Firewall Wizards mailing list archives

Re: "Who else picked this one up?"


From: Carsten Goebels <protect () iphh de>
Date: Sat, 1 May 1999 17:56:52 -0400

On Fri, 30 Apr 1999, Marcus J. Ranum wrote:

with Paul that putting heavy disclaimers around the
database would be a sensible precaution, but I don't want to
trust people's ability to read disclaimers.

Use the same schema that you use for NFR downloads perhaps?

[Complete agreement on the rating scheme]

Do you intend to make the database available, the data, or both?

NFR-like graphs would be useful for generating reports justifying ID
systems.

How do you envision using the data, and how much of it (if any) should
be blind analysis?

Well, that's the _really_ interesting question!!!

[snip]


I have more of those really interesting questions :)
For instance, how do you make sure your database will not
contain lots of spoofed IP addresses (especially the idea of
taking actions automatically would be a nice _exploitable_
problem in that regard, wouldn't it?)? Or is NFR able to track
them down? Or how does NFR distinguish between scanning for
possibly attackable computers (malicious scan) and
administrators scanning because they are trying to discover network
problems (non-malicious scan)? Or just some cpsc student
having his first experiences with a port scanner, or my
grandma, etc.?
In summary, how do you want to decide whether the data you
have really shows an attacker or just some innocent person
(who might actually be trying to help others when you catch him)?
Don't misunderstand me, I think it is a good idea to try to catch
people that pose a threat to others. However, especially if you
talk about publishing data and taking automated actions, you
have to make sure that your database will _not_
accidentally catch innocent people. IMHO, you did not
solve that problem (yet?).
A database like that, one that does not (cannot?) make
sure that it _only_ catches the bad guys, but still has the
potential of causing lots of trouble for everyone it catches,
seems much more frightening to me than anyone scanning for any
exploits. Why? Because I can protect myself against
attackers. But how do I protect myself from your database and its
consequences?



Greetings,
Carsten




+-+-+-+-+-+-+-+-+-+-+ +-+ +-+-+-+-+-+-+-+-+
|P|G|P|-|K|E|Y|-|I|D| |:| |4|D|C|D|A|4|3|1|
+-+-+-+-+-+-+-+-+-+-+ +-+ +-+-+-+-+-+-+-+-+
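The spoofing and false-positive concerns raised in the message above, worked through as an added example that is not part of the original post and says nothing about how NFR actually works: a small Python model of a shared "hostile source" database in which an address becomes eligible for automated action only when independent reporters have seen it with evidence a forged source address cannot produce. The evidence kinds, thresholds, reporter names and sample reports are all constructed for this illustration.

```python
"""Corroboration-gated scoring for a shared "hostile source" database.

Hypothetical model, constructed for this example (not NFR's design): an
address becomes eligible for automated action only when independent
reporters have seen it with evidence that a forged source address cannot
produce, so that spoofed packets naming a victim cannot get the victim listed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Can a forged source address produce this observation?  Unknown kinds are
# treated as spoofable (see classify), which is the conservative choice.
SPOOFABLE = {
    "syn_only": True,       # bare SYN, handshake never completed
    "udp_probe": True,      # UDP has no handshake to verify the source
    "tcp_session": False,   # completed three-way handshake reached the real sender
    "auth_failure": False,  # failed logins inside an established session
}


@dataclass(frozen=True)
class Report:
    reporter: str   # sensor/site that submitted the report (assumed identifier)
    source_ip: str  # address observed as the source
    kind: str       # evidence kind, see SPOOFABLE
    targets: int    # distinct destination hosts touched at that site


def classify(reports, min_reporters=2, min_targets=5):
    """Map each source IP to a verdict.

    "listed"  -> at least min_reporters independent sites hold unspoofable
                 evidence; the only verdict on which automation may act.
    "suspect" -> enough activity to deserve a human look (total targets >=
                 min_targets) but no corroborated unspoofable evidence.
    "ignore"  -> small, uncorroborated activity such as an admin sweeping a
                 few of their own hosts.
    """
    by_ip = defaultdict(list)
    for r in reports:
        by_ip[r.source_ip].append(r)

    verdicts = {}
    for ip, rs in by_ip.items():
        solid_reporters = {r.reporter for r in rs if not SPOOFABLE.get(r.kind, True)}
        total_targets = sum(r.targets for r in rs)
        if len(solid_reporters) >= min_reporters:
            verdicts[ip] = "listed"
        elif total_targets >= min_targets:
            verdicts[ip] = "suspect"
        else:
            verdicts[ip] = "ignore"
    return verdicts


def block_candidates(verdicts):
    """Only 'listed' addresses may feed an automated response."""
    return sorted(ip for ip, v in verdicts.items() if v == "listed")


# Constructed sample reports (documentation-only address ranges).
SAMPLE_REPORTS = [
    # a password guesser seen over real sessions by two independent sites
    Report("site-a", "198.51.100.7", "auth_failure", 12),
    Report("site-b", "198.51.100.7", "tcp_session", 40),
    # SYN probes with a forged source, naming 203.0.113.9, seen by three sites
    Report("site-a", "203.0.113.9", "syn_only", 200),
    Report("site-b", "203.0.113.9", "syn_only", 150),
    Report("site-c", "203.0.113.9", "syn_only", 90),
    # one site's own administrator checking three hosts
    Report("site-a", "192.0.2.33", "tcp_session", 3),
]

if __name__ == "__main__":
    verdicts = classify(SAMPLE_REPORTS)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:15} {verdict}")
    print("automated action allowed for:", block_candidates(verdicts))
```

The design choice here is the one the message asks for: volume alone never gets an address listed. Three sites all reporting SYN-only probes "from" 203.0.113.9 leaves it at "suspect" for a human to examine, because every one of those packets could carry a forged source, while the small sweep from 192.0.2.33 is ignored rather than treated as hostile. Reports whose evidence kind the database does not recognise are counted as spoofable, so a new sensor type cannot accidentally promote addresses.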


