Vulnerability Development mailing list archives

RE: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)


From: "t. patrick o'hara" <tpohara () bigfoot com>
Date: Thu, 6 Sep 2001 09:18:09 -0700

This discussion divides into two parts: Code Green type active scanners and
CRClean type passive/response.

Most of the "not on my box" group presume that all are bad.

I agree that the active approach was not thought out.  The author might have
been better served to float the idea here before releasing the beta (he
would have found out that CRClean was about to come out).  Any ACTIVE scan
IS an attack.

But those of you who apply this to all responses must remember that in
CRClean type response, YOUR BOX must be attacking me FIRST!  Your rights
have just gone out the window.  Period.  If you are such a good admin, you
should already have caught the traffic and shut the dog down.  Period.
Especially true after EVERYONE in the security world knows there is a major
problem.  If your company has such lax control of its boxes that they can
attack me, then you need to have someone else come in and provide a serious
security audit and policy upgrade.

Stan got the point backwards: the mass of users who have no clue and no
corporate admins to "guide" them are the victims of your hands off policy.
Maybe none of you moonlight on boxes outside of your corporate worlds, but I
do and the desire for an automatic fix is immense.

Would I want someone ACTIVELY doing my personal network?  No.  But if I'm
infected and someone responds to my attack by trying to fix it without
hiding it, I welcome the help.  Remember, the infection has to have already
gotten past my defenses and I have somehow missed it.  The person is at
least trying to do me a favor.  For those people who have no firewalls and
think snort is something an animal does, a peer reviewed passive is the
right answer.

IMHO.

T. Patrick O'Hara
(contractor, client not disclosed per client's NDA)
