Contributors: How to avoid aiding the development of malicious code
I would like to ask our community to take a brief moment to consider the outcome of answering a question before doing so. Sometimes a question can lead down a path to examples of how to create malware applications, and that is something we want to try to avoid. There are a few key things we can watch out for which would often indicates a question about malicious code intent. First, watch for requests to do network communications that violate one or more RFC documents (e.g. How do I spoof my IP address?). Second, watch for requests on automating other websites - a quick check of the other site's AUP or TOU will typically tell you if the automation is permitted. Third, watch for requests that appear to want to harvest data from the web, without following the typical procedures for a web crawler (bot).
I would also ask that everyone take a moment to review the TOU for this site: http://msdn.microsoft.com/en-us/cc300389.aspx#K
Please note the paragraph under "MATERIALS PROVIDED TO MICROSOFT OR POSTED AT ANY MICROSOFT WEB SITE." which states:
"By Posting a Submission you warrant and represent that you own or otherwise control all of the rights to your Submission as described in these TOU including, without limitation, all the rights necessary for you to Post the Submissions."
If the code you post violates another site's Terms of Use, then that site may claim that you do not have rights to the code, which could then make your post violate the TOU here at MSDN. By posting a modified version of someone's code in an attempt to help them, you may actually be posting code for which you do not have full rights.
Now obviously we cannot all recognize every instance of an attempt to write malicious code, or a violation of any given TOU. However, we can each take just a moment to review the question against what we know, inform the OP if they are headed into potentially dangerous territory, and notify the mod/admin community by marking posts abusive when appropriate. I don't think too many of our community members would be proud to know that their knowledge helped create yet another piece of malware, so we'll have to police ourselves and each other to help prevent such a thing from happening.
My suggestion would be to treat this the same as the homework questions we see posted - many contributors have gotten used to spotting a homework assignment and will only give suggestions to help the OP without doing the work for them. Spotting attempts at creating malicious software is much the same; when you see red flags, confront the OP and give them some suggestions on a legitimate course of action, or mark the post abusive if appropriate.
I thank all of our community members for their continued support and know that together we can keep the MSDN forums clean, productive, and safe for all to use.
Reed Kimble - "When you do things right, people won't be sure you've done anything at all"
All Replies
- Hi Reed,
"Hear, hear!!"
as they shout in the HOUSE OF COMMONS, (and some court rooms?).
You have my full support to keep these forums clear of malicious code. :-) ;-)
Regards,
John
I'm currently looking for work in Vb.Net software development. :-) - Hi John Anthony (we have a numberof John's as you well know! lol),
Thanks for your support. This thread welcomes the input of yourself and other top-standing forum members (anyone with a good idea is welcome to post - I'm just encouraging suggestions from our resident gurus =P). If you have any other warning signs to mention, or other related advice, please feel free to share it here. I'll copy new info into the original post to keep it at the top for easy viewing.
Reed Kimble - "When you do things right, people won't be sure you've done anything at all" we have a numberof John's as you well know!
Hi Reed,
I hope you are not referring to your toilets!! LOL!!
Regards,
John
I'm currently looking for work in Vb.Net software development. :-)- Hmm... well the forums do contain users who are like toilets - they come here FOS and stink up the place - but that's not what I meant...
hahahahaha!
Anyway, now WE'RE mucking things up so lets keep this sticky thread on topic :)
Reed Kimble - "When you do things right, people won't be sure you've done anything at all" - reed kimble ,
.
=================
off topic....
from the time of your appearance on this forum, i have noticed a great job on your side. very well appreciated from me. thanx ;o)
if you need an idol, which i hope is not offensive to mention, martin xie. don't follow him everywhere, just view his posts.
other mods, seem to just mark anything as an answer and doodle anything to propose their answers. no offense to "other" mods, wisen up. ( i know wisen is misspelled, thanx to microsoft . ) proposing self answers, well, microsoft has not wisened up about that yet..
here is one i should self propose, "i am god!, tremble!"..
=================
back to topic....
i have caused havoc on plenty threads, as such,
http://social.msdn.microsoft.com/Forums/en-US/vbgeneral/thread/5a4db104-d114-4eec-ae3e-0f6dd49a8938
and also, on threads that had something as a hackercentral.jpg, or so, for an image in their question.
talk about some nonsense on a microsoft forum.
-----
about your post, to much to read. ;o)
i read most of it, which, from what i picked out, was that, respect should be given where proper .. the TOU, i don't even vote, minus well view the political stuff. so, if it's not vb code, then you can guess that i read it very well. ;o)
i have had a few, well, a lot, of my replies, where i had to search the web for solutions..
if the code was shooting blanks, but i could fix the shots, i would correct it and supply the solution for the o.p. ( original post ), without a link.
blanks, roflmao.. i double/triple check code before posting. what a joke from some of those tutorial websites shooting blanks..
but , if the code was complete and supplied quite useful information, or just the information was something i thought would be of use, i would definitely supply the link to the website location. a few times, in case the code was a gem in a pile of dirt, i supplied the code as well as the link, for backup reasons, just in case the website was sentenced to being a malicious, thing...
about other sites, and their TOU, hah.. get me to read it. more nonsense of " i will sue you, if you sue me, but if you read the fine print, microsoft created vb, so i guess i will be sued."
i will keep using the internet for solutions, unless confronted by a popup, as "DaniWeb's" forum usually does, but not with a TOU..
if it did, stating that you can not copy and paste code, i would not. . plain and simple..
if they do not want viewers to link to their website, then, they should be added to the WOT ( world of trust ) as red flagged, even taken off search engines..
code is code.
one way or another, someone will code it .. they cannot hold copyrights as some nonsense paper signed by jesus himself, stating that it is god's code.
believe it or not, it is god's world, so all is, his code, or someone's, like the designer's of vb, or any other language.. hold copyrights for that! FOOLS! ..
-----------
do these websites ( lawyered up, without jesus ), providing code and information on how to code, explaining the code in details, want a fee?
i bet they all use vb.net express.
----------
i bet i could write a book on this.. roflmao.
nice post reed kimble, but for something like this, you will need a forum.
i live here and this is my reason.. trujade. lol Trujade, lol
I think you've done just fine around here - and I think you're making the correct call on when to link to someone else's content as reference.
On the TOUs, obviously nobody reads them under normal circumstances - but ANYTIME you want to fiddle with someone else's web content, you really have to scan the TOU or AUP and see what they allow you to do with their content. I'm not saying I agree with any of it from a social standpoint (I gotta kick outta your "...hold copyrights for that..." comment!), but from the perspective of someone who's been granted moderator privledeges, it is right to discourage any activity which has any obvious potential for legal reprocussion should the wrong individuals become involved.
And you are right; code is code. If it can be written, someone can write it. There will always be those who do things without regard to the possible consequences of the doing. But that doesn't mean that we have to make it easy for them. ;)
I, too, really like Martin. He, Riquel Dong, and other MSFT Mods have made a SIGNIFICANT impact in reducing the number of unanswered threads and helping to generally keep things clean... not to mention being rather brilliant and posting some really good stuff for users. I actually know Riquel better than Martin, but they have both proven to be fine fellows in my opinion.
One correction to make: you said "from the time of your appearance on this forum"... lol you mean "from the time of this forum's appearance on me"! hahaha You see, these VB forums actually started on www.windowsforms.net which I believe was a side-project site for some MSFT developers, much like Channel9 today. Either way, when the MSDN forums were created, the windowsforms forums were actually used as the foundation for the VB portion of the MSDN forum site. There are actually still a number of us "old schoolers" (LOL) who started on the forums back in framework 1.0 or beta and were migrated with the content onto these forums. So I've actually been around LONGER than these forums... hahahaha!
Finally, thanks for the kind words. :) I don't think there are many people who don't enjoy an unassumed "well done" every now and again.
Reed Kimble - "When you do things right, people won't be sure you've done anything at all"So I've actually been around LONGER than these forums... hahahaha!
Hi Reed,
Myself included. :-) ;-) Back then my forum I.D. was not my real name.
I can't remember the old forum area url where these Vb.Net forums were moved from even!!
<edit> I've just found it!! We were moved from.>>
http://social.microsoft.com/Forums/en-US/categories </edit>
I have stumbled upon this list though.>>
http://www.microsoft.com/communities/forums/default.mspx
which includes these popular ones.>>
Most Popular
• MSDN Forums • TechNet Forums • Microsoft Answers Forums
Regards,
John
I'm currently looking for work in Vb.Net software development. :-)- [JackAssMode=On]
Can any perhaps tell me how to attach my code to an existing non-managed exe?
My intensions are benevolent. I promise :-p
[JackAssMode=Off]
Agreed. A lot of malware comes from young developers that has not yet starting making money in a productive manner or are simply just bored.
There are tons of forums with tons of mallicious code out there. Because we are too eager to help. I know I have that problem. Impecible trust. I will always trust that actions and intensions are benevolent until prooven otherwise, and what follows is regret.
This thread should definatly be sticky and stay sticky.
Reed,
i know this is a hard subject to deal with. the honest people don't want to help maliscious code writers.
first, i know what prompted you to start this thread was the "spam email thread". i don't know enough about what all is sent with an email or why it would need to be hidden. is there anything sent with an email which could be considered private and might need to be protected that would be worth hiding? curious about that one. i really didn't pay close attention to what the poster was wanting to hide really.
what i have been thinking about for some time is code that can be used for maliscious purposes but can also be used to help stop maliscious users as well.
examples
keylogging - could be used to monitor others computers to steal information but can also be used to monitor users on your own computers. business employees for example.
hide processes or control the task manager - could be used to prevent users from stopping maliscious programs but can also be used to prevent users from stopping programs such as keyloggers on employee computers.
could probably name some more but you know what i mean. people here may be looking to write maliscious programs but some may be wanting to write programs for protection as well. or maybe they are learning for ethical hacking.
i have been interested in hacking and maliscious software for some time. not for maliscious purposes but for an understanding of how it works and learn how to protect myself from it better. we all have had the issues of trying to protect our computers, information and our software. i have even put some of my software on hold because of the ease of pirating. i have been slowly moving my software online which has been good so far as i can atleast hide my code. it's a start.
i guess the hard part is that code which can be used for maliscious purposes can also be used for good. i would not want to discourage the good "bad code" writers. they may end up looking for help from all the hacker sites, etc...
what do you think?
FREE DEVELOPER TOOLS, CODE & PROJECTS at www.srsoft.us Database Code Generator and Tutorial- Hi Jeff,
On the email question, the answer is basically "no". The default information in the email headers are simply sender, recipient, and message identifiers. There is a protocol to follow for SMTP transmissions and so certain information is expected to be both provided and accurate, otherwise the transmission may fail. Think about it this way: if you want to send someone a letter, you use the postal service. This service has a certain set of rules, or protocol, that it expects you to follow. First, they don't take letters; they expect you to place the letter in an envelope (e.g. wrap a message in headers). Not just any envelope will work - it needs to conform to certain specifications for a "letter". Next they expect you to place the recipient's name and address, as well as your name and address, on the outside of the envelope. Finally, they expect you to place postage on the envelope. If you've met all of the conditions of the protocol, then the postal service will deliver your letter as intended. If you fail to include any of the required items, the service will not deliver your letter. If you fake any of the required information, then your letter may or may not arrrive at the appropriate destination and you may or may not violate one or more federal laws (depending on what info you fake and how you fake it).
You can think of sending email in pretty much the same way. The SMTP server is a postal service. You are expected to follow it's protocol. If you don't, it has no responsibility to deliver your message as intended. If you lie in these transmissions, there could be legal reprocussions depending on what it was, what you did, and who you sent it to.
As for the malicious code/white-hat hacker... First, there are formal classes for white-hat training and I don't think these forums were intended for that purpose, despite how useful they may be. And apps like Keyloggers are hard to justify in any circumstance, and may be illegal to use depending on if they are announced or not, who owns the computer, state laws, the mood of a judge on a given occasion, etc., etc., etc. Immoral rarely stays a step ahead of illegal... It is just hard to imagine the circumstance in which a Keylogger is truly the best answer for a problem, given all the other security measures out there.
So I do understand your point, however, these forums are simply too loosely managed to support such sensative topics. With no true validation of posters and open access for anyone to view, this just isn't a good place to discuss such topics. Perhaps if someone reading this knows of a good white-hat website, they will share the link. Obviously I could search and find some, but I wouldn't really know anything about them.
Think about it this way: if we were Navy SEALs, would an open, public forum be a good place to discuss the best method by which 30 armed men could be silently dispatched by a group of four or five guys? Probably not.
At any rate, that is my take on the situation. :)
Reed Kimble - "When you do things right, people won't be sure you've done anything at all" - I have placed several web automation posts recently and I can assure you the intent is not malicious code.
We are faced with many fill in the blanks pages at a legacy government web site that can easily be automated from data stored in our database. We have cut our data entry times by 90%.
I also wrote routines that did 5+ automated drill downs that we needed to do to get all the information we needed. The user had to drill down, print, back up, drill down, print, etc. etc. which could take 5-10 minutes. They now get a report with one click in about 30 seconds.
We are truly greatful to those that replied to my posts - thanks!
