Full Disclosure mailing list archives

Re: The 'good worm' from HP


From: Bart.Lansing () kohls com
Date: Mon, 23 Aug 2004 09:21:37 -0500

I'm fairly sure I disagree with you, Nick.  I don't believe we need 
Bontchev's paper in hand or head to discuss whether or not 
self-replicating, active, "beneficial code" is a good idea or not. Contrary 
to the tone of some of your posts, many of us are fairly bright, 
reasonably well educated, and capable of forming our own opinions without 
someone else framing the debate for us.  In fact, Bontchev's thoughts on 
constructing/distributing a beneficial virus come down, in the end, to 
just being a publish and subscribe software distribution method...hardly 
revolutionary or ground-breaking even when he wrote it.

As relates specifically to HP/Active Countermeasures, however:

HP is looking to market/deploy this as a managed tool, most likely as a 
bolt-on to OpenView, not "unleash" it on the net...more to the point, it 
is not viral (as described, in fact, in Bontchev's paper...so let's not 
quibble about that definition).  As a managed systems tool, confined to 
pre-defined systems, it matters not a whit what Bontchev's paper has to 
say.  If it's a functional, efficient tool to assist in keeping systems 
secure and patched, it's going to be used.  In the case of this specific 
product, I think that several posters here need to do a little more 
research into the product.  It's a scanner, based on reported/compiled 
vulnerabilities, coupled with some rules-based capabilities such as taking 
a machine off a network, forcing patches, etc.  I think too many people 
here (and elsewhere) heard the term "good worm" and leapt to a series of 
conclusions so quickly that they never bothered to find out what it was 
that they were talking about.

Bart Lansing
Manager, Desktop Services
Kohl's IT




Nick FitzGerald <nick () virus-l demon co uk>
Sent by: full-disclosure-admin () lists netsys com
08/20/2004 09:14 PM
Please respond to: nick () virus-l demon co uk
To: full-disclosure () netsys com
cc:
Subject: Re: [Full-Disclosure] The 'good worm' from HP






Maarten wrote:

Stuff like counter-attacking has been discussed often, whether in large 
open forums such as FD or in more private circles.  Mostly, people were too 
concerned to open themselves up for huge lawsuits and or for prosecution 
even, but now that an important influential company like HP is suggesting 
(building) it, this may well signify an important shift in the fight 
against malware.  I, for one, welcome the initiative...

You need to read Vesselin Bontchev's classic "Are 'Good' Viruses Still 
a Bad Idea?" paper before you can even begin to enter this debate.  And 
if you think the age of that paper automatically disbars it from 
contemporary discussion, the reason there are no more recent papers 
worth reading is because no-one has meaningfully challenged Bontchev's 
position since that paper was written.

I hope the HP folk have read it and thought very carefully about all 
this...  (Sadly the media reports are too "light and fluffy" to make 
anything sensible of what HP is really proposing.)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

