Killing Others' Malicious Processes
Roland Piquepaille writes "This opinion is not mine, but that of Tim Mullen, from SecurityFocus Online. In this story, he expresses some strong ideas regarding systems infected by worms. "I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network. I've even written code to demonstrate the process. Though the initial news coverage of the concept was grossly inaccurate in conveying my ideas, it has stirred up a constructive dialog. I knew my idea was controversial, but I was wrong about something -- I figured everyone in the security biz would "get it" and that the hard part would be convincing everyone else that if they can't or won't secure their machines, we as the defenders would have the right to terminate the process attacking us. It has turned out to be the opposite." The author then looks at the criticisms about this strikeback idea raised by some security experts -- to dismiss them, of course. Check this column for a summary or read the original story for more details."
RIAA: Great. Now, who's running Kazaa?
yet again under another pretense.
This will be abused like all the other technology laws.
You should not interact with others' machines:
Let them fix their worm problems themselves or they may not appreciate it.
It is normal and nice to tell them they have a problem, but your work stops here!
Trolling using another account since 2005.
I'd rather see a set of worms released that infected machines on the scale of, say, Code Red or Nimda - but actually patched security holes, and/or closed all the ports on the host machine. If the ports already closed by the machine were in actual use, the user would have the option to open the ones needed manually.
Exactly who decides what constitutes "relentlessly attacking your network"?
A simple NMAP scan? What about Netbios scans? @Home scans for open NNTP servers... etc etc..
Trolling is a art,
There is a good justification in Mullen's letter as to why this proposal is different from the RIAA's proposed attacks on computers that they suspect of hosting unauthorised copyrighted material.
The only problem with this strikeback thing is what if the machine which is infected is business-critical?
If you're going to take it on yourself to fix other people's machines, what if this causes them loss of business? And there are also varying definitions of what "strikeback" or "fixing" could mean. What if someone decides to "fix" your database server by shutting it down? Shouldn't they be held liable for the damages caused, just as someone who does that maliciously can be held liable?
There are just too many holes in this strikeback philosophy. It opens the door to tons of abuse too: "I only broke into this machine to fix it, I swear, gov'nor!"
I think it would also result in pretty dire situations when a machine equipped for strikeback mistakenly decides another machine (also strike-back-enabled) needs to be "fixed", and starts attempting to hack into it - and then the other one detects it as well, and they start concurrently trying to hack into each other... probably saturating the network with crap on the way...
Daniel
Carpe Diem
At least they can act to contain the spread of a virus, but not by killing processes on customer PCs. They can, however, disable service, whether it be a cable, *DSL, or dialup modem account. Shutting off service and forcing customers to take measures to clean their infected computers is allowed by the acceptable use, terms of service, and other policies which protect the ISPs' rights to take action.
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one.
This is an interesting point, because it shows the essential flaw in this logic. In all of these examples, who is acting? "The authorities", namely, the government. In this absurd "strikeback" proposal, who is acting? Vigilante sysadmins. If anything, his examples prove that we need a national cybersecurity enforcement agency, which is responsible for taking machines offline when they get virus-infected. Clearly, this is a bad idea, and that's why strikeback will never work.
Next you will be telling us that it's ok for government A to overthrow government B if it thinks B is destabilizing to it.
HHOS
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
So, if they have no rights to the process, there is no infringement against them when we neutralize it. If someone wants to claim that their rights were violated by our taking out the attacking process, then they should be held accountable for the actions of the process from its inception. They can't have it both ways.
That, I think, is a good point. The solution, however, is not to make the counterattack legal, thus continuing to absolve people of responsibility, but to make the owners of the systems legally responsible for their failure to secure their systems. If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.
You say you can't afford to pay? Tough. Should have thought of that before you put your insecure system online. You say it's the fault of the manufacturer for selling the insecure system in the first place? Take them to court. Too expensive? Well, if their system is too expensive to use, then people won't use it.
Best Slashdot Co
It's next to impossible to determine what defines an attack or not... and I don't want people other than me shutting down my webserver thank you very much.
Wouldn't it be nice if there were programs that could automatically determine what's a worm or virus, and then attack the process from within the machine? No need for an outside user, just have the system kill its own rogue process as soon as it starts. Oh, it does exist. It's called Anti-Virus...
In his Dec 15th Crypto-Gram, Bruce Schneier provides his argument against counter-attack, and there are some interesting reader responses to this in today's issue.
Can't you see that everyone is buying station wagons?
I think this guy lives in the world of theory, where everything works "in theory".
I don't want some idiot out in the world thinking he knows more about my system than I do going in and thinking he's doing everyone a favor -- when he's actually doing damage to my system. Intentions don't mean a crock of dog doo.
If my system is spewing garbage, then it should be the right of the ISP to pull the plug until I get it fixed. That's the way these things should work.
But there's no way I want fools poking into my computer, no matter what.
Sometimes it's best to just let stupid people be stupid.
I read this the other day when it was posted on "The Register" and I didn't like it then and I don't like it now.
Why?
Well, it all boils down to an attempt to legitimise hacking. If it was allowed that we could "strikeback" (which is just a cute word for hack) and disable the attacking process, then where do we draw the line? I think we can all agree on the extremes, but let's consider another example.
What if a website was posted on Slashdot? Would all of the rampaging geeks be classed as attacking processes and therefore be liable to be struck back at and eliminated? I am certain that the website administrator would consider the massive increase in traffic to be an "attack" as their poor server disappears in smoke.
Personally if you are likely to be attacked get better security. You can't enter somebody's house just to close an open window.
Patriotism is the opium of the masses
Read about it here, including a nice set of pros and cons here
There are two independent issues. One is an ethical issue. Is it morally right to attack (it is attacking, irrespective of defensive or offensive reasons) somebody else's machine?
The second one is a legal issue. Does the attacked person (on either side) have any legal recourse? Do they have any credible claims for damage?
Vigilante justice, at best is stupid and at worst, can lead to a more dangerous society than one without.
What we have here is no accountability and no responsibility. A ship's Master (Captain) is responsible and accountable for the ship in his charge and the actions of his crew. The owners, or administrators, should also be responsible and accountable for the machines and network in their charge. Hold them to account for their malicious machines - otherwise the problem will just get worse. Who then determines a malicious process on my network? The RIAA and other large political contributors? Remember, in the U.S. at least, money controls everything. Those with it get what they want and those without it suffer.
If you're that "good" and can kill a process on someone else's network, how about you use that excellent knowledge and contact the owner of the machine?
Hacking (don't paint it any other way, you're breaking into someone's system) someone else's machine is not the answer. The system is not any more secure after you've killed its process, it is still wormed, and the most important thing is that the admin of that machine hasn't learned a thing!
but then what do i know, i'm not a security expert...
I'm sure some people could draw a vague parallel with protecting your home using lethal force here... but i don't buy it. I certainly believe if a hacker is inside your system you have every right to st0mp his ass out of there by whatever means necessary, but if your neighbor is coming round ten times a day knocking on your door you call the cops and get a restraining order taken out - you don't go over there and shoot him.
I don't think it's ever right to trespass, whether it's for the "common good" or not. If it's not yours, stay clear. If a worm is hammering your system, call the offending ISP. If they don't reply call their upstream provider. If they don't reply call your ISP and tell them to block it before it gets to you. If they don't reply - tough shit, get a new ISP. It's the same thing as the spam blacklists - ISPs will never learn to provide better service if people don't start voting with their wallets.
I got a sig so you would remember me.
I had a botnet using my irc server as their jumping off point. I wasn't too happy with it cause I saw an attack happen. So I went through and removed them all. I wrote up the story here if anyone wants to know how to take down a subseven network.
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
I also find out that what people think is "if you know someone hacked into my server, then it must have been you that hacked my server". And this brings up the next point, if you start hacking people's computers to stop the worms, they are going to think that it was you who unleashed the worm, it is logical, they just don't know better.
What must happen is not System Administrators "hacking" every computer on the internet infected by Code Red or Nimda. What must happen is legislation that makes every person running a computer personally responsible for the security of that same computer. If people don't secure their server they must be penalized, instead of letting us fix the problem... even if they want us to.
rm -rf /home/leia
This guy wants to give the power to kill remote processes to everybody. Everybody includes the people that he's saying can't secure their systems to begin with. Do you want them touching your box? Didn't think so.
How do you get counter attack software, and who's to say that software is safe?
... the attack itself.
What if the counterattack software has its own buffer overflow? Then we get a cat and mouse game of one machine simulating an attack and when the counter attack is made the attacker could send a response to force a buffer overflow making the counter attack
If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one.
In your country perhaps, but where I live not all of those suppositions are true. And here one sees an inherent problem that such a system would create - you may be operating within the legal framework of (for instance) the US, but does that give you the right to close down a process on a machine in Iraq, or North Korea, or any other country for that matter?
A little planning goes a long way...
block that IP in your firewall.
I'm constantly getting hit from Taiwan and SE Asia, so I block the whole class C; if it gets worse I go up from there. Seems to solve 99% of my problems.
"Logic dictates that anyone who opposes a bill allowing corporate entities to attack our systems should support a technique to stop worm-ridden systems from doing the same."
This is flawed logic. The correct logic flows like so: Anyone who opposes a bill allowing corporate entities to attack our systems should oppose any technique that allows any other organization or individual to do the same.
Mr. Mullen's proposal is almost identical to the proposal made by the RIAA: let someone legally crack into a computer that is being used to do inconvenient things.
While I sympathize with Mr. Mullen's intent, this approach was wrong when suggested by the RIAA and it is wrong when suggested by Mr. Mullen.
Unfortunately, the best approach I can suggest that both contains the problem (eventually) and protects everyone's privacy to the largest possible extent is to isolate the offending computer from the rest of the Internet (possibly shutting down the user's outgoing Internet feed) until that user fixes the problematic system.
Of course, the details are the killer. How is something like this accomplished quickly enough to minimize the damage done to systems receiving the barrage of data? And does a Slashdotting result in Slashdot's Internet feed being cut?
This type of problem definitely needs a solution, but vigilante attacks are not the solution.
Mullen has been stoned since day one. This wacked out idea is just another bit of proof of that.
Besides the blatant privacy issues, etc. Let's assume computer A is attacking computer B with Worm1, which uses application X as its transport. The person who sees the worm attack his system immediately thinks it is Worm2, which uses application Y as its transport. So he gains access to computer A and kills application Y. So he hasn't killed the worm, and he also killed an innocent application that may have been doing something very important.
It is stupid to think a random person will be able to properly fix your system. Even if he is "skilled" enough to break in, he may not understand what the system is for or what it is used for. Just because he thinks he is smart doesn't necessarily mean he is.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
they would decide over time a set of precedents just like for defending oneself from physical attack.
If you slap me I can't just shoot you, but if you stab me: you'd better be ready.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
By "passive strikeback", I mean a tool that does nothing more than respond to an active attacker in such a way that it turns the tables. I assume that most worms and spammer-tools are as poorly written as the buffer overruns and other assorted security holes they exploit. That being so, I would love some respectable white-hats to write open source tools which target weaknesses in the offending malware, so that when said malware comes a-knocking at my server, I might gently rip out its intestines and strangle it with its own entrails.
I'll settle for strikeback tools that do nothing more than neutralise the malware, although I'd be sorely tempted to do more in the case of spammer tools. Sending the malware into a flat spin, hang, or deadlock may be preferable to simple termination in many cases.
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
"If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one."
The same holier-than-thou attitude that exists in Police and Intelligence services towards the public exists in the so-called security professional community.
Let's say my next-door neighbor and I live in an old neighborhood with big trees. If my neighbor's tree has a disease that is affecting my tree, I do not have the right to trespass on my neighbor's property and chop down or treat his tree.
The interests of security do not give someone the right to trespass on my property without due process. If Mr. Mullen wants to get some sort of court order, fine, but he does not have the right to screw with other people's computers for some perceived security problem.
If Tim Mullen can be identified hacking into any computer I am responsible for, he will be arrested and sued for computer crimes. Whether he is wearing a "white" hat or a "black" hat is irrelevant.
Conformity is the jailer of freedom and enemy of growth. -JFK
Whose competence is at stake, did you say?
I'm sorry but my brain comes with a EULA
This brain is supplied "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose and the accuracy of the information contained within it
Having been the victim of the effects of Code Red (our Linux boxes were not affected, but the hosting facility we were in was overwhelmed with traffic from all of its unpatched IIS servers), I can certainly see the reason why this software was developed. Our site was inaccessible for close to half a day, because of other people's inability to keep security at the forefront of their minds. We were powerless to do anything but wait for our hosting providers to track down all of the offending servers at our location and fix them.
I remember being so angry at the time, and I would have welcomed the scenario where a "strikeback" type of application would have put a stop to this problem in an automated fashion. I'm sure part of the creator's reasoning is that if people's systems are left vulnerable to various worms, then there should be no problem allowing his software to "fix" the problem. Perhaps an applicable analogy would be a fire spreading from house to house on your block and "strikeback" acting as the firemen putting a stop to it. Firemen often make a huge mess of buildings when putting out fires (cutting through walls and roofs, dousing everything with water, etc), but the ends justify the means.
On the other hand, the "strikeback" process could almost be considered like a vigilante mob, having the best of intentions, but essentially operating outside the bounds of the law. Secretly, we might root for them, but in essence we really need the police to do the job, thereby obviating the need for the vigilante mob.
In regards to the world of crimes committed against servers, I just don't know who the actual police are. So many of these attacks happen without anyone being punished. The FBI has a policy of not even spending any time investigating any computer crimes where the damages cannot be proven to exceed US $20,000. That leaves a great deal of smaller businesses / websites essentially unprotected by anything except for their own ability to manage their security efficiently.
Strikeback is just a reaction to the frustration of having to deal with all of these continuously spawning worms / attacks without anything being done to counteract them other than reacting after the carnage is already done. I'm not saying it's the right solution, but I certainly can see why it is here ...
This is just a guy out looking for kicks and fun. If someone is "probing/attacking" your network thanks to a worm and you can't contact them, the solution is simple:
You simply block off their traffic.
Close your blinds, your door, or whatever real world analogy you would like to try and apply. You have the right to send the same traffic back to them, monkeyseemonkeydo, but in no way is it possible to justify altering the running of their machine. Doing so, is no better than the malicious process already causing the damage.
--- I do not moderate.
Well, when I read the article the first time around, I was quite amazed that someone came up with such a nonsensical idea. However, I reread the article just for good measure.
The idea proposed was actually quite intriguing... it's like an analytical discussion of forward-defense of networked computer systems. Which, I finally conclude, is worthy of further discussion.
Many sysadmins fail to patch their machines not mainly due to ignorance, but due to failing to keep abreast of the latest security news. This is where the proposed idea could actually come in handy.
A minor modification of this idea that would benefit most people would be if somehow a signed permission can be generated when a remote patch is to occur. The admin of the machine could request contact info of the fixer as well as logging the IP address and other important info.
To tell you the truth I'd rather computers under my administration be patched this way rather than defaced with shoutouts and then getting the fix via email or written on the defaced page itself.
Welley Corporation - SLM Scammers
First secure your own machine (which seems to be the primary concern for wanting to allow something like this)... Then, send the infected machine a note with instructions on how they can fix the problem.
Just because my car makes a funny klunking noise doesn't mean I want Joe Mechanic sticking his head under my hood when I'm in the grocery store.
Scott
It would mean you could sue them. You can sue makers of any other type of product if it turns out that product is defective, why not software manufacturers?
If someone eggs my house, I can't shoot out their tires to keep them from coming back. I report them to the police, and it's taken care of from there.
OR, if I'm in a gated neighborhood, they install a guard, and only allow residents and invited guests in.
Either you contact authorities, or you get your ISP to block the traffic (and if your ISP won't, it's time for a new one). Vigilante justice never works out in the long run.
Questions:
1. How would you protect yourself from damage claims coming from the owner of the attacking machine?
2. Who will determine that the process running on that other machine is, beyond doubt, malicous code? Can you make that call independent of others? If so, see the first question.
-- Slashdot: When Public Access TV Says "No"
This is simply vigilante hacking, supported by selective quotes from Black's Dictionary (the finest source of misleading legal information anywhere). It is telling that Mullen simply discards admin notification as a step; his software doesn't do so much as fire a warning shot across the bow before mounting its own attack. Some obvious problems:
1. Mullen's thesis essentially comes down to the idea that a compromised system is like a rabid dog. But this is a misleading, and emotional, simile; a worm does not pose the health dangers described by Mullen. Its threat is one to property, not safety, and thus the threshold to action is correspondingly higher.
2. The idea that private individuals should have the right to attack and compromise the systems of others is remarkable, not least because he doesn't suggest that those individuals should be subject to tortious responsibilities for their hacks: he does not himself accept the legal responsibility he insists others take.
3. In the world of the author, all systems are evidently equal: if my home workstation is being tagged by a worm from an American Express server, I would be able to hack AmEx (or the government!) with impunity. This is obviously an insupportable doctrine; if someone is lobbing water balloons at me, I don't have the right to trespass on a government installation to stop him.
4. Finally, Mullen argues for active attacks against compromised systems because passive defenses are, well, just too much trouble. But they are certainly no less trouble to create and maintain, and much less disruptive, than a horde of automated systems hacking their way through the Internet and claiming self-defense as a justification. Where a passive defense is available, one should provide convincing reasons why not to use it. Mullen could build a fence; instead, he prefers to use firearms.
Somewhere I have a hornbook on tort law that contains an article by Judge Posner on a similar topic: that of tripwire defenses used to secure property. He convincingly demonstrates, through case law and economic analysis, why such weapons are a Bad Idea in law and society. Perhaps Mullen should take off his smoke-colored glasses and look at the issue as something other than a technical problem.
"Freedom is kind of a hobby with me, and I have disposable income that I'll spend to find out how to get people more."
I can't remember the name of the company, but last year I had just installed IIS, then ran to the store. By the time I got back, around 45 min later, I had already been hit by Code Red. There was a message on my screen saying 'You have been infected by Code Red. We did not infect you. Your server is trying to infect us. Please look on your hard drive to prove how open your system is. You can click here for more help. Again, we did not infect you.' (something like that anyway.) They left a small folder in my WINNT/system folder that had a link to them. Once I clicked their link they had other links on how to remove it; you could download the script they wrote so you too could load it and detect other people infecting you. And they had stats on how many servers had tried to infect them already (around 2000), and they explained more how they were only trying to inform those that were attempting to infect them to be more aware about Code Red. I have the link and script at home, not with me here. Sorry.
If my neighbor leaves and his stereo kicks on at a loud volume, which annoys me, I don't think I have a right to break in to shut off the stereo. The "right" to do something like that has to really match the threat posed. If someone else's network is threatening yours, you should first do everything you can on your own system to block them. If you can't block them, then consider the real severity of the threat. And if you break in, be prepared to have to justify yourself.
You don't have the right to trespass on someone else's network. Ever. You can contact them and discuss the problem; if that does not produce satisfactory results, you contact their ISP (and so on, up the chain, until you eventually talk to a Tier-1 ISP).
There is always a way to take care of the situation. Nobody wants to have their Internet service cancelled by an upstream provider because they violated their TOS by ignoring reports of a DoS attack originating on their network.
And your immediate reaction shouldn't be to launch an attack back at them. It should be to block the offending network at your own firewall. Come on people, this is Network Administration 101. I can't believe it's even being discussed.
Tired of FB/Google censorship? Visit UNCENSORED!
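Several posts above converge on the same non-strikeback procedure: identify the sources probing you (the Code Red note-leaving company did exactly this from its own logs), block them at your own firewall (widening to the whole class C when a netblock keeps hitting you), and contact the operator or their ISP. The script below is an added example of that procedure and is not code from this thread, from Mullen, or from the company that left the note. It scans constructed access-log lines for the Code Red probe signature (a `GET /default.ida?` request whose query string begins with a long run of `N` or `X`, as Code Red and Code Red II sent), aggregates the sources per /24, renders `iptables` DROP rules as strings without applying them, and lists the sources to report. The log lines, the per-/24 threshold and the `INPUT` chain are assumptions.

```python
"""Worm-probe triage from web server access logs.

Added example for this thread; it is not code from Mullen, from the
thread, or from the company that left the Code Red note.  The log lines
are constructed, and the /24 threshold and the iptables chain are
assumptions.  It does what several posts recommend instead of strikeback:
identify the attacking sources, block them at your own firewall, and
build a list of operators to contact.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Combined-log style line: client IP, ident, user, [timestamp], "request" ...
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"'
)

# Code Red v1/v2 probed GET /default.ida?NNNN... and Code Red II used
# XXXX..., each followed by %u-encoded shellcode.  A long run of N or X in
# the default.ida query string is enough to recognise the probe; the
# shellcode bytes are not needed for that.
CODE_RED_RE = re.compile(r"^GET /default\.ida\?[NX]{20,}")

# Constructed sample: three probing hosts in 203.0.113.0/24 (one of them
# twice), one in 198.51.100.0/24, one benign request, one unparseable line.
CONSTRUCTED_LOG = """
203.0.113.5 - - [20/Jul/2001:10:01:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 400 325
203.0.113.9 - - [20/Jul/2001:10:01:40 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 400 325
198.51.100.20 - - [20/Jul/2001:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1234
203.0.113.77 - - [20/Jul/2001:10:02:13 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 400 325
198.51.100.21 - - [20/Jul/2001:10:03:51 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 400 325
this line is not an access-log record
203.0.113.5 - - [20/Jul/2001:10:04:30 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 400 325
""".strip().splitlines()


def parse_line(line):
    """Return (client_ip, request) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("req")) if m else None


def find_probes(lines):
    """Count Code Red style probes per source IP."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and CODE_RED_RE.match(parsed[1]):
            hits[parsed[0]] += 1
    return hits


def plan_blocks(hits, net_threshold=2):
    """Choose what to block.  A /24 with at least net_threshold distinct
    probing hosts is blocked whole (the 'block the whole class C' step);
    a lone host is blocked as a /32.  Widening beyond /24 is left to the
    operator, as the poster above says he does by hand."""
    hosts_by_net = defaultdict(set)
    for ip in hits:
        hosts_by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    blocks = []
    for net, hosts in hosts_by_net.items():
        if len(hosts) >= net_threshold:
            blocks.append(str(net))
        else:
            blocks.extend(f"{h}/32" for h in hosts)
    return sorted(blocks, key=ipaddress.ip_network)


def iptables_rules(blocks, chain="INPUT"):
    """Render DROP rules as strings; nothing is applied by this script."""
    return [f"iptables -A {chain} -s {cidr} -j DROP" for cidr in blocks]


def notification_list(hits):
    """Sources to report to their operator or abuse contact, busiest first.
    Looking up the actual contact (whois / abuse mailbox) is not done here."""
    return hits.most_common()


if __name__ == "__main__":
    probes = find_probes(CONSTRUCTED_LOG)
    for rule in iptables_rules(plan_blocks(probes)):
        print(rule)
    for ip, count in notification_list(probes):
        print(f"notify operator of {ip}: {count} probe(s)")
```

On the constructed sample the three hosts in 203.0.113.0/24 push that netblock over the threshold and it is blocked whole, while the single host in 198.51.100.0/24 is blocked as a /32; the benign request and the unparseable line are ignored. The rules are printed rather than executed so that a human decides what goes into the firewall, which is the whole point of the posts this illustrates.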
Yes, and.. one point I haven't seen made yet: The government can't vaccinate your children without your permission. They can kick them out of school, isolate them and make your life pretty miserable, but they can't invade their bodies without due process of law, which is missing in this equation.
And now DUCK, because here comes the straw man:
I think the main reason for the knee-jerk criticism from the likes of Schultz is that they work largely in a theoretical rose-colored world of security, where all problems are solved after a cup of coffee and a bit of pontification
While it's valid to argue that Schultz is responding knee-jerkedly (somebody have a better adverb?), it's not valid to attack him by virtue of the fact that he's an academic and to denigrate him with the cheap-shot coffee comment.
Academics study things like unintended consequences, the big picture, etc.. These are things most geeks can't be bothered to consider. While stupid academics tend to rise to the top in the media, very few are actually addle-headed theoretical bloviators. These smart people can contribute a lot to our discussions.
As for the actual argument about killing others' rogue processes, I don't have anything original to say, but in the "real world" it would be called vigilantism and trespassing.
Yes, it's a blog. Sorry if that offends you.
Mullen's proposal is very different from the RIAA's.
The RIAA wants the right to hack your computer because they suspect you copied CDs. Metaphorically, they want the right to break into your home because you sneaked into the disco without paying.
Mullen wants to shut you down if you attack him. Metaphorically, he wants the right to knock you out if you try to rob him.
Guess what, in the real world, one of these rights already exists. It's called self-defense. The point is that the two things are not only related, they also depend on each other. The RIAA hacking your machine will not stop you from copying CDs. Shutting down your machine will stop the virus from spreading, at least temporarily.
Assorted stuff I do sometimes: Lemuria.org
This concept relates to self-defense, and deadly force. Follow along with me...
If a person is in public, and is threatened, that person must make every reasonable effort to avoid the use of deadly force as a means of self defense, prior to using such force. He must attempt to leave the scene, etc. In short, there is a Duty to Retreat.
If, however, that person is in his home, his own property, that person may use deadly force as a means of self defense without having to exhaust every means of escape or avoidance. On his own property, a person has No Duty to Retreat.
How is the scenario for Cyber-attack any different? Unlike most of the people commenting on this article, I believe you do have the right to take active measures in protecting your property.
Obviously, we're not talking about deadly force... We're simply talking about electronic countermeasures.
If an unsecured system on the Internet has been infected by a malicious program, and is now launching its own attack against your system, your property, denying you the use of bandwidth or resources that you are paying for, I think you're perfectly within your rights to put the attack down, and if necessary, the offending system.
A person utilizing the Internet has a certain responsibility not to cause harm, either through action, or inaction. Most people on the Internet today seem tragically unaware of this. Without this, the Internet is ripe for a tragedy of the commons situation.
Is it wrong to still believe that with Rights come Responsibilities, or that with Privilege comes Obligation?
Your right to swing your arms around recklessly ends at the tip of your fingers, and at the beginning of my nose.
I think Tim Mullen is 100% correct, and I'm surprised there aren't more people that agree with him.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
If I am being DoSed by a computer (or several computers) it can cost a company thousands, if not tens of thousands of dollars. If I'm a sysadmin of Yahoo! and my service is interrupted, I want every means possible to shut down an attacking system. Most of the time ISPs ignore pleas about DoS attacks (just ask anyone on IRC!)
The tools he's talking about use the same exploits the worm/virus/trojan does, but instead of doing something bad, it kills the flooding. If you have an insecure machine, you're lucky that you don't get sued by it.
There will come a time when you *can* be sued for having an insecure machine used as a proxy for a hack. Until then, his solution seems to be a good real-world solution.
Moderation: Put your hand inside the puppet head!
The right to exercise self defence IRL is recognised in both International and National laws providing the defence response is proportionate to the assault.
As an IT Professional with some interest in the security arena I think I could live with the same situation with regard to IT security providing a similar burden of proportionality existed.
I suggest that a proportionality criterion also allows a firm distinction between the demands of RIAA/MPAA for cracking rights for minor civil copyright violations and the rights of a system operator/administrator seeking to halt a DDoS attack or worm attack by remotely halting the attacking process.
- You know they're vulnerable, because you know how the worm got in.
- Everyone else knows they're vulnerable, because the worm is being noisy about it.
Face it, those systems are going to get owned, one way or another. His proposal is to neutralize them before some script kiddie strings them all together for a DDoS attack. The converse is that a properly patched system is NOT vulnerable to strikeback, because the strikeback proposal only targets well-known worms. If your systems are vulnerable to well-known worms, then you have bigger problems than the possibility of having a process killed by this guy's neutralizing agent.
So, he's not talking about giving or gaining any kind of power. The ability is already there. He's talking about whether or not it's a good idea to use it.
Here's an analogy:
A guy in the apartment above you has left his door unlocked and then gone away. A malicious child walks in and turns the tap on for a laugh and then leaves. A while later the apartment is flooded and water is pouring through the ceiling into your property. Do you have the right to walk in through his unlocked door and turn off the tap?
I know what I'd do. It might not be legal, but I don't think anyone would stop me or arrest me and I don't think the owner would mind that much either.
Nick...
....the law grant us the permission to kill malicious users, instead.
There is a reason why this is generally frowned upon in real life... It's because the person who takes the law into their own hands often decides their own definition of justice. Your method of terminating the process may be wildly different from Joe hacker's, who is more than willing to format your hard drive to do it, even if you have no knowledge of the worm.
Let's face it, this is going to be another elitist club here. After all, what percentage of the population would have the knowledge to do this sort of remote termination? And then there is the age old question of the UN-- Would you allow those incompetents to attempt to terminate processes on YOUR computer? I know, I know, your computer is secure, whatever. But would you let AOL Joe have a crack at your computer like you have the right to crack his? BE HONEST NOW. Hell no.
I'll admit, vigilantism has its positive points, but when you can just as easily set up a firewall and run anti-virus or something on a regular basis, it really doesn't give you the justification to [analogy] break into somebody's home to turn down their stereo because it's annoying you [/analogy]. After all. If you're l55t nuff to terminate stuff remotely, you should be l55t enough to block it just as easily.
You need a FREE iPod Nano
I've always wondered why someone hasn't taken the time to modify existing worms to simply patch the holes they exploit. Or even disable the box on some level. It wouldn't be hard to accomplish either, I could probably do it in an evening if I had the time...
The moral is that one must be very careful when constructing laws that propose solutions to difficult problems. Any law making it legal to hack somebody's machine is subject to enormous abuse, and should not be lightly passed.
But there has to be a grey zone in between. Where do we draw the line? Where do you think a judge will draw it?
In Murphy We Turst
That *isn't* a better analogy though. If you don't like the man with the disease, you can walk past him. You don't have to let him persistently spit in your mouth 6 times a day or rape you, while you just stand back and take it (the equivalent of a worm trying to infect your system using known vulnerabilities).
These viruses are attempting to infiltrate your systems *maliciously*. The unfortunate sick man from your analogy is just minding his own business and trying to survive. He's probably already seen a doctor, because it's *HIS* problem, not yours.
It doesn't matter if it has been defined as a worm or not - you have the right to protect yourself or your own property from theft/damage/rape/disease by a 3rd party and use reasonable force to do so (in the UK anyway).
Nick...
If I have the flu, I have a moral duty not to infect others with it. But what if, through necessity or ignorance, I do so anyway? Others in my environment do not have the right to forcibly vaccinate me against the flu or to force-feed me antibiotics, much less to restrain me from going about my business (unless they work in a sterile environment).
The appropriate response for people at risk of catching my disease is to avoid me, to take steps to protect themselves from me--not to stage a counter-invasion.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
The idea of writing "strikeback" scripts, as you describe, has been tossed around before. I recall reading a quick-and-dirty script for Apache posted on slashdot some time ago that would detect attacks from machines infected with Code Red, and would then exploit the security holes Code Red had opened on those machines to clean them. I used to support this idea, but I'm afraid after some thought, I've changed my mind.
I'd agree that if a worm is running on someone's machine without their knowledge, then the owner of that machine has no rights to that process (the obvious exception being the person who is spreading the worm, who runs it intentionally on his or her own machine, but we'll ignore him or her for now). In order for you to terminate that process, however, you have to break into their machine, and run your own process. You are, in effect, creating your own worm. Your worm may only run for a short while, and may be "for the greater good", but that doesn't change the fact that you are running code on other people's machines without their consent.
Even if we opt to ignore the ethics and look at this from a more practical angle, can you guarantee that your strikeback process is not going to adversely affect the machines it cleanses? What if your strikeback process causes a machine gathering scientific data to reboot, or kills the wrong task? This has the potential to set someone back by several days in their work. What if it reboots a machine monitoring medical equipment? You could end up killing more than just a process, if you catch my meaning, however unlikely that may be.
Since you are intentionally running a process on someone else's machine, you are accountable for its results. If you cause damage to a machine, or cause data to be lost, even if it is inadvertent, you open yourself up to litigation from the owners of those machines.
Treating computer processes and network connections as extensions of human beings ignores the great complexity of computer systems and the irreducible nuances to responsibility, origin, and intent such machines introduce.
Translating your argument into the world of atoms, that would be like holding someone responsible for a vandal who goes into someone's unlocked car, releases the emergency brake, and lets the car go careering into a crowd of innocent bystanders. Just because computers seem to "act" does not mean that their actions are always the fault of their owners, secure systems or no.
The key is to hold those who crack systems accountable for their actions and to educate victims about how to better secure their systems. Those users unwilling or unable to secure their systems should pay third parties to secure their systems for them.
Even the best secured system is not uncrackable. Would you hold the best sysadmin in the world responsible for a script kiddie's lucky guess?
Your post says you would.
blog
That's the way it is already. If you left your door wide open, knowing people were going into houses and blowing up entire neighborhoods, you would be responsible. If the lock was defective, and the manufacturer knew that and didn't take corrective action, then they would be responsible.
Best Slashdot Co
You don't have that right for lots of good reasons. Do I have the right to go into someone's house and unplug their stereo if the noise is annoying me? Nope. Should I? Of course not. If the noise is bothering me I'm supposed to call the police. If the attacks are bothering you, call their ISP. Vigilantism is not the way to handle things, especially since what they may be doing might not even be illegal, but what you might do in response is.
Here are some good reasons why this guy should not be messing around with other's computers:
BTW, I had a linux box get owned by the ramen worm a couple years ago. I never knew (I rarely used the box) until I got a call from my isp (my school at the time) telling me they had received a complaint from someone claiming I was scanning their network. They said they would disconnect me if it continued. I fixed the box, didn't get disconnected and the world was a better place once again. If my computer goes haywire and starts doing things it shouldn't, I accept that it may be pulled off the internet. I signed a contract saying that. I did not sign one saying anyone was allowed to log onto my box without my permission and try to fix things. If someone breaks into my computer, I'll press charges. It doesn't matter if they say they were only trying to be helpful, I can't/won't trust them.
I have personal info on my computer. I don't want anyone else getting it. If I send them to jail and have their computer confiscated, I'll at least have a better chance that they don't have any of it.
Life is too short to proofread.
Code that will neutralize South Korea!?
Insanity is the last line of defence for the master diplomat. But you have to lay the groundwork early.
So, you want to implement technology where any random third party can kill processes on your servers? In what universe should security people "get this"?
Stealing someone else's insightful post.
We do "get it." It's called "vigilantism" and in a country based on law it's a bad idea. There's neither a need nor room for Wyatt Earp in the twenty-first century.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Computers don't have rights or responsibilities. Processes don't have rights or responsibilities. If computer A attacks computer B (via a worm or whatever else) and computer B "strikes back", self-defense is a fair metaphor, but it isn't a relevant legal or ethical argument, because computers don't have rights.
Computers are property. More specifically, my computer is my property. I have a right to keep my property, and you have a responsibility to keep your hands off my property, and if you don't keep your end of that agreement, you've broken the law and I can bring the government into it.
Yes, your property rights are violated if my computer has a worm that attacks yours. Maybe the government will acknowledge that and step in, and maybe it won't. If you don't like the way the government handles this, elect somebody who will change it, write a letter to your legislators. But the government's refusal to step in doesn't mean, as Mullen asserts, that the owner of the attacking computer has no responsibility. It just means that the government has opted not to hold him responsible. The only way to fix that is democratically.
But suppose Mullen is right about that, and this person has no responsibility. He says "no responsibility means no rights". Wrong. The constitution says that no person shall be deprived of life, liberty or property without due process of law. In practice, that limits the action of government, not offended sysadmins. But the principle here is that my rights are my rights, and nothing I do, however bad, forfeits them automatically. Maybe, after a fair legal process, society (i.e. government) may decide to take away some of my rights (i.e. lock me up, fine me, whatever). But not before. That's a fundamental part of the social contract which makes us civilized.
Then Mullen makes a different argument: the rights of the many outweigh the rights of the few. (Thank you, Spock.) Maybe. But the same principle applies. My rights are my rights. Maybe you can get a court order to require me to donate blood, if it will save 100 lives. But if you take my blood without getting the court order, you have still violated my rights and broken the law.
Now, if the guy who took my blood is a real hero, and believes what he did was right and necessary, then he'll say that going to jail is a small price to pay for saving 100 lives. Good for him. If Mullen really believes this is a case where the law runs contrary to ethics and morality, he can wear a grey hat and illegally hack systems for the greater good. But unless he's willing to wear a black hat, he'd better admit what he's doing is illegal, and a violation of rights, and be prepared to take the punishment when he does it.
IANAL, yadda.
While GuiltyOfThoughtCrime = True
Do
InvoluntaryElectiveBrainsurgery (GuiltyParty);
(* Thanks, but I think I'll pass. I'd rather own my own machine. *)
You see? You see? Your stupid minds! Stupid! Stupid!
This is getting a little silly, but the diseased guy knows where you live and is standing in your doorway with an infected needle. Are you really going let him keep stabbing you with it, even if you know you are immune to his disease?
I get your point and respect your opinion but I think I would still want to prevent someone from using up my DSL line to try and hurt my machine and if the guy upstairs left his tap on, I'd have no guilt over turning it off.
Nick...
his idea is a hell of a lot more invasive and more "wrong" than simply noting an attack, blacklisting the source and sending the ISP an email notifying them of the situation.
I realize that it's frustrating as a sysadmin to see attacks from the same place, by the same virus/worm all the time, but the answer isn't a counter strike. it's to simply contain the virus and let the people that are infected unfuck themselves and learn from their mistakes.
besides, even if it weren't morally and ethically wrong, just who would control such a program? would sysadmins have to be federally or state licensed, much like concealed weapons holders? who would be there to ensure that the vigilante sysadmins weren't abusing their abilities and crushing boxes left and right, then claiming that they were being attacked.
no, a knee jerk reaction of "wtf! this mother fucker's infected and trying spread it on to me! fuck him! I'll fuck his box up for that shit! stupid dumbass n00b!" isn't going to advance the Internet community, sysadmins or users anywhere. just stick to blacklisting IPs and domains. it works.
The World's Worst Webcomic!
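The post above, like the earlier mention of an Apache script that spotted Code Red traffic, describes the defensive alternative to strikeback: recognise the worm probes in your own web server log, blocklist the source, and notify its ISP. The following is an added example of that workflow (not code from the thread or from Tim Mullen); it assumes the Apache combined log format, and the log lines, IP addresses and abuse contact in it are constructed placeholders.

```python
"""Spot Code Red / Nimda probes in Apache combined logs, build a blocklist, draft an ISP note.

Added example for illustration; the log records and addresses below are constructed.
"""
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Well-known request signatures of the two worms the thread discusses.
# Code Red hits the .ida ISAPI filter; Nimda hunts for root.exe / cmd.exe via
# directory-traversal encodings such as %255c and %c0%af.
SIGNATURES = {
    "CodeRed": re.compile(r"^GET /default\.ida\?", re.I),
    "Nimda": re.compile(r"(root\.exe|cmd\.exe|%255c|%c0%af|%c1%1c)", re.I),
}

# Constructed sample log (RFC 5737 documentation addresses), with one benign
# request and one malformed line to show that parsing failures are skipped.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Aug/2001:03:12:44 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 287
192.0.2.10 - - [19/Aug/2001:03:14:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 287
192.0.2.10 - - [19/Aug/2001:03:15:31 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 287
198.51.100.7 - - [19/Sep/2001:11:02:10 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [19/Sep/2001:11:02:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [19/Sep/2001:11:02:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
203.0.113.5 - - [19/Sep/2001:11:05:00 -0400] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [19/Sep/2001:11:05:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
this line is not a valid log record
"""


def parse_line(line):
    """Return the fields of one combined-log record, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(request):
    """Name the worm whose signature the request line matches, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None


def analyze(lines, threshold=3):
    """Count worm probes per source IP; sources at or above threshold go on the blocklist.

    The threshold keeps a single stray request (a scanner, a mis-classified URL)
    from blocklisting a host, which is the proportionality point raised in the thread.
    """
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["req"])
        if kind:
            hits[rec["ip"]][kind] += 1
    blocklist = sorted(ip for ip, c in hits.items() if sum(c.values()) >= threshold)
    return hits, blocklist


def hosts_deny(blocklist, service="ALL"):
    """Render the blocklist as TCP-wrapper hosts.deny lines (the 'blacklist the source' step)."""
    return "\n".join(f"{service}: {ip}" for ip in blocklist)


def abuse_report(ip, counts, contact="abuse@isp.example"):
    """Draft the note to the source's ISP; the contact address is a placeholder."""
    summary = ", ".join(f"{n} {kind} probe(s)" for kind, n in sorted(counts.items()))
    return (
        f"To: {contact}\nSubject: worm traffic from {ip}\n\n"
        f"{ip} sent {summary} to our web server and is probably infected. "
        "We have blocked it locally; please contact the customer."
    )


if __name__ == "__main__":
    hits, blocklist = analyze(SAMPLE_LOG.splitlines())
    print(hosts_deny(blocklist))
    for ip in blocklist:
        print()
        print(abuse_report(ip, hits[ip]))
```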
Sure they do. Through negligence lawsuits. It's why you have homeowners or renters insurance. So that when you negligently forget to clean your toaster oven and burn down the entire row of condos your insurance company pays for the damages. Unless you have insufficient insurance, in which case you pay the damages.
whatever happened to hosts.allow and hosts.deny on a firewall??? simple answers to simple problems.
On a legal level this should be peachy. If your server is being attacked, you should be able to respond. On a systems security level, this is NOT OK. Giving access to other companies/entities to shut down processes on machines which they are not entitled to access is more of a security hazard than what it intends to fix.
--That, I think, is a good point. The solution, however, is not to make the counterattack legal, thus continuing to absolve people of responsibility, but to make the owners of the systems legally responsible for their failure to secure their systems. If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.--
What about the software companies that make their software so easy to exploit? It doesn't seem fair that the user should have to keep up with this 24/7.
This policy would be irresponsible to both the owner of the system and the vigilante cracker.
System owners get in trouble because suddenly someone has another reason to mess with their machine. It's not clear-cut for even an expert- You might say that it's criminal negligence to leave a system unsecured. Actually, no. We don't have the legal definition for these things yet. Furthermore, there's already an incentive for system owners to secure their own machines- the integrity of their own services and data.
Vigilantes are also on thin ice because it's easy to do more than you intended when "defending the law", and even the cops are in danger when they fuck up. What will you do when you accidentally cause collateral damage in the commission of your act of citizen policing? What if you just have the totally wrong machine? You don't have the authority of a uniform and a department to back you up.
All in all, this is a thoughtless proposal that should never be accepted by any legal authority worthy of the name.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
I'm guessing that one will be allowed and one won't. You can guess which one....
http://www.rootstrikers.org/
Exactly what I'm saying! Some idiot l33t kid decided to root your box and use it to attack other people. But you were the one who didn't take reasonable measures to prevent the rooting, such as applying the appropriate patches. You were negligent and your negligence resulted in damage to other people. That's why you have insurance.
This is a much more frightening specter than anything else Tim mentions in his column. This mantra can and would be applied to many other areas if such a policy became commonplace. Apply this to dissemination of knowledge. Suppose I have data available on my webserver that is viewed as "malicious", say how to build a bomb or exploit commonly known vulnerabilities in a web server. Does this give someone the right to remove said data from my server simply because I have a disclaimer saying I have no responsibility for how someone might use this data? This sounds like a piggyback onto another round of "strategic protection of US citizens", i.e. read "strategic reduction of fundamental freedoms of US citizens".
"No responsibility means no rights" gimme a break.
Every computer connected to the internet is a "server". I'm sorry, but my grandmother does not deserve to be put in jail because she didn't know enough about computers to apply the latest Microsoft service pack to her Windows box, to patch a problem that Microsoft created in the first place.
There is probably a good solution to this problem, but making ordinary people "responsible" for the bad coding standards at Redmond is NOT IT! If someone trespasses on your property, then shoots someone else, are you responsible because you failed to secure your property? If you buy a defective coffee pot that you use as directed, yet it catches on fire and burns down your apartment complex, are you responsible?
The answer is no, but perhaps the manufacturer of the coffee pot is.
WWJD? JWRTFA!
Hey, has anyone ever written a worm that somehow benefits the "infected" systems by ... say... killing off other viruses?
Imagine a worm that installed an antivirus program....
could we call this an inoculation?
42 - So long and thanks for all the fish.
with Mr. Mullen's proposal, is this.
He sees the world this way: 1. People are negligent, and allow machines to become compromised, which allows harm to come your way. 2. Therefore, if people will not defend their own machines, you should be able to defend yours by disabling theirs.
This is a little like the following: 1. People are negligent, and allow their cars to get stolen, which allows hit-and-run drivers to take you out with them. 2. Therefore, if people will not defend their own cars, you should be able to defend yours by being given a rocket launcher to disable theirs.
The second example sounds kinda weird, doesn't it?
I've watched "World's Scariest Police Chases" and suchwhat. If a driver's acting like a maniac, the police bust out these cars with large ramming devices on them, and beat the crap out of the offending vehicle. If someone is driving recklessly on the highway, I can't just take my SUV and ram them off the road myself.
While I may have justification for doing so -- after all, that driver is endangering me and those around me -- I do not have authority. There is a reason that only police are given the power of arrest and other various things they have. (Just try walking around with a pistol in broad daylight in Philadelphia, for example.)
Mullen would have us all issued shotguns, to defend ourselves from any would-be vandals and thieves who enter our homes. While it is justifiable for us to use these weapons against those who would cause us harm, is it really wise to give everyone a shotgun? There are most certainly those who would use them improperly. The obvious solution, of course, is to give everyone some sort of shield, that prevents them from being hit by a shotgun shell, to protect us from bad users of shotguns. But, uhm, then shotguns don't work against the vandals, because they have shields too. So a perpetual arms race against ourselves would develop.
There's a reason weapons aren't issued to us for our own defense -- collectively, we are not responsible enough to operate that way. Only special agencies are given the Authority to administer Justice; justice itself does not belong to the rest of us. Unfortunately, we don't have an "internet police force", nor would one even be desirable.
But ISPs can still pull the plug on users who aren't operating "correctly," and University and other networks can block down a MAC address if it's causing trouble. And that's about as close as we really should want.
RIAA: We want to hack back because we're the victims of piracy.
DARPA: We want to track all the minutiae of your life because we want to find terrorists.
Mullen: We want to exercise a(n admittedly limited) degree over your systems because they're harming us.
These notions aren't necessarily wrong, but any proposal to allow people to be exempt from laws or standards of conduct because they think they have a good reason to be bears careful scrutiny. IMO, this isn't much better than those users who just can't possibly get their job done without having the root password, in spite of the fact that everyone else does. We do not need the ability to manipulate others' systems to suit our security needs. I'd suggest a much better solution is responsive ISPs at all levels. If you're hosting a DDoS client, cut their feed and we mean now, or we (the guys above you) cut yours. Likewise, if we don't cut you off, we get cut off by the guys above us. Perfect? Nope, but I'm more comfortable with this than letting any yahoo who happens to think they're under attack by my systems have the right to cause my server to start or stop doing things without regard for the outcome.
Mr. Mullen's idea isn't stupid and it might not be "bad", but it is definitely not the right solution.
Pii said, "Wow, great response..." thus giving me cause to smile.
I forgot to add that the courts have, in the past, interpreted the Oklahoma Computer Crimes Act of 1984 in a very strict manner. For example, Ryan Breding was running a warez site at OU in 1997 and was prosecuted not only for the copyright violations, but also for violation of the OCCA because the popularity of his site affected bandwidth at the school. In other words, under the 1984 OCCA, simply having a site that is more popular than your provider anticipated can be a crime in Oklahoma if that impacts the bandwidth of your provider.
How is that germane to the current topic? Well, I suspect - remember IANAL, and this is only opinion - that the same courts that decided slowing a school's connections is a violation of the law would also consider interrupting the function of a webserver by causing a reboot to be a similar violation. Further suppose that the target system is a) in Oklahoma, and b) running NT...
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
Whenever some Korean faggot spams me, I do a:
smbclient -L $IPADDRESS
From this I get the netbios name of the computer, and then do a:
smbdie -i $IPADDRESS -p 139 -t $NETBIOSNAME
This blue-screens the offender's computer. When I'm satisfied it works (some people have patched their systems), I add it to a cron job to repeat every 4 minutes.
So the spamming faggot doesn't get a chance to spam me as he is continually rebooting.
So yes I agree 100% with the suggestion that we take down others' malicious processes. If only it were so easy to bring the US military industrial complex back into line...
Well, gosh-durn it, Son! Was it the Iraq analogy, a perceived slur against inbreeding, or is it simply that you are generally in favor of computer worms?
Speak up, Son! Don't leave me in suspense. I gotta know how to refine my routine. If I know what gets under your skin, then I can purify it and hopefully make you break out in hives some day! Stupidity-specific pathogens; that's the goal here, Son. --Seeing as how you're obviously not quite dumb enough for Darwin to have taken care of himself. (Where Darwin fails, the rest of us have to roll up our sleeves.)
-Fantastic Lad
After reading the article and the discussions posted on the CounterPane site, everyone seems to be harping on the same issues over and over again.
First of all, people are using really bad analogies to try and prove their point but I think they're just missing what exactly Mr. Mullen is trying to say. Breaking into peoples houses, loud dogs barking, and slapping your neighbor's kid for mouthing off are just some examples of these (IMHO) "flawed" analogies.
I don't think you need an analogy to understand the situation. When is it ever LEGAL to be an unauthorized intruder in someone else's computer system? That's right, never. (If you have permission, it's not unauthorized. If you own it, it's not someone else's.)
The reasoning behind this proposal is to allow the "victims" of a "relentless attack on their network" the right to "neutralize a worm process running on the infected system". "Neutralize", in this context, can basically be read as "obtain unauthorized access to the infected system and terminate", presumably by exploiting some vulnerability in the system (since most modern OS's do not allow anonymous people to just terminate processes at will). However, in doing so, the "victim" here is assuming the role of an unauthorized intruder and thus breaking the law. And there's a damn good reason why things are set up like that (at least in the US).
Hell, even the police (supposedly), need a search warrant or permission to access your computer systems and read your data. Why would I want to give that ability to every "administrator" that hooks a system up to the internet just because they don't like the data that my computer is sending to theirs? If they don't like it, they have several available options including contacting my ISP to shut off my service, contacting their ISP to block my address at their upstream router, or (in the case of criminal actions) contacting the police. If what my computer is doing is not a criminal act, and neither my ISP nor theirs wants to act on it, maybe they need to find a new ISP or maybe what I'm doing is not a large enough nuisance for anyone except the "victim" to care.
Another problem with this proposal is what exactly constitutes a "relentless attack"? What about an attack that isn't relentless? What about unsolicited commercial email (aka SPAM)? Who gets to say whether something is an "attack" or not? There is way too much "grey area" there for any sane person to just blindly give out ROOT LEVEL ACCESS to their systems based on such a statement (killing arbitrary processes is definitely a root-level operation).
From his original paper, I found the following paragraph particularly troubling:
I say that we have the right to defend our systems from blatant worm attacks, and that we are within our rights to take measures to stop an attacking system from further infringing on our assets, consuming system resources and service availability, and from their ultimate attempt to compromise our systems.
He's talking about "Code Red" and "Nimda" specifically so I'll use those examples also. When you hook a web server up to the publicly accessible internet, you are implicitly allowing other systems to send HTTP requests to you over port 80. How you can say that certain requests are "infringing on [y]our assets" is beyond me, but then again, I don't agree with much of the logic of Mr. Mullen's argument. And, yes, each request consumes system resources and if you get enough of them, it could affect the service availability of your web server. However, by putting up a web server, you are implicitly allowing such requests. As far as their "ultimate attempt to compromise our systems", that is a legal matter and should be tracked and referred to the police. You don't have the resources to do that? Well, how important is it for you that the "attacks" stop?
Sorry, Mr. Mullen, but I disagree with your proposal and your opinion that you should have the right to access my computer system without my authorization. Let's leave this up to the authorities and just worry about securing our own systems. Your "right" to defend your system/network from worms stops at my system/network.
So, since an ISP won't give you the customer's info without a court order, and obtaining one could take weeks or months, wouldn't it be logical, that when reported, after a certain period of time, the ISP becomes liable? I even believe there are points of law to support this.
Point being, if so, how does one perhaps advise and enforce this on ISPs, and secondly, how does one implement a system that allows an easier way of dealing with this?
Currently, dealing with such "Internet Giants" as Comcast and RoadRunner has resulted in nothing but email after email after email, begging, pleading, explaining, complaining, and eventually threatening legal action - and regardless, no action but the automated response.
How much can you sue a negligent ISP for damage to image (for instance, spoofed emails with derogatory or virus laden content), loss of bandwidth or other profit generating resources, etc?
I think this may be the big issue. With a simple "Check here what type of attack you are reporting" and a submission field for the IP address, a simple automated routine could monitor, verify and take action [whether informing a (for instance) Comcast tech or automatically blocking that type of/or all traffic from the offending IP].
For many types of attacks (other than Code Red, Nimda, etc. - this consists of 95% of our attacks), since they are ongoing till someone contacts the user and stops them (or blocks their connection, which amounts to the same thing whether they are an innocent infected or guilty of initiating the attack).
These are some of the biggest causes of internet attacks. If you measure the number of businesses and the number of non-commercial entities on the net, and then factor in the massive number of attacks that were Code Red/Nimda/The NeverEnding MS Hole Of The Week Saga... it's interesting to note that selective, planned attacks against businesses by (presumed by myself - and SANS - as well as others) presumably competition ranks in the top causes of such traffic on the net.
In addition, what most non-commercial entities never realize is, name an Internet worm/virus/script... tell me when you think it came out. Now, 80% of you are probably wrong. It came out many months if not YEARS before you think, and was used to target specific businesses. This includes Nimda and Code Red and all their variants. The worms later make it mainstream. We had been receiving attacks like these often a year before someone shoved the vulnerability down MS's throat so they couldn't ignore it. Steve Gibson at GRC has info on some similar incidents.
The ease of it is astonishing, especially with so many "script kiddies" and so many legitimate hackers - jump into an IRC chat room of such type, and claiming to be the business in question, tell them what type of losers they are. Or post such a post with "forged" headers in the newsgroups - it happened to us (newsgroup post). The ISP wouldn't help us, and by the time we knew and responded that the post was not made by us with "proof" ("well, you could have been on a dialin" - "um, not with those host names, which have never been registered to that dialin IP - it's a forged header on a fake post") - by then, attack bots were already being circulated on the IRC channels, much like the ones used against Steve Gibson, attacking us on average 30,000+ a day... some days hitting 6 digits. Our servers can laugh at that, but our bandwidth can't. And you can't firewall it either. Those scripts infect near anything with WinCrap on them. We had universities with OC3s attacking us, people from all over the world, you name it.
If you cant beat the competition, take down their servers. That seems to be the big motto.
If ISPs were liable for inaction, the attacks (including stuff like Nimda and Code Red that could be blocked with simple filters in many cases) would eventually die off.
Just my 1 or 2 cents...
Rob
WebMaster:
BinFeeds
XXX Thumbnailed Image Newsgroups but
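The post above says Code Red and Nimda traffic "could be blocked with simple filters", and the thread as a whole argues about what counts as "relentlessly attacking". The following is an added example, not code from the post's author or from Mr. Mullen: a Python classifier that matches the well-known request paths both worms leave in a web server's access log (the `default.ida` overflow request for Code Red; the `root.exe`, `cmd.exe` and `..%5c` traversal probes for Nimda), tallies hits per source address, and reports sources whose hit count reaches a threshold. The log lines are constructed for the example, the signature list is the widely published one rather than exhaustive, and the threshold is deliberately a parameter: the log can tell you a request looks like the worm's, but "relentless" is a policy choice the operator makes, which is exactly the point the thread is arguing.

```python
import re
from collections import Counter, defaultdict

# Request-path signatures the two worms named in the thread leave in HTTP
# access logs. Both spread over port 80. This is the commonly published
# subset, not an exhaustive list; scanners and hand-run probes produce the
# same shapes, so a match means "looks like the worm", not "is infected".
SIGNATURES = {
    # Code Red: buffer overflow in the IIS Index Server ISAPI filter via a
    # long GET /default.ida?NNNN... request.
    "CodeRed": [re.compile(r"/default\.ida\?", re.I)],
    # Nimda: probes for the root.exe/cmd.exe backdoors left by earlier worms
    # and the Unicode/double-decode directory traversal in IIS.
    "Nimda": [
        re.compile(r"/scripts/root\.exe", re.I),
        re.compile(r"/MSADC/root\.exe", re.I),
        re.compile(r"/c/winnt/system32/cmd\.exe", re.I),
        re.compile(r"/d/winnt/system32/cmd\.exe", re.I),
        re.compile(r"/_vti_bin/\.\.%5c", re.I),
        re.compile(r"/_mem_bin/\.\.%5c", re.I),
        re.compile(r"/msadc/\.\.%5c", re.I),
        re.compile(r"/scripts/\.\.%(c1%1c|c0%af|255c|%35c)", re.I),
    ],
}

# Apache/NCSA combined-format access log line (assumption: the common format;
# adjust the regex for other servers).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Constructed sample log for the example: one Code Red source, one Nimda
# source, one normal visitor, one single Nimda probe, and one junk line.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2001:10:01:12 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 270
10.0.0.5 - - [19/Jul/2001:10:01:13 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270
10.0.0.5 - - [19/Jul/2001:10:01:14 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270
10.0.0.9 - - [18/Sep/2001:08:15:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.9 - - [18/Sep/2001:08:15:01 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.9 - - [18/Sep/2001:08:15:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.9 - - [18/Sep/2001:08:15:02 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.77 - - [18/Sep/2001:08:16:00 -0400] "GET /index.html HTTP/1.1" 200 1043
192.0.2.78 - - [18/Sep/2001:08:16:30 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
this line is not a log line and is skipped
"""


def classify_request(path):
    """Return the worm family whose signature the request path matches, else None."""
    for family, patterns in SIGNATURES.items():
        if any(p.search(path) for p in patterns):
            return family
    return None


def parse_line(line):
    """Extract (source ip, request path, status) from one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def tally_worm_hits(log_text):
    """Count signature matches per source IP and family; unparsable lines are skipped."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, _status = parsed
        family = classify_request(path)
        if family:
            hits[ip][family] += 1
    return hits


def relentless_sources(log_text, threshold):
    """Sources whose total worm-signature hits reach `threshold`, most active first.

    Returns (ip, dominant_family, total_hits) tuples. The threshold is the
    policy knob: the log shows worm-shaped requests, the operator decides
    how many make a source worth blocking (or reporting to its ISP).
    """
    out = []
    for ip, counter in tally_worm_hits(log_text).items():
        family, _ = counter.most_common(1)[0]
        total = sum(counter.values())
        if total >= threshold:
            out.append((ip, family, total))
    out.sort(key=lambda t: (-t[2], t[0]))
    return out


if __name__ == "__main__":
    for ip, family, total in relentless_sources(SAMPLE_LOG, threshold=3):
        print(f"{ip:<12} {family:<8} {total} worm-signature requests")
```

With the sample above and a threshold of 3, the two infected-looking hosts are reported and the single probe from 192.0.2.78 is not; lower the threshold to 1 and it appears too. The output is a list of addresses to feed into a firewall rule or an abuse report, which is the part of the thread everyone agrees is within your own network's remit; nothing here touches the remote host.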
I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network.
Technically speaking, you do. No, I'm not kidding. It's called the right of "abatement", and it's a right dating back a millennium or so. It's even a defence to criminal charges that you were exercising your right of abatement in a manner that was reasonable in the circumstances.
The problem with this is that they might still charge you.
Now if you're willing to take the risk, the right of abatement is a right to take steps to prevent a trespass or nuisance affecting your property or your enjoyment of your property, even if this requires violating the property rights of somebody else from whose property the trespass or nuisance originates. For example, if somebody sits outside your house at midnight, playing a ghetto blaster at maximum volume, and refuses your request to stop, you can slap them around until they stop, or smash the ghetto blaster. Legally, you will be exercising your right to abate a nuisance.
Yes, theoretically this could be applied against spammers and open relays too.