
Re: [Asrg] Point of information...

2003-06-21 20:52:33
On Fri, Jun 20, 2003 at 07:33:49PM -0400, Barry Shein wrote:

We've seen various blacklists. I consider them a mostly bad idea,
perhaps of some use to individuals, but it's something we should
all be familiar with.

Some of the more notorious black lists actively scanned the net
with software for systems which fit their notion of "open relays"
and would add these to the net as a hazard.

Now, would it be possible to scan similarly for systems infected
with Jeem or one of the other spammer slave bugs?

  This would have to be at least partially a legislative solution.
Let's just say that anybody scanning large portions of the net raises
eyebrows, and is reason for termination at many ISPs.

What would we do with that information?

That's probably not necessary to answer, unless someone doubts
anything good could be done. But, for example, inform the owner,
an ISP might quarantine or mail rate-limit a known infected computer
until it's fixed, block it entirely (from mail, from everything), etc.

  From postings I've seen on nanae (news.admin.net-abuse.email), when
some large outfits are provided with headers of virus emails day-in,
day-out from certain IP addresses, they don't seem very active in
getting the customer off the net.

Anyhow, this all starts with whether it's possible to write a piece
of software which begins to scan the net for infected systems?

  The problem so far is that people take virus/trojan compromises too
lightly.  That's because the compromises go out of their way not to be
noticed.  The trojan sends out a bunch of spams from your machine while
you're sleeping.  The typical end-user reaction is "so what?".  Maybe
governments need to do a "Hatch-job" (senator from Utah?).

  Notice that almost all viruses/trojans are "intelligent parasites"
that don't eat up enough resources to kill their hosts.  What we need is
for governments to authorize law-enforcement agencies to release viruses
("Killer-V's") that low-level unformat harddrives, and flash BIOSes with
garbage for good measure so that you can't just slap in the install CD
and have the same crap reconnected to the net 3 hours later.

  The people whose machines are susceptible to viruses/worms which set
up zombies for spammers and DDOS attacks will get knocked off the net.
The people whose machines are immune to the killer virus will tend to
also be immune to being used as zombies for spammers and DDOS attacks.
And the net will be a much better place for those that remain.

Maybe we should also issue an RFC that simply says that the days of
computer, including personal and desktop computer, operating systems
being vulnerable to viruses (within some problem definition) should
have been over years ago via widely distributed and well-known
techniques utilized in highly successful and comparable operating
systems software.

  An RFC means nothing if it isn't enforced.  You almost need an
"internet driver's licence" or a "Killer-V" to get the problems off the
net.

For the love of money, XP and Windows/ME (and all earlier MS windows)
are both vulnerable to Jeem, sobig.a, and Proxy-Guzu, some of the more
cited viruses used in this sort of spamming.

And, in all cases, according to Symantec's database:

  Systems Not Affected: Macintosh, OS/2, UNIX, Linux

  I've used DOS and OS/2 and linux and Windows.  As a current linux
user, I know its warts as well as its beauty.  I think that any
sufficiently powerful server OS in the hands of a newbie is asking for
trouble.

  - Windows' problems stem from its origins as a LAN-based system.  The
idea was "wouldn't it be cool if the admin could send an executable
email that would cause subscribers' machines to auto-update on reading
the email?".  That is a godsend for admins running an office LAN.
Connect that same OS to the internet, and you have major security
problems.

  - linux is a unix-clone.  Until approximately version 6.2, Redhat came
with a "workstation" install that had sendmail wide-open for relay, and
portmap and a whole bunch of other services listening to the internet.
It was only a few years ago that Lion and Ramen were driving linux users
nuts.  And don't get me started on wu-ftp.  At first, it didn't matter.
The linux install was so damn hard that if you were clueful enough to
get it installed and connected to the net, you were clueful enough to
do it right.  Even today, the first thing I do with a fresh linux
install is "netstat -tupan" and see what services I have to shut down.
Oh yeah, I do this *BEFORE* the first connection to the net.  It was
only when the install was automated to the point where the clueless could
point-and-click their way through it, that the problems became obvious.

  - The MAC's original niche was desktop publishing.  There wasn't a
need to have scripted emails auto-update the system, or for the machine
to come with server daemons running under the default install.  For a
newbie whose major concern is finding the "any key", the MAC is probably
the most secure choice.

  The problem is due in large part to newbies.  20 years ago, only
sysadmins who knew what they were doing ran machines connected to the
internet 24X7.  Today, any fool can do so... and many do.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
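Walter's "netstat -tupan" habit, as an added example that is not part of the original post: a small shell filter over a constructed netstat listing that reports only the services bound to addresses reachable from the network, leaving out the loopback-only ones and established sessions. The sample rows, program names and PIDs are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a "netstat -tupan"
# listing and report only the services a remote host could reach,
# i.e. listeners bound to something other than a loopback address.
# The listing below is constructed for the demonstration; on a real box:
#   netstat -tupan | exposed_listeners
# ("ss -tulpan" prints comparable columns on newer systems).

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      812/sendmail
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      455/portmap
tcp        0      0 192.168.1.5:22          192.168.1.9:51022       ESTABLISHED 901/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      700/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           455/portmap
udp        0      0 127.0.0.1:323           0.0.0.0:*                           520/chronyd'

# Reads netstat output on stdin and prints "<proto> <local address> <pid/program>"
# for every listener not bound to 127.x or ::1.  tcp listeners are the rows in
# state LISTEN; udp rows carry no state column, so a wildcard foreign address
# (ending in ":*") marks a bound socket.  Established connections are skipped:
# they are existing sessions, not open ports.
exposed_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" { addr = $4; prog = $7; hit = 1 }
        $1 ~ /^udp/ && $5 ~ /:\*$/   { addr = $4; prog = $6; hit = 1 }
        hit {
            if (addr !~ /^127\./ && addr !~ /^::1:/) print $1, addr, prog
            hit = 0
        }'
}

# Runs the filter over the constructed sample; returns the exposed rows.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
}

audit_sample
```

Anything the filter prints is a service to justify or shut down before the first connection to the net; for the sample that is sendmail, portmap (tcp and udp) and sshd.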

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg