Re: Intro and questions (fwd)

ddrew@mci.net
Wed, 22 Mar 1995 12:34:54 -0500

> From: ziese@gizmo.csap.af.mil (Kevin J Ziese)
> To: ids@uow.edu.au
> Subject: Re: Intro and questions (fwd)
> 
> After reading about sick puppy, then his detractors, then his supporter, then
> his detractor, then his <his detractor> detractor, I'm moved to ask, 'can't
> we all just get along?'

I think the overall issue is that there is an ethical obligation to ensure
that intrusion and/or vulnerability detection code be protected from being
placed directly into the hands of those parties that may use it for
malicious intent.

The hard part is to identify who is the good guy, and who is the bad guy -
which is why you don't see anyone jumping to create a Certification Authority
Root, regardless of the demand.

"Sick Puppy" added to this hysteria by fitting the traditional mold of
a computer cracker by the very nature of his request, therefore I do not blame
the caution that was put into action by the members of this list regarding
the response.

I will not begin to start the debate on whether vulnerability detection
software should be publicly released, as this is not directly relevant to
this discussion.
 
But the intention of these mailing lists is to provide education and assistance
to those people who are responsible for protecting their systems. Determining
who fits into that category - to any extent - certainly fits into the
ethical obligations of the list as a whole.

::Soapbox mode off::

> How about we talk about a new intrusion strategy.  I'll
> start by asking how much interest does the group see in proactive strategies
> that allow a rule base to take action when someone misbehaves on a system?
>

The concept of this is a good one, but the action taken is a very important
consideration.  The classical denial of service attack
comes to mind.  Let's say you have an Intrusion Detection module that monitors
for bad login requests to a secured system.  You have your module to
delete the username if there are more than 8 bad login requests to the
username within a 5 min period.  There was a case of a company who did
exactly this. 

There was the occasional employee who forgot their password, and had to call
and get their account reactivated, which they would have to do if they
forgot their password and didn't even try to log in....

The problem, obviously, was when one of the system administrators left the
company.  He took the entire list of usernames home, and dialed into the
LAN at 3:00am and ran through the whole list, which cancelled the customer's
entire user community.

Our Intrusion Detection Systems certainly take action, depending on the
category and priority of the anomaly.  That action can be anything from:
trace the session, page someone, associate the session with the user's
"normal" behavior, etc....  But we only take "corrective" action on extreme
anomalies, because of the denial of service threat.

                         "Success through teamwork"
===============================================================================
Dale Drew                                                MCI Telecommunications
Manager                                                    internetMCI Security
                                                                    Engineering
Voice:  703/715-7058                                    Internet: ddrew@mci.net
Fax:    703/715-7066                                MCIMAIL: Dale_Drew/644-3335
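The lockout story above (more than 8 bad logins to a username within 5 minutes gets the account removed, and a departed administrator walks the whole username list at 3:00am) can be replayed against constructed log lines. The following is an added example, not code from the original message or from MCI; the log format, the source names, the user list, and the per-source cap of 3 lockouts in the guarded variant are all assumptions made here. It runs the naive per-user rule and a guarded rule that refuses to let one source lock more than a few accounts, blocking the source and raising an alert instead, which is the "corrective action only on extreme anomalies" stance the message ends on.

```python
"""Replay an automatic account-lockout rule against constructed login
failures and show how a single source can turn it into a denial of service.
Added example; not code from the original message."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)      # the 5-minute window from the message
THRESHOLD = 8                      # "more than 8 bad login requests"
MAX_LOCKS_PER_SOURCE = 3           # guarded rule: assumed cap, not from the message

# Constructed log lines (assumed format: "<date> <time> src=.. user=.. result=..").
# Day 1: one forgetful user from her own dial-up line.
# Day 2: a 3:00am sweep of every username from one other dial-up source.
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
LOG = []
for i in range(9):
    LOG.append(f"1995-03-22 09:00:{i:02d} src=dialup-04 user=alice result=FAIL")
for n, user in enumerate(USERS):
    for i in range(9):
        LOG.append(f"1995-03-23 03:{n:02d}:{i:02d} src=dialup-17 user={user} result=FAIL")


def parse(line):
    """Split one constructed log line into (timestamp, source, user, result)."""
    date, clock, rest = line.split(" ", 2)
    kv = dict(field.split("=", 1) for field in rest.split())
    return datetime.fromisoformat(f"{date} {clock}"), kv["src"], kv["user"], kv["result"]


def _count(window, ts):
    """Sliding window: drop timestamps older than WINDOW, add ts, return count."""
    while window and ts - window[0] > WINDOW:
        window.popleft()
    window.append(ts)
    return len(window)


def naive_lockout(lines):
    """The rule from the message: disable any user who exceeds THRESHOLD
    failures inside WINDOW. Returns the set of disabled usernames."""
    fails = defaultdict(deque)
    disabled = set()
    for line in lines:
        ts, src, user, result = parse(line)
        if result != "FAIL":
            continue
        if _count(fails[user], ts) > THRESHOLD:
            disabled.add(user)
    return disabled


def guarded_lockout(lines):
    """Same per-user rule, but one source may lock at most
    MAX_LOCKS_PER_SOURCE accounts; past that the source is blocked and an
    alert is raised rather than disabling more of the user community.
    Returns (disabled users, blocked sources, alert messages)."""
    fails = defaultdict(deque)
    locked_by = defaultdict(set)          # source -> accounts it has locked
    disabled, blocked, alerts = set(), set(), []
    for line in lines:
        ts, src, user, result = parse(line)
        if result != "FAIL" or src in blocked:
            continue
        if _count(fails[user], ts) > THRESHOLD:
            if len(locked_by[src]) >= MAX_LOCKS_PER_SOURCE:
                blocked.add(src)
                alerts.append(f"{ts} {src} locked {MAX_LOCKS_PER_SOURCE} accounts; "
                              "source blocked, paging on-call")
            else:
                locked_by[src].add(user)
                disabled.add(user)
    return disabled, blocked, alerts


if __name__ == "__main__":
    print("naive rule disabled:  ", sorted(naive_lockout(LOG)))
    d, b, a = guarded_lockout(LOG)
    print("guarded rule disabled:", sorted(d))
    print("blocked sources:      ", sorted(b))
    print("alerts:               ", a)
```

With the naive rule every username in the list ends up disabled after the sweep; the guarded rule still locks the forgetful user (a support call, as in the message) and the first few swept accounts, then blocks the sweeping source and pages someone, so the bulk of the user community survives. The cap is the tunable: it should be low enough that a sweep never reaches a meaningful fraction of the accounts, and the lock itself is better made a temporary hold than a deletion.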