Softpanorama


Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80. October, 2013



Chapter 4: Boot and file viruses

Ch. 4: Part 1: Boot viruses

Contents

1. Introduction
2. The disk partitioning, MBR and boot sector
3. Prophylactics
4. How do I remove a boot virus from the hard drive
5. How do I remove boot viruses from diskettes?
6. The most common boot viruses
6.1. The Form virus
6.2. The AntiExe virus
6.3. The Monkey virus
6.4. AntiCMOS.A
6.5. NYB virus
6.6. Stoned
7. What to do if F-prot is unable to disinfect the virus
7.1. Using FDISK /MBR in case when F-prot is unable to recover MBR.
7.2. Using a hex editor (for advanced users only)

Microsoft Blunders

8. Additional information about partitioning

Introduction

This document contains information about the removal of boot viruses and descriptions of several of the most frequently found boot viruses: AntiCMOS.A, Form, AntiEXE, Monkey, Stoned.

Boot viruses are the second most important class of viruses after MS Word macro viruses, and in 1997 they were estimated to account for 40% of all virus infections. They became less widespread in 1998 and 1999, but I do not know any particular figures about the percentage of incidents due to these viruses now, as I have been out of this business since 1998.

At the time of writing AV programs do not deal with boot viruses intelligently enough (they are often confused by special drivers, sandwiched infections, etc.), but nevertheless they recognize and remove them much more effectively than other types of viruses.

Please keep in mind that the word "current" in this chapter of the book usually means "November 1997" -- the time when this text was written ;-).

Infection by the boot virus can sometimes lead to symptoms that look more like a hardware problem:

Most often a boot virus is detected when some AV program reports that it found a virus in memory. That can be true, or it can be a false positive.

It is important to write down the name of the virus. All modern AV programs have a help file that will provide you with some (often misleading) information about this particular virus. If you still have access to the Web from another computer, you can use the AVP encyclopedia -- probably the best source of information about boot viruses. At least this source is honest and will state some basic facts: whether the virus is an MBR or a boot sector virus, and whether it depends on the version of the operating system. Actually the most important information is whether the virus is FAT32 aware (usually boot viruses are not). Other than that, boot viruses are pretty much MS-DOS version independent, but they usually destroy the loaders of other operating systems (NT, Linux, etc.), and the system will not boot after the infection.

BTW, file viruses, especially complex ones, are usually much more sensitive to the version of MS DOS and do not survive more than a couple of generations of MS DOS.

If you run F-prot (F-prot is free for non-commercial users) you can use the help file that comes with F-prot.

To remove the virus you need to have a special bootable disk that I will call AV Rescue Disk (See supplement 1). See AV-Rescue on how to create one. Once you have removed the virus from your hard disk, be sure to scan all your diskettes -- especially those that you have used recently -- usually all of them will be infected too.

This chapter, like the whole book, is written and maintained as a service to the community under the GPL license, and I would appreciate feedback, if any.

The disk partitioning, MBR and boot sector

Hard drives have one or more rotating platters and a moving arm with read/write heads attached to it - one head on each side of each platter. The arm can move and stop at a certain number of positions. When it stops, each head can read or write data on the underlying track. Every read or write has to be done in blocks of bytes, called sectors. Sectors are usually 512 bytes long and there is a fixed number of sectors on each track.

Old drives operated with cylinders, heads and sectors -- so-called CHS addressing. There are several things that you have to know about CHS addressing. The maximum allowable values for CHS addressing mode are 0..1023, 0..255, 1..63 for cylinders, heads, and sectors respectively. If you multiply the number of possible values of each (and the 512-byte sector size) you will see that the largest hard disk that can be addressed with CHS is 8G. Therefore, if your disk is 12G, many programs will see only 8G, because they use CHS. If a drive has, say, 1200 cylinders, you are also in trouble, but fortunately the number of heads can help -- few drives have more than 6 heads.

When IDE (Integrated Drive Electronics) disks came out they had a little processor on each drive. This gives the possibility to translate the real CHS geometry into a virtual one by pretending that the disk always has 256 heads and 63 sectors per track and calculating the number of cylinders accordingly.

The newest drives have an even simpler interface. Instead of addressing sectors by their CHS (cylinder, head, sector) address they use LBA (Logical Block Addressing) mode. In LBA mode a program has to give only the number of the sector counted from the beginning of the disk (all sectors on the disk are numbered 0, 1, 2, 3, ... ). In addition to that, new disks have an internal cache. This can speed up disk access, because they can read data into the buffer using all four heads at the same time.

Virtually all modern operating systems use LBA addressing, but the CHS notation is still around. First of all, MS-DOS, which is almost 20 years old, uses only CHS. Also some programs, like Partition Magic, would not work if partitions do not start at the cylinder or side boundary. And finally, it is easier to talk about hundreds of cylinders than about millions of sectors. Therefore we will be using CHS notation throughout this discussion.

How are disks partitioned?

The idea of a partition is that one physical disk can be split into several logical ones. The latter can belong to the same or to different OSes. Generally a partition is a contiguous section of cylinders on your hard disk that is treated like a completely separate disk by most operating systems. It is fairly clear that partitions should not overlap, but reality is not that simple (extended partitions can contain several logical partitions, see below).

It's clear that the gap between adjacent partitions should be minimal, if it exists at all -- otherwise you will waste your disk space. A disk need not be partitioned completely. You may decide to leave some space at the end of your disk that is not yet assigned to any of your installed operating systems. Later, when it is clear which installation you use most of the time, you can partition this leftover space and put a file system on it.

The partitioning of the disk is written by a special program, fdisk, that creates the so-called Master Boot Record (MBR). All hard disks on all IBM compatible computers are partitioned in the same way. The first sector of the disk, called the MBR (Master Boot Record), which we will be discussing in detail later, contains the partition table.

The partition table occupies 64 bytes in physical sector 0, starting at offset 446 (1BEh). There is room for information about four partitions. Each partition requires 16 bytes of information; thus, if you have only one partition, only the first 16 bytes will be used and the remaining 48 bytes will be zeroes. The active partition (usually the first one) starts with 80h; other partitions start with 00h. The two bytes right after the partition table should be 55 AA. Make a note of the values in the partition table. For example:

Hard Drive Structure

MBR partition table (columns: Partition type; Cyl, Side, Sect; Cyl, Side, Sect; Size)
1. DOS FAT-16
2. Unused
3. Unused
4. Unused

System blocks of the hard drive: MBR, boot sector, FAT1, FAT2, Root directory, Data clusters

Note that the MBR occupies one sector at cylinder 0, side 0, sector 1 and the partition starts at cylinder 0, side 1, sector 1. The 62-sector gap between them was left unused, because we want all partitions to start at a cylinder boundary or, at least, at a side boundary. This is not required with LBA, but we need to follow this rule to keep old software (MS-DOS, for example) happy.

Another important point that I want to make is that Operating System and File System are different things, although many people use the terms interchangeably. The Operating System controls the CPU and lets different application programs run on the computer and use different system resources. The File System is a way to organize files and directories on the hard disk. Different operating systems can use the same filesystem (Windows 95 and NT can use FAT16).

In our example all we know is that we have a FAT-16 file system, and we have no idea which operating system is installed on it. It could be MS-DOS 6.22, it could be Windows 95 or NT, or it could be all three of them installed in different directories in the same partition. With some additional effort we could install Linux in the other (currently unused) partitions.

A copy of the MBR is important as a safeguard in case of computer crashes. For example, if the system crashes in such a way that the MBR gets corrupted, you will lose access to all your files, because the MBR table tells where each partition is located on the disk. The MBR table is so important that there are a lot of utilities that can save backup copies of it. One of the most popular is image from Norton Utilities.

Every user should have a copy of the disk MBR (and several other important system blocks) on a special rescue floppy. First of all, experience shows that most boot viruses infect the MBR and, secondly, in the majority of cases it is sufficient to have a copy of your MBR to disinfect a boot virus even without knowing much about it.

How does a computer boot up?

Along with the MBR table, the first sector contains a small program -- the initial program loader (IPL). A virus replaces this initial program loader with itself and may or may not save the content of the sector in some other sector (often marked as bad).

The structure of MBR sector

IPL -- Initial Program Loader | four MBR table elements (16 bytes each) | Signature (2 bytes)

Structure of the element of MBR table

Active | Starting CHS | Type | Ending CHS | Starting Sector | Number of sectors in the partition
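
An added example, not part of the original chapter: a Python check that decodes the four 16-byte table elements at offset 446 and compares a sector with a saved copy of the MBR, as the rescue-floppy advice above suggests. The sample sector, its 16-head/63-sector geometry and the partition type byte 06h are constructed for the illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # 1BEh: the 64-byte partition table starts here
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"       # the two bytes right after the table


def decode_chs(raw):
    """3-byte CHS field -> (cylinder, side, sector); the cylinder has 10 bits."""
    head, sec_cyl, cyl_low = raw
    return ((sec_cyl & 0xC0) << 2) | cyl_low, head, sec_cyl & 0x3F


def encode_chs(cyl, head, sec):
    """Inverse of decode_chs, used only to build the constructed sample."""
    return bytes([head, ((cyl >> 8) << 6) | sec, cyl & 0xFF])


def chs_to_lba(chs, heads, sectors_per_track):
    """Sector number from the start of the disk for a CHS address."""
    cyl, head, sec = chs
    return (cyl * heads + head) * sectors_per_track + sec - 1


def parse_mbr(sector):
    """Split a 512-byte MBR into IPL code, four table elements and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        active, start, ptype, end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_SIZE])
        entries.append({"active": active, "type": ptype,
                        "start_chs": decode_chs(start),
                        "end_chs": decode_chs(end),
                        "start_sector": lba, "sectors": count})
    return {"ipl": sector[:TABLE_OFFSET], "entries": entries,
            "signature": sector[510:512]}


def check_mbr(sector, backup=None, geometry=None):
    """Return a list of findings; an empty list means nothing suspicious."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != SIGNATURE:
        findings.append("signature is not 55 AA")
    used = [e for e in mbr["entries"] if e["type"] != 0]
    if not used:
        findings.append("no partition defined")
    for n, e in enumerate(mbr["entries"], 1):
        if e["active"] not in (0x00, 0x80):
            findings.append(f"element {n}: active byte is neither 00h nor 80h")
        if e["type"] != 0 and (e["start_sector"] == 0 or e["sectors"] == 0):
            findings.append(f"element {n}: used element with empty extent")
        # CHS saturates at cylinder 1023, so only compare below that limit.
        if (geometry and e["type"] != 0 and e["start_chs"][0] < 1023
                and chs_to_lba(e["start_chs"], *geometry) != e["start_sector"]):
            findings.append(f"element {n}: starting CHS and sector disagree")
    if sum(e["active"] == 0x80 for e in mbr["entries"]) > 1:
        findings.append("more than one active partition")
    spans = sorted((e["start_sector"], e["start_sector"] + e["sectors"])
                   for e in used)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("partitions overlap")
    if backup is not None:
        saved = parse_mbr(backup)
        if saved["ipl"] != mbr["ipl"]:
            findings.append("IPL differs from backup")
        if saved["entries"] != mbr["entries"]:
            findings.append("partition table differs from backup")
    return findings


def build_sample_mbr(ipl_fill=0x90):
    """Constructed sample: one active FAT-16 partition at cyl 0, side 1, sect 1."""
    entry = struct.pack("<B3sB3sII", 0x80, encode_chs(0, 1, 1), 0x06,
                        encode_chs(519, 15, 63), 63, 520 * 16 * 63 - 63)
    table = entry + bytes(ENTRY_SIZE * 3)
    return bytes([ipl_fill]) * TABLE_OFFSET + table + SIGNATURE


if __name__ == "__main__":
    backup = build_sample_mbr()                      # copy kept on the rescue floppy
    print(check_mbr(backup, backup, geometry=(16, 63)))
    print(check_mbr(build_sample_mbr(ipl_fill=0xCC), backup))   # loader replaced
    print(check_mbr(bytes(SECTOR_SIZE)))             # no valid partition data at all
```

Because stealth viruses return the old MBR while they are resident, the sector should be read only after booting from clean, write-protected media.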


Prophylactics

A typical scenario of infection by a boot virus consists of three distinct steps:

Step 1: The user puts a floppy into a computer that is already infected, and the boot virus instantly infects it by replacing the boot sector.

Step 2: After that the user takes this floppy to another computer and puts the infected floppy in drive A: to read or write some file on it.

Step 3: Then he/she turns the PC off and forgets to remove the floppy from the drive. The next time he/she turns the PC on, it will try to boot not from the hard drive but from the infected floppy forgotten in drive A. Rebooting will load the virus into memory from the boot sector of the floppy (a floppy does not have an MBR). After loading into memory the virus will infect the hard drive (either the MBR or the boot sector, depending on the type of the boot virus) and will intercept all write requests to floppies, so that any floppy you work with will be infected too. So after turning the computer off it is wise to remove the diskette from the drive. In this case you will never boot from a floppy, unless you really want to do so.


The simplest and most effective defense strategy is to prevent execution of the virus code from the floppy boot sector after rebooting (step 3). That can be done by switching the boot sequence to C, A (via Setup). To do this one needs to go to CMOS Setup. On Compaq computers that can be done by pressing F10 when the cursor jumps to the last column of the first line. On Dell computers one needs to press the DEL key after the message "Please press DEL key to go to SETUP" appears on the screen. In this case you will avoid infection, but the virus will still be present on the floppy and can potentially infect other computers that do not have the C, A boot sequence.

The second important measure is to periodically check the floppies that you use. Boot viruses infect your computer in one case only -- when you accidentally forget an infected floppy in drive A and reboot the computer from this floppy. So only floppies that you use on other computers need to be checked.

At the same time, the floppy does not need to contain an operating system for the boot virus to infect the computer. This is just one of the questionable designs of the BIOS: it does not recognize a special (unbootable) type of floppy and treats all floppies in the same manner.

In other words, in the PC world it does not matter whether the floppy is bootable or not -- the BIOS always tries to execute the floppy boot sector if the floppy is first in the search path (again, C, A can help, as I mentioned before). If the disk does not contain MS DOS (system files that constitute MS DOS are ......) the code in the standard boot sector will display a message. Again, I would like to stress that it is the code in the floppy boot sector that displays the message. If MS DOS was not found you will see a message similar to this:

Non-System disk or disk error.
 Replace and strike any key when ready

but if your floppy was infected, this message will appear only after your hard drive has been infected and the virus has installed itself in memory.

If you see this message, you can immediately reboot from the AV Rescue Disk and use option B to check if boot sector is infected.

It is also clear that if we destroy the virus code at step 2, the infection will be impossible. We can destroy the virus by overwriting it with a new boot sector, or by putting zeros into the boot code -- a non-bootable disk does not need a valid loader to work properly.

The ability to proactively destroy the IPL of the floppy boot sector when a floppy is inserted in the drive without write protection can be a really strong security measure, worth implementing in organizations where you do not want to take chances against boot viruses. The idea is very simple -- if a floppy inserted into the drive is not write-protected, then a special resident program overwrites the boot sector of the floppy on the spot. In 1992-1994 I successfully used this trick in a university environment -- one of the most virus-intensive environments that one can imagine ;-). The program was implemented as a driver for DOS 5.0.
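
The overwrite-on-insert idea above, as an added Python example (not the author's DOS 5.0 driver): it keeps the disk parameter block of a floppy boot sector and replaces everything executable with a halt loop rather than plain zeros, so a forgotten floppy simply stops the boot. It assumes the FAT12/16 layout in which boot code starts at offset 3Eh and works on a disk image file; the sample sector is constructed.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_OFFSET = 0x3E       # assumption: FAT12/16, code follows the extended BPB
SIGNATURE_OFFSET = 510
JUMP = b"\xeb\x3c\x90"        # jmp short 3Eh; nop
HALT_STUB = b"\xfa\xf4\xeb\xfd"   # cli; hlt; jmp back to the hlt


def neutralize_boot_sector(sector):
    """Return a copy of the sector with the BPB kept and all boot code removed."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a boot sector is exactly 512 bytes")
    # Bytes-per-sector field of the BPB; refuse to touch a sector whose
    # parameter block is already implausible, since it could not be preserved.
    (bytes_per_sector,) = struct.unpack_from("<H", sector, 11)
    if bytes_per_sector != SECTOR_SIZE:
        raise ValueError("BPB does not describe 512-byte sectors")
    out = bytearray(sector)
    out[0:3] = JUMP
    code_len = SIGNATURE_OFFSET - BOOT_CODE_OFFSET
    out[BOOT_CODE_OFFSET:SIGNATURE_OFFSET] = HALT_STUB.ljust(code_len, b"\x00")
    out[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(out)


def neutralize_image(path):
    """Rewrite sector 0 of a floppy image in place; return the old sector."""
    with open(path, "r+b") as img:
        original = img.read(SECTOR_SIZE)
        cleaned = neutralize_boot_sector(original)
        img.seek(0)
        img.write(cleaned)
    return original            # keep it: it may hold a sample worth examining


def build_sample_boot_sector():
    """Constructed 1.44M-style sector; CCh filler stands in for unknown boot code."""
    bpb = struct.pack("<HBHBHHBHHH", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    head = (b"\xeb\x53\x90" + b"SAMPLE  " + bpb).ljust(BOOT_CODE_OFFSET, b"\x00")
    filler = b"\xcc" * (SIGNATURE_OFFSET - BOOT_CODE_OFFSET)
    return head + filler + b"\x55\xaa"
```

The file system on the diskette stays readable because only the jump and the code area change; the FATs, the root directory and the data are not touched.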

For military organizations, chemical factories and other organizations that need strong security, the best way is to implement changes in the flash BIOS (and not to forget to make the flash BIOS write-protected with a hardware switch ;-). These two simple changes include:

3. How do I remove a boot virus from the hard drive

The easiest way is to use the AV Rescue Disk -- in this case you can be certain to have a non-infected environment for removal. AV programs from Eastern Europe will usually remove the virus from memory first and then from the boot sector, even on an infected computer.

Important: The disk should be write-protected before booting from it. After removing the virus from your hard disk please scan all your diskettes. Most probably they are infected too, and without disinfection you will reinfect the computer again and again.

Attention: sometimes the Form virus is combined with another boot virus to form a "sandwich infection". As of late 1997 F-prot does not recognize "sandwiched infections" and will remove only the first virus it finds. So it is recommended to check whether another virus exists after disinfection by rebooting from the AV Rescue Disk and checking the hard drive with option B again.

4. How do I remove boot viruses from diskettes?

After removing a boot virus from your hard disk, it's important to scan all your diskettes. All boot viruses also infect diskettes; if you don't remove the virus from your diskettes, you'll probably just reinfect your hard disk.

It's important to understand that a boot virus can infect apparently "empty" diskettes. This is because it infects the diskette's boot record, at sector 0. Therefore, you have to scan all your diskettes for viruses. Try to scan a couple of empty diskettes from your box too -- although I never saw such a case myself, there were several reports of rare cases when diskettes were infected at manufacturer sites.

Removing a boot virus from a floppy is as simple as overwriting the boot sector. One can do it manually with a hex editor, but it is not worth the trouble. Simpler options are:

Use an AV program that recognizes the virus. You can probably remove the virus from the diskette with an anti-virus program, for example F-prot.

If the diskette is empty or the data is unimportant, you can reformat the diskette.

If you want to preserve the data and do not have an AV program, or have used the floppy on another computer and do not want to take any chances, you can overwrite the boot sector with the SYS command, which installs MS DOS on the floppy, and then delete the system files, as you do not need them (or leave them alone -- they do not take much space). To do that enter the command

SYS A:

from DOS command line.

Another option is to use Norton Utility’s Disk Tools and choose to "Make a disk bootable". This will work in some circumstances where

SYS A:

will not (you need to have some empty space on the floppy for sys command to be successful).

5. The most common boot viruses

The Form virus

The Form virus is a typical one-sector boot virus. It infects the boot sector of floppy disks and the boot sector of the hard drive. It is quite an old virus, very common in the NY/NJ area.

Disinfection: It could be disinfected with option B or option D of the AV Rescue Disk.

The virus has several variants. Form.A is the most widespread and after installation decreases DOS memory by 3K (3072 bytes). So if available DOS memory was 640K (655,344 bytes) it becomes 637K (652,288 bytes). So CHKDSK will report "652,288 total bytes memory", and MSD will report 637K of conventional memory.

The Form virus activates on different days of the month, depending on the strain; the 16th, the 18th and the 24th days are the most common. If you start your computer on one of these days the virus will make a clicking sound from the computer speaker on each key pressed on the keyboard.

On hard disks, the original boot sector is written by the virus to the last sector of the infected hard drive and may be overwritten. In this (rare) case computer will fail on boot.

The AntiExe virus

The AntiEXE virus is a typical boot sector virus. The virus consists of 2 sectors: the boot record and one additional hard disk or diskette sector. Hard drives are infected on an accidental reboot from an infected floppy.

AntiEXE overwrites the Master Boot Record without saving the original. The virus itself contains all of the necessary information of a standard Master Boot Record. If a bootup is attempted from an infected diskette, the boot sequence is redirected to the hard drive (it is as if there was no floppy in the drive) to check if it is infected.

The virus infects the MBR of the hard drive and the boot sector on diskettes. It subtracts 1 kilobyte from the amount of memory which will become available to DOS after booting. On a hard drive, the original MBR will have been stored at Track 0, Sector 13, Head 0.

Generally this virus only replicates. But there are 2 destructive fragments in the virus code which could be triggered in very rare circumstances:

Please use the AV Rescue Disk to remove this virus. It can be created by running the AVDISK file.

The Monkey virus

The Monkey virus was first discovered in Edmonton, Canada, in 1991. The virus spread quickly to USA, Australia and UK. At present it is one of the most common boot sector viruses.

As the name indicates, Monkey is a distant relative of Stoned. Its technical properties make it quite a remarkable virus, however. The virus infects the Master Boot Records of hard disks and the DOS boot records of diskettes, just like Stoned. Monkey spreads only through diskettes.

Monkey does not let the original partition table remain in its proper place in the Master Boot Record, as Stoned does. Instead it moves the whole Master Boot Record to the hard disk's third sector, and replaces it with its own code. The hard disk is inaccessible after a diskette boot, since the operating system cannot find valid partition data in the Master Boot Record - attempts to use the hard disk result in the DOS error message "Invalid drive specification".

When the computer is booted from the hard disk, the virus is executed first, and the hard disk can thereafter be used normally. The virus is not, therefore, easily noticeable, unless the computer is booted from a diskette.

The fact that Monkey encrypts the Master Boot Record besides relocating it on the disk makes the virus more difficult to remove. In DOS the changes to the Master Boot Record cannot be detected while the virus is active, since it reroutes the BIOS-level disk calls through its own code. Upon inspection, the hard disk seems to be in its original shape.

FDISK /MBR should not be used with Monkey. Although it will destroy the actual virus code, the computer cannot be booted from the hard disk afterwards, as the partition table will not be recreated.

Monkey could be removed with option B of the AV Rescue Disk.

It is difficult to spot the virus, since it does not activate in any way. A one-kilobyte reduction in DOS memory is the only obvious sign of its presence. The memory can be checked with, for instance, DOS's CHKDSK and MEM programs. However, even if MEM reports that the computer has 639 kilobytes of basic memory instead of the more common 640 kilobytes, it does not necessarily mean that the computer is infected. In many computers, the BIOS allocates one kilobyte of basic memory for its own use.

Monkey does not recognize 2.88 megabyte ED diskettes, however, and partly overwrites their File Allocation Tables.

Note: When disinfecting Monkey with AV Rescue Disk please use option B. After disinfection please reboot and use option M. That will disinfect correctly from combinations of FORM and Monkey that are quite common.

AntiCMOS.A

The virus infects the MBR of the hard drive and the boot sector on diskettes. This virus may change the CMOS data. Disinfection is similar to AntiEXE (see above).

NYB virus

The NYB virus is a one-sector boot infector. It infects the boot sector on floppies and the MBR on the hard drive (like the Stoned virus). It can be detected by F-prot, or almost any other antivirus program.

The virus is very common, so reinfection is quite probable. Users are therefore strongly advised to check diskettes and switch to the boot sequence C, A (via Setup).

Like any other boot virus, NYB infects a machine when the user attempts to reboot it with a floppy inserted in the A drive. That's why having the boot sequence C, A is so important, as it automatically prevents the user from booting the machine from a floppy inattentively left in drive A.

After installation the virus decreases DOS memory by 2K (2048 bytes). So if available DOS memory was 640K (655,344 bytes) it becomes 638K (653,296 bytes). So CHKDSK will report "653,296 bytes total memory", and MSD will report 638K of conventional memory. The virus copies itself to this area of memory (which is hidden from DOS), stores the original Int 13h diskette handler interrupt, replaces the original Int 13h interrupt, issues a call to the replacement Int 13h handler which will result in infection of a previously uninfected hard disk, loads the original boot sector into memory and continues the boot process normally.

Like most boot viruses, NYB is a stealth virus, so the changes made to the MBR are not visible as long as the virus is resident.

Every time a floppy disk is accessed, there is a 1/512 chance that the virus activates. The virus then sends the floppy drive head repeatedly from track 0 sector 0 to track 255, sector 62. On standard floppy drives, such areas do not exist. On some floppy drives there is no validity checking on these values, and so the floppy head might hit the stopper again and again. This might cause some physical damage to the floppy drive, but only if the routine is allowed to continue for some time.

There is also another activation routine, which went unnoticed by virus researchers for a long time. The virus will crash the machine if the hard disk is written to when the hour and minute fields of the system clock are zero (i.e. right after midnight).

While infecting, NYB can corrupt a floppy with a lot of files in the root directory, because NYB moves the diskette's original boot record code to the last sector of the area used by the root directory, and if there were files listed in the overwritten sector, their entries will be lost. The files can still be rescued by Norton Utilities Undelete.

NYB is quite common in the NY/NJ area.

5.6. Stoned

Stoned replaces the Partition Boot Record, instead of the Boot Sector. This virus seems to have been designed to be harmless, but due to a mistake, it did not quite work out that way. On an infected diskette, the original boot sector is stored on track 0, head 1, and sector 3. This is the last sector of the root directory on a 360K diskette, so this will work unless the root directory contains more than 96 files, which is rather unlikely. Overwriting this sector on a 1.2M diskette is, however, much more likely to cause damage. Numerous variants exist of this virus, with no significant differences.

What to do if F-prot is unable to disinfect the virus

Using FDISK /MBR in case when F-prot is unable to recover MBR

This is a generic method for removing boot viruses that preserve the partition table (not all of them do) if the original code of the MBR was lost. It will only work with MS-DOS 5.0 and later. In this case you need to boot from the AV Rescue Disk and try to use the FDISK /MBR option. Do not proceed if you do not see the C: drive. If you see the message "Invalid drive specification" or a similar error message, do not proceed! However, if you can access all your drives after booting from the AV Rescue Disk, then the virus preserved the partition table and this method will work (provided, of course, that the AV Rescue Disk is not infected itself). In this case one can try the command:

FDISK /MBR


The undocumented /MBR key will write a new master boot record on your hard disk, overwriting the virus.

If you know the name of the virus, please check whether this virus has a file component as well -- in this case you should scan the hard drive again for viruses.

In rare cases both the MBR and the boot sector are infected, so scanning with a recent version of a decent AV program is recommended.

Using a hex editor (for advanced users only)

This method is for advanced users only. If you haven't used a hex editor before, this is not the time to learn. You need a hex editor which can edit the disk itself and not just files. Norton Utility's DiskEdit is a recommended tool. The first thing to do is to save the current content of the MBR to a floppy. Then you need to zero the whole MBR using Norton Disk Editor and only then try to use NDD to recover it:

NDD /REBUILD

After starting NDD, choose "Diagnose Disk", then have NDD rebuild the partition table. Repeat if you have more than one drive. This method is riskier, but usually it worked for me. To increase the chances of success I recommend first zeroing the whole MBR using Norton Disk Editor; use entirely at your own risk. You need to understand what you are doing or you can easily make your hard disk inaccessible and lose your data. After removing the virus from your hard disk, scan your diskettes.

Many MBR viruses use "stealth mode" (like a TSR) to hide the changes they made to the MBR. If you boot from an infected disk and use a hex editor to look at the MBR, what you are seeing is not the new infected MBR but the old uninfected MBR. You can use this to see what your partition table used to look like, and what you want it to look like again.

Here's what my partition table looks like. I have a single DOS partition. (This only applies to my particular disk, do not copy this example!)

Note that some viruses will corrupt the partition table. You should ensure that the values you see are appropriate for your disk. DiskEdit will "interpret" the partition table data; check it against the characteristics of your disk.

Here I would like to stress the importance of using a program like image from Norton Utilities to create a backup of your MBR, boot sector and FAT.

Additional information about partitions

We can only speculate about the reasons for choosing such a design, but there are two very obvious limitations. The first one is that the partition table has only four records, and you could not have more than four partitions if you did not have extended partitions. To understand the second one you have to know that, according to Microsoft, you can have only one primary partition on the disk and you cannot boot from logical drives, which means that you cannot have more than one DOS-like operating system on the computer, which is another way to cut off the competitors. In fact, you can have more than one primary FAT partition with different OSes installed on each -- that is a usual way to install Linux on a PC.

Microsoft Blunders

Boot sector problems are not solely Microsoft blunders. A large part of the guilt lies with BIOS manufacturers, which were slow to introduce any kind of protection from loading from floppies until 1997 or so (I saw a couple of BIOSes with boot sector scanning before booting, but this is probably not the best option -- overwriting of non-protected floppies is easier to implement). What Microsoft could do is to provide a /BOOT key for the format utility that can overwrite the IPL in the boot sector, and a warning on booting from a non write-protected floppy. The first measure would simplify preventive destruction of the IPL in the boot sector. The second would alert people about the danger.

Webliography to the chapter

Softpanorama Filesystems



Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.


Last modified: May 08, 2017