True, Tim, a scan is just a scan, and who cares. But some of the scans
recorded are looking for a Trojan and these should be reported. I
have no mercy on those scans because they are basically criminal.
Regular scans, who cares. So if we limit reporting to the "illegal"
scans I think that will avoid the concerns about a police state. I
would not want an overbearing nanny or police state.
----- Original Message -----
From: "Tim Sailer" <[EMAIL PROTECTED]>
To: "Michael E. Cummins" <[EMAIL PROTECTED]>
Cc: "EXT-Springer, Aaron C" <[EMAIL PROTECTED]>;
"Firewalls Mailing List" <[EMAIL PROTECTED]>
Sent: Friday, February 18, 2000 1:45 PM
Subject: Re: Someone is scanning me
On Fri, Feb 18, 2000 at 01:27:34PM -0500, Michael E. Cummins wrote:
> > -----Original Message-----
> > From: EXT-Springer, Aaron C [mailto:[EMAIL PROTECTED]]
> > I think that a scan is just a scan, I would hate to have it come
> > to the point where doing a scan on somebody gets your ISP account
> > revoked. This country is turning into a police state as it is.
> > I can see a future where any kind of probing is deemed illegal by
> > the Gestapo. In the UK if you don't give up your crypto keys
> > when the Gov. asks, you go to jail. The day may come when having
> > strobe or nmap on your machine is illegal..
> >
> > If they do more than a scan then, hey give it to `em...
>
> The more I think about it, the more I am questioning my initial zeal in
> spanking this fellow. I think that you have a valid point, but I am still
> uncomfortable with what appears to me to be a script kiddy scanning a broad
> number of addresses looking quite specifically for Trojan infected machines.

A scan just doesn't "happen". It's done for a reason. Nothing is illegal
about walking down your block, and knocking on all the doors, but I bet
you'd get someone pissed off enough to call the police, and they would
make you leave.

> I myself have a fear of the way some of our legislators are looking at
> "cyber crime", "cryptology" and various other internet related issues.
> Keeping the discussion list-specific, as an operator of numerous
> firewalls...
>
> What is our responsibility to this?
>
> Do we wait for the attacker to "breach" before reacting? Or do we try to
> determine on a case by case basis what the intent of the anomaly was? I
> have always favored preventive action over corrective, but I am trying to
> find a happy balance here between ethics, logistics and behavioral
> precedents that I will pass on to my employees.

We employ 'threat assessment'. We don't act on every probe (over 200
yesterday), but if it happens more than 1 time, we lock them out at the
router. I don't wait for the problem to occur.

> Some of us cannot deal with the number of probes received per day, it would
> be a logistic impossibility. (Luckily, I am not one of these. Currently, I
> co-locate servers and pay for the services.) Thus, I can understand a
> policy based on "Well, what did they actually get away with?"
>
> Or is that too lax?
It all depends on your policy.
> If we find ourselves with the time and the resources, do we have the
> obligation to swat the flies? Am I correct in perceiving that the majority
> of intrusions today are from people that actually have little knowledge of
> the principles their downloaded tools are based upon - and a bit too much
> time on their hands?
>
> In my case, I just shared my logfiles with the German ISP that we assumed
> the port scanning originated from. I stressed that no damage was done, and
> no successful breach took place. I just alerted them that the event took
> place, as a courtesy to them. At least, that truly is the spirit I sent it
> in after thinking about everything a few times.

This may be enough in your situation. We are actually required, depending on
how you read the rules we have to follow, to report *all* attempts to CIAC.
Looking at the weekly reports they generate, some sites actually do. Most
of these things are simply an annoyance, and not even a threat, no less an
incident.

Tim
--
(work) [EMAIL PROTECTED] / (home) [EMAIL PROTECTED] - http://www.buoy.com/~tps
Lord, grant me the serenity to accept the things I cannot change,
the courage to change the things I can, and the wisdom to hide the
bodies of the people I had to kill because they pissed me off - Anon.
** Disclaimer: My views/comments/beliefs, as strange as they are, are my own.**
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
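
The two triage rules discussed in this thread (lock a source out once it probes more than one time; report scans that look specifically for Trojans), sketched as an added example that is not code from any participant. The log format, the sample lines, the 10-minute gap used to separate one probe from the next, and the Trojan port list are assumptions; the thread names none of them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: default listener ports of Trojans common at the time.
TROJAN_PORTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}
# Assumption: hits from one source more than 10 minutes apart are separate probes.
BURST_GAP = timedelta(minutes=10)

# Constructed sample: date time action proto src dst dport
SAMPLE_LOG = """\
2000-02-17 09:12:01 DENY tcp 192.0.2.10 198.51.100.5 23
2000-02-17 09:12:02 DENY tcp 192.0.2.10 198.51.100.5 80
2000-02-17 11:40:15 DENY tcp 192.0.2.77 198.51.100.5 12345
2000-02-17 11:40:16 DENY tcp 192.0.2.77 198.51.100.6 12345
2000-02-17 14:03:44 DENY tcp 203.0.113.9 198.51.100.5 111
2000-02-17 21:30:09 DENY tcp 203.0.113.9 198.51.100.5 111
malformed line
"""

def parse(line):
    """Return (timestamp, source, dest_port) for a DENY line, else None."""
    parts = line.split()
    if len(parts) != 7 or parts[2] != "DENY":
        return None
    try:
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        return when, parts[4], int(parts[6])
    except ValueError:
        return None

def triage(log_text):
    """Map each source to its probe count, Trojan ports hit, and actions."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_src[rec[1]].append((rec[0], rec[2]))
    verdicts = {}
    for src, hits in by_src.items():
        hits.sort()
        # One burst of hits is one probe; a long quiet gap starts a new one.
        probes = 1 + sum(1 for a, b in zip(hits, hits[1:]) if b[0] - a[0] > BURST_GAP)
        trojans = sorted({TROJAN_PORTS[p] for _, p in hits if p in TROJAN_PORTS})
        actions = (["block"] if probes > 1 else []) + (["report"] if trojans else [])
        verdicts[src] = {"probes": probes, "trojans": trojans,
                         "actions": actions or ["log"]}
    return verdicts
```
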