Snort mailing list archives
Re: cultural questions from a newbie
From: JP Vossen <vossenjp () netaxs com>
Date: Thu, 7 Aug 2003 17:44:44 -0400 (EDT)
Starting to get OT...
Date: Thu, 7 Aug 2003 11:56:16 -0700
Subject: Re: [Snort-users] cultural questions from a newbie
Cc: snort-users () lists sourceforge net
To: Erek Adams <erek () snort org>
From: Ricky Charlet <rcharlet () speakeasy net>

OK, the feedback I have is:

No, there is no current established netiquette for handling sending feedback to attacking systems whom you suspect are run by unwitting admins. And furthermore there is no reliable channel to give the feedback. And furthermore, most of these unwitting admins would not comprehend the feedback.

I do not believe or accept the last line above. I think a great many
I disagree. I believe Erek is correct.
people who have bothered to install a server on their system would be
That assumes they KNOW they installed the software/service/server. I think the intent of the statement to which you are referring was aimed in some part at home users.
able to follow directions on a vendor's webpage about how to install patches and follow directions on another vendor's webpage about how to update virus definitions. And a great many more would be able to ask a friend how to do it.
Able to, perhaps. But past experience has proven that they do NOT actually do it. Every study of vulnerabilities and patching I've seen shows that people don't patch. This has much less to do with them being "bad" or incompetent and much more to do with the virtual impossibility of keeping up.

Home users have neither the time, interest, experience nor skill to keep up. You can talk about WindowsUpdate, but I've personally found that not to be anywhere near 100%. And that assumes that it's used.

Smaller shops may have the will and skill, and be small enough that the scale is possible. However, they also usually have only 1 or 2 people to do everything, so stuff slides.

Larger shops depend. Some really try to keep up, at least on Internet facing boxes. But others are so hopelessly out-scaled that they'll never get there. Look at how many times Microsoft has had problems with their own servers not being patched! Granted it's not THAT many, but it gives them such a black eye you think they would go to almost any length to avoid it--yet it still happens.

The bottom line is that your argument is perfectly logical and rational, and I wish it happened like that. But it just doesn't. Look at both Slammer and DCom. You must be TOTALLY INSANE to run systems with those services and ports open to the Internet. Even the most basic security (e.g. default deny on the FW) *should* prevent either of those attacks from ever working across the 'Net. But look what happened...

Or look at RFC3013 [1], "Recommended Internet Service Provider Security Services and Procedures", esp. re: ingress, egress and mail relay. You would think that ISPs especially would be highly skilled and motivated to ensure all the security they could. It doesn't happen. If every ISP were forced to comply with this RFC, the Internet would be hundreds of times safer than it is... :-(
As for the reliable feedback channel problem, we need something new. A new tcp port and server for "please stop attacking me" messages. This new communication channel needs to have a reliable server (always on) listening for messages, needs to be spam proofed, and needs to be moderately trusted. This could be done.

I'm posting a "what do you think" question on this topic to slashdot. And I'm asking this list, "What do you think?"

I think the internet can be made a better place.

---
Ricky Charlet
rcharlet () alumni calpoly edu
510.324.3163
Hummm. See RFC3514 [1].

Later,
JP

[0] http://www.faqs.org/rfcs/rfc3013.html
[1] http://www.faqs.org/rfcs/rfc3514.html

------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|      http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed Linux..."