Kuro5hin.org: technology and culture, from the trenches
Being a Good Samaritan online

By Signal 11 in Culture
Mon Nov 20, 2000 at 01:19:49 PM EST
Tags: Security

Being a Good Samaritan online is a lot harder than it looks. For many of us who work on networks and systems it is pretty much inevitable that at some point we will be involved in some way with a systems compromise, or a potential one. What if you find a problem with someone's system? Say someone scans your system, you decide to respond, and you discover that some ISP in Iowa has had several systems on their network compromised: do you make the call?


"Hackers, those young computer jocks who trespass, explore and sometimes manipulate forbidden systems with adolescent glee, do present a security problem. But it's tangential to the real dilemma: we entrust too much valuable information to systems that simply can't ensure safety...Strong computer security is extremely hard to implement and requires eternal, almost obsessive, vigilance to maintain. Even then, a clever intruder might discover a digital loophole... by flagging some of our vulnerabilities, they can actually help."
--Steven Levy.

There are two problems with computer security. One, it's not well understood, and two, people tend not to think rationally for several weeks after a compromise occurs - it is entirely possible that if someone, acting in good faith, sounds the alarm to the authorities that a system has been compromised, they will come under investigation and sometimes even be charged with a crime! Ignorance and full-on panic mode are a recipe for disaster, and these people are discouraging thousands of others from reporting genuine problems with the network.

People in the security industry generally hold that it is better to disclose a problem (exploit) publicly than to either sit on it and tell nobody (security through obscurity) or report it to the vendor and hope they get around to patching it. Many vendors will patch and say nothing, even more will not patch and/or assume it is a low priority "because none of our customers have reported it". Some vendors have even gone after the people reporting these problems - users who in their routine use of the product become aware of design deficiencies and oversights - charging them with breach of contract, electronic terrorism, and more.

These two problems combined make reporting a problem both "in the wild" and to lists like Bugtraq a dangerous proposition - there is no guarantee the problem will be fixed and a good probability that the person reporting the problem will be placed under investigation for a crime, a process for which the government will not reimburse you for lost time and equipment. All it takes is a phone call from a company manager and your life can be hell for months. Is it worth risking your livelihood, job, reputation, and time to try to help improve the state of the network? The resounding answer from our legal system is "No."

The question is, should you call anyway, even when there is a good chance you will be investigated and charged with a crime - for trying to help?

Further reading:
Good Samaritan squashes Hotmail lapse
Fast Net services vulnerable to hackers
Singapore: Security Holes In Web Services, Says Hacker.
Feds won't stand for Y2K Samaritan hackers
Singapore: Is There Such A Thing As A Good Hacker
New Zealand: It's Time All Hackers Were Prosecuted
Two Views of Hacking

Poll
Would you make the call?
o Yes, even if I could get in trouble. 18%
o Yes, but only if there was a law to protect me. 24%
o No, I don't want a girlfriend named Bubba. 11%
o No, it's their responsibility not mine. 8%
o I'm from Canada, our country doesn't suck like that. 16%
o 1 wi11 0wn j00 81tch @$$! 21%

Votes: 142



Being a Good Samaritan online | 46 comments (33 topical, 13 editorial, 4 hidden)
anonymity (3.70 / 10) (#13)
by noahm on Mon Nov 20, 2000 at 01:25:40 PM EST

Do any good, trustworthy anonymous re-mailers still exist, or have they all given in to legal pressure to provide government with their user info and/or gotten overrun by spammers?

I'd feel a whole lot better about reporting such a problem if I could do so anonymously. I suppose that could make me look even more suspicious to a company, but if I have reason to believe that they'll prosecute me, I don't want to tell them where to find me.

One thing I might consider is using the spam tactic of sending my message by way of an open relay in some Asian country. It's not likely that the U.S. prosecutors are going to demand the server logs from a machine in Japan or Korea or some such country.

I wish we didn't need to be so paranoid. The way the companies see it, though, if you don't work for them doing some officially sanctioned work, then you're a criminal trying to break in. You wouldn't have known the door was unlocked unless you tried opening it, so you were obviously up to no good. It's unfortunate, but that's the way they see things.

noah

Why not (2.80 / 5) (#15)
by Quark on Mon Nov 20, 2000 at 01:47:25 PM EST

send them a little mail through a web based e-mail address? I'm not that much of a hacker, or better said, me no know squat about hacking, but can these web addresses be traced back to you personally?

So much bandwidth, so little time...
[ Parent ]
not anonymous (4.00 / 6) (#17)
by noahm on Mon Nov 20, 2000 at 01:58:22 PM EST

[why not] send them a little mail through a web based e-mail address? I'm not that much of a hacker, or better said, me no know squat about hacking, but can these web addresses be traced back to you personally?

It's actually not hard at all for a web based message to be traced back with a pretty good degree of accuracy. At least one of the major web mail providers (yahoo or hotmail) includes the IP address from which you are logged on to their system in the actual mail headers of all sent messages. This would allow somebody to know where you're coming from without even having to talk to the webmail provider. I'm sure all webmail providers would provide that info to the feds if asked.

noah

[ Parent ]

re: not anonymous (3.80 / 5) (#25)
by douper on Mon Nov 20, 2000 at 04:05:30 PM EST

It's actually not hard at all for a web based message to be traced back with a pretty good degree of accuracy. At least one of the major web mail providers (yahoo or hotmail) includes the IP address from which you are logged on to their system in the actual mail headers of all sent messages.

yes, but you could always use an open proxy... or a string of proxies to hide your IP address

[ Parent ]

That hurts (none / 0) (#44)
by Quark on Thu Nov 23, 2000 at 03:56:17 AM EST

I access my Yahoo accounts from work. Which means that they have the IP address of our firewall, which could cause the entire company to fall under suspicion. Tnx for the explanation.

So much bandwidth, so little time...
[ Parent ]
Yes, they can (3.50 / 4) (#26)
by Pakaran on Mon Nov 20, 2000 at 04:11:39 PM EST

Hotmail, for one, includes your IP address with the message. The best idea, I suppose, is to send the message using a web browser through remote login to a fairly busy server. I know a few people who do that at my school.

[ Parent ]
Of course there are anonymous remailers (3.66 / 6) (#19)
by agl on Mon Nov 20, 2000 at 02:07:18 PM EST

Try the MixMaster network, the best anonymous remailer system you are going to find, anywhere.

URL: http://www.obscura.com/~loki/remailer/mixmaster-faq.html

also, the upcoming O'Reilly on P2P networking book will have a short chapter on it (written by myself)



[ Parent ]
(not many topical posts?) (2.62 / 8) (#14)
by ramses0 on Mon Nov 20, 2000 at 01:43:00 PM EST

In cases like this, I'd definitely try to report it, but I might try obfuscating my identity. I've found that if you're honest with people, they're usually willing to work with you.

Every once in a while, anonymity is a good thing (too bad you're out of luck on K5).

The really tricky thing about online identities is that they are so available, their 'value' is approaching zero. I mean, it's pretty easy to make an account on scoop and tie it to a throwaway geocities account, which is effectively anonymous, because the value of that account is zero.

...but that's a topic for another day- does anybody want to write up an article about it? :^)=

--Robert
[ rate all comments , for great justice | sell.com ]

Anonymity on k5 can be had. (2.50 / 6) (#20)
by your_desired_username on Mon Nov 20, 2000 at 02:18:55 PM EST

If one is willing to work for it.

A sufficiently careful person (not me:-) could set up a k5 account with no clear connection to their real identity.

[ Parent ]
Real Life comparison (3.66 / 3) (#31)
by douper on Mon Nov 20, 2000 at 05:43:16 PM EST

If you walk into a store somewhere and say "hey I saw some kids on your roof throwing rocks at people on the street" it's rather anonymous.

On the Net, when you talk to anyone, the first thing you leave is your nick, email address, homepage, ip address etc. stuff that can be used very easily to find you.

hell, if you've got a halfway not common nick, put that into a search engine, and see what you can find that you forgot you said or did online a few years ago...

Unlike your face and voice, unless you have your home address tattooed on your forehead, it's hard to trace you, and you don't need to fear being punished, but then again you didn't have to climb on to the roof to see who was doing it=)



[ Parent ]

proof-of-concept code (4.00 / 9) (#16)
by ellF on Mon Nov 20, 2000 at 01:48:07 PM EST

"...the real dilemma: we entrust too much valuable information to systems that simply can't ensure safety..."

how entirely true. as a fledgling member of "the internet security community", i was surprised to not see mentioned a third and somewhat more effective method of dealing with an uncovered security exploit: proof-of-concept code. while vendors do seem to be notorious for not responding to an intellectual observation along the lines of, "hey, you guys should really do X and Y to prevent Z" - anyone remember the infamous "purely theoretical" l0pht-discovered microsoft exploit in '92? - they start listening when given a working bit of code that actually takes advantage of said exploit. it's a bit forceful, but a mature vendor is apt to be more interested in recognizing and fixing such a problem than "sitting on it".

~ellF~

It's tough not to get screwed ... (4.54 / 11) (#21)
by kostya on Mon Nov 20, 2000 at 02:38:16 PM EST

See this article on rootprompt ... this guy tried to help some people and they threatened him with legal action.

Security Etiquette

After reading this and some personal experiences of my own, I have decided to be very selective in my cyber-sleuthing and helping others. People seem to be unable to make mistakes. So if you alert them that something is wrong, they get all ridiculous on you, threatening and posturing. I personally have had some great experiences, but the negatives are pretty hard to ignore.

The problem is that people approach security much like encryption: you are not allowed to look at my system. If you look at their systems, they immediately assume evil intent. The tools used by serious admins and crackers are very similar. Nmap for example. So people assume the worst--but that is because their livelihood is at stake. I found that most sysadmins are very appreciative--but only if you contact them directly. One company refused to give me direct contact with the guy I needed; the email asking them to look at a system because it was attacking my system was not received well. I can understand, because someone ended up looking stupid, but at the same time, as the sysadmin at that time, my top priority was shutting down the attacks.

Maybe some nice public contact info and the ability to actually get through (how many DNS records really point to the right guy?) would be a good solution. Then all of us in this together could keep in touch and help one another without bringing the suits into the equation. Business people fear what they do not understand--and security is often one of these things.



----
Veritas otium parit. --Terence
Re: It's tough not to get screwed (none / 0) (#41)
by erotus on Wed Nov 22, 2000 at 05:56:47 AM EST

I read the link you posted as well as all the comments. I've read multitudes of posts where good samaritans are charged with crimes, treated like criminals, or sued altogether. I have become very reluctant to go as far as the sysadmin in your "security etiquette" link. The masses are ignorant and so are most sysadmins. The good sysadmins are getting it up the bootie because the rest of the dumbasses had no idea you could telnet to port 25!!! I've known sysadmins who were shocked that you could do that. I will do a traceroute, whois, nslookup, and that is all if I want to help. I will NEVER use nmap or telnet into the attacking machine to find more info. It has become harder and harder to be a good samaritan.

One of the comments in the "Security Etiquette" link mentioned a man who rescued his neighbor from being raped but accidentally broke her wrist in the rescue. She sued Mr. good samaritan! I don't know about you, but this world is becoming a hostile place. More incidents like this and nobody will be helping anybody!

[ Parent ]
Most times they welcome it Sometimes they don't (4.44 / 9) (#22)
by Eric_ on Mon Nov 20, 2000 at 03:23:52 PM EST

In the course of doing my job I have found a lot of systems from other networks compromised. Either the compromised system scanned my network or someone tried to exploit my sandbox from a compromised system. This is usually how I'm able to find other compromised systems.

Because I despise spammers and crackers - script kiddies I have setup a sandbox wide open on my network and very very visible. (geee like most systems on the internet) When a person hits the sandbox (Sandbox is to emulate an Internet environment/Operating System as realistically as possible while maintaining isolation from the real OS and the rest of the network. This way the cracker thinks he has control of the system, but in reality does not) I'm able to see every move he makes and what exploit he is using and where he is coming from. I guess you can call it entrapment.

Because I know what he is up to and where he is coming from, I'm able to give a very good guess whether the system he is on is compromised or not, either way I pick up the phone and start making calls. And so far every one of those systems was compromised and the sysadmins were very grateful for the information I gave them, except one.

That one exception was from a sysadmin in Poland, now either he was compromised and did not want to hear the truth or he was the one trying to break into my system. Either case this person was very irate once I told him the news and even threatened me. But after that call I have had no problems from that system since. (things that make you go hmmm) So I considered that I did do the right thing.

I think it is our duty (our being Network admins and Sys admins around the world) to share this information so that we may slow down this type of activity and stay one step ahead of the black hats. If we do not, it just makes our job that much harder.

Cheers,
Eric


"Pico When I'm Drunk Vi When I'm Sober"
cuckoo's egg (3.50 / 6) (#24)
by unstable on Mon Nov 20, 2000 at 04:02:03 PM EST

by Cliff Stoll.

If you haven't already read this book then you should now.
It tells of Cliff's discovery of a small accounting error (less than a dollar) that led to him discovering that a cracker from Germany, hired by the KGB (i think it was KGB), trying to access data from US military computers, and his problems and solutions he came up with that led to the capture and conviction of said cracker.

....

I feel that the type of data you detect coming from another machine should dictate your reaction... if it's a port scan a simple e-mail saying "hey, I was just scanned by your machine and am checking up on it" is fine but a more serious attack (attempts at root, buffer overflows etc) require an "Hey what's up, you need to find out what's going on and stop this" along with examples of logs, etc.





Reverend Unstable
all praise the almighty Bob
and be filled with slack

Cuckoo's Egg (3.33 / 3) (#30)
by Eponymous, Showered on Mon Nov 20, 2000 at 05:11:53 PM EST

Yes, but Mr. Stoll was an employee responsible for his own (university's) system. Signal 11 is talking about probing others' systems "as a favor." I see a major distinction there.

[ Parent ]
thanks for the recommendation (none / 0) (#46)
by gmhowell on Tue Nov 28, 2000 at 12:37:15 PM EST

Picked it up last night at the local Borders. Read the first 250 pages, before succumbing to sleep. Can't wait to finish it tonight.

This would have made a MUCH better movie than the Net and many others loosely related to the topic.


When I used a Mac, they laughed because I had no command prompt. When I used Linux, they laughed because I had no GUI.
[ Parent ]
they did make a movie (none / 0) (#47)
by vsync on Wed Jan 03, 2001 at 02:26:50 PM EST

I think it was "Nova" that did it.

--
"The problem I had with the story, before I even finished reading, was the copious attribution of thoughts and ideas to vsync. What made it worse was the ones attributed to him were the only ones that made any sense whatsoever."
[ Parent ]
Report; don't investigate (much) (4.00 / 7) (#28)
by gbroiles on Mon Nov 20, 2000 at 04:49:40 PM EST

I think it's a mistake to spend a lot of time or effort "investigating" a potentially compromised machine - your efforts will probably appear different from normal activity, and may arouse suspicion in people who aren't especially well-clued about security to begin with.

I do think it's neighborly to drop visible contacts a note letting them know that their machine(s) or network(s) are apparently being misused - and to remind them that you may choose to protect your own rights, if that misuse is directed at your machine(s) or network(s).

The exact nature and cause of that misuse - negligence in system administration or hostile intent - aren't really relevant to securing your own system (because you must assume that somewhere at the end of that chain, there's someone who does intend to hurt your system), and the owners/operators of the other machine are in a much better position to judge how much time and energy should be devoted to solving their problems, and figuring out exactly what the source of their problems are. The immediate problem might be a vulnerable daemon - but the ultimate problem is likely to be a lack of attention or budget for technical and security issues, and you can't fix that from outside.

Don't report a thing (3.40 / 5) (#33)
by KindBud on Mon Nov 20, 2000 at 07:22:33 PM EST

... if your only evidence is logs from some stupid PC firewall or lame DSL router. I get accused at least once a week of scanning some LUSER running ZoneAlarm or some el-cheapo DSL or ISDN router. The scans always come from one of my web servers, source port 80. I am tired of explaining how TCP works to Windows users who haven't a clue what their stupid little firewall gizmo is complaining about. Blinky lights != hack-attack. If the packets were blocked, don't sweat it, the thing is probably working as intended.

--
just roll a fatty

no (2.00 / 3) (#34)
by maketo on Tue Nov 21, 2000 at 12:03:58 AM EST

You turn the blind eye like 99.9% of your fellow "civilized" westerners do. Do not go into the discomfort of doing the right thing just because it might cause...oh God, problems for you. And yeah, forget about the immorality of what you are about to (not) do, the cowardice of it and of the double standard (sure, you would like to know if _your_ machine got compromised).
agents, bugs, nanites....see the connection?
Buffer between Good Samaritans and legal trouble. (4.63 / 11) (#35)
by Louis_Wu on Tue Nov 21, 2000 at 03:28:39 AM EST

It seems one way to mitigate the danger to 'Good Samaritans' is to have an EFF-like organization which would exist to help users/hackers report security problems to the proper people and organizations. This hacker-friendly organization (the Security Accountability Board, maybe?) would have several prominent, respected people associated with it to make it look legitimate to managers/lawyers/judges/the public.

These well-known people on the board should be from the Free/Open software community and software companies on the stock market (think Oracle, Microsoft, IBM, AOL, ...) to give it even more legitimacy. The advantage to having a MS VP on this hacker-friendly board is that MS would look really stupid prosecuting someone their own VP had helped.

I bet an example would get the juices flowing.

Say J. Random Network Admin, who codes for a GPL'd project in her off-time, sees someone try a rather amateurish exploit on her sandbox. She back-tracks the script-kiddie, and finds said script-kiddie is using a compromised system at the DoD. Now, she was completely reasonable in tracing the source of the sandbox attack, and only after she performed this function necessary to her duties as NetAdmin, did she realize that she herself had fooled around with a computer at the Department of Defense. The worry isn't immediate, after all, the box was compromised by a script-kiddie, so no-one at DoD is likely to notice her presence. But she does feel it her duty to report compromised systems to their admins; her only problem is that they might think she was looking for nuclear secrets or who really killed Kennedy. Her fear - for herself, her husband and children, her employer, and all of her friends who would be questioned in a National Security investigation - turns out to override her sense of duty; she doesn't report the compromised system. And she covers what tracks she can. A month later, CNN reports that a secret CIA memo details how military secrets were taken from a DoD computer - two weeks after she almost told DoD about their compromised security. J. Random feels guilty, and wonders if anyone will die because she didn't report a compromised box.

Now, if J.R. (who lives in Dallas, BTW :) could go to the SAB with her report, they might be able to confirm the compromised computer, and they could tell DoD that it had a problem. DoD would actually listen, because the SAB doesn't just talk to hear itself speak; DoD knows it has a problem. DoD fixes the problem, but it wants to prosecute the 'offender' who found this compromised system. SAB refuses to help DoD crucify a 'Good Samaritan'. DoD takes SAB to court (SAB needs lawyers and lots of money.), and SAB refuses to give the name over. A lawyer for SAB puts the CTO of Oracle on the stand, to give testimony on the aspects of network security as it relates to Good Samaritans. Being an Executive at a respected, mainstream software company, he is quite convincing: both in the details and the manner of his testimony, and in his credentials as a non-EvilHacker who knows computer network security. The judge or jury hear testimony from SAB experts about how network administrators routinely check out who is probing or trying to compromise their network, how that is sometimes in the job description, and that it is so common-place as to be routine. "Just because she was being attacked from a Department of Defense computer she is not supposed to defend herself? NO! She had to act to protect her network ... and her job. She didn't compromise the DoD computer, she was attacked from it! And she should suffer because she looked her attacker in the eye and identified him? I say, No!" After hearing such compelling testimony (Well, much more compelling testimony than that. I'm not much of an orator.), the judge or jury decide to tell DoD to not push its luck. They found out about the problem from a "nice guy", and not from a terrorist.

This is an extreme example. But extraordinary cases often help clarify the details of the ordinary cases. Maybe the compromised box only leads to the credit card information of 1000 Amazon users. ;)

Security holes happen, whether from mistakes, laziness, bad software, overwork, or really clever attackers. And the consequences of these holes, if exploited, grow as more of meat-space moves into the ether. Always on/connected windows boxes at home, the networked hospital ('The computer says you get an amputation.' "But I only need a few stitches!"), the stock traders, the company supply chain, air-traffic control, CIA/NSA/FBI/DoD branch offices networked to the main office - all of these have 'real' consequences of varying degrees if their security is breached. We NEED people to report any security problems discovered, almost without regard to the motives. (I suppose if an Iraqi terrorist said that he only got partial access to nuclear secrets, we might want to find and punish him. :) We need a way for people to report these security problems without being punished for the good deed.

( Oh, please don't think that the length of this comment has any bearing on the thought I've put into it. I wrote down the core idea in a paragraph, then back-burnered the thing for a few hours, then spent an hour fleshing it out and making it pretty. Take with a grain of salt. YMMV )


In conclusion, an organization which is separate from any one or two companies, and controlled by 'respectable' as well as 'fringe' members of the computing industry, could take great strides toward the ideal of all companies accepting security breach reports with a smile and a "Thank you, Ma'am." It wouldn't be easy, but nothing good is.

The only question I have now is: How do we do this?

Louis_Wu
"The power to tax is the power to destroy."
John Marshall, first Chief Justice of the U.S. Supreme Court

One way (4.33 / 3) (#36)
by kostya on Tue Nov 21, 2000 at 11:11:39 AM EST

One way to do this is to set up a registry that is blinded--i.e. one way. Sysadmins could register their contact information and the ip addresses they are responsible for. That way no one can see who belongs to what IP addresses--i.e. anonymous. Additionally perhaps the reports would be one way. That way there wouldn't be a public list of available backdoors into a certain network :-)

A system like this could allow everyone to register as users, supplying public keys, etc. Sysadmins could receive notifications on possible security problems discreetly and privately. Good Samaritans would have an easy way to log problems. When they log the problem, an encrypted email is sent to the sysadmin, notifying them of the problem. Limiting the notifications to registered users would help keep spam or false reports down. It might also lend credibility to the reporters ("If you are so innocent, why are you anonymous?"). This could allow reporters to be rated as well, giving them more credibility.

Reports could also be one-way to the reporters. Sysadmins could respond to the emails by posting back to the site. Reporters could then check in (or have it mailed encrypted back to them) periodically, allowing them to interact with sysadmins.

The main goal would be a reliable place for people to post potential problems that lends them some credibility as to NOT being a cracker in disguise.



----
Veritas otium parit. --Terence
[ Parent ]
You are wrong on a few points (4.25 / 4) (#37)
by scheme on Tue Nov 21, 2000 at 01:09:33 PM EST

People in the security industry generally hold that it is better to disclose a problem (exploit) publicly than to either sit on it and tell nobody (security through obscurity) or report it to the vendor and hope they get around to patching it.

The accepted procedure on bugtraq at least and probably most other places is to first inform the author/company that writes the program and give them time to fix the problem. If they don't respond or do anything in a reasonable time period[1] then you publish an exploit. It is fairly irresponsible to publish a brand new exploit without giving the authors of the program some time to fix the problem so that users aren't suddenly made vulnerable to every script kiddy in existence.

BTW, I believe that security through obscurity refers to not making source code or algorithms for your security programs available. I don't think it is typically used in reference to hiding exploits from the general public.

There are two problems with computer security. One, it's not well understood, and two, people tend to not think rationally for several weeks after a compromise occurs - it is entirely possible that if someone, acting in good faith, sounds the alarm that a system has been compromised to the authorities they will come under investigation and sometimes even charged with a crime!

If you're alluding to the recent story about the guy who got busted by the FBI for probing the Yankees' web site, I don't think that is a very good example to use. First, it was presented from only one party's point of view. He could have deliberately shaded his account so that it made the FBI seem to be the bad guys. Second, it was reasonable for the FBI to investigate him. Even if his scans were after the fact, he could have been the original cracker checking to see if his backdoors/rootkits were still in place. Third, the FBI's confiscation of his equipment was also somewhat reasonable. If he was the cracker then the FBI would need his equipment as evidence. In order to be able to use the evidence effectively in court without the defense killing their case, the FBI has to be able to prove that the evidence has not been altered or modified. The easiest way is to have the original equipment and a record detailing who did what to it and when.


"Put your hand on a hot stove for a minute, and it seems like an hour. Sit with a pretty girl for an hour, and it seems like a minute. THAT'S relativity." --Albert Einstein


Counter Niggle (3.00 / 1) (#39)
by Smiling Dragon on Tue Nov 21, 2000 at 10:23:14 PM EST

In response to your statement about vendors not hiding exploits from the public. I've seen my boss asked to first sign an NDA by Sun before they will address a particular problem (and yeah, the NDA makes it hard for me to rant specifically too <grumble>)


-- Sometimes understanding is the booby prize - Neal Stephenson
[ Parent ]
Not quite... (2.50 / 2) (#40)
by scheme on Wed Nov 22, 2000 at 12:50:58 AM EST

My point is that security through obscurity is usually not used in this context. It usually refers to keeping protocols or algorithms secret in order to prevent them from being cracked. It doesn't refer to hiding exploits or security breaches after the fact. I'm not saying that companies don't do this, because they do.


"Put your hand on a hot stove for a minute, and it seems like an hour. Sit with a pretty girl for an hour, and it seems like a minute. THAT'S relativity." --Albert Einstein


[ Parent ]
Aaah :) (none / 0) (#43)
by Smiling Dragon on Wed Nov 22, 2000 at 08:17:41 PM EST

I see your point now yeah.

I'd say the phrase was technically used correctly though. It _is_ maintaining security by hiding information...

-- Sometimes understanding is the booby prize - Neal Stephenson
[ Parent ]
Reporting intrusion attempts (3.00 / 1) (#45)
by dshield on Fri Nov 24, 2000 at 10:56:37 AM EST

One of the problems with reporting all those 'nasty' portscans is the time it takes to report and the time ISPs have to spend to respond.

Not only that. As this data is kept within a close circle (victim <-> ISP), others usually don't have a chance to learn from it.

I am currently trying to come up with a "clearing house" for firewall logs. See DShield.org for the current state of affairs. The idea is fairly simple:
Users e-mail firewall log excerpts to report@dshield.org (currently, Linux kernel logs and ZoneAlarm format are supported). They will be entered into the system. ISPs (or anyone else, for that matter) can search the database and assemble custom reports. Right now, only a 'top ten scanner' list is up. But more will come soon.

You can also use the data to just log out certain 'problem IPs'.
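As an added example (not DShield's code, nor anything posted in this thread), here is a small aggregator for the kind of Linux kernel firewall log excerpt the post says the clearing house accepts: it builds the 'top scanner' list, and first drops the reply traffic that KindBud's comment (#33) complains about being reported as attacks. The log lines, addresses and netfilter-style field names (SRC, DST, PROTO, SPT, DPT, SYN/ACK) are constructed for the example, and treating UDP traffic from source port 53 as a solicited DNS reply is an assumption, not a rule from the post.

```python
import re
from collections import defaultdict

# Constructed firewall log excerpt in Linux kernel (netfilter) format; the
# addresses and lines are made up for the example, not real submissions.
# Line 7 is a web server's reply (source port 80, ACK only), line 8 a DNS
# reply (source port 53), line 9 is not a firewall entry at all.
SAMPLE_LOG = """\
Nov 24 09:12:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=44 TTL=48 ID=1 PROTO=TCP SPT=3211 DPT=111 SYN
Nov 24 09:12:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=44 TTL=48 ID=2 PROTO=TCP SPT=3212 DPT=21 SYN
Nov 24 09:12:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=44 TTL=48 ID=3 PROTO=TCP SPT=3213 DPT=111 SYN
Nov 24 09:15:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.10 LEN=78 TTL=110 ID=4 PROTO=UDP SPT=1029 DPT=137
Nov 24 09:16:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 LEN=44 TTL=48 ID=5 PROTO=TCP SPT=3214 DPT=111 SYN
Nov 24 09:20:17 gw kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.11 LEN=78 TTL=110 ID=6 PROTO=UDP SPT=1029 DPT=137
Nov 24 09:21:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.10 LEN=40 TTL=55 ID=7 PROTO=TCP SPT=80 DPT=61235 ACK
Nov 24 09:22:45 gw kernel: IN=eth0 OUT= SRC=192.0.2.53 DST=203.0.113.10 LEN=120 TTL=60 ID=8 PROTO=UDP SPT=53 DPT=1026
Nov 24 09:30:00 gw sshd[123]: Accepted publickey for bob from 203.0.113.50 port 40022
"""

# KEY=value fields we need, and the TCP flag words netfilter appends.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST)\b")


def parse_line(line):
    """Return the fields of one kernel firewall entry, or None for any other
    syslog line (sshd, cron, ...) that a user may have pasted along with it."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["flags"] = set(FLAG_RE.findall(line))
    for key in ("SPT", "DPT"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def is_probe(rec):
    """Decide whether an entry is an unsolicited connection attempt.

    A TCP packet with ACK but no SYN belongs to a connection the logging host
    (or its software) started, or is a stray late reply from a busy server on
    source port 80: the 'blinky lights' that are not an attack. Only SYN-only
    TCP packets count. UDP has no handshake, so as a stated assumption we treat
    replies from a DNS server's port 53 as solicited and everything else as a
    probe.
    """
    proto = rec.get("PROTO")
    if proto == "TCP":
        return "SYN" in rec["flags"] and "ACK" not in rec["flags"]
    if proto == "UDP":
        return rec.get("SPT") != 53
    return False


def summarize(log_text, top_n=10):
    """Aggregate probe entries per source address and return the top_n sources
    as (src, hits, distinct_targets, sorted_destination_ports) tuples, ranked
    by hit count, then by breadth of targets."""
    hits = defaultdict(int)
    targets = defaultdict(set)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_probe(rec):
            continue
        src = rec["SRC"]
        hits[src] += 1
        targets[src].add(rec.get("DST"))
        if "DPT" in rec:
            ports[src].add(rec["DPT"])
    ranked = sorted(hits, key=lambda s: (-hits[s], -len(targets[s]), s))
    return [(s, hits[s], len(targets[s]), sorted(ports[s])) for s in ranked[:top_n]]


def format_report(rows):
    """Render the summary as the plain-text 'top scanner' list an ISP would read."""
    lines = ["source            hits  targets  destination ports"]
    for src, hits, ntargets, dports in rows:
        lines.append(f"{src:<17} {hits:>4}  {ntargets:>7}  {','.join(map(str, dports))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

On the sample, 198.51.100.7 tops the list with four SYN probes against three hosts on ports 21 and 111, 192.0.2.33 follows with two NetBIOS probes, and the web-server and DNS replies are excluded rather than reported to their operators.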
