Snort mailing list archives

Re: cultural questions from a newbie


From: JP Vossen <vossenjp () netaxs com>
Date: Thu, 7 Aug 2003 17:44:44 -0400 (EDT)


Starting to get OT...


> Date: Thu, 7 Aug 2003 11:56:16 -0700
> Subject: Re: [Snort-users] cultural questions from a newbie
> Cc: snort-users () lists sourceforge net
> To: Erek Adams <erek () snort org>
> From: Ricky Charlet <rcharlet () speakeasy net>
>
> OK,
>       The feedback I have is: No, there is no current established netiquette
> for handling sending feedback to attacking systems whom you suspect are
> run by unwitting admins. And furthermore there is no reliable channel
> to give the feedback. And furthermore, most of these unwitting admins
> would not comprehend the feedback.
>
>       I do not believe or accept the last line above. I think a great many

I disagree.  I believe Erek is correct.


> people who have bothered to install a server on their system would be

That assumes they KNOW they installed the software/service/server.  I think
the intent of the statement to which you are referring was aimed in some part
at home users.


> able to follow directions on a vendor's webpage about how to install
> patches and follow directions on another vendor's webpage about how to
> update virus definitions. And a great many more would be able to ask a
> friend how to do it.

Able to, perhaps.  But past experience has proven that they do NOT actually do
it.  Every study of vulnerabilities and patching I've seen shows that people
don't patch.  This has much less to do with them being "bad" or incompetent
and much more to do with the virtual impossibility of keeping up.

Home users have neither the time, interest, experience nor skill to keep up.
You can talk about WindowsUpdate, but I've personally found that not to be
anywhere near 100%.  And that assumes that it's used.

Smaller shops may have the will and skill, and be small enough that the scale
is possible.  However, they also usually have only 1 or 2 people to do
everything, so stuff slides.

Larger shops depend.  Some really try to keep up, at least on Internet facing
boxes.  But others are so hopelessly out-scaled that they'll never get there.
Look at how many times Microsoft has had problems with their own servers not
being patched!  Granted it's not THAT many, but it gives them such a black eye
you think they would go to almost any length to avoid it--yet it still
happens.


The bottom line is that your argument is perfectly logical and rational, and I
wish it happened like that.  But it just doesn't.  Look at both Slammer and
DCom.  You must be TOTALLY INSANE to run systems with those services and ports
open to the Internet.  Even the most basic security (e.g. default deny on the
FW) *should* prevent either of those attacks from ever working across the
'Net.  But look what happened...

Or look at RFC3013 [0], "Recommended Internet Service Provider Security
Services and Procedures", esp. re: ingress, egress and mail relay. You would
think that ISPs especially would be highly skilled and motivated to ensure
all the security they could.  It doesn't happen.  If every ISP were forced to
comply with this RFC, the Internet would be hundreds of times safer than it
is... :-(


>       As for the reliable feedback channel problem, we need something new. A
> new tcp port and server for "please stop attacking me" messages. This
> new communication channel needs to have a reliable server (always on)
> listening for messages, needs to be spam proofed, and needs to be
> moderately trusted. This could be done. I'm posting a "what do you
> think" question on this topic to slashdot. And I'm asking this list,
> "What do you think?" I think the internet can be made a better place.
>
> ---
> Ricky Charlet
> rcharlet () alumni calpoly edu
> 510.324.3163

Hummm.  See RFC3514 [1].


Later,
JP

[0] http://www.faqs.org/rfcs/rfc3013.html
[1] http://www.faqs.org/rfcs/rfc3514.html
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."


