On Tue, 03 Feb 2004 07:11:49 EST, Larry Seltzer <larry@xxxxxxxxxxxxxxxx> said:

> First, it's dated 1/28, the day MyDoom.B was discovered, and the message sent field says
> that too; other dates in the headers disagree.

Oh, like the fact that a lot of mail servers were getting pounded by MyDoom.*A* doesn't mean that there could be delays along the line? (Remember to add in the timezones - at least some of the boxes are running in GMT not EST5EDT).

> Second, and more to the point, it takes an extreme view of MyDoom.B that
> nobody else is supporting, including the sources they cite. MyDoom.B is a flop.

OK. So let's see. We've got one highly successful virus (MyDoom.A) on the loose at the time of writing, another variant that's essentially identical except for the target, and no clear indication why this one *shouldn't* take off as well.

Yes, it took an extreme view that nobody is supporting *NOW*. Now isn't last Wednesday night, when there wasn't a week's worth of hindsight. Yes, it fizzled. Please point us at the information available to the CERT guys *at the time* that proves there was *no* way that MyDoom.B could possibly ever be a real threat.

What would you have the CERT guys do, *not* send the advisory just because they aren't 100% sure at the time?

I suppose you also understand why MyDoom-A was huge and Dumaru-whatever that showed up 2 days before was a yawner. Also, note that I got more copies of Dumaru in the first 2 hours of THAT one than I got *total* of MyDoom-A - so based on the first 2 hours from where *I* am, Dumaru was looking like a much bigger event.

> Am I misreading something? Did anyone else get this on 1/28?

Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20]) by outgoing2.securityfocus.com (Postfix) with QMQP id B5ECF8F5D0; Mon, 02 Feb 2004 12:27:56 -0700 (MST)
Received: (qmail 11614 invoked from network); Thu, 29 Jan 2004 00:11:38 +0000
Date: Wed, 28 Jan 2004 19:12:09 -0500

Looks like some delay there.
But it was already at SecurityFocus's qmail within seconds (the Date: is actually 31 seconds ahead of the Received: once you allow for timezones - somebody isn't using NTP ;)
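The timezone arithmetic behind the header comparison above, as an added example that is not part of the original message: it normalises the three quoted header timestamps to UTC and reports the gap at each hop, where a negative gap indicates clock skew rather than transit time. The function names `header_time_utc` and `timeline` are hypothetical helpers written for this illustration.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# The three header lines exactly as quoted in the message, newest first
# (each relay prepends its Received: line above the existing headers).
HEADERS = [
    "Received: from lists2.securityfocus.com (lists2.securityfocus.com "
    "[205.206.231.20]) by outgoing2.securityfocus.com (Postfix) with QMQP "
    "id B5ECF8F5D0; Mon, 02 Feb 2004 12:27:56 -0700 (MST)",
    "Received: (qmail 11614 invoked from network); "
    "Thu, 29 Jan 2004 00:11:38 +0000",
    "Date: Wed, 28 Jan 2004 19:12:09 -0500",
]


def header_time_utc(line):
    """Return the timestamp carried by a Date: or Received: line, in UTC."""
    name, _, value = line.partition(":")
    if name.strip().lower() == "received":
        # In a Received: line the timestamp follows the last semicolon.
        value = value.rpartition(";")[2]
    # Drop trailing comments such as "(MST)" before parsing.
    value = re.sub(r"\([^)]*\)", "", value).strip()
    return parsedate_to_datetime(value).astimezone(timezone.utc)


def timeline(lines):
    """Oldest-first list of (header name, UTC time, gap since previous hop)."""
    stamps = [(l.partition(":")[0], header_time_utc(l)) for l in reversed(lines)]
    result = []
    for i, (name, ts) in enumerate(stamps):
        gap = ts - stamps[i - 1][1] if i else None
        result.append((name, ts, gap))
    return result


if __name__ == "__main__":
    for name, ts, gap in timeline(HEADERS):
        note = ""
        if gap is not None:
            secs = gap.total_seconds()
            note = f"  gap {secs:+.0f}s" + ("  (clock skew)" if secs < 0 else "")
        print(f"{name:<9} {ts:%Y-%m-%d %H:%M:%S} UTC{note}")
```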