[Cryptography] The Bob Morris worm

Tom Mitchell mitch at niftyegg.com
Sat Apr 21 12:42:50 EDT 2018


On Fri, Apr 20, 2018 at 3:09 AM, Jerry Leichter <leichter at lrw.com> wrote:
>
>>> In case we forget it, that worm
....
>> Well, that worked well enough for the Mirai worm in 2016. Quoting from
>> the Wikipedia page, Mirai scanned ranges of IP addresses and "identifies
>> vulnerable IoT devices using a table of more than 60 common factory
......
>
> You see, the Morris

One of the lessons of the Morris worm smacked a lot of responsible Unix developers upside the head and embarrassed the heck out of them. Embarrassment does not seem to be getting the attention of IoT device vendors, and the hardware is too inexpensive for the CEO or chancellor of the university to write a memo and read the riot act to the manager of these shared resources.

What I take from this is that there needs to be some leverage to require IoT device vendors to act on security bug reports made to responsible agencies. Embarrassment is not enough. Devices below some value, too inexpensive to maintain, need to open or escrow their software and maintain an update service for at least a decade.

Legal framework...

National services like the DHS should mirror updates and minimize the risk of traffic-generating download sites that also piggyback malware/adware and cruftware. National agencies might constrain themselves to a file verification service where a strong checksum like SHA-2, SHA-3 or ____ can be matched to a download object.

i.e. enter "a7e8a03b8b0313744c382d010405282a" and the service returns "md5sum of PasswdSafe-chrome-6.10.0.zip from SourceForge Apr 21, 2018". The details are open to review, but it is a risk to download a package from a site and also trust the verification sum from the same site. The services being "lightweight" allows a modest amount of dedicated hardware. The likes of Google, Apple, Amazon, Microsoft, Netgear, etc. need not serve bits for the competition, just ID a package. The content is almost static and might run on a read-only resource.

Entering something like "bc03fd52652420a1e29192671909d489" should return "Unknown". In the case of packages with known problems the service should return "Contains-virus", "Obsolete-has-fixed-bugs", etc.

Registering an update service with multiple validation services might notice problems quickly enough to minimize risks. Kaspersky does notice that packages are old but then offers to update them, which is an improvement for some but a risk at another level.
-- 
  T o m    M i t c h e l l
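Added example (not code from the thread or from any of the services it mentions): a small Python model of the lookup-and-status service the post describes. The client hashes the bytes it actually received, then asks several independent registries, so the download site never vouches for itself; the response is the package identity, "Unknown", a problem status such as "Contains-virus", or "Conflict" when registries disagree. The registry names, package names, statuses and the sample blobs are all constructed for illustration.

```python
"""Independent file-verification lookup: map a digest to a package identity.

Added example, not code from the mailing-list thread. Registries, package
names and the blobs they describe are constructed here for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Digest algorithms a registry will record. Hex length alone cannot tell
# SHA-256 from SHA3-256, so each record carries the algorithm used.
DIGEST_ALGOS = {"sha256", "sha3_256", "sha512", "md5"}


@dataclass(frozen=True)
class Record:
    algorithm: str   # which hash produced the digest
    package: str     # e.g. "PasswdSafe-chrome-6.10.0.zip"
    source: str      # where the package was published
    status: str      # "OK", "Contains-virus", "Obsolete-has-fixed-bugs", ...


class HashRegistry:
    """One verification service: a read-mostly map from hex digest to Record."""

    def __init__(self, name: str):
        self.name = name
        self._records: Dict[str, Record] = {}

    def register(self, data: bytes, algorithm: str, package: str,
                 source: str, status: str = "OK") -> str:
        if algorithm not in DIGEST_ALGOS:
            raise ValueError(f"unsupported digest algorithm {algorithm!r}")
        digest = hashlib.new(algorithm, data).hexdigest()
        self._records[digest] = Record(algorithm, package, source, status)
        return digest

    def lookup(self, hex_digest: str) -> Optional[Record]:
        # Hex digests are case-insensitive; reject anything that is not hex.
        key = hex_digest.strip().lower()
        if not key or any(c not in "0123456789abcdef" for c in key):
            raise ValueError("digest must be a hex string")
        return self._records.get(key)


def verify_download(data: bytes, registries: List[HashRegistry],
                    algorithm: str = "sha256") -> dict:
    """Ask several independent registries about one downloaded object.

    The digest is computed locally from the bytes actually received, so the
    download site is never the party vouching for its own package.
    """
    digest = hashlib.new(algorithm, data).hexdigest()
    hits = {r.name: r.lookup(digest) for r in registries}
    found = {name: rec for name, rec in hits.items() if rec is not None}
    if not found:
        return {"digest": digest, "status": "Unknown", "package": None}
    packages = {rec.package for rec in found.values()}
    if len(packages) > 1:
        # Two registries naming different packages for one digest is itself
        # a signal worth surfacing rather than silently picking one.
        return {"digest": digest, "status": "Conflict", "package": None,
                "claims": {n: r.package for n, r in found.items()}}
    # Any registry flagging a problem outranks an "OK" from another.
    problems = [rec.status for rec in found.values() if rec.status != "OK"]
    status = problems[0] if problems else "OK"
    return {"digest": digest, "status": status, "package": packages.pop(),
            "vouched_by": sorted(found)}


# --- Constructed sample data: these blobs stand in for real packages. ---
GOOD_BLOB = b"constructed: contents of a hypothetical PasswdSafe-chrome-6.10.0.zip"
BAD_BLOB = b"constructed: contents of a hypothetical trojaned installer"
MYSTERY_BLOB = b"constructed: something nobody has registered"

REGISTRY_A = HashRegistry("national-mirror")      # hypothetical service
REGISTRY_B = HashRegistry("vendor-id-service")    # hypothetical service
for reg in (REGISTRY_A, REGISTRY_B):
    reg.register(GOOD_BLOB, "sha256", "PasswdSafe-chrome-6.10.0.zip", "SourceForge")
# Only one registry has noticed the problem with the second package.
REGISTRY_A.register(BAD_BLOB, "sha256", "installer-1.0.exe", "mirror-x")
REGISTRY_B.register(BAD_BLOB, "sha256", "installer-1.0.exe", "mirror-x",
                    "Contains-virus")

if __name__ == "__main__":
    for blob in (GOOD_BLOB, BAD_BLOB, MYSTERY_BLOB):
        print(verify_download(blob, [REGISTRY_A, REGISTRY_B]))
```

Querying more than one registry is what makes the "multiple validation services" idea from the post concrete: a single service can only answer Known or Unknown, while two independent ones can also expose disagreement about what a digest names.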
