* Posts by Trevor_Pott

6991 publicly visible posts • joined 31 May 2010

Thanks ever so much Java, for that biz-wide rootkit infection

Trevor_Pott Gold badge

Re: Hmm

They generally are capable of PXE boot, but not configured for it. So you have to go into the BIOS and set it up; something that isn't going to happen when your phone call happens as the office is emptying and you get a "please just make this go away over the weekend, bye." :/

Trevor_Pott Gold badge

Re: "appearance and disappearance of some malicious Java archive files"

MSE flagged them as malicious, and this was logged. I had an app trawling writes to standard Windows events at the time making a second copy, so it caught them being flagged as such. By the time I looked at the computer (about 15 minutes later) the Jars were gone, along with most of MSE, Avast, the Windows logs, browser history and so forth.

So these jars showed up, MSE caught them as bad, but wasn't able to kill them. The rest you know. The following is what was seen:

Java/CVE-2011-3544.gen![insert a letter here]

Exploit:Java/CVE-2012-1723

Exploit:Java/CVE-2012-4681[insert letter here]

Exploit:Win32/Java (no qualifier?!?)

Now, CVE-2011-3544 and CVE-2012-1723 should not have affected a fully patched copy of Java. CVE-2012-4681 is just new enough that I can believe it might have been exploited if the user had “patched but not rebooted” or some such. Install logs for this system say that Java was up to date (Java 6u35).

What’s curious is seeing these together within a second of one another followed by the system going crazy. MSE lagged detection of CVE-2012-4681 by a day…so my working hypothesis is that the user went to a site that took a shotgun approach to Java exploits, at least one of which worked. (There may even have been more exploits to come; it is entirely possible that the payload went off before all the detections had been completed.)

The payload that worked nommed all the evidence, except for my little logger which caught the mentions of the files that shouldn’t have actually been an issue. Now, you can flog me all you want for the one stupid thing I actually did during this exercise, but I think making the call that “this crawled in through Java” is backed by reasonable evidence.

What I should have done was immediately image the system at a block level and get the image to Symantec/Kaspersky/etc with alacrity. Assuming the malware didn’t dban the blocks where it was stored, someone could have lifted the thing off of the recently deleted blocks and we might know more about it. Sadly, I got the call pre-coffee and simply set about trying to kill the thing. By the time I realised that I might actually be dealing with something totally unknown, it was too late; I’d made so many system changes that imaging the thing was likely pointless.

So this is why I say that Java is the most likely candidate. Nothing else was untoward on this system. It looks to me like someone out there has an updated Blacole toolkit with some terrifyingly new exploits in hand and is using it with abandon. That said, I am not a security expert. I do not work for Symantec, Kaspersky or any of these other firms. I can only look at the evidence I have and say “well, this looks like the attack vector, this looks like the end result, here’s how you nuke the buggers.”

I can only hope that by laying out a “how to kill it” in my post, someone is helped. If along the way a little bit of awareness is raised about the fact that Java in the browser is bad for us all, so much the better.

Frankly, I don't think Java needs to be singled out as "the only bad thing to run in your browser." I think that any extensions in a browser need to be vetted for necessity. That includes Flash, Silverlight, .net, various toolbars and more. Shrinking the attack surface is always a good idea.

In the case of Java, I have a particular hate on because of the frequency and severity of exploits, combined with the abysmal response from Oracle regarding patches. This gets combined with the sheer unavoidability of the product and the versioning issues that can and do crop up in real world use. It makes me ornery. Doubly so when the issues I described in my post – and the subsequent comments – occur.

So if I hath insulted the almighty JVM, please accept my apologies. It sure looks to me like it is at fault here. I can’t even blame the user for this one, and that bothers the hell out of me.
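The post above relies on a second, off-box copy of detection events surviving after the local logs were wiped. As an added example (not part of the original post or any tool it mentions), this sketch triages such a copy: it flags a burst of distinct Java exploit detections within a couple of seconds and lists records present in the forwarded copy but missing from the local log. The record format, timestamps, function names and thresholds are assumptions; the threat names follow the families listed in the post, with `<letter>` kept as a placeholder.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

Record = namedtuple("Record", "ts source name")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

# Constructed sample: the forwarded (second) copy, "ISO time | source | text".
FORWARDED_COPY = """\
2012-09-07T16:42:10 | MSE | Java/CVE-2011-3544.gen!<letter>
2012-09-07T16:42:10 | MSE | Exploit:Java/CVE-2012-1723
2012-09-07T16:42:11 | MSE | Exploit:Java/CVE-2012-4681<letter>
2012-09-07T16:42:11 | MSE | Exploit:Win32/Java
2012-09-07T16:58:30 | System | service start
"""

# Constructed sample: what the local log still holds after the incident.
LOCAL_LOG = """\
2012-09-07T16:58:30 | System | service start
"""


def parse(text):
    """Parse 'time | source | text' lines, skipping blank or malformed ones."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append(Record(ts, parts[1], parts[2]))
    return records


def family(name):
    """Collapse variant suffixes: use the CVE id when present, else the full name."""
    match = CVE_RE.search(name)
    return match.group(0) if match else name


def java_exploit_bursts(records, window=timedelta(seconds=2), min_distinct=3):
    """Return (start, end, families) for runs of Java detections that hit
    at least min_distinct different families within the time window."""
    hits = sorted((r for r in records if "java" in r.name.lower()),
                  key=lambda r: r.ts)
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j < len(hits) and hits[j].ts - hits[i].ts <= window:
            j += 1
        families = {family(r.name) for r in hits[i:j]}
        if len(families) >= min_distinct:
            bursts.append((hits[i].ts, hits[j - 1].ts, families))
            i = j  # continue after this burst
        else:
            i += 1
    return bursts


def missing_locally(forwarded, local):
    """Records seen in the forwarded copy that the local log no longer has."""
    local_set = set(local)
    return [r for r in forwarded if r not in local_set]


if __name__ == "__main__":
    forwarded = parse(FORWARDED_COPY)
    local = parse(LOCAL_LOG)
    for start, end, fams in java_exploit_bursts(forwarded):
        print(f"burst {start} .. {end}: {sorted(fams)}")
    for rec in missing_locally(forwarded, local):
        print(f"missing from local log: {rec.ts} {rec.source} {rec.name}")
```

A burst of several exploit families in one second matches the "shotgun" pattern described in the post, and any detection missing from the local log is a prompt to image the disk before making further changes.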

Trevor_Pott Gold badge

Re: [citation needed]

Every time I try to run anything that may affect a system configuration, Windows asks for administrator's credentials. The user is not a member of "Administrator" or "Power Users," only "Users." This is verified by taking the time to trace all the domain memberships, how they interact, and what privileges those security groups have on the local computer. The user itself does not have specific permissions on the local machine. Everything I can see points to the user account not having any administrative privileges on the local PC whatsoever.

I do not rule out the possibility that someone may have tweaked some obscure setting in the registry of the local computer before I took over administration of this system that somehow allowed this to occur despite the fact that the user appears in every other way to be unprivileged. Without going over the registry with a fine toothed comb, I cannot possibly know for sure. I do know that no extant GPOs exist that cause any such weirdness. The system is also an off-the-shelf HP consumer-targeted system; there is always the possibility that it simply shipped with a bizarre/obscure registry tweak that nobody is aware of.

That said, I have done the legwork on this. I wouldn’t be posting an article claiming that the thing crawled in through Java without being pretty damned sure that this is exactly what happened. I also don’t claim that it exploited the latest discussed vulnerability; I have absolutely no idea which vulnerability it exploited; for all I know it exploited a vulnerability that is a true zero-day and completely unknown outside the blackhat community.

I have determined that the browser in use at the time was Internet Explorer 9. I have gone over the IE9 settings; unless the malware in question changed the settings post-infection, it is entirely default. That should not allow Java, Flash or anything else to break out of a sandbox in usermode; and yet, it happened.

Look, as far as I can tell, this system is an off-the-shelf HP client system from about 2 years ago. It was attached to a domain run by an administrator that was pretty damned “by the book.” The GPOs and other configurations are pretty clear. WSUS automatically clears critical, security and definition updates for immediate install, and the user was diligent about keeping Java, Flash, etc up to date. Nobody played around with anything obscure because it simply was never required in this environment. It is as close to “off the shelf” as you can get for an SME install.

That’s what’s so scary about all of this. I would like to be able to write a “well damn it Jim, such and such happened because users are stupid” article. They get nods and smiles and sympathy from the readers instead of vicious personal attacks from a pool of internet piranhas.

Indeed, I have one such client that got slapped by their own stupidity on the same weekend. Nothing up to date, everything unmaintained, didn’t listen to my “disable java in your browser now” cries, and they run every user as local administrators. They got predictably pwned, but that’s not exactly interesting. (I like the billable hours, though!)

No, the guys that did it “by the book” and then got run over by something that crawled in through the internet are interesting. The CFO in question is a pretty honest guy; I asked him if he used a USB key, CD or anything in recent memory and no, he had not. I’ve checked every other vector I can think of, and nothing presents itself. So either something crawled in through Java and then broke out, or I.E. itself has a truly abominable zero day.

If I.E. has a zero day, the self-immolating Jars make no sense; why would Java anything be used as an intermediary there? Creating malware that requires something like Java be installed narrows your target availability unless Java itself is part of the vulnerability package you are exploiting to get the toehold into the system. This looks and smells like a Java vulnerability being exploited, probably in combination with something else. (http://arstechnica.com/security/2012/08/microsoft-defense-bypassed-in-2-weeks/ ???)

This is the first time I’ve seen a malware attack on a system that is reasonably properly defended. There is no obvious way this could have or should have occurred. If anyone has a better explanation I’m all ears on this; but I’ve spent an entire long weekend looking for obvious vulnerabilities in configuration and found none so far.

Trevor_Pott Gold badge

Re: Mr Pott, I tip my hat to you.

Two things: 1) I don't get physical access to the system for another couple of days. 2) I write a sysadmin blog, and my readers are important to me. If I can figure out how to kill the damn thing, maybe I can help someone stuck in a bad situation. If it helps just one guy stuck on the wrong end of a Teamviewer session, it's worth my Friday. :)

Trevor_Pott Gold badge

Re: @Trevor: even Microsoft Security Essentials can find and kill most variants

Fucked if I know. MSE seems "as good as the rest." Every malware vendor has gaps in coverage. I like Avast and MSE because they don't seem to step on each other's toes, so they can coexist. I prefer using multiple overlapping scanners on high-importance machines. Otherwise...prayer?

Nothing offers complete coverage. So we need to be ready with the re-install. Personally, I periodically run one-shot "second opinion" scanners such as housecall, even when they aren't resident. I don't trust any one scanner to find malware, so I throw the kitchen sink at things and hope it works.

Trevor_Pott Gold badge

Re: privilege escalation?!

I wish I had a definitive answer for you. I am 98% certain the initial attack was delivered through java in the browser to a non-administrative user. Then what? What does it execute? Is it using a java-native escalation, or some other exploit? How the hell did that bit of fail break out of its sandbox?

Then it ate itself. To me, this is the biggest indication that there was an unknown zero-day being used. The author of that malware did not want the initial payload to be examined by security companies. There are holes in the logs; I only even know that Jars appeared and disappeared because I had a completely separate app on debug for a completely different reason. (Trying to debug something involving Office 365.) It caught the logs thrown by MSE before it was annihilated (and all of its logs, browser history etc) with it.

Something crawled in through Java. Then it ate itself, the anti-virus packages, the logs and installed new friends. The user was not running as admin. So I don't really care if it used a native flaw in Java to escalate privs enough to do that, or if it cascaded other flaws once the userspace code had been delivered. Java was the initial vector, and Windows cracked like an egg after that.

Trevor_Pott Gold badge

Re: "have no idea what the initial vector was"

The user was not running as admin. Their antivirus was up to date. Their browsers were up to date. Their browser extensions were minimalistic. Jars showed up and then disappeared; shortly thereafter the system was pwned.

If you have a different attack vector for that, I am all ears.

Trevor_Pott Gold badge

Re: ...for those running as root

sudo passwd root

Enter a password

Now you can log in to the GUI. What's so hard about that?

Trevor_Pott Gold badge

Re: ...for those running as root

Set a root password. Then you can log into the GUI as root.

Trevor_Pott Gold badge

Re: @ Trevor_Pott

If you are calling me a Linux fanboy, I'm going to ask you to back that statement up with some sort of evidence. For the record, these are the following things I am a "fanboy" of (in rough order):

1) My wife, close friends and selected coworkers.

2) Ninite.com (Just. Frakking. Works.)

3) Cyanogenmod (My phone. MINE.)

4) A significant chunk of The Register's writers, current and departed (I miss Sarah.)

5) Ars Technica's Nobel Intent (Science, bitches!)

6) Evidence-based legislation (Science, bitches!)

7) Mars Rovers (Science, bitches!)

8) Intel networking (Just. Frakking. Works.)

9) Jose Barreto (Awesome guy working for Microsoft's storage team.)

10) Classic Shell (I want my goddamned up button back!)

My definition of "fanboy" means I give those individuals, people, products and concepts on this list "the benefit of the doubt." It means I will accept at face value what is presented. I will trust what they have to say without the need for significant deep dives; this trust has been earned over time.

By nature however, I am a cynical person. I do the research, I question everything. So if you are suggesting that "Linux is the most compromised X on the planet" and that "anyone who believes otherwise is a Linux fanboy," I am going to call you on it. That goes against every scrap of evidence I have; prove your accusation.

Linux is not the most compromised webserver, despite being the most dominant. Various web APPLICATIONS (frequently, but not exclusively run on Linux) are vulnerable as hell...but these web apps lead to compromise on Windows as well as Linux. The actual underlying technology is significantly less assailable than the competition; shocking considering the many issues surrounding Linux governance and implementation.

So...prove it. Prove that Windows is "more secure" for the same tasks running the same apps. Especially when both are properly configured and hardened for a production environment. Prove also that those who disagree are "Linux fanboys," instead of people who have different - possibly more accurate - information than you are working from.

...you can prove that, can't you?

Trevor_Pott Gold badge
Pint

Re: @Trevor

I remember something about that. ;)

Trevor_Pott Gold badge

Re: The only use for java these days

Disables fine in Chrome and Firefox. Even when "disabled" in IE, the thing still can be called. How that works, well...comments, Microsoft? I'd love to hear the explanation.

Trevor_Pott Gold badge

Re: ...for those running as root

Do you have any idea how many Ubuntu users I catch running as root? It gives me a sad.

Trevor_Pott Gold badge

Given the complex web of how things are run in Windows, who knows what happened to allow infection? The user running this was not an administrator on the local PC. How then did this get the kinds of privs necessary to install a rootkit? Browser glitch? Did it pop up a "run escalated" box? (User says no, but...they're a user...)

I have no idea how something crawling through Java could install a rootkit on a non-administrative user. And yet, it did. So is this something that uses multiple vulnerabilities in multiple products, or is there a whole new zero-day at work here that we just don't know about?

I'm open to thoughts on this.

Trevor_Pott Gold badge

Re: even Microsoft Security Essentials can find and kill most variants

Try it in practice. You'll sing a different tune. MSE cannot kill a single rootkit under active development. It can eliminate very old rootkits. Anything actively maintained will go through MSE like a hot knife through butter. It won't even see them, let alone be able to defang them.

FFS man, don't come in here and spread propaganda; we're actually trying to help people cope with real world issues here. This is not the time or the place for you pro Microsoft crap; especially when so much of it is half truths wrapped in outright lies. The lack of context in everything you’ve ever written in the comments section of The Register is appalling.

Please astroturf elsewhere.

Trevor_Pott Gold badge

Re: Lets not just blame java here

Richto; who is paying you and how much? The amount of utterly bullshit FUD you spread about Linux is amazing. Honestly though, which company foots the bill? I'm really curious.

Trevor_Pott Gold badge

Re: even Microsoft Security Essentials can find and kill most variants

Oh? Do tell. It is an actively versioned bit of malware, so it is a moving target for everyone. But in my experience, if MSE can kill it, it isn't all that relevant. MSE cannot however kill rootkits like Zeroaccess. They are a threat.

Sirefef will be isolated by and contained by MSE unless we're talking about the very latest greatest variant. It won't get a chance to download buddies. Unfortunately, whatever the primary vector was murdered MSE before installing Sirefef.

Trevor_Pott Gold badge

Nope. I blame Java for letting the bastard in the door and giving it escalated privs on an account not running as administrator. The fact that once in, the satellite infections played merry hob with a Windows system is just par for the course. Protect the edges if you know that the center is soft and chewy. Nothing I can do about Windows; but I can uninstall the infection vector...Java.

Trevor_Pott Gold badge

Re: The only use for java these days

Um...what? OSX is actively under attack using these vulns...as is Ubuntu for those running as root...

Trevor_Pott Gold badge

Re: Hmm

How many PCs do you know of that you buy at the local electronics store come preconfigured for PXE boot? Not a large enterprise; systems are not configured for image-based dissemination. Main office has only 11 people! Everything is on the other end of wet-noodle VPN. Nah; these folks use Best-Buy specials and the previous admin left such a mess that two months later I'm still picking up pieces.

At this point, it wouldn't be an "image" either. It would be a clean install. And there is a lot of CFO-only software to get off that thing...

Trevor_Pott Gold badge

Re: question

The user was not a member of the administrators group on the local PC; unless one of the infections in question altered permissions post-infection...

Trevor_Pott Gold badge

Re: What we have here is a serious lack of comprehension...

Up to date Java...that's the thing...

(!) :(

Trevor_Pott Gold badge

Re: 12 steps

If only it were that simple, and the people who pay money for things didn't have say in their own environments...eh?

Trevor_Pott Gold badge

Re: At least there's the day rate.

This is the first thing in years I've seen simply waltz right on by MSE. It was actually Avast that caught the initial one. (Before it was crippled, and MSE annihilated.)

Trevor_Pott Gold badge

Re: Why blame Java at all?

I can know the attack vector without knowing the name of the attacker. I don't have a clue what the initial Bad Thing was. I do know they were malicious. Jar files that set off the alarms. The browsers were up to date. No flash was installed. Moments after detection, the jars disappeared. So did Microsoft Security Essentials, Avast and a large chunk of all the browser histories. It looked to me like someone using a java exploit that didn't want a security researcher decompiling the attack vector.

I crawled all over the thing for three days. I was hoping for an awesome new browser zero day. Alas, "Java is still broken" is not much of a story. But I was able to get the "this is how you fix it" info out to people, in case they got hit. That was really my goal.

Not all of us are so lucky as to have full imaging gear and pre-vetted application stacks. This is a new client of mine; small, most IT decisions still taken directly by CEO, call for help as they need it. Remote cleaning was a priority. If it happened to me, it might happen to someone else in a similar position; worth the time then to write up.

Trevor_Pott Gold badge

Re: Hmm

Agreed; that's a next-week project; for when I have physical access. For right now, this works over Teamviewer, and everything I can throw at it comes back clean.

Why Java would still stink even if it weren't security swiss cheese

Trevor_Pott Gold badge
Pint

Re: Mostly agree

"Write once, run anywhere" can indeed work. Assuming your programmers are hot shit and either A) restrict themselves to a very limited subset of the language or B) "Write once, debug everywhere."

It is possible to achieve the holy zen of “write once, run anywhere.” It is however enough work that you’re better off being a monk on a mountain for 40+ years. It’s more satisfying and less effort.

Trevor_Pott Gold badge
FAIL

Reading comprehension fail.

THIRD SENTENCE:

"Hating or loving a logical construction such as a programming language is irrational, illogical and otherwise nonsensical. As a human being with an emotional reaction to the world around me, it is increasingly unavoidable."

LAST PARAGRAPH:

"It is possible to code Java applications that are excellent. The ubiquity of the language as a primary educational tool has unfortunately made these the exception rather than the rule. So I hate Java; not because there's anything inherently wrong with the language, but because of a decade's worth of people who still haven't figured out how to use it as designed."

Like so many others, you have completely failed to actually read the article. I explicitly state that technology is a logical construct for which it is irrational to "hate." I also explicitly state that java can be used for good. I also – the article is right there, go read for yourself – explicitly state that my negative reaction to java is an irrational emotional reaction brought about by the totality of the extended universe of issues that surround it.

The article is not about “how terrible Java is.” Java is a tool. The article is about how “horrible abuse of this tool by our entire industry has meant that it is a significantly larger frustration – and even liability, from a security perspective! – than the marginal benefits it provides.”

Bonus points for skimming through so fast that you assume the only Java I ever coded was the crap I had to do in my first year of university. The anecdote explains why I left university seeking something better. It is followed up immediately thereafter by a description of how that was a bad plan and I ended up developing applications anyways. Those applications include Java, which I am still forced to use to this day.

Perhaps you need to detach your personal sense of self worth from the language you program in. There is no need for a tribal reaction; criticism of Java (or the wider Java ecosystem) is not criticism of you. If the sub editor’s title, or the opening sentence of the article (which is immediately followed by an open admission of trolling commenttards for fun) sets you up emotionally to skim through an article with a blinding rage, there are problems. If you skim so you can quickly get to the comments section and core dump some hatred, there are all sorts of questions about how you define yourself personally and professionally that need to be asked.

If you cannot acknowledge the issues surrounding your choice of language, why should anyone trust you as a developer? You need to know about – and acknowledge – the problems before you can adapt to and overcome them. Tribalism regarding technology is an indication of inadequate understanding of the role of that technology.

Trevor_Pott Gold badge

Re: Thank you for this.

The problem isn't the hammer. The problem is that we told an entire generation "all you need is a hammer" and they actually believed it. Now ****ing everything has hammer marks where other tools should have gone, and nothing quite works the way it should.

Trevor_Pott Gold badge

I didn't want to be a "sysadmin" myself. I wanted to "make computers talk to each other, and get them to do things in a coordinated fashion." (I later discovered that what I wanted to do was build beowulf clusters; sadly, I do not build beowulf clusters for a living.)

The rest just sort of...happened...

Trevor_Pott Gold badge

Re: Python?

I never said Python was the best; I lack the diversity of experience to reliably choose a "best" language. Of the dozen or so that I, personally code in - including Java - Python is the one I enjoy coding in. Mostly because I enjoy the diversity of use cases for the code. It compiles - so I don't need an interpreter - and yet I can also use it as web scripts, shell scripts, etc.

It is a simple language that is easy to learn, code in a maintainable fashion and addresses all of the use cases I run across on a regular basis.

It isn't "the best," but it is my favourite.

Trevor_Pott Gold badge

"You will spend your life coding scripts and apps in two dozen languages, but also dealing with whinging users" is not how anyone sells the career of systems administration. Why would a fresh-out-of-high-school kid with no experience in systems administration know that beforehand? After all, it's derided as "digital janitors" and nothing more. Taking care of hardware and operating systems. "Simple, easy, unworthy of real effort." Sounded fun to an 18 year old; make money during the day, do real work as a hobby!

Hah.

Trevor_Pott Gold badge

Re: "Java was my first experience of object-oriented programming"

You poor bastard!

Trevor_Pott Gold badge

Re: Your argument's flaw

Don't think "staying on at University" solves this; plenty of folks don't include the VM binaries with the application, still use applets or otherwise commit unpardonable sins. When I have to ship working Java code, these are not sins I commit...and I didn't finish University. It isn't the education; it's the asshat behind the keyboard.

Them folks with them fancy duh-grees still can't code for shit. The ability to pay attention to security, usability, lifecycle and maintenance isn't something that is easily taught. It's wrapped up in the deeper neuroses of "being able to think about people other than oneself." If you can't tear yourself away from the mirror for a moment, you never get time to think about the poor bastards that have to use your code.

Java amplifies douchebagitis because it's a security nightmare wrapped in a versioning problem.

Trevor_Pott Gold badge

I can code in Java just fine, thank you. I never did get the chance to stop doing so. Next?

Trevor_Pott Gold badge
Megaphone

Re: I beg to differ

I need to don some passive aggressive here.

To all the whingers bellyaching about my tearing the language up, how many of you read past the first sentence? Did I or did I not explain that hating a logical construct such as a language is irrational, that I recognise this, but hate the damned thing anyways? It is supposed to demonstrate that association of something inanimate or conceptual with a group of people you dislike can in fact cause the irrational response of hating the inanimate object (or concept.)

Which is a metaphor for every IT flamewar ever.

And I do hate Java. Not because the language is shite - it isn't...it's a language FFS - but because the end result of "Java" has been nothing but pain for over a decade. So instead of taking away "zomfgwtf he insulted the sacred!!!!", maybe folks should focus on why I chose to do so. The lesson to be learned lies therein. :)

Trevor_Pott Gold badge

Re: Thank you for this.

Mama said "one idea per article." And the answer is Python.

Love vSphere? You're going to have to love Flash too

Trevor_Pott Gold badge

Re: Goodbye mouse button

My experience with the client in question says that right clicking on nearly every element in the UI works just fine.

Oracle knew about critical Java flaws since April

Trevor_Pott Gold badge
Megaphone

Re: CIA?

I am tempted to downvote you on principle. Your post implies that Oracle has in the past cared about Java or its user base. Or for that matter that Oracle may have at some point during its existence cared about the user base of any of its technologies.

I have yet to be exposed to evidence of this. Even third or fourth hand. Does anyone know a guy who knew a guy that Oracle cared about? Anyone?

...guys?

Trevor_Pott Gold badge

Oracle

giving no fucks since the beforetime.

Samsung chucks 'free' Galaxy S III at dragon sketcher

Trevor_Pott Gold badge

Not despising corporations is hard for me. There is an innate distrust that I hold against people who are financially motivated to screw me over and take all my money.

That said, I have an SII, a Samsung Netbook and who only knows what else from them...

Trevor_Pott Gold badge

Samsung is growing on me. As a company, I find them less offensive than some...and increasingly I find myself buying their widgets. Then they go ahead and do something like this.

Well, I'll be.

Might there be a consumer electronics company worth not actively despising after all?

We're raising generations of MUTANT KIDS, says Icelandic study

Trevor_Pott Gold badge

Re: Careful with your evolution mumbo jumbo.

Actually, you'd be completely wrong. All extant members of homo sapiens sapiens (the only subspecies of the only remaining species (homo sapiens) from genus homo) can trace their lineage to mitochondrial eve and y chromosome adam.

Mitochondrial eve - contrary to the biblical reference in her name - was not the only woman of her time. She was however the most "fit:" all extant humans are her descendants; no lineages survived from any of her contemporaries. Similarly, Y chromosome Adam - far from the only man of his day - was simply the most fit. Adam lived about 142,000 years ago, and we are all his descendants.

It is generally considered that this occurred before the “out of Africa” migration. Once out of Africa both European and Asian Cro Magnons interbred with other hominids. Europeans with Neanderthals and Asians with both Neanderthals and Denisovans. There is no evidence of gene transfer between Neanderthals or Denisovans to the Cro Magnons living in Africa at the time. (Though with modern intermixing this is becoming less and less relevant.)

So there are exceptionally small genetic deviations between the three primary populations of humans based on horizontal gene transfer between the three extant human subspecies shortly after the “out of Africa” migration, however it did not affect either our mitochondrial or Y chromosome lineages. (Which is to say, the genes are pretty dilute in today’s populations!)

You can always attempt to prove that you are a separate species. Go to https://www.23andme.com/ and get your DNA sequenced. If you are a separate subspecies (or if your mitochondrial DNA or Y chromosome differs from the rest of humanity) then I promise you, the geneticists will be all over you like white on rice. Until then, suppositions of subspeciation within humanity have no basis in fact. They are as erroneous as the bullshit Aryan race theories espoused by certain madmen, and potentially as dangerous.

There is simply no evidence whatsoever to support subspeciation within the only extant lineage of humans.

Trevor_Pott Gold badge

Re: Careful with your evolution mumbo jumbo.

Since all of genus homo is classified as hominidae (great apes), then it stands to reason that all of our antecedents up to (and perhaps slightly predating) the last common ancestor would also be considered “apes”.

All hominidae (including all members of genus homo) share certain physiological traits in common that differentiate us from other primates (and lemurs, to whom we are also closely related.) Homo is most closely related to pan (chimps and bonobos,) with gorilla and pongo (orangutans) rounding out the extant species.

Now, if you wanted to get into a debate about the inclusion of hylobatidae (gibbons) in “apes” then you are some good company. The current consensus is that “great apes” be restricted to true hominids; a distinction which excludes hylobatidae.

So yes, we did in fact evolve from apes. Which makes perfect sense, considering that genus homo are in fact still quite definitively apes.

But “we evolved from monkeys” is a trickier one. Where do you draw the line on “monkeys?” Simiiformes (which would be where you’d find the last common ancestor of all monkeys and apes) breaks down into platyrrhini (new world monkeys) and catarrhini. Catarrhini contains both cercopithecoidea (old world monkeys) and hominoidea (apes).

Although it is common to group all monkeys together as if they were a homogenous genetic lineage, there are in fact two very distinct groups. Catarrhini are as differentiated from platyrrhini as platyrrhini are from lemurs. Indeed: new world monkeys show a remarkable genetic differentiation, giving rise to several major families; something that neither catarrhini nor hominoidea seems to have managed.

But we are apes. There isn’t a lot of wiggle room here. We just haven’t diversified enough to be something “special, unique and different” yet. We are a separate species, but not yet a separate family, let alone superfamily!

So I’d ditch the whole “evolved from monkeys” thing altogether. “Monkeys” is meaningless. But you’ll not escape that we evolved from apes. My dad was an ape. So was yours. I’m an ape sir, and you are too.

The Oatmeal hits $850,000 goal for Tesla museum

Trevor_Pott Gold badge

Re: New Reg SPB project:

I'll pitch on the kickstarter for that...

Tech conferences: Not just here for the FREE BEER

Trevor_Pott Gold badge

Re: Choose conferences or events with real techies.

Sage advice. On my junket I was lucky to meet with the actual techies. My understanding is that both VMWorld and Build are like this. I wonder which others qualify?

Greens launch anti-TPP Internationale

Trevor_Pott Gold badge

Re: Where

Here's one: http://www.michaelgeist.ca/