Re: Administrivia...

From: Dan Hanson <dhanson(at)securityfocus.com>
Date: Wed Jul 09 2003 - 13:30:48 EDT


Hi Paul,

Others have also pointed this out or danced around the subject in private emails to me. My idea isn't to get rid of the "help what do I do" messages. My intention is to short-circuit the discussion that goes as follows, and jump to the point that people can actually get their teeth into it.

-==-=-=-=-=-=-=-=-=-
Message 1 -> "Help I think I'm owned, what do I do"
Response 1 (x 10 people) -> "What operating system, what services, what
                             makes you think you are owned"

Message 2 -> "I'm running Windows 2000 Server, IIS, Telnet, SQL Server,
              Windows Media Services. My router light is lit almost
              continually."

Response 2 (x 5 people) -> "What network connections are open"

Message 3 -> "Huh"
Response 3 -> "go to <insert site> download <tool> and post output."

Message 4 -> "Never mind, it was my p2p application, I didn't realize I was
              sharing something"
        or
Message 4 -> "It says something about .exe" and google doesn't
              have anything about that.

=-=-=-=-=-=-=-=-=-=-

My concern is not that we are getting people asking for help, or even that we are getting "simple" questions. In fact I think that this is good, after all, for those of us who have been in the game long enough, we know that there is evolution in bot development, malicious behaviour, and vulnerable programs etc.


Rather what I think is that the initial forensics or information discovery is not done, and I either walk them through it via "reject" messages (somewhat time consuming), allow the post, or point them to a number of external sites. The discussion of actual break-ins is good, but there are far too many times when the simple use of fport, netstat, or tcpdump shows that it's not a problem at all.

I guess that my feeling is that too much of the list is dedicated to instructions on how to gather more information about standard processes, rather than discussion of how to detect the non-standard/malicious processes, or discussion about the evolution of these techniques, or best practices to help defend or detect against this.

I don't want to limit the asking of questions, but rather, I would like to get a bare minimum of information included before something is posted. In my example, that would have eliminated 4-5 messages in the exchange. Those 4-5 messages are pretty similar each time.

Wow, this turned longer than I anticipated.

D

On Tue, 8 Jul 2003, Paul J. Morris wrote:

> Let me offer an argument for not rejecting the "help, what do I do"
Received on Wed Jul 9 15:25:02 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:10 EDT