Firewall Wizards mailing list archives

Re: RE: IDS (was: FW appliance comparison)


From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 25 Jan 2006 08:08:47 -0500 (EST)

On Wed, 25 Jan 2006, Marcus J. Ranum wrote:

> Paul D. Robertson wrote:
>> No, there's another reason not to collect it; everything you collect
>> under almost all environments is ultimately legally discoverable.

> That's the dumbest argument against logging I've ever heard. :(

It's not an argument against logging, it's an argument against logging 
everything you could ever possibly log.  The delta between "I'm sorry we 
don't keep that data, it's transient" and "let us see what we have that 
matches that criteria" can be *very* costly in terms of simple people 
time. 

If you don't believe that, look at service provider lawsuits in the last 
5-10 years, and look at how companies like Yahoo are getting away with 
being able to *charge* for civil subpoena compliance.  Think they make a 
profit on that?

Now put yourself in Yahoo's shoes and ask yourself how much actual 
business they'd get done if they stored everything they could possibly 
store.  I guarantee you it'd be less than they get done today and it'd 
take them more people, more storage and the cost of storage for 
preservation letters alone would be pretty damn impressive.

Remember, every time one of Yahoo's customers gets murdered in the US, 
Yahoo is dealing with preservation letters, subpoenas, and other record 
requests.  Now, have them log every packet ever, and keep it all for 
analysis and see where that leads them- because I assure you that it 
wouldn't be pretty, dumbest idea ever against logging every packet or not.

> If it existed in your network in some form or other such that it
> was transferred and could be logged, it's already legally discoverable.

There's a reason IBM had Notes set to expire mail every 30 days.  It's 
kept even the over-voluminous SCO discovery stuff a lot shorter than it 
would have been otherwise (and yes, that's including the fact that it's 
gone on seemingly forever.)

> It just becomes a question of how. Yes, you can carefully construct
> your Email system to not retain anything but can you carefully
> construct your users so they don't? Can you construct your

It doesn't matter that you can't do it perfectly, it may matter simply 
that you don't store everything as a matter of course.

> backup system so that only the "right" data is non-transitory?
> Can you make your staff subpoena-proof? etc. That's where you
> are much more likely to have problems, not in your logging system.

That depends totally on what you do, what the opposition is trying to 
discover, and how vulnerable you are to fishing expeditions.  If you don't 
log it as a matter of purpose, then it's at least mostly transitory unless 
it's a store-and-forward type communication.

The difference between a machine record (admissible) of everything that 
ever went on your network and testimony can really make a difference in a 
lot of packet-chasing lawsuits.  It's also significantly different in terms 
of what you might have to store, report on, be able to redact information 
from, etc.

Go ahead, store every IM in and out of a large organization, log every 
sender, recipient, message, IP address, etc.  Then, once you have to start 
dealing with every civil suit between employee and spouse, tell me how 
productive you're being.  Once you have to produce everything every time 
you get a wrongful dismissal case, tell me again how productive it is- 
especially if someone happens to win one because some dimwit in 
management IM'd the wrong thing to his golf buddy.  Now extend that out 
ten years and put it all on backup tapes and start thinking of how much 
work you're gonna have.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net      Infosec discussion boards 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
