    Cyber Scarecrow

    (www.cyberscarecrow.com)
    606 points toby_tw | 21 comments
    scosman ◴[] No.40715334[source]
    Fun concept.

    If the creators read this, I suggest some ways of building trust. There’s no “about us”, no GitHub link, etc. It’s a random webpage that wants my personal details, and sends me an “exe”. The overlap of people who understand what this tool does, and people who would run that “exe”, is pretty small.

    replies(7): >>40715364 #>>40715425 #>>40715446 #>>40715473 #>>40716059 #>>40716538 #>>40723731 #
    1. vmfunction ◴[] No.40715364[source]
    It is a cat and mouse game. And security by obscurity practice. Not saying it won't work, but if it is open sourced, how long before the malware will catch on?

    Here is one on github:

    https://github.com/NavyTitanium/Fake-Sandbox-Artifacts

    replies(7): >>40715392 #>>40715530 #>>40715603 #>>40715668 #>>40716144 #>>40716690 #>>40716934 #
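    To make the idea concrete, here is an added sketch of how a scarecrow-style tool works: it plans a set of decoy artifacts (files and registry values that look like VM guest tools or analysis software) and writes them to the host, so that a sample which checks for an analysis environment before running decides not to. This is illustration written for this thread, not the Cyber Scarecrow or Fake-Sandbox-Artifacts code; the decoy names, paths and registry locations are constructed. File decoys are written under a root directory you choose on any OS; registry decoys are only written on Windows, only when explicitly enabled, and need an elevated shell because they target HKLM.

```python
"""Scarecrow-style decoy planner (added illustration; decoy names are constructed)."""
import os
import sys
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Decoy:
    kind: str          # "file" or "registry"
    location: str      # path relative to the install root, or a registry subkey under HKLM
    name: str = ""     # registry value name (registry decoys only)
    value: str = ""    # registry value data (registry decoys only)


# Constructed decoy families. The names imitate artifacts an analysis VM would
# carry; they are placeholders, not the real projects' lists.
DECOY_PROFILE: Dict[str, List[Decoy]] = {
    "vm_guest_tools": [
        Decoy("file", "Program Files/VMware/VMware Tools/vmtoolsd.exe"),
        Decoy("registry", r"SOFTWARE\VMware, Inc.\VMware Tools", "InstallPath", r"C:\decoy"),
    ],
    "analysis_tools": [
        Decoy("file", "Program Files/Wireshark/Wireshark.exe"),
        Decoy("file", "Tools/procmon.exe"),
    ],
}


def plan_decoys(families: List[str]) -> List[Decoy]:
    """Return the decoys for the requested families, rejecting unknown names."""
    plan: List[Decoy] = []
    for fam in families:
        if fam not in DECOY_PROFILE:
            raise ValueError(f"unknown decoy family: {fam}")
        plan.extend(DECOY_PROFILE[fam])
    return plan


def apply_decoys(plan: List[Decoy], root: str, dry_run: bool = True,
                 registry_enabled: bool = False) -> Dict[str, List[str]]:
    """Create the decoys. File decoys go under `root`; registry decoys are written
    to HKLM only on Windows and only when registry_enabled is True (needs admin)."""
    report: Dict[str, List[str]] = {"planned": [], "created": [], "skipped": []}
    for d in plan:
        if d.kind == "file":
            path = os.path.join(root, *d.location.split("/"))
            if dry_run:
                report["planned"].append(path)
                continue
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"decoy")  # placeholder body; a deployment would drop a benign binary
            report["created"].append(path)
        elif d.kind == "registry":
            target = f"HKLM\\{d.location}\\{d.name}"
            if dry_run:
                report["planned"].append(target)
            elif sys.platform != "win32" or not registry_enabled:
                report["skipped"].append(target)
            else:
                import winreg  # Windows-only module
                with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, d.location, 0,
                                        winreg.KEY_SET_VALUE) as key:
                    winreg.SetValueEx(key, d.name, 0, winreg.REG_SZ, d.value)
                report["created"].append(target)
        else:
            raise ValueError(f"unknown decoy kind: {d.kind}")
    return report


if __name__ == "__main__":
    # Dry run: print what would be created without touching the host.
    for item in apply_decoys(plan_decoys(list(DECOY_PROFILE)), r"C:\\", dry_run=True)["planned"]:
        print("would create:", item)
```

The report separates what was created from what was skipped, which matters for the point raised in the thread: a decoy only helps if it is actually present, so a deployment should verify the report rather than assume the artifacts landed.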
    2. xyzzy123 ◴[] No.40715392[source]
    The really fun part is when malware authors add detections for "fake sandbox" and then real sandbox authors get to add those indicators.
    replies(1): >>40716933 #
    3. CyberScarecrow ◴[] No.40715530[source]
    Author of scarecrow here. Our thinking is that if malware starts to adapt and check if scarecrow is installed, we are doing something right. We can then look to update the app to make it more difficult to spot - but it's then a cat and mouse game.
    replies(2): >>40717240 #>>40717661 #
    4. boxed ◴[] No.40715603[source]
    If Windows had this built in, it would make malware authors' jobs much more difficult. I like that.
    5. self_awareness ◴[] No.40715668[source]
    Some malware will catch on, some will not. It's a cost vs profit problem. Statistically, this will always decrease the number of possible malware samples that can be installed on the machine, but by what margin? Impossible to say.
    6. port19 ◴[] No.40716144[source]
    I'd be willing to bet good money that 99% of malware authors won't adapt, since 99% (more like 99.999%) of the billions of worldwide windows users will not have this installed.

    For the cat to care about the mouse it needs to at least be a good appetizer.

    replies(2): >>40716926 #>>40717629 #
    7. RajT88 ◴[] No.40716690[source]
    Not just that - it only works on smart malware.

    There is plenty of dumb malware.

    Security folks seem to get overly focused at times on the most sophisticated attackers and forget about the unwashed hordes.

    8. ferfumarma ◴[] No.40716926[source]
    I think this is a same thing as betting on your own failure: "not enough people will use this for it to be an important consideration for hackers".
    replies(1): >>40717449 #
    9. vmfunction ◴[] No.40716933[source]
    Look into the Windows NT source code that was leaked. The if-else/switch statements in there are just another level of string-matching hell. Seems like software development has just become "let's jerry-rig it to just make it work and forget about it." Pretty sure management (without a tech clue) has something to do with behaviours like this.
    replies(1): >>40717430 #
    10. linsomniac ◴[] No.40716934[source]
    It's not a cat and mouse game; it's a diver and shark game. In SCUBA training we joked that you had the "buddy system" where you always dive in pairs, because that way if you encounter a shark you don't have to outswim the shark, you only have to outswim your buddy.

    A low-effort activity that makes you not be the low-hanging fruit can often be worth it. For example, back in the '90s I moved my SSH port from 22 to ... not telling you! It's pretty easy to scan for SSH servers on alternate ports, but basically none of the worms do that.

    replies(1): >>40724333 #
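    The "worms" referred to above show up in sshd logs as bursts of failed password attempts from one source against many account names. As an added example (not from the original thread), the following script parses constructed OpenSSH syslog lines, flags sources that exceed a failure threshold, and also lists accounts that still log in with a password rather than a key; that second list is what you would want to be empty before relying on an obscure port.

```python
"""Brute-force and password-login detection over sshd log lines (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed sample lines in OpenSSH/syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 18 03:12:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 18 03:12:03 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jun 18 03:12:05 host sshd[2205]: Failed password for root from 203.0.113.7 port 51044 ssh2
Jun 18 03:12:08 host sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51060 ssh2
Jun 18 03:12:10 host sshd[2209]: Failed password for invalid user test from 203.0.113.7 port 51072 ssh2
Jun 18 03:15:42 host sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 40122 ssh2: ED25519 SHA256:placeholder
Jun 18 03:20:11 host sshd[2310]: Failed password for bob from 198.51.100.9 port 40200 ssh2
Jun 18 03:20:15 host sshd[2312]: Accepted password for bob from 198.51.100.9 port 40200 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")


class Event(NamedTuple):
    ip: str
    user: str
    method: str
    accepted: bool


def parse_sshd_log(text: str) -> List[Event]:
    """Extract accepted/failed authentication events; unrelated lines are ignored."""
    events: List[Event] = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(Event(m["ip"], m["user"], m["method"], True))
            continue
        m = FAILED_RE.search(line)
        if m:
            events.append(Event(m["ip"], m["user"], m["method"], False))
    return events


def find_bruteforce(events: List[Event], threshold: int = 5) -> Dict[str, Dict[str, object]]:
    """Sources with at least `threshold` failed password attempts, with the usernames tried."""
    failures: Dict[str, int] = defaultdict(int)
    users: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if not e.accepted and e.method == "password":
            failures[e.ip] += 1
            users[e.ip].add(e.user)
    return {ip: {"attempts": n, "users": sorted(users[ip])}
            for ip, n in failures.items() if n >= threshold}


def password_logins(events: List[Event]) -> List[str]:
    """Accounts that successfully authenticated with a password (should be none if keys-only)."""
    return sorted({e.user for e in events if e.accepted and e.method == "password"})


if __name__ == "__main__":
    evs = parse_sshd_log(SAMPLE_LOG)
    for ip, info in find_bruteforce(evs).items():
        print(f"brute force from {ip}: {info['attempts']} attempts, users {info['users']}")
    print("accounts still using passwords:", password_logins(evs))
```

The threshold is deliberately low because the sample covers seconds; over a real log window you would key on both count and rate, and feed the flagged sources to whatever blocks them (fail2ban, a firewall set) rather than only printing them.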
    11. hluska ◴[] No.40717240[source]
    You had an answer canned for one part of the query. Why are you trying to release security software completely anonymously? This is insane - you want an incredible amount of trust from users but can’t even identify a company.

    Simply, if users are as intelligent as you think, they’re too intelligent to use your product.

    12. 1992spacemovie ◴[] No.40717430{3}[source]
    > Pretty sure management (without a tech clue) has something to do with behaviours like this.

    Always the same bullshit with you people here. It could never possibly be that someone built a sub-optimal system -- it HAD to be management fucking with our good intentions!

    replies(2): >>40720700 #>>40724329 #
    13. Sebb767 ◴[] No.40717449{3}[source]
    I've worked in companies with horrendous security, where someone with just a bit of SQL injection experience could have easily carried out the data. Yet, since this was a custom in-house application and your off-the-shelf scanners did not work, this never happened; the only times the servers were hacked were when the company decided to host an (obviously never updated) grandfathered Joomla instance for a customer.

    But even more simply, just setting your SSH port to something >10000 is enough to get away with a very mediocre password. It's mostly really not about being a hard target, not being the easiest one is likely quite sufficient :)

    replies(1): >>40720545 #
    14. dylan604 ◴[] No.40717629[source]
    If I were to run a Windows computer, I wouldn't care what 99.999% of other people didn't do to make their computer safe. If it were something that I could do, then that's good enough for me. However, the best thing one can do to protect themselves from Windows malware is to not use Windows. This is the path I've chosen for myself.
    15. dylan604 ◴[] No.40717661[source]
    If you think that is what will make it a cat and mouse game instead of understanding it has been a cat and mouse game since the beginning of time, then you're not compelling me into thinking you're very experienced in this space.
    16. giobox ◴[] No.40720545{4}[source]
    > But even more simply, just setting your SSH port to something >10000 is enough to get away with a very mediocre password.

    Given how easy and free tools like Wireguard are to set up now (thanks Tailscale!), I really don't understand why folks feel the need to map SSH access to a publicly exposed port at all anymore for the most part, even for throw-away side projects.

    replies(1): >>40736115 #
    17. westmeal ◴[] No.40720700{4}[source]
    Lemme guess you're a manager.
    replies(1): >>40722647 #
    18. Tao3300 ◴[] No.40724329{4}[source]
    Well yeah. Left to their own devices, people want to build good stuff. It's when some dumb turd with his metrics and clueless plan shows up that things get screwy.
    19. Tao3300 ◴[] No.40724333[source]
    What I've heard is: If you're running from a bear, you only have to be faster than the other guy.
    20. port19 ◴[] No.40736115{5}[source]
    I say leave it at 22 and use public key authentication. If a hacker can crack that, they deserve my server!
    replies(1): >>40740927 #
    21. giobox ◴[] No.40740927{6}[source]
    I mostly agree, but even this leaves you exposed to new bugs found in SSH in the future etc. if on an unpatched/forgotten server. I still think it's best (and really, really easy now with tools like tailscale) to simply never expose the software to the wide world in the first place and only access over Wireguard.

    Fundamentally, it makes no sense to expose low level server access mechanisms to anyone other than yourself/team - there is no need for this to sit listening on a public port, almost ever.
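    The two positions in this sub-thread (keys only on port 22, versus not listening on a public address at all) both reduce to a handful of sshd_config directives. As an added example, not from the thread, here is a small audit that parses an sshd_config in the way sshd does (first occurrence of a directive wins, only the global section before any Match block is considered) and reports the settings each poster warned about. The two embedded configs are constructed; the WireGuard address is a placeholder.

```python
"""sshd_config audit for password logins, root login and public exposure (added example)."""
from typing import Dict, List

# Constructed: internet-facing sshd with password logins allowed.
WEAK_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: keys only, bound to a WireGuard interface address (placeholder).
HARDENED_CONFIG = """\
Port 22
ListenAddress 10.8.0.1
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map lower-cased directive -> list of values in file order, global section only."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # directives after Match are conditional; audit the global section only
        conf.setdefault(key, []).append(val)
    return conf


def effective(conf: Dict[str, List[str]], key: str, default: str) -> str:
    """sshd honours the first occurrence of a directive; fall back to its default."""
    return conf.get(key, [default])[0].lower()


def audit_sshd_config(text: str) -> List[str]:
    """Return finding codes; an empty list means none of the audited weaknesses is present."""
    conf = parse_sshd_config(text)
    findings: List[str] = []
    if effective(conf, "passwordauthentication", "yes") != "no":
        findings.append("password-auth")
    # KbdInteractiveAuthentication (older alias ChallengeResponseAuthentication)
    # still allows password prompts via PAM even when PasswordAuthentication is off.
    kbd = conf.get("kbdinteractiveauthentication",
                   conf.get("challengeresponseauthentication", ["yes"]))[0].lower()
    if kbd != "no":
        findings.append("kbd-interactive")
    if effective(conf, "permitrootlogin", "prohibit-password") == "yes":
        findings.append("root-login")
    if effective(conf, "pubkeyauthentication", "yes") == "no":
        findings.append("pubkey-off")
    listen = [v.lower() for v in conf.get("listenaddress", [])]
    if not listen or any(a.startswith(("0.0.0.0", "::", "[::]")) for a in listen):
        findings.append("listen-all")  # reachable on every interface, not just the VPN
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_sshd_config(WEAK_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_CONFIG))
```

Binding ListenAddress to the VPN address is the configuration-level form of "only access over Wireguard"; pair it with a host firewall rule that drops port 22 on the public interface, since the audit cannot see the firewall.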