Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: RE: Bening Worms (Cosmin Stejerean)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 15 May 2005 12:20:25 +1200

Stejerean, Cosmin wrote:

I think you are going a little overboard with this kind of response. The guy


The guy is clearly a chopper.

Ten minutes "research" with Google would have shown him that "benign" 
worms aren't, and only a very narrow fringe of mostly highly marginal 
IT folk think that the idea is worth more than immediately flushing 
down the toilet.  Further, among those who do think it might be a good 
idea or one worth studying, that support falls off very quickly with 
actual, relevant academic or work experience.

His floating such a stupid, time-worn, discredited notion, which he so 
easily could have found to be such, in this list is much more closely 
akin to trolling than "research".

had a couple of questions about "benign worms." If you are going to provide
some useful feedback then go ahead and do it. If you are going to write an
insulting email you should probably think twice about it.

Thanks for the advice.

I've filed it where my experience tells me it should be filed...

<<big snip>>
If I recall properly Stanford also used similar techniques to get rid of MS
Blast on their networks especially from laptop machines that were infected.
They had no administrative control over those machines yet the machines
posed a threat and the threat had to be eliminated.

Assuming this is a correct recollection of whatever...

Run that past us again -- Stanford had machines on their network that 
posed a risk to the rest of their network BUT the Stanford IT folk had 
no administrative rights to those machines?  They couldn't configure 
their network infrastructure so it didn't offer an IP to these 
"anonymous" threats or at least configure it so it wouldn't route their 
traffic?  If there really was a "need" to allow such anonymous machines 
to come and go from their network, why had they not configured their 
network so it only allowed such "anonymous" machines very limited 
access (such as putting them in a separate sub-net so they screwed with 
each other but not with "Stanford real", and that, perhaps, only had 
very limited off-site access through their firewalls)?  Sounds like 
Stanford runs (ran?) a _really_ screwed-up network...

Worse though, you seem to imply that it was alright for Stanford to 
take action against those machines by exploiting a vulnerability on 
them to "fix" the threat posed to Stanford's network.  That is clearly 
wrong, both ethically and legally.  By acting as you suggest, Stanford 
would almost certainly have been exposing itself criminally (and quite 
possibly federally -- what are the odds that at least one of those 
laptops "belonged" to someone doing "critical" US government work on 
contract, or pretty much any work relating to the banking, or other 
"critical commerce", industries).

Stanford could have legally and "rightly" acted by denying further 
access to its network from machines it had no administrative control 
over, but of course that would have required it to have already 
designed and implemented a better network infrastructure than it seems 
they had in place.  Their lack of forethought in that regard in no way 
justifies their unethical (and almost certainly illegal) actions.


Nick FitzGerald

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]