RE: [ISN] Why I should have the right to kill a malicious process on your machine

From: InfoSec News (isnat_private)
Date: Wed Jan 15 2003 - 23:12:34 PST

  • Next message: InfoSec News: "[ISN] The Authprogs SSH Command Authenticator (Passwordless SSH part 4)"

    Forwarded from: Jason Coombs <jasoncat_private>
    Cc: Thorat_private
    Aloha, Tim.
    Rights in and liability for abandoned property is a complex subject of
    law. Nobody would argue that you don't have the right to perform
    remote system administration on abandoned property that happens to
    still be connected to a power source and the Internet, but a server
    that has been owned by a worm or an anonymous third-party attacker is
    not clearly abandoned. As physical property it still belongs to its
    legal owner. If we allow anonymous remote system administration that
    is allegedly benign or even beneficial to information security why
    shouldn't we also encourage the coding of self-replicating concept
    worms and viruses that exploit security vulnerabilities for the sole
    purpose of demonstrating that such vulnerabilities exist?
    Code Red was a concept worm. It did no real harm. Its spread could
    have educated IIS administrators as to the threat of their unpatched
    boxes, but it didn't. Code Red II DID result in widespread awareness
    of the security risk of unpatched IIS boxes because it did cause
    widespread harm. It's not difficult to see the slippery slope that
    begins with your good intentions and ends with the logical conclusion
    that in order to cause real security for the good of your nation and
    the world, you have to write malicious code that self-replicates and
    causes global electronic paralysis. Otherwise nobody will listen,
    nobody will acknowledge the threat even though you see it clearly, and
    nobody will act to prevent more severe penetrations before they occur.
    When electronic trespassing is permitted in violation of other
    people's reasonable legal rights under the condition that the
    trespasser must be attempting to do something beneficial to the
    security of the property in which she trespasses the entire notion of
    illegal electronic trespassing disappears, to be replaced with
    forensic arguments made by expert witnesses in front of juries. You do
    not want a jury of your peers to decide whether or not the
    prosecution's interpretation of the computer evidence is accurate or
    whether your defense expert witness is correct in her forensic
    counter-analysis that proves your innocence. This is a losing
    situation for you, the accused, because law enforcement will always
    appear to be the more credible witness.
    "Ladies and gentlemen of the jury, who are you going to believe?
    THORat_private or the FBI?"
    Advocating white hack hacker penetrations of other people's property
    for the purpose of remote system administration also fails the common
    sense test. Common sense tells us that we can defend ourselves
    adequately from all of our badly-configured and compromised peers
    simply by unplugging our computers from the network that connects us
    to them. If the only viable solution to the world's information
    security problems includes automated legalized trespassing, then the
    world needs brand new computer products designed from the ground up
    with infosec in mind. The fact that we will soon see the first
    generation of these systems enter the marketplace may be proof of the
    fundamental insecurity of existing programmable computers; though the
    jury is still out deliberating this point.
    Jason Coombs
    -----Original Message-----
    From: owner-isnat_private [mailto:owner-isnat_private]On Behalf
    Of InfoSec News
    Sent: Wednesday, January 15, 2003 2:17 AM
    To: isnat_private
    Subject: [ISN] Why I should have the right to kill a malicious process
    on your machine
    By Tim Mullen
    Security Focus Online
    Posted: 14/01/2003
    Opinion - A lot has happened since my Right to Defend column in
    SecurityFocus Online last July, and the subsequent presentation I made
    at the Blackhat Security Briefings in Las Vegas. The idea has
    withstood a lot of criticism.
    To refresh, I believe you should have the right to neutralize a worm
    process running on someone else's infected system, if it's
    relentlessly attacking your network. I've even written code to
    demonstrate the process. Though the initial news coverage of the
    concept was grossly inaccurate in conveying my ideas, it has stirred
    up a constructive dialog.
    I knew my idea was controversial, but I was wrong about something-- I
    figured everyone in the security biz would "get it" and that the hard
    part would be convincing everyone else that if they can't or won't
    secure their machines, we as the defenders would have the right to
    terminate the process attacking us.
    It has turned out to be the opposite.
    TechTV's Cybercrime news magazine show did a segment about strikeback,
    where I talked about my goals and demo'd a couple of my neutralizing
    agents. Though the audience of Cybercrime is a much more generalized
    group of computer users and enthusiasts, the very people I thought
    would cry foul the loudest, I did not receive a single negative e-mail
    in response. Every last message was wonderfully supportive, and most
    of them eagerly offered assistance and asked how they could
    It has been the "security experts" who have grouped as the opposition,
    some even with a level of condescension. For instance, Eugene Schultz
    of U.C. Berkeley's Lawrence Berkeley National Laboratory wrote in an
    issue of SANS Newsbites that he "hoped no one would take Mr. Mullen
    seriously" about this technology, as if it were some joke I was
    playing on the community.
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Jan 16 2003 - 01:13:02 PST