The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #189 [Re: Disassembled virus?] (1 message, 1039 bytes)


From: Paul A Vixie <[email protected]>
To: phage
Date: Wed 02:34:51 09/11/1988 EST
Subject: Re: Disassembled virus?
References: [Thread Prev: 186] [Thread Next: 192] [Message Prev: 187] [Message Next: 191]

# The rest of the code is the "body" of the virus, and is of no interest to a
# sysadmin trying to improve security, but of great interest to some twit who
# wants to write another virus.

I don't agree.  To sysadmins and other white-hat-wearing hackers, the body of
the thing could be quite helpful.  My two main arguments on this point are:

1. many {black,grey}-hat-wearing hackers Already Have The Code.  They have it
   or they can get it.  Not "all" of the bad guys, but some number of them.

2. whatever advantage the body of the worm takes can probably be minimized if
   enough people stare at the code.  It may be something as simple as watching
   for certain patterns of activity in some security daemon; the point is that
   if the structure of the net makes propagation of worms very easy once you've
   found a new hole in some commonly used network service, then the structure
   has a security problem which should be looked into.

# I can think of exactly one use for the code: [...]

And I can think of another.  People _will_ use the general mechanism for other
things; good and bad people with good and bad jobs to get done.

# Do you agree with this transformation [... "plutonium" ...]

No, I don't.  If WGP were already sitting around in 6,000 warehouses owned
by private individuals, waiting to be uncrated and used, I think you'd want
to encourage as much public research into WGP and counter-agents as you could,
and if that included sending WGP to people that didn't already have it.  The
analogy is obviously very weak...