 
From: InfoSec News (isn_at_c4i.org)
Date: Sat Jan 18 2003 - 03:26:12 CST


    Forwarded from: "Deus, Attonbitus" <ThorHammerofGod.com>
    Cc: security curmudgeon <jerichoattrition.org>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    At 11:45 AM 1/17/2003, security curmudgeon wrote:

    >Please don't make the mistake of thinking you are the first to consider
    >strikeback, write about it, propose it, or even implement it.
    >
    >If I write about some buffer overflow concept and don't provide much
    >information, it's fair to say you can intelligently respond to it because
    >there is already considerable information on the topic, yes?

    I know strike-back, hack-back, counter-attack, etc. has been discussed for
    quite some time, but I have not seen a framework put together like we have
    in regard to combating worm propagation. Regardless, if you published a
    buffer overflow concept and provided links to papers on it, sure I
    would. Just like I did with the Shatter stuff- nothing really new there,
    but I wanted to make sure of that- *particularly* if I were to render an
    opinion of it. I honestly can't see how I would *not* research something
    before making any public comment. But let's not spend too much time on
    that- it doesn't really matter. Let's talk about the technology now.

    >I agree now, more than ever. I am tired of the worms and I would love to
    >have the ability to strikeback at servers hitting me. But that just can't
    >happen until the idea is fleshed out more and all scenarios are
    >considered.

    So let's do it. All of us here who give a damn, let's flesh it out and
    consider the scenarios. If the examples in the whitepaper are wrong, then
    let's come up with some that are right.

    >Exactly my point. What YOU define may be different than what I define or what
    >WE define as a collective group. Without some form of standards, more
    >liability will end up on YOUR shoulders and mine for striking back. That
    >is not what you want clearly.

    In the whitepaper (that you, uh, ahem, haven't read yet ;) we call for
    standards.

    >Out of curiosity, have you read Schwartau's and other
    >posts/papers/comments on strikeback as a foundation for your own? Have you
    >read past criticism of their writings? I specifically mention him for a
    >reason.

    Yes I have- to be honest it was a while back, but I just re-visited to make
    sure I remembered correctly. I believe that those concepts are quite
    different than what we are discussing here. The term "strikeback" is
    actually much more in tune to that mindset- that is why we have been trying
    to refer to our stuff as "neutralizing agents" than "strikeback" but once a
    term is coined, it is hard to get away from it.

    >it's currently loaded in my browser, just haven't had a chance to read it
    >yet =)

    Looking forward to your interpretations.

    >Preaching to the choir here. I'm one of those nutjobs who complain about
    >every single piece of spam, every worm/virus that hits us. I'm tired of
    >their lack of reaction and indifference.

    I still think you have a valid point about having it be an area to
    explore. I just don't know how to go about that.

    >Until all of these questions (and more?) are answered to the satisfaction
    >of legislators and the masses.. strikeback remains a topic for coffee and
    >pontification i believe.

    You're gonna keep kicking me on that one, aren't you ? =)

    >Not blindly, no. If you provide logs and my ISP has multiple complaints,
    >they should contact me or pull my plug until it is resolved. This is being
    >said with a lot more in mind that I haven't typed out. Factoring in the
    >type of system, who the customer is, etc .. should all weigh in on how the
    >ISP reacts. My comment was made because I feel that it is easier to define
    >parameters for that kind of reaction and would readily be accepted by more
    >people before strikeback would.

    Right- my problem here is the reaction time frame- let's say we've got all
    of our neutralizing bots deployed world-wide; when SlapperII hits, we've
    got to get all the IR and code guys on it pronto so they can present vector
    and neutralization options. We've got to get the standards body to make an
    informed decision on if/how to apply neutralization measures, and then
    deploy the updates to the field units. Case-by-case ISP analysis won't cut
    it. They'll be flooded before they can get a single phone call off...

    But, that is still something to consider.

    > > While there are many questions to all of this, the only way for us to
    > > get an answer is to talk about it and explore the possibilities- and
    > > that is my intention in all of this.
    >
    >Agreed.

    Looks like we are doing it!

    Tim

