Re: Virus to Virus Idea

From: Chet Uber (eidetic@mindspring.com)
Date: 09/02/01


Message-ID: <3B918038.745F2594@mindspring.com>
Date: Sat, 01 Sep 2001 19:41:28 -0500
From: Chet Uber <eidetic@mindspring.com>
To: Mark A Lewis <mark@mnlewis.com>
Subject: Re: Virus to Virus Idea


> A system on the internet is NOT public, just publicly accessible. Simply
> plugging a box into the internet does not mean anyone that finds it can
> do whatever they please unless you write a disclaimer or lock it down.

I am sorry, but it is freely accessible to the public for any use which
you do not disclaim. This is a matter of case law. Why do you think that
the legal, LE, and corporate community is so adamant about properly
worded banners? It is a public system until you state otherwise.

> Your statement is like saying that unless you lock your doors and put a
> note on it anyone can legally steal your car or rob your house.

No it is not like that at all. First of all you are required to place no
trespassing signs in order to press no trespassing charges, or engage in
a conversation with the trespasser and tell him not to trespass. This is
the same thing as a banner. Then you have the fact that your house is
real property and since it is owned by an individual it is private
property. There is a big difference.

Further, we are talking about the virtual world with computers and the
physical world laws have not been designed to deal with them yet.
Trespassing in the physical world is a cut and dried thing. Violation of
Title 18 Section 1030 is a murky law which leaves to question what
constitutes "unauthorized" use. There is great latitude here for
interpretation.

Finally, the analogy to robbing your house and stealing your car also does
not map to the virtual world. When you "steal" intellectual property you
don't steal anything. You make a copy of it. This is not a trivial
distinction. You have to deprive the owner of possession to constitute
theft. Again, I am not shooting from the hip, I have been there, done
that, bought the T-shirt.

Do I think this is right? Hell no. I think that as usual, we have a
cumbersome system which rushes bills through the house and senate
without giving proper thought. Most often this is done when the item is
a hot button. Say Child pornography -- hence the CDA. Overturned by the
Supreme Court. Why, because the language was murky. The reason was
honorable -- people that peddle children's flesh are not human (IMHO).
The law was a disaster, so a second law was passed. Better than the
first. Marginally, but better.

Like I said this is a VERY VERY COMPLEX issue. The Internet's current
architecture (as a friend pointed out again) was never designed to be
secure, and it will never be. IPv6 may not be the end all, but it goes a
long way to solving some of the core issues. I sat through a number of
IPSEC meetings in IETF, and I am sorry, while the work done is noble it
is still a stop gap. Look at the flaws in PPTP. Look at the flaws in
SSL. Look at the flaws in SSH. Look at the flaws in WEP. Given that the
environment is insecure, we are reduced to limiting our risk. This
begins with basic tenets. Secure everything you can. Properly disclaim
your systems. Make and TEST backups of your systems. Log all your
systems to a separate machine and print hard copies. Use Anti Viral and
File Integrity Software. Run IDS. And. And. And.

> free to choose our ISP based on the "services" they do or don't provide.
> If you want an ISP that "filters" content to protect your boxes then you
> will find one that does that. You will have agreed to them intercepting
> or eavesdropping on communications bound for you.

I agree that this service will be offered, but it will be a quagmire
they wish they never entered. For two reasons: (1) Virii are never going
away, (2) Mobile code, probably first in the form of intelligent agents,
will be indiscernible from malicious code in the near term, making the
distinction a nightmare. (Please don't bring up unicode or digital
signatures as they currently exist, we have already seen this exploited.
Also I am not really sure that having a third party verify a digital
signature gives you any more security, I could argue it gives you less)

What kind of world does this present us?

> I personally agree that I would prefer to do this myself, but AOL has
> gotten as big as it has by providing customers that want an easy to
> navigate "fluffy" internet experience. This is just another step that
> same direction. AOL already proxies their users.

I am glad to hear that. It is what a reasonable prudent man would do. As
to AOL, they can keep their market, they are already as un-American as
you can get by censoring content. Anyone who violates the 1st Amendment
or condones it should not be able to use America in their name. Some
Americans want censored content -- hell just turn on the network news.
We see and hear what they want us to hear. Some of my best clients are
in the content distribution business. I know all too well.

I guess that what I was really driving at was just that we need to quit
being reactionary. We need to quit acting like we don't understand the
security issues. We have understood them for over 20 years. We need the
leaders in our community to get with the proper people in industry and
government and solve the problem proactively, rationally and in a
reasonable period of time.

>
> -----Original Message-----
> From: Chet Uber [mailto:eidetic@mindspring.com]
> Sent: Friday, August 31, 2001 9:30 AM
> To: Mark A Lewis
> Cc: sarisocks@visto.com; SECURITY-BASICS@securityfocus.com
> Subject: Re: Virus to Virus Idea
>
> Unfortunately a system on the Internet is public unless you properly
> secure it and disclaim it. If you leave finger running, and do not
> properly disclaim, then anyone can run finger on your machine.
>
> This is a highly complex issue.
>
> For example you talk about AVP products filtering at the ISP level. With
> the laws the way they are today you will split the legal community and
> the courts down the middle; as many people see that as eavesdropping or
> intercepting communications not intended for the original user. This is
> a violation of federal code. Should it be?? I really don't want to give
> mass power of uncontrolled search and seizure to anyone. I spend good
> money to buy anti viral, file integrity software, IDS, and other counter
> measures on all my machines. I am more comfortable with that.
>
> Regards,
> Chet Uber
>
> Mark A Lewis wrote:
> >
> > A LOT of people would have a problem with someone doing this to their
> > machine without consent. I personally would view this as just as much of
> > an attack as Code Red. These are not public systems. There are a lot of
> > business systems out there you may break by doing this also. Who would be
> > responsible for the lost time and revenue? While the Internet is a
> > community and should act as such by looking after our neighbors and such
> > it is also a community without a police force per se. The best thing we
> > could do is to encourage our "neighbors" to install all current patches
> > and such to keep the neighborhood safe. What is more likely than an
> > "anti-virus virus" is ISPs that will start filtering worms/viruses at
> > that level.
> >
> > -----Original Message-----
> > From: sarisocks@visto.com [mailto:sarisocks@visto.com]
> > Sent: Wednesday, August 29, 2001 9:08 PM
> > To: SECURITY-BASICS@securityfocus.com
> > Subject: Virus to Virus Idea
> >
> > Here's an idea for debate:
> > Someone creates a virus, whether Code Red or another, and shoots it off to
> > infect and destroy. Whatever the case. Why not have someone create a
> > program/anti-virus virus that propagates itself to computers, whose sole
> > purpose is to go around and install the patches to defend?
> > The obvious would be more traffic, but could the advantages outweigh the
> > disadvantages??
> >
> > Tuchus
> >
> > bye4now!
> > sari!
> >
> > -Perception is the only reality,
> > and mind games are the twist of perception-
> >
> >
> > ___________________________________________________________________________
> > Visit http://www.visto.com.
> > Find out how companies are linking mobile users to the
> > enterprise with Visto.
>

Mark A Lewis wrote:
>
> A system on the internet is NOT public, just publicly accessible. Simply
> plugging a box into the internet does not mean anyone that finds it can do
> whatever they please unless you write a disclaimer or lock it down. Your
> statement is like saying that unless you lock your doors and put a note on
> it anyone can legally steal your car or rob your house. And, all of us will
> be free to choose our ISP based on the "services" they do or don't provide.
> If you want an ISP that "filters" content to protect your boxes then you
> will find one that does that. You will have agreed to them intercepting or
> eavesdropping on communications bound for you. I personally agree that I
> would prefer to do this myself, but AOL has gotten as big as it has by
> providing customers that want an easy to navigate "fluffy" internet
> experience. This is just another step that same direction. AOL already
> proxies their users.
>
> --
>
> Chet Uber, Senior Advisor
> SecurityPosture
> Information Assurance & Information Security
> vmail 402.498.2673 eidetic@mindspring.com
> http://www.securityposture.com
>
> If you are not the intended recipient be advised that you have received
> this email in error and any use, dissemination, forwarding, printing
> or copying of it is strictly prohibited. It is the responsibility
> of the addressee to scan this mail and any attachments
> for computer viruses or other defects. The sender does not
> accept liability for any loss or damage of any nature,
> however caused, which may result directly or indirectly
> from this email or any file attached.
>
> ----------------------------------------------
> "Are You In A Security State Of Mind?"
> (c) 1998-2001. Chet Uber. All Rights Reserved.
> ----------------------------------------------

--

Chet Uber, Senior Advisor
SecurityPosture
Information Assurance & Information Security
vmail 402.498.2673 eidetic@mindspring.com
http://www.securityposture.com

If you are not the intended recipient be advised that you have received
this email in error and any use, dissemination, forwarding, printing
or copying of it is strictly prohibited. It is the responsibility
of the addressee to scan this mail and any attachments
for computer viruses or other defects. The sender does not
accept liability for any loss or damage of any nature,
however caused, which may result directly or indirectly
from this email or any file attached.

----------------------------------------------
"Are You In A Security State Of Mind?"
(c) 1998-2001. Chet Uber. All Rights Reserved.
----------------------------------------------