On Fri, 16 May 2003, Dan Hanson wrote (in part): > At last year's Blackhat conference in Las Vegas, Tim Mullen presented what > turned out to be a very controversial proposal. Briefly, he questioned why > it would be inappropriate to strike back and disable (if not remove) a > worm from hosts that are clearly not being adequately managed. It is interesting that this sounds similar to me to proposals by the RIAA to allow them to legally "strike out", hack into the networks of companies, and remove allegedly copyrighted files from machines who may have advertised them on Peer-to-peer networks. And I'll BET you that we'll have inquiries in the Incidents list if the computers owned by the RIAA try such a thing. But to get more directly to the inquiry at hand, I've wondered if it could be considered "self defense" if, say, a web server who just received the Nimda packet for, say, "cmd.exe" sent an immediate signal right back, telling the offending machine to shut itself down? And this being considered different from someone going through his/her logs after the fact and sending a counter-attack at that point? (One problem with the latter approach is some of the IP addresses may have been reassigned). Good luck on your inquiry and best regards, Ken Parker ---------------------------------------------------------------------------- *** Wireless LAN Policies for Security & Management - NEW White Paper *** Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs. To get your FREE white paper visit us at: http://www.securityfocus.com/AirDefense-incidents ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon May 19 2003 - 10:40:40 PDT