Firewall Wizards mailing list archives

Re: Responsiveness of remote admins


From: Lance Spitzner <spitzner () dimension net>
Date: Wed, 19 May 1999 13:26:33 -0400 (EDT)

On Wed, 19 May 1999, chuck wrote:

On the other hand I, as an employee of a company that has
nothing to do with you, often cannot report anything to you.
I've been involved in things where a dozen reports come in that
often lead us to watch someone more closely and THAT evidence
is used to terminate a user/employee. (it's legal to scan our
own network - "tcpdump host 10.9.8.7" is legal).  You and others
provide 'probable cause' but that's it.

No offense but bluntly, it's none of your business (especially
with a simple (legal) scan).  If you report that a green van is
driving erratically, the police aren't going to report back to
you that they stopped it 30 miles later and found it full of
stolen racoon bondage gear.  Or that nothing happened.

Realistically, it's nice to get acknowledgement and it was a
really nice feeling when I pointed out some scans to an admin at
a college and they found that the host had been compromised
because of that.  But I can't and don't expect a reply and
updates on the situation.

You raise some excellent points.  However, if nothing else, the
remote administrators should, as a courtesy, acknowledge 
receipt of your email.  Also, on several occasions, I have
included logs and keystrokes of systems being compromised
(such as bof logs or sniffit traces).  It can be frustrating
when you have documented evidence, and you still hear nothing.

My intent is not to debate the rights and wrongs of
"responsiveness".  Rather, to state the fact that, based on
my experiences, I find smaller organizations more responsive.
Larger organizations may be acting on the information I have
sent them, I just do not know since I never hear anything back.

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc


