Message-ID: <20040323135648.GA16405@grok.org.uk>
From: johnc at grok.org.uk (John Cartwright)
Subject: viruses being sent to this list
On Mon, Mar 22, 2004 at 11:36:18PM +0200, Gadi Evron wrote:
> Viruses must not be spread, especially on a security mailing list and to
> such a huge audience.
>
> It is my opinion that it is the _duty_ of the list owners to do
> something about this, as it is not only illegal, but it is irresponsible.
>
> I'd have emailed the list owners privately, but as I am the latest
> victim of the latest spreading mechanism for viruses - Full-Disclosure,
> I demand an immediate public announcement on what is going to be done
> about this problem.
Hi
Apologies for the belated reply, I was travelling for a large part of
yesterday and my access to mail was sporadic to say the least. There
were many interesting points raised, and rather than attempt to reply
to all individuals concerned, I felt it pertinent to send this open
reply to the list to try and clarify the situation regarding virii/malware
and the Full-Disclosure list.
Len and I remove a large number of malicious posts due to the
fact that the sender address is typically not subscribed. Due to the
open nature of the list, posts appearing to come from subscribed
addresses will never hit the admin queue, so if a virus spoofs an
approved sender address then, with the current set-up, it will
clearly be re-transmitted to list members. If a virus is identified
as actually originating from a list member (i.e. non-spoofed) then
that individual is clearly in violation of the list charter and will
be contacted and dealt with appropriately.
As I see it, there are two means of regulating malicious content
from spoofed subscribed addresses. One, we moderate the list. Two, we
use anti-virus or other scanning to try to prevent this data flow.
Let's consider the effect of these options:
Firstly, moderating the list. This has never been a real option, and
to do so would destroy the very ideal that Full-Disclosure was built
upon. Len and I already spend several hours per day dealing with non-
member posts and related administrative duties, and we have no wish to
increase this workload, or to censor or restrict the flow of
information. So, I am dismissing this option as unacceptable whatever
the circumstances.
Secondly, the provision of anti-virus on the server side. This raises
a number of points, the most obvious of which is the problem with
false positives. I have yet to see any anti-virus software that is
100% reliable in its detection and classification, and I doubt I will
ever see such a piece of software. So, automatic rejection of posts
due to virus signature matches would not be possible. The net result:
despite the financial burden placed on Len and me, this would also
increase our workload, as we would have to manually review the filter
results for false positives. Given that the most likely cause of false
positives is new exploit code, we then run the risk of unnecessarily
delaying that which is most important to the list subscriber base,
and this is my primary reason for also rejecting the idea of automated
virus scanning at this moment in time.
However, if we shift the filtering from server- to client-side, then
there are advantages for all concerned. Treating virii/malware just
like any other noise allows the discerning user to decide exactly what
he/she wishes to receive via our list, and to silently drop that which
they do not. Given that subscribers are probably receiving virii from
other sources apart from FD, one would expect that anyone vulnerable
to such code would already have defences in place. I'd also assume
that individuals who made a conscious decision to subscribe to an
unmoderated security list were capable of dealing with unknown
binaries in a sensible manner. Client-side filtering means that the
associated costs and workload are distributed amongst list members.
Those who wish to employ filters can then accept that they may miss
out on something important; those of us who are not threatened by
virii can continue to receive unfiltered list mail in a timely manner.
As far as the legalities of the situation are concerned, I'd
appreciate input from any knowledgeable individuals on this matter. As
far as I am concerned, Full-Disclosure is a publicly available opt-in
mailing list, run privately by individuals on a best-effort, not-for-
profit basis, and due to the unmoderated nature of the list, we cannot
and will not be held responsible for the data transferred via the list.
Please remember that every single list member is here because they
chose to be, and in doing so implicitly accepted the risks associated
with that membership. Like any other source of information you are
free to make use of its raw form, filter or transform it to meet your
needs, or simply discard it and find an alternative source that fulfils
your requirements.
I hope that addresses all concerns. Let's get back on topic - comments
are welcome off-list.
Cheers
- John
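The client-side filter John describes, as an added example that is not part of the original message or of the list's own tooling: it drops list mail carrying Windows executables (including double-extension names), passes exploit source and patches even when the sender labelled them as a generic binary type, and leaves mail that did not arrive via the list untouched. The List-Id value, the extension lists and the sample messages are all assumptions constructed for the example; a subscriber would tune them to their own taste, which is exactly the point of filtering at the client rather than on the server.

```python
"""Client-side filter for list mail carrying worm-style attachments.

Added example, not code from the original message. The list identifier and
extension lists are assumptions to be tuned by the subscriber; the sample
messages are constructed inline.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed List-Id for the list; match it against the header your copies carry.
FD_LIST_ID = "full-disclosure.lists.netsys.com"

# Payload names used by mass-mailers of the period (assumption, tune to taste).
DROP_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".zip"}

# What a security list legitimately carries: exploit source, patches, logs.
# Kept even when the sender labelled it as a generic binary type.
KEEP_EXTENSIONS = {".c", ".py", ".pl", ".sh", ".txt", ".diff", ".patch", ".asc"}

# MIME types that only ever mean a Windows executable in list traffic.
DROP_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def is_from_list(msg: EmailMessage) -> bool:
    """True when the message was distributed by the list (by List-Id header)."""
    return FD_LIST_ID in str(msg.get("List-Id", ""))


def risky_attachments(msg: EmailMessage):
    """Yield (filename, reason) for each attachment the subscriber would drop."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        # Double extensions such as photos.jpg.exe end in the real one.
        ext = os.path.splitext(filename)[1].lower()
        if ext in KEEP_EXTENSIONS:
            continue
        ctype = part.get_content_type()
        if ext in DROP_EXTENSIONS:
            yield filename, f"extension {ext}"
        elif ctype in DROP_CONTENT_TYPES:
            yield filename or "(unnamed)", f"content type {ctype}"
        elif part.get_content_disposition() == "attachment" and not ext:
            yield "(unnamed)", "attachment without a file name"


def classify(raw: bytes) -> tuple:
    """Return ('deliver', []) or ('drop', [reasons]) for one raw RFC 822 message.

    Mail that did not come via the list is delivered untouched: this is a noise
    filter for list traffic, not a general anti-virus layer.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_from_list(msg):
        return "deliver", []
    reasons = [f"{name}: {why}" for name, why in risky_attachments(msg)]
    return ("drop", reasons) if reasons else ("deliver", [])


def build_sample(subject: str, via_list: bool, attachments) -> bytes:
    """Construct a sample message; attachments are (name, mime type, bytes)."""
    msg = EmailMessage()
    msg["From"] = "subscriber@example.org"
    msg["To"] = "full-disclosure@example.org"
    msg["Subject"] = subject
    if via_list:
        msg["List-Id"] = f"<{FD_LIST_ID}>"
    msg.set_content("see attachment")
    for name, ctype, data in attachments:
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


# Constructed samples: a worm spoofing a subscriber, a real PoC post, a worm
# using a double extension, and a direct (non-list) mail carrying a binary.
WORM_MAIL = build_sample("Re: your document", True,
                         [("document.pif", "application/octet-stream", b"MZ\x90\x00")])
POC_MAIL = build_sample("[Full-Disclosure] PoC for the bug", True,
                        [("poc.c", "application/octet-stream", b"int main(void){return 0;}\n")])
DOUBLE_EXT_MAIL = build_sample("photos", True,
                               [("photos.jpg.exe", "image/jpeg", b"MZ")])
DIRECT_MAIL = build_sample("tool build", False,
                           [("tool.exe", "application/x-msdownload", b"MZ")])

if __name__ == "__main__":
    for label, raw in [("worm", WORM_MAIL), ("poc", POC_MAIL),
                       ("double-ext", DOUBLE_EXT_MAIL), ("direct", DIRECT_MAIL)]:
        print(label, classify(raw))
```

The decision is made on the attachment's name and declared type rather than on a signature database, so new exploit code arriving as `.c` or `.patch` is never delayed, which is the false-positive case John is worried about; a subscriber who would rather see everything simply empties `DROP_EXTENSIONS`.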