Security Incidents mailing list archives

Re: auto-reporting to ISPs


From: network_ops () TIDALWAVE NET (Network Operations)
Date: Thu, 2 Mar 2000 11:26:57 -0500


Robert,

A few things...

First let me say that BlackICE is a fine product.  We recommend this program
to many of our customers who have security concerns (and every broadband
customer).  We feel that it is our duty to help people protect themselves
should they come to us for advice.  And, yes, we do have a number of users
who like to consistently submit logs and ask that we prosecute everyone who
scans their machine.  So, in that regard, such programs could conceivably
place an added workload on abuse monitors.  Heck, I see it every morning,
and I'm pretty sure that it will never completely stop.  However, I think
that I have managed to slow it a bit.

I worked up a few simple form letters that I mail to customers who submit
somewhat erroneous logs.  The form explains our purpose and goals in
monitoring abuse accounts, and offers some links to various security sites
(including networkice.com) where users can learn more about what they are
seeing in their logs.  At first I had some reservations about this approach,
fearing that customers would take the suggestions as an insult or blow-off.
However, the response has been quite the contrary.  Users have been
extremely thankful that we would go the extra distance to help educate them
in what can be a very confusing field, even if all we did was send a
prefabricated e-mail. Thus, this approach truly does a service to the
provider and the customer.

Now, as far as adding a reporting feature to the program itself?  This is a
bad idea for the simple reason that users will find it too easy to
"point-and-click" and report every incident to every provider.  If an
incident has occurred, then the customer should, by all means, send an
e-mail to the abuse monitor.  However, there must be some element of thought
involved.  The user should compose an e-mail and attach the relevant
portion of their logs.  They must understand what it is that is happening!
And allowing them to mindlessly submit all of their logs to providers is not
the way towards a safer and more informed world of internet users.

Lastly (I promise) there are utilities available that will sort logs by
source, attack time, and so on.  For BlackICE, there is a ClearICE freeware
plug-in that does this very thing.  Couple these with a little educational
help from big providers (small web sites and simple letters) and we can ALL
start focusing on what's important.

I'll stop now.  Sorry if I went a bit beyond the scope of this discussion,
but such problems are the nature of the internet.  We can't stop this kind
of thing, but we can all do our small part to make it easier.

Keith
------------------------------------------------------------------
Below is an e-mail from a customer who would like to see us add an
auto-email feature to our product in order to notify the ISP of the
offending hacker. This is pretty funny because we've already seen some
complaints by ISPs from such a feature in other products appear on this list
over the past couple of days.

Could abuse@isp people please send me e-mail:
* what is the proper way a product like BlackICE Defender should assist the
user in reporting such events?
* what should I tell this user about why we haven't put such a simple
feature into the product?

Thanks,
Robert Graham
CTO/Network ICE

