Re: BlackWorm infected IP's reporting
Hi,
On Wed, 2006-01-25 at 03:20 -0500, Martin Hannigan wrote:
Hi.
In the next day or so some of us will cooperate to bring to the attention of all effected AS's information about infected users in their net-space.
That would be "affected".
This will be coordinated with several groups and organizations. Please expect these emails, thanks.
In other words, NANOG is a step child of these and we'll only see the PR? If you're going to keep the mitigations off of NANOG, it's probably safe to keep it all off. We all read newspapers, blogs, and slashdot.
Sorry, but I couldn't understand your problem. I think it's just useful information, which AS is infected by a critical worm. Also, I relay this information to people who think this information is useful, too.
Ok, perhaps there are people to advertise themselves, but why not? When they invest time in this work, why aren't they allowed to get some kind of approval?
Nah, we already know who those people are. It's more like if you keep predicting a blizzard and I wake up and there was a misting of rain, I keep getting less and less interested in the predictions. It costs real money to get these dances going and unless you're going to give us all the information, please don't bother. The snort SIDS were nice, but as far as I am concerned, IL-CERT is not a trusted source. The third story about this horrible worm: http://www.commentwire.com/article_news.asp?guid=20856A5C-3952-4F2C-913A-1E9... If I don't see SANS running around with their capes off, I don't really pay too much attention. The last one wasn't a big hit like they thought, but they do good work. I "trust" them more than I trust IL-CERT telling North Americans to drop our hotdogs, turn off our football, and get ready for "worms". I'd hope to see US-CERT continue making progress and telling North Americans when to worry. The work everyone is doing is fantastic, but it's pretty clear trust is being ignored and while we're on the subject proper delivery of files with checksums etc. It ain't happening anymore. -M<
Serious answers: (much like your 'serious questions'):
If I don't see SANS running around with their capes off, I don't
http://isc.sans.org/blackworm Further, our reports lead to SANS ISC temporary URLs for each AS.
really pay too much attention. The last one wasn't a big hit like they thought, but they do good work. I "trust" them more than I trust IL-CERT telling North Americans to drop our hotdogs, turn
I don't work for IL-CERT (which is actually the GOV cert, not IL-CERT), except in an advisory capacity volunteer-base now. I.e., I am a civilian now.
off our football, and get ready for "worms". I'd hope to see US-CERT continue making progress and telling North Americans when to worry.
US-CERT is kept in the loop every step of the way, as is the FBI, Secret Service and a lot of others who contribute from their time and effort. We can all criticize others, it's easy. How about you start pulling your own weight instead of causing havoc non-stop? Is this some sort of VeriSign plot or did you come up with it all on your own?
The work everyone is doing is fantastic, but it's pretty clear trust is being ignored
I am not one to keep my mouth shut. I am also not one to answer idi.. err, donkeys. Still, I kept quiet about you for a long time, as ignoring trolls is usually the best way of handling them. I am often "emotional", straight-forward and tactless, i.e. == rude for some people, which is why I try and speak differently to non-Israelis. Unlike you, I don't impede progress or pick personal fights as a regular day-to-day sport. As the mods say nothing to you for a long time now, I suppose your kind of behavior is fair game. So... Are you going to stop being a troll about everything "IL-CERT" does, I do or anyone else except for you does? What is it you do again? Anything what-so-ever? Or is it just: pick up on someone and act the a**-h*le so that you can gain respect in the quick and dirty route, because some tech is in there and you act like someone who is authoritative in writing? Use flame techniques such as quote only portions of the text, reply to something a tad bit different than what was written or ignore some of what the other guy said? Anything else? Last time that resulted in harming a big operational forum with one of the mods quitting (who also just HAPPENED to be an Israeli). You should be ashamed. Luckily it usually ends with only flame wars. You use your own name rather than VeriSign's in everything yet are not afraid to speak openly for VeriSign when it suits you. What is it you do on nanog? I've had enough. I knew it was a mistake to quit ignoring you and it probably is a mistake to reply to you, but your personal attacks can't go on, even under the mask of "concern". Have the GUTS to come out and say what you want, or is it just flaming? Some of us work day and night on local operational issues, others work day and night on the survivability of the Internet itself. And you? Google the wikipedia entry for "STFU". Gadi.
Serious answers: (much like your 'serious questions'):
If I don't see SANS running around with their capes off, I don't
http://isc.sans.org/blackworm Further, our reports lead to SANS ISC temporary URLs for each AS.
The last time SANS felt something was so serious they needed all of NANOG to dance, they came out and said so. That's their handlers diary. I read it. A lot of people read it. It's well balanced and usually on target. Just like that. It's not alarmist. It seems fairly certain that as long as Symantec et al. do their thing, we will be able to watch the superbowl in peace.
I don't work for IL-CERT (which is actually the GOV cert, not IL-CERT), except in an advisory capacity volunteer-base now. I.e., I am a civilian now.
Congratulations.
off our football, and get ready for "worms". I'd hope to see US-CERT continue making progress and telling North Americans when to worry.
US-CERT is kept in the loop every step of the way, as is the FBI, Secret Service and a lot of others who contribute from their time and effort. We can all criticize others, it's easy. How about you start pulling your own weight instead of causing havoc non-stop?
I'm glad to hear that, as many times as you state it. Thank you. Trust isn't havoc. Your loose cannon response is an excellent reason why we should be skeptical. My point was around trust and who we should and shouldn't. There are a lot of characters out there doing things that are helpful, but that doesn't mean we should trust them. I don't think that North American Network operators should trust you and my reason why is that I had at one point asked you to disclose how you were collecting information you wanted me to rely on and you refused. My distrust is not personal. There are now other reasons that I'd prefer to not have to disclose here as it does nothing to further the conversation. As far as my contribution goes, I'm making it. I read, observe, discuss, and comment. I'm sorry if you feel particularly targeted or flamed. It is not intentional. What would you like me to do to make it better for you? A good example of the interaction I describe is when you were first posting the bot reports and there was discussion. They changed and they were quite ok and I believe I commented to the same. Perhaps my typing style is irritating? I apologize. As far as general security goes, I do not trust DA, NSP-SEC, or many others as the final authoritative source on anything. There are some people I trust more than others, Thomas, Bellovin, Bush, etc., and then there are the people I can't trust i.e. the IRC'ers, etc.
Is this some sort of VeriSign plot or did you come up with it all on your own?
I think I'll watch "White Noise" on the DVD now. Admins: Clearly, a personal attack and I'd like the AUP enforced please. -M<
Martin Hannigan wrote:
Admins: Clearly, a personal attack and I'd like the AUP enforced please.
Clearly, exactly what you've been trying to get me to do for a long time, to get me off NANOG, well... I finally decided to comply. Admins: I will answer any call to leave.. Also, I'd like for Martin to see this AUP enforced on his continual attacks on me and many others on-list, regardless of my reply to him. Thanks.
On Wed, 25 Jan 2006, Gadi Evron wrote:
Martin Hannigan wrote:
Admins: Clearly, a personal attack and I'd like the AUP enforced please.
Clearly, exactly what you've been trying to get me to do for a long time, to get me off NANOG, well... I finally decided to comply.
Admins: I will answer any call to leave.. Also, I'd like for Martin to see this AUP enforced on his continual attacks on me and many others on-list, regardless of my reply to him.
I personally do not want to see either Gadi or Martin leave - both have been good contributors on this list and this grudge they got against each other should be settled offline with both of them self-enforcing and not replying to the other one again on the list (so as to not provoke again). -- William Leibzon Elan Networks william@elan.net
On 25-Jan-2006, at 16:12, william(at)elan.net wrote:
On Wed, 25 Jan 2006, Gadi Evron wrote:
Martin Hannigan wrote:
Admins: Clearly, a personal attack and I'd like the AUP enforced please.
Clearly, exactly what you've been trying to get me to do for a long time, to get me off NANOG, well... I finally decided to comply.
Admins: I will answer any call to leave.. Also, I'd like for Martin to see this AUP enforced on his continual attacks on me and many others on-list, regardless of my reply to him.
I personally do not want to see either Gadi or Martin leave - both have been good contributors on this list and this grudge they got against each other should be settled offline with both of them self-enforcing and not replying to the other one again on the list (so as to not provoke again).
The NANOG list administrators can be reached at nanog-admin@nanog.org. That is almost certainly a better place to send comments related to the AUP than this list. (I would have kept this comment to private mail except that it seems possible that a public discussion about the merits of particular subscribers is about to unfold here, which would be a shame.) Joe
On Wed, 25 Jan 2006, Joe Abley wrote:
The NANOG list administrators can be reached at nanog-admin@nanog.org. That is almost certainly a better place to send comments related to the AUP than this list.
(I would have kept this comment to private mail except that it seems possible that a public discussion about the merits of particular subscribers is about to unfold here, which would be a shame.)
Agreed. All: *PLEASE* let this thread die. Allowing it to continue serves no constructive purpose whatsoever. jms
Martin is the 21st century version of Jim Fleming and Jeff Williams. He entertains us with his hyperbole.
i don't know if i'd go THAT far. none of those (fleming, williams, hannigan) entertains me with their nanog posts. (and neither does gadi.) with usenet gone, we just don't teach our kids entertainment-level hyperbole any more. -- Paul Vixie
Martin is the 21st century version of Jim Fleming and Jeff Williams. He entertains us with his hyperbole.
i don't know if i'd go THAT far. none of those (fleming, williams, hannigan) entertains me with their nanog posts. (and neither does gadi.) with usenet gone, we just don't teach our kids entertainment-level hyperbole any more.
I'm not sure whether to take that as a compliment or an insult, but I noticed you did forget to say "My employer said" so at least it's probably not actionable by any litigious, animal crackers. And in all my years running news, I never came across fleming or williams so I wouldn't know. Someone called me and made a Denninger and an Auerbach reference. I like both Karls so I'll take that as a compliment. Regardless, it's good to be alive for another day on the Internet because that's all it is - another day on the Internet. Best, -M<
On Thu, 26 Jan 2006, Martin Hannigan wrote:
And in all my years running news, I never came across fleming or williams so I wouldn't know. Someone called me and made a Denninger and an Auerbach reference.
Whoa. What ever happened to Karl Denninger anyway? --matt@snark.net------------------------------------------<darwin>< The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
On Thu, 26 Jan 2006, Matt Ghali wrote:
On Thu, 26 Jan 2006, Martin Hannigan wrote:
And in all my years running news, I never came across fleming or williams so I wouldn't know. Someone called me and made a Denninger and an Auerbach reference.
Whoa. What ever happened to Karl Denninger anyway?
http://genesis3.blogspot.com/
Chris
--
Chris Owen, President, Hubris Communications Inc, www.hubris.net
Garden City (620) 275-1900, Wichita (316) 858-3000
Lottery (noun): A stupidity tax
On Thu, 26 Jan 2006, Chris Owen wrote:
On Thu, 26 Jan 2006, Matt Ghali wrote:
Whoa. What ever happened to Karl Denninger anyway?
Now I really wish I hadn't asked. matto --matt@snark.net------------------------------------------<darwin>< The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
Matt Ghali wrote:
On Thu, 26 Jan 2006, Martin Hannigan wrote:
And in all my years running news, I never came across fleming or williams so I wouldn't know. Someone called me and made a Denninger and an Auerbach reference.
Whoa. What ever happened to Karl Denninger anyway?
Oh wow... MCSNet. I used to work at a local competing ISP and have "fond" memories of those days. Google shows http://www.denninger.net/ .
On Wed, 25 Jan 2006, Martin Hannigan wrote:
us all the information, please don't bother. The snort SIDS were nice, but as far as I am concerned, IL-CERT is not a trusted source.
Just so people don't get confused: IL-CERT has nothing to do with what Gadi posted and I don't seem to remember that Gadi included any mention of IL-CERT in his postings. In addition, if anyone has any problems with the trustworthiness of IL-CERT (Israeli Academic CERT) as listed on FIRST: http://www.first.org/about/organization/teams/index.html then they should raise that issue with the FIRST secretariat and on the FIRST mailing lists where we can counter any claims to the otherwise. Hank Nussbacher ILAN-CERT representative IUCC
On Wed, 25 Jan 2006, Martin Hannigan wrote:
us all the information, please don't bother. The snort SIDS were nice, but as far as I am concerned, IL-CERT is not a trusted source.
Just so people don't get confused: IL-CERT has nothing to do with what Gadi posted and I don't seem to remember that Gadi included any mention of IL-CERT in his postings. In addition, if anyone has any problems with the trustworthiness of IL-CERT (Israeli Academic CERT) as listed on FIRST: http://www.first.org/about/organization/teams/index.html then they should raise that issue with the FIRST secretariat and on the FIRST mailing lists where we can counter any claims to the otherwise.
This is a professional network managers/operators list. As the manager of a Gov't CERT, you can't walk away from your comments posting from a vanity domain. This isn't a random discussion list. At least it didn't used to be. FIRST knows how to get ahold of me if they need to. I'm reachable. If any FIRST secretariat would like to discuss trust, they can also subscribe here. We're free, and open. Thanks, -M<
At 01:46 AM 26-01-06 -0500, Martin Hannigan wrote:
On Wed, 25 Jan 2006, Martin Hannigan wrote:
us all the information, please don't bother. The snort SIDS were nice, but as far as I am concerned, IL-CERT is not a trusted source.
Just so people don't get confused: IL-CERT has nothing to do with what Gadi posted and I don't seem to remember that Gadi included any mention of IL-CERT in his postings. In addition, if anyone has any problems with the trustworthiness of IL-CERT (Israeli Academic CERT) as listed on FIRST: http://www.first.org/about/organization/teams/index.html then they should raise that issue with the FIRST secretariat and on the FIRST mailing lists where we can counter any claims to the otherwise.
This is a professional network managers/operators list. As the manager of a Gov't CERT, you can't walk away from your comments posting from a vanity domain. This isn't a random discussion list. At least it didn't used to be.
You are clearly confused. I am not the manager of a Gov't CERT. I am a member of the academic CERT group. The domain I am posting from is not a vanity domain - it is the organization I represent here - iucc.ac.il (Israel Academic Computation Center). Nothing at all related to the Israeli Gov't. -Hank
participants (11)
- Chris Owen
- Gadi Evron
- Hank Nussbacher
- Joe Abley
- Justin M. Streiner
- Martin Hannigan
- Matt Ghali
- matthew zeier
- Michael.Dillon@btradianz.com
- Paul Vixie
- william(at)elan.net