Date: Sat, 14 Mar 2009 13:22:49 -0400
From: "Castigliola, Angelo" <ACastigliola@...M.COM>
To: "Ron" <ron@...llsecurity.net>, "Ivan ." <ivanhec@...il.com>,
	<full-disclosure@...ts.grok.org.uk>, <tbiehn@...il.com>,
	<elazar@...hmail.com>
Subject: Re: BBC cybercrime probe backfires

Using the same technology to spread malicious viruses and worms and to apply fixes for the very same exploits they used to obtain access to a remote computer is an age-old debate. It has been discussed by everyone from industry heavyweights such as Microsoft Research to college grad students (http://www.newscientist.com/article/dn13318). Information Week published an informative article last week titled "Offensive Computing: A Bad Idea That Never Dies" (http://www.informationweek.com/blog/main/archives/2009/03/offensive_compu.html). The author, George Hulme, does an excellent job of documenting the history of this debate in ideology and discusses the ethics questions surrounding the "offensive computing" theory.

The "friendly worm" or "anti-worm" theory was already applied in the field in October of 2001 with the release of the "Codegreen" worm (http://www.vnunet.com/vnunet/news/2115989/anti-worms-fight-code-red-threat). The "friendly worm" was intended to spread and fix remote computers vulnerable to Microsoft Security Bulletin MS01-033. It is currently detected by anti-virus programs as W32/CodeGreen.worm, quarantined, then removed.

My opinion is that "offensive computing" isn't justified. Vital networks important to the operation of government, the internet, and private industries are often protected by layers of defenses against conventional hacking attempts. Likewise, botnets are also an old idea that has been put into practice in the field. More recently, sophisticated botnet software has been easily obtainable on the internet with very detailed operations manuals. This old idea has now manifested into a new threat, and the defense layers protecting vital computer infrastructure will eventually be reengineered to handle these threats.

By releasing "friendly\anti-worms" you are dictating a patch release schedule to the internet and enforcing your policies with "offensive computing" techniques. Large production business networks often have very detailed patch release cycles and procedures for critical patches. These patch release cycles include testing, a pilot release, then finally a full deployment. These production environments are very controlled, and any changes are tracked through a change management system for approvals from various information technology departments that have a stake in ensuring the successful, uninterrupted operation of these systems. These IT professionals are responsible, and sometimes liable, for the systems in these controlled environments. How would a "friendly\anti-worm" tell if a computer is part of a controlled environment? What happens if the "offensive computing" application spreads to one of these controlled environments because someone was infected at lunch at an internet café and then unknowingly plugged their infected laptop into a controlled business environment?

You can slice the debate many ways, but ultimately "offensive computing" is software that will consume CPU time and additional memory, which degrades performance without an operator's consent, and that is why it is illegal.

Angelo Castigliola III
EISRM - Application Security Architecture
Unum
acastigliola@...m.com

Disclaimer: The opinions expressed are my own personal opinions and do not represent my employer's view in any way.

________________________________

From: full-disclosure-bounces@...ts.grok.org.uk on behalf of Ron
Sent: Sat 3/14/2009 10:57 AM
To: Ivan .
Cc: full-disclosure
Subject: Re: [Full-disclosure] BBC cybercrime probe backfires



Ivan . wrote:
> The BBC hacked into 22,000 computers as part of an investigation into
> cybercrime but the move quickly backfired, with legal experts claiming
> the broadcaster broke the law and security gurus saying the experiment
> went too far.
>
> http://www.smh.com.au/news/technology/security/bbc-cybercrime-probe-backfires/2009/03/13/1236447465056.html

They keep saying that the BBC "hacked" 22,000 computers, when in reality
the original articles said the BBC "acquired" or "hijacked" the botnet.
Strawman for the win?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
