> From: ziese@gizmo.csap.af.mil (Kevin J Ziese)
> To: ids@uow.edu.au
> Subject: Re: Intro and questions (fwd)
>
> After reading about sick puppy, then his detractors, then his supporter, then
> his detractor, then his <his detractor> detractor. I'm moved to ask, 'can't
> we all just get along?'

I think the overall issue is that there is an ethical obligation to ensure that intrusion and/or vulnerability detection code be protected from being placed directly into the hands of those parties that may use it for malicious intent. The hard part is to identify who is the good guy, and who is the bad guy - which is why you don't see anyone jumping to create a Certification Authority Root, regardless of the demand.

"Sick Puppy" added to this hysteria by fitting the traditional mold of a computer cracker by the very nature of his request, therefore I do not blame the caution that was put into action by the members of this list regarding the response.

I will not begin to start the debate on whether vulnerability detection software should be publicly released, as this is not directly relevant to this discussion. But the intention of these mailing lists is to provide education and assistance to those people who are responsible for protecting their systems. Determining who fits into that category - to any extent - certainly fits into the ethical obligations of the list as a whole.

::Soapbox mode off::

> How about we talk about a new intrusion strategy. I'll
> start by asking how much interest does the group see in proactive strategies
> that allow a rule base to take action when someone misbehaves on a system?
>

The concept of this is a good one, but the action taken is a very important consideration. The classical denial of service attack comes to mind. Let's say you have an Intrusion Detection module that monitors for bad login requests to a secured system.

You have your module delete the username if there are more than 8 bad login requests to the username within a 5 min period. There was a case of a company who did exactly this. There was the occasional employee who forgot their password, and had to call and get their account reactivated, which they would have to do if they forgot their password and didn't even try to log in....

The problem, obviously, was when one of the system administrators left the company. He took the entire list of usernames home, and dialed into the LAN at 3:00am and ran through the whole list, which cancelled the customer's entire user community.

Our Intrusion Detection Systems certainly take action, depending on the category and priority of the anomaly. That action can be anything from: trace the session, page someone, associate the session with the user's "normal" behavior, etc.... But we only take "corrective" action on extreme anomalies, because of the denial of service threat.

"Success through teamwork"
===============================================================================
Dale Drew                              MCI Telecommunications
Manager                                internetMCI Security Engineering
Voice: 703/715-7058                    Internet: ddrew@mci.net
Fax:   703/715-7066                    MCIMAIL: Dale_Drew/644-3335
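The lockout-as-denial-of-service scenario from the message above, as an added example that is not part of the original post or of any MCI tool: a sliding-window counter over constructed login-failure lines, with the anecdote's delete-on-threshold response beside a guarded variant that traces and pages when one source trips many accounts inside the window instead of deleting them. The log format, the MASS_LOCKOUT value, the usernames and the dial-in port names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 8                  # "more than 8 bad login requests"
WINDOW = timedelta(minutes=5)  # "within a 5 min period"
MASS_LOCKOUT = 3  # assumed: accounts one source may trip inside WINDOW before it is a list attack

def tripped_users(lines):
    """user -> (time, source) for users exceeding THRESHOLD failures inside a sliding WINDOW.
    Constructed log format: 'YYYY-MM-DD HH:MM:SS RESULT user source'."""
    recent, tripped = defaultdict(deque), {}
    for line in lines:
        day, clock, result, user, source = line.split()
        if result != "FAIL":
            continue
        when, q = datetime.fromisoformat(f"{day} {clock}"), recent[user]
        q.append(when)
        while when - q[0] > WINDOW:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > THRESHOLD:
            tripped.setdefault(user, (when, source))
    return tripped

def naive_response(lines):
    """The policy in the anecdote: delete every username that trips the rule."""
    return {"delete": sorted(tripped_users(lines)), "page": []}

def guarded_response(lines):
    """Same detector, but a source tripping MASS_LOCKOUT accounts inside WINDOW is traced/paged."""
    by_source = defaultdict(list)
    for user, (when, source) in tripped_users(lines).items():
        by_source[source].append((when, user))
    delete, page = [], []
    for source, hits in by_source.items():
        hits.sort()
        if any(hits[i + MASS_LOCKOUT - 1][0] - hits[i][0] <= WINDOW
               for i in range(len(hits) - MASS_LOCKOUT + 1)):
            page.append(source)                 # extreme anomaly: hand the session to a human
        else:
            delete.extend(u for _, u in hits)   # isolated brute force on one account
    return {"delete": sorted(delete), "page": sorted(page)}

def failures(user, source, start, n, step=5):
    """Constructed sample: n FAIL lines for user, step seconds apart."""
    return [f"{start + timedelta(seconds=i * step):%Y-%m-%d %H:%M:%S} FAIL {user} {source}"
            for i in range(n)]

# Constructed sample log: ex-admin runs the whole username list from one dial-in port at 03:00
# (9 bad logins per account); at 09:00 alice merely fumbles her own password three times.
SAMPLE_LOG = []
for m, user in enumerate(["bob", "carol", "dave", "erin"]):
    SAMPLE_LOG += failures(user, "dialin-3", datetime(1996, 3, 4, 3, m), 9)
SAMPLE_LOG += failures("alice", "office-pc-12", datetime(1996, 3, 4, 9, 0), 3)
SAMPLE_LOG += ["1996-03-04 09:00:40 OK alice office-pc-12"]
```

Running `naive_response(SAMPLE_LOG)` deletes all four listed accounts, while `guarded_response(SAMPLE_LOG)` deletes none and pages on `dialin-3`; a single brute-forced account from one source still gets the corrective action.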