funsec mailing list archives

Re: So, did the BBC cross the line?


From: "Alex Eckelberry" <AlexE () sunbelt-software com>
Date: Sat, 14 Mar 2009 16:54:05 -0400

What about pollution and disruption of a botnet, be it via direct
participation, or outside measures like predictive DNS registration?
Where does mitigation end?

I would suggest that there is a world of difference between using a
botnet to send spam, even for experimental purposes, or to change user
settings, and what you're discussing here.

The line I draw is actually clicking on buttons in the botnet, playing
with it like it's some kind of cat or something.  And then doing
anything with the botnet to do something on user systems.

I hope this line is clear.  If it's not, I'm not sure what else to add. 

Alex

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of nick hatch
Sent: Saturday, March 14, 2009 4:22 PM
To: funsec
Subject: Re: [funsec] So, did the BBC cross the line?

On Sat, Mar 14, 2009 at 10:02 AM, Alex Eckelberry
<AlexE () sunbelt-software com> wrote:

        But malware researchers routinely deal with botnets for analysis
        purposes.  It would be considered a high crime indeed to allow a
        spambot to actually send spam to the outside world, even for
        "testing" purposes.  And, shutting down a botnet yourself, even
        with the best intentions, is simply not a good idea.  You don't
        know what accidental harm you may cause.  You also don't really
        know what's on the user's system that will simply restart the
        whole process.

        I've personally come across dozens of these things, as many of
        you have.  I know my personal feeling is always to get the hell
        out of there.  We need to know what we need to know in terms of
        mitigation, etc. but you just don't mess with these things.  You
        don't get involved, because it's not only wrong, there are too
        many unintended consequences that can occur.  You're playing with
        fire.  Report it to the ISP, report it to the relevant
        authorities, but don't play with live ammo like this.

I'm having a hard time following your argument. Are you saying "leave
this to the experts"? This sounds 

Is active enumeration of the number of clients in the Storm botnet (a la
Holz, Steiner et al) wrong?

What about pollution and disruption of a botnet, be it via direct
participation, or outside measures like predictive DNS registration?
Where does mitigation end?

I'm honestly curious: you sound very passionate that there is a clear
ethical line here somewhere, and I'd hate to miss exactly where you
believe it is.

-Nick

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.