Fog Creek Software
Discussion Board




"Good" worm?

Apparently a new worm called "Welchia" is spreading that attacks through the same vulnerability as blaster and attempts to patch the systems it infects.  Here's a link to the article on yahoo:

http://story.news.yahoo.com/news?tmpl=story&u=/nm/20030818/wr_nm/tech_worm_dc_1

Anyone here actually think this is justified?  What if it really worked well and and didn't create a net traffic jam?  Could anyone envision a scenario where it would be justified?

Ken
Tuesday, August 19, 2003

I can envision a scenario where Microsoft proactively patches pc's via these.

Oh, I can hear it now.  "How dare you run code on my server." 

Well, if you get your f'ing code red laden box of the web we wouldn't have too.

Good idea
Tuesday, August 19, 2003

Damn.  They stole my idea.

The only problem is the unannounced reboot; I hadn't figured out a way around that bit.  However, "good" worms like this are a hell of a good idea in my opinion.  Sure, they might slow traffic down SOME, sure, they might cause ONE unexpected reboot, but those are very SMALL costs to pay in light that a malicious worm could come around later and do untold amounts of damage.

Alyosha`
Tuesday, August 19, 2003

PS:

"Despite the apparently good intentions of the new worm, spreading "good" worms is a very bad idea, said Jimmy Kuo, research fellow at anti-virus vendor Network Associates Inc."

Consider the source.

Good worms are bad for the anti-virus biz.

Alyosha`
Tuesday, August 19, 2003

You know, if you break into someone's house and get caught, "but officer, I was doing their laundry for them!" isn't much of an excuse.

Software is the same.  Running code without the box owner's consent is badness, regardless of good intentions.  "Good" worms are every bit as illegal as malicious ones.

Eric

Eric Lippert
Tuesday, August 19, 2003

Well, considering how often malicious worm writers are caught and punished, why should white hat's worry?

Mike
Tuesday, August 19, 2003

I have to agree with Eric.  Who's deciding what's good and what isn't.

_*_
Tuesday, August 19, 2003

I think you folks should keep in mind that there's bigger issues than just "well what gives them the right to run code on my machine".  First of all, no one on this planet knows all the code they are running; anyone who installs an operating system has implicit faith that the half-gigabyte of code they are running is not malicious.  Secondly, if you absolutely care about that, patch your system yourself.  If you don't, well, SOMEONE's going to hack your system, I absolutely guarantee you 100%.  The only question is whether you want to be hacked by a white hat or a black hat.

It's a worldwide security issue.  Blaster cost literally billions of dollars in lost productivity.  It could have easily been a 100 times more.  It could have formatted hard drives, stolen credit card numbers, installed back doors to your system, launched EFFECTIVE denial of service attacks against all kinds of businesses.

What gives people the right to keep their computer an infection vector for millions of other machines around the world?

Alyosha`
Tuesday, August 19, 2003

I don't want someone "helping" me in this fashion, unless I've consented to it in advance via the OS or some sort of certificate-based permissions (via which I could say "always accept security updates from MS" or some other trusted vendor).

Hmmm, sounds like XP's "automatic updates".

Zahid
Tuesday, August 19, 2003

>>Hmmm, sounds like XP's "automatic updates".

A feature, by the way, that would have prevented the spread of the worm if it was used.

Jeff MacDonald
Tuesday, August 19, 2003

Zahid

If you keep you server patched, no one will "help" you in this fashion.  I think whether or not you patch internal systems is your business.  But whether or not you patch a web facing system, well I think you need to be neighborly and kill your weeds so they don't seed into my yard if you know what I mean.

Mike
Tuesday, August 19, 2003

>>Blaster cost literally billions of dollars in lost productivity

Do you have an unbiased (by which I mean not a linux zealot or anti-virus vendor) citation for this?  I thought Blaster turned out to be more sound than light.

Brian
Tuesday, August 19, 2003

I can name a major Fortune 500 and Fortune 1000 company that would tell you different.  It was a lot more light.

Mike
Tuesday, August 19, 2003

Here is a link to a story about the problems of patching and how it costs money.

http://computerworld.com/securitytopics/security/holes/story/0,10801,84083,00.html?from=imuheads

I know most of you home users here with 3 machines in your basement were all patched up, but what about the company with 500 servers?

Quaalude
Tuesday, August 19, 2003

If you keep you server patched, no one will "help" you in this fashion.  I think whether or not you patch internal systems is your business.  But whether or not you patch a web facing system, well I think you need to be neighborly and kill your weeds so they don't seed into my yard if you know what I mean. - Mike

Mike -
I've already vented my frustration at the systems administrators who don't keep their houses safe.

But your analogy would be better if the person who came to weed my yard were unfamiliar to me, wearing a mask, and showed up in a car without license plates. As I watch this character "help" me, I don't know if that's weedkiller he's spreading or anthrax. I'd just as soon keep the keys to the gate.

I can't believe you're arguing that I have to thank this guy afterward, rather than give him permission beforehand. An apparently benign act could mask a less benign purpose.

Zahid
Tuesday, August 19, 2003

A thought:

On the face of it, it seems unethical (at least to me)  to run code (even "white hat" code) on another box without the owner's permission.  Note two things.  First, someone already *did* run unathorized code on the box--that's why it's infected!  This point, while interesting, is not terribly relevant.

The second point is that once you're infected, while someone's pondering the question whether or not it's right to patch your machine without your consent, your machine is *itself* running code on hundreds/thousands of machines without your consent.

So, is it better unethically run code that prevents the unethical running of larger amounts of damaging, also unethical code?

Tough call.  It's akin to quarantining people without their consent to stop the flow of a disease.  Yes, there are important differences, but a similar situation nonetheless.

Under the "do unto others" rule, I think I'd prefer to have the patch.  Here's my rationale.  I don't like code (say, from Microsoft) automatically being installed on my machine(s).  However, in cases such as this it is already clearly demonstrated that code can and is being run without your permission. So some other code to stop that transgression is, I think, permissable.

An important point that may come up in the future:  Where do you draw the line between an exploit and a service?  It's pretty easy now, but what if I *wanted* to have the functionality that worm X utilized?  We're assuming that the infectee is unaware of the problem and would wish to have  it fixed.  This is clearly the case usually at the moment, but in the future this could become a more sticky issue.

-Rich

Rich
Tuesday, August 19, 2003

Yes, when you have a security hole you could march an elephant through, demanding that all your code be properly signed and certified is no longer an option.

No one is going to go back and say, "no, I wanted that security hole there!  What gives you the right!?"

You may feel queasy about strange code running on your system, but making people feel queasy is not a crime.  Causing actual damage is.

Alyosha`
Tuesday, August 19, 2003

"I know most of you home users here with 3 machines in your basement were all patched up, but what about the company with 500 servers?"

You know what MS needs to do? Add configurability to the Windows "Autopatch" they're talking about so you can point it at your *own* patch host. Run a Windows Patching service on a local server and make patches available when you've finished testing on them - then your Windows machines autopatch themselves.

Philo

Philo
Tuesday, August 19, 2003

Philo wrote:

>>You know what MS needs to do? Add configurability to
>>the Windows "Autopatch" they're talking about so you
>>can point it at your *own* patch host. Run a Windows
>>Patching service on a local server and make patches
>>available when you've finished testing on them - then
>>your Windows machines autopatch themselves.

http://www.microsoft.com/downloads/details.aspx?FamilyId=A7AA96E4-6E41-4F54-972C-AE66A4E4BF6C&displaylang=en

Works great. We use it for all of our large clients.

Jason Catlett
Tuesday, August 19, 2003

Wow, Jason.  Thanks for the link.  I thought (and had read articles about) how Windows Update forced you to go direct to MS, and not set up an internal server.

-Rich

Rich
Tuesday, August 19, 2003

Crap!  SUS requires IIS.  That is verbotten where I work.  We took Gartner's advice and fled IIS and could not be happier.

Gene
Tuesday, August 19, 2003

You may feel queasy about strange code running on your system, but making people feel queasy is not a crime.  Causing actual damage is. - Alyosha`

Alyosha -
Making me feel queasy may not be a crime, but trespass is. I don't know if that's the crime they charge hackers with, but whatever it is, I believe I could make the case. You might have a solid defense if I were "causing actual damage" but I'm guessing you would be SOL otherwise.

Maybe your argument only bugs me because I am one of the people who firewalls my machines and keeps virus definitions up to date. I'm sure someone will get past those defenses some day soon, and maybe then my perspective will change.

Oh, and by the way -- I suspect that intentionally making someone queasy would be actionable as assault -- a crime  :)

Zahid
Tuesday, August 19, 2003

> Crap!  SUS requires IIS.  That is verbotten where I work.  We took Gartner's advice and fled IIS and could not be happier.

Yes, well, Gartner's advice includes sending your work to India ( where Gartner has an office, of course.)


Tuesday, August 19, 2003

Blaster was a minor problem. This stupid beggar was ping-flooding so hard it took down the RSM in our core Catalyst switch. I have had SO much non-fun today, I had to eventually autogen access lists to block suspiciously energetic ICMP sources to get things down to a dull roar, while we had people scurrying around finding and patching infected PCs.

Good Samaritan, bah. More like a serial killer.

Peter da Silva
Tuesday, August 19, 2003

According to the CBC, Air Canada's computers were brought down by this "benevolent" worm, stranding several thousand passengers in the process.

Jeff Wright
Wednesday, August 20, 2003

Well, then, Air Canada needs to add the downtime cost to their TCO of Windows. 

Mike
Wednesday, August 20, 2003

*  Recent Topics

*  Fog Creek Home