[ISN] Why I should have the right to kill a malicious process on your machine

From: InfoSec News (isnat_private)
Date: Wed Jan 15 2003 - 04:17:25 PST

  • Next message: InfoSec News: "Re: [ISN] RIAA defaced -again!"
    By Tim Mullen
    Security Focus Online
    Posted: 14/01/2003 
    Opinion - A lot has happened since my Right to Defend column in 
    SecurityFocus Online last July, and the subsequent presentation I made 
    at the Blackhat Security Briefings in Las Vegas. The idea has 
    withstood a lot of criticism. 
    To refresh, I believe you should have the right to neutralize a worm 
    process running on someone else's infected system, if it's 
    relentlessly attacking your network. I've even written code to 
    demonstrate the process. Though the initial news coverage of the 
    concept was grossly inaccurate in conveying my ideas, it has stirred 
    up a constructive dialog. 
    I knew my idea was controversial, but I was wrong about something-- I 
    figured everyone in the security biz would "get it" and that the hard 
    part would be convincing everyone else that if they can't or won't 
    secure their machines, we as the defenders would have the right to 
    terminate the process attacking us. 
    It has turned out to be the opposite. 
    TechTV's Cybercrime news magazine show did a segment about strikeback, 
    where I talked about my goals and demo'd a couple of my neutralizing 
    agents. Though the audience of Cybercrime is a much more generalized 
    group of computer users and enthusiasts, the very people I thought 
    would cry foul the loudest, I did not receive a single negative e-mail 
    in response. Every last message was wonderfully supportive, and most 
    of them eagerly offered assistance and asked how they could 
    It has been the "security experts" who have grouped as the opposition, 
    some even with a level of condescension. For instance, Eugene Schultz 
    of U.C. Berkeley's Lawrence Berkeley National Laboratory wrote in an 
    issue of SANS Newsbites that he "hoped no one would take Mr. Mullen 
    seriously" about this technology, as if it were some joke I was 
    playing on the community. 
    To the contrary, I am dead serious -- because we need strikeback. In 
    fact, had the technology been in place when Nimda first appeared, 
    institutions like the University of California at Berkeley, for 
    example, could have been spared the embarrassment of having Nimda rip 
    through their infrastructure, infecting untold numbers of innocent 
    external machines just because their IT staff couldn't secure IIS. 
    I think the main reason for the knee-jerk criticism from the likes of 
    Schultz is that they work largely in a theoretical rose-colored world 
    of security, where all problems are solved after a cup of coffee and a 
    bit of pontification. Those who actually work in the operational end 
    of network and system security see things as they really are. The men 
    and women who work the trenches of system administration know that 
    fast spreading worms like Nimda are a real problem that must be 
    addressed, and are willing to work for a solution. 
    No Accountability, No Rights 
    I was surprised to see Bruce Schneier try to draw a bit of the red, 
    red krovvy by lumping strikeback with legislation that the RIAA is 
    pushing -- and U.S. Representative Howard Berman is sponsoring -- that 
    would permit record companies to legally hack file sharing networks. 
    He even includes a quote from the "Declaration of the Rights of Man 
    and of the Citizen" in order to illustrate how such technology goes 
    against the rights of the people. 
    I'm not sure of the relevancy of a document the French National 
    Assembly drafted 200 years ago, but let's ignore that for now. If 
    anyone's rights are at issue here, it's yours and mine -- the people 
    whose systems are being attacked by worms and viruses running rampant 
    on negligently unprotected machines. 
    Schneier's reasoning ignores fundamental differences -- opposites, 
    really -- between the RIAA proposal and what my strikeback technology 
    does. Under the Berman bill, the RIAA could legally hack only people 
    infringing their copyrights -- people the RIAA already have ample 
    legal remedies against. 
    In contrast, my strikeback technique is aimed at an attacking 
    worm-infected box whose owners have no legal responsibility, and to 
    whom justice turns two blind eyes. We have no legal recourse against 
    these people. Maybe in the distant future we can prove that every 
    owner of a system connected to the Internet has a duty to perform due 
    diligence in securing their assets, but today proving such a duty 
    would be quite difficult, even in instances of the most grievous 
    Logic dictates that anyone who opposes a bill allowing corporate 
    entities to attack our systems should support a technique to stop 
    worm-ridden systems from doing the same. 
    As the debate continues, I'd like to suggest a new way of thinking 
    about the parties involved in a strikeback scenario. 
    Since the owner of a system has no responsibility for the actions of a 
    worm, or any malicious process, that runs without their knowledge, I 
    submit that they also have no rights to the process. No responsibility 
    means no rights. 
    So, if they have no rights to the process, there is no infringement 
    against them when we neutralize it. If someone wants to claim that 
    their rights were violated by our taking out the attacking process, 
    then they should be held accountable for the actions of the process 
    from its inception. They can't have it both ways. 
    If parents don't vaccinate their children, the state takes them out of 
    school. If a dog consistently attacks people, the authorities put it 
    down. If someone commits three felonies, they are put away for life. 
    This is because the rights of the many outweigh the rights of the one. 
    And that is the way it should be. 
    Timothy M. Mullen is CIO and Chief Software Architect for
    AnchorIS.Com, a developer of secure, enterprise-based 
    accounting software.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Jan 15 2003 - 06:47:44 PST