
Re: RFC: virus handling

daemon@ATHENA.MIT.EDU (Shawn McMahon)
Sat Feb 7 09:45:48 2004

Date: Thu, 5 Feb 2004 07:52:25 -0500
From: Shawn McMahon <smcmahon@eiv.com>
To: bugtraq@securityfocus.com
Message-ID: <20040205125224.GA27879@eiv.com>
In-Reply-To: <20040204134430.GA27806@brucia.ulcc.ac.uk>


On Wed, Feb 04, 2004 at 01:44:30PM +0000, Ben Wheeler said:
>
> cannot possibly verify whether each report is legitimate or not. So they
> would have a choice of either:
> 1. Ignore all reports. "It's not our job to protect our lusers from viruses."
> or
> 2. Automatically take action against all reports. Thus it becomes a great
> way to DoS your enemies, just report them as infected.

You're forgetting a third option:

Find or develop a method of scanning their hosts for the
virus/worm/trojan/foo, and cut off access on the necessary ports when
those hosts are found.

That's what Road Runner, for instance, did in some areas in response to
Code Red and Nimda.

A more extreme position (that I favor) is to put a note in the account's
file that they are infected and causing a problem, then cut off their
access entirely.  When they call tech support, they find out they're
infected.

If ISPs do this (and as I've stated, some do), then reporting infections
to them is vital, because unless they understand that it's a large
number of their users, they won't bother dealing with it.


-- 
Shawn McMahon     | Let every nation know, whether it wishes us well or ill,
EIV Consulting    | that we shall pay any price, bear any burden, meet any
UNIX and Linux    | hardship, support any friend, oppose any foe, to assure
http://www.eiv.com| the survival and the success of liberty. - JFK
