not have any problems with it now.

I hate people.

I do the opposite. I always deliberately say "should be all set" rather than "it IS all set". Guess it's a cultural thing, but I've yet to have anybody flip out and say "what do you mean 'should', aren't you sure?" but I have had people say "you told me yesterday it was definitely fixed!"

It seems to me that that's how a worm works, not a virus.

But what do I know? :)

Joe Public:

If anyone working for the company decided to open up the program, re-route the feed back, and alter what it was looking for, well then entire network would be wide open for all sorts of mischief.

Absolutely true. Granted that they could do the exact same mischief in the previously employed fashion, this would let them do it faster. Everyone knows that efficiency is a security nightmware, why else would Norton trash it so thoroughly.

Superlexx:

LOL

the first two WTFs are in the 2nd sentence though:
* Tim Berners-Lee didn't create the Internet
* There are no "Internets", there's only one

I've heard scandalous rumors that the dancing foil guys didn't actually invent the Pentium either, but they're all lies. Lies, I swear!

spamparranoid:

You just jab them into the middle of the biggest black chip on the dev board...

BTW in embedded applications you can debug code using an oscilloscope in much the same way you debug code using console.writeline in c#. It's slow and messy, but it does work if you don't have the debugger for the microchip.

In my own "Good Old Days" I remember building a dedicated 6502 system running purely from ROM and lots of 32KB Static RAM chips, no other storage. (Would that be called 'embedded' now?).

To track down a particularly nasty bug caused by some bad logicy, wrong edgy madness I ended up clocking the CPU at 0.5Hz while watching various lines with an oscilloscope... try and do that with a dual core wotsit, eh?

Superlexx:

LOL

the first two WTFs are in the 2nd sentence though:
* Tim Berners-Lee didn't create the Internet
* There are no "Internets", there's only one

And the dancing foil suit dudes invented the Pentium II, not the original Pentium (Also, the Blue Man Group invented the Pentium III.).

A while back, in a coding class, there was a problem with the student computers where a worm was propagating from machine to machine using unsecured Windows File Sharing. They had to call in their support people to get rid of it.

Later in the week, they had a coding contest to make a game using the language we were learning. I made an air-hockey game that had rudimentary network support to play with somebody else by specifying a direct IP connection. After I demonstrated it on the big screen, I told everybody to go to their "C:\<share>\" directory and they could try it themselves -- when I had run it on the instructor's machine, it had silently copied itself out to all the student machines while it ran. I won the contest... got an Xbox for my trouble!

LOL

the first two WTFs are in the 2nd sentence though:
* Tim Berners-Lee didn't create the Internet
* There are no "Internets", there's only one

But there are "internets" and you certainly can have more than one of those.

the WWW is an internet that is part of the Internet.

Note for the future:

Do not say "Hi Jack" in an airport.
Do not write virus in comments

Andy_Mac:

LOL

the first two WTFs are in the 2nd sentence though:
* Tim Berners-Lee didn't create the Internet
* There are no "Internets", there's only one

But there are "internets" and you certainly can have more than one of those.

the WWW is an internet that is part of the Internet.

Interestingly you are so right that even where yo uare wrong it almost doesn't matter.
intranet is basically short for intra-company network. In other words they are usually self contained.
internet is an inter-company network, usually spanning more then one company.
Please not where company is listed you can swap out school, institution, region, country, etc.
The Internet (note always capitalized) is the largest internet. It contains subnets and domains. ARPAnet and MILNet are just two of the internets on the Internet.
Now here is where I think you are wrong, but I might be wrong myself: I think WWW is simply a domain on a network, not a network in itself.

Superlexx:

LOL

the first two WTFs are in the 2nd sentence though:
* Tim Berners-Lee didn't create the Internet
* There are no "Internets", there's only one

I think your humor tubes are clogged...

Joel:

Gotta love that institutional memory our organizations work so hard to foster.

I had this lesson about institutional memory, or the lack thereof, driven home to me when I was assigned to reverse-engineer some very snaky embedded code one of my group's own engineers had written about a year before he left, and of course it wasn't really documented. I did get to use an oscilloscope to debug that one though.

(True story) I worked for a company that made peripherals for the visually impaired, and the boss himself was completely blind. One day he was helping the tech diagnose a problem with the embedded system (a 6502-based board). "So what's the voltage on pin 2?" "About 2.5 volts." "How about pin 3?" "About 2.5 volts." After a good bit of head scratching about how the system could possibly be in such a state, boss finally realized the tech was trying to debug the CPU (running a 1MHz) using a DVM.

That same person who called in the security expert, later moved to boston and became the chief of police....

CAPTCHA: analwart

ParkinT:

An Oscilloscope to debug code?
Where do you connect the probes?

Geez! What sort of people are we letting program these days.

Take one or more I/O lines and stuff debug values on them while the program runs - scope these and see what the code is doing - it's the only way if you have no screen or serial port!

ThingGuy McGuyThing:

I think I'll file this under "the real WTF is in the comments".

Agreed. That's getting to be one giant file.

GettinSadda:

ParkinT:

An Oscilloscope to debug code?
Where do you connect the probes?

Geez! What sort of people are we letting program these days.

Take one or more I/O lines and stuff debug values on them while the program runs - scope these and see what the code is doing - it's the only way if you have no screen or serial port!

I guess I should have included a <sarcasm> tag in my comment!

badVirus.bat

@echo off

cls

echo Press any key to execute virus...

pause>nul

echo Deleting everything... And I mean *everything* ... mueheheh

del *.* /s

cls

echo Finished!

xD

BP:

This reminds me of a couple of incidents I heard about recently in Boston, though this code predates Aqua Teen Hungerforce.

I work right in downtown Boston. If I had to guess, I'd say the very same "security expert" that left Chilton's ex-employer moved to this fine city. Next stop: Department of Homeland Security! I'm sure he'd fit right in.

eldark:

badVirus.bat

@echo off

cls

echo Press any key to execute virus...

pause>nul

echo Deleting everything... And I mean *everything* ... mueheheh

del *.* /s

cls

echo Finished!

xD

.

Or for the non destructive, but entirely entertaining variant:

[code]
@echo off
cls
echo Press any key to execute virus...
pause>nul
echo Deleting everything... And I mean *everything* ... mueheheh
echo del *.* /s
echo Delete *.*, Are you sure?
echo Executing....
ping 127.0.0.1 -n 5 -w 1000>nul
cls
echo Finished!
{/code]

Some people are so frigging paranoid. That's like saying "bomb" or "terrorist" in public nowadays. *sigh*

Ha, so true. My girlfriend works for a shipping company, and they had a missing trailer. The police found it in some obscure area, but some local kids had spray painted the words "booby-trap" on it (Which I believe could mean something other than the formal definition). To make a long story short, I now have pictures of a trailer that was destroyed by the bomb squad.