RE: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

["Everhart, Glenn (FUSA)" <GlennEverhart () FirstUSA com>]

The legalities trail the technical realities here.

Consider that if someone starts throwing punches at you, you are
generally allowed to throw punches back and are not required merely
to attempt to block the punches thrown.

We should think about the poor security of platforms out there,
the lack of proper administration of many (most?) of them, and
realize that we are dealing with attacking engines, not attacking
people. Where the attacker is a person, as the law has generally
been set up to assume, then response directed at that person only
is the appropriate model. Here, the attacker is an autonomous
agent.

Probably the closest analogue in the non-cyber world is a disease.
How do we deal with an epidemic? At least some of the time, massive
and compulsory vaccination, and compulsory isolation of the infected,
has been done to contain such events. A second analogue would be what
happens when some new plant or animal gets introduced where it has
no natural enemies, and new predators must be brought in as well to
control it.

We should consider that this may be a decent model to think about in
this case. Yes, the counter-virus invades vulnerable machines. Note
that in an epidemic situation, those who have already been treated (or
who may have recovered and are naturally immune) are not vaccinated.
Note too that in epidemic situations a few folks get the disease from
the vaccine. Here we are dealing with something that seems similar
to a public health problem, caused by infectious agents, and a population
which is overly susceptible to them.

What is the best way to deal with such?

I would love to see rules in place that imposed costs on the makers of the
vulnerabilities where they repeatedly designed in security-reckless ways.
Machines don't have the same rights as people: it is not contrary to
legal custom to require they be designed safely and that failure to
follow safe design and construction practice leads to product liability.
Such liability must be crafted so that it takes hold when a program
is sold or is represented as ready for mass use; that is where most
of the "public health" danger exists.

However the population of systems already out there needs to be dealt with.
A remedy should be crafted which will, like a vaccine, increase the strength
of the system being immunized, and it should not impede later
immunization against other problems nor damage too many vulnerable systems
with unusual configurations.

In medicine, there is a known group of workers who know the subject and
can devise vaccines, which works with government agencies which decide when
they get released.

In computer security, it appears that those able to devise remedies are much
more widely scattered and largely self-taught (and often superbly well
taught
in this way). Government is not well coupled in this space, so that the
quiet
interaction in the background with expert labs is likely not to be very
effective here.

I view it as entirely appropriate for someone to come up with a proposal and
to have it discussed openly among people who can examine it. I consider it a
trial formula for a vaccine or antibiotic, suitable for experimentation in
controlled circumstances, and well suited for discussion. 

A list like this can make a positive contribution by working out design
principles
for how to deal with issues like this best, starting with some of the basic
design principles and proceeding to the details. This is not well served by
piling on the initial discussor and telling him "this is illegal". We need
to
discuss what the law should be and needs to be, illuminated by understanding
the technology and what it can and cannot do, and work out some principles
under which it may be decided to release a vaccine or a predator which can
then
be legislated. It may well be that some systems should be preemptively
strengthened
en masse, given the availability of a well designed strengthener designed
and known openly.

People like those on this list should be taking part in such decisions,
along
with the government, and not leaving this work in the hands only of vendors
who made the vulnerabilities in the first place and who may not be inclined
to do any more than address published holes. 

Solutions should be general in nature, as much as possible, should be
insensitive
to details of configuration (to do as little collateral damage as possible)
(which
will mean using published interfaces in likely practice), and need to be
well
discussed and well tested before use in the wild.

This is enough for one message.

Glenn C. Everhart
(everhart () gce com)
 



-----Original Message-----
From: John R. Morris [mailto:jrmorris () lycurgus nerdality com]
Sent: Thursday, September 06, 2001 9:08 PM
To: 'Jay D. Dyson'; 'Vuln-Dev List'
Subject: RE: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)


I can't believe anyone honestly considers a "counter-attack" worm the same
as self-defense. Deadly force, or otherwise normally illegal amounts of
force, is justified only in defense of your life, or the lives of others,
your physical well-being, or the physical well-being of others. Defense is
something done to prevent something from happening, retaliation is something
\[...]



**********************************************************************
This transmission may contain information that is privileged, confidential and/or exempt from disclosure under 
applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, 
distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If 
you received this transmission in error, please immediately contact the sender and destroy the material in its 
entirety, whether in electronic or hard copy format. Thank you
**********************************************************************