Vulnerability Development mailing list archives

Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)


From: "Stanley G. Bubrouski" <stan () ccs neu edu>
Date: Fri, 7 Sep 2001 08:11:27 -0400 (EDT)



On Thu, 6 Sep 2001, Gert-Jan Hagenaars wrote:

> Apparently, Stanley G. Bubrouski wrote:
> % On Thu, 6 Sep 2001, Emre Yildirim wrote:
> % 
> % It may sound unreasonable but using access-lists on routers is a
> % great way for companies and providers to stop the spread of Code Red.  By
> % blocking all traffic from a person's machine they are then forced to call
> % their provider's tech support to report they lost their connection.  The
> % provider then can inform the customer they are infected, explain to them
> % they must patch their system, remove them from the ACLs, wait 24 hours and
> % if they show signs they are patched then do not reapply the ACL.
> 
> This doesn't work on machines that connect via DHCP.


With access-lists you can compare them to RADIUS for dial-up users and see
who they are and call them.  Think before you speak.

> The whole notion of using manhours to combat a DOS attack is an out of
> date idea.  Besides, you're turning the problem into a problem for
> the ISPs.  Which (essentially) means that you're turning the ISPs into
> internet-cops.


If an ISP's customer is causing traffic and infecting other customers what
would you expect the ISP to do?  Take a long lunch break and ignore the
problem?

> I see four distinct problems with this approach:  on one server we got
> about 1200 distinct hits of code-red in 24 hours.
> 
> (first problem) How many thousands of emails do I have to send in a
> week to get through to the ISPs, and
> 
> (second problem) who's going to handle all these requests in a timely
> manner and
> 
> (third problem) judge the validity of my claims?  And,
> 
> (fourth problem) who's going to pick up the bill for calling all these
> customers?


And who are you to claim infecting unknowing people with another virus is
any way to solve the problem.  I mean someone brought up an interesting
point about CodeGreen, does it actually stop once a machine is fixed or
just keep infecting other machines?

> Consider the cost of a support call when a customer calls an ISP (CDN
> 7 about four years ago (when I worked for an ISP), very likely higher
> now), and that's when you don't have to spend time finding out which
> number to call, nor having to find the right person at the other end of
> the phone ("my son always takes care of this stuff, but I can't get to
> yahoo and i'm paying you guys for my internet connection!")


A lack of social/people skills is not justification for using a virus.

> If your proposed approach worked, we wouldn't have any SPAM either.
> And that's an area where (most) ISPs _want_ to battle this.


My approach works, I have been using it for a month in a corporate network
and for the dial-up users on the road.  They call in, they are
informed of the problem, they are sent the fixes, they install them, all
done.

> I think a passive inoculation (worm) that doesn't seek out victims, but
> only counters infected systems (where the admins (if they exist) don't
> care) is a far better approach.  It's certainly more cost effective,
> definitely quicker and obviously less prone to error.


LESS PRONE TO ERROR?  HELLO?  First of all CodeGreen does seek out victims
via scanning, second with human interaction if there are problems they can
be worked out in real time.  What if CodeGreen doesn't patch a system say
in the Ukraine?  And what if that system fails as a result of the so-called
"good" worm, what?  What if that machine going down costs a company
thousands of dollars and they are stuck trying to figure out why their
system failed?  How is that cost effective?  The only cost effective
approach there is if they sue the party that unleashed the worm on their
system that caused the failure.  If something goes wrong, nobody has been
informed of what was being done to the system, it could take hours or
days of time and manpower to fix whatever damage might have been done.

> So... where's the linux version?
> 
> Cheers,
> Gert-Jan.
> 
> -- 
> +++++++++++++ -------- +++++ --- ++ - +0+ + ++ +++ +++++ ++++++++ +++++++++++++
> sed '/^[when][coders]/!d         G.J.W. Hagenaars -- gj at hagenaars dot com
>     /^...[discover].$/d          Remembering Mike Carty 1968-1994
>    /^..[real].[code]$/!d         UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix
> ' /usr/dict/words                I'm Dutch, what's _your_ excuse?


This whole thing is like a horror movie...

Stan

--
Stan Bubrouski                                       stan () ccs neu edu
23 Westmoreland Road, Hingham, MA 02043        Cell:   (617) 835-3284


