0xDECAFBAD

It's all spinning wheels and self-doubt until the first pot of coffee.

White Hat Worms and robots.txt?

Or maybe it's time to release our own Defender.A worm which could invasively close down the relevant "holes" in Internet security. A defensive worm could use standard intrusion tactics for benign result. For example, it could worm its way into Windows XP computers and get the owner's permission to turn their firewalls on. It could survey open TCP/IP ports and offer to close them.

So, anger is my first reaction to the idea of any unwelcome visitors on any of my machines, well intentioned or not. I’m sure that there aren’t many who wouldn’t feel the same way. But, although a lot of us try to keep up on patches and maintain decent security, there’s the “great unwashed masses” who just want to “do email”.

On one hand, it’s easy to say, “Tough. Learn the care & feeding of your equipment.” Yeah, as if that will help or get any response from all the people who’ve bought into AOL and have been reassured for years that computers are friendly and easy beasts (despite their intuitions to the contrary). Hell, I’d bet that, more often than not, the same person who gets regular oil changes and tune-ups for the car has no idea how to do the equivalent for a computer (or that it even needs it). Cars have been positioned differently than computers. No one expects a Spanish Inquisition when they live in a virtual preschool of a user interface with large and colorful buttons and happy smiling faces. They know there’s some voodoo going on underneath, but the UI tells them that it’s nothing to worry about (until it isn’t working: http://www.decafbad.com/blog/geek/not_working.html).

Now if the problem was just that stupid users ended up with broken computers, there’d be no problem. But, like cars with problems waiting to happen (like worn down tires), their users become a hazard to others. Unlike cars, however, the problems of stupid users’ computers are contagious and self-replicating: every tire blowout becomes a 1000 car pileup.

It’s like everyone sits on their recliners watching TV in their houses; not even realizing that there are doors to lock; not even hearing the intruders rummaging through the fridge in the kitchen; and certainly not knowing that there’s a guy sleeping on the sofa at night, working by day to let his army of clones into the neighbors’ houses.

So, what about vigilante “white hat” worms? Wouldn’t it be nice if there was a guy wandering the neighborhood locking doors for the ignorant? Wouldn’t it be nice if there was a truck driver on the road that forced cars with bald tires off to the side for free tire replacement? Okay, maybe that’s a bit whacky, but then again, people with bald tires aren’t causing 1000 car pileups.

I’m thinking that “white hat” virii and worms are one of the only things that will work, since I’m very pessimistic about the user culture changing to be more responsible. Though, what about a compromise? Install a service or some indicator on every network-connected machine, somewhat like robots.txt (http://www.robotstxt.org/wc/robots.html), which tells friendly robots where they’re welcome and where they’re not. Set this to maximum permissiveness for white hat worms as a default. The good guys infect, fix, and self-destruct unless this indicator tells them to stay out. Then, all of us who want to take maintenance into our own hands can turn away the friendly assistance of white hat worms. It’s an honor system, but the white hats should be the honorable ones anyway. The ones which ignore the no-worms-allowed indicator are hostile by definition.
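The opt-out check described above, sketched with Python's standard robots.txt parser as an added example (not code from the original post). It shows the permissive default, a per-agent opt-out, and that the answer is only advisory because the agent name is self-declared. The agent name `whitehat-fixer`, the areas `/firewall` and `/ports`, and the three sample indicators are constructed assumptions.

```python
from urllib.robotparser import RobotFileParser

AGENT = "whitehat-fixer"          # hypothetical agent name (assumption)
AREAS = ["/firewall", "/ports"]   # hypothetical maintenance areas (assumption)

# Constructed sample indicators, written in robots.txt syntax.
NO_INDICATOR = ""                                  # owner never touched it
STAY_OUT = "User-agent: *\nDisallow: /\n"          # owner opts out entirely
PARTIAL = (
    "User-agent: whitehat-fixer\n"
    "Disallow: /ports\n"          # may fix the firewall, must not touch ports
    "\n"
    "User-agent: *\n"
    "Disallow: /\n"               # every other robot: stay out
)


def is_welcome(indicator: str, area: str, agent: str = AGENT) -> bool:
    """Ask the host's indicator whether `agent` may act on `area`."""
    rp = RobotFileParser()
    rp.parse(indicator.splitlines())
    # No matching rule means "allowed": the permissive default the post wants.
    return rp.can_fetch(agent, area)


def plan(indicator: str, agent: str = AGENT) -> dict:
    """Split the areas into those an honoring agent acts on and those it skips."""
    allowed = [a for a in AREAS if is_welcome(indicator, a, agent)]
    return {"act": allowed, "skip": [a for a in AREAS if a not in allowed]}


if __name__ == "__main__":
    for name, text in [("none", NO_INDICATOR), ("stay out", STAY_OUT),
                       ("partial", PARTIAL)]:
        print(f"{name:9} {plan(text)}")
    # The agent name is self-declared, so any program presenting the same
    # name receives the same answer: the indicator records the owner's
    # wishes, it does not authenticate or block anyone.
    print("same name, other program:", plan(PARTIAL, "whitehat-fixer/9.9"))
    print("unlisted robot:          ", plan(PARTIAL, "other-bot"))
```

Because the check runs inside the visiting program, a host that opts out still needs its own enforcement (firewall, patching); the indicator only tells honoring agents what the owner wants.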

So, then, the internet develops an immune system. Anyone can release a white hat worm as soon as they find an exploit to be nullified, and I’m sure there are lots of geeks out there who’d jump at the chance to play with worms and virii in a constructive way. And if you want to opt-out of the system, go for it. Hell… think of this on a smaller scale as a next-gen anti-virus software. Instead of internet-wide, just support P2P networks between installations of your anti-virus product. When it’s time to close a hole, infect your network with a vaccinating update. I doubt this would work as well as a fully open system, but it might have less controversy.

Anyway, it’s a whacky idea for a whacky problem that just might work.


Archived Comments

  • How would a system tell the difference between white hat and black hat worms or virii when they arrive? Distributed trust network?
  • Well, my incredibly naive idea is this: White hats knock (i.e. contact a known local service), and go away if told to. Black hats sneak in the back door as usual.
  • I think this is a bad line to cross. It's harder to argue against RIAA worms when you're supporting other "good causes" worms. Unfortunately I don't have any great alternative ideas. Get the OEMs to bundle ZoneAlarm lite? (Get ZoneAlarm to make a version that's tweaked to scare clueless users into paranoid fears?)
  • Hmm, maybe. Though I'd still say that, if worms sent out by the RIAA don't go away when told, they're rogue. The only worms with white hats are the ones that stop other worms and virii. Anything else is unwelcome, and subject to neutralization by other worms. Hmm. But yeah, lots of issues and it's a very naive idea.
  • I actually thought your idea was awesome... just send out worms to fix security holes and they respect your no worms directive unless you specifically allow them in... nice site, I'll come back later.
  • Another thought: have a site that tests the holes in your computer when you ask it to. Then you need someone like EFF to promote it. But at least it's a 1-stop-shop.
  • Another step back: aren't pretty much all the victims of these big worms users who click on email attachments? (Sorry if that's a stupid question, I haven't been paying close attention to the technical coverage of the latest infections...)
  • What happens if I'm running some private protocol on a port and this comes along and tries to send some other random data and breaks things? Not a good idea.