lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat May 14 18:13:04 2005
From: cstejere at cti.depaul.edu (Stejerean, Cosmin)
Subject: RE: Bening Worms (Cosmin Stejerean)

I think you are going a little overboard with this kind of response. The guy
had a couple of questions about "benign worms." If you are going to provide
some useful feedback then go ahead and do it. If you are going to write an
insulting email you should probably think twice about it.

More comments about specific parts of your email. If you don't care for the
comments you should read the last part of the email as it is a little more
relevant to the topic.

>k k wrote:

>> I am an academic researcher.  ...

>One so well-versed in the area of which you enquire and with such a 
>relevant academic record that you hide behind a Hotmailaddress?

>Yeah, right...

I often write emails from my gmail address when posting to lists for various
reasons. One, I don't want SPAM in my work inbox. Second, it makes it clear
that my views are my views alone and it usually prevents questions such as 

> "Do these Purdue academics share your views of 'benign worms?'  "



>> ...  I benefited a lot during my previous 
>> interaction at the full disclosure list on a different topic and now, I
am 
>> here to get some input on benign worms.

>There are no benign worms.

>I'm not denying that it is not actually possible to design such, but 
>once you've put _all_ the safety checks and other requirements in place 
>to fulfill any vaguely sane and "widely acceptable" notion of benign 
>worm" you'll have designed something massively more complex and 
>convoluted than any existing patch management system.

That was the only intelligent part of your email. Everything else you should
have left out.


>If you don't think that's the case then you are not much of 
>_researcher_, "academic" or not.  If you don't believe that, please 
>sensibly refute (in the true academic sense) a few of the arguments 
>against the possibility of "good viruses" in Vesselin Bontchev's papers 
>on the topic.

You would have looked a little more intelligent if instead of insulting him
you would have wrote something like "Please read Vesselin Bontchev's papers
on the topic of benign viruses"


>> There is debate surrounding whether releasing benign worms such as Nachi
>>or 
>>> Welcha, ...

>You know, I've heard them called an awful lot of things but the word or 
>notion of "benign" was never one of them...

>Are you _sure_ you're an academic?

[...]

>You must really hang out in very limited circles.  The only folk in 
>favour of such releases are miscreants with severely impaired ethical 
>development.  Most of them still get kicks pulling wings off flies.

I don't think that was at all necessary.


>> ...  But network administrators can still 
>> create benign worms for their need (not necessarily Nachi or Welcha) and 
>> release them in their domain to patch systems.
>> 
>> 1. Do people do that?  Or at least, have you considered it?
>> 
    
   Please see the last part of this email for an answer to this question.

>> 2. If yes, under what conditions would you do that?

   You would probably only do something like this in case of an emergency.
In most cases there are a lot better ways to patch management than spreading
a worm of your own.

>> 3. If not, what prevents you from doing that?

   There is a lot of risk associated with this. Exploits can be unstable and
crash production machines or have other undesirable side effects which in
most organizations can cost you your job.

>Do these Purdue academics share your views of "benign worms"?  Might 
>their intellectual and academic achievements in their collective 
>decades of research in closely relevant areas more than slightly 
>outweigh your twenty minutes musing over a term paper topic?

Like I mentioned before, this is why he probably used his hotmail address.
If he thought he was 100% right he wouldn't have emailed the list. He was
trying to get feedback on his idea without needing to be insulted.

...

I would like to make a few comments about the topic. The idea to use
"aggressive" techniques to "patch" computers is not new at all. This is
usually only done to patch computers that are infected. It is one of the
concepts of evil honey pots (http://cansecwest.com/csw04/csw04-Oudot.pdf) to
attack attackers. If the attacker is a computer infected with a worm that
you can write a program that will detect this attack and then attack back in
order to remove the initial worm. This has been done in practice with Honeyd
to fight the Blaster worm. You can read about it at 

http://www.securityfocus.com/infocus/1740

You can also read more about active defense at
http://staff.washington.edu/dittrich/ad/AD-workshop-091203.ppt

If I recall properly Stanford also used similar techniques to get rid of MS
Blast on their networks especially from laptop machines that were infected.
They had no administrative control over those machines yet the machines
posed a threat and the threat had to be eliminated.

Perhaps the best example of how this was used and why it should be done this
way unless it's an emergency is the problem with the Xerox researches in
1978 that used worms to automate tasks on their network. The code was
corrupted and over 200 machines crashed.

Nachi can also crash machines and although it has a good intention it is not
generally welcomed by anyone on their machines. If you are going to do such
a thing make sure you limit the worm to only scan machines in your IP range
and set a time/date when the worm will expire and remove itself. Make sure
you test it well in a lab before you release it on your network.




Cosmin Stejerean





-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3726 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050514/2272680b/smime.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ