Message-ID: <004c01c396c3$33520bf0$6101a8c0@fosi>
From: steve.wray at paradise.net.nz (Steve Wray)
Subject: AT&T early warning system

And, contrary to one other post on the topic,
it shouldn't be too hard to perform a trial run;

If one made the worm's code modular enough
that one could plug in a variety of "victim finding" code 
stubs.

This way, one could plug in a fixed list of targets,
(which one owned oneself so that one could watch how
they responded). 

Once one had the field test working one would then replace 
the stub with real "victim finder" code and away it goes...

Advantage; better testing.
Disadvantage; what if people detect the trial runs?

Ummmm actually, as a sysadmin I think I might swap the
Advantage/Disadvantage there!
:)

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of jkm
> Sent: Monday, 20 October 2003 2:02 p.m.
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] AT&T early warning system
> 
> 
> 
> On 18 Oct 2003 12:27:23 -0400, "Hoho" <hoho@...omeat.net> said:
> > On Fri, 2003-10-17 at 22:44, jkm wrote:
> > > Quote 2:
> > > "AT&T saw anomalies in its network three to four weeks before that worm
> > > hit and was able to take certain precautions. "When the worm actually
> > > happened, AT&T's network did not take a hit,'' Eslambolchi said."
> > 
> > 
> > Doesn't it seem like they're trying to violate causality? If the worm
> > doesn't exist yet, then its associated traffic doesn't exist yet, hence
> > there's nothing to detect. Wonder what those 'anomalies' were. Seems no
> > more effective than just watching MS security patches and reading FD.
> > -- 
> 
> Yeah, I agree unless as other threads are saying, the worm author
> releases a test worm. I wonder if it would in fact catch script kiddies
> and other criminal traffic, thus actually acting as an intrusion
> detection system?

