Security Incidents mailing list archives

Re: Flash Worms


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Sun, 19 Aug 2001 19:20:15 -0400 (EDT)

On Fri, 17 Aug 2001, Robert Graham wrote:

> People often ask me "what motivates people to write worms". The above
> discussion highlights one of the prime motivations. In the scientific
> community, we don't believe theories and propositions, only
> experimental evidence. Therefore, to prove that somebody can take down
> the Internet in 30 seconds, you actually have to do it. Otherwise,
> nobody really believes you.

robert's almost right. (1) the scientific community doesn't necessarily
discard something without experimental evidence, but instead accepts well
reasoned and founded arguments. example: einstein's theory of relativity,
which took decades to gain experimental evidence (and we're still finding
some), but was accepted much earlier due to the clean, solid reasoning
behind it.

i'm really sorry to see these two discussions gaining such blind
acceptance. it strikes me as obvious that for both the warhol worm and the
flash worm that people don't understand basic elements of dynamics, such
as kinetic theory, which includes things like encounter theory and
propagation. if such analysis were included, done, or even simply
understood, i think that this whole discussion would have been seen as
obviously lacking in technical merit, and ripe in hyperbole. in a
nutshell, think sigmoidal growth patterns, not exponential.

that's not to say that there can be an architecture for fast spread, but
neither the warhol worm nor the flash worm seem to be adopting it.

as such, i don't see the need for experimental demonstration of this, only
a more sound backing of the theory with some mathematical workings. sure,
we can all assume infinitely fast transfer rates, sub-second
exploitation/control gain, and infinitely fast pipes, but even then 15
minutes is not going to plausibly happen.

i've started working on framing kinetic theory for the information
scientist to discuss worms specifically. in the meantime, those who wish
to seriously analyze these offerings in the flash worms and the warhol
worm scenarios, please read this excellent paper by the IBM antivirus
research team:

http://www.research.ibm.com/antivirus/SciPapers/Kephart/ALIFE3/alife3.html

notes: 1. i'm a scientist, specifically a biochemist. i live in the
scientific community, so .. that's my perspective. i don't speak for all,
only offering a perspective here that seems to be lost.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
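
Added example, not part of the original post: a short model of the "sigmoidal, not exponential" point for a uniformly random-scanning worm, where probes increasingly land on hosts that are already infected. All parameter values are constructed assumptions, not measurements from the thread or from any real worm.

```python
import math

# Constructed parameters (assumptions for illustration only).
N_VULN = 300_000       # vulnerable hosts
ADDR_SPACE = 2 ** 32   # addresses probed uniformly at random
SCAN_RATE = 100.0      # probes per second per infected host
I0 = 10                # hosts infected at t = 0

def contact_rate(scan_rate=SCAN_RATE, n_vuln=N_VULN, addr_space=ADDR_SPACE):
    """beta: new infections per infected host per second while nearly
    every vulnerable host is still uninfected."""
    return scan_rate * n_vuln / addr_space

def exponential(t, beta, i0=I0):
    """Unbounded growth: ignores that the target pool is finite."""
    return i0 * math.exp(beta * t)

def logistic(t, beta, n_vuln=N_VULN, i0=I0):
    """Closed-form solution of dI/dt = beta * I * (1 - I/N)."""
    return n_vuln / (1.0 + (n_vuln / i0 - 1.0) * math.exp(-beta * t))

def time_to_fraction(frac, beta, n_vuln=N_VULN, i0=I0, model="logistic"):
    """Seconds until frac of the vulnerable population is infected."""
    if model == "exponential":
        return math.log(frac * n_vuln / i0) / beta
    return math.log((n_vuln / i0 - 1.0) * frac / (1.0 - frac)) / beta

def simulate(beta, dt, t_end, n_vuln=N_VULN, i0=I0):
    """Euler integration of the same equation, as a check on the formula."""
    infected, t, series = float(i0), 0.0, []
    while t <= t_end:
        series.append((t, infected))
        infected += beta * infected * (1.0 - infected / n_vuln) * dt
        t += dt
    return series

if __name__ == "__main__":
    beta = contact_rate()
    for frac in (0.5, 0.9, 0.99):
        t_exp = time_to_fraction(frac, beta, model="exponential")
        t_log = time_to_fraction(frac, beta)
        print(f"{frac:>5.0%}  exponential {t_exp:7.0f} s   logistic {t_log:7.0f} s")
```

The two curves agree early on and diverge as the pool of uninfected hosts shrinks, so an exponential extrapolation underestimates the time needed to reach the last few percent.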





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

