Full Disclosure mailing list archives
RE: [inbox] Re: Fwd: Re: Administrivia: Binary Executables w/o Source
From: "Jason Coombs" <jasonc () science org>
Date: Thu, 21 Aug 2003 11:30:06 -1000
Nick FitzGerald came to his senses and removed me from the pedestal he had placed me on, and then launched into a well-written barrage of fact, beginning thus:
> > I agree completely. The sobig spam is valuable -- it shows us who we should not trust to operate a computer.
>
> _If_ you know what to take from the headers _AND_ have omniscient access to the mythical IP-to-user mapping address list...
Ah, but Nick, I *DO* have omniscient access to the non-mythical IP-to-user mapping list -- and so do you. How many FD subscribers post to the list from the ISP "NetZero/United Online/untd.com" out of Honolulu, Hawaii? I can assure you that I am the only one.

Received: from smtp04.lax.untd.com (outbound28-2.lax.untd.com [64.136.28.160])
    by netsys.com (8.11.6p2/8.11.6) with SMTP id h7KJJA401175
    for <full-disclosure () lists netsys com>; Wed, 20 Aug 2003 15:19:10 -0400 (EDT)
Received: from dialup-67.30.168.213.dial1.honolulu1.level3.net (HELO win2kdev) (67.30.168.213)
    by smtp04.lax.untd.com with SMTP; 20 Aug 2003 19:19:08 -0000

Likewise, you are quite possibly the only person who posts from CLEAR Net Mail, New Zealand. At least while using your mobile device...

From: Nick FitzGerald <nick () virus-l demon co uk>
Received: from smtp2.clear.net.nz (smtp2.clear.net.nz [203.97.37.27])
    by netsys.com (8.11.6p2/8.11.6) with ESMTP id h7LDigC13293
    for <full-disclosure () lists netsys com>; Thu, 21 Aug 2003 09:44:42 -0400 (EDT)
Received: from mobilenick (218-101-96-116.dialup.clear.net.nz [218.101.96.116])
    by smtp2.clear.net.nz (CLEAR Net Mail) with ESMTP id <0HJZ0009D26ETO () smtp2 clear net nz>
    for full-disclosure () lists netsys com; Fri, 22 Aug 2003 01:44:41 +1200 (NZST)

I appreciate your attention to detail, but the relevant detail you missed was my conclusion, a witty challenge to Len Rose to stop concealing the truth and give us full disclosure:
> it's the least he could do after intentionally covering up for these people.
Humor was the detail you missed, and a strict interpretation of the empirical evidence of the design of SoBig just wasn't very funny. I did get a private "Hah!" e-mail out of Len, which revealed to me the IP address, OS, mail transfer agent and patch level, and mail user agent he was using at the time, which allowed me to launch an attack against his computer and its surrounding network, which turned out to be the same network used by the FD server itself. I noted that the patch level of my ISP's mail transfer agent is lower than that of FD's and I was appropriately humbled.

Return-Path: <len () netsys com>
    by helsinki.west-network.net (8.11.6/8.11.6) with ESMTP id h7KLIox30956
    for <jasonc () science org>; Wed, 20 Aug 2003 17:18:50 -0400
Received: (from len@localhost)
    by netsys.com (8.11.6p2/8.11.6) id h7KLDU105559
    for jasonc () science org; Wed, 20 Aug 2003 17:13:30 -0400 (EDT)
Date: Wed, 20 Aug 2003 17:13:26 -0400
User-Agent: Mutt/1.4i

Thor Larholm then came up with a very good idea: to post a Web-based full-disclosure archive of everything received, not just everything that ends up distributed to the list. The potential forensic value of Thor's suggestion is staggering. Thor Larholm wrote:
> In that case, I would prefer if Len put up an archive of all the virus mails sent to FD so everybody on the list could have fun analyzing it. Couple it with the archives of normal posts and some regging+grep'ing and you will be bound to find correlations between posting IP addresses.
Nick, I truly did not deserve to be on your pedestal, anyway, so this has all been very constructive. It's important that we remember to laugh a little, especially at ourselves. The funniest thing I've seen in a long time is the direct relationship between Symantec's stock price (SYMC) and the release of successful worms/virii... Antivirus software vendors may not be paying the authors of malware directly, but it sure looks like a good business to write and release malware in order to manipulate the market price of certain A/V vendors' stock. You gotta love the free market...

Sincerely,

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Nick FitzGerald
Sent: Thursday, August 21, 2003 3:45 AM
To: full-disclosure () lists netsys com
Subject: RE: [inbox] Re: Fwd: Re: [Full-disclosure] Administrivia: Binary Executables w/o Source

"Jason Coombs" <jasonc () science org>, whose input is usually intelligent, considered and well-reasoned, chose to fall from his pedestal thus:
...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
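The header correlation the post leans on (reading the originating hop out of a chain of Received: lines and grouping posts by the ISP relay that accepted them from the dial-up client) as an added Python example; it is not part of the original message. The sample messages are constructed from the two relay chains quoted above with the "for <...>" clauses dropped, and grouping by the accepting relay minus its host label is a heuristic of mine, not anything the post specifies.

```python
import re
from collections import defaultdict
from email import message_from_string

# Constructed samples: the two relay chains quoted in the post, as header-only
# messages (the "for <...>" clauses are omitted; nothing else is changed).
SAMPLE_MESSAGES = [
"""Received: from smtp04.lax.untd.com (outbound28-2.lax.untd.com [64.136.28.160])
    by netsys.com (8.11.6p2/8.11.6) with SMTP id h7KJJA401175;
    Wed, 20 Aug 2003 15:19:10 -0400 (EDT)
Received: from dialup-67.30.168.213.dial1.honolulu1.level3.net (HELO win2kdev) (67.30.168.213)
    by smtp04.lax.untd.com with SMTP; 20 Aug 2003 19:19:08 -0000
""",
"""Received: from smtp2.clear.net.nz (smtp2.clear.net.nz [203.97.37.27])
    by netsys.com (8.11.6p2/8.11.6) with ESMTP id h7LDigC13293;
    Thu, 21 Aug 2003 09:44:42 -0400 (EDT)
Received: from mobilenick (218-101-96-116.dialup.clear.net.nz [218.101.96.116])
    by smtp2.clear.net.nz (CLEAR Net Mail) with ESMTP id <0HJZ0009D26ETO@smtp2.clear.net.nz>;
    Fri, 22 Aug 2003 01:44:41 +1200 (NZST)
""",
]
# "from <claimed> <details> by <relay>"; details may be absent on bare hops.
HOP_RE = re.compile(r'from\s+(\S+)(?:\s+(.*?))?\s+by\s+(\S+)', re.S)
IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')

def parse_hops(raw):
    """Received hops, most recent first; values keep their folding, so re.S spans lines."""
    hops = []
    for rcvd in message_from_string(raw).get_all('Received', []):
        m = HOP_RE.search(rcvd)
        if not m:
            continue                      # non-standard hop: skip rather than guess
        claimed, detail, relay = m.group(1), m.group(2) or '', m.group(3)
        ip = IP_RE.search(detail) or IP_RE.search(claimed)   # rDNS/IP before HELO name
        hops.append({'claimed': claimed, 'ip': ip.group(1) if ip else None,
                     'relay': relay.rstrip(';'), 'date': rcvd.rsplit(';', 1)[-1].strip()})
    return hops

def origin(raw):
    """Oldest hop: where the poster's ISP relay accepted the message from the client."""
    hops = parse_hops(raw)
    return hops[-1] if hops else None

def correlate(raws):
    """Group posts by accepting relay minus its host label (heuristic ISP key)."""
    groups = defaultdict(list)
    for raw in raws:
        o = origin(raw)
        if o:
            groups[o['relay'].split('.', 1)[-1]].append((o['ip'], o['claimed']))
    return dict(groups)
```

Only the hop added by a relay you trust (here the list server and the ISP's outbound host) is reliable; a sender can forge any Received: line below that point, so the oldest hop is evidence about the ISP relay, not proof of the client.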