[H-GEN] About online security of our systems

Arjen Lentz arjen at mysql.com
Wed Mar 20 23:37:54 EST 2002


[ Humbug *General* list - semi-serious discussions about Humbug and  ]
[ Unix-related topics.  Please observe the list's charter.           ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]

Hi Bradley, et al,

> On Thu, 21 Mar 2002, Nikolai Lusan wrote:
> > You also might find all your data missing and your username/passwords
> > emailed to a large spam list. A few years back a young humbug member had
> > an out of date sendmail that got hacked - he only had his partition tables
> > deleted but that was scary enough.

On Thu, 2002-03-21 at 12:36, Bradley Marshall wrote:
> You might also find yourself talking to the authorities
> when they track back the hackers who have used your box to
> break into other boxes.

Interestingly, I found myself talking to a security dude from Optus at Home
early last week, after they had disconnected me for excessive traffic.

The cause of this was in fact an incoming DoS attack on my system, which
I had already informed them about AND had changed my network card so I'd
be certain to get a different IP with DHCP.

Optus at Home's corporate opinion for attacks is that they are ALWAYS
caused (somehow) by the person who is attacked. Not "sometimes", not
"often", but ALWAYS. Analogy: if you get robbed or raped on the street,
you must have caused it!

And even though the blame is defaulted to the customer, Optus does
insist that you contact them immediately in case something like this
happens. So you are expected to turn yourself in, fully aware of the
fact that the blame will immediately be placed squarely with you.
I pulled them up on that one 'cos they said it was in the AUP and I
informed them it wasn't (I won't be surprised if it gets added now.)
(as noted, I *had* in fact informed them about the attack, only they
felt I hadn't done so fast enough.)
Anyway, it makes perfect sense to me to call my ISP in case of a DoS
attack. However, I would appreciate not being thrown "in jail" myself
for being the victim of the crime. That kind of maltreatment reduces my
willingness to help my ISP, as you might understand ;-)

Yes, Optus disconnects your service pending the investigation. Also in
my case, even though they were quite aware that I already had a
different IP address on their network, AND I had sent them a trace
giving details about the attack and where it came from. So disconnecting
me served no technical, security or any other purpose. It just hindered
me by losing my Internet service for most of the day.
I was reconnected late in the afternoon, so that is good and hooray to
Optus for that, but.... they made it quite clear that this was like a
"favour" to me. So, with this and the above experience, I still feel ...
screwed.

If it ever happens again, I won't be so lucky. They'll disconnect me and
it'll stay that way. Because they don't believe it can just happen.
Oh well.

I think I was also fairly "lucky" because the attack did not affect my
system at all, I only happened to notice increased traffic by the LED on
the cable modem (and that's only because Motorola's SURFboard has a case
to put on the desktop, but it's lucky I didn't shove it under the desk
anyway). Then, I am experienced enough to check the traffic on my eth
ports, do a tcpdump, and so on.

An average user would have had no idea what was going on, yet they would
have been disconnected, called by Optus, and accused of having excessive
traffic. What would they respond?

If that average user had been running Windows, their system surely would
have crashed, and crashed again a while after reboot. They wouldn't have
known what was happening.


The whole thing goes against my ideas about common sense and "justice".
I've worked for ISPs in Holland and the UK, and in my experience they
don't even flinch over these things. Upon being informed (or finding out
themselves) they might block the source IP for a while, to at least keep
the traffic off their local net. But they certainly don't disconnect
their customer. It makes no sense at all.


Regards,
Arjen.
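Added example (not Arjen's code, and not part of the original post): the post mentions noticing the flood on the modem LED, confirming it with tcpdump on the eth ports, and sending the ISP a trace showing where the attack came from. The script below turns a tcpdump text capture into exactly that kind of summary: packets and packet rate per source address, the targets each source hit, and a list of sources above a chosen rate. The capture lines are constructed for the example in the shape of `tcpdump -n` IPv4 output; the line format regex, the one-second minimum window for rating short bursts, and the threshold are assumptions of the example.

```python
"""Summarise a tcpdump text capture by source address (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `tcpdump -n` output; not a real capture
# from the post. 203.0.113.5 plays the flooding source, 198.51.100.9 is a
# normal DNS reply, and the last line shows that non-matching lines are skipped.
SAMPLE_CAPTURE = """\
23:37:54.000000 IP 203.0.113.5.40000 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
23:37:54.010000 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [S], seq 2, win 512, length 0
23:37:54.020000 IP 203.0.113.5.40002 > 192.0.2.10.80: Flags [S], seq 3, win 512, length 0
23:37:54.030000 IP 203.0.113.5.40003 > 192.0.2.10.80: Flags [S], seq 4, win 512, length 0
23:37:54.040000 IP 203.0.113.5.40004 > 192.0.2.10.80: Flags [S], seq 5, win 512, length 0
23:37:54.050000 IP 203.0.113.5.40005 > 192.0.2.10.80: Flags [S], seq 6, win 512, length 0
23:37:54.500000 IP 198.51.100.9.53 > 192.0.2.10.53124: 1234 1/0/0 A 192.0.2.1 (60)
23:37:55.000000 IP 203.0.113.5.40006 > 192.0.2.10.80: Flags [S], seq 7, win 512, length 0
23:37:55.100000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
"""

# Assumption: IPv4 lines of the form "HH:MM:SS.micro IP src.sport > dst.dport: ..."
# (tcpdump appends the port to the address with a dot). ARP, IPv6 and other
# line shapes simply do not match and are ignored.
LINE_RE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}(?:\.\d+)?) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

Packet = Tuple[float, str, str]  # (seconds since midnight, src, dst)


def parse_capture(text: str) -> List[Packet]:
    """Extract (time, src, dst) from each parseable capture line."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Timestamps are wall-clock within one day; a capture spanning
        # midnight would need the date, which plain tcpdump output lacks.
        t = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"])
        packets.append((t, m["src"], m["dst"]))
    return packets


def summarise(packets: List[Packet]) -> Dict[str, dict]:
    """Per-source packet count, observed time span, targets and packet rate."""
    stats: Dict[str, dict] = {}
    for t, src, dst in packets:
        s = stats.setdefault(src, {"packets": 0, "first": t, "last": t, "targets": set()})
        s["packets"] += 1
        s["first"] = min(s["first"], t)
        s["last"] = max(s["last"], t)
        s["targets"].add(dst)
    for s in stats.values():
        # Rate over the observed span. A lone packet or a sub-second burst is
        # rated against a one-second window so it is never divided by ~0.
        span = max(s["last"] - s["first"], 1.0)
        s["pps"] = s["packets"] / span
    return stats


def flag_floods(stats: Dict[str, dict], pps_threshold: float) -> List[str]:
    """Sources at or above the threshold, busiest first."""
    hits = [src for src, s in stats.items() if s["pps"] >= pps_threshold]
    return sorted(hits, key=lambda src: -stats[src]["pps"])


def report(stats: Dict[str, dict]) -> str:
    """Plain-text summary suitable for pasting into a complaint to the ISP."""
    rows = sorted(stats.items(), key=lambda kv: -kv[1]["packets"])
    lines = ["%-16s %8s %8s  %s" % ("source", "packets", "pkt/s", "targets")]
    for src, s in rows:
        lines.append("%-16s %8d %8.1f  %s" % (src, s["packets"], s["pps"],
                                              ",".join(sorted(s["targets"]))))
    return "\n".join(lines)


if __name__ == "__main__":
    stats = summarise(parse_capture(SAMPLE_CAPTURE))
    print(report(stats))
    print("flooding sources:", flag_floods(stats, pps_threshold=5.0))
```

On a live box the input would come from something like `tcpdump -n -i eth0 > capture.txt` read into `parse_capture`; the thresholds that count as a flood depend on the link, so the 5 packets/s used in the usage call is only sensible for the tiny sample.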



--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.