Firewall Wizards mailing list archives

Re: Responsiveness of remote admins


From: chuck <fwwiz () yerkes com>
Date: Wed, 19 May 1999 10:05:34 -0700

On the other hand I, as an employee of a company that has
nothing to do with you, often cannot report anything to you.
I've been involved in things where a dozen reports come in that
often leads us to watch someone more closely and THAT evidence
is used to terminate a user/employee. (it's legal to scan our
own network - "tcpdump host 10.9.8.7" is legal).  You and others
provide 'probable cause' but that's it.

No offense but bluntly, it's none of your business (especially
with a simple (legal) scan).  If you report that a green van is
driving erratically, the police aren't going to report back to
you that they stopped it 30 miles later and found it full of
stolen raccoon bondage gear.  Or that nothing happened.

Realistically, it's nice to get acknowledgement and it was a
really nice feeling when I pointed out some scans to an admin at
a college and they found that the host had been compromised
because of that.  But I can't and don't expect a reply and
updates on the situation.

Also note that the Feds, when investigating, are notorious for
being information black holes.  While I understand it to a
point, when dealing with technically unaware investigators, we
could likely find more pertinent information when we have an
idea of patterns they've seen.  As a random example, if they
know probes are sent by sending 400 ftp requests before grabbing
a core file, cracking passwords and logging in, it might occur
to us to peruse or pass on a couple hundred meg of ftp logs (out
of gigabytes of all logs).

In short, don't expect to be kept apprised of actions taken
against an offender.  Just because you don't hear back doesn't
mean nothing happened.  You may not be the only person who
reported it, but moreover, your role is over at that point, as
much as you dislike it.
 
chuck

Quoting Lance Spitzner (spitzner () dimension net):
On Tue, 18 May 1999, Randy Grimshaw wrote:

I have written to abuse () rr com and included the *full* logs. What I got
back was an automated response that effectively says thank-you, now go
away... which may be all that I can expect. We (at Syracuse) DO follow
through and "smack" people but I can't say that we always respond to the
original complaint with any follow through.

I've been doing a little 'statistical' research on this.  My firewall
is set up to detect and log most standard scans.  The firewall also
emails the point of contact for the remote system.  The trend I have noticed
is the larger the organization, the less likely you are to hear from them.

From UUnet, mediaone, @home all I get are automated responses.  However,
the response is terrific from smaller organizations.  Twice the president
of the organization emailed me personally with their phone numbers.

As I get more numbers, I'll present the results :)

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc


