Security Incidents mailing list archives

Re: "Nimda"?


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Wed, 27 Feb 2002 19:57:39 -0800 (PST)

On Thu, 28 Feb 2002, Greg Williamson wrote:

Summary type email (like that in ARIS) is good, but for something that
leaves an open door behind it (such as Code Red) it can be better to use
that back-door to your advantage.  With CodeRed, I cobbled together an
automated response that notified the netblock administrator, but also
used the root.exe hole to put a WinPopup box on the infected machine. 
That was fairly effective. 

        There's a reference to that in the EB FAQ.  The problem with that
approach is that -- here in the States -- that sort of thing could be
construed as tampering with a crime scene.

        Mr. Woods' major problem with EB is that he doesn't understand how
it works.  He claims that such services should only send out one notice
per day per IP.  EB does that.  In fact, it's even covered in the FAQ.

        If Mr. Woods bothered to RTFM, he'd understand that.

-Jay

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) |    = |-'
 `--' `--'  `The armed are citizens.  The unarmed are subjects.'  `------'



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
