Security Incidents mailing list archives

Re: How to obtain a complete list of CR2 compromised hosts


From: Kee Hinckley <nazgul () somewhere com>
Date: Mon, 6 Aug 2001 13:16:54 -0400

At 1:51 AM -0500 8/6/01, Joe Shaw wrote:
It is reckless and dangerous to suggest that the first step of recovery
from any type of security compromise is to delete relevant information,
especially system or application logs without first examining them.

There's the right way to do something, and there's what J.Random User 
running Personal Web Server is going to put up with.  You need to 
come up with two solutions to any given attack--one for the savvy 
tech user and/or system admin, one for the unsavvy home user.  The 
latter is not going to read log files, report compromised hosts or do 
anything else other than follow an absolutely minimal set of 
instructions.

We need to change our mindset here.  Server attacks are no longer 
just dealt with by "admin/IT/Infosec/whomever staff".  Solutions need 
to address both audiences.  If we can't successfully come up with 
dual solutions, home users will eventually be unable to run services 
at all.  (I posted a longer discussion of this issue a few days ago, 
but it was moderated out.  Unfortunately I don't think it's wise to 
examine incidents without also examining the social consequences of 
the incidents and their solutions.)

As a side note.  The "wipe the machine and reinstall option" becomes 
doubly problematic with Windows XP.  Never mind that most home users 
don't do backups--if I read the news on XP installations correctly, 
they won't be able to do a reinstall without getting permission from 
Microsoft.  :-)
-- 

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
