Vulnerability Development mailing list archives

Re: Publishing Nimda Logs


From: Jordan Frank <jfranka () sfu ca>
Date: Wed, 08 May 2002 14:59:50 -0700

What's next? I propose we start publishing lists of every host that hits a
webserver and sends a browser string with ".NET" in it. Then when the .NET
worms start running rampant we're prepared and we can have some idea of what
kind of potential threat we're facing. In fact, maybe we should write some
scripts to portscan any host that sends a ".NET" browser string to check up
on things like the UPNP bugs and whatnot. In fact, why not just create a big
public database that has every single host with a static IP, what ports they
have open, what services they're running, their OS, and other useful
information. Besides, if they connect to your webserver and perform such
malicious actions as sending a GET request, then they shouldn't have any
expectations of privacy, right?

It's funny hearing the same people argue that web-bugs that track people's
browsing habits are huge invasions of privacy, while suggesting that we make
public lists of people who issue certain GET requests. Maybe we need an RFC
that would let us all know exactly what line we have to cross in order to
throw away all our rights, and become "bad enough" that our information
should be made public. What expectations of privacy we should have based on
the types of HTTP requests we issue. For example, "Information that is
willingly submitted to a webserver by a user cannot be shared without
properly informing and warning the user, while information that is submitted
due to a host being infected by a virus or worm can be made public without
the sender being warned", or "Any information submitted to a webserver that
could possibly be used to enumerate hosts that are running software that is
deemed 'malware' by the general public can be made public without the sender
being warned". Something to that effect. There should be general agreed-upon
rules for this kind of behaviour, instead of going on a case-by-case basis.
Just a thought.

In addition to all this, I have a legal question. Probably the wrong forum,
because it seems that most legal questions posed on this list are answered
by people with no legal background who make educated guesses, but here goes.
It is my understanding that, at least in Canada and the United States, there
are laws addressing the issue of monitoring private conversations and making
the contents of such conversations public. Are any of these laws directly
applicable to the situation we're discussing?

I know that this thread has gone on for quite some time, but I hope my
comments and questions will sway the general contents of this thread away
from the "Yes list good"/"No list bad" conversation that we're all probably
sick of by now. To the person who got this thread started I have a few
comments. Please don't go ahead with your "project" without carefully
picking the brain of a good lawyer. Maybe even a couple of lawyers. Don't
proceed based on "the suggestions of the posters", where "> 90%" of the
"posters" are really a bunch of pissed off administrators who would love to
see something like this implemented on a wide scale, as long as someone else
does it and they're not putting themselves or their networks at risk.

jordan
young naïve student
jfranka () sfu ca

PS: What happens if I'm tricked into clicking on a seemingly innocent link
that in fact sends a GET request matching the one sent out by NIMDA infected
hosts? Is that reason enough for you to then post all of my information to
some public list of 'evildoers'? How do you know that every NIMDA probe is
in fact malicious? If I send a NIMDA probe to your Apache webserver then
there's absolutely no threat whatsoever, so can you call that a malicious
probe? What if JordanOS v0.1's IP stack was flawed in such a way that an
ICMP ECHO request would cause the whole OS to crash? Would it be fair to
then label every ICMP ECHO sent to my network as malicious, and publish a
public list of anyone who has pinged my network? I'm pretty sure that if I
made all of my webserver logs public it would be considered extremely
unethical (if not illegal), so why would publishing a subset that I dub
malicious be any different?

PPS: It is my opinion that if you do proceed with your project, and
accumulate a large list of hosts that have sent out the evil GET request,
then you should also make public the IPs of everyone that has browsed that
list. Suppose one of my hosts were in that list. If you had done what I
would consider the 'right' thing, and alerted me and possibly my
upstream provider, then I believe that I have every right to know exactly
who you've sent the alerts to. I feel the same should hold if you post my
information to a list. Either that, or you should require the administrators
consent before their information is published to the list, and you should
properly inform them that their information will be made public and they
will not be privy to who has been given their information. This is just my
opinion on the matter though.
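The PS above makes a point that any "Nimda log" publisher has to face: a log line records the shape of a request, not the intent behind it, and a single probe-shaped GET can come from a tricked click just as easily as from an infected IIS box. The following is an added example (written here, not code from any poster on this thread) of what a more careful classifier would look like before anyone's address goes on a list. It assumes Apache "combined" log format, uses constructed sample lines, and keys on the cmd.exe/root.exe traversal strings that Nimda's HTTP propagation was documented to send (CERT CA-2001-26). The threshold of several distinct probe variants from one host is an assumption chosen to separate the worm's burst from a lone click; it is a heuristic, not proof.

```python
import re
from collections import defaultdict

# Apache "combined" log format (assumed for the constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Substrings present in Nimda's documented HTTP probes (IIS traversal attempts
# aimed at cmd.exe / root.exe). Matching them recognises a request *shape*;
# it says nothing about whether the sender is a worm or a tricked browser.
NIMDA_PROBE_MARKERS = (
    "/scripts/root.exe",
    "/msadc/root.exe",
    "/winnt/system32/cmd.exe",
)

# Constructed sample: one host sending a burst of distinct traversal variants
# (worm-like), one host issuing a single probe with a Referer (looks like a
# click on a crafted link), and one ordinary visitor.
SAMPLE_LOG = """\
192.0.2.10 - - [08/May/2002:14:01:02 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
192.0.2.10 - - [08/May/2002:14:01:02 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
192.0.2.10 - - [08/May/2002:14:01:03 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
192.0.2.10 - - [08/May/2002:14:01:03 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-" "-"
198.51.100.7 - - [08/May/2002:14:05:44 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292 "http://example.net/funny" "Mozilla/4.0 (compatible; MSIE 5.5)"
203.0.113.9 - - [08/May/2002:14:06:10 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_nimda_probe(uri):
    """True if the request URI carries one of the Nimda probe markers (case-insensitive)."""
    low = uri.lower()
    return any(marker in low for marker in NIMDA_PROBE_MARKERS)


def classify_hosts(lines, min_distinct_probes=3):
    """Map source IP -> set of distinct probe URIs, keeping only hosts that look worm-driven.

    One probe-shaped GET proves nothing (a user can be tricked into sending it);
    Nimda fires a burst of many distinct traversal variants at each target, so a
    host is flagged only once it has issued several different probe URIs. The
    threshold is an assumed heuristic, not evidence of infection.
    """
    probes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and is_nimda_probe(rec["uri"]):
            probes[rec["ip"]].add(rec["uri"])
    return {ip: uris for ip, uris in probes.items() if len(uris) >= min_distinct_probes}


if __name__ == "__main__":
    for ip, uris in classify_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(uris)} distinct Nimda-style probes")
```

Run against the constructed sample, only 192.0.2.10 is reported; 198.51.100.7 sent one probe-shaped request (a plausible tricked click) and is not. Even the flagged host is only a candidate for a private notification to the owner and upstream, which is the "right thing" the post describes, not a justification for publication.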

----- Original Message -----
From: "Healy, S. S., CTM2" <sshealy () nsgasg navy mil>
To: <vuln-dev () securityfocus com>; <dufresne () winternet com>
Sent: Wednesday, May 08, 2002 7:01 AM
Subject: RE: Publishing Nimda Logs


I'm just waiting for the day where a sysadmin gets fed up with being scanned
by NIMDA and rewrites NIMDA to start patching the systems it infects.

What would you call such a beast, a retro-virus or an anti-virus virus?

-Steve-

-----Original Message-----
From: Ron DuFresne [mailto:dufresne () winternet com]
Sent: Tuesday, May 07, 2002 6:48 PM
To: Chip McClure
Cc: Deus, Attonbitus; vuln-dev () securityfocus com
Subject: Re: Publishing Nimda Logs

I've also pretty much given up on trying to clue folks to nimda issues
they still have, same with code red variants which are still plentiful.
I've started to blackhole whole IP blocks due to this problem.  Some
companies, even when notified of their systems compromise and their
being used to further attack other systems don't even take the time to
either investigate or repair such systems.  We've taken to having to
block the whole netspace for many sites, such as the City of Ashland in
Oregon, (NETBLK-SPRINT-D00150-2) SPRINT-D00150-2 208.1.80.0 -
208.1.83.255, whose systems are so infested with code-red and nimda
variants and who fail as well as Sprint, their upstream provider, in
taking any action about their systems attacks on others on the Internet
infamous highway.   We tried to actually call and talk to their techs and
were rudely hung up on, this after over 6 months of notifications to them
and their upstream ISP Sprint.  Although Jose Nazario does mention these
systems can be 0w3d after a publication of IP's of infected systems, I'm
at this point not caring if they get taken.  They are a pain and further
spreading their problem as it is.  I suspect many of these systems are at
least partially 0w3d and used as DDOS mechanisms already.  The hall of
shame list should include the ISPs in question too, the upstreams have
been notified as well as the direct offender, most many times over many
months.  Nothing else has worked...

Thanks,

Ron DuFresne


