> Perhaps a very controversial viewpoint is using the backdoor installed by the
> copycat code red worm to patch these systems. The majority of sysadmins who
> by now haven't patched (or unmapped the script mappings from) their systems
> are mostly ignorant anyway. Perhaps a couple of honeypot systems built to
> automatically connect back, patch and reboot.

This has been discussed before and remains a very dangerous, in addition to
very controversial, idea. We really need to stick to a general principle of
"If it's not yours, don't touch."

In some jurisdictions, what you propose is, I suspect, illegal[0]. Imagine
the legal mess you'd be in if you turned loose a worm which then acted on
your behalf in nearly every jurisdiction on the planet.

In some cases, the system is doing something important and rebooting it may
cause harm to people or property. Yes, certainly an unmaintained, hacked
system is a danger to people or property, but if you cause the harm by
causing the reboot, you could and should be held liable.

By all means, notify the system owner and their upstream provider of the
compromised system.

> If we live in an ideal world, we'd eventually get the idiots
> to listen. However, I find that unlikely.

I think you're correct. There will always be someone who doesn't secure
their systems. Put another way in a much more sensitive context, "There's
always some son of a bitch who doesn't get the message!"[1]

Still, that's not justification for me to assume the risk and liability of
managing security on a system without knowledge of its intended use or
authorization of any kind. It's much simpler, safer, and won't get you fired
to secure your systems, accepting that some people out there simply won't
ever do so.

Further, this could do more harm than good if we convert the population of
people who think about security now and again, but never bother to fix it,
into people who never think about it at all because SomeInternetSecurityGroup
will create a patch worm and do it for them.

No, I think it far better for responsibility to remain on the system owner.
I'm certainly not adopting the risk for them. I'll certainly not be happy if
you penetrate my systems for any reason, and I'll have just as much work to
do to clean up the mess. I wouldn't believe your good intentions any more
than I'd believe the words on a defaced web page which say "We didn't damage
anything, we just moved your web content to /foo."

Rob

[0] - There are proposed laws before the U.S. Congress which would make it
illegal in some contexts.

[1] - JFK apparently said this during the Cuban missile crisis when a US
plane crossed into USSR airspace, a time when that was a Really Bad Idea.
Classic quote, that one. Simple, short, and undeniably true.

--
------------------------------------------------------------------------------
Rob McCauley
Radiation Oncology
Duke University Medical Center

On Mon, 6 Aug 2001, Mark Ng wrote:

>
> The only issue that creates is the problem of transparent proxies. Not sure
> how you'd solve that one.
>
> This may eventually be the only way of actually getting rid of code red
>
> Mark
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 13:05:35 PDT