[33434] in bugtraq


Re: Hysterical first technical alert from US-CERT

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Feb 5 02:57:11 2004

Message-Id: <200402041711.i14HB2LX005136@turing-police.cc.vt.edu>
To: Larry Seltzer <larry@larryseltzer.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: Your message of "Wed, 04 Feb 2004 09:41:39 EST."
             <061201c3eb2d$10633a60$5b00005a@moregarlic.com> 
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_1073267199P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Wed, 04 Feb 2004 12:11:02 -0500


On Wed, 04 Feb 2004 09:41:39 EST, Larry Seltzer said:

> The advisory specifically says that MyDoom.B is spreading rapidly, and that was never
> the case. It didn't say that it *could* spread rapidly. Maybe you think misinforming in
> order to induce caution is a good idea, but I expect nothing but the truth from an
> agency like this.

And I posted a heads-up to our local staff about Dumaru a lot quicker than
I did for MyDoom, because from where *I* was, I saw a *huge* initial spike
of Dumaru.  If I had waited, I would have realized that Dumaru had fizzled.
On the other hand, if I had waited that long and it took off like MyDoom,
we'd have been screwed.

As I said - would you rather they delayed 12 or 18 hours to identify
*for sure* how fast it was spreading?  Read Nick Weaver's work on
Warhol Worms at http://www.cs.berkeley.edu/~nweaver/warhol.html and then
ask yourself how much time they should wait and verify before releasing.

Unless you have *proof* that they already *knew* it was a snoozer when
they hit send, or you have *specific* recommendations on how they can
do better, let it slide.

Or alternatively, what would *YOU* do if your boss at Ziff Davis told you that
there were cases where your article *had* to be on the web server *within an
hour* of you getting the first hint of the story, or real damage might happen?
Oh, and you don't know which stories those are, and which ones you can afford
to wait 2 or 3 hours and do follow-ups on first. Oh, and Ziff Davis also said
that if you screwed up and got a fact wrong, you'd hear about it from all your
readers.

If you got a lead that a massive DDoS was coming in 90 minutes, what would you
do?

