lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: rsw at (Riad S. Wahby)
Subject: Re: DoomJuice.A, Mydoom.A source code

Mr. FitzGerald,

Nick FitzGerald <> wrote:
> I can see how it could be used as an invaluable _publicity_ aid for 
> attracting folk to the class.  However, as a teaching aid, it is highly 
> unlikely to be of much more or less value than the source of any of 
> dozens upon dozens of other malwares, and and that value would be very 
> low...

People won't be attracted to the class based on the source code I'm
presenting, as they won't know about it beforehand.  To be sure, the
source to any old virus would in fact work, and I will certainly
consider many others as well in deciding the specifics of the
cirriculum.  My intent is to emphasize material taken from issues that
attendees can relate to directly; undergrads are extremely unlikely to
have much personal experience at all with Robert Morris's 1988 worm.

> Unless you are planning on teaching malware _writing_?

Of course not.  The seminar deals with the mechanisms, targets, and
psychology of a malware pandemic.

> For folk interested in work in the antivirus and related security 
> fields, source code is all but worthless.  We rarely have the source 
> code of the malware we have to analyse -- at least, we rarely have it 
> in advance of, or concurrent with, having do such analyses.  Reverse 
> engineering is the name of this game and source code is then useless
> -- if you have source you need not reverse and if you must reverse you 
> would not have the source...

The class in question is not about reverse engineering.  It discusses
not the response and interdiction from AV companies et cetera, but the
underlying social and technical infrastructure upon which viruses and
their authors rely.

> Also, from a purely pedagogical perspective (I majored in Psychology 
> and Education), I find your claim that having the source of this 
> malware "could be an invaluable teaching aid" deeply suspicious.  
> Teaching from the specific is generally superficial, less long-lasting 
> and generalizes much less well than providing a good theoretical 
> grounding in the subject matter.  Could you expound the theoretical 
> applications that presenting this specific malware's source code to 
> your class would illustrate especially well?

Clearly one must also recognize the importance of providing
particulars in which to couch the theoretical.  Of course, I'm not
going to hand out pages of source and say "this is it kids, study up."
Instead, general claims will be augmented with carefully chosen,
specific examples.

> Finally, whether you obtain this code or not, what aspects of the 
> ethics of possessing, handling, distributing, etc such code will be you 
> be teaching?

This is obviously an important topic, and one that I will go to great
lengths to stress.

> Personally, I doubt they will be substantial (or even present) as
> your initial approach to obtaining the code shows a serious lack of
> concern for some significant ethical issues straight off...

I asked people to email me personally; in doing so, I was attempting
to contact those who might be of assistance.  Moreover, by attempting
to do so in a personal context (off-list) I've implied that I'm
willing to confirm my identity and describe in greater detail my
intentions.  As far as I can tell, I have ignored no "ethical issues"
in attempting to establish a dialogue with those who might help me.

> And what controls will you be placing on your students obtaining, 
> copying, etc the code?  Given your brazenly open and "uncaring" request 
> here, why should we expect that you will take any special care with the 
> code and its further distribution to and among those taking your class 
> and their room-mates, buddies and other contacts?

As I will neither be distributing code in electronic form nor handing
out intact code listings, there is little danger that my students will
be able to assemble a virus based solely on what I provide.  More to
the point, and to be quite frank, this is MIT.  The students here
don't need someone else's source code to write an email virus; they
would, however, be well served to be shown examples germane to the
modern virus "landscape."

My request was brief and to the point so as not to waste the time of
those it did not concern (a topic on which others might use a lesson
or two).  Your claim that it was "uncaring" is completely without
basis in fact.  It was an open request because I have nothing to hide.
It gave enough information to make initial contact with those who
might help me without unduly taxing the schedules of those who cannot
or will not.

Mr. FitzGerald, I've read many of your posts to full-disclosure, and I
am familiar with the apparent intensity of your personality.  Clearly,
vigilance in matters such as these is not only appropriate, but
required.  On the other hand, your surplus of zeal in responding to my
message might be viewed by some as an attempt to quash the responsible
academic study of an issue of ever-increasing import, or contemptuous
holier-than-thou proselytizing based on a questionable interpretation
of my intentions.  In the future, I encourage you to temper your tone
in order to prevent such misunderstandings.


Riad Wahby
MIT VI-2 M.Eng

Powered by blists - more mailing lists