What's next? I propose we start publishing lists of every host that hits a webserver and sends a browser string with ".NET" in it. Then when the .NET worms start running rampant we're prepared and we can have some idea of what kind of potential threat we're facing. In fact, maybe we should write some scripts to portscan any host that sends a ".NET" browser string to check up on things like the UPNP bugs and whatnot. In fact, why not just create a big public database that has every single host with a static IP, what ports they have open, what services they're running, their OS, and other useful information. Besides, if they connect to your webserver and perform such malicious actions as sending a GET request, then they shouldn't have any expectations of privacy, right?

It's funny hearing the same people argue that web-bugs that track people's browsing habits are huge invasions of privacy, while suggesting that we make public lists of people who issue certain GET requests. Maybe we need an RFC that would let us all know exactly what line we have to cross in order to throw away all our rights, and become "bad enough" that our information should be made public. What expectations of privacy we should have based on the types of HTTP requests we issue. For example, "Information that is willingly submitted to a webserver by a user cannot be shared without properly informing and warning the user, while information that is submitted due to a host being infected by a virus or worm can be made public without the sender being warned", or "Any information submitted to a webserver that could possibly be used to enumerate hosts that are running software that is deemed 'malware' by the general public can be made public without the sender being warned". Something to that effect. There should be general agreed-upon rules for this kind of behaviour, instead of going on a case-by-case basis. Just a thought.

In addition to all this, I have a legal question. Probably the wrong forum, because it seems that most legal questions posed on this list are answered by people with no legal background who make educated guesses, but here goes. It is my understanding that, at least in Canada and the United States, there are laws addressing the issue of monitoring private conversations and making the contents of such conversations public. Are any of these laws directly applicable to the situation we're discussing?

I know that this thread has gone on for quite some time, but I hope my comments and questions will sway the general contents of this thread away from the "Yes list good"/"No list bad" conversation that we're all probably sick of by now.

To the person who got this thread started I have a few comments. Please don't go ahead with your "project" without carefully picking the brain of a good lawyer. Maybe even a couple of lawyers. Don't proceed based on "the suggestions of the posters", where "> 90%" of the "posters" are really a bunch of pissed off administrators who would love to see something like this implemented on a wide scale, as long as someone else does it and they're not putting themselves or their networks at risk.

jordan young
naïve student
jfrankaat_private

PS: What happens if I'm tricked into clicking on a seemingly innocent link that in fact sends a GET request matching the one sent out by NIMDA infected hosts? Is that reason enough for you to then post all of my information to some public list of 'evildoers'? How do you know that every NIMDA probe is in fact malicious? If I send a NIMDA probe to your Apache webserver then there's absolutely no threat whatsoever, so can you call that a malicious probe? What if JordanOS v0.1's IP stack was flawed in such a way that an ICMP ECHO request would cause the whole OS to crash? Would it be fair to then label every ICMP ECHO sent to my network as malicious, and publish a public list of anyone who has pinged my network? I'm pretty sure that if I made all of my webserver logs public it would be considered extremely unethical (if not illegal), so why would publishing a subset that I dub malicious be any different?

PPS: It is my opinion that if you do proceed with your project, and accumulate a large list of hosts that have sent out the evil GET request, then you should also make public the IP's of everyone that has browsed that list. Suppose one of my hosts were in that list. If you had done what I would consider the 'right' thing, and alerted myself and possibly my upstream provider, then I believe that I have every right to know exactly who you've sent the alerts to. I feel the same should hold if you post my information to a list. Either that, or you should require the administrators' consent before their information is published to the list, and you should properly inform them that their information will be made public and they will not be privy to who has been given their information. This is just my opinion on the matter though.

----- Original Message -----
From: "Healy, S. S., CTM2" <sshealyat_private>
To: <vuln-devat_private>; <dufresneat_private>
Sent: Wednesday, May 08, 2002 7:01 AM
Subject: RE: Publishing Nimda Logs

> I'm just waiting for the day where a sysadmin gets fed up with being scanned by NIMDA and rewrites NIMDA to start patching the systems it infects.
>
> What would you call such a beast, a retro-virus or an anti-virus virus?
>
> -Steve-
>
> -----Original Message-----
> From: Ron DuFresne [mailto:dufresneat_private]
> Sent: Tuesday, May 07, 2002 6:48 PM
> To: Chip McClure
> Cc: Deus, Attonbitus; vuln-devat_private
> Subject: Re: Publishing Nimda Logs
>
> I've also pretty much given up on trying to clue folks to nimda issues they still have, same with code red variants which are still plentiful. I've started to blackhole whole IP blocks due to this problem. Some companies, even when notified of their systems' compromise and their being used to further attack other systems, don't even take the time to either investigate, nor repair such systems. We've taken to having to block the whole netspace for many sites, such as the City of Ashland in Oregon, (NETBLK-SPRINT-D00150-2) SPRINT-D00150-2 208.1.80.0 - 208.1.83.255, whose systems are so infested with code-red and nimda variants and who fail, as well as Sprint, their upstream provider, in taking any action about their systems' attacks on others on the Internet infamous highway. We tried to actually call and talk to their techs and were rudely hung up on, this after over 6 months of notifications to them and their upstream ISP Sprint. Although Jose Nazario does mention these systems can be 0w3d after a publication of IP's of infected systems, I'm at this point not caring if they get taken. They are a pain and further spreading their problem as it is. I suspect many of these systems are at least partially 0w3d and used as DDOS mechanisms already. The hall of shame list should include the ISP's in question too; the upstreams have been notified as well as the direct offender, most many times over many months. Nothing else has worked...
>
> Thanks,
>
> Ron DuFresne
This archive was generated by hypermail 2b30 : Wed May 08 2002 - 22:23:02 PDT