Old 03/09/2006, 14:12   #5
Ertugrul Soeylemez
Re: ssh dictionary attacks

responder <no@spam.invalid> (06-09-02 03:38:25):

> >> Ultimately the solution is for an agency to provide the tarpit as a
> >> proxy. Once the connection is determined to be offensive, the
> >> socket should be forwarded to a server run by the police with an
> >> out-of-band session to provide the true source address and related
> >> statistics. One honeypot, many parallel data flows pointing back at
> >> the origin.

> >
> > That's not a solution, because many, if not most of these attacks
> > come from innocent people, who don't even know about it. I'd rather
> > call these SSH _worms_, because they spread like them.

>
> A _child_ is "innocent" and not (mostly, in civilized societies)
> responsible even if s/he signs an otherwise valid contract. Many
> children of well-heeled parents have their own computers and internet
> connections. If a phishing site were being hosted on that
> "innocent"'s computer, is the financial damage to the victims any less
> real? (No.) Is there any less reason to shut down that phishing
> site, just because it is running on a computer in a child's bedroom,
> playroom or den? (No.)
>
> [...]


Calm down, my friend. IMO the suggestion above is not a solution,
because it would be heuristic and _may_ prevent legitimate traffic from
passing through. Also it's a bit of security through obscurity, because
the actual problem (careless admins and software bugs) will not be
solved.

In the non-deterministic real life, defenses are the best bet in some
cases (such as in your example with 09/11), but in the deterministic
e-world problems shouldn't be hidden, but rather solved.

The other problem with the suggestion is: Firstly, the real bad guys
wouldn't be found that way, and the police would have too much work filtering
out those "innocent" bad admins (i.e. PEBKAC users, who need the
computer for their work or other things, and wouldn't care much about
computing security). And there are probably hundreds of thousands of
them.

Secondly, it would have an immense impact on privacy, as the police
would have to be able to associate IP addresses with persons in this
case. "So don't send such packets out", might be your argument. But
depending on the filters at that "agency", this may be easy to enforce.

I wouldn't want any agency to intercept all my traffic, anyway. Neither
automatically, nor manually.


Regards,
E.S.