Killing Others' Malicious Processes
Roland Piquepaille writes "This opinion is not mine, but the one of Tim Mullen, from SecurityFocus Online. In this story, he expresses some strong ideas regarding systems infected by worms. "I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network. I've even written code to demonstrate the process. Though the initial news coverage of the concept was grossly inaccurate in conveying my ideas, it has stirred up a constructive dialog. I knew my idea was controversial, but I was wrong about something -- I figured everyone in the security biz would "get it" and that the hard part would be convincing everyone else that if they can't or won't secure their machines, we as the defenders would have the right to terminate the process attacking us. It has turned out to be the opposite." The author then looks at the criticisms about this strikeback idea raised by some security experts -- to dismiss them of course. Check this column for a summary or read the original story for more details."
RIAA: Great. Now, who's running Kazaa?
yet again under another pretense.
This will be abused like all the other technology laws.
You should not interact with others' machines:
Let them fix their worm problems themselves or they may not appreciate it.
It is normal and nice to tell them they have a problem but your work stops here!
Trolling using another account since 2005.
I'd rather see a set of worms released that infected machines on the scale of say Code Red or Nimda - but actually patched security holes, and or closed all the ports on the host machine. If the ports already closed by the machine were in actual use, the user would have the option to open the ones needed manually.
... will land you in jail real fast ... will have you labeled as a terrorist ... will give you lots of time to think your actions over ... will make you very old before you see the light again
Exactly who decides what constitutes "relentlessly attacking your network"?
A simple NMAP scan? What about Netbios scans? @Home scans for open NNTP servers... etc etc..
Trolling is a art,
There is a good justification in Mullen's letter as to why this proposal is different from the RIAA's proposed attacks on computers that they suspect of hosting unauthorised copyrighted material.
The only problem with this strikeback thing is what if the machine which is infected is business-critical?
If you're going to take it on yourself to fix other people's machines, what if this causes them loss of business? And there's also varying definitions of what "strikeback" or "fixing" could mean. What if someone decides to "fix" your database server by shutting it down? Shouldn't they be held liable for the damages caused, just as someone who does that maliciously can be held liable?
There's just too many holes in this strikeback philosophy. It opens the door to tons of abuse too: "I only broke into this machine to fix it, I swear, gov'nor!"
I think it would also result in pretty dire situations when a machine equipped for strikeback mistakenly decides another machine (also strike-back-enabled) needs to be "fixed", and starts attempting to hack into it - and then the other one detects it as well, and they start concurrently trying to hack into each other... probably saturating the network with crap on the way...
Daniel
Carpe Diem
I fully agree with his idea of stopping an attacking process if the admin/owner of the machine is unwilling to do anything about it.
However, like anything else someone is going to push this to limit and abuse it.
No no no, you have it all wrong! This proposition could see all Windows boxes out of action, as Windows is malicious code!
At least they can act to contain the spread of a virus, but not by killing processes on customer PCs. They can, however, disable service, whether it be a cable, *DSL, or dialup modem account. Shutting off service and forcing customers to take measures to clean their infected computers is allowed by the acceptable use, terms of service, and other policies which protect the ISP's rights to take action.
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one.
This is an interesting point, because it shows the essential flaw in this logic. In all of these examples, who is acting? "The authorities", namely, the government. In this absurd "strikeback" proposal, who is acting? Vigilante sysadmins. If anything, his examples prove that we need a national cybersecurity enforcement agency, which is responsible for taking machines offline when they get virus-infected. Clearly, this is a bad idea, and that's why strikeback will never work.
Next you will be telling us that it's ok for government A to overthrow government B if it thinks B is destabilizing to it.
HHOS
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
So, if they have no rights to the process, there is no infringement against them when we neutralize it. If someone wants to claim that their rights were violated by our taking out the attacking process, then they should be held accountable for the actions of the process from its inception. They can't have it both ways.
That, I think, is a good point. The solution, however, is not to make the counterattack legal, thus continuing to absolve people of responsibility, but to make the owners of the systems legally responsible for their failure to secure their systems. If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.
You say you can't afford to pay? Tough. Should have thought of that before you put your insecure system online. You say it's the fault of the manufacturer for selling the insecure system in the first place? Take them to court. Too expensive? Well, if their system is too expensive to use, then people won't use it.
Best Slashdot Co
It's next to impossible to determine what defines an attack or not... and I don't want people other than me shutting down my webserver thank you very much.
Wouldn't it be nice if there were programs that could automatically determine what's a worm or virus, and then attack the process from within the machine? No need for an outside user, just have the system kill its own rogue process as soon as it starts. Oh, it does exist. It's called Anti-Virus...
In his Dec 15th Cryptogram Bruce Schneier provides his argument against counter-attack, and there are some interesting reader responses to this in today's issue.
Can't you see that everyone is buying station wagons?
I think this guy lives in the world of theory, where everything works "in theory".
I don't want some idiot out in the world thinking he knows more about my system than I do going in and thinking he's doing everyone a favor -- when he's actually doing damage to my system. Intentions don't mean a crock of dog doo.
If my system is spewing garbage, then it should be the right of the ISP to pull the plug until I get it fixed. That's the way these things should work.
But there's no way I want fools poking into my computer, no matter what.
Sometimes it's best to just let stupid people be stupid.
I read this the other day when it was posted on "The Register" and I didn't like it then and I don't like it now.
Why?
Well it all boils down to an attempt to legitimise hacking. If it was allowed that we could "strikeback" (which is just a cute word for hack) and disable the attacking process, then where do we draw the line? I think we can all agree on the extremes, but let's consider another example.
What if a website was posted on slashdot, would all of the rampaging geeks be classed as attacking processes and therefore be liable to be struck back and eliminated? I am certain that the website administrator would consider the massive increase in traffic to be an "attack" as their poor server disappears in smoke.
Personally if you are likely to be attacked get better security. You can't enter somebody's house just to close an open window.
Patriotism is the opium of the masses
Read about it here, including a nice set of pros and cons here
There are two independent issues: One is an ethical issue. Is it morally right to attack (it is attacking, irrespective of defensive or offensive reasons) somebody else's machine?
The second one is a legal issue. Does the attacked person (both sides) have any legal recourse? Do they have any credible claims for damage?
Vigilante justice, at best is stupid and at worst, can lead to a more dangerous society than one without.
What we have here is no accountability and no responsibility. A ship's Master (Captain) is responsible and accountable for the ship in his charge and the actions of his crew. The owners, or administrators should also be responsible and accountable for the machines and network in their charge. Hold them to account for their malicious machines - otherwise the problem will just get worse. Who then determines a malicious process on my network? The RIAA and other large political contributors? Remember, in the U.S. at least, money controls everything. Those with it get what they want and those without it suffer.
if you're that "good" and can kill a process on someone else's network, how about you use that excellent knowledge and contact the owner of the machine?
hacking (don't paint it any other way, you're breaking into someone's system) someone else's machine is not the answer. the system is not any more secure after you've killed its process, it is still wormed, and the most important thing is that the admin of that machine hasn't learned a thing!
but then what do i know, i'm not a security expert...
I'm sure some people could draw a vague parallel with protecting your home using lethal force here... but I don't buy it. I certainly believe if a hacker is inside your system you have every right to st0mp his ass out of there by whatever means necessary, but if your neighbor is coming round ten times a day knocking on your door you call the cops and get a restraining order taken out - you don't go over there and shoot him.
I don't think it's ever right to trespass, whether it's for the "common good" or not. If it's not yours, stay clear. If a worm is hammering your system, call the offending ISP. If they don't reply call their upstream provider. If they don't reply call your ISP and tell them to block it before it gets to you. If they don't reply - tough shit, get a new ISP. It's the same thing as the spam blacklists - ISPs will never learn to provide better service if people don't start voting with their wallets.
I got a sig so you would remember me.
I had a botnet using my irc server as their jumping off point. I wasn't too happy with it cause I saw an attack happen. So I went through and removed them all. I wrote up the story here if anyone wants to know how to take down a subseven network.
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
I also find out that what people think is "if you know someone hacked into my server, then it must have been you that hacked my server". And this brings up the next point, if you start hacking people's computers to stop the worms, they are going to think that it was you who unleashed the worm, it is logical, they just don't know better.
What must happen is not System Administrators "hacking" every computer in the internet infected by Code Red or Nimda. What must happen is legislation that makes every person running a computer personally responsible for the security of that same computer. If people don't secure their server they must be penalized, instead of letting us fix the problem... even if they want us to.
rm -rf /home/leia
How is this a repeat? I can't find any article like this on slashdot.
Post the link to the previous thread if you're going to state it's a repeat... That way people can actually find more relevant content if they want to...
Nick...
This guy wants to give the power to kill remote processes to everybody. Everybody includes the people that he's saying can't secure their systems to begin with. Do you want them touching your box? Didn't think so.
We should also have the right to spank other people's children if they misbehave in public.
buy using the pateNTdead PostBlock(tm, va lairIE et AL) device.
.asp on the frauduleNT stock markup "bull" again today J., as everything they're peddling, has been given to US, buy those freedom fighters over at hobbyistwhiners.org.
va.msn.?net? forget about it.
don't bet yOUR
over at va.FUDge.controll, we call 'em freedumb fairIEs. they're all on yOUR foems list buy default.
Standard Disclaimer: IANAL
Could fixing someone else's critically broken system fall under this? Especially if instead of fixing, you break it worse?
How do you get counter attack software and who's to say that software is safe?
... the attack itself.
What if the counterattack software has its own buffer overflow? Then we get a cat and mouse game of one machine simulating an attack and when the counter attack is made the attacker could send a response to force a buffer overflow making the counter attack
Is this the beginning of (or maybe the continual evolution towards) Intrusion Countermeasures Electronics - aka ICE as proposed by Gibson and others? Not to mention this idea would fall under a reactive ICE that would sense the attack and not only deny it access to your system but actively seek it out and shut down the attack (what could be called Black ICE). IMHO this is the future arms race.
Dream as if you'll live forever.
Live as if you'll die tomorrow.
~Anonymous~
We won't differentiate between malicious processes and the computers that harbor them
If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one.
In your country perhaps, but where I live not all of those suppositions are true. And here one sees an inherent problem that such a system would create - you may be operating within the legal framework of (for instance) the US, but does that give you the rights to close down a process on a machine in Iraq, or North Korea, or any other country for that matter?
A little planning goes a long way...
block that IP in your firewall.
I'm constantly getting hit from Taiwan and SE Asia so I block the whole class C; if it gets worse I go up from there. Seems to solve 99% of my problems.
"Logic dictates that anyone who opposes a bill allowing corporate entities to attack our systems should support a technique to stop worm-ridden systems from doing the same."
This is flawed logic. The correct logic flows like so: Anyone who opposes a bill allowing corporate entities to attack our systems should oppose any technique that allows any other organization or individual to do the same.
Mr. Mullen's proposal is almost identical to the proposal made by the RIAA: let someone legally crack into a computer that is being used to do inconvenient things.
While I sympathize with Mr. Mullen's intent, this approach was wrong when suggested by the RIAA and it is wrong when suggested by Mr. Mullen.
Unfortunately, the best approach I can suggest that both contains the problem (eventually) and protects everyone's privacy to the largest possible extent is to isolate the offending computer from the rest of the Internet (possibly shutting down the user's outgoing Internet feed) until that user fixes the problematic system.
Of course, the details are the killer. How is something like this accomplished quickly enough to minimize the damage done to systems receiving the barrage of data? And does a Slashdotting result in Slashdot's Internet feed being cut?
This type of problem definitely needs a solution, but vigilante attacks are not the solution.
Mullen has been stoned since day one. This whacked out idea is just another bit of proof of that.
Besides the blatant privacy issues etc. Let's assume computer A is attacking computer B with Worm1 which uses application X as its transport. The person who sees the worm attack his system immediately thinks it is Worm2 which uses application Y as its transport. So he gains access to computer A and kills application Y. So he hasn't killed the worm and he also killed an innocent application that may have been doing something very important.
It is stupid to think a random person will be able to properly fix your system. Even if he is "Skilled" enough to break in he may not understand what the system is for or what it is used for. Just because he thinks he is smart it doesn't necessarily mean he is.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
You can't kill a remote process on a host you do not have access to. What is this guy, a newbie?
Ahhh but you can, block by IP address / port number.
You can filter this out.
You can kill processes on your own host that are connected to a remote socket.
They would decide over time a set of precedents just like for defending oneself from physical attack.
If you slap me I can't just shoot you, but if you stab me: you'd better be ready.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Initially this seemed to be a good idea. I am rather aggressive in defense of my business and home networks. However, the potential for abuse is quite strong. Now a hacker could quietly infect your network, and then under the pretense of striking back, make further intrusions. This would provide a legal grey area that I don't want when it comes to penetration of my network.
Is it just me, or does Mr. Mullen's email address:
- Tim Mullen <Thor@HammerofGod.com>
make you think "insightful security professional" or 1/2(swaggering red neck cop + 31334 haxor dooood)?
By "passive strikeback", I mean a tool that does nothing more than respond to an active attacker in such a way that it turns the tables. I assume that most worms and spammer-tools are as poorly written as the buffer overruns and other assorted security holes they exploit. That being so, I would love some respectable white-hats to write open source tools which target weaknesses in the offending malware, so that when said malware comes a-knocking at my server, I might gently rip out its intestines and strangle it with its own entrails.
I'll settle for strikeback tools that do nothing more than neutralise the malware, although I'd be sorely tempted to do more in the case of spammer tools. Sending the malware into a flat spin, hang, or deadlock may be preferable to simple termination in many cases.
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
"If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one."
So much of the decision as to what constitutes "relentlessly attacking your network" comes down to timing. I see probes and scans hit my network 24x7. Most of the time, I just shake my head at the futility. I figure this is similar to spam, try enough times and you'll find someone who'll buy or in this case does not have proper security. A week or so ago, I had an important task I was trying to do while I was being scanned hard. I had just a couple of minutes to finish the task before leaving and the scan was eating up bandwidth to the extent that it was eating up part of my two minutes. This had an impact on my ability to perform my task. Does that mean I was "relentlessly attacked"? Even though most of the time I would only find it annoying and not give it much attention? I hope not. I'm not sure I'm the best person to make those decisions, and I certainly don't trust the rest of you. :-)
What a moron. Look at his picture! This must be a moron. And then his ideas! It would give basically anybody a pretense for wrecking havoc under the guise of "protection"! Amazing. What a moron. And that picture!
The same holier-than-thou attitude that exists in Police and Intelligence services towards the public exists in the so-called security professional community.
Let's say my next-door neighbor and I live in an old neighborhood with big trees. If my neighbor's tree has a disease that is affecting my tree, I do not have the right to trespass on my neighbor's property and chop down or treat his tree.
The interests of security do not give someone the right to trespass on my property without due process. If Mr. Mullen wants to get some sort of court order, fine, but he does not have the right to screw with other people's computers for some perceived security problem.
If Tim Mullen can be identified hacking into any computer I am responsible for, he will be arrested and sued for computer crimes. Whether he is wearing a "white" hat or a "black" hat is irrelevant.
Conformity is the jailer of freedom and enemy of growth. -JFK
didn't the homeland security acts make it a terrorist act to hack? so if you get caught hacking a machine, although it's attacking your network, you're screwed.....
someone should just tell him not to worry so much....... the internet is just a fad anyway.
Fear Breeds Knowledge
That's a job for law enforcement, isn't it?
If somebody robs you, you don't have the right to break into his home and beat him up etc.
You are allowed to defend your "person" if you are being attacked, and you have the right to protect your property. But, I don't think you have the right to exert revenge.
The reason for this is simple, you are not the judge & jury to know whether the worm that's attacking you was placed there deliberately by the system owner. Unless there's a pressing safety issue, by attacking his system you may be causing unjust damage to it. It goes back to vigilantism, and why that's illegal.
whose competence is at stake did you say?
I'm sorry but my brain comes with a EULA
This brain is supplied "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose and the accuracy of the information contained within it
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Having been the victim of the effects of Code Red (our Linux boxes were not affected, but the hosting facility we were in was overwhelmed with traffic from all of its unpatched IIS servers), I can certainly see the reason as to why this software was developed. Our site was inaccessible for close to half a day, because of other people's inability to keep security at the forefront of their minds. We were powerless to do anything but wait for our hosting providers to track down all of the offending servers at our location and fix them.
I remember being so angry at the time and I would have welcomed the scenario where a "strikeback" type of application would have put a stop to this problem in an automated fashion. I'm sure part of the creator's reasoning is that if people's systems are left vulnerable to various worms, then there should be no problem allowing his software to "fix" the problem. Perhaps an applicable analogy would be a fire spreading from house to house on your block and "strikeback" acting as the firemen putting a stop to it. Firemen often make a huge mess of buildings when putting out fires (cutting through walls and roofs, dousing everything with water, etc), but the ends justify the means.
On the other hand, the "strikeback" process could almost be considered like a vigilante mob, having the best of intentions, but essentially operating outside the bounds of the law. Secretly, we might root for them, but in essence we really need the police to do the job, thereby obviating the need for the vigilante mob.
In regards to the world of crimes committed against servers, I just don't know who the actual police are. So many of these attacks happen without anyone being punished. The FBI has a policy of not even spending any time investigating any computer crimes where the damages cannot be proven to exceed US $20,000. That leaves a great deal of smaller businesses / websites essentially unprotected by anything except for their own ability to manage their security efficiently.
Strikeback is just a reaction to the frustration of having to deal with all of these continuously spawning worms / attacks without anything being done to counteract them other than react after the carnage is already done. I'm not saying it's the right solution, but I certainly can see why it is here ...
...my process my choice??
The author proposes support for the concept of "no right without responsibility", a noble gesture at least. But that also means "no responsibility without right". He inadvertently offers me (as a malicious hacker) absolute indemnity from responsibility simply by abdicating my rights to the process. This would, for example, allow me to SPAM with impunity, and if anyone ever called me on it, I could just say "well, it's not my process, go ahead and kill it if you want to..."
How does an assaulted system owner know if the remote assault is coming from unauthorized worm-spawn or from an approved process actively trying to assault a remote system?
Wouldn't it be better to hold system owners responsible for the actions their system takes, with the presumption that any activity a host undertakes is either actively authorized or passively authorized through complicity?
My personal opinion, which I don't expect to carry much weight: I accept full responsibility for any action my system undertakes. You will never catch one of my systems granting a request to act as the base for a remote attack. If you do, you are welcome to ask my system to kill the process, and since I accept all responsibility for any actions my system undertakes, you can assume that my machine would not grant your request to kill the process unless it had my authorization to do so.
The thing about things we don't know is we often don't know we don't know them.
This is just a guy out looking for kicks and fun. If someone is "probing/attacking" your network thanks to a worm and you can't contact them, the solution is simple:
You simply block off their traffic.
Close your blinds, your door, or whatever real world analogy you would like to try and apply. You have the right to send the same traffic back to them, monkeyseemonkeydo, but in no way is it possible to justify altering the running of their machine. Doing so, is no better than the malicious process already causing the damage.
--- I do not moderate.
# kill every process whose ps line matches "cc" (the original was missing the pipe into awk)
for i in $(ps -eaf | egrep cc | awk '{print $2}') ; do
kill -9 $i
done
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
Well when I read the article the first time around, I was quite amazed that someone came up with such a nonsensical idea. However, I reread the article just for good measure.
The idea proposed was actually quite intriguing... it's like an analytical discussion of forward-defense of networked computer systems. Which, I finally conclude as worthy of further discussion.
Many sysadmins fail to patch their machines not mainly due to ignorance, but failing to keep abreast of the latest security news. This is where the proposed idea could actually come in handy.
A minor modification of this idea that would benefit most people would be if somehow a signed permission can be generated when a remote patch is to occur. The admin of the machine could request contact info of the fixer as well as logging the IP address and other important info.
To tell you the truth I'd rather computers under my administration be patched this way rather than defaced with shoutouts and then getting the fix via email or written on the defaced page itself.
Welley Corporation - SLM Scammers
First secure your own machine (which seems to be the primary concern for wanting to allow something like this)... Then, send the infected machine a note with instructions on how they can fix the problem.
Just because my car makes a funny klunking noise, doesn't mean I want Joe Mechanic sticking his head under my hood when I'm in the grocery store.
Scott
It would mean you could sue them. You can sue makers of any other type of product if it turns out that product is defective, why not software manufacturers?
Best Slashdot Co
One of the major arguments Mr. Mullen has for striking back is that the virus attacks are eating his bandwidth. Bandwidth is something most people can use more of.
:-)
BUT!
When I browse my tcpdumps it is evident to me that it is not only viruses that consume my precious bandwidth. These figures aren't scientific but I would guess that 40% of the attacks on my system are through netbios (I suspect these are most often real virus attacks) and another 40% are "attacks" from various distributed file-sharing services. The most commonly used port appears to be 4662.
Now I am fucking mad about that these file-sharing-kiddies are using my bandwidth to locate other file-sharing-islands. Time to strike back...!
Mullen tries to draw a few parallels:
"If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life."
These are all good examples, and it's worth pointing out that in *none* of these cases does the "victim" get any special rights. One student can't kick another out of school even if the other hasn't been vaccinated. Someone who has been bitten by a dog does not have the right to shoot the dog. If a repeat offender steals your car stereo, you have no right to lock him in your basement for the rest of his life. The government-- both executive and judicial branches, each with many oversight systems in place-- is the *only* entity with a right to do any of these things.
Why should computer worms be any different?
If someone eggs my house, I can't shoot out their tires to keep them from coming back. I report them to the police, and it's taken care of from there.
OR, if I'm in a gated neighborhood, they install a guard, and only allow residents and invited guests in.
Either you contact authorities, or you get your ISP to block the traffic (and if your ISP won't, it's time for a new one). Vigilante justice never works out in the long run.
Let the remote user do this. But warn him that he is vulnerable or has that worm or has the potential to become infected, and give some hints on how to be secure with his actual configuration (it is very easy to say "use linux" :)
In the Code Red times, there were perl/php/etc scripts to put a note on the remote user's desktop that warned about being infected. Also there are scripts that send a message to the IP block owner to warn his user or take appropriate measures.
What about vulnerabilities? Killing worms is not so different to the idea of killing vulnerabilities that make those worms succeed. Think of the thousands of clueless Windows users that share their hard drive and connect to the net, being vulnerable to a lot of worms that spread through open shares. Probably there are several scripts that put a note on the remote desktop (like the Code Red warner did before) if the user is vulnerable, but it is a bad idea to use this vulnerability to close the share, install a firewall or delete his C drive until he learns.
I'm sorry, but if I am playing loud music at 1:00 in the morning, even if this is against the law, if you break into my house to turn the music off, you _will_ be charged with breaking and entering.
The appropriate course of action would be to complain to an upstream provider, not to hack into their systems.
Questions:
1. How would you protect yourself from damage claims coming from the owner of the attacking machine?
2. Who will determine that the process running on that other machine is, beyond doubt, malicious code? Can you make that call independent of others? If so, see the first question.
The sad part is that some people actual think this is a good idea.
What part of strikeback is going to prevent the offending system from being re-infected and attacking you again?
My two cents:
If you THINK a system is attacking you, then you report it to your ISP. Your ISP does its job and contacts the "attacker's" ISP, who then checks to see if the offending box is violating the terms of service. If so, the system should be removed from the network and the owner properly notified.
If the issue doesn't get resolved to your satisfaction, then you SUE your ISP for not holding up their end of the contract to provide you with the bandwidth and service that you paid for.
You will probably lose because your own terms of service provide no guarantee on bandwidth or service. So now you complain to the BBB and switch to a new ISP.
Tim Mullen obviously has no clue. Let us draw an analogy with the public phone system.
Your telephone constantly gets calls from one particular number. All hours of the day and night. What do you do (other than turn off the ringer)? You call the phone company and report the problem. The phone company resolves the issue.
-SignalFreq
Back in the Nimda/CodeRed days, a friend of mine was getting really sick of all the hits on his Apache server. He wrote a program to parse the log every few hours and then use the information to connect back to the attacker. He didn't do anything like stopping the process, but he did upload an app that would notify the user of what was wrong with their system and how to fix it. I think he managed to deliver the message to over a hundred machines on his first try.
This also shows the problem with these strike back programs--sure you can stop the process, but you only provided a temporary fix. I like my friend's version better in that you at least let the user know what they need to do to clean things up. After he started doing this the attacks on his cable modem subnet dropped to almost zero.
Back when I first set up my webserver, I was getting hundreds of hits from nimda a day... I've built up quite a blacklist over the past several months.
When I first set up my server, I was interested in this virus as it was cluttering up my logs. Of course I was running apache, so I was immune, but nonetheless it was annoying.
So I used a few of the URL requests and reverted them back to the calling host just to see what would happen. I was amazed at how easy it was to get into their box. So after about two trials, I stopped; I didn't want to get into trouble, but I was discussing this with colleagues and fellow sysadmins. Based on my research (two attempts reflected back on the attacking host) I determined it would be VERY VERY easy to write a little program that monitored my Apache log; as soon as it saw a Nimda hit, it would automatically attack the calling machine, only with the intent of eradicating the Nimda virus on that machine.
(ok, so now that I've built up this story)...
So anyway, I chickened out... even though they were attacking me, I was afraid of the ramifications that might come back onto me if I were to "cleanse" these attacking machines.
My point is that this concept has some merit. I think we should consider whether or not this should be an allowable practice. And what would the penalty be for wrongly "cleansing" a computer?
I donno, this is becoming too complicated and it is too early in the morning. Forget I suggested it.
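The two posts above (the friend who parsed his Apache log every few hours, and the poster who watched Nimda "cluttering up" his logs and built a blacklist) both start from the same step: recognizing the worm's requests in the access log. The following is an added example, not code from either poster or from Mullen's tool. It parses Apache combined-format log lines, matches the well-known Code Red (`/default.ida?NNN...`) and Nimda (`root.exe` / `cmd.exe` traversal) request signatures, and then does the thing most of this thread recommends instead of striking back: summarize per source for an abuse report and emit DROP rules for your own edge. The log lines are constructed (RFC 5737 documentation addresses); the `min_hits` threshold and the iptables rule shape are my assumptions.

```python
"""Detect Code Red / Nimda probes in an Apache access log and respond on
your own side: an abuse-report summary plus firewall DROP rules.
Added example; not code from the original thread.  Sample log lines are
constructed with RFC 5737 documentation addresses."""
import re
from collections import Counter

# Apache "combined"/"common" log format prefix; we only need ip, timestamp
# and the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path signatures of the 2001 IIS worms.  Code Red hit /default.ida
# with a long run of N (or X) characters; Nimda tried to reach root.exe or
# cmd.exe, often through IIS Unicode/double-decode directory traversal.
SIGNATURES = {
    "CodeRed": re.compile(r"^/default\.ida\?[NX]{20,}", re.I),
    "Nimda": re.compile(r"/(root|cmd)\.exe\?", re.I),
}

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2001:10:12:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 288
192.0.2.10 - - [19/Sep/2001:10:12:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 288
198.51.100.7 - - [19/Sep/2001:10:13:45 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [19/Sep/2001:10:13:45 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
198.51.100.7 - - [19/Sep/2001:10:13:46 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 282
198.51.100.7 - - [19/Sep/2001:10:13:46 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
203.0.113.5 - - [19/Sep/2001:10:14:00 -0400] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [19/Sep/2001:10:14:01 -0400] "GET /images/logo.gif HTTP/1.1" 200 5120
this line is not a log record
"""


def classify(path):
    """Return the worm name whose signature matches the request path, else None."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None


def parse_line(line):
    """Parse one access-log line; returns a dict or None for non-log lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["worm"] = classify(rec["path"])
    return rec


def summarize(lines):
    """Aggregate worm probes per source IP: hit count, worm breakdown, time span."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["worm"] is None:
            continue  # unparsable or legitimate traffic
        entry = per_ip.setdefault(
            rec["ip"], {"hits": 0, "worms": Counter(), "first": rec["ts"], "last": rec["ts"]}
        )
        entry["hits"] += 1
        entry["worms"][rec["worm"]] += 1
        entry["last"] = rec["ts"]
    return per_ip


def firewall_rules(summary, min_hits=3):
    """iptables DROP rules for sources at or above min_hits (our edge only;
    nothing here touches the remote host)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip, e in sorted(summary.items()) if e["hits"] >= min_hits]


def abuse_report(summary):
    """One line per source, suitable for pasting into a report to the IP block owner."""
    out = []
    for ip, e in sorted(summary.items()):
        worms = ", ".join(f"{w} x{n}" for w, n in e["worms"].most_common())
        out.append(f"{ip}: {e['hits']} probes ({worms}) between {e['first']} and {e['last']}")
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("\n".join(abuse_report(s)))
    print("\n".join(firewall_rules(s)))
```

In use you would feed `summarize()` the real access log and cron it the way the friend did; the threshold keeps a single stray hit (or a mis-parsed line) from producing a block.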
This is simply vigilante hacking, supported by selective quotes from Black's Dictionary (the finest source of misleading legal information anywhere). It is telling that Mullen simply discards admin notification as a step; his software doesn't do so much as fire a warning shot across the bow before mounting its own attack. Some obvious problems:
1. Mullen's thesis essentially comes down to the idea that a compromised system is like a rabid dog. But this is a misleading, and emotional, simile; a worm does not pose the health dangers described by Mullen. Its threat is one to property, not safety, and thus the threshold to action is correspondingly higher.
2. The idea that private individuals should have the right to attack and compromise the systems of others is remarkable, not least because he doesn't suggest that those individuals should be subject to tortious responsibilities for their hacks: he does not himself accept the legal responsibility he insists others take.
3. In the world of the author, all systems are evidently equal: if my home workstation is being tagged by a worm from an American Express server, I would be able to hack AmEx (or the government!) with impunity. This is obviously an insupportable doctrine; if someone is lobbing water balloons at me, I don't have the right to trespass on a government installation to stop him.
4. Finally, Mullen argues for active attacks against compromised systems because passive defenses are, well, just too much trouble. But they are certainly no less trouble to create and maintain, and much less disruptive, than a horde of automated systems hacking their way through the Internet and claiming self-defense as a justification. Where a passive defense is available, one should provide convincing reasons why not to use it. Mullen could build a fence; instead, he prefers to use firearms.
Somewhere I have a hornbook on tort law that contains an article by Judge Posner on a similar topic: that of tripwire defenses used to secure property. He convincingly demonstrates, through case law and economic analysis, why such weapons are a Bad Idea in law and society. Perhaps Mullen should take off his smoke-colored glasses and look at the issue as something other than a technical problem.
"Freedom is kind of a hobby with me, and I have disposable income that I'll spend to find out how to get people more."
I can't remember the name of the company, but last year I had just installed IIS, then ran to the store. By the time I got back, around 45 min later, I had already been hit by Code Red. There was a message on my screen saying 'You have been infected by CodeRed. We did not infect you. Your server is trying to infect us. Please look on your hard drive to prove how open your system is. You can click here for more help. Again, we did not infect you.' (something like that anyway.) They left a small folder in my WINNT/system folder that had a link to them. Once I clicked their link they had other links on how to remove it; you could download the script they wrote so you too could load it and detect other people infecting you. And they had stats on how many servers had tried to infect them already (around 2000), and they explained more how they were only trying to inform those that were attempting to infect them to be more aware about Code Red. I have the link and script at home, not with me here. Sorry.
If my neighbor leaves and his stereo kicks on at a loud volume, which annoys me, I don't think I have a right to break in to shut off the stereo. The "right" to do something like that has to really match the threat posed. If someone else's network is threatening yours, you should first do everything you can on your own system to block them. If you can't block them, then consider the real severity of the threat. And if you break in, be prepared to have to justify yourself.
You don't have the right to trespass on someone else's network. Ever. You can contact them and discuss the problem; if that does not produce satisfactory results, you contact their ISP (and so on, up the chain, until you eventually talk to a Tier-1 ISP).
There is always a way to take care of the situation. Nobody wants to have their Internet service cancelled by an upstream provider because they violated their TOS by ignoring reports of a DoS attack originating on their network.
And your immediate reaction shouldn't be to launch an attack back at them. It should be to block the offending network at your own firewall. Come on people, this is Network Administration 101. I can't believe it's even being discussed.
Yes, and.. one point I haven't seen made yet: The government can't vaccinate your children without your permission. They can kick them out of school, isolate them and make your life pretty miserable, but they can't invade their bodies without due process of law, which is missing in this equation.
And now DUCK, because here comes the straw man:
I think the main reason for the knee-jerk criticism from the likes of Schultz is that they work largely in a theoretical rose-colored world of security, where all problems are solved after a cup of coffee and a bit of pontification
While it's valid to argue that Shultz is responding knee-jerkedly (somebody have a better adverb?) It's not valid to attack him by virtue of the fact that he's an academic and to denigrate him with the cheap-shot coffee comment.
Academics study things like unintended consequences, the big picture, etc.. These are things most geeks can't be bothered to consider. While stupid academics tend to rise to the top in the media, very few are actually addle-headed theoretical bloviators. These smart people can contribute a lot to our discussions.
As for the actual argument about killing others' rogue processes, I don't have anything original to say, but in the "real world" it would be called vigilantism and trespassing.
Yes, it's a blog. Sorry if that offends you.
You might have the right to attack ("strike back") a site. You probably (in almost all cases) do not.
What if you do your analysis work, pick the site to strike back against, and are totally wrong? What if that site also supports innocent clients / subscribers to its services?
What if it supports large numbers of financial transactions?
What if it belongs to a charity?
What if it supports military operations?
What if the "innocent" site then counter-strikes you? This would be (by the presented logic), justified. Are you then justified to commit a counter-counter-counter strike?
I see fantastic liability for an individual or organization if they attack a system and are wrong about the source of the attack they are retaliating against.
Sam Nitzberg
sam@iamsam.com
http://www.iamsam.com
This is seriously flawed. It has way too many possibilities for misuse. If someone is hammering your network the appropriate place to take care of it is in the firewall of your router, and the courts.
If such a method of counterattack is used, what's to stop people from using said programs in other ways, e.g. to attack systems with? Or imagine if the RIAA/MPAA were given the green light to attack systems to stop piracy; could not a third party direct an attack against someone by making it look as if they are using pirated software (like painting a target laser for a bomb to drop)? One thing we should have learnt by now is that any weapon can be put to bad use, no matter how noble the initial cause for use.
Mullen's proposal is very different from the RIAA's.
The RIAA wants the right to hack your computer because they suspect you copied CDs. Metaphorically, they want the right to break into your home because you sneaked into the disco without paying.
Mullen wants to shut you down if you attack him. Metaphorically, he wants the right to knock you out if you try to rob him.
Guess what, in the real world, one of these rights already exists. It's called self-defense. The point is that the two things are not only related, they also depend on each other. The RIAA hacking your machine will not stop you from copying CDs. Shutting down your machine will stop the virus from spreading, at least temporarily.
Assorted stuff I do sometimes: Lemuria.org
This concept relates to self-defense, and deadly force. Follow along with me...
If a person is in public, and is threatened, that person must make every reasonable effort to avoid the use of deadly force as a means of self defense, prior to using such force. He must attempt to leave the scene, etc. In short, there is a Duty to Retreat.
If, however, that person is in his home, his own property, that person may use deadly force as a means of self defense without having to exhaust every means of escape or avoidance. On his own property, a person has No Duty to Retreat.
How is the scenario for Cyber-attack any different? Unlike most of the people commenting on this article, I believe you do have the right to take active measures in protecting your property.
Obviously, we're not talking about deadly force... We're simply talking about electronic countermeasures.
If an unsecured system on the Internet has been infected by a malicious program, and is now launching its own attack against your system, your property, denying you the use of bandwidth or resources that you are paying for, I think you're perfectly within your rights to put the attack down, and if necessary, the offending system.
A person utilizing the Internet has a certain responsibility not to cause harm, either through action, or inaction. Most people on the Internet today seem tragically unaware of this. Without this, the Internet is ripe for a tragedy of the commons situation.
Is it wrong to still believe that with Rights come Responsibilities, or that with Privilege comes Obligation?
Your right to swing your arms around recklessly ends at the tip of your fingers, and at the beginning of my nose.
I think Tim Mullen is 100% correct, and I'm surprised there aren't more people that agree with him.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
If I am being DoSed by a computer (or several computers) it can cost a company thousands, if not tens of thousands of dollars. If I'm a sysadmin of Yahoo! and my service is interrupted, I want every means possible to shut down an attacking system. Most of the time ISPs ignore pleas about DoS attacks (just ask anyone on IRC!)
The tools he's talking about use the same exploits the worm/virus/trojan does, but instead of doing something bad, it kills the flooding. If you have an insecure machine, you're lucky that you don't get sued by it.
There will come a time when you *can* be sued for having an insecure machine used as a proxy for a hack. Until then, his solution seems to be a good real-world solution.
Moderation: Put your hand inside the puppet head!
The right to exercise self defence IRL is recognised in both International and National laws providing the defence response is proportionate to the assault.
As an IT professional with some interest in the security arena I think I could live with the same situation with regard to IT security, providing a similar burden of proportionality existed.
I suggest that a proportionality criterion also allows a firm distinction between the demands of RIAA/MPAA for cracking rights for minor civil copyright violations and the rights of a system operator/administrator seeking to halt a DDOS attack or worm attack by remotely halting the attacking process.
- You know they're vulnerable, because you know how the worm got in.
- Everyone else knows they're vulnerable, because the worm is being noisy about it.
Face it, those systems are going to get owned, one way or another. His proposal is to neutralize them before some script kiddie strings them all together for a DDOS attack. The converse is that a properly patched system is NOT vulnerable to strikeback, because the strikeback proposal only targets well-known worms. If your systems are vulnerable to well-known worms, then you have bigger problems than the possibility of having a process killed by this guy's neutralizing agent.
So, he's not talking about giving or gaining any kind of power. The ability is already there. He's talking about whether or not it's a good idea to use it.
Here's an analogy:
A guy in the apartment above you has left his door unlocked and then gone away. A malicious child walks in and turns the tap on for a laugh and then leaves. A while later the apartment is flooded and water is pouring through the ceiling into your property. Do you have the right to walk in through his unlocked door and turn off the tap?
I know what I'd do. It might not be legal, but I don't think anyone would stop me or arrest me and I don't think the owner would mind that much either.
Nick...
I can understand him wanting to kill genuinely malicious processes on other people's machines. I would want to too. My problem is that it's open to abuse. Who decides what malicious processes are? What if a malicious person starts using this to kill other processes?
There's also the whole legal kettle of fish. AFAIK, killing processes on someone else's machine is illegal. Even if the US government passed laws allowing such actions (which I think unlikely), you can guarantee that major parts of the rest of the planet wouldn't, which in turn could land people in hot water...
As has already been said, I think the best course of action is that the ISP be held responsible for terminating the network connection of any machine behaving maliciously (mbm), which means that nobody messes with the mbm itself. It's legally, and IMO ethically, much safer, but you'd still need to define precisely what malicious behaviour is, e.g. just because a server is sending lots of data to one IP address doesn't make it malicious.
-- Steve
George Bush has released his own network security suite "Homeland Security" with many advanced features.
"Homeland Security" allows you to scan another system for 'Toolz of Mass Hax0ring' and to kill any processes that try to stop you. It even allows you to take a remote host down if you believe it to have such Toolz in its possession.
Furthermore, "Homeland Security" allows the admin to arbitrarily flag a process as 'Bin Very Nasty' and gain root on any host that you believe may be running it. After root is gained on the remote host, "Homeland Security" sets up its own daemons to police security on the remote host. As an extra bonus, hosts that do not help police your process control can be added to /etc/hosts.deny.trade.
Of course no modern security package would be complete without a broad range of settings to really lock down your users and remove from them as many privileges as you think you can get away with under the guise of Security.
GWB Homeland Security, proudly sponsored by the 'Land of the Free' Software Foundation *sarcastic cough*
those who control the past, control the future. those who control the present, control the past.
Who will be the admin of the list of approved processes to kill? And if we are trying to make our machines more secure from outside control, i.e. worms, viruses and hackers, will we have to make a "secure backdoor" so that someone can remotely kill the "approved process"? We should make the manufacturer of the operating system responsible for the safety of the system, the same as car, drug and other manufacturers are responsible for their products. I think that before we make another hacking tool available we need to fix the system. And educate users, management, who controls the money spent for IT, as well as system admins. On a lighter note, can we use this to stop spammers????
Everyone knows that Slashdot is perfect, and needs no improvements. That is why all complaints about the features of slashdot are redundant and off-topic.
....the law grant us the permission to kill malicious users, instead.
There is a reason why this is generally frowned upon in real life... It's because the person who takes the law into their own hands often decides their own definition of justice. Your method of terminating the process may be wildly different from Joe hacker's, who is more than willing to format your hard drive to do it, even if you have no knowledge of the worm.
Let's face it, this is going to be another elitist club here. After all, what percentage of the population would have the knowledge to do this sort of remote termination? And then there is the age-old question of the UN: would you allow those incompetents to attempt to terminate processes on YOUR computer? I know, I know, your computer is secure, whatever. But would you let AOL Joe have a crack at your computer like you have the right to crack his? BE HONEST NOW. Hell no.
I'll admit, vigilantism has its positive points, but when you can just as easily set up a firewall and run anti-virus or something on a regular basis, it really doesn't give you the justification to [analogy] break into somebody's home to turn down their stereo because it's annoying you [/analogy]. After all, if you're l55t nuff to terminate stuff remotely, you should be l55t enough to block it just as easily.
Legally it would be the same as if there were a gunman on your neighbor's lawn without his permission, shooting at your house. You have every right to defend your house. AND with the right circumstances get damages from your neighbor for violation of duty of care or negligence.
-- Insert wisdom here:
Go ahead and try this method. You will soon be sued out of existence. And rightfully so, imho.
The strikeback proposal is simply that if another system is currently in the act of attacking you, it should be okay for you to put a stop to it, using the minimum force necessary. It does not involve "teaching them a lesson," shutting down the server, or attempting to patch holes...his sample code makes the bare-minimum change to stop the worm from hitting you. Damaging the opposing system in retaliation should be illegal, just as knocking out a mugger and then shooting him in the head is illegal. Retaliation is out of bounds. Minimum-force self-protection is allowed.
Of course, the first step should be to ask the sysadmin to stop it himself. And if you can stop damage to your system simply by patching your own system, you should stop there. But if you can't reach anyone, and the worm is resulting in a denial-of-service even after you've patched, a little extra force seems entirely appropriate to me.
I've always wondered why someone hasn't taken the time to modify existing worms to simply patch the holes they exploit. Or even disable the box on some level. It wouldn't be hard to accomplish either, I could probably do it in an evening if I had the time...
This proposal is fundamentally flawed, and here is why:
Where I used to work, they run a set of public NTP servers. _Very_ regularly, complaints come in about attacks coming from port 123 on these hosts. In every case, after enough dialog between us and the person reporting the attack, they would actually look at the NTP configuration of the machine under "attack" and realize that they were trying to use these hosts as an NTP server and it was their fault that the IDS was reporting the traffic as attacks. If they were allowed to use strikeback, these machines would spend more time with NTP killed than running.
The moral is that one must be very careful when constructing laws that propose solutions to difficult problems. Any law making it legal to hack somebody's machine is subject to enormous abuse, and should not be lightly passed.
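The NTP story above is the classic false positive that a strikeback tool would act on: the "attack" from UDP port 123 is the reply to a query the complaining host sent itself. The following is an added example, not code from the poster or from any IDS, showing the triage step that the complainants skipped: read the local ntp.conf, and before treating a port-123 alert as hostile, check whether the source is one of this host's own configured time servers. The ntp.conf excerpt and the alert lines are constructed, and the one-line alert layout is an assumed format rather than any particular IDS's output; only IP literals in ntp.conf are checked, so the example runs offline without DNS.

```python
"""Triage IDS alerts about UDP/123 'attacks': is the source one of the NTP
servers this host itself is configured to query?  Added example; not from
the original thread.  The ntp.conf excerpt, the alert lines and the alert
layout are constructed for this example."""
import ipaddress
import re

NTP_PORT = 123

# Constructed ntp.conf excerpt (not a real host's file).
NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 192.0.2.123 iburst
server 198.51.100.9
server 0.pool.ntp.org iburst   # hostname: left unresolved in this example
restrict default kod nomodify notrap nopeer noquery
"""

# Constructed alert lines in an assumed "src:sport -> dst:dport proto" layout.
ALERTS = [
    "2002-07-31 03:12:44 IDS: udp flood? 192.0.2.123:123 -> 203.0.113.50:123 udp",
    "2002-07-31 03:12:45 IDS: udp flood? 198.51.100.9:123 -> 203.0.113.50:123 udp",
    "2002-07-31 03:13:01 IDS: udp flood? 203.0.113.99:123 -> 203.0.113.50:123 udp",
    "2002-07-31 03:13:05 IDS: probe 203.0.113.99:4321 -> 203.0.113.50:80 tcp",
]

ALERT_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
)


def configured_ntp_servers(ntp_conf_text):
    """Collect upstream servers from 'server'/'peer' lines in ntp.conf.
    Hostnames would need DNS resolution, which is deliberately skipped so
    the check runs offline; only IP literals are returned."""
    servers = set()
    for raw in ntp_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("server", "peer"):
            try:
                servers.add(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # hostname, not an IP literal
    return servers


def triage_alert(alert_line, ntp_servers):
    """Classify one alert: 'solicited' (reply from our own time server),
    'unexpected' (port 123 from a host we never configured), 'not-ntp',
    or 'unparsed'."""
    m = ALERT_RE.search(alert_line)
    if not m:
        return "unparsed"
    src = ipaddress.ip_address(m["src"])
    sport, proto = int(m["sport"]), m["proto"].upper()
    if proto == "UDP" and sport == NTP_PORT and src in ntp_servers:
        return "solicited"
    if proto == "UDP" and sport == NTP_PORT:
        return "unexpected"
    return "not-ntp"


def triage(alert_lines, ntp_conf_text):
    """Map each alert line to its triage verdict."""
    servers = configured_ntp_servers(ntp_conf_text)
    return {line: triage_alert(line, servers) for line in alert_lines}


if __name__ == "__main__":
    for line, verdict in triage(ALERTS, NTP_CONF).items():
        print(f"{verdict:10s} {line}")
```

The "solicited" verdict is exactly the case the poster describes: the right response is to whitelist those servers in the IDS, not to complain upstream, and certainly not to kill ntpd on the server. The "unexpected" case still deserves a look (it could be a reflection attack or a misconfigured client), but the code makes no judgment about it beyond flagging it.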
But there has to be a grey zone in between. Where do we draw the line? Where do you think a judge will draw it?
In Murphy We Turst
I agree that this 'strikeback' capability could be abused. But I've seen a lot of questions people have posed:
(1) What if the machine you attack back is running some critical process and you disable it?
(2) What if the machine you attack back is also hosting other, innocent clients?
and various arguments along the line of 'What if your strikeback also affects X, who doesn't deserve to be affected?'.
My response to this is: What if? Let them be collateral damage. It wouldn't have happened at all if you'd SECURED YOUR SYSTEM. I saw an analogy about someone stealing your car and trying to run over someone else. What if that someone else shoots out your tires? You left your car unlocked, you pay the price.
Another common one is 'just block their IP on your firewall'. I find that response so stupid it's bewildering; people who respond with that have never seen a real ATTACK. I (normally) chat on an IRC network named DALnet. For the past few weeks, all 31 servers have been completely offline, because of a few thousand idiots on cable and DSL, infected with a trojan. If you have a 1.54 Mbps pipe and you are being sent 3 megs a second from compromised hosts, a firewall won't do $#!t. Nothing. And do you think the ISPs giving access to those people are going to shut off access? No way! DALnet is a free service, it has no budget to sue anybody, so why would an ISP bother cutting off paying customers?
So many people here talk out their @$$es it's not even funny.
How do so many people get infected? By running unpatched copies of IE and visiting malicious webpages. Who sets up these webpages? Why, GeoCities! Geocities will NOT shut down any of these malicious sites, since their AUP doesn't say anything about viruses. The only way to get a Geocities page shut down is if it has nude photos on it.
So -- what to do then?
1) You do not have a legal right (not even in Vermont) to shoot a gunman on your neighbor's lawn.
2) Not only will you spend 20 years in jail for the shooting, expect to pay heavy fines, and probably additional jail time for filing a seriously frivolous lawsuit against your neighbor. Your lawyer would also face disbarment.
3) Not only is your analogy factually flawed, it is logically flawed as well. Your analogy would match Mullen's scenario if you were to shoot your neighbor if a gunman was found on his lawn, which blows Mullen's thesis out of the water.
Summarized, this law says that you are allowed to handle someone else's affairs (here: kill a malicious process), if you assume that the owner wants it to be done and can't do it himself for some reason.
But doing so, you need to take special care not to do any damage, else you are responsible to compensate the owner for any damages.
Additionally, you must inform the owner as soon as possible, and give him the chance to do the job himself, if possible. So if you kill a process on someone else's machine, you must take any reasonable measure to find out who is responsible for that machine, and inform him about your actions.
This posting describes my unprofessional understanding of German law - I probably got some details wrong, but I think I got the point. See this page, subchapter 11, for a translation of that law.
ok, this idea is ridiculous to the point of being funny - i guess i don't get it. who determines what a "malicious" process is? so under this scenario i could just terminate random processes on other people's computers?
imagine the repercussions on the battle.net ladders.
"i was totally beating the shit out of this kid and then right at the end my war3 exe terminated out of nowhere"
"OMG WHAT A FAG"
"no dude it's ok, i terminated his kernel32.dll"
"HAHA 0WNED"
"Where are we going, and why am I in this handbasket?"
The rights of the many do not outweigh the rights of the one! Your above example is flawed since nobody has a right to infect other people with diseases, commit crimes, or let their dog attack people.
If I have the flu, I have a moral duty not to infect others with it. But what if, through necessity or ignorance, I do so anyway? Others in my environment do not have the right to forcibly vaccinate me against the flu or to force-feed me antibiotics, much less to restrain me from going about my business (unless they work in a sterile environment).
The appropriate response for people at risk of catching my disease is to avoid me, to take steps to protect themselves from me--not to stage a counter-invasion.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
The idea of writing "strikeback" scripts, as you describe, has been tossed around before. I recall reading a quick-and-dirty script for Apache posted on slashdot some time ago that would detect attacks from machines infected with Code Red, and would then exploit the security holes Code Red had opened on those machines to clean them. I used to support this idea, but I'm afraid after some thought, I've changed my mind.
I'd agree that if a worm is running on someone's machine without their knowledge, then the owner of that machine has no rights to that process (the obvious exception being the person who is spreading the worm, who runs it intentionally on his or her own machine, but we'll ignore him or her for now). In order for you to terminate that process, however, you have to break into their machine, and run your own process. You are, in effect, creating your own worm. Your worm may only run for a short while, and may be "for the greater good", but that doesn't change the fact that you are running code on other people's machines without their consent.
Even if we opt to ignore the ethics and look at this from a more practical angle, can you guarantee that your strikeback process is not going to adversely affect the machines it cleanses? What if your strikeback process causes a machine gathering scientific data to reboot, or kills the wrong task? This has the potential to set someone back by several days in their work. What if it reboots a machine monitoring medical equipment? You could end up killing more than just a process, if you catch my meaning, however unlikely that may be.
Since you are intentionally running a process on someone else's machine, you are accountable for its results. If you cause damage to a machine, or cause data to be lost, even if it is inadvertent, you open yourself up to litigation from the owners of those machines.
Treating computer processes and network connections as extensions of human beings ignores the great complexity of computer systems and the irreducible nuances to responsibility, origin, and intent such machines introduce.
Translating your argument into the world of atoms, that would be like holding someone responsible for a vandal who goes into someone's unlocked car, releases the emergency brake, and lets the car go careering into a crowd of innocent bystanders. Just because computers seem to "act" does not mean that their actions are always the fault of their owners, secure systems or no.
The key is to hold those who crack systems accountable for their actions and to educate victims about how to better secure their systems. Those users unwilling or unable to secure their systems should pay third parties to secure their systems for them.
Even the best secured system is not uncrackable. Would you hold the best sysadmin in the world responsible for a script kiddie's lucky guess?
Your post says you would.
blog
If you witness a 16-year-old driving a stolen car while drunk, it is your responsibility as a member of society to either stop him (if possible) or notify the appropriate authorities. The owner of the vehicle is not usually notified of the crime until after the fact. And any damages incurred to the vehicle are not paid by the police or arresting individual. If you own a car that CAN be stolen and used to commit property crime, then you assume a certain responsibility to do everything possible to prevent this. If after that, it is still stolen, then any damages that happen to it are your problem (and your insurance company's). If you leave the 'keys' in the ignition and the doors unlocked, don't blame me for the flat tires my spike belt inflicts while trying to protect my family!
That's the way it is already. If you left your door wide open, knowing people were going into houses and blowing up entire neighborhoods, you would be responsible. If the lock was defective, and the manufacturer knew that and didn't take corrective action, then they would be responsible.
Best Slashdot Co
You don't have that right for lots of good reasons. Do I have the right to go into someone's house and unplug their stereo if the noise is annoying me? Nope. Should I? Of course not. If the noise is bothering me I'm supposed to call the police. If the attacks are bothering you, call their ISP. Vigilantism is not the way to handle things, especially since what they may be doing might not even be illegal, but what you might do in response is.
Here are some good reasons why this guy should not be messing around with others' computers:
BTW, I had a Linux box get owned by the Ramen worm a couple of years ago. I never knew (I rarely used the box) until I got a call from my ISP (my school at the time) telling me they had received a complaint from someone claiming I was scanning their network. They said they would disconnect me if it continued. I fixed the box, didn't get disconnected and the world was a better place once again. If my computer goes haywire and starts doing things it shouldn't, I accept that it may be pulled off the Internet. I signed a contract saying that. I did not sign one saying anyone was allowed to log onto my box without my permission and try to fix things. If someone breaks into my computer, I'll press charges. It doesn't matter if they say they were only trying to be helpful, I can't/won't trust them.
I have personal info on my computer. I don't want anyone else getting it. If I send them to jail and have their computer confiscated, I'll at least have a better chance that they don't have any of it.
Life is too short to proofread.
Code that will neutralize South Korea!?
Insanity is the last line of defence for the master diplomat. But you have to lay the groundwork early.
what if some h9x7r was more l55t than me though? i would get 8wn2d! :P
"Where are we going, and why am I in this handbasket?"
An operating system could be designed to selectively allow remote hosts control over portions of the system.
For instance an operating system could allow any host to kill the processes that had open sockets to that host. You could even narrow that down to allowing a host to kill any process which had an open socket not originated by the host. This would disable remote hosts from killing servers that they initiate connections to but would allow processes to be killed that originated connections to remote hosts.
At the operating system or even hardware level you could also engineer a system in which a remote host could request a stop on all traffic targeted at it. If this could be done securely people that were being targeted by another machine could request the operating system to stop all processes from directing traffic its direction.
Grrrrr... don't bother me, I'm thinking.
Because your EULA terms state that you will not hold the manufacturer liable, that's why.
So, you want to implement technology where any random third party can kill processes on your servers? In what universe should security people "get this"?
Stealing someone else's insightful post.
Quietly attack and justify it. hummmm....
You know you've considered serving a spiked cmd.exe for all those hacked boxes out there that keep asking for it!
No I'm not trolling.
We do "get it." It's called "vigilantism" and in a country based on law it's a bad idea. There's neither a need nor room for Wyatt Earp in the twenty-first century.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Computers don't have rights or responsibilities. Processes don't have rights or responsibilities. If computer A attacks computer B (via a worm or whatever else) and computer B "strikes back", self-defense is a fair metaphor, but it isn't a relevant legal or ethical argument, because computers don't have rights.
Computers are property. More specifically, my computer is my property. I have a right to keep my property, and you have a responsibility to keep your hands off my property, and if you don't keep your end of that agreement, you've broken the law and I can bring the government into it.
Yes, your property rights are violated if my computer has a worm that attacks yours. Maybe the government will acknowledge that and step in, and maybe it won't. If you don't like the way the government handles this, elect somebody who will change it, write a letter to your legislators. But the government's refusal to step in doesn't mean, as Mullen asserts, that the owner of the attacking computer has no responsibility. It just means that the government has opted not to hold him responsible. The only way to fix that is democratically.
But suppose Mullen is right about that, and this person has no responsibility. He says "no responsibility means no rights". Wrong. The constitution says that no person shall be deprived of life, liberty or property without due process of law. In practice, that limits the action of government, not offended sysadmins. But the principle here is that my rights are my rights, and nothing I do, however bad, forfeits them automatically. Maybe, after a fair legal process, society (i.e. government) may decide to take away some of my rights (i.e. lock me up, fine me, whatever). But not before. That's a fundamental part of the social contract which makes us civilized.
Then Mullen makes a different argument: the rights of the many outweigh the rights of the few. (Thank you, Spock.) Maybe. But the same principle applies. My rights are my rights. Maybe you can get a court order to require me to donate blood, if it will save 100 lives. But if you take my blood without getting the court order, you have still violated my rights and broken the law.
Now, if the guy who took my blood is a real hero, and believes what he did was right and necessary, then he'll say that going to jail is a small price to pay for saving 100 lives. Good for him. If Mullen really believes this is a case where the law runs contrary to ethics and morality, he can wear a grey hat and illegally hack systems for the greater good. But unless he's willing to wear a black hat, he'd better admit that what he's doing is illegal, and a violation of rights, and be prepared to take the punishment when he does it.
IANAL, yadda.
If you're a 95 pound paraplegic being punched in the face, you may use enough force to halt the attack.
If that requires a firearm, then so be it.
The court will back you on that one.
While GuiltyOfThoughtCrime = True
Do
InvoluntaryElectiveBrainsurgery (GuiltyParty);
(* Thanks, but I think I'll pass. I'd rather own my own machine. *)
You see? You see? Your stupid minds! Stupid! Stupid!
his idea is a hell of a lot more invasive and more "wrong" than simply noting an attack, blacklisting the source and sending the ISP an email notifying them of the situation.
I realize that it's frustrating as a sysadmin to see attacks from the same place, by the same virus/worm all the time, but the answer isn't a counter strike. it's to simply contain the virus and let the people that are infected unfuck themselves and learn from their mistakes.
besides, even if it weren't morally and ethically wrong, just who would control such a program? would sysadmins have to be federally or state licensed, much like concealed weapons holders? who would be there to ensure that the vigilante sysadmins weren't abusing their abilities and crushing boxes left and right, then claiming that they were being attacked?
no, a knee jerk reaction of "wtf! this mother fucker's infected and trying spread it on to me! fuck him! I'll fuck his box up for that shit! stupid dumbass n00b!" isn't going to advance the Internet community, sysadmins or users anywhere. just stick to blacklisting IPs and domains. it works.
The World's Worst Webcomic!
gee roland, then if i can show that some event is going on in your house, and i can find some people who agree that it is a bad thing, then i can just go on inside your home and break that event generator? now that's 'getting it'.
am i missing anything in your thesis?
Sure they do. Through negligence lawsuits. It's why you have homeowners or renters insurance. So that when you negligently forget to clean your toaster oven and burn down the entire row of condos your insurance company pays for the damages. Unless you have insufficient insurance, in which case you pay the damages.
I have never before seen so many flawed analogies in one place. Do so few of you actually understand computers that you must relentlessly compare them to something else in your life?
whatever happened to hosts.allow and hosts.deny on a firewall??? simple answers to simple problems.
On a legal level this should be peachy. If your server is being attacked, you should be able to respond. On a systems security level, this is NOT OK. Giving access to other companies/entities to shut down processes on machines which they are not entitled to access is more of a security hazard than what it intends to fix.
Ok, so does this mean I could finally write my worm removing tool, Remote Windows Uninstaller?
Does anyone remember CodeGreen?
This was a worm that propagated like CodeRed, but instead of doing malicious things, it patched the insecure system.
There's also CRclean, which does the same, but only to machines that attempt to infect it first.
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
As part of the service agreement, ISPs should be allowed to test for security problems prior to allowing new machines / customers access. As new vulnerabilities arise, the ISPs should test again. Machines with vulnerabilities are not allowed on the network. That is more palatable to me.
Anyone besides my ISP attacking my machine should be illegal.
Every good Bleveskovolokian could tell you that this idea just won't work. If a system such as the said system was to gain popularity the writers of the worms could easily guard against it by fixing/blocking the service that they exploited to get in. Once this is done, and it wouldn't be difficult, it would become impossible for this method to work unless of course they decided to scan a whole list of known exploits, but that seems kind of scary.
The ethical consequences here are too much. Nobody better be messing with my box. It's illegal for a reason. If you think something is wrong with my box you should contact me and I shall be the one to repair it my way. There is of course a much better alternative than what this guy is recommending. Write a little script that automatically blocks the attacking IP either on the local system, firewall, or router. Once this is done their attacks will not harm you (except for occasional slight wasted bandwidth.) If you break into my box you will be prosecuted.
If someone's computer establishes a relationship with your computer by initiating activity, and their computer is not acting with the sincere intent to communicate in a meaningful manner, they have waived certain rights they would normally have -- just as a person who points a gun at me has waived certain rights they would normally have. I'm not saying any of this frees the "vigilante" from having to answer for their actions later if they act inappropriately. But to say they shouldn't be allowed to act at all (whether it makes sense or not) simply because it's "vigilante" action instead of government action, is just wrong.
If my modem's bandwidth is being used up by some jerk's 64K pings, I have the right to try to do something about it right now, and shouldn't have to wait 2 weeks for some 'net cop to look into it.
I think this would be a good idea but a lot of preparation will need to be done and the code constantly reviewed until release in the wild...
But in the event of this virus actually doing more wrong than good in the wild, what would happen then? I would, if working on this sort of thing, have installed a backdoor, which I realise now was also Max Vision's intention with his worm in case it joined the dark side.
My other point is a lot of admins would not realise they were dis/infected in the first place....we can not keep sending out worms to sort out the incompetent admins every time there is a new worm...the Internet is already noisy enough.
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
Thinking like this is predicated on a person's sense of right-and-wrong. This guy believes something should be fixed on someone else's machine. He might be annoyed to know that someone else's machine is not as he'd prefer...but in practice all he has is an opinion.
I happen to believe that there is a universal morality. But it's a big step from believing that...and meddling with other people's private lives and personal property just because you might think they are wrong, or ignorant, or merely unaware and you're doing them a favor.
Obvious considerations fall out of this proposal. The RIAA might think it is right in its preemptive meddling with my personal property. Or, what if the software designed to do us all a big favor was designed to roam the net like a bot looking for viruses? Would it always know what is a virus and what is not? Would it delete the wrong things? Would it delete harmless collections from some kind of museum of viruses?
Can I get this with a Quake 3 front end?
--That, I think, is a good point. The solution, however, is not to make the counterattack legal, thus continuing to absolve people of responsibility, but to make the owners of the systems legally responsible for their failure to secure their systems. If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.--
What about the software companies that make their software so easy to exploit? It doesn't seem fair that the user should have to keep up with this 24/7.
Regardless, I meant "gun-toting" and the reference to my gut was a typo.
This policy would be irresponsible to both the owner of the system and the vigilante cracker.
System owners get in trouble because suddenly someone has another reason to mess with their machine. It's not clear-cut for even an expert- You might say that it's criminal negligence to leave a system unsecured. Actually, no. We don't have the legal definition for these things yet. Furthermore, there's already an incentive for system owners to secure their own machines- the integrity of their own services and data.
Vigilantes are also on thin ice because it's easy to do more than you intended when "defending the law", and even the cops are in danger when they fuck up. What will you do when you accidentally cause collateral damage in the commission of your act of citizen policing? What if you just have the totally wrong machine? You don't have the authority of a uniform and a department to back you up.
All in all, this is a thoughtless proposal that should never be accepted by any legal authority worthy of the name.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
I'm guessing that one will be allowed and one won't. You can guess which one....
http://www.rootstrikers.org/
Exactly what I'm saying! Some idiot l33t kid decided to root your box and use it to attack other people. But you were the one who didn't take reasonable measures to prevent the rooting, such as applying the appropriate patches. You were negligent and your negligence resulted in damage to other people. That's why you have insurance.
I think the US has the right idea, pre-emptive action. If there is a possibility of attack, take 'em out. No proof required.
Overwhelming opinion stacked against a *B*A*D* idea, (in this case, the use of gratuitous, crotch-hardening force to solve a problem which has been proven in the past to be fixable through any number of other effective options), is refreshing to say the least!
I don't even have to use the analogy I was brewing up while reading the headline, (but will offer here anyway just as a point of interest and cuz I don't like to let even a half-assed brain-wave to go to waste.).
-Fantastic Lad
if a person was battering at my front door, i have the right to take steps to stop that from happening. if that person's dog was battering on my front door, i have the same right. if that person didn't know that his dog had rabies and it was battering on my front door, i still have that right.
in all cases, i think i have the right to protect any and all of my property, even if it is just a bunch of magnetic storage.
All of this discussion is irrelevant, since this technique can be easily circumvented. All a virus writer needs to do to not be vulnerable to rehacking is make sure the hole that it originally used is closed.
Of course, the defensive rehacker could attempt to use other exploits than the one attempting to be used, but that doesn't seem likely. The worm could close as many exploits as it could to prevent this.
The interesting thing is that a worm could end up having the effect of making your computer more secure by protecting itself from counterattacks.
This leads one to consider a similar idea of worm-like updates. I'm sure it's been thought of before, but what if, for example, a Windows exploit was found, and so a worm was released that looked for the exploit, infected, repaired the hole, and then tried to propagate. After a time, the worm could simply expire with the only damage being done that it fixed a security hole. In this way, the good worms would compete with the bad worms, which should at least cut down the damage done by any one exploit by 50%. Kind of reminds me of the good bacteria and bad bacteria that live in the human body. Simply the fact that something "infects" a host doesn't mean it is bad!
Why allow any "unwanted software" to run at all?
http://www.geocities.com/ichinin/appwall.htm
I wrote this app a while ago (*) to effectively toast any crap I didn't want to run without my permission. I hope that anyone finds it useful.
(* the tutorial doesn't match the pictures)
P.S: No - i'm NOT giving the source away.
This is a much more frightening specter than anything else Tim mentions in his column. This mantra can and would be applied to many other areas if such a policy became commonplace. Apply this to dissemination of knowledge. Suppose I have data available on my webserver that is viewed as "malicious", say how to build a bomb or exploit commonly known vulnerabilities in a web server. Does this give someone the right to remove said data from my server simply because I have a disclaimer saying I have no responsibility for how someone might use this data? This sounds like a piggyback onto another round of "strategic protection of US citizens", i.e. read "strategic reduction of fundamental freedoms of US citizens".
"No responsibility means no rights" gimme a break.
Every computer connected to the internet is a "server". I'm sorry, but my grandmother does not deserve to be put in jail because she didn't know enough about computers to apply the latest Microsoft service pack to her Windows box, to patch a problem that Microsoft created in the first place.
There is probably a good solution to this problem, but making ordinary people "responsible" for the bad coding standards at Redmond is NOT IT! If someone trespasses on your property, then shoots someone else, are you responsible because you failed to secure your property? If you buy a defective coffee pot that you use as directed, yet it catches on fire and burns down your apartment complex, are you responsible?
The answer is no, but perhaps the manufacturer of the coffee pot is.
WWJD? JWRTFA!
Let's think about this for a while.
How does this scenario resemble the situation in Afghanistan?
Antti S. Brax - Old school - http://www.iki.fi/asb/
just to get more lawyers in on it.
/domains/abcnet/htdocs/scripts/root.exe
/domains/abcnet/htdocs/msadc/root.exe
/domains/abcnet/htdocs/c/winnt/system32/cmd.exe
Set up scripts/root.exe as an EULA, with "I agree" being msadc/root.exe, which will then attempt to take down the worm.
It's not an attack but a service/product the server had to agree to, right?
<a snip from my logs...>
[Wed Jan 15 01:15:24 2003] [error] [client 64.172.131.88] File does not exist:
[Wed Jan 15 01:15:27 2003] [error] [client 64.172.131.88] File does not exist:
[Wed Jan 15 01:15:30 2003] [error] [client 64.172.131.88] File does not exist:
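The blocking script proposed earlier in the thread (add the attacking IP to the local firewall or hosts.deny instead of hacking back) and the Apache error_log lines quoted just above both point at the same practical tool, so here is one worked version as an added example. It is not code from the original thread or from anyone quoted in it. It parses Apache 1.3-style error_log lines, counts requests per client that carry Code Red / Nimda signatures (root.exe, cmd.exe, default.ida), and prints hosts.deny and iptables entries for clients at or over a threshold. The log lines, addresses (documentation ranges, not the IP quoted above), signature list and threshold are all constructed assumptions for the example; an allowlist keeps your own scanner or internal hosts out of the deny list, which is the one check a practitioner would not want to forget before cron-ing something like this.

```python
#!/usr/bin/env python3
"""Block hosts that keep probing for Code Red / Nimda backdoors.

Added example, not from the original thread. Parses Apache 1.3-style
error_log lines, counts worm-signature requests per client address and
emits hosts.deny / iptables entries for repeat offenders. The log lines,
addresses and signature list below are constructed for the example.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in Apache 1.3 error_log format (documentation addresses).
# The first four requests are the classic Nimda / Code Red II probes.
SAMPLE_LOG = """\
[Wed Jan 15 01:15:24 2003] [error] [client 198.51.100.23] File does not exist: /var/www/htdocs/scripts/root.exe
[Wed Jan 15 01:15:27 2003] [error] [client 198.51.100.23] File does not exist: /var/www/htdocs/msadc/root.exe
[Wed Jan 15 01:15:30 2003] [error] [client 198.51.100.23] File does not exist: /var/www/htdocs/c/winnt/system32/cmd.exe
[Wed Jan 15 01:15:33 2003] [error] [client 198.51.100.23] File does not exist: /var/www/htdocs/scripts/..%255c../winnt/system32/cmd.exe
[Wed Jan 15 01:16:02 2003] [error] [client 203.0.113.9] File does not exist: /var/www/htdocs/favicon.ico
[Wed Jan 15 01:16:40 2003] [error] [client 192.0.2.44] File does not exist: /var/www/htdocs/default.ida
[Wed Jan 15 01:17:01 2003] [error] [client 10.0.0.9] File does not exist: /var/www/htdocs/scripts/root.exe
[Wed Jan 15 01:17:02 2003] [error] [client 10.0.0.9] File does not exist: /var/www/htdocs/msadc/root.exe
[Wed Jan 15 01:17:03 2003] [error] [client 10.0.0.9] File does not exist: /var/www/htdocs/_vti_bin/..%5c../winnt/system32/cmd.exe
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"File does not exist: (?P<path>\S+)"
)

# Fragments only a worm (or a scanner) asks a Unix web server for. Matched on
# the lower-cased path so %5c / %255c traversal variants still hit "cmd.exe".
WORM_SIGNATURES = ("root.exe", "cmd.exe", "default.ida")


def parse_error_log(text):
    """Return a list of (timestamp, client_ip, path) for lines we understand."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group("ts"), m.group("ip"), m.group("path")))
    return out


def is_worm_probe(path):
    """True if the requested path carries a Code Red / Nimda signature."""
    p = path.lower()
    return any(sig in p for sig in WORM_SIGNATURES)


def find_offenders(records, threshold=3, allow=("127.0.0.0/8",)):
    """Count probes per client; return {ip: count} for those at/over threshold.

    Addresses inside `allow` are never returned, so your own scanner or an
    internal host cannot end up in the deny list by mistake.
    """
    allowed = [ipaddress.ip_network(n) for n in allow]
    hits = Counter(ip for _, ip, path in records if is_worm_probe(path))
    offenders = {}
    for ip, count in hits.items():
        addr = ipaddress.ip_address(ip)
        if count >= threshold and not any(addr in net for net in allowed):
            offenders[ip] = count
    return offenders


def render_block_rules(offenders):
    """Produce hosts.deny lines and iptables commands for the offenders."""
    rules = []
    for ip in sorted(offenders):
        rules.append(f"ALL: {ip}")                          # /etc/hosts.deny
        rules.append(f"iptables -I INPUT -s {ip} -j DROP")  # netfilter
    return rules


if __name__ == "__main__":
    recs = parse_error_log(SAMPLE_LOG)
    bad = find_offenders(recs, threshold=3, allow=("127.0.0.0/8", "10.0.0.0/8"))
    print("\n".join(render_block_rules(bad)))
```

Run against the sample, only 198.51.100.23 is blocked: 192.0.2.44 sent a single default.ida probe and stays under the threshold, and 10.0.0.9 probed three times but sits in the allowlist. Two caveats: hosts.deny only affects services linked against tcp_wrappers (Apache is not, unless built with libwrap), so the iptables line is the one that actually stops the probes; and a worm-infected host keeps coming back, so expire the rules after a day or two rather than letting the table grow forever.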
Hey, has anyone ever written a worm that somehow benefits the "infected" systems by ... say... killing off other viruses?
Imagine a worm that installed an antivirus program....
could we call this an inoculation?
42 - So long and thanks for all the fish.
with Mr. Mullen's proposal, is this.
He sees the world this way: 1. People are negligent, and allow machines to become compromised, which allows harm to come your way. 2. Therefore, if people will not defend their own machines, you should be able to defend yours by disabling theirs.
This is a little like the following: 1. People are negligent, and allow their cars to get stolen, which allows hit-and-run drivers to take you out with them. 2. Therefore, if people will not defend their own cars, you should be able to defend yours by being given a rocket launcher to disable theirs.
The second example sounds kinda weird, doesn't it?
I've watched "World's Scariest Police Chases" and suchwhat. If a driver's acting like a maniac, the police bust out these cars with large ramming devices on them, and beat the crap out of the offending vehicle. If someone is driving recklessly on the highway, I can't just take my SUV and ram them off the road myself.
While I may have justification for doing so -- after all, that driver is endangering me and those around me -- I do not have authority. There is a reason that only police are given the power of arrest and other various things they have. (Just try walking around with a pistol in broad daylight in Philadelphia, for example.)
Mullen would have us all issued shotguns, to defend ourselves from any would-be vandals and thieves who enter our homes. While it is justifiable for us to use these weapons against those who would cause us harm, is it really wise to give everyone a shotgun? There are most certainly those who would use them improperly. The obvious solution, of course, is to give everyone some sort of shield, that prevents them from being hit by a shotgun shell, to protect us from bad users of shotguns. But, uhm, then shotguns don't work against the vandals, because they have shields too. So a perpetual arms race against ourselves would develop.
There's a reason weapons aren't issued to us for our own defense -- collectively, we are not responsible enough to operate that way. Only special agencies are given the Authority to administer Justice; justice itself does not belong to the rest of us. Unfortunately, we don't have an "internet police force", nor would one even be desirable.
But ISPs can still pull the plug on users who aren't operating "correctly," and University and other networks can block down a MAC address if it's causing trouble. And that's about as close as we really should want.
I like that idea. Now I can fire most of my Sysadmins because all holes are automatically fixed by strikeback.
This is what I call effective outsourcing.
Thanks for the opportunity to think.
RIAA: We want to hack back because we're the victims of piracy.
DARPA: We want to track all the minutiae of your life because we want to find terrorists.
Mullen: We want to exercise a(n admittedly limited) degree over your systems because they're harming us.
These notions aren't necessarily wrong, but any proposal to allow people to be exempt from laws or standards of conduct because they think they have a good reason to be bears careful scrutiny. IMO, this isn't much better than those users who just can't possibly get their job done without having the root password, in spite of the fact that everyone else does. We do not need the ability to manipulate others' systems to suit our security needs. I'd suggest a much better solution is responsive ISPs at all levels. If you're hosting a DDoS client, cut their feed and we mean now, or we (the guys above you) cut yours. Likewise, if we don't cut you off, we get cut off by the guys above us. Perfect? Nope, but I'm more comfortable with this than letting any yahoo who happens to think they're under attack by my systems have the right to cause my server to start or stop doing things without regard for the outcome.
Mr. Mullen's idea isn't stupid and it might not be "bad", but it is definitely not the right solution.
Great, now evil has ANOTHER weapon.
Pii said, "Wow, great response..." thus giving me cause to smile.
I forgot to add that the courts have, in the past, interpreted the Oklahoma Computer Crimes Act of 1984 in a very strict manner. For example, Ryan Breding was running a warez site at OU in 1997 and was prosecuted not only for the copyright violations, but also for violation of the OCCA because the popularity of his site affected bandwidth at the school. In other words, under the 1984 OCCA, simply having a site that is more popular than your provider anticipated can be a crime in Oklahoma if that impacts the bandwidth of your provider.
How is that germane to the current topic? Well, I suspect - remember IANAL, and this is only opinion - that the same courts that decided slowing a school's connections is a violation of the law would also consider interrupting the function of a webserver by causing a reboot to be a similar violation. Further suppose that the target system is a) in Oklahoma, and b) running NT...
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
Whenever some Korean faggot spams me, I do a:
smbclient -L $IPADDRESS
From this I get the netbios name of the computer, and then do a:
smbdie -i $IPADDRESS -p 139 -t $NETBIOSNAME
This blue-screens the offender's computer. When I'm satisfied it works (some people have patched their systems), I add it to a cron job to repeat every 4 minutes.
So the spamming faggot doesn't get a chance to spam me as he is continually rebooting.
So yes I agree 100% with the suggestion that we take down others' malicious processes. If only it were so easy to bring the US military industrial complex back into line...
I'm sorry, sir, but the CC&Rs of our network neighborhood expressly forbid the presence of Windows 9x boxes unless they are hidden behind a firewall. We are trying to maintain a pleasant, livable place here. Good day.
Yow! I'm supposed to have a plan?
You can kill my gun when you take it from my cold dead fing-...!
Wait...
Never mind.
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
Well, gosh-durn it, Son! Was it the Iraq analogy, a perceived slur against inbreeding, or is it simply that you are generally in favor of computer worms?
Speak up, Son! Don't leave me in suspense. I gotta know how to refine my routine. If I know what gets under your skin, then I can purify it and hopefully make you break out in hives some day! Stupidity-specific pathogens; that's the goal here, Son. --Seeing as how you're obviously not quite dumb enough for Darwin to have taken care of himself. (Where Darwin fails, the rest of us have to roll up our sleeves.)
-Fantastic Lad
Then fine Microsoft, fine Linus Torvalds, just fine someone. The sense of impunity is something that cannot happen, because when people are immune to law, you tend to be your own law.
rm -rf /home/leia
After reading the article and the discussions posted on the CounterPane site, everyone seems to be harping on the same issues over and over again.
First of all, people are using really bad analogies to try and prove their point but I think they're just missing what exactly Mr. Mullen is trying to say. Breaking into peoples houses, loud dogs barking, and slapping your neighbor's kid for mouthing off are just some examples of these (IMHO) "flawed" analogies.
I don't think you need an analogy to understand the situation. When is it ever LEGAL to be an unauthorized intruder in someone else's computer system? That's right, never. (If you have permission, it's not unauthorized. If you own it, it's not someone else's.)
The reasoning behind this proposal is to allow the "victims" of a "relentless attack on their network" the right to "neutralize a worm process running on the infected system". "Neutralize", in this context, can basically be read as "obtain unauthorized access to the infected system and terminate", presumably by exploiting some vulnerability in the system (since most modern OS's do not allow anonymous people to just terminate processes at will). However, in doing so, the "victim" here is assuming the role of an unauthorized intruder and thus breaking the law. And there's a damn good reason why things are set up like that (at least in the US).
Hell, even the police (supposedly), need a search warrant or permission to access your computer systems and read your data. Why would I want to give that ability to every "administrator" that hooks a system up to the internet just because they don't like the data that my computer is sending to theirs? If they don't like it, they have several available options including contacting my ISP to shut off my service, contacting their ISP to block my address at their upstream router, or (in the case of criminal actions) contacting the police. If what my computer is doing is not a criminal act, and neither my ISP nor theirs wants to act on it, maybe they need to find a new ISP or maybe what I'm doing is not a large enough nuisance for anyone except the "victim" to care.
Another problem with this proposal is what exactly constitutes a "relentless attack"? What about an attack that isn't relentless? What about unsolicited commercial email (aka SPAM)? Who gets to say whether something is an "attack" or not? There is way too much "grey area" there for any sane person to just blindly give out ROOT LEVEL ACCESS to their systems based on such a statement (killing arbitrary processes is definitely a root-level operation).
From his original paper, I found the following paragraph particularly troubling:
I say that we have the right to defend our systems from blatant worm attacks, and that we are within our rights to take measures to stop an attacking system from further infringing on our assets, consuming system resources and service availability, and from their ultimate attempt to compromise our systems.
He's talking about "Code Red" and "Nimda" specifically so I'll use those examples also. When you hook a web server up to the publicly accessible Internet, you are implicitly allowing other systems to send HTTP requests to you over port 80. How you can say that certain requests are "infringing on [y]our assets" is beyond me, but then again, I don't agree with much of the logic of Mr. Mullen's argument. And, yes, each request consumes system resources and if you get enough of them, it could affect the service availability of your web server. However, by putting up a web server, you are implicitly allowing such requests. As far as their "ultimate attempt to compromise our systems", that is a legal matter and should be tracked and referred to the police. You don't have the resources to do that? Well, how important is it for you that the "attacks" stop?
Sorry, Mr. Mullen, but I disagree with your proposal and your opinion that you should have the right to access my computer system without my authorization. Let's leave this up to the authorities and just worry about securing our own systems. Your "right" to defend your system/network from worms stops at my system/network.
Leaving a machine unsecured and unmonitored on the Internet is a sure-fire way of ensuring it is hacked and used to attack other machines. We know this. Yet people continue to do it. They do not secure their machines once hacked, and they allow their own machines to attack others once hacked. This is negligence, pure and simple. "
In the case of the car, this is true, since it requires no technical expertise to secure the car by removing the keys. Manufacturers have made efforts to design an appropriately secure system that is easy to use, and if we do not use it, we are legally responsible (in some states) for leaving the keys in the car.
However, the manufacturers of most computer software have NOT made efforts to make the software trivially easy to secure. Even for those with great expertise, it requires significant effort (many settings, checks, tests, etc.). Thus, holding a normal user responsible for the actions of a hijacked computer is unreasonable.
Requiring that one be an expert to hook up their computer to the net is also ridiculously elitist and unreasonable. It would destroy the internet as we know it when 99%+ of the people were disqualified from dialing up or getting a broadband connection.
Using a vigilante approach also makes no sense when we are attacking the computers of hapless victims who A. purchased insecure software when there is little practical other choice and B. had it hijacked by others who they have never seen.
We need to hold the vendors responsible to build stable and reliable software, with sound default values. Then, when someone deliberately DE-secures a box and hooks it up, it might be reasonable to consider strikeback action.
Will site admins start attacking /. at any sign of a slashdotting.
One thing, however, that is common with all the detractors is the presumption that the "counter attack" would be all encompassing, i.e., "his system had a worm trying to infect mine, so I wiped his BIOS in return so the machine can't boot" [that would be seriously wrong...]
BUT that isn't how I (and I suspect the original author) interpret the situation -- someone mentioned the concept of a "surgical strike", and I think that is far more appropriate: "his system had a worm trying to infect mine, so I killed just the worm..."
Mind you, there should be a few other things that "should be done" in the process, mainly, notification (as best as is possible) that the offending system has "something amiss with it", actual pointers to process names or what have you [i.e., proof that it was indeed a "malicious process" and not merely thousands of slashdotters hitting the system w/browsers], notification that the one particular process was stopped (and a request not to start it until it can be verified as "clean" or whatever), and so on.
Yes, this will annoy those folks that are too lazy to take responsibility for their system's actions. They'll piss and moan and complain. If you have a "body of evidence" that you were acting in defense of your system and/or resources, and if this "goes public", then the sysadmin of the offending system will be exposed for the idiot that he is [IOW, a competent admin will clean up the problem, **possibly** thank you and/or acknowledge that there was a foul up, and life will go on without name calling or anyone's panties getting in a bunch.]
One of the threads drew an analogy of a neighbor's monkey throwing rocks and breaking windows, with the "solution" of "shooting the monkey, problem solved..."; my suggestion is that instead of shooting the monkey, clear the neighbor's yard of any rocks big enough to break your windows :)
(*) the "discussion" was centered around some things I found in my web server's logs, namely "404 errors" for attempts to retrieve files with names like "../../c/windowsnt/system/cmd32.exe?...." [code red stuff] My premise is simple: "hey, he asked for the file, it just so happens that on my linux system the file 'cmd32.exe' is a script that copies a gigabyte of data FROM /dev/null"
So, since an ISP won't give you the customer's info without a court order, and obtaining one could take weeks or months, wouldn't it be logical, that when reported, after a certain period of time, the ISP becomes liable? I even believe there are points of law to support this.
Point being, if so, how does one perhaps advise and enforce this on ISPs, and secondly, how does one implement a system that allows an easier way of dealing with this?
Currently, dealing with such "Internet Giants" as Comcast and RoadRunner has resulted in nothing but email after email after email, begging, pleading, explaining, complaining, and eventually threatening legal action - and regardless, no action but the automated response.
How much can you sue a negligent ISP for damage to image (for instance, spoofed emails with derogatory or virus laden content), loss of bandwidth or other profit generating resources, etc?
I think this may be the big issue. With a simple "Check here what type of attack you are reporting" and a submission field for the IP address, a simple automated routine could monitor, verify and take action [whether informing a (for instance) Comcast tech or automatically blocking that type of/or all traffic from the offending IP].
For many types of attacks (other than Code Red, Nimda, etc - this consists of 95% of our attacks), since they are ongoing till someone contacts the user and stops them (or blocks their connection which amounts to the same thing whether they are an innocent infected or guilty of initiating the attack).
These are some of the biggest causes of internet attacks. If you measure the number of businesses and the number of non-commercial entities on the net, and then factor in the massive number of attacks that were Code Red/Nimda/The NeverEnding MS Hole Of The Week Saga... it's interesting to note that selective, planned attacks against businesses by (presumed by myself - and SANS - as well as others) presumably competition ranks in the top causes of such traffic on the net.
In addition, what most non-commercial entities never realize is, name an Internet worm/virus/script... tell me when you think it came out. Now, 80% of you are probably wrong. It came out many months if not YEARS before you think, and was used to target specific businesses. This includes Nimda and Code Red and all their variants. The worms later make it mainstream. We had been receiving attacks like these often a year before someone shoved the vulnerability down MS's throat so they couldn't ignore it. Steve Gibson at GRC has info on some similar incidents.
The ease of it is astonishing, especially with so many "script kiddies" and so many legitimate hackers - jump into an IRC chat room of such type, and claiming to be the business in question, tell them what type of losers they are. Or post such a post with "forged" headers in the newsgroups - it happened to us (newsgroup post). The ISP wouldn't help us, and by the time we knew and responded that the post was not made by us with "proof" ("well, you could have been on a dialin" - "um, not with those host names, which have never been registered to that dialin IP - it's a forged header on a fake post") - by then, attack bots were already being circulated on the IRC channels, much like the ones used against Steve Gibson, attacking us on average 30,000+ a day... some days hitting 6 digits. Our servers can laugh at that, but our bandwidth can't. And you can't firewall it either. Those scripts infect near anything with WinCrap on them. We had universities with OC3s attacking us, people from all over the world, you name it.
If you can't beat the competition, take down their servers. That seems to be the big motto.
If ISPs were liable for inaction, the attacks (including stuff like Nimda and Code Red that could be blocked with simple filters in many cases) would eventually die off.
Just my 1 or 2 cents...
Rob
WebMaster:
BinFeeds
XXX Thumbnailed Image Newsgroups but
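The automated "check the attack type, submit the IP" routine that the post above sketches can be illustrated with a small log triage script. This is an added example, not code from the thread, from Rob's site, or from any ISP named here: it parses constructed Apache combined-format log lines (labelled as such), matches request paths against the worm probe strings the thread talks about (the `cmd32.exe` traversal quoted above, plus the `default.ida`, `root.exe` and `cmd.exe` requests Code Red and Nimda are known for), aggregates hits per source IP, and emits an abuse report with a decision that acts only on the defender's own edge (block locally and send evidence to the source's abuse desk). The signature names, threshold and report fields are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines for illustration only (not from the thread).
# The cmd32.exe request mirrors the path quoted in the thread; default.ida, root.exe and
# cmd.exe are the request strings the Code Red and Nimda worms are known for.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2002:13:55:36 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 288 "-" "-"
203.0.113.7 - - [10/Jul/2002:13:55:37 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
203.0.113.7 - - [10/Jul/2002:13:55:38 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
198.51.100.22 - - [10/Jul/2002:13:56:01 -0400] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.22 - - [10/Jul/2002:13:56:02 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.55 - - [10/Jul/2002:13:57:10 -0400] "GET /../../c/windowsnt/system/cmd32.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
"""

# Apache combined log format: ip ident user [ts] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# The "attack types" a report form could offer; the names are mine (assumed, not the post's).
SIGNATURES = {
    "code-red-ida-overflow": re.compile(r"/default\.ida\?", re.I),
    "nimda-root-exe": re.compile(r"/root\.exe\b", re.I),
    "nimda-cmd-exe": re.compile(r"/cmd\.exe\b", re.I),
    "cmd32-traversal-probe": re.compile(r"\.\./.*cmd32\.exe", re.I),
}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(path):
    """Name the worm signature a request path matches, or None for ordinary traffic."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(path):
            return name
    return None


def summarize_probes(log_text):
    """Aggregate worm-style probes per source IP: hit count, signatures, first/last seen."""
    summary = defaultdict(lambda: {"count": 0, "signatures": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate truncated or foreign lines instead of crashing
        sig = classify(rec["path"])
        if sig is None:
            continue  # an ordinary 404 (favicon, typo) is not evidence of anything
        entry = summary[rec["ip"]]
        entry["count"] += 1
        entry["signatures"].add(sig)
        if entry["first"] is None or rec["ts"] < entry["first"]:
            entry["first"] = rec["ts"]
        if entry["last"] is None or rec["ts"] > entry["last"]:
            entry["last"] = rec["ts"]
    return dict(summary)


def build_abuse_reports(summary, block_threshold=3):
    """Turn the per-IP summary into abuse-desk reports plus a decision for the local edge.

    Every action here is on the defender's own side: a block on the defender's own filter
    and a report with evidence for the source's ISP. Nothing touches the remote host.
    """
    reports = []
    for ip, entry in sorted(summary.items()):
        action = "block-and-report" if entry["count"] >= block_threshold else "report-only"
        reports.append({
            "ip": ip,
            "attack_types": sorted(entry["signatures"]),
            "hits": entry["count"],
            "first_seen": entry["first"].isoformat(),
            "last_seen": entry["last"].isoformat(),
            "action": action,
        })
    return reports


if __name__ == "__main__":
    for report in build_abuse_reports(summarize_probes(SAMPLE_LOG)):
        print(report)
```

The threshold separates a single stray probe (report only, since one hit can be a scanner or a mistyped URL) from a host that keeps hammering, which is the "ongoing till someone stops them" case the post describes; the report carries timestamps and the matched signatures so the ISP's abuse desk receives evidence rather than a bare complaint.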
Who wouldn't enjoy playing a good game of doom and blowing away any nasty process?
I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network.
Technically speaking, you do. No, I'm not kidding. It's called the right of "abatement", and it's a right dating back a millennium or so. It's even a defence to criminal charges that you were exercising your right of abatement in a manner that was reasonable in the circumstances.
The problem with this is that they might still charge you.
Now if you're willing to take the risk, the right of abatement is a right to take steps to prevent a trespass or nuisance affecting your property or your enjoyment of your property, even if this requires violating the property rights of somebody else from whose property the trespass or nuisance originates. For example, if somebody sits outside your house at midnight, playing a ghetto blaster at maximum volume, and refuses your request to stop, you can slap them around until they stop, or smash the ghetto blaster. Legally, you will be exercising your right to abate a nuisance.
Yes, theoretically this could be applied against spammers and open relays too.
Since the owner of a system has no responsibility for the actions of a worm, or any malicious process, that runs without their knowledge, I submit that they also have no rights to the process. No responsibility means no rights.
So, if they have no rights to the process, there is no infringement against them when we neutralize it. If someone wants to claim that their rights were violated by our taking out the attacking process, then they should be held accountable for the actions of the process from its inception. They can't have it both ways.
So by that same token, if there is a thief in your house while you are away, he is perfectly justified in burning down your house to get rid of the thief?
The key is to hold those who crack systems accountable for their actions
We already do that, and have done so for years. It doesn't seem to be working, and the primary reason for this is because there are too many unsecured systems available to perpetuate these attacks.
Most posters have failed to grasp that what Tim Mullen is REALLY complaining about is that law enforcement has been ineffective in preventing worm and other kinds of hacker attacks. He's right, but the reason is not because the hackers are somehow "unassailable" by law enforcement. It's because law enforcement spends very little effort in enforcing "cybercrime" laws.
See, in the USA it's a popular pastime among politicians to pass new laws against X without even thinking about how that law is to be enforced, let alone allocating resources to do it. Consequently a great many laws in the USA go virtually unenforced. There are numerous other examples besides "cybercrime".
What Tim should be doing is lobbying for a "Cybercrime Enforcement Agency" that spends significant resources tracking down Internet criminals.
Now clearly a lot of ad hoc vigilantes attacking "offending" systems would constitute significant resources, but as many other posters have pointed out the solution is worse than the problem. Such authority (if legally enshrined) would be incredibly open to abuse, and everyone knows this. Other posters have pointed out that they have "struck back" against worms and other attacks even knowing that it was illegal to do so. But the subtext behind this is that they were willing to "strike back" because they knew that there was little chance they would be caught and punished. This is literally the exact same thinking that led them to be attacked in the first place.
Tim Mullen shouldn't be surprised that the white hats are aligning against him because his solution and his thinking is exactly that of a black hat. He's justifying hacking into others' computers by making the claim that he's "doing no harm" and that in fact he's actually helping them. Exactly the same arguments that many "grey hat" crackers make about breaking into systems but not damaging them. To most white hats, systems are "private" and there is no justification for vigilantes to break into them.
This controversy reminds me quite a bit of the blacklists of spam sites and open relays that are being propagated. The huge difference here is that the blacklists are voluntary limitations people put on their OWN property and servers, as opposed to changes to other people's property and servers. An analogous situation to what Tim proposes would be hacking into other people's computers to shut down open relays or spam sites. The only difference is that creating and propagating worms is illegal and spam isn't (yet). However I fail to see why this should make any difference to a vigilante.
Security experts see themselves as providing a service to individuals and not to the entire internet.
Preventing unauthorised access is the holy grail of security.
But individual users do not see it that way. They don't see the harm in a cracker fixing a security fault.
Look at it like this:
Kids break into your home, throw doggy doo everywhere and trash the place. Then a neighbor enters through what was your front door, cleans up the mess and gives you a new steel door with your same old lock (the lock the bad guys didn't pick when they kicked the flimsy door to splinters).
The cops arrive then you.
They are technically trespassing and interfering in a crime scene. Do you care?
I'm the vindictive type.. I'd be pissed.
I don't actually exist.
If I had my life to live over, I'd try to make more mistakes next time. I
would relax, I would limber up, I would be sillier than I have been this
trip. I know of very few things I would take seriously. I would be crazier.
I would climb more mountains, swim more rivers and watch more sunsets. I'd
travel and see. I would have more actual troubles and fewer imaginary ones.
You see, I am one of those people who lives prophylactically and sensibly
and sanely, hour after hour, day after day. Oh, I have had my moments and,
if I had it to do over again, I'd have more of them. In fact, I'd try to
have nothing else. Just moments, one after another, instead of living so many
years ahead each day. I have been one of those people who never go anywhere
without a thermometer, a hotwater bottle, a gargle, a raincoat and a parachute.
If I had it to do over again, I would go places and do things and travel
lighter than I have. If I had my life to live over, I would start bare-footed
earlier in the spring and stay that way later in the fall. I would play hooky
more. I probably wouldn't make such good grades, but I'd learn more. I would
ride on more merry-go-rounds. I'd pick more daisies.
- this post brought to you by the Automated Last Post Generator...