http://212.100.234.54/content/55/28851.html

By Tim Mullen
Security Focus Online
Posted: 14/01/2003

Opinion - A lot has happened since my Right to Defend column in
SecurityFocus Online last July, and the subsequent presentation I made
at the Blackhat Security Briefings in Las Vegas. The idea has
withstood a lot of criticism.

To refresh, I believe you should have the right to neutralize a worm
process running on someone else's infected system, if it's
relentlessly attacking your network. I've even written code to
demonstrate the process. Though the initial news coverage of the
concept was grossly inaccurate in conveying my ideas, it has stirred
up a constructive dialog.

I knew my idea was controversial, but I was wrong about something-- I
figured everyone in the security biz would "get it" and that the hard
part would be convincing everyone else that if they can't or won't
secure their machines, we as the defenders would have the right to
terminate the process attacking us.

It has turned out to be the opposite.

TechTV's Cybercrime news magazine show did a segment about strikeback,
where I talked about my goals and demo'd a couple of my neutralizing
agents. Though the audience of Cybercrime is a much more generalized
group of computer users and enthusiasts, the very people I thought
would cry foul the loudest, I did not receive a single negative e-mail
in response. Every last message was wonderfully supportive, and most
of them eagerly offered assistance and asked how they could
participate.

It has been the "security experts" who have grouped as the opposition,
some even with a level of condescension. For instance, Eugene Schultz
of U.C. Berkeley's Lawrence Berkeley National Laboratory wrote in an
issue of SANS Newsbites that he "hoped no one would take Mr. Mullen
seriously" about this technology, as if it were some joke I was
playing on the community.

To the contrary, I am dead serious -- because we need strikeback. In
fact, had the technology been in place when Nimda first appeared,
institutions like the University of California at Berkeley, for
example, could have been spared the embarrassment of having Nimda rip
through their infrastructure, infecting untold numbers of innocent
external machines just because their IT staff couldn't secure IIS.

I think the main reason for the knee-jerk criticism from the likes of
Schultz is that they work largely in a theoretical rose-colored world
of security, where all problems are solved after a cup of coffee and a
bit of pontification. Those who actually work in the operational end
of network and system security see things as they really are. The men
and women who work the trenches of system administration know that
fast spreading worms like Nimda are a real problem that must be
addressed, and are willing to work for a solution.

No Accountability, No Rights

I was surprised to see Bruce Schneier try to draw a bit of the red,
red krovvy by lumping strikeback with legislation that the RIAA is
pushing -- and U.S. Representative Howard Berman is sponsoring -- that
would permit record companies to legally hack file sharing networks.
He even includes a quote from the "Declaration of the Rights of Man
and of the Citizen" in order to illustrate how such technology goes
against the rights of the people.

I'm not sure of the relevancy of a document the French National
Assembly drafted 200 years ago, but let's ignore that for now. If
anyone's rights are at issue here, it's yours and mine -- the people
whose systems are being attacked by worms and viruses running rampant
on negligently unprotected machines.

Schneier's reasoning ignores fundamental differences -- opposites,
really -- between the RIAA proposal and what my strikeback technology
does. Under the Berman bill, the RIAA could legally hack only people
infringing their copyrights -- people the RIAA already have ample
legal remedies against.

In contrast, my strikeback technique is aimed at an attacking
worm-infected box whose owners have no legal responsibility, and to
whom justice turns two blind eyes. We have no legal recourse against
these people. Maybe in the distant future we can prove that every
owner of a system connected to the Internet has a duty to perform due
diligence in securing their assets, but today proving such a duty
would be quite difficult, even in instances of the most grievous
neglect.

Logic dictates that anyone who opposes a bill allowing corporate
entities to attack our systems should support a technique to stop
worm-ridden systems from doing the same.

As the debate continues, I'd like to suggest a new way of thinking
about the parties involved in a strikeback scenario.

Since the owner of a system has no responsibility for the actions of a
worm, or any malicious process, that runs without their knowledge, I
submit that they also have no rights to the process. No responsibility
means no rights.

So, if they have no rights to the process, there is no infringement
against them when we neutralize it. If someone wants to claim that
their rights were violated by our taking out the attacking process,
then they should be held accountable for the actions of the process
from its inception. They can't have it both ways.

If parents don't vaccinate their children, the state takes them out of
school. If a dog consistently attacks people, the authorities put it
down. If someone commits three felonies, they are put away for life.
This is because the rights of the many outweigh the rights of the one.

And that is the way it should be.

Timothy M. Mullen is CIO and Chief Software Architect for
AnchorIS.Com, a developer of secure, enterprise-based
accounting software.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with 'unsubscribe isn'
in the BODY of the mail.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]