Message-ID: <200402041431.i14EVFsc030677@turing-police.cc.vt.edu>
Date: Wed, 04 Feb 2004 09:31:15 -0500
From: Valdis.Kletnieks@...edu
To: Larry Seltzer <larry@...ryseltzer.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Hysterical first technical alert from US-CERT
On Tue, 03 Feb 2004 07:11:49 EST, Larry Seltzer <larry@...ryseltzer.com> said:
> First, it's dated 1/28, the day MyDoom.B was discovered, and the message sent field says
> that too; other dates in the headers disagree.
Oh, like the fact that a lot of mail servers were getting pounded by MyDoom.*A*
doesn't mean that there could be delays along the line? (Remember to add in the
timezones - at least some of the boxes are running in GMT not EST5EDT).
> Second, and more to the point, it takes an extreme view of MyDoom.B that nobody else is
> supporting, including the sources they cite. MyDoom.B is a flop.
OK. So let's see. We've got one highly successful virus (MyDoom.A) on the
loose at the time of writing, another variant that's essentially identical
except for the target, and no clear indication why this one *shouldn't*
take off as well.
Yes, it took an extreme view that nobody is supporting *NOW*. Now isn't
last Wednesday night, when there wasn't a week's worth of hindsight.
Yes, it fizzled. Please point us at the information available to the CERT
guys *at the time* that proves there was *no* way that MyDoom.B could
possibly ever be a real threat. What would you have the CERT guys do,
*not* send the advisory just because they aren't 100% sure at the time?
I suppose you also understand why MyDoom-A was huge and Dumaru-whatever that
showed up 2 days before was a yawner. Also, note that I got more copies of
Dumaru in the first 2 hours of THAT one than I got *total* of MyDoom-A - so
based on the first 2 hours from where *I* am, Dumaru was looking like a much
bigger event.
> Am I misreading something? Did anyone else get this on 1/28?
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20]) by outgoing2.securityfocus.com (Postfix) with QMQP id B5ECF8F5D0; Mon, 02 Feb 2004 12:27:56 -0700 (MST)
Received: (qmail 11614 invoked from network); Thu, 29 Jan 2004 00:11:38 +0000
Date: Wed, 28 Jan 2004 19:12:09 -0500
Looks like some delay there. But it was already at SecurityFocus's qmail
within seconds (the Date: is actually 31 seconds ahead of the Received: once
you allow for timezones - somebody isn't using NTP ;)
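The timezone arithmetic applied to the quoted headers in the message above, as an added example that is not part of the original post: it normalizes the Date: and Received: stamps to UTC and reports the gap at each step, so sender clock skew (a negative gap) and queue delay (a large positive gap) can be told apart. The function names are illustrative; the header values are the ones quoted in the message.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Header values as quoted in the message above.
DATE_HEADER = "Wed, 28 Jan 2004 19:12:09 -0500"
RECEIVED = [  # newest hop first, the order they appear in a raw message
    "from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20]) "
    "by outgoing2.securityfocus.com (Postfix) with QMQP id B5ECF8F5D0; "
    "Mon, 02 Feb 2004 12:27:56 -0700 (MST)",
    "(qmail 11614 invoked from network); Thu, 29 Jan 2004 00:11:38 +0000",
]


def to_utc(stamp):
    """Parse an RFC 2822 date into an aware UTC datetime."""
    # Drop trailing comments such as "(MST)" before parsing.
    cleaned = re.sub(r"\([^)]*\)", "", stamp).strip()
    return parsedate_to_datetime(cleaned).astimezone(timezone.utc)


def received_time(header):
    """The timestamp of a Received: header is the text after the last ';'."""
    return to_utc(header.rsplit(";", 1)[1])


def timeline(date_header, received):
    """Return [(label, utc_time, seconds_since_previous)], oldest event first."""
    events = [("Date: (sender clock)", to_utc(date_header))]
    for i, hdr in enumerate(reversed(received), 1):
        events.append((f"Received: hop {i}", received_time(hdr)))
    out, prev = [], None
    for label, when in events:
        delta = None if prev is None else (when - prev).total_seconds()
        out.append((label, when, delta))
        prev = when
    return out


if __name__ == "__main__":
    for label, when, delta in timeline(DATE_HEADER, RECEIVED):
        note = ""
        if delta is not None and delta < 0:
            note = "  <- earlier than previous stamp: clock skew"
        elif delta is not None and delta > 3600:
            note = "  <- more than an hour: queued or delayed"
        gap = "" if delta is None else f"{delta:+.0f}s"
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {label:22} {gap}{note}")
```
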