In message <4079C0BB.80509@ttec.com>, Joe Maimon writes:
Jeff Workman wrote:
--On Sunday, April 11, 2004 2:45 PM -0400 Joe Maimon <jmaimon@ttec.com> wrote:
Therefore the "good" people should beat the bad people to the punch and write the worm first. Make it render the vulnerable system invulnerable or if necessary crash it/disable the port etc., so that the "lazy" administrators fix it quick without losing their hard drive contents or taking out the neighborhood.
Such "corrective" behavior as suggested by you might also be implemented in such a "proactive" worm.
How many fewer zombies would there be if this was happening?
As I understand it, Netsky is supposed to be such a worm. Doesn't seem to make much of a difference, does it?
I thought that Nachi/Welchia was supposed to be such a worm as well, and it ended up doing more harm than good.
One could argue that those were implementation issues, probably performed by people who did not know what they were doing.
From a perspective of auto-patch, *no* programmers "know what they're doing". The state of the art of software engineering, even for well-designed, well-implemented, well-tested systems, is not good enough to allow arbitrary "correct" patches to be installed blindly on a critical system. Let me put it like this: how many ISPs like to install the latest versions of IOS or JunOS on all of their routers without testing it first?
From a purely legal perspective, even a well-written, benevolent worm is illegal -- the writer is not an "authorized" user of my computer. But I'd never authorize someone to patch my system, even an ordinary desktop PC, without my consent -- there are times when I can't afford to have it unavailable. (Many U.S. residents are in such a state for the next four days, until they get their income tax returns prepared and filed. I don't even like installing virus updates at this time of year.)
Auto-patch is a bad idea that just keeps coming back. Auto-patch by people other than the vendor, who've done far less testing, is far beyond "bad".

--Steve Bellovin, http://www.research.att.com/~smb