Full Disclosure mailing list archives

RE: Re: DoomJuice.A, Mydoom.A source code


From: "Nick Jacobsen" <nick () ethicsdesign com>
Date: Tue, 10 Feb 2004 08:05:50 -0800

Now Nick, don't take this wrong...  but this seems to me to be a case of
closing the barn door after the f***ing horses already got away.  The
source code is now freely available from many sites, so why not share
with someone who at least seems a bit professional?
 
As for the source code, Riad...  check the following link:
http://www.astalavista.com/index.php?section=dir&id=84
 
Now, I don't generally recommend that site, but hey...  if they got it,
use it...

        -----Original Message----- 
        From: Riad S. Wahby 
        Sent: Mon 2/9/2004 8:29 PM 
        To: full-disclosure () lists netsys com 
        Cc: 
        Subject: [Full-Disclosure] Re: DoomJuice.A, Mydoom.A source code
        
        

        Mr. FitzGerald,
        
        Nick FitzGerald <nick () virus-l demon co uk> wrote:
        > I can see how it could be used as an invaluable _publicity_ aid for
        > attracting folk to the class.  However, as a teaching aid, it is highly
        > unlikely to be of much more or less value than the source of any of
        > dozens upon dozens of other malwares, and that value would be very
        > low...
        
        People won't be attracted to the class based on the source code I'm
        presenting, as they won't know about it beforehand.  To be sure, the
        source to any old virus would in fact work, and I will certainly
        consider many others as well in deciding the specifics of the
        curriculum.  My intent is to emphasize material taken from issues that
        attendees can relate to directly; undergrads are extremely unlikely to
        have much personal experience at all with Robert Morris's 1988 worm.
        
        > Unless you are planning on teaching malware _writing_?
        
        Of course not.  The seminar deals with the mechanisms, targets, and
        psychology of a malware pandemic.
        
        > For folk interested in work in the antivirus and related security
        > fields, source code is all but worthless.  We rarely have the source
        > code of the malware we have to analyse -- at least, we rarely have it
        > in advance of, or concurrent with, having to do such analyses.  Reverse
        > engineering is the name of this game and source code is then useless
        > -- if you have source you need not reverse and if you must reverse you
        > would not have the source...
        
        The class in question is not about reverse engineering.  It discusses
        not the response and interdiction from AV companies et cetera, but the
        underlying social and technical infrastructure upon which viruses and
        their authors rely.
        
        > Also, from a purely pedagogical perspective (I majored in Psychology
        > and Education), I find your claim that having the source of this
        > malware "could be an invaluable teaching aid" deeply suspicious.
        > Teaching from the specific is generally superficial, less long-lasting
        > and generalizes much less well than providing a good theoretical
        > grounding in the subject matter.  Could you expound the theoretical
        > applications that presenting this specific malware's source code to
        > your class would illustrate especially well?
        
        Clearly one must also recognize the importance of providing
        particulars in which to couch the theoretical.  Of course, I'm not
        going to hand out pages of source and say "this is it kids, study up."
        Instead, general claims will be augmented with carefully chosen,
        specific examples.
        
        > Finally, whether you obtain this code or not, what aspects of the
        > ethics of possessing, handling, distributing, etc such code will you
        > be teaching?
        
        This is obviously an important topic, and one that I will go to great
        lengths to stress.
        
        > Personally, I doubt they will be substantial (or even present) as
        > your initial approach to obtaining the code shows a serious lack of
        > concern for some significant ethical issues straight off...
        
        I asked people to email me personally; in doing so, I was attempting
        to contact those who might be of assistance.  Moreover, by attempting
        to do so in a personal context (off-list) I've implied that I'm
        willing to confirm my identity and describe in greater detail my
        intentions.  As far as I can tell, I have ignored no "ethical issues"
        in attempting to establish a dialogue with those who might help me.
        
        > And what controls will you be placing on your students obtaining,
        > copying, etc the code?  Given your brazenly open and "uncaring" request
        > here, why should we expect that you will take any special care with the
        > code and its further distribution to and among those taking your class
        > and their room-mates, buddies and other contacts?
        
        As I will neither be distributing code in electronic form nor handing
        out intact code listings, there is little danger that my students will
        be able to assemble a virus based solely on what I provide.  More to
        the point, and to be quite frank, this is MIT.  The students here
        don't need someone else's source code to write an email virus; they
        would, however, be well served to be shown examples germane to the
        modern virus "landscape."
        
        My request was brief and to the point so as not to waste the time of
        those it did not concern (a topic on which others might use a lesson
        or two).  Your claim that it was "uncaring" is completely without
        basis in fact.  It was an open request because I have nothing to hide.
        It gave enough information to make initial contact with those who
        might help me without unduly taxing the schedules of those who cannot
        or will not.
        
        Mr. FitzGerald, I've read many of your posts to full-disclosure, and I
        am familiar with the apparent intensity of your personality.  Clearly,
        vigilance in matters such as these is not only appropriate, but
        required.  On the other hand, your surplus of zeal in responding to my
        message might be viewed by some as an attempt to quash the responsible
        academic study of an issue of ever-increasing import, or contemptuous
        holier-than-thou proselytizing based on a questionable interpretation
        of my intentions.  In the future, I encourage you to temper your tone
        in order to prevent such misunderstandings.
        
        Sincerely,
        
        --
        Riad Wahby
        rsw () mit edu
        MIT VI-2 M.Eng
        
        _______________________________________________
        Full-Disclosure - We believe in it.
        Charter: http://lists.netsys.com/full-disclosure-charter.html
        


