Re: [ISN] Why I should have the right to kill a malicious process on your machine

From: InfoSec News (isnat_private)
Date: Sat Jan 18 2003 - 01:21:11 PST


    Forwarded from: "Deus, Attonbitus" <Thorat_private>
    Cc: jerichoat_private
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    At 10:34 PM 1/16/2003, InfoSec News wrote:
    
    > > I think the main reason for the knee-jerk criticism from the likes
    > > of Schultz is that they work largely in a theoretical rose-colored
    > > world of security, where all problems are solved after a cup of
    > > coffee and a bit of pontification. Those who actually work in the
    > > operational end
    >
    >Heed your own insults Tim. Your proposal falls in the category of
    >theoretical rose-colored solutions. Hopefully you enjoyed your coffee
    >as you pontificated.
    
    When Gene unilaterally dismissed the strikeback concept in News Bites, 
    there was no public information available- my whitepaper was not published, 
    nor were any of my presentations.  No attempt to contact me was made, and 
    no research was done to substantiate his stance.  I certainly expect this 
    type of behavior from the general public, but not from a security 
    researcher in a position to editorialize to a national (worldwide?) 
    audience.  To me, that is irresponsible.  Was I irritated that he disagreed 
    with me?  Not in the least- I was irritated because the comments were made 
    without even bothering to find out what I was talking about first.  I felt 
    my response was justified in the same way that you feel your use of the 
    same "insult" against me is justified.
    
    >There are several issues that you do not clearly address in such a way
    >to sell this idea. Further, by bringing up the details, you will open
    >yourself up to further criticism and further validate the criticism on
    >the table already.
    
    If I were concerned with criticism, I would not have floated the concept to 
    the security community.  I am not ignorant of the fact that the forum in 
    which I presented a possible solution is widely unaffected by the core 
    problem - most of the people reading this now were not infected by Code Red 
    or Nimda.  It is perfectly understandable that many here have the "secure 
    your systems and get on with it" mindset.  But the persistence of old 
    worms and the introduction of new ones is a growing problem- and one that 
    should be considered now.  I have been and still am willing to wade through 
    the "f'ing Nazi" emails in order to get to the "hey, have you thought about 
    this" communications that have some value.
    
    
    >Who defines "relentless" attacks? Is one worm spamming your web server
    >with 6 hits every 30 minutes as it tries to spread "relentless"? Is it
    >really threatening your machine or stealing your bandwidth? What if is
    >the same 6 hits every 5 minutes? Or even every minute? Is that really
    >a "relentless attack" or is that an annoyance? Is your answer the same
    >as everyone else's?
    
    YOU define it!  WE define it! The fact that you asked the question in the 
    first place shows that it is something that *must* be defined, along with a 
    host of other questions!  We try to address questions like this in the 
    whitepaper... And note that we call it a whitepaper, not the Strikeback 
    Bible, because it is a collection of concepts, ideas, and processes that 
    might help solve a problem and is not a "here are all the answers" text.
    
    
    >Who authenticates these attacks? Are your web logs grounds for you to
    >engage in what is normally considered felony level activity and title
    >18 violations? Are you sure you are reading those web logs right? Have
    >you considered some possible scenarios that might challenge your ideas
    >on strikeback?
    <examples snipped>
    
    >These are three examples off the top of my head that show some serious
    >flaws in the idea of strikeback technology. You are definitely not the
    >first to bring this idea up, and you are certainly not the first to
    >consider all the scenarios and ramifications.
    
    Some of the issues are addressed in the whitepaper- others are not; but 
    they can be.  We can figure this out if we try.
    BTW, the wp is at http://www.hammerofgod.com/strikeback.txt if you have not 
    looked at it.
    
    >If you find yourself asking what else can be done to stop these
    >problems, one answer that comes to mind is simple. ISPs need to be
    >more reactive to complaints about abuse on their network. Their
    >customers already sign an agreement stating they will follow an
    >Acceptable Use Policy.
    
    Having it come to mind is simple, but actually *making* the ISP react is 
    quite a different matter.   And you have now just introduced the exact same 
    questions- what is an attack?  How much is too much?  If you do a port scan 
    from your "mission critical" machine, does the ISP get to pull your 
    plug?  Is it different for each ISP?  And if I maliciously hack into your 
    machine to steal your customer's information and your ISP (or mine) does 
    not catch it and pull the plug, is it not now their fault?  And if you 
    secure the hell out of all your machines, but your ISP has to hike rates 
    50% to cover their expenses of this new duty, are you willing to pay that 
    though you don't feel you personally need it?
    
    >Every AUP I have seen covers malicious activity
    >like you describe, and puts the liability on them. If your system
    >attacks mine, be it from automated worm or not, and I report that
    >activity to your ISP.. they need to kill your connection until the
    >problem is solved.
    
    So, if I think you are attacking my machine, and I call your ISP, you 
    expect them to just kill your connection?  I see as many problems with this 
    concept as you do with mine.
    
    >If they read the logs I sent, they can then make
    >the determination if it is a serious problem, contact you, or monitor
    >your traffic to find their own verification of the activity. Once they
    >find it, they pull your plug and problem is solved temporarily. While
    >this system is not flawless, it is certainly more feasible and
    >responsible than any strikeback proposal.
    
    I guess we disagree... Well, I agree that something can and should be done 
    at the ISP level, but I don't agree that the ISP staff should be the ones 
    making the decision.  I would much rather capitulate to a framework that 
    you and other security people lay out that outlines the important questions 
    than to have arbitrary employees of the ISP do it.
    
    Of course, we could combine the ideas and have the ISPs deploy a 
    strikeback framework that the community builds.
    
    While there are many questions to all of this, the only way for us to get an 
    answer is to talk about it and explore the possibilities- and that is my 
    intention in all of this.
    
    Thanks for the email...
    
    Tim
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1
    
    iQA/AwUBPiggXohsmyD15h5gEQI0mACfdh8eIYeNXB65yb5P5gLBZAbrGgMAoPkS
    vhHsyIMimFPV7Pzx0qG7ab+d
    =5j8I
    -----END PGP SIGNATURE-----
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Sat Jan 18 2003 - 03:52:54 PST