Re: [Full-Disclosure] Re: Reacting to a server compromise



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.6336.0">
<TITLE>Re: [Full-Disclosure] Re: Reacting to a server compromise</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>Ok, you can have a go at Ron, I won't begrudge you that, but if you're<BR>
going to pick on someone who is trying to actively do something to address<BR>
something that is a real problem with system administration today then<BR>
unless you are being a part of solving something else (and are willing<BR>
to come out from behind your mask of anonymity) you've got no grounds<BR>
for belittling others who do.<BR>
<BR>
In some mail from security snot, sie said:<BR>
&gt;<BR>
&gt; Tina Bird isn't much of a security expert, she's a belly dancer.&nbsp; What she<BR>
&gt; likes to do is read generated logs (ie syslog and whatnot) and pretend<BR>
&gt; that leaves sufficient information for a reliable audit trail.<BR>
<BR>
That really doesn't do justice to what she's trying to achieve and I'm not<BR>
sure that generating a reliable audit trail is the primary focus of it.<BR>
<BR>
The fundamental problem she's trying to address, at present, is the large<BR>
number of unfortunately disparate sources of log information that are<BR>
present in just as many formats.&nbsp; This is a real problem and it needs to<BR>
be addressed sooner, rather than later, primarily for the benefit of<BR>
systems administrators so they can get a clear understanding of what all<BR>
their systems are doing and in a concise manner rather than spending<BR>
time manually collecting information or piecing together scripts to try<BR>
and massage all the input correctly.<BR>
<BR>
I don't think I've ever seen her portray herself as a security expert,<BR>
however, the topic of logging information collection, analysis and<BR>
management (which is what she is concerned about) does assist in<BR>
security matters when it comes to a post-mortem analysis of a system.<BR>
<BR>
Under the right circumstances, generated logs can generate information<BR>
that can be considered reliable and be used as part of an audit trail<BR>
but it's more involved than &quot;see, this is my log.&quot;&nbsp; If you (or anyone<BR>
else) wants to know more, go get some lessons from a 'big 5' auditing<BR>
company or similar.<BR>
<BR>
Maybe you should give your modem to your mommy, go back to your room<BR>
and ask your mommy to let you out when you can show the world you've<BR>
got more to offer than just petty insults.<BR>
<BR>
Darren<BR>
_______________________________________________<BR>
Full-Disclosure - We believe in it.<BR>
Charter: <A HREF="http://lists.netsys.com/full-disclosure-charter.html">http://lists.netsys.com/full-disclosure-charter.html</A><BR>
<BR>
</FONT>
</P>

</BODY>
</HTML>