Full Disclosure mailing list archives

Slapper worm redux;


From: nick () virus-l demon co uk (Nick FitzGerald)
Date: Wed, 25 Sep 2002 20:02:38 +1200

Mark Renouf <mark () tweakt net> replied to Ron DuFresne:

> > the second worm. "It was significant that source code for the original
> > Slapper was distributed within the computer underground immediately after
> > the worm was detected in the wild," he said.

["he" is David Morgan of ISS]

> Uhhh... didn't the worm distribute its own source code?

Yep.

_But_ that does not mean that the further distribution of its source 
code did not further contribute to the likelihood of new variants 
appearing.

The biggest "flaw" in the original story (as quoted by Ron DuFresne)
is not this, _but_ that at least two significant variants were
spotted over the weekend following the worm's release.

There is a special kind of short-sighted, close-minded "openness is 
always good" bigotry that goes into the belief-set that may have 
prompted Mark's comment.  Often the further _and largely 
uncontrolled_ distribution of malicious code is actually the source 
of future variants.  "Open" and "so open your mind falls out" need 
not be the same thing -- sadly, in many proponents of the "full 
disclosure" mind-set, such obvious issues are never fully realized 
(at least, not until it is too late).

Just as "fully open markets" are not "perfectly competitive" (go ask 
any _informed_ economist -- there are a few of them out there), full 
open disclosure is not always the best security approach in the real 
world.

You don't agree -- fine, but please don't expose your ignorance by 
trying to explain to me why I am wrong...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854