Don’t ask for my opinion if you aren’t prepared to hear it.
Last weekend I wrote a post in response to one of Richard Bejtlich’s posts on his blog, in which he actively requested input and anticipated getting disagreeable opinions. I have just such an opinion and expressed it both on my blog and his.
Unfortunately the whole ordeal has gotten quite confused and it’s started to turn into a tit for tat about who misunderstood whom. My point was and still is that if you’re going to explain something with an example, it matters tremendously that you use a relevant example if you want to clearly state your point. When you go to an auto racing driving school, the instructors don’t put you in a Pinto and say ‘while you’re trying to learn the process of driving a fast car, you also have to imagine yourself driving a fast car.’
When you go to firearm classes to learn to shoot a real firearm, they don’t hand you a pop gun and say ‘this is what it’s like to fire a real weapon, you just have to imagine it’s a real gun.’
And when you have a blog and you request others’ opinions, you shouldn’t get bent out of shape when someone’s opinion doesn’t align with yours.
For the record and for both of my regular readers (lol) who might be following comments on Richard’s blog as well, I want to make it clear that:
- I have always been a huge proponent of logging and monitoring. I even stated as such in my counter post to Richard. He just failed to read that part.
- The lion’s share of your energy and focus should be on prevention and mitigation. I understand that you can’t prevent everything. I understand that things get through the defenses. For those cases, logging sheds needful light on the subject. And by all means, use NSM to analyze that data; as I said originally, NSM is successful and thorough. Did he even read my post?!

I agree this is going nowhere because you don’t seem to understand the problems with posting data that you would like to see. Do you think I am going to post an example showing a real compromise? Do you think that has ever happened to systems for which I am free to release data? Maybe if I were monitoring a purely research-oriented honeynet I could show an example you would prefer. I asked for commentary and I’m glad to receive it, but I’m not going to validate criticism that requires me to expose sensitive data in a public forum.
By Richard Bejtlich on 01.29.07 11:26 am
On your blog, in a comment I stated the following:
(emphasis added after the fact)
I’m not arguing for real-world data, just a better example, period.
There are several ways you can provide an example that don’t require you to reveal sensitive data. Hell, you could have just used the data from Schmoocon 2006.
By Michael on 01.29.07 12:10 pm
I don’t understand why you wouldn’t post a real compromise. Most of the compromises that are being actively used for botting computers nowadays are old (6 months to 2 years). Posting that compromise or one like it will not harm the current atmosphere of the internet; it might even show people that old compromises and exploits still work.
By Luke on 01.29.07 12:36 pm
Honestly, I don’t think using a different example would have mattered. I have an old capture on my demo server (not even sure where I got it) where the user exploits dtspcd and opens a shell on port 1524 (ingreslock). The user downloads a nice rootkit and has a good time owning the system. Would that have made a difference in your response? Or would you still have responded making a point that you would never have let external systems have access to port 6112 or 1524 through the firewall?
What if I showed data where user X opened a malicious attachment that installed a trojan that connected to some IRC server on port 55511 and then started scanning for the latest Symantec AV vulnerability? I expect you can show me plenty of ways that it could have been prevented too.
What I am trying to get at here is that while you think the example Rich gave was a poor one, it doesn’t really matter. Any example that one gives, we all could come up with a million ways to prevent it. That wasn’t the issue Rich was trying to address. The point is prevention isn’t 100%. One can only try to resist. NSM is a process you implement so you can react when resisting fails.
Now that I reread all of this, I can’t even really figure out what the difference of opinion is (or should be). Is it you think that less time and effort should be spent monitoring?
By Bamm Visscher on 01.29.07 4:48 pm
I’d rather pour gasoline in my eyes than explain everything again.
You guys keep on keepin’ on with NSM. It works. If only it could be explained better, everyone else might catch on.
By Michael on 01.30.07 7:55 am