Security Incidents mailing list archives
Re: auto-reporting to ISPs
From: network_ops () TIDALWAVE NET (Network Operations)
Date: Thu, 2 Mar 2000 11:26:57 -0500
Robert,

A few things...

First let me say that BlackICE is a fine product. We recommend this program to many of our customers who have security concerns (and every broadband customer). We feel that it is our duty to help people protect themselves should they come to us for advice.

And, yes, we do have a number of users who like to consistently submit logs and ask that we prosecute everyone who scans their machine. So, in that regard, such programs could conceivably place an added workload on abuse monitors. Heck, I see it every morning, and I'm pretty sure that it will never completely stop.

However, I think that I have managed to slow it a bit. I worked up a few simple form letters that I mail to customers who submit somewhat erroneous logs. The form explains our purpose and goals in monitoring abuse accounts, and offers some links to various security sites (including networkice.com) where users can learn more about what they are seeing in their logs.

At first I had some reservations about this approach, fearing that customers would take the suggestions as an insult or blow-off. However, the response has been quite the contrary. Users have been extremely thankful that we would go the extra distance to help educate them in what can be a very confusing field, even if all we did was send a prefabricated e-mail. Thus, this approach truly does a service to the provider and the customer.

Now, as far as adding a reporting feature to the program itself? This is a bad idea for the simple reason that users will find it too easy to "point-and-click" and report every incident to every provider. If an incident has occurred, then the customer should, by all means, send an e-mail to the abuse monitor. However, there must be some element of thought involved. The user should compose an e-mail and attach the relevant portion of their logs. They must understand what it is that is happening! And allowing them to mindlessly submit all of their logs to providers is not the way towards a safer and more informed world of internet users.

Lastly (I promise) there are utilities available that will sort logs by source, attack time, and so on. For BlackICE, there is a ClearICE freeware plug-in that does this very thing. Couple these with a little educational help from big providers (small web sites and simple letters) and we can ALL start focusing on what's important.

I'll stop now. Sorry if I went a bit beyond the scope of this discussion, but such problems are the nature of the internet. We can't stop this kind of thing, but we can all do our small part to make it easier.

Keith

------------------------------------------------------------------

Below is an e-mail from a customer who would like to see us add an auto-email feature to our product in order to notify the ISP of the offending hacker. This is pretty funny because we've already seen some complaints by ISPs from such a feature in other products appear on this list over the past couple of days.

Could abuse@isp people please send me e-mail:

* what is the proper way a product like BlackICE Defender should assist the user in reporting such events?
* what should I tell this user about why we haven't put such a simple feature into the product?

Thanks,
Robert Graham
CTO/Network ICE