Re: [ISN] Why I should have the right to kill a malicious process on your machine

From: InfoSec News (isnat_private)
Date: Sat Jan 18 2003 - 01:26:12 PST

  • Next message: InfoSec News: "Re: [ISN] Why I should have the right to kill a malicious process on your machine"

    Forwarded from: "Deus, Attonbitus" <Thorat_private>
    Cc: security curmudgeon <jerichoat_private>
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    At 11:45 AM 1/17/2003, security curmudgeon wrote:
    
    >Please don't make the mistake of thinking you are the first to consider
    >strikeback, write about it, propose it, or even implement it.
    >
    >If I write about some buffer overflow concept and don't provide much
    >information, it's fair to say you can intelligently respond to it because
    >there is already considerable information on the topic, yes?
    
    I know strike-back, hack-back, counter-attack, etc has been discussed for 
    quite some time, but I have not seen a framework put together like we have 
    in regard to combating worm propagation.  Regardless, if you published a 
    buffer overflow concept and provided links to papers on it, sure I 
    would.  Just like I did with the Shatter stuff- nothing really new there, 
    but I wanted to make sure of that- *particularly* if I were to render an 
    opinion of it.  I honestly can't see how I would *not* research something 
    before making any public comment.  But let's not spend too much time on 
    that- it doesn't really matter.  Let's talk about the technology now.
    
    >I agree now, more than ever. I am tired of the worms and I would love to
    >have the ability to strikeback at servers hitting me. But that just can't
    >happen until the idea is fleshed out more and all scenarios are
    >considered.
    
    So let's do it.  All of us here who give a damn, let's flesh it out and 
    consider the scenarios.  If the examples in the whitepaper are wrong, then 
    lets come up with some that are right.
    
    
    >Exactly my point. What YOU define may different than what I define or what
    >WE define as a collective group. Without some form of standards, more
    >liability will end up on YOUR shoulders and mine for striking back. That
    >is not what you want clearly.
    
    In the whitepaper (that you, uh, ahem, haven't read yet ;) we call for 
    standards.
    
    
    >Out of curiosity, have you read Schwartau's and other
    >posts/papers/comments on strikeback as a foundation for your own? Have you
    >read past criticism of their writings? I specifically mention him for a
    >reason.
    
    Yes I have- to be honest it was a while back, but I just re-visited to make 
    sure I remembered correctly.  I believe that those concepts are quite 
    different that what we are discussing here.  The term "strikeback" is 
    actually much more in tune to that mindset- that is why we have been trying 
    to refer to our stuff as "neutralizing agents" than "strikeback" but once a 
    term is coined, it is hard to get away from it.
    
    
    >it's currently loaded in my browser, just haven't had a chance to read it
    >yet =)
    
    Looking forward to your interpretations.
    
    
    >Preaching to the choir here. I'm one of those nutjobs who complain about
    >every single piece of spam, every worm/virus that hits us. I'm tired of
    >their lack of reactino and indifference.
    
    I still think you have a valid point about having it be an area to 
    explore.  I just don't know how to go about that.
    
    
    >Until all of these questions (and more?) are answered to the satisifaction
    >of legilators and the masses.. strikeback remains a topic for coffee and
    >pontification i believe.
    
    You're gonna keep kicking me on that one, aren't you ? =)
    
    
    
    >Not blindly, no. If you provide logs and my ISP has multiple complaints,
    >they should contact me or pull my plug until it is resolved. This is being
    >said  with a lot more in mind that I haven't typed out. Factoring in the
    >type of system, who the customer is, etc .. should all weigh in on how the
    >ISP reacts. My comment was made because I feel that it is easier to define
    >parameters for that kind of reaction and would readily be accepted by more
    >people before strikeback would.
    
    Right- my problem here is the reaction time frame- Let's say we've got all 
    of our neutralizing bots deployed world-wide; when SlapperII hits, we've 
    got to get all the IR and code guys on it pronto so they can present vector 
    and neutralization options.  We've got to get the standards body to make an 
    informed decision on if/how to apply neutralization measures, and then 
    deploy the updates to the field units.  Case-by-case ISP analysis won't cut 
    it.  They'll be flooded before they can get a single phone call off...
    
    But, that is still something to consider.
    
    
    > > While there a many questions to all of this, the only way for us to
    > > get an answer is to talk about it and explore the possibilities- and
    > > that is my intention in all of this.
    >
    >Agreed.
    
    Looks like we are doing it!
    
    Tim
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1
    
    iQA/AwUBPihuHohsmyD15h5gEQIsRwCfeuDRNw3H5Y647VpL7iXRI/dye10An2s6
    XsV9kby/ISY0DtmyAsJMEWCc
    =dGzW
    -----END PGP SIGNATURE-----
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Sat Jan 18 2003 - 03:53:01 PST