Slate On Worms That Plug Security Holes
gwernol writes "Slate has a well-written article on 'white knight' worms like Nachi that attempt to automatically patch security holes; Nachi tries to patch the hole that MyDoom exploits. The article calls for Google and others to incent White Hat programmers to create better White Knights. But are 'good viruses' really a good idea? Nachi created almost as much bandwidth congestion as MyDoom. Do we really want programs jumping onto our systems and 'fixing' them without permission? What about a socially engineered worm that claims to be doing good?"
No. (Score:2, Insightful)
No.
These could be Trojans.
If I give you some worm that's supposed to cure another but which in fact is another one...
No.
One bad idea (Score:5, Insightful)
There is no "good virus". (Score:3, Insightful)
Viruses to attack Viruses which patch Viruses (Score:5, Insightful)
The answer is to have a secure system, as that's not happening in the Windows world at the moment, then frequent patches to plug the holes and a way to encourage everyone who uses Windows on the net to download them is the way to go, as is installing more secure software (e.g. Firefox rather than Internet Explorer.)
Like stealing your bike (Score:5, Insightful)
Would you like that?
Are they a good thing? (Score:5, Insightful)
Even valid updates from manufacturers have the odd really bad messup. Making a service crash, modifying a config file so it doesn't work, causing unexpected behaviour.
To give support to those writing such whiteknight worms gives support to any anonymous coder who might wish to fix a problem, with no concept of testing things on a system other than their own or a few others belonging to a "friend of a friend".
How would Anti-virus programs react ? (Score:2, Insightful)
No, no, and no. (Score:2, Insightful)
It's not for someone who "knows better" to decide for me how to "Secure" my computer. What happens if one of these virus-like apps (either from MS or a third party) "patches" my server with my multi-million dollar application system and somehow breaks it, as unintentional as it may be?
If these hackers want to do good and create 3rd party patches that people can download and install on their own, that's one thing and I applaud them for their efforts. But, please, don't insult my intelligence and do something that's "best" for me without my knowledge or consent.
Wrong approach (Score:2, Insightful)
Being an IT professional, I get on average 1 request per week to remove viruses / spyware / browser hijacks etc from people's computers.
Recently I started turning them down, but offer to install Linux on their computer instead of trying to fix their Windows installation.
If I were writing a worm, however, I'd take a different approach. I'd make it spread quietly, and then destroy the Windows install completely 1 day after infection. The whole fucking lot. People who get viruses are asking for it. If you put your computer on the internet, you have a responsibility to do the right thing by everyone else. If you stick your head in the sand and click on all the 'click here' and 'free hardcore XXX' links, then come bitching to me when the whole thing comes crumbling to the ground then you really only have yourself to blame.
ALL computer users should take reasonable steps to keep their computers secure. ALL computer users who don't take these steps should have their hard disks wiped clean.
Once a few viruses start doing this, people will get the hint and keep their systems secure.
QOTD particularly appropriate (Score:1, Insightful)
Too true!
The road to hell is paved with good intentions (Score:5, Insightful)
Blaster had very little impact on our network. Nachi on the other hand caused absolute bloody chaos.
There is absolutely nothing "white hat" about running code on someone else's machine without their permission.
Re:No. (Score:2, Insightful)
I'd prefer that no worms existed at all but given the choice I'd much rather have my idiot neighbor open a good virus than a bad one, there's going to be wasted bandwidth either way but at least the good virus could stop some waste in the future.
Re:Probably.. (Score:2, Insightful)
Kind of like having robbers in charge of security in a bank.
Subscription system (Score:4, Insightful)
What about a subscription-type system for such a service? I can imagine a variant of the virus definitions auto-update that does this. It wouldn't be kicked off by the user's computer, as it could be disabled by the Blaster-style worm, but would rather be initiated by a remote server. Next time a 'bad worm' spreads across the Internet, the service releases the 'good worm' to patch its customers' systems. My mom would probably appreciate something like that.
Re:Mission Critical (Score:2, Insightful)
There is no excuse for Corporate security exploits. Unless the corporation just doesn't care about its computing.
Push vs Pull (Score:5, Insightful)
Anyway, I should have the right to take attackers and use their own exploit to inform them about their situation. A real world comparison would be me finding a trespasser and instead of just kicking them out, telling them they are doing wrong and then kicking them out.
Granted, this kind of vigilante action can be seen as, say, tracking down the trespasser and going on his property to yell at him. I guess this is where the analogy breaks down, but it's a good concept and doesn't waste bandwidth like the "friendly trojan" shotgun approach.
This would only work with worms with machines with open firewalls, but it sure beats nothing.
I agree with Schneier (Score:5, Insightful)
Automatically installing code on a user's system without their consent is never a good idea. Virally propagated code, no matter the intent, still generates network traffic, just because the payload is different doesn't mean the virus/worm/whathaveyou isn't adding to the problem of congested networks. And as someone else pointed out, even if the 'white hat' programmer has good intentions, that doesn't mean they won't make mistakes in their code which could have adverse effects on the systems they are attempting to patch.
While I don't think users should have to directly interface with security protocols/techniques, I do think they should be aware of them. If they are made fully aware of the damages that can be done to them, they're more likely to patch, or back away from the internet in fear, either way, there is a reduction in exploitable hosts.
Re:Are they a good thing? (Score:2, Insightful)
I DO think automatic, "valid" updates can be considered as viruses in the effect they may have. They can actually halt a production system. This is real life experience: I have seen network emulation updates, source code control systems updates fucking up production. More than once. No kidding: even anti-viruses updates broke the prod for some dlls incompatible with XYZ. Isn't it a nightmare? The anti-virus stuff becomes a virus!
The point is, in production you are assumed to know what's on your box. Anything automatic that you can not 100% predict, is breaking this statement. You don't know any more. And the point of the automatic update stuff is "you don't want to care" and it is legitimate.
So my point: yes a trojan, no matter how it modifies a system, has a chance of fucking it up. Non acceptable.
Ciao ciao.
Re: "People who get viruses are asking for it" (Score:5, Insightful)
"I really am sick of viruses. Being an IT professional, I get on average 1 request per week to remove viruses / spyware / browser hijacks etc from people's computers."
Welcome to the IT club. So far, you aren't sounding special.
"Recently I started turning them down, but offer to install Linux on their computer instead of trying to fix their Window installation."
I hope you like supporting that Linux install... And like fielding questions like: "I just bought a brand new digital camera. How do I get my pictures and video into the computer? Oh, and I bought a new printer, too. I want to print my new pictures with my new printer. Oh, oh, and my cellphone has this cool service where I can download ringtones... I want to do that, too. I need to do XYZ with some application I use for XYZ. How do I get it on my Linux PC?" Face it. Linux is still a second-class citizen in the desktop market. Having one or two category apps isn't the same thing as having 99% of the market.
"If I were writing a worm,
Then I would hope that you got caught and spent a few years in jail to think about it, and have it on your record for the rest of your life. Maybe you'll be branded as a terrorist! Talking about writing worms doesn't get you my respect. Even hypothetically. It has been done before. It has been discussed to death before. There were viruses that damaged your equipment. There were other viruses that repartitioned your hard drive. Plenty of worms can do these things.
"ALL computer users should take reasonable steps to keep their computers secure. ALL computer users who don't take these steps should have their hard disks wiped clean."
A) What are reasonable steps?
B) What is secure? If I get an email from "you" telling me to run the attached security update to my computer, and don't know any better, and I run it, and it is an emailing worm, then I am now hosed. Worms do this all the time. Do I blame you because I thought I could trust you, or do I blame the worm author who masqueraded as you through their program?
If some application I download to do X has a bug that's exploited and does Y, and I don't know it, is it my fault?
C) Your statements are quite harsh. Have you ever had your hard disks wiped clean with all of your hard work on them? Your statement is akin to saying, "People who get diseases should be shot. That'll teach 'em to get sick!"
I can't believe your post was modded insightful. Flamebait, yes. Insightful, no.
The biology analogy (Score:3, Insightful)
So the same should be applied to the software immune system, after all nature knows its shit better than we do.
Re:Here is a related article... (Score:5, Insightful)
Easy. They're all bad, including the good.
It might be justified if "enough is enough!", but if you have to ask, it is never justified. It might be good at the moment, but once the moment is past, it is a bad virus.
Re:No. (Score:3, Insightful)
Is there such a thing as "good SPAM" or "good junk mail?" Aren't they just all an unneeded drain on our resources? Same goes with these worms. When are these kids going to get it? Breaking into our networks does not help us!
And, yes, we need to have proactive security (for the most part we do) but just because we have an opening is not an invitation to come on in. If I have a crappy lock on the front door of my house it does not give you leave to break in and install a better lock.
(\rant) Now I feel better.
worms are colorblind (Score:2, Insightful)
and this ignores the problem that in a lot of shops, the IT staff likes to test out patches & make sure the patch doesn't break anything. if a patch hasn't been installed on an office box, there might very well be a good reason for it. a worm is a one-size-fits-all sledgehammer of a solution to the problem of unpatched boxes. how would you feel about allowing an unknown process, not critical to apps or OS function, run on every desktop in a LAN?
ed
Well, Slate *is* still owned by Microsoft. (Score:3, Insightful)
Sometimes I think the whole antivirus industry mostly serves as a diversionary tactic that lets companies keep shipping software with deep, fundamental security problems.
Note to Paul Boutin... (Score:2, Insightful)
Re: "People who get viruses are asking for it" (Score:3, Insightful)
I hope you like supporting that Linux install... And like fielding questions like: "I just bought a brand new digital camera.
Er, I may be slow, but I fail to see how the grandparent poster's users, in a professional environment, could justify the need of fancy stuff like digital cameras or downloading ringtones, or installing printers themselves. If there's an IT professional where he works, it is most probably in an environment big enough so that users should not mess with their computers.
How do you define White? (Score:2, Insightful)