RE: Recent Attacks

["Staggs, Michael" <Michael_Staggs () NAI com>]

I find it rich that someone who takes their time to design and execute a
DDoS on a commercial interest should use the word "fair" to describe the way
they wish to be treated. Were their actions fair to the IT pers who design,
build and maintain the affected networks? Is it fair that people who do
honest, dedicated work to support their families are attacked by someone
soley motivated by the thrill of vandalism?

What is fair is that these folks are required to make the DDoS vics whole.
Fine the little cowards an amount equal to the projected lost revenue
averaged over the last several months- 1 day lost = 1/30th of the last
month's revenue. Now add punative damages. How about sharing a cell with
"Bubba" for a few weeks? Let them feel what it is like to be vandalized.

Poor little criminals.

MJ
-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: Wednesday, February 16, 2000 1:39 PM
To: Philip J. Koenig
Cc: firewall-wizards () nfr net
Subject: Re: Recent Attacks


> You mean Mitnick?  

Yes.

> As far as I can see, the figures that were thrown 
> around supposedly putting a price tag on the 'damage' he did were
> pure unfounded fantasy.

Yes!

As is the 1.2B dollar amount for a few hours each for several e-commernce
companies.

It's not (IMO) fair to try to charge for potential lost customers.
There's no way to tell exactly how much business would have been done,
whether the customers came back later to buy the same item, etc..

One of the few things that is fair to charge for damages in such cases is
investigation time.  If the witch hunt continues for a few more weeks are
the current levels, we might burn 1.2B.

One of the many things that needs to be fixed with the current security
situation is that we don't have a fair, or even agreeed upon, way to tally
damages.

                                Ryan