On Thu, 11 May 2000 [EMAIL PROTECTED] wrote:
> IMHO doing nothing to discourage hackers is more of a form of "losing
> the war against attackers".
I'd submit that fielding secure systems will do more to win the war than
stooping to the "playing games" level. It's also a better use of limited
business resources.
> People will continue to do illegal things when they believe that it is
> unlikely that they will be caught or penalized for it. We as the
If the VIN numbers on cars totaled by insurance companies were removed
prior to salvage, probably greater than 85% of late-model car thefts would
be negated. Not because the car thieves would get caught, but because the
fruits of their labor would be significantly less productive for them. If
more people limited Internet traffic to only those addresses and protocols
that were absolutely necessary, port scanning would be a zero-sum game,
and therefore much less likely to be perpetrated on a routine basis.
> security community need to take a proactive approach. If we all
> installed "Honey Pots" capable of gathering sufficient evidence to
> prosecute the people that broke into them, I bet a large number of
> "script kiddies" would soon find something productive to do with their
> computer skill.
A lot of organizations would rather be passed over than invite closer
scrutiny by an attacker. It's also possible that eventually in some
jurisdiction we'll get the "That Solaris system was wearing a miniskirt,
she was asking for it" defense successfully run against such systems. "We
set this system up for the sole purpose of unscrupulous people attacking
it".... "Then what happned?" .... "They attacked it." "And your loss
was?" "*mumble*..."
> I'm not interested in letting them hack away. I'm interested in getting
> them (or their parents) to help pay for all the time and effort I put
> into fixing the problems they cause.
In my (admittedly limited) understanding of the law, generally there are
mitigating factors to any damages, and culpability in most things is
shared between many parties. It's a viable argument that (a) The kiddie
trying to hack your honeypot isn't the one who caused you to "fix"
anything, so trying to get them to pay for your effort to honeypot them
seems rather self-serving. (b) Poor software development practices are
the cause of almost all non-DoS attacks and some DoS ones: if it wasn't
broken to begin with, you wouldn't have to spend time fixing it. (c)
Poorer due diligence causes those to be fielded as production systems.
(d) Though one guy in the Philippines *should* be spanked, so should the
morons who added active unchecked and unbounded content mechanisms into an
e-mail client. (e) The imbeciles who've decided that "one size fits all"
should be mandated also need to be spanked, probably just not quite as
hard as the other two sets of people.
As much fun as slinging packets and siccing lawyers on the bad guys is,
the absolute truth is that it'd be *way* more productive and cost
effective to block everything not necessary at the border routers and make
the vendors fix what's broken, poorly designed, or just plain stupid in
what must be passed.
In the 8 years I was in the corporate IT structure at my last job, we
probably had a grand total of *4* non-virus incidents within the sphere
of IT things locally that fell in the scope of things I watched that
warranted a significant amount of work Internet-wise that I can recall
(outside of the "I can't get to FOO!" whining luser diagnostic stuff and
stupid people who can't address e-mail correctly or who use
non-standards-based e-mail clients).
The worst was a "test machine, test network, test Internet connection,
admin not keeping up to date" issue which should never have happened. The
next worst was a former employee gaining access to a private forum once
after they'd left the company. The last two were fairly aggressive probes
to exposed services by people who didn't go away after they couldn't
compromise things the first couple of times. One of those ended up being
a client-side bug, and the other stopped after a phone call.
In the same time period, you couldn't even count the malware incidents
for the set of people who ran Microsoft products for messaging or office
automation. (I've always been amazed that the cost of using such tools
isn't an *obvious* place to recoup money by switching to something
"safer.")
For a large portion of that timeframe, our primary Internet connection was
shared with the largest Web site in the corporation (then, as that grew,
the highest-trafficked node of that Web site), with hundreds of thousands
of anonymous remote users accessing servers through the same link.
We could have spent a few thousand dollars on a machine to play with, and
thousands of hours and (probably more importantly) lawyer hours on
tracking everyone who did a portscan (it's damned expensive to sic
lawyers on anyone) and/or attempted to breach such a system. Probably it
would have gotten us attacked more often, and the net result (pun
intended) to the business would have been exactly the same or worse.
If you've got time to play with attackers instead of blocking them, then
you should probably take a closer look at what value you *could* bring to
the business.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
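The default-deny border filtering Paul argues for (permit only the addresses and protocols that are absolutely necessary, so a port scan reveals nothing that wasn't already public), as an added Python example that is not part of the original post or the list archive. The hosts and services (RFC 5737 documentation addresses, a web server and a DNS server), the constructed scan, and the Cisco-style extended ACL rendering are assumptions for illustration, not anything the message describes.

```python
"""Default-deny border policy: a flow passes only if it matches an explicit
allow entry; everything else is dropped. Added example, not list-post code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List


@dataclass(frozen=True)
class Allow:
    dst: str    # destination host/network in CIDR form, e.g. "192.0.2.10/32"
    proto: str  # "tcp" or "udp"
    port: int   # destination port that must be reachable from the Internet


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


class BorderPolicy:
    """Allowlist of (network, proto, port); anything not listed is denied."""

    def __init__(self, allows: Iterable[Allow]):
        self.allows = [(ip_network(a.dst), a.proto, a.port) for a in allows]

    def permits(self, f: Flow) -> bool:
        dst = ip_address(f.dst)
        return any(dst in net and f.proto == proto and f.dport == port
                   for net, proto, port in self.allows)

    def filter(self, flows: Iterable[Flow]) -> List[Flow]:
        """Return only the flows a default-deny border router would forward."""
        return [f for f in flows if self.permits(f)]

    def to_cisco_acl(self, number: int = 101) -> List[str]:
        """Render the allowlist as a Cisco-style extended ACL (assumed target
        syntax for illustration): one permit per entry, then deny+log."""
        lines = []
        for net, proto, port in self.allows:
            if net.prefixlen == 32:
                target = f"host {net.network_address}"
            else:
                target = f"{net.network_address} {net.hostmask}"
            lines.append(f"access-list {number} permit {proto} any {target} eq {port}")
        lines.append(f"access-list {number} deny ip any any log")
        return lines


def scan_result(policy: BorderPolicy, src: str, target: str,
                ports: Iterable[int], proto: str = "tcp") -> List[int]:
    """What a scanner at `src` learns: only the ports the policy lets through,
    i.e. the services that were published anyway. Nothing else answers."""
    return sorted(p for p in ports if policy.permits(Flow(src, target, proto, p)))


# Constructed sample policy: a public web server and a public DNS server.
SAMPLE_ALLOWS = [
    Allow("192.0.2.10/32", "tcp", 80),
    Allow("192.0.2.10/32", "tcp", 443),
    Allow("192.0.2.53/32", "udp", 53),
]
SAMPLE_POLICY = BorderPolicy(SAMPLE_ALLOWS)


if __name__ == "__main__":
    scanner = "198.51.100.7"  # constructed external address
    print("web host visible ports:",
          scan_result(SAMPLE_POLICY, scanner, "192.0.2.10", range(1, 1025)))
    print("unlisted host visible ports:",
          scan_result(SAMPLE_POLICY, scanner, "192.0.2.20", range(1, 1025)))
    print("\n".join(SAMPLE_POLICY.to_cisco_acl()))
```

Run stand-alone, the script shows a 1024-port scan of the web server turning up exactly the two published ports and a scan of any unlisted host turning up nothing, which is the "zero-sum" outcome the message describes; the ACL output is what the same allowlist looks like when pushed to a border router, with the trailing deny+log line doing the blocking.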