Re: [PEN-TEST] Network Attack Trend Analysis

[H Carvey <keydet89 () YAHOO COM>]

>  It's great that we have the sort of authority 
in Mr. Carvey to
> explain this all for us,  having "taken graduate 
courses in
> statistics and statistical analysis" -- 
something I would never
> have guessed if he had not volunteered this 
information.
>

Well, on the one hand, my post struck a cord with 
someone...guess I should have put on my flak 
jacket at this point...

*Content snipped.  Interestingly enough, none of 
it was addressed.

>   Anyone that knows the definition of histogram 
knows that
> histograms represent frequency or proportions of 
frequency of the
> intervals or classes on the x-axis.  

Great.  It still isn't clear what the "intervals 
or classes on the x-axis" are...

> I'll leave 
it to the
> graduate students among us to infer fraction 
from proportion.

Ouch!  My comment regarding my educational 
background was intended only to say, "hey, look, 
I'm a smart guy, I know how to look things up that 
I don't know...but I just don't get it."  After 
all, it shouldn't be rocket science...

> Mr. Carvey here demonstrates a complete lack of 
very basic
> statistical concepts and diagnostics.

Really?  And here I was thinking that it was just 
a matter of not being able to determine what the 
graph is intended to show.

>   He baffles himself with my use of the word 
"simple." I meant
> "simple" in the sense of untreated, or 
unadjusted by
> proportion.  The word could be left out, but was 
meant to
> distinguish the variable from other "Defacement 
Per Day" (dpd)
> variables, which were sometimes moving averages 
of dpd of
> differing composition, proportions of dpd, and 
so on.
>

Interesting.  Still doesn't address the question 
of what "simple" refers to.  

Could you tell me what the difference between 
"Defacements per day, simple" and "defacements per 
day" is?  Perhaps that would clear things up?  
What exactly _is_ a "simple defacement"?  
Untreated?  Unadjusted by proportion?  

For the sake of clarity then, let me 
rephrase...what is this "defacements per day, 
simple" variable, and how is it important?

> > This one:
http://www.attrition.org/mirror/attrition/graphs/b
ar_osto
> > tals.gif
> >
> > is entitled "OS totals by month"...but what do 
the
> > various colors on the bars indicate?
>
>   It is reading this that leads me to believe 
that perhaps our
> graduate student is subjecting Attrition to 
gratuitous abuse.

And herein lies the issue...you feel that my post 
constitutes gratuitous abuse.  At no point do I 
direct any abuse of any kind at Attrition or even 
you.  In the above question, all I did was quite 
simply ask what the various colors stand for.

> Until a couple of weeks ago, this graph was part 
of
>
http://www.attrition.org/mirror/attrition/os-graph
s.html where
> the color of the bars were clearly labeled.  The 
most recent
> version of this graph is now on that page, where 
it is now named
> "bar_ostotals_stacked.gif", where it is likewise 
labeled.  None
> of the graphs are erased month-to-month, but are 
typically
> renamed.  They can be found in the browseable
http://www.attrition.org/mirror/attrition/graphs/, 
and often you
> can find my tar-balls of the graphs there as 
well.  Yes, gifs,
> sans HTML legends or headings.  A casual perusal 
of our graph
> pages would have discovered the labeled HTML 
page.
>

Oh, okay.  I see now.  The graph is question is 
not, in fact, labeled...and it is expected that 
someone visiting the page will do enough browsing 
to discover the legend for that graph.  
Interesting approach...not one I would have taken.  
I'd have a difficult time delivering a report to a 
customer and telling him that all the legends and 
labels to all the data in the report was included 
as part of report done for another part of the 
company, several weeks ago...and that if he 
wanders around enough, he should eventually find 
it.

No, my comments were not abuse of any kind.  The 
thread, it seemed, was directed toward finding 
statistically significant data to justify 
resources to support security efforts.  As there 
is no link from the above listed graph to it's 
original location, hence no immediate way to view 
the legend, it seems to me that the graph itself 
offers very little.


> > I guess the point is this...if you have 
nothing better to
> > do and want to waste someone's time...sure, 
show
> > these graphs to your boss.  They are 
meaningless,
> > though colorful and probably quite enjoyable 
to look at
> > when printed on a color printer.
>
>   Mr. Carvey's conclusions are as out of 
proportion as his
> authoritative observations.  And we are meant to 
take these
> seriously?

So, I get it.  Read the post in SF, assume it's 
some sort of "gratuitous abuse", and then launch 
your own brand of abuse...is that it? 

>   "Meaningless.... suspect, but hey, to be 
fair...." is like
> saying, "With all due respect, [insert 
gratuitous insult here]".
>

No, not at all.  The intention is rather 
obvious...to point out, quite specifically, that 
this post does not constitute "gratuitous abuse".  
The point is that the CSI/FBI's sample and very 
method of data collection (ie, a survey) does not 
provide accurate data...some assumptions are that 
(a) respondants have a definition of what 
constitutes an "intrusion", (b) respondants have 
the ability to detect an "intrusion", and (c) 
respondants are fully disclosing information.

The issue of how the data for the graphs on the 
Attrition site is collected was not even addressed 
in Mr. Dickerson's response...he was quite 
obviously more concerned with this preceived 
"gratuitous abuse" than anything else.  It was 
never my intention to deliver abuse of any kind.

H. Carvey