lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040204134430.GA27806@brucia.ulcc.ac.uk>
Date: Wed, 4 Feb 2004 13:44:30 +0000
From: Ben Wheeler <b.wheeler@...c.ac.uk>
To: Patrick Proniewski <patpro@...pro.net>,
	Thomas Zehetbauer <thomasz@...tmaster.org>,
	Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: RFC: virus handling


On Tue, Feb 03, 2004 at 12:55:24PM -0800, Matthew Dharm wrote:
> Consider a provider who offers the e-mail address of
> virusalert@...vider.com (name it what you will), to which can be fed an
> e-mail consisting of a single line -- that line is the IP address and a
> one-word 'name' for the problem. 
> 
> Thus, if I find I'm getting MyDoom.A from 127.2.2.1, I can send a message
> that will alert _someone_ (who is presumeably not asleep at the controls).

I don't see much difference between this and the normal strategy of
just notifying abuse@ or some other address at the ISP. It is similarly
doomed to failure, because you end up with so many reports that the ISP 
cannot possibly verify whether each report is legitimate or not. So they 
would have a choice of either:
1. Ignore all reports. "It's not our job to protect our lusers from viruses."
or 
2. Automatically take action against all reports. Thus is becomes a great
way to DoS your enemies, just report them as infected.

Since the ISP gets money from its customers, not from people who report
abuse, they will always tend towards option 1 as the number of reports 
increases. Reporting abuse or infection is mostly a complete waste
of time, just like reporting spam. It might have worked a few years ago, 
it generally doesn't anymore (and the exceptions get fewer all the time).

Our time would be far better invested in ways to prevent the spread of 
viruses by other means rather than trying to report infections, after
it's already too late, to either ISPs who will usually do nothing, or 
end users who will usually be clueless (otherwise they wouldn't have 
got infected in the first place, right?) 

Ben



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ