[69444] in North American Network Operators' Group


Re: Packet anonymity is the problem?

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sun Apr 11 19:06:26 2004

From: "Steven M. Bellovin" <smb@research.att.com>
To: Joe Maimon <jmaimon@ttec.com>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Sun, 11 Apr 2004 18:03:39 EDT."
             <4079C0BB.80509@ttec.com> 
Date: Sun, 11 Apr 2004 19:05:21 -0400
Errors-To: owner-nanog-outgoing@merit.edu


In message <4079C0BB.80509@ttec.com>, Joe Maimon writes:
>
>Jeff Workman wrote:
>
>> --On Sunday, April 11, 2004 2:45 PM -0400 Joe Maimon 
>> <jmaimon@ttec.com> wrote:
>>
>>> Therefore the "good" people should beat the bad people to the punch and
>>> write the worm first. Make it render the vulnerable system invulnerable
>>> or if necessary crash it/disable the port etc..... so that the "lazy"
>>> administrators fix it quick without losing their hard drive contents or
>>> taking out the neighborhood.
>>>
>>> Such "corrective" behavior as suggested by you might also be implemented
>>> in such a "proactive" worm.
>>>
>>> How many fewer zombies would there be if this was happening?
>>
>>
>> As I understand it, Netsky is supposed to be such a worm. Doesn't seem 
>> to make much of a difference, does it?
>>
>> I thought that Nachi/Welchia was supposed to be such a worm as well, 
>> and it ended up doing more harm than good.
>
>One could argue that those were implementation issues, probably 
>performed by people who did not know what they were doing.
>

From a perspective of auto-patch, *no* programmers "know what they're 
doing".  The state of the art of software engineering, even for 
well-designed, well-implemented, well-tested systems, is not good 
enough to allow arbitrary "correct" patches to be installed blindly on 
a critical system.  Let me put it like this:  how many ISPs like to 
install the latest versions of IOS or JunOS on all of their routers 
without testing it first?  

From a purely legal perspective, even a well-written, benevolent worm 
is illegal -- the writer is not an "authorized" user of my computer.  
But I'd never authorize someone to patch my system, even an ordinary 
desktop PC, without my consent -- there are times when I can't afford 
to have it unavailable.  (Many U.S. residents are in such a state for 
the next four days, until they get their income tax returns prepared 
and filed.  I don't even like installing virus updates at this time of 
year.)

Auto-patch is a bad idea that just keeps coming back.  Auto-patch by 
people other than the vendor, who've done far less testing, is far 
beyond "bad".


		--Steve Bellovin, http://www.research.att.com/~smb


