Full Disclosure mailing list archives
Re: MyDoom.b samples taken down
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 02 Feb 2004 12:59:40 +1300
Kurt Weiske <kweiske () kataan org> wrote:
> > I know most of you will not believe this because you are so stupid you already believe that live virus samples are _just_ information and therefore _should_ be subject to "full disclosure" (this is a special form of ignorance that very little empirical evidence seems able to budge...)
>
> Before I make a judgement here, are you against publishing the virus in executable form that could be accidentally launched, or against publishing the virus in any form?
Both. The problem is "publishing". Because most users insist on relying on known virus scanning methods, rather than any of the sensible approaches to "protecting" their computers, publishing virus code in any form simply leads to more "new" viruses. Most viruses are relatively minor "copy and tweak" variations on already existing ones, which explains a large chunk of whatever effectiveness you see in the current heuristic and "generic" detection methods used in popular known virus scanners; however, those approaches are far from perfect. Thus, making more virus code available today will result in more new (i.e. "not initially detected") viruses, which means "the virus problem" will continue. If most folk actually used sensible code integrity mechanisms, I would not especially care about publication, as it would be irrelevant to the effect _on the user_. (I would probably prefer that such code not be published, as why focus on such negative things when there is so much good that software development talent could be turned to, but those are different issues arising from different dynamics, and ones we do not face today...)
> If the latter, then perhaps you might find other mailing lists with a more sympathetic audience. If the former, after consideration, I agree. Handling a live virus is akin to handling their real-world counterparts, and having some protection against accidentally launching it on a production system is a Good Thing. I've renamed mine to a non-executable extension, and they're off my production boxes.
You are clearly not aware that simply renaming to a "non-executable extension" may not be enough...

And, as for your suggestion that virus code "should" be acceptable to this list, I'll point out there has been nothing new in viruses since Fred Cohen wrote his thesis. All actual "developments" we have seen implemented in viruses were foreshadowed in his theoretical work. Also, as a general pedagogical position, it is better to understand the underlying theory and methods of a discipline rather than a few of its specifics. We don't teach engineers how to build bridges by just sending them to study the Sydney Harbour Bridge, the Golden Gate Bridge and Tower Bridge. We teach them the theories underlying the choice of design types, materials, processes and so on necessary to be able to design _any_ safe bridge. Thus, knowledge of the specific is not that critical... Well, unless your bridge falls down or you face an actual outbreak of the virus, and then we tend to rely on the acknowledged experts to provide the analysis and solution.

So, in a world where folk insist on relying on theoretically and practically inadequate measures to "protect" them from viruses, and where new viruses are thus trivially derived from existing ones, I strongly object to all publication of detailed virus code.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: MyDoom.b samples taken down Mike (Jan 31)
- RE: MyDoom.b samples taken down Frank Knobbe (Jan 31)
- Re: MyDoom.b samples taken down Kurt Weiske (Jan 31)
- Re: MyDoom.b samples taken down Nick FitzGerald (Jan 31)
- Re: MyDoom.b samples taken down Kurt Weiske (Jan 31)
- Re: MyDoom.b samples taken down Nick FitzGerald (Feb 01)
- Re: MyDoom.b samples taken down Ed Carp (Jan 31)
- Re: MyDoom.b samples taken down Nick FitzGerald (Feb 01)
- Re: MyDoom.b samples taken down Valdis . Kletnieks (Feb 01)
- Re: MyDoom.b samples taken down Paul Schmehl (Feb 01)
- Re: MyDoom.b samples taken down Valdis . Kletnieks (Feb 01)
- Re: MyDoom.b samples taken down Nick FitzGerald (Feb 01)
- Re: MyDoom.b samples taken down Nick FitzGerald (Jan 31)
- Re: MyDoom.b samples taken down Nick FitzGerald (Feb 01)
- Re: MyDoom.b samples taken down Nick FitzGerald (Feb 01)
- old bug - new wired Papp Geza (Feb 01)
- Re: MyDoom.b samples taken down Kurt Weiske (Jan 31)