Security Incidents mailing list archives

Re: Interesting reply


From: "Forrester, Mike" <mforrester () HSACORP NET>
Date: Tue, 17 Oct 2000 15:07:11 -0600

As most of you pointed or hinted at, it's hard to determine if a remote
system has been compromised that you don't have access to.  We determine the
problem by talking with the customer.  Since we talk with quite a few
people, you get a pretty good idea from talking to them what was going on.
I know what you're all thinking, but I'd bet my "most" is fairly accurate.
You'd be surprised at how many people share their whole hard drive with no
password.  It's something that I don't think can be easily explained and is
more of a gut feeling.  I've talked to some that I know are playing dumb.
Also, I know there are some that I thought were innocent and were not (if I
have reasonable doubt, they get ONE more chance).  Sure I could attempt to
verify it by logging traffic, but right now we have more important things to
do.  The traffic and scans we see are quite different than most other
companies (excluding ISPs).  There's a reason why script kiddies go after
the 24.0.0.0 network, easy prey.  Obviously, you don't have to trust or
believe my "scientifically" gathered information.  However, I'd bet money
that at least 51% (that's why I said "most") of the problems we have are
with compromised machines.  My guess is in the 60-70% range.  I could be
wrong, but assuming (I know...) that there are more victims than
perpetrators is a fairly safe assumption (especially on the 24.0.0.0 network).

Mike
