Hi Paul,

Others have also pointed this out or danced around the subject in private emails to me. My idea isn't to get rid of the "help what do I do" messages. My intention is to short circuit the discussion that goes as follows, and jump to the point that people can actually get their teeth into it.

-==-=-=-=-=-=-=-=-=-
Message 1 -> "Help I think I'm owned, what do I do"
Response 1 (x 10 people) -> "What operating system, what services, what makes you think you are owned"
Message 2 -> "I'm running Windows 2000 Server, IIS, Telnet, SQL Server, Windows Media Services. My router light is lit almost continually."
Response 2 (x 5 people) -> "What network connections are open"
Message 3 -> "Huh"
Response 3 -> "go to <insert site> download <tool> and post output."
Message 4 -> "Never mind, it was my p2p application, I didn't realize I was sharing something"
or
Message 4 -> "It says something about <badbinary>.exe" and google doesn't have anything about that.
=-=-=-=-=-=-=-=-=-=-

My concern is not that we are getting people asking for help, or even that we are getting "simple" questions. In fact I think that this is good, after all, for those of us who have been in the game long enough, we know that there is evolution in bot development, malicious behaviour, and vulnerable programs etc. Rather what I think is that the initial forensics or information discovery is not done, and I either walk them through it via "reject" messages (somewhat time consuming), allow the post, or point them to a number of external sites. The discussion of actual break-ins is good, but there are far too many times when the simple use of fport, netstat, or tcpdump shows that it's not a problem at all.

I guess that my feeling is that too much of the list is dedicated to instructions on how to gather more information about standard processes, rather than discussion of how to detect the non-standard/malicious processes, or discussion about the evolution of these techniques, or best practices to help defend or detect against this. I don't want to limit the asking of questions, but rather, I would like to get a bare minimum of information included before something is posted. In my example, that would have eliminated 4-5 messages in the exchange. That 4-5 messages is pretty similar each time.

Wow, this turned longer than I anticipated.

D

On Tue, 8 Jul 2003, Paul J. Morris wrote:
> Let me offer an argument for not rejecting the "help, what do I do"
> messages out of hand. One of the useful educational aspects of this
> list for me has been watching the posted responses to such messages.
> You are quite right that the responses that come back from posters to
> questions from the list are often not very informative. However, the
> questions that members of the list ask in and of themselves can be quite
> valuable. Different questions about a vague problem can communicate a lot
> about how people who work on incident response approach problems and
> some of the differences in opinion between members of the community.
> Reducing the number of information poor postings on the list might
> well be a very good thing, but consider that there might be some value
> to such postings.
>
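An added example, not part of this thread and not written by either poster: the "bare minimum of information" the message asks for, gathered and pre-screened by a small Python script before anyone posts. It parses netstat -an style output (the sample below is constructed, not captured from a real host), compares the listening sockets against the services the administrator says should be running (the port-to-service mapping for IIS, Telnet, SQL Server and Windows Media Services is an assumption made for this example), and lists anything else together with how many connections it currently has. In the sample the one unexpected listener is TCP/6346, the default port of Gnutella p2p clients, which matches the "it was my p2p application" ending in the exchange above. All function names are this example's own.

```python
"""Pre-post triage: compare netstat -an output against an expected-service
baseline so a help request arrives with the basic facts already gathered."""

import re
from collections import Counter, namedtuple

Socket = namedtuple("Socket", "proto local_addr local_port remote state")

# Constructed sample in the Windows 2000 `netstat -an` layout (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1755           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6346           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:6346        198.51.100.7:41022     ESTABLISHED
  TCP    192.0.2.10:6346        203.0.113.5:52311      ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

# Assumed baseline: the services the admin in the thread says are running.
EXPECTED_LISTENERS = {
    ("TCP", 23): "Telnet",
    ("TCP", 80): "IIS (HTTP)",
    ("TCP", 1433): "SQL Server",
    ("UDP", 1434): "SQL Server resolution service",
    ("TCP", 1755): "Windows Media Services (MMS)",
}

# proto, local endpoint, foreign endpoint, optional state (UDP lines have none)
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _split_endpoint(endpoint):
    """Split 'addr:port' at the last colon so IPv6 forms like '[::]:80' work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def parse_netstat(text):
    """Return one Socket per data line; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        addr, port = _split_endpoint(local)
        if not port.isdigit():
            continue
        sockets.append(Socket(proto, addr, int(port), remote, state or ""))
    return sockets


def listening(sockets):
    """TCP sockets in LISTENING state plus every bound UDP socket."""
    return [s for s in sockets
            if (s.proto == "TCP" and s.state == "LISTENING") or s.proto == "UDP"]


def unexpected_listeners(sockets, expected):
    """(proto, port) pairs that are listening but absent from the baseline."""
    return sorted({(s.proto, s.local_port) for s in listening(sockets)} - set(expected))


def established_by_port(sockets):
    """How many ESTABLISHED connections each local port currently has."""
    return Counter(s.local_port for s in sockets if s.state == "ESTABLISHED")


def triage_report(text, expected):
    """Build the summary a poster would paste into their first message."""
    sockets = parse_netstat(text)
    unexpected = unexpected_listeners(sockets, expected)
    established = established_by_port(sockets)
    lines = ["Listening sockets not in the admin's baseline:"]
    for proto, port in unexpected:
        lines.append(f"  {proto}/{port}  ({established.get(port, 0)} established connections)")
    if len(lines) == 1:
        lines.append("  none")
    lines.append("Expected services seen:")
    for (proto, port), name in sorted(expected.items()):
        seen = any(s.proto == proto and s.local_port == port for s in listening(sockets))
        lines.append(f"  {proto}/{port} {name}: {'present' if seen else 'MISSING'}")
    return unexpected, established, "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_NETSTAT, EXPECTED_LISTENERS)[2])
```

Run against real output, the same report answers "what services" and "what network connections are open" in one go; a listener that is neither in the baseline nor explained by something like a p2p client is the point at which the thread has something to get its teeth into.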
This archive was generated by hypermail 2b30 : Wed Jul 09 2003 - 12:08:17 PDT