[69444] in North American Network Operators' Group
Re: Packet anonymity is the problem?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sun Apr 11 19:06:26 2004
From: "Steven M. Bellovin" <smb@research.att.com>
To: Joe Maimon <jmaimon@ttec.com>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Sun, 11 Apr 2004 18:03:39 EDT."
<4079C0BB.80509@ttec.com>
Date: Sun, 11 Apr 2004 19:05:21 -0400
Errors-To: owner-nanog-outgoing@merit.edu
In message <4079C0BB.80509@ttec.com>, Joe Maimon writes:
>
>Jeff Workman wrote:
>
>> --On Sunday, April 11, 2004 2:45 PM -0400 Joe Maimon
>> <jmaimon@ttec.com> wrote:
>>
>>> Therefore the "good" people should beat the bad people to the punch and
>>> write the worm first. Make it render the vulnerable system invulnerable
>>> or if neccessary crash it/disable the port etc..... so that the "lazy"
>>> administrators fix it quick without losing their hard drive contents or
>>> taking out the neighborhood.
>>>
>>> Such "corrective" behavior as suggested by you might also be implemented
>>> in such a "proactive" worm.
>>>
>>> How many fewer zombies would there be if this was happening?
>>
>>
>> As I understand it, Netsky is supposed to be such a worm. Doesn't seem
>> to make much of a difference, does it?
>>
>> I thought that Nachi/Welchia was supposed to be such a worm as well,
>> and it ended up doing more harm than good.
>
>One could argue that those were implementation issues, probably
>performed by people who did not know what they were doing.
>
From a perspective of auto-patch, *no* programmers "know what they're
doing". The state of the art of software engineering, even for
well-designed, well-implemented, well-tested systems, is not good
enough to allow arbitrary "correct" patches to be installed blindly on
a critical system. Let me put it like this: how many ISPs like to
install the latest versions of IOS or JunOS on all of their routers
without testing it first?
From a purely legal perspective, even a well-written, benevolent worm
is illegal -- the writer is not an "authorized" user of my computer.
But I'd never authorize someone to patch my system, even an ordinary
desktop PC, without my consent -- there are times when I can't afford
to have it unavailable. (Many U.S. residents are in such a state for
the next four days, until they get their income tax returns prepared
and filed. I don't even like installing virus updates at this time of
year.)
Auto-patch is a bad idea that just keeps coming back. Auto-patch by
people other than the vendor, who've done far less testing, is far
beyond "bad".
--Steve Bellovin, http://www.research.att.com/~smb