Re: Responsiveness of remote admins

["R. DuFresne" <dufresne () sysinfo com>]

Ahh!  But, many ISP's have a AUP that will hold the client responsible for
damages!  And, it is the responsibility of that organization to keep you
informed of actions so that you can recoup expenses and losses.

btdt...

Thanks,

Ron DuFresne

On Wed, 19 May 1999, chuck wrote:

> On the other hand I, as an employee of a company that has
> nothing to do with you, often cannot report anything to you.
> I've been involved in things where a dozen reports come in that
> often leads us to watch someone more closely and THAT evidence
> is used to terminate a user/employee. (it's legal to scan our
> own network - "tcpdump host 10.9.8.7" is legal).  You and others
> provide 'probable cause' but that's it.
>
> No offense but bluntly, it's none of your business (especially
> with a simple (legal) scan).  If you report that a green van is
> driving erratically, the police aren't going to report back to
> you that they stopped it 30 miles later and found it full of
> stolen racoon bondage gear.  Or that nothing happened.
>
> Realisticly, it's nice to get acknowledgement and it was a
> really nice feeling when I pointed out some scans to an admin at
> a college and they found that the host had been compromised
> because of that.  But I can't and don't expect a reply and
> updates on the situation.
>
> Also note that the Feds, when investigating, are notorious for
> being information black holes.  While I understand it to a
> point, when dealing with technically unaware investigators, we
> could likely find more pertinent information when we have an
> idea of patterns they've seen.  As a random example, if they
> know probes are sent by sending 400 ftp requests before grabbing
> a core file, cracking passwords and logging in, it might occur
> to us to peruse or pass on a couple hundred meg of ftp logs (out
> of gigabytes of all logs).
>
> In short, don't expect to be kept apprised of actions taken
> against an offender.  Just because you don't hear back doesn't
> mean nothing happened.  You may not be the only person who
> reported it, but moreover, your role is over at that point, as
> much as you dislike it.
>  
> chuck
>
> Quoting Lance Spitzner (spitzner () dimension net):
> > On Tue, 18 May 1999, Randy Grimshaw wrote:
> >
> > > I have written to abuse () rr com and included the *full* logs. What I got
> > > back was an automated response that effectively says thank-you, now go
> > > away... which may be all that I can expect. We (at Syracuse) DO follow
> > > through and "smack" people but I can't say that we always respond to the
> > > original complaint with any follow through.
> >
> > I've been doing a little 'statistical' research on this.  My firewall
> > is setup to detect and log most standard scans.  The firewall also
> > emails the point of contact for the remote system.  The trend I have noticed
> > is the larger the organization, the less likely you are to hear from them.
> >
> > > From UUnet, mediaone, @home all I get are automated responses.  However,
> > the response is terrific from smaller organizations.  Twice the president
> > of the organization emailed me personally with their phone numbers.
> >
> > As I get more numbers, I'll present the results :)
> >
> > Lance Spitzner
> > http://www.enteract.com/~lspitz/papers.html
> > Internetworking & Security Engineer
> > Dimension Enterprises Inc

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!