Security Incidents mailing list archives

RE: disinfection tool


From: Rob McCauley <robmccau () RadOnc Duke EDU>
Date: Mon, 6 Aug 2001 15:13:32 -0400 (EDT)


> Perhaps a very controversial viewpoint is using the backdoor installed by the
> copycat code red worm to patch these systems.  The majority of sysadmins who
> by now haven't patched (or unmapped the script mappings from) their systems
> are mostly ignorant anyway.  Perhaps a couple of honeypot systems built to
> automatically connect back, patch and reboot.

This has been discussed before and remains a very dangerous, in addition
to very controversial, idea.  We really need to stick to a general
principle of "If it's not yours, don't touch."  In some jurisdictions,
what you propose is, I suspect, illegal[0].  Imagine the legal mess you'd
be in if you turned loose a worm which then acted on your behalf in nearly
every jurisdiction on the planet.  In some cases, the system is doing
something important and rebooting it may cause harm to people or
property.  Yes, certainly an unmaintained, hacked system is a danger to
people or property, but if you cause the harm by causing the reboot, you
could and should be held liable.  By all means, notify the system owner
and their upstream provider of the compromised system.

> If we live in an ideal world, we'd eventually get the idiots
> to listen.  However, I find that unlikely.

I think you're correct.  There will always be someone who doesn't secure
their systems.  Put another way in a much more sensitive context, "There's
always some son of a bitch who doesn't get the message!"[1]  Still, that's
not justification for me to assume the risk and liability of managing
security on a system without knowledge of its intended use or
authorization of any kind.  It's much simpler, safer, and won't get you
fired to secure your systems, accepting that some people out there simply
won't ever do so.  Further, this could do more harm than good if we
convert the population of people who think about security now and again,
but never bother to fix it, into people who never think about it at all
because SomeInternetSecurityGroup will create a patch worm and do it for
them.  No, I think it far better for responsibility to remain on the
system owner.  I'm certainly not adopting the risk for them.  I'll
certainly not be happy if you penetrate my systems for any reason, and
I'll have just as much work to do to clean up the mess.  I wouldn't
believe your good intentions any more than I'd believe the words on a
defaced web page which say "We didn't damage anything, we just moved your
web content to /foo."

Rob

[0] - There are proposed laws before the U.S. Congress which would make it
      illegal in some contexts.

[1] - JFK apparently said this during the Cuban missile crisis when a US
      plane crossed into USSR airspace, a time when that was a Really Bad
      Idea.  Classic quote, that one.  Simple, short, and undeniably true.

-- 
------------------------------------------------------------------------------
Rob McCauley
Radiation Oncology
Duke University Medical Center

On Mon, 6 Aug 2001, Mark Ng wrote:
> The only issue that creates is the problem of transparent proxies.  Not sure
> how you'd solve that one.
>
> This may eventually be the only way of actually getting rid of code red.
>
> Mark

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com