Firewall Wizards mailing list archives
Re: "Who else picked this one up?"
From: Carsten Goebels <protect () iphh de>
Date: Sat, 1 May 1999 17:56:52 -0400
On Fri, 30 Apr 1999, Marcus J. Ranum wrote:
with Paul that putting heavy disclaimers around the database would be a sensible precaution, but I don't want to trust people's ability to read disclaimers.
Use the same schema that you use for NFR downloads perhaps?
[Complete agreement on the rating scheme]
Do you intend to make the database available, the data, or both?
NFR-like graphs would be useful for generating reports justifying ID systems.
How do you envision using the data, and how much of it (if any) should be blind analysis?
Well, that's the _really_ interesting question!!!
[snip]
I have more of those really interesting questions :)
For instance, how do you make sure your database will not contain lots of spoofed IP addresses (especially the ideas of taking actions automatically would be a nice _exploitable_ problem in that regard, wouldn't it?)? Or is NFR able to track them down? Or how does NFR distinguish between scanning for possibly attackable computers (malicious scan) and administrators scanning because they try to discover network problems (non-malicious scan)? Or just some cpsc-student making his first experiences with a port scanner, or my grandma, etc.? In summary, how do you want to decide whether the data you have really shows an attacker or just some innocent person (who might actually try to help others when you catch him)?
Don't misunderstand me, I think it is a good idea to try to catch people that pose a threat to others. However, especially if you talk about publishing data and taking automated actions, you have to make sure that your database will _not_ accidentally catch innocent people. IMHO, you did not solve that problem (yet?).
To me, a database like that, one that does not (cannot?) make sure that it _only_ catches the bad guys, but still has the potential of causing lots of trouble for everyone it catches, that seems much more frightening to me than anyone scanning for any exploits. Why? Because I can protect myself against attackers. But how do I protect myself from your database and its consequences?
Greetings,
Carsten
+-+-+-+-+-+-+-+-+-+-+ +-+ +-+-+-+-+-+-+-+-+
|P|G|P|-|K|E|Y|-|I|D| |:| |4|D|C|D|A|4|3|1|
+-+-+-+-+-+-+-+-+-+-+ +-+ +-+-+-+-+-+-+-+-+