Re: Slightly OT: Worms: Exploit Plug-ins and Benevolent Worms
- To: Shlomi Fish <shlomif(at-nospam)techst02.technion.ac.il>
- Subject: Re: Slightly OT: Worms: Exploit Plug-ins and Benevolent Worms
- From: Tzafrir Cohen <tzafrir(at-nospam)technion.ac.il>
- Date: Tue, 7 Aug 2001 11:22:40 +0300 (IDT)
- cc: linux-il(at-nospam)linux.org.il
- Delivered-To: linux.org.il-linux-il@linux.org.il
- In-Reply-To: <Pine.GSO.4.33.0108061640280.24455-100000@techst02.technion.ac.il>
- Reply-To: Tzafrir Cohen <tzafrir(at-nospam)technion.ac.il>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
Hi
On Mon, 6 Aug 2001, Shlomi Fish wrote:
>
> Just a thought I had in mind. It is probably a matter of time before some
> smart hacker will write a worm that can be linked with the code or the
> specification of various exploits. That way, this worm can propagate into
> many computers, and in a way live on, assuming its source code is
> available.
>
> Now, I know there are differences of architectures and systems and that
> not all computers are affected by the same worm (unless it compiles itself
> or is written in perl or something like that), but it is still a very big
> hazard.
Actually I believe that root-kits are generally available, and it is
generally not a problem to add them to an exploit code (you get the
exploit code to download the root kit from somewhere etc.). I believe that
the system works well enough as it is, and has a quick enough response
time :-(
>
> What could be done to solve it, is to make the worm a benevolent one. I.e:
> one that closes the exploits as soon as it infiltrated the computer. This
> is still illegal according to the law, but it's probably the best solution
> yet. The worm should also make the existence of the potential exploit
> known to the administrator, so he can fix it.
There are many arguments against using such methods. Read, for instance,
http://www.thestandard.com/article/0,1902,18348,00.html
>
> One could write an anti-Code-Red-II worm and put its source on USENET. He
> should probably do it anonymously.
And then another one could write an anti-CRII worm but with a small
backdoor. He may even publish sources (and nobody will notice that the
binaries he published were not exactly compiled from those sources).
No. This is not a reliable software distribution mechanism.
A better solution is with better mechanisms to propagate security patches.
Debian has such a mechanism working quite nicely for some time. Other
linux distros are following.
Microsoft is indeed lagging here (but have you noticed that internet
explorer checks MS's updates site for critical updates on each
invocation? If only their updates server wasn't crackable ;-))
>
> In any case, this fiasco raises some issues about the importance of
> writing good code, and code auditing etc. My personal program (Freecell
> Solver, which I mentioned quite a few times now) used to have quite a lot
> of memory leaks and bugs in it. After I received some input confirming it,
> and having learnt some tools to help me analyze it (and a lot of testing),
> I managed to remove most of them. AFAIK, Freecell Solver 1.6.4, which is
> the current stable version is bug-free, but I can never be certain.
On which internet exactly do you want to debug your worm?
Have you got a couple of spare internets?
What is the implication of such a bug in your code on the test internet?
Release-Early-Release-Often is not always applicable.
(I read somewhere that one of the first network worms was a failed
attempt at distributing a patch. I don't remember where.)
--
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir