Vulnerability Development mailing list archives

Administrivia #8704 (I think we should just be friends)


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Sat, 6 May 2000 11:19:04 -0700


(warning, long)

M J wrote:

<for the moderator>
Can this be the last of this thread please?  Looking for
additional news and surfing CNN/ZDNET/etc regarding this
virus really doesn't seem to have any bearing on developing
vulnerabilities or the like.

hmmm....just look thru SecurityFocus.com news and follow
the links.

Well, that's a really good point.

When a major problem like this crops up, this list (like many
other security-related lists) tends to go into Emergency
Broadcast Mode (beeeeeeeeeeeeeeeep.)  This is due mostly to
an assumption on my part that most of the subscribers (like
me) actually have the real job of protecting stuff, rather than
breaking it.  Perhaps a bad assumption.

I like to think that we do/can go a bit beyond most other
lists in terms of technical detail, and absolutely do
better than any of the traditional media sources.  Bugtraq
is as full disclosure as we are, but doesn't allow for the
discussion (one of the main reasons I wanted to start this
list.)

I do consider taking a peek at the latest worm/trojan/virus
making the rounds on-topic.  There's usually some interesting
technical bit.  Sadly, I'm stuck, like the media, with defining
"interesting" as whatever is getting the most attention.  For
evil code, that is maybe one definition of "success."  Naturally,
I would advise against releasing new malware, unless you really
want to have a $10 Billion (yes, United States "B") damages
charge stuck to you, and have every law enforcement group in the
world looking for you.   However, if you insist, you can probably
get pointers here.  My personal set of morals draws a thin line
between doing exploits, for which the problem exists with or
without you, and writing malware, which DOESN'T exist until
you create it.  Don't get me wrong... I've written a couple
of toy viruses myself, and I fully support your right to write them.
I just question the individual who actually releases them in the
wild.

Now, there's a difference between handing everyone the code to do
with as they need, and beating the horse to death and converting
the list into a prevention list.  I need help determining where
to cut it off.  If you care one way or the other, shoot me
(not the list) a note with your thoughts.

Moderation over the last couple days:  In the last two days,
I've received about 2000 emails... the vast majority of
which were bounces, errors, and mail gateways with virus
scanners informing me that I sent out a "virus".  Yeah,
thanks for the info. :)  That means in the future, I will
be trying to do a better job encapsulating bad code to
avoid setting those off, for the sake of my mailbox.  The
zip with a password seemed pretty good... only a couple
gateways refused to let in a zip that they couldn't open.

This also means that I was probably sloppy and over or
under selective about what I let through.  If your note
didn't get posted, especially if it was on a regular topic,
then I probably accidentally deleted it in the middle
of a 300 message block of errors or something.  If you
sent a note to the effect of "yeah, me too." or "Outlook
sucks." then I probably declined to send it through.

I also let through a bunch of messages about how to fix
the damn thing.  These are really off-topic, but some were
really good or provided good pointers to info.  I'll start
dropping these now (and I've already dropped a bunch.)
However, if there's something I like (and sorry, you're
stuck with my judgment) I may let it through for the next
day or two.

For example, I let through a thread regarding the follow-the-sun
nature of the thing.  I thought that was very interesting, and
relevant to worm behaviour in general.

OK, I'll shut up now.  Basically, if you think I should
just have sent through the code, and then dropped the
discussion, shoot me a note.  Back to breaking stuff.

                                BB

