Why I should have the right to kill a malicious process on your machine

[InfoSec News <isn () c4i org>]

http://212.100.234.54/content/55/28851.html

By Tim Mullen
Security Focus Online
Posted: 14/01/2003 

Opinion - A lot has happened since my Right to Defend column in 
SecurityFocus Online last July, and the subsequent presentation I made 
at the Blackhat Security Briefings in Las Vegas. The idea has 
withstood a lot of criticism. 

To refresh, I believe you should have the right to neutralize a worm 
process running on someone else's infected system, if it's 
relentlessly attacking your network. I've even written code to 
demonstrate the process. Though the initial news coverage of the 
concept was grossly inaccurate in conveying my ideas, it has stirred 
up a constructive dialog. 

I knew my idea was controversial, but I was wrong about something-- I 
figured everyone in the security biz would "get it" and that the hard 
part would be convincing everyone else that if they can't or won't 
secure their machines, we as the defenders would have the right to 
terminate the process attacking us. 

It has turned out to be the opposite. 

TechTV's Cybercrime news magazine show did a segment about strikeback, 
where I talked about my goals and demo'd a couple of my neutralizing 
agents. Though the audience of Cybercrime is a much more generalized 
group of computer users and enthusiasts, the very people I thought 
would cry foul the loudest, I did not receive a single negative e-mail 
in response. Every last message was wonderfully supportive, and most 
of them eagerly offered assistance and asked how they could 
participate. 

It has been the "security experts" who have grouped as the opposition, 
some even with a level of condescension. For instance, Eugene Schultz 
of U.C. Berkeley's Lawrence Berkeley National Laboratory wrote in an 
issue of SANS Newsbites that he "hoped no one would take Mr. Mullen 
seriously" about this technology, as if it were some joke I was 
playing on the community. 

To the contrary, I am dead serious -- because we need strikeback. In 
fact, had the technology been in place when Nimda first appeared, 
institutions like the University of California at Berkeley, for 
example, could have been spared the embarrassment of having Nimda rip 
through their infrastructure, infecting untold numbers of innocent 
external machines just because their IT staff couldn't secure IIS. 

I think the main reason for the knee-jerk criticism from the likes of 
Schultz is that they work largely in a theoretical rose-colored world 
of security, where all problems are solved after a cup of coffee and a 
bit of pontification. Those who actually work in the operational end 
of network and system security see things as they really are. The men 
and women who work the trenches of system administration know that 
fast spreading worms like Nimda are a real problem that must be 
addressed, and are willing to work for a solution. 

No Accountability, No Rights 

I was surprised to see Bruce Schneier try to draw a bit of the red, 
red krovvy by lumping strikeback with legislation that the RIAA is 
pushing -- and U.S. Representative Howard Berman is sponsoring -- that 
would permit record companies to legally hack file sharing networks. 
He even includes a quote from the "Declaration of the Rights of Man 
and of the Citizen" in order to illustrate how such technology goes 
against the rights of the people. 

I'm not sure of the relevancy of a document the French National 
Assembly drafted 200 years ago, but let's ignore that for now. If 
anyone's rights are at issue here, it's yours and mine -- the people 
whose systems are being attacked by worms and viruses running rampant 
on negligently unprotected machines. 

Schneier's reasoning ignores fundamental differences -- opposites, 
really -- between the RIAA proposal and what my strikeback technology 
does. Under the Berman bill, the RIAA could legally hack only people 
infringing their copyrights -- people the RIAA already have ample 
legal remedies against. 

In contrast, my strikeback technique is aimed at an attacking 
worm-infected box whose owners have no legal responsibility, and to 
whom justice turns two blind eyes. We have no legal recourse against 
these people. Maybe in the distant future we can prove that every 
owner of a system connected to the Internet has a duty to perform due 
diligence in securing their assets, but today proving such a duty 
would be quite difficult, even in instances of the most grievous 
neglect. 

Logic dictates that anyone who opposes a bill allowing corporate 
entities to attack our systems should support a technique to stop 
worm-ridden systems from doing the same. 

As the debate continues, I'd like to suggest a new way of thinking 
about the parties involved in a strikeback scenario. 

Since the owner of a system has no responsibility for the actions of a 
worm, or any malicious process, that runs without their knowledge, I 
submit that they also have no rights to the process. No responsibility 
means no rights. 

So, if they have no rights to the process, there is no infringement 
against them when we neutralize it. If someone wants to claim that 
their rights were violated by our taking out the attacking process, 
then they should be held accountable for the actions of the process 
from its inception. They can't have it both ways. 

If parents don't vaccinate their children, the state takes them out of 
school. If a dog consistently attacks people, the authorities put it 
down. If someone commits three felonies, they are put away for life. 
This is because the rights of the many outweigh the rights of the one. 

And that is the way it should be. 

Timothy M. Mullen is CIO and Chief Software Architect for
AnchorIS.Com, a developer of secure, enterprise-based 
accounting software.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.