Vulnerability Development mailing list archives

por favor


From: Aleph One <aleph1 () UNDERGROUND ORG>
Date: Tue, 12 Sep 2000 12:10:55 -0700

Date: Tue, 12 Sep 2000 10:00:17 -0700
From: zen () fish com
To: tct-users () porcupine org
Cc: wietse () porcupine org
Subject: por favor
Message-ID: <20000912100017.S26387 () fish com>

This is a rather sizeable request for help from Wietse and dan.  We're
offering to give a joint security talk (1-2 hours) to the person that
helps us out with this, wherever they are (at least, to most continents!)

As all of you (should!) know we recently released TCT, the forensic data
collection & analysis toolkit.  We're now working on some data analysis
tools, but require a significant amount of data in order to exercise
the tools.

We are looking for someone who can run a streamlined and simplified
TCT version on about 150-250+ systems. We have a preference for a
site that does *NOT* protect all its systems with a proxy/bastion
style firewall.  Two sites that talk via the network to each other
a fair bit would be fine as well - then we'd only need something
100-150+ systems from each site.

Our ideal situation would be a university or other large organization
that has had a history of security problems (you don't have to tell
us what they are ;-))  The systems would be preferably from a
heterogeneous environment (but that's not necessary), and must be
running unix (sun, *bsd, or linux.)  Servers, workstations, whatever,
it doesn't matter.  We wouldn't mind a few systems (less than 10%)
that are currently not supported by TCT (HP-UX, AIX, etc.)

We estimate that the modified TCT would generate roughly about
10-20 megabytes of data per system - perhaps a bit less, perhaps
a bit more on the largest of systems; the package we send to you
would automatically gather & send this to us via ftp or scp.

Although we do a best effort to make all this as painless as
possible, we realize that what we ask for is a significant task.

We could guarantee that:

        o       none of the raw data would be made public; we would
                protect it as violently as we do with our own data.

        o       anything of interest we find that concerns your site's
                security we would tell you about.

        o       we have no prurient interest in the contents of the
                data - we simply need it to test our next (freely
                available) tool we're working on.

        o       TCT normally collects individual user "dot" files,
                like .rhosts, .forward, etc.  No such files will
                be collected by this modified version.

        o       anything we publish about this we would run by
                you to ensure that there are no violations of privacy
                or secrecy.  At a minimum we would change the host and
                user names to protect the innocent (and guilty!  ;-))

        o       you would (if you desire) have first access to test out
                our next tool.

        o       we'd thank you privately - and publicly, if you don't
                mind the exposure.

Thanks for your consideration!

Wietse & dan

