
[rsk@GSP.ORG: Re: 10th anniversary of the Internet Worm]



Hi,

sorry if some of you have already read this, but I think it
raises a few very interesting thoughts.

gert

----- Forwarded message from Rich Kulawiec <rsk@GSP.ORG> -----

Approved-By: aleph1@DFW.NET
X-Mailer: Mutt 0.93.2i
Date:         Wed, 4 Nov 1998 00:23:41 -0500
Reply-To:     Rich Kulawiec <rsk@GSP.ORG>
From:         Rich Kulawiec <rsk@GSP.ORG>
Subject:      Re: 10th anniversary of the Internet Worm
To:           BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <3D3FC13074F5D11191E700A0C9C874FF2BE7DE-100000@mail.ils.unc.edu>;
              from Gregory Newby on Mon, Nov 02, 1998 at 10:33:51PM -0500

On Mon, Nov 02, 1998 at 10:33:51PM -0500, Gregory Newby wrote:
> Lest we forget, today was the 10th anniversary of the
> Internet Worm, released by Robert Tappan Morris, Jr.

I remember -- I was in the trenches that day.  In fact, I'd gone
into work (the Purdue University Computing Center, a large Unix site)
early that day because I needed to leave early as well.

I didn't. ;-)  In all the years I've done Unix, that was the
most exciting 36 hours I went through.

Most of what we did there is documented in Spaf's paper on the
subject, so you can read that to find out what Dave Stevens and
Kevin Braunsdorf and George Goble and all of us there at Purdue
did that day.  (We invented the "condom".  No, really!)

I remember two major concerns that are still with me years later --
which is why I'm babbling this at bugtraq:

1. We had almost no way to communicate out-of-band with other sites.
That's why I keep an address/phone/fax book now.  It's far from
complete, and it's frequently outdated, but I keep it in hardcopy --
and handy -- against the day when things go foom again.  As you
pointed out, CERT was formed in part to take on this role, but much
to my great disappointment, CERT is largely an information black hole,
and reacts at a glacial pace, far too slowly to be any help in a crisis.
I also know where several local ISPs are physically located -- guessing
that the next attack might come when voice/data/cable/etc. are unified
and that it might take them *all* out.  And I don't think sending them
postcards will cut it. ;-)

2. Our biggest worry wasn't figuring out who launched it, or why, or
how it propagated.   Our worry was "Is it destructive (i.e. does it
deliberately corrupt data)? or is it just meta-destructive (i.e. does
it corrupt data only as an accidental by-product)?"  Granted, we've got
a lot more tools that have been developed since then, but if we were
put in that precise circumstance again by a different threat, I'm not
sure we're in a position to answer that question quickly and
accurately.  The best response to this that I've come up with is to do
on-site and off-site backups with near-religious fervor (including
verifying them) and to use tools like tripwire regularly.  But I'm not
satisfied that this adequately addresses the problem of answering that
same question under severe time pressure.

---Rsk
Rich Kulawiec
rsk@gsp.org

----- End forwarded message -----

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de