echo: aust_avtech
to: Bob Lawrence
from: Jasen Betts
date: 2004-04-26 07:35:48
subject: Locking Windows

Hi Bob.

18-Apr-04 22:06:11, Bob Lawrence wrote to John Tserkezis

 BL> I know what a *real* cookie does... what worries me is what a
 BL> virus masquerading as a cookie *might* do.

It'll do nothing on your machine but occupy space on your hard drive, (and
bandwidth in your internet connection while it's coming or going)

 BL> The sender is able to download a file into a known area on your hard
 BL> drive, and access it later. Jeeze! Doesn't that worry you?

No. even if the data section of a cookie contained malicious code there's
no way to run that code that doesn't rely on a far worse security breach,
and if security is that broken already a "cookie virus" isn't going to make
anything worse.

 JT>> A search for "cookies" via google will return many sites that
 JT>> explain cookies, their structure, and use.

 BL> Who explains the illegal uses?

not you.

 >> A cookie is one way a remote computer can insert data into *your*
 >> computer.

 JT>> Yes. One remote site can create a cookie with its site name in
 JT>> it. One site cannot create a cookie on 'behalf' of another site
 JT>> though.

 >> You have no idea what's in the cookie...

 JT>> Nor do you really need to know or care.

 BL> You might, if it's a trojan.

there are other tools more suitable than cookies,
these include things like the command-line.

someone outside your computer capable of causing it to execute a cookie
could instead use command-line stuff to build any binary file they want.
and there'd be less evidence that way too.

 BL> You keep saying that. What it is... is a file inserted by someone
 BL> else into a known area of your hard drive. There can be *anything*
 BL> in that file, and the file can be *any* size hidden amongst thousands
 BL> of other cookies. The only one who knows where and what is the one
 BL> who originally inserted it.

 BL> AND THAT WORRIES ME...

why?

the file does not look like executable data to the operating system (it
has the wrong extension)

 BL> It never gets run? How does a trojan get run?

by having the correct attributes to be executed and looking like something
the user would want to run.

 BL> Okay. How about I'm a respected site (like Borland), and I send
 BL> you a trojan cookie. And then I decide that it's time to wipe all
 BL> the Borland free programs past their use-by (because some bastard
 BL> has cracked the codes). Now, when you update I activate my
 BL> "cookie" and wipe your hard drive of the pirated software. Is that
 BL> enough specific "something else" for you?

why not just wipe his hard drive without activating the cookie, it'd be
easier.

 BL> Does the write-protect tab physically prevent writing,

yes, the hardware in the floppy drive cannot write unless the write protect
tab is off. (or if the sensor is faulty)

 BL> or does it merely rely on the computer? Why not disable the write
 BL> protect with your virus (and catch those who believe the tab does
 BL> something real)?

floppy drives aren't built that way.

 BL> And how does that analogy relate to anything real? Of course you
 BL> isolate the computer (and floppies) once you realise it's
 BL> infected, but by then the virus scan is *also* infected! And you
 BL> can't load a new copy because *it* will become infected!

get a write protected copy, and boot your computer from clean media.

 BL> I get the feeling you don't understand the problem, John.

 BL> What you have to do, is use a virgin system disk just once, to
 BL> wipe the hard drive (including the partition information).

Nope.  if you need to use a windows based virus scanner  boot your PC from
a different hard drive containing a clean copy of windows... and then scan
the dirty disk.

 JT>> You know where it came from, you can backtrack to the last known
 JT>> outside source of data/disks. Then you point the finger. Worked
 JT>> every time.

 BL> Jeeze, you're good.

in cases where it didn't work he probably sent the disks back infected :)

 -=> Bye <=-

---
* Origin: Bushido does not mean what it sounds like. (3:640/1042)
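The point JT makes above, that a site can only set a cookie for its own domain, is enforced by the user agent's domain-matching rule. The following is an added example, not code from the thread or from any of its participants: it applies the RFC 6265 domain-matching check (section 5.1.3, with the Domain attribute handling of section 5.2.3) to a constructed Set-Cookie header and reports whether a browser would accept it. Host and header values are constructed sample input; the public-suffix check real browsers also apply is omitted.

```python
# Added example: decide whether a response from request_host may set the
# cookie carried in a Set-Cookie header, per RFC 6265 domain matching.
# Sample hosts and headers are constructed; no public-suffix list is used.
import ipaddress


def _is_ip(host: str) -> bool:
    """True if host is a bare IPv4/IPv6 address (domain cookies not allowed)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain, or host ends with
    '.' + domain and host is not an IP address."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".").rstrip(".")
    if host == dom:
        return True
    return host.endswith("." + dom) and not _is_ip(host)


def cookie_accepted(request_host: str, set_cookie: str):
    """Parse a Set-Cookie header and return (accepted, name, effective_domain).

    Without a Domain attribute the cookie is host-only (5.3 step 6).
    With a Domain attribute that does not domain-match the responding
    host, the user agent ignores the cookie entirely (5.3 step 6).
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            domain = value.strip().lstrip(".").lower()
    if domain is None:
        return True, name, request_host.lower()
    if not domain_matches(request_host, domain):
        return False, name, domain
    return True, name, domain


if __name__ == "__main__":
    print(cookie_accepted("www.example.com", "sid=abc; Domain=example.com"))
    print(cookie_accepted("www.example.com", "sid=abc; Domain=other.com"))
```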

SOURCE: echomail via fidonet.ozzmosis.com
