Firewall Wizards mailing list archives
Re: Responsiveness of remote admins
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 19 May 1999 16:58:48 -0500 (CDT)
Ahh! But, many ISPs have an AUP that will hold the client responsible for damages! And, it is the responsibility of that organization to keep you informed of actions so that you can recoup expenses and losses. btdt...

Thanks,

Ron DuFresne

On Wed, 19 May 1999, chuck wrote:

On the other hand I, as an employee of a company that has nothing to do with you, often cannot report anything to you. I've been involved in things where a dozen reports come in that often leads us to watch someone more closely and THAT evidence is used to terminate a user/employee. (it's legal to scan our own network - "tcpdump host 10.9.8.7" is legal). You and others provide 'probable cause' but that's it.

No offense but bluntly, it's none of your business (especially with a simple (legal) scan). If you report that a green van is driving erratically, the police aren't going to report back to you that they stopped it 30 miles later and found it full of stolen racoon bondage gear. Or that nothing happened.

Realistically, it's nice to get acknowledgement and it was a really nice feeling when I pointed out some scans to an admin at a college and they found that the host had been compromised because of that. But I can't and don't expect a reply and updates on the situation.

Also note that the Feds, when investigating, are notorious for being information black holes. While I understand it to a point, when dealing with technically unaware investigators, we could likely find more pertinent information when we have an idea of patterns they've seen. As a random example, if they know probes are sent by sending 400 ftp requests before grabbing a core file, cracking passwords and logging in, it might occur to us to peruse or pass on a couple hundred meg of ftp logs (out of gigabytes of all logs).

In short, don't expect to be kept apprised of actions taken against an offender. Just because you don't hear back doesn't mean nothing happened. You may not be the only person who reported it, but moreover, your role is over at that point, as much as you dislike it.

chuck

Quoting Lance Spitzner (spitzner () dimension net):

On Tue, 18 May 1999, Randy Grimshaw wrote:

I have written to abuse () rr com and included the *full* logs. What I got back was an automated response that effectively says thank-you, now go away... which may be all that I can expect. We (at Syracuse) DO follow through and "smack" people but I can't say that we always respond to the original complaint with any follow through.

I've been doing a little 'statistical' research on this. My firewall is set up to detect and log most standard scans. The firewall also emails the point of contact for the remote system. The trend I have noticed is the larger the organization, the less likely you are to hear from them. From UUnet, mediaone, @home all I get are automated responses. However, the response is terrific from smaller organizations. Twice the president of the organization emailed me personally with their phone numbers.

As I get more numbers, I'll present the results :)

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!