Slashdot Mirror


Killing Others' Malicious Processes

Roland Piquepaille writes "This opinion is not mine, but that of Tim Mullen, from SecurityFocus Online. In this story, he expresses some strong ideas regarding systems infected by worms. 'I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network. I've even written code to demonstrate the process. Though the initial news coverage of the concept was grossly inaccurate in conveying my ideas, it has stirred up a constructive dialog. I knew my idea was controversial, but I was wrong about something -- I figured everyone in the security biz would "get it" and that the hard part would be convincing everyone else that if they can't or won't secure their machines, we as the defenders would have the right to terminate the process attacking us. It has turned out to be the opposite.' The author then looks at the criticisms about this strikeback idea raised by some security experts -- to dismiss them of course. Check this column for a summary or read the original story for more details."

8 of 415 comments

  1. More discussion at Counterpane by Sheridan · Score: 5, Informative

    Bruce Schneier has more discussion of this in the latest Crypto-Gram issue, both in the main section and in the letters (including a letter from Tim Mullen).

    There is a good justification in Mullen's letter as to why this proposal is different from the RIAA's proposed attacks on computers that they suspect of hosting unauthorised copyrighted material.

  2. Re:actually by greechneb · Score: 4, Informative

    I seem to remember such a thing for Unix/Linux systems a while back; a search on Google would probably find it.

    I'm pretty sure no one liked it. (I think the creator got bashed for it actually.) Mainly for the reason that changing something to fix a worm might break another process running on your machine if not done the correct way.

    If you are so worried about another machine trying to break into your own, I'd be securing yours better so you wouldn't have to worry...

  3. Schneier calls this "vigilantism" by tbmaddux · Score: 4, Informative

    In his Dec 15th Cryptogram Bruce Schneier provides his argument against counter-attack, and there are some interesting reader responses to this in today's issue.

    --
    Can't you see that everyone is buying station wagons?

  4. cheese, the friendly worm by greechneb · Score: 3, Informative

    Ok, I found it. The one I was thinking of was Cheese, the friendly worm

    Read about it here, including a nice set of pros and cons here

  5. I've done it before. by GoNINzo · Score: 3, Informative

    I had a botnet using my irc server as their jumping off point. I wasn't too happy with it cause I saw an attack happen. So I went through and removed them all. I wrote up the story here if anyone wants to know how to take down a subseven network.

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty

  6. Re:actually by bpfinn · Score: 2, Informative

    I'm pretty sure no one liked it. (I think the creator got bashed for it actually.)

    That's probably because the author, "Max Vision", programmed his worm to leave a backdoor open on your system - after it patched BIND to a safe version. He's in jail now.

  7. Fundamentally flawed by Anonymous Coward · Score: 1, Informative

    This proposal is fundamentally flawed, and here is why:

    Where I used to work, they run a set of public NTP servers. _Very_ regularly, complaints come in about attacks coming from port 123 on these hosts. In every case, after enough dialog between us and the person reporting the attack, they would actually look at the NTP configuration of the machine under "attack" and realize that they were trying to use these hosts as an NTP server and it was their fault that the IDS was reporting the traffic as attacks. If they were allowed to use strikeback, these machines would spend more time with NTP killed than running.

  8. Plagiarist! Karma Thief! Loser! by wiredog · Score: 3, Informative

    Stealing someone else's insightful post.