And, contrary to one other post on the topic,
it shouldn't be too hard to perform a trial run:

If one made the worm's code modular enough
that one could plug in a variety of "victim finding" code
stubs.

This way, one could plug in a fixed list of targets
(which one owned oneself, so that one could watch how
they responded).

Once one had the field test working one would then replace 
the stub with real "victim finder" code and away it goes...

Advantage: better testing.
Disadvantage: what if people detect the trial runs?

Ummmm actually, as a sysadmin I think I might swap the
Advantage/Disadvantage there!
:)

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of jkm
> Sent: Monday, 20 October 2003 2:02 p.m.
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] AT&T early warning system
> 
> 
> 
> On 18 Oct 2003 12:27:23 -0400, "Hoho" <[EMAIL PROTECTED]> said:
> > On Fri, 2003-10-17 at 22:44, jkm wrote:
> > > Quote 2:
> > > "AT&T saw anomalies in its network three to four weeks before that worm
> > > hit and was able to take certain precautions. "When the worm actually
> > > happened, AT&T's network did not take a hit,'' Eslambolchi said."
> > 
> > 
> > Doesn't it seem like they're trying to violate causality? If the worm
> > doesn't exist yet, then its associated traffic doesn't exist yet, hence
> > there's nothing to detect. Wonder what those 'anomalies' were. Seems no
> > more effective than just watching MS security patches and reading FD.
> > -- 
> > -- 
> 
> Yeah, I agree unless as other threads are saying, the worm author
> releases a test worm. I wonder if it would in fact catch script kiddies
> and other criminal traffic, thus actually acting as an intrusion
> detection system?
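The "what if people detect the trial runs?" question above has a concrete answer from the defender's side: a worm's target-discovery phase, whether a trial run or the real release, shows up in flow data as one source touching many distinct hosts on the same port in a short window. The following is an added example written for this page, not code from the thread; the flow records are constructed, and the sliding-window fan-out detector is a simplification of what a network operator's anomaly system would do.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: float   # seconds since epoch (constructed sample values)
    src: str
    dst: str
    dport: int


def find_fanout(flows, window=60.0, threshold=20):
    """Flag (src, dport) pairs that reach more than `threshold` distinct
    destination hosts within any `window` seconds.  Returns a dict mapping
    the flagged pair to the peak distinct-host count.  Assumes flows are
    sorted by timestamp, as exported NetFlow/IPFIX records usually are."""
    recent = defaultdict(list)     # (src, dport) -> [(ts, dst), ...]
    alerts = {}
    for f in flows:
        key = (f.src, f.dport)
        bucket = recent[key]
        bucket.append((f.ts, f.dst))
        # slide the window: forget contacts older than `window` seconds
        while bucket and bucket[0][0] < f.ts - window:
            bucket.pop(0)
        distinct = len({dst for _, dst in bucket})
        if distinct > threshold:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def sample_flows():
    """Constructed traffic: one fast sweep, one slow sweep, one normal client."""
    flows = []
    # fast sweep: 30 hosts on tcp/445 in 30 seconds -> should be flagged
    for i in range(30):
        flows.append(Flow(1000.0 + i, "10.0.0.5", f"10.1.0.{i + 1}", 445))
    # slow sweep: 30 hosts, one every 2 minutes -> stays under the 60 s window
    for i in range(30):
        flows.append(Flow(2000.0 + 120 * i, "10.0.0.9", f"10.2.0.{i + 1}", 445))
    # normal client: repeated web traffic to the same three servers
    for i in range(60):
        flows.append(Flow(2000.0 + i, "10.0.0.7", f"10.3.0.{i % 3 + 1}", 80))
    return sorted(flows, key=lambda f: f.ts)


if __name__ == "__main__":
    for (src, dport), n in find_fanout(sample_flows()).items():
        print(f"fan-out alert: {src} reached {n} distinct hosts on port {dport}")
```

The slow sweep is the instructive case: a patient scanner that paces itself below the window is invisible to this rule, which is why real deployments also keep longer-horizon counts per source.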

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
