Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Bug

Attack Registry And Intelligence Service 73

thelaw writes: "SecurityFocus just announced the start of their new service, ARIS (Attack Registry and Intelligence Service) Analyzer. The service allows you to submit logs from several different intrusion detection systems automatically and quasi-anonymously. Looking at the front page, they seem to have over 700,000 incidents already reported since starting."
This discussion has been archived. No new comments can be posted.

Attack Registry and Intelligence Service

Comments Filter:
  • by Decado ( 207907 ) on Monday March 26, 2001 @09:25AM (#339394)
    And I'll bet they can clear 1,000,000 attacks before the day is out.
  • by ChazeFroy ( 51595 ) on Monday March 26, 2001 @09:25AM (#339395) Homepage
    This centralized service for reporting will lead to some falsified logs being submitted to get somebody in trouble. I hope people use this service, but I also hope they take it with a grain of salt.
  • by blair1q ( 305137 ) on Monday March 26, 2001 @09:27AM (#339396) Journal
    Of course, all too soon, they will have a whole category for "slashdotted"...

    --Blair
  • ... and it'll be much harder for someone to break into a box and rifle the logs before someone else can look at them. It's not a guarantee that the system will be safe and secure, but it could be a nice deterrent to someone hacking and thinking that they can just clean the logs of their activities later...

    "Titanic was 3hr and 17min long. They could have lost 3hr and 17min from that."
  • Are sites linked from /. thinking they're in the middle of a DoS attack?

    DanH
    Cav Pilot's Reference Page [cavalrypilot.com]
  • by cavemanf16 ( 303184 ) on Monday March 26, 2001 @09:30AM (#339399) Homepage Journal
    Well, the US sure seems to be getting bombarded. I didn't know there were that many political attackers and script kiddie crackers out there. Maybe this will show some US companies just how big a deal security (including protecting the info they always collect on me) really is.

    And my bit of paranoia for the day:
    Why do they keep saying how 'secure and private' the log files you send them are? Can't they just trace the IP that sent the log right back to the company and/or individual who owns the IP (unless of course it's a dynamic IP being assigned)? Not that they would want to do so, but let's just stop advertising privacy. There is no privacy on the net. It's like streaking thru a crowded marketplace; not many people notice, but those that do get to see the whole deal.

  • Although some interesting information could pop out of the service, I don't see any real benefit for ME to submit MY logs. In fact, I only see potential harm... after all, what if their security is breached?

    If I'm shown to be wrong, then I must reconsider. But for now, I'll stay on the sidelines.
  • In fact, they're creating the biggest repository of cracker data in the Web!! If they get compromised, everybody using their services will be painted in red as potential targets.

    I sincerely hope this won't happen, but you can't be too careful...

  • Well, the US sure seems to be getting bombarded.

    Really? [attrition.org] It doesn't look like the US is disproportionately represented in this list. All of the 'generic' domains plus .us equals ~60%, and a significant number of .coms (over half of that 60%, BTW) are not US sites.

  • I was just thinking that would be a perfect attack for this system. Just submit enough falsified logs that it becomes worthless.

    You could prevent such an attack by implementing user IDs with cryptographic signing, but you lose some of your anonymity that way as you'd need to reject user ID applications from throwaway accounts such as from Hotmail.

  • cat /var/logs/security | awk '{print $2 " " $3 " " $4} | sort | uniq -c | sort

    doing the same thing except that it's not in pretty html format?
  • by Anonymous Coward
    Hey i'm still waiting for the cheesy Jon Katz article about the oscars for special effects and how those poor picked on geeks have changed the movie inuistry forever and set a new paradigm for the antiquated movie industry...

    blech...
  • by GodHead ( 101109 ) on Monday March 26, 2001 @09:50AM (#339406) Homepage
    I must have missed something.

    I'm not trying to troll or anything but other than the "Cool" factor what does this service do? How is knowing the most common attack types going to help me? The common ones are already patched by clued-in admins. I mean did you see the common attack list? If you're open to SNMP GET you have problems.

    Are they going to try and find new attacks with the data or something?

    G.H.
  • by Anonymous Coward on Monday March 26, 2001 @09:52AM (#339407)
    This service has two sides:
    The bright side is that it will bring stats of intrussion attempts. This is particularly interesting, because you can learn wha't going around and take measures before it's too late.

    The dark side is that I see a forthcomming IASD (Intrussion Attempt source database) available online, so many ppl will start banning IP's "Just in case".

    I do not like ORBS, I feel it's not usefull because of the tendence of give false positives.
    As an example, we use a very strict mail relay policy, and every week I get the ORBS tester machines sending mails that end up in postmaster because of their lack of valid rcpt addressess.
    Every time is because some ignorant saw SPAM w/bogus reply addresses in some of our domains and thinks that the spam was actually sent from one of our SMTP servers (false, all tend to came from yah00 or h0tmail or some server in korea, who cares).

    Imagine a script kiddie who, instead of deleting it's path in the victim's logfile, now replaces it's IP w/someone else's IP address.

    Who audits the victim's security policy? Who gives for grant that the supposed victim is honest?

    This is very, very difficult to prove.

  • I would hope that any system administrator, who was smart enough to know what a log is, would also know what a proxy server is. Problem solved.


    This message was encrypted with rot-26 cryptography.
  • I don't see any real benefit for ME to submit MY logs. In fact, I only see potential harm...
    "I don't see any real benefit for ME to stop spamming. In fact, I only see potential loss of revenue..."
  • That last sentence seems unclear - I don't mean to imply that over half of the .coms are not US sites, but that over half of the 60% (i.e. 38% of the total) are .coms, not all of which are US sites.
  • awk '{print $2 " " $3 " " $4}' /var/logs/security | sort | uniq -c | sort

    Also, your sort will look like this...
    1
    10
    11
    12
    2
    3
    4
    5
    6
    7
    8
    9
  • ...but looking at the overview page...

    "ARIS analyzer is a service designed, administered and maintained by SecurityFocus.com to allow participating network administrators to submit suspicious network traffic and intrusion attempts anonymously, for detailed analysis and tracking. Our aim is to help our participants track incidents and find patterns in attacks that will serve as a threat gauging system for the Internet community."

    ...DAMN! Doesn't apply to me! Still, this looks to be very useful, and I'd probably subscribe to this service if, you know, I weren't just a college kid on a personal computer.

  • In fact, they're creating the biggest repository of cracker data in the Web!! If they get compromised, everybody using their services will be painted in red as potential targets.

    As it says in their FAQ [securityfocus.com] :

    1) ...your account information is stored separately from the IDS logs you submit for analysis...

    2) ...You always have the choice of how much information you wish to send. You may decide to strip address information when cleaning logs in ARIS extractor...

    Also, they only know who you are if you choose to tell them, and, even so, that information is stored separately from the attacks on your system.

    but you can't be too careful... Amen to that.
  • Nice service...
    But, could've been far more interesting if you could see graphs of OVERALL statistics, not only graphs and data of the logs you sent.
    For example, I really wanted to know what are top 10 countries that most of the attacks origin from.
  • . . .is 7-10 hits on my network at work per day, on the average (we have a Class C, but most stuff is NATed behind the firewall), and 3-4 hits a day at home on the DSL line... it all seems a lot, but then both my work and my home firewalls include footprinting exercises as an attack.....

    I have no idea if those numbers are typical: the DSL ranges are well known, and so is my ISP's netblock. . . But I'd wager it's virtually ALL automated tools. . .

  • I got to be l337 over years of study. Now some kid can read a couple of logs and pull off a sweet DDoS in their first few hours. Wtf?

    What can there possibly be left for old-skool h4x0rz like myself? Those 455hol3z have taken all the phun out of it.

    A g4ll3ry of my h4x0r1ng k0nqu3sts [ridiculopathy.com]

  • This will be like having a free online survey of everyone who got hacked... Pretty soon we'll have the perfect profile for the vulnerable admin/setup and targetting spam,hacks,etc at. A little bit of stats work and you may as well have been handed the emails/ip's of the vulnerable systems. Better still, when their database does get hacked, how much do you wanna bet that info is gonna be worth?
  • Erm. Scratch sort problem.
    Sort is a bgit smarter then I thought.
    1
    10

    is different then
    1
    10
  • Paranoid freaks of the world unite!
  • The information will be usefull to security protocol designers such as myself I guess. But sysadmins surely need something more automated and targetted.

    Ad hoc descriptions of vulnerabilities only get so far however. Most of the time the average lamer is trying techniques that were reported on Bugtraq years before and were patched and CERT advised months ago.

  • Can I be geeky like you.

    Sorry to tell you, but I work for a very large organization in which I use this command on a daily basis to monitor our border routers' logs. This allows me to keep an eye out on different ports being probed and allows me the ability to create ACLs to block those ports..

    Why don't you go right click something and upload your logs to have the analisys done for you.
  • do they also offer hacker toolkits for download or do I have to go elsewhere for that?
  • Well the logs aren't always "hacked". An IDS registers 'invalid' or otherwise 'potentially hostile' traffic.

    Just because some kid set off my IDS scanning for SubSeven doesn't mean my site is vulnerable to SubSeven and doesn't mean it was hacked. Fact that they were probably scanning a Solaris system aside all it meant was that my IDS saw the traffic.

    Thats what a lot of these are is that the IDS see's the traffic, either because it is in front of the firewall or the port was opened on the firewall and the IDS behind it saw the packet. What that database could do is show you what are the most common scans performed and what type of sites see what type of attacks.
  • teehee, titter, hehehehe yup, i seem to have a mind of a 3 year old :D
  • Most of the time the average lamer is trying techniques that were reported on Bugtraq years before and were patched and CERT advised months ago.

    NO! The main problem in this sad landscape of crappy administration is that no one bothers patching any of their systems because they:

    a) Don't know what CERT is never mind read it
    b) Don't know what BUGTRAQ is never mind read it

    Most of the systems being hacked are NT or Linux servers which are deployed in the heat of the moment and then forgotten about forevermore.

  • There is no privacy on the net. It's like streaking thru a crowded marketplace; not many people notice, but those that do get to see the whole deal.

    LOL .. that's one of the most amusing internet privacy analogies I've ever heard.

    --
    Delphis
  • Wouldn't something like PortSentry [psionic.com] be easier?

    That and LogCheck [psionic.com] to make picking out interesting log entries a breeze.

    --
    Delphis
  • After looking over the ARIS [securityfocus.com] site, I'm left with a bunch of questions.

    First, what the heck is the definition of an "incident"? Their FAQ doesn't indicate what this means. If some goofball script kiddie runs a script that sends out 100,000 pings of death, is that one incident, or 100,000? If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000? It sounds like AOL's goofy customer count: "Here, set up seven screen names so that we can claim you're seven different customers."

    Secondly, does handing all your log files over to these guys remind anyone of the movie The Net? How do we know SecurityFocus [securityfocus.com] can be trusted? How do we know we're not handing our log files over to someone who's already hacked SecurityFocus? What does this service do for us?

  • Incidents.org [incidents.org] is run by the Global Incidents Analysis Center which is associated with the SANS institute. It's be operating for a while and the "current detects" section is very valueable for those of us who have to address day-to-day security issues.

    GIAC assigns a "handler" to be on-duty at any given time. All the reported incidents are filtered through the handler.

  • We're happy to have all users, whether corporate security professionals, college kids, or home users. if you have an IDS in place, please feel free to participate.
  • Did you even look at the site URL provided? Ofc, there are a whole lot of assumptions on whether or not you want to believe the data represented there is 'valid' or not, whether people are correctly listing their country...etc...
    Anyways, more to the point, it all comes down to this being another potentially useful tool when it comes to what kindof attacks and such are actually being used in the wild...
  • by ryanr ( 30917 ) <ryan@thievco.com> on Monday March 26, 2001 @10:46AM (#339432) Homepage Journal
    Absolutely. Users who create an account and submit their logs have access to the following:

    - A service designed to assist users in reporting incidents. We look up the appropriate contacts for the offending organization and their upstream provider, allow you to select which incidents you wish to report, and draft a report fo you with all the pertinant information.

    - Access to descriptions about what the attack was that your IDS spotted. This includes links into the Bugtraq database where approrpiate, articles, exploit code (so you can see if the compromise was successful or not), etc...

    - The ability to see how many other ARIS users your attacker has attacked, in case that factors into your decision on whether to report or not.

    - We track which incidents have been reported (thorugh our system) for you.

    - We cross-correlate reports from different IDS brands, for those users who have more than one type.
  • NO! The main problem in this sad landscape of crappy administration is that no one bothers patching any of their systems because they:

    Quite so, which is why the lamers don't need to be any more sophisticated.

    If more people stripped down the servers before they deployed them there would be fewer incidents. When I deploy a hardened system I remove ftpd from the inetd file and delete the executable off the system, same for sendmail, finger, nfs etc.

    A lot of security problems could also be eliminated by better O/S and programming language design. On the VAX system any attempt to overwrite the stack caused an exception. Array bounds checking was arround and standard in the 1960s. Today we have to put up with buffer overrun errors. It should not be necessary to take the performance hit of Java just to get array bounds checking (and yes I know the markethead claim that there is no hit if you code right - it is maketting bollocks)

    UNIX could do with a complete clean up job. There is far too much complexity and left over dross from years ago hanging arround.

  • Well, the US sure seems to be getting bombarded.

    That's the number of attacks the US is sending, not receiving.
  • If you would have bothered to actually read some of the info, you would have noticed that you can scrub your logs to preserve such things as privacy...

    Q: Do I have to clean my IP address and other identifying information out of my IDS logs before sending them to ARIS analyzer?

    A: You always have the choice of how much information you wish to send. You may decide to strip address information when cleaning logs in ARIS extractor.

    So clean yer logs of IP's you don't want to give them... :)

  • Hey, dumbass. Only ISPs with peering have "border routers". Perhaps you were trying to come up with a cool word for "external router".

    Boy, you sure are smarter than your average pet rock. Maybe you should take that Netopia router back to where you bought it and let them know that you finally realized that having it != you being a network admin.

    It'd be hard to run a global network with multiple links to the net and multiple campuses running on that single router eh?
  • Did you even look at the site URL provided?

    Yes, why do you ask? To me, it looks like roughly 50% of the cracks are in the US, which is roughly the share of websites. YMMV.

  • by doctor_oktagon ( 157579 ) on Monday March 26, 2001 @11:07AM (#339438)
    GMac, your plan is (adopts Sean Connory accent) "Sherioushly Flawed".

    If you automatically shut down a system which looked like it was being hacked, you risk turning off the front door on your 24/7 international business!

    It's very difficult to detect a real alert from a false alarm. Case in point:
    Last client I was working in had a pair (!) of Sun E10Ks in a failover cluster forming the engine of their website. The Cisco Netranger IDS in the network segment occassionally thought one E10K was launching "ping smurf" attacks on the other E10K, and no amount of IDS tuning would get round it. It turned out it was part of normal Sun cluster network chatter, and it's extremely difficult to harden a clusterised E10K: that's why you deploy an extremely tight firewall in front of it.

    Hilarious I grant you, but not at 3am when your mobile goes off and someone is screaming "Help!!" down it ;-)

  • These could be useful for forensics after a major DDoS, since security professionals and law enforcement could look for origin sites in these logs.

    The common attacks ARE patched against by clued-in admins, but you don't get an army of DDoS zombie boxes by ignoring the obvious exploits. I get scanned all the time for the most obvious security holes; port 137, port 53, port 111. When I've bothered to look, the source boxes have been (half the time - often the sources are fake!) unpatched-looking RedHat boxes from home internet connections (ISPs,broadband or otherwise). And in the weeks following the recent issues with BIND, I have regularly been scanned for port 53, and these guys are scanning whole networks of addresses for this port only.

    In an ideal world, I would report these scans, and the administrators of the source boxen might be notified that their machines have already been hacked and are being used for scans, which could help prevent major DoS attacks, or even be used to observe packet monkeys early enough in the game to trace back to their origin (as opposed to getting to the attack boxes and finding a bunch of erased logs).

    I'm not saying it will work, or that this is the best way to acheive that goal, but there are solid reasons (beyond giving wannabes a source of interesting info) to think that this is useful.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

  • by ryanr ( 30917 ) <ryan@thievco.com> on Monday March 26, 2001 @11:12AM (#339440) Homepage Journal
    First, what the heck is the definition of an "incident"?

    Actually, that's done on a per IDS entry basis. We take each attack description that comes out of each IDS, and correlate those all to a central attack description of our own creation. Then, for each of those, we make a judgement call on whether it is something that should be reported or not. The majority of reports we get are classified as event or probes, things you should't report on. They aren't attacks in and of themselves. There are other attempts that, were the victim vulnerable to what was being checked for, they would just have been penetrated. Those we classify as incidents.

    If some goofball script kiddie runs a script that sends out 100,000 pings of death, is that one incident, or 100,000? If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000?

    It depends how your IDS groups them. We get our information from the IDS logs. Many IDS systems can treat that sort of thing as a collective event.

    How do we know SecurityFocus can be trusted? How do we know we're not handing our log files over to someone who's already hacked SecurityFocus?

    That's the reason we provide an anonymous upload capability, and the upload tool is open-source. You can check yourself exactly what is being sent.

    What does this service do for us?

    A took a short at proving that bit of info here:
    http://slashdot.org/comments.pl?sid=01/03/26/16312 41&cid=92 [slashdot.org]
  • Oh good god man, use common sense. If you're responsible for corporate network security, hopefully you have some...

    Q: First, what the heck is the definition of an "incident"? Their FAQ doesn't indicate what this means.

    A: Again, common sense...if you're getting DDoS'd, you can generate huge amounts of logs if everything is getting recorded...one incident even though (potentially) 2.4million packets were reported (lol).
    Um, what else... if someone probes for 34 different vulnerabilities, hell, report it 34 times if you want.

    Q: Secondly, does handing all your log files over to these guys remind anyone of the movie The Net? How do we know SecurityFocus can be trusted?

    Aa: Um, no not really, "the net" thing was a back door. :P (and a bad movie when it comes to technical points, although not as bad as the infamous 'hackers'...lol.)

    Ab: Hrm, if you're the really paranoid type, SecurityFocus can't be trusted. No one can. Therefore it would be logical to clean your logs of the "attacked address" before submitting them. :)

    Anyways, hopefully this has helped out, sorry if I'm a bit off in these responses, I'm tired and this was too unfortunately typical of responses for me to not respond. :/
  • If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000? It sounds like AOL's goofy customer count: "Here, set up seven screen names so that we can claim you're seven different customers."

    It's one attack. If you don't understand how these things are reported, then you are certainly not up to date or involved in ongoing network security. This is not a criticism, I am pointing out that you seek to knock Security Focus without realising what a valuable community they provide to anyone involved in network security.

    How do we know SecurityFocus can be trusted?

    See above comments. While I would hesitate to give them the password to my numbered Swiss bank accounts (I wish!), I have been using their services FOR FREE for the last 15 months, and I think they deserve a massive THANK YOU from everyone trying to stop people cracking their systems, or trying to evaluate best of breed security products.

    I don't work for Security Focus. I am a completely unbiased consultant who recommends their site to anyone wishing to get into the field of security.

  • Depends a lot on how the IDS is configured. The software tends to gather reports in a set timeframe. An incident is whatever happens from a given source in that time. Be it 30 seconds or 30 days.

    May seem a tad 'goofy' but if the same ip does one thing today then another 6 months from now is it one incident (same source) or two separate ones (time differential)? There isn't a definite line in the sand though stating exactly what the timeframes should be except each organizations security policy. This isn't as precise as nuclear science, yet. Give it a few years.
  • CyberDawg, to clarify the point (and provide some amusement to everyone else), I've just launched my l337 army of zombie machines based in Thailand against your robson.org website.

    You should see a variety of D-DOS attacks, NMAP syn scans, spam-probes on 25, and a look for any recent DNS vulnerabilities.

    Once you have cooled your LAN cable down and paid your 10Gb ISP bill you can analyse your logs and decide how to start categorising it *grin*

  • I found it humorous that a exploit cataloging system is being hosted on an NT machine.
  • If they get compromised, everybody using their services will be painted in red as potential targets.

    Not really. IDS' don't typically record whether the intrusion was successful, they just record attempts. This information doesn't really help you attack anybody. You'd still have to make the attempt yourself to determine vulnerability.
  • How secure a particular NT installation is is dependant on the skill of the administrator securing it, and how carefully the administrator watches for new holes, and aggressively patches them away. We have those functions adequately covered.
  • Actually a lot of places already ban netblocks just because of location. Most of the IPs in the Gaza strip/Palastine etc areas are blocked at numerous places for instance.

    I know I don't think anything of whipping out a default drop on entire B class networks if they are owned in a country that the customers have little business with currently or are known for trouble (Pakistan for instance is really starting to find itself unwelcome in a lot of places).

    There are social issues against doing this but frankly if a given area is known for fire, why play with it. Drop and forget, revist later if conditions improve. Case in point, B class network today in Russia just found itself permanently unwelcome at any of the sites for the company I'm with, and companies where I know friends. They're blocked in 12 B classes and a few C classes on the side now just from refusing to respond against one of their users lauching a hostile attack.

    Ultimately the best solution is that the ISPs or uplinks for the areas take action against attacks but you try getting an internet cafe in the middle of the Gaza strip to block attacks against a jewish owned business. Go ahead, if you can manage it great. My only sucessful recourse has been to drop all incoming packets.

  • Briefly, we provide a way to automate your incident reporting, correlation with other users who have been attacked by the same IP, and essentially a way to cast one more "vote" against an attacker. The latter two items can't be done in isolation. Plus, we provide links to what your IDS description actually means, in case you want to look it up.
  • The value of this data could theoretically extend far beyond prevention of current attacks. A large body of data on the types and frequency of attacks could potentially lead to statistical analyses allowing predictions of the most common origins of attacks. One could then use this data to inform the development of internet routers and filters to minimize international attacks.

    Further, one could do post-hoc correlations of attacks to salient events, yearly cycles, etc. Such data could lead to more accurate predictions of the impacts of same on a company.

    In other words, this will be useful for helping to figure out the big picture of how the internet creates and deals with attacks.
  • Someone hacks on me site, I shut it down using whatever mechanism required, including pulling the plug.

    Don't hack on me!
  • Thank you, Ryan.

    It's refreshing to see a vendor reading the articles on SlashDot and replying with useful information. I appreciate it.

  • Shardis wrote, "If you're responsible for corporate network security, hopefully you have some..."

    What makes you think I'm responsible for corporate network security? I never said that. My day job is in curriculum development, and doesn't involve IP security at all. That, however, doesn't stop me from trying to understand how it all works, and asking lots of questions.

    Um, no not really, "the net" thing was a back door. :P ...

    Details, details ;) I know the background of SecurityFocus, and I've followed BugTraq for years. The point I was making is that I don't know the people. I don't know who would have access to my information. My sole rationale for trusting them (or not) is what other people say about them.

    "...and a bad movie when it comes to technical points, although not as bad as the infamous 'hackers'"

    My wife won't even watch that kind of movie with me anymore, because I keep pointing out the technical flaws. It takes some serious willing suspension of disbelief to enjoy movies like those. I did enjoy Sneakers, though.

    "I'm tired and this was too unfortunately typical of responses for me to not respond."

    No sweat.

  • Am I the only one who likes to watch script kiddies try and infultrate my machine. I mean I love to watch them try tired old attacks and fail. If this service would let me watch the activities on other servers as well I can double my fun. Actually I'd like the ability to see if the same h4x0r is trying to attack my neighbors as well.


  • had to, it just sounded great
  • GIAC [sans.org] has a similar system already at incidents.org [incidents.org]. They assign a "handler" to be on duty at any given time, and all incident reports are filtered through the handler. Someone might submit falsified logs, but unless a lot of sources report the same incidents they problably won't get much mention.

  • What's even better is getting logged intrusion attempts from people with static IPs. Six and seven times a day for a week. Then watching them completely go away after you email their provider once.

    I'm glad I have my log size limited...otherwise I'd have a drive full of logs and no room to run Quake III.

  • And they have a link to their homepage
    *ON* their homepage.

    Plus this (a link back to the old site):
    Welcome
    Incidents.org is the new name of the SANS Global Incidents Analysis Center (GIAC).

    NEWS: New Linux worm. Check out www.sans.org/current.htm

    Not ready?
  • No, that's

    "All your Jew are belong to us!"

  • The incidents.org website is new, but the GIAC has been around for a while. It used to be just the "current.html" page but they are now expanding to include a whole website. Obviously the web site is nothing much yet. I have a lot of faith in both GIAC and SecurityFocus but I tend to think that GIAC will do a better job by virtue of the experience of their handlers and especially because of the quality of the people already submitting incidents to GIAC.

  • Exactly my point!!! It's like watching the cops arrest someone on the street. Watching hackers fail to crack your system can be pretty entertaining. That was my favorite part of Coocoo's Egg. You, Me and Cliff Stoll should have our own show. We'll narrate it like Battle Bots.

    "This h4x0r who calls himself 'ma573r0fm4yh3m' comes from Point Pleasant, WI and is using the 486 Dell his mother brought home from work after the last upgrade. He's never going to get beyond the firewall here at (fill in juicy target) but let's watch him try. What's this he's using a Smurf attack to overwhelm his own ISP. OOps looks to me like he forgot to spoof the return address. Better luck next time."

  • Deja Vous baby...

    --
    *Condense fact from the vapor of nuance*
    25: ten.knilrevlis@wkcuhc
  • That's kind of funny. I'd watch that.
  • I'm not disagreeing with you about the skill of the administrator making a huge difference, but how do you patch holes that Microsoft has neglected to release a patch for yet? They can be rather tardy with their patch releases at times..

    Disclaimer: I'm not a Linux zealot, please don't classify me as one :)
  • I think this will be an interesting tool. Perhaps by determining which attacks are more frequent in certain regions, people can determine which networks might be missing certain patches? Or parts of the world?
  • another site that is related...but not as full featured is this [dshield.org]

Last yeer I kudn't spel Engineer. Now I are won.

Working...