Re: Quarantine your infected users spreading malware
----- Original Message Follows ----- From: Gadi Evron <ge@linuxbox.org>
Many ISP's who do care about issues such as worms, infected users "spreading the love", etc. simply do not have the man-power to handle all their infected users' population.
Some who are user/broadband ISP's (not say, tier-1 and tier-2's who would be against it: "don't be the Internet's Firewall") are blocking ports such as 139 and 445 for a long time now, successfully preventing many of their users from becoming infected. This is also an excellent first step for responding to relevant outbreaks and halting their progress.
Philosophy aside, it works. It stops infections. Period.
Back to the philosophy, there are some other solutions as well. Plus, should this even be done?
Oh geez, here we go again... Search the archives and read until you're content. It's a non-thread. This horse isn't only dead, it's not even a grease spot on the road any more. :-( scott
Scott Weeks wrote:
----- Original Message Follows ----- From: Gadi Evron <ge@linuxbox.org>
Many ISP's who do care about issues such as worms, infected users "spreading the love", etc. simply do not have the man-power to handle all their infected users' population.
Some who are user/broadband ISP's (not say, tier-1 and tier-2's who would be against it: "don't be the Internet's Firewall") are blocking ports such as 139 and 445 for a long time now, successfully preventing many of their users from becoming infected. This is also an excellent first step for responding to relevant outbreaks and halting their progress.
Philosophy aside, it works. It stops infections. Period.
Back to the philosophy, there are some other solutions as well. Plus, should this even be done?
Oh geez, here we go again... Search the archives and read until you're content. It's a non-thread. This horse isn't only dead, it's not even a grease spot on the road any more. :-(
I quite agree, which is why I tried to cover the philosophical part from both sides. Now, how about some solutions that came about since our last discussion that was nothing BUT philosophy?
And I have a solution for bad drivers; require all manufacturers to fix the steering wheel so that acknowledged "bad" drivers cannot turn the wheel to make turns, change lanes, etc. Or perhaps limit the mph to 35 max and deny them access to freeways.
ISPs should not police users, just like auto manufacturers should not police drivers. That is what driver's licenses are for.
IMHO, a user should have to demonstrate a minimum amount of expertise and have an up-to-date AV, anti-spyware and firewall solution for their PCs. Drivers are required to have licenses, registration and insurance in order to drive said vehicle, why not something similar for PCs. You would have to get the whole world to agree on that one, so it may be difficult to implement. But the US, EU, Japan, Australia should take the lead and implement something like this.
Ed Ray
ISPs hold the relevant data to contact the users. This needs a feedback loop, in that ISPs need to know which traffic leaving their networks is misbehaviour somewhere else. Between firewall logs, IDS logs, netflow headers, apache logs, whatever. It's all there. It just needs to be used.
- billn
On Mon, 20 Feb 2006, Edward W. Ray wrote:
And I have a solution for bad drivers; require all manufacturers to fix the steering wheel so that acknowledged "bad" drivers cannot turn the wheel to make turns, change lanes, etc. Or perhaps limit the mph to 35 max and deny them access to freeways.
ISPs should not police users, just like auto manufacturers should not police drivers. That is what driver's licenses are for.
IMHO, a user should have to demonstrate a minimum amount of expertise and have an up-to-date AV, anti-spyware and firewall solution for their PCs. Drivers are required to have licenses, registration and insurance in order to drive said vehicle, why not something similar for PCs. You would have to get the whole world to agree on that one, so it may be difficult to implement. But the US, EU, Japan, Australia should take the lead and implement something like this.
Ed Ray
Edward W. Ray wrote:
IMHO, a user should have to demonstrate a minimum amount of expertise and have an up-to-date AV, anti-spyware and firewall solution for their PCs.
That is why we have hundreds of millions of bots in the wild. The mostly-user ISP's will have to eventually do something or end up being either regulated, spending more and more and more on tech support and/OR abuse personnel, or written down as blackhat AS's.
Some PRODUCTS, PRO and AGAINST links from people on quarantining of infected users, thanks to all those who shared so far!
Products so far (haven't tried or verified them myself):
http://www.rommon.com/sandbox.html
http://www.forescout.com/index.php?url=products&section=counteract
Other:
Eric Gauthier's Ethernet-oriented quarantine system (from NANOG in 2003):
http://www.nanog.org/mtg-0402/gauthier.html
Other choice papers from Jose's blog:
http://www.iab.org/documents/docs/2003-10-18-edge-filters.html
http://www.csl.sri.com/users/linda/bibs/publications/mmsm2005.pdf
http://www.csl.sri.com/papers/sri-csl-2005-03/
http://www.cs.wfu.edu/~fulp/Papers/iiaw05t.pdf
http://www.icir.org/vern/worm04/porras.pdf
http://www.icir.org/vern/worm04/xiong.pdf
http://www.cs.rpi.edu/research/pdf/05-01.pdf
Gadi.
Edward W. Ray wrote:
IMHO, a user should have to demonstrate a minimum amount of expertise and have an up-to-date AV, anti-spyware and firewall solution for their PCs.
The mostly-user ISP's will have to eventually do something or end up being either regulated, spending more and more and more on tech support and/OR abuse personnel, or written down as blackhat AS's.
Gadi.
if i may
<feedtroll>
to borrow a bit more from the "licensed to net" analogy... are vendors being let off scot-free and leaving the burden of responsibility to the consumer? ISPs are the roads (likely toll) and they should not be forced to create barriers, speed bumps, and control methods for poor drivers who are sold crap for vehicles.
what is the mean-time-to-infection for a stock windows XP system when plugged into the net?... 2-5 minutes? you can't get patches down that fast.
i'm beginning to think that botnet like structures are in fact the wave of the future. ... and instead of trying to eradicate them, we should be looking at ways to use botnet like structures for adding value to an increasingly more connected mesh of devices. ...
of course YMMV - but i'm not persuaded that botnet.hivemind constructs are -NOT- inherently evil... they can be turned that way, but if there is a value to such things, we ought to be able to use them for our own purposes.
</feedtroll>
--bill (who really has better things to do, but slugs are still in bed...)
Hey, Bill.
] what is the mean-time-to-infection for a stock windows XP system
] when plugged into the net?... 2-5 minutes? you can't get patches
] down that fast.
The same case can be made for Linux and Unix-based web servers with vulnerable PHP-based tools. There's also a large number of poorly configured devices such as routers with easily guessed passwords, overly permissive DNS name servers, etc.
It's not simply a Windows problem.
Thanks, Rob.
-- Rob Thomas Team Cymru http://www.cymru.com/ ASSERT(coffee != empty);
On Mon, 20 Feb 2006, Rob Thomas wrote:
Hey, Bill.
] what is the mean-time-to-infection for a stock windows XP system
] when plugged into the net?... 2-5 minutes? you can't get patches
] down that fast.
The same case can be made for Linux and Unix-based web servers with vulnerable PHP-based tools. There's also a large number of poorly configured devices such as routers with easily guessed passwords, overly permissive DNS name servers, etc.
It's not simply a Windows problem.
it's also not just a 'i got infected over the net' problem... where is that sean when you need his nifty stats :) Something about no matter what you filter grandpa-jones will find a way to click on the nekkid jiffs of Anna Kournikova again :( anyway, someone mentioned the rafts of posts in the archives, it'd be nice if this was all just referred there :(
Christopher L. Morrow wrote:
it's also not just a 'i got infected over the net' problem... where is that sean when you need his nifty stats :) Something about no matter what you filter grandpa-jones will find a way to click on the nekkid jiffs of Anna Kournikova again :(
anyway, someone mentioned the rafts of posts in the archives, it'd be nice if this was all just referred there :(
I quite agree, unless other solutions can be presented, and indeed, 2 new ones have so far. The philosophical discussion aside (latest one can be found under "zotob port 445 nanog" on Google), presenting some new technologies that shows this *can* be done changes the picture. I believe it was actually Randy Bush's idea in that last thread, to use such software. Gadi.
On Tue, 21 Feb 2006 04:15:25 +0200, Gadi Evron said:
The philosophical discussion aside (latest one can be found under "zotob port 445 nanog" on Google), presenting some new technologies that shows this *can* be done changes the picture.
OK. The tech exists, or can be made to exist. The unanswered question is still "How do you get a disinterested ISP to be interested in it?" The horse has been led. Now make him drink the kook-aid.
On Tue 21 Feb 2006 (04:15 +0200), Gadi Evron wrote:
Christopher L. Morrow wrote:
it's also not just a 'i got infected over the net' problem... where is that sean when you need his nifty stats :) Something about no matter what you filter grandpa-jones will find a way to click on the nekkid jiffs of Anna Kournikova again :(
anyway, someone mentioned the rafts of posts in the archives, it'd be nice if this was all just referred there :(
I quite agree, unless other solutions can be presented, and indeed, 2 new ones have so far.
The philosophical discussion aside (latest one can be found under "zotob port 445 nanog" on Google), presenting some new technologies that shows this *can* be done changes the picture.
http://www.quarantainenet.nl/ It works, we use it. It cuts down on support calls, customers generally react well to it and, at least when using Juniper core routers, it's not too intrusive in the network and will scale to pretty large networks of users. -- Jim Segrave jes@nl.demon.net
At 12:26 PM +0100 2/21/06, Jim Segrave wrote:
The philosophical discussion aside (latest one can be found under "zotob port 445 nanog" on Google), presenting some new technologies that shows this *can* be done changes the picture.
From the web site: "Only a selected set of web sites will remain available, for example Microsoft update and the websites of several anti-virus software companies. The quarantine server tells users what is going on and how this problem can be resolved."
One hopes that the Apple web site and online credit form is included in the list... ;-) /John
At 7:45 AM -0500 2/21/06, John Curran wrote:
From the web site: "Only a selected set of web sites will remain available, for example Microsoft update and the websites of several anti-virus software companies. The quarantine server tells users what is going on and how this problem can be resolved."
One hopes that the Apple web site and online credit form is included in the list... ;-)
Alright, in fairness to MSFT, a pointer to Vista/Longhorn (once available) and instructions to only enter your Admin password during bona fide sw installations would also go a long way towards preventing recurrence... :-) /John
On Tue 21 Feb 2006 (08:45 -0500), John Curran wrote:
At 7:45 AM -0500 2/21/06, John Curran wrote:
From the web site: "Only a selected set of web sites will remain available, for example Microsoft update and the websites of several anti-virus software companies. The quarantine server tells users what is going on and how this problem can be resolved."
One hopes that the Apple web site and online credit form is included in the list... ;-)
Alright, in fairness to MSFT, a pointer to Vista/Longhorn (once available) and instructions to only enter your Admin password during bona fide sw installations would also go a long way towards preventing recurrence... :-)
We have added multiple sites, including on-line banking sites which are appropriate to the Netherlands to the list of reachable sites (we also use this to encourage paying your bills as well as getting people to fix their machines)
-- Jim Segrave jes@nl.demon.net
On Tue, 21 Feb 2006, Christopher L. Morrow wrote:
it's also not just a 'i got infected over the net' problem... where is that sean when you need his nifty stats :) Something about no matter what you filter grandpa-jones will find a way to click on the nekkid jiffs of Anna Kournikova again :(
Give me (or CAIDA) permission to peek inside your networks and I'm sure there are lots of nifty stats we could anonymize :)
The big mystery for me has always been the computers that are infected BEFORE they are connected to the network for the first time (according to their owners). It's never repeatable, and never provable, but the computer owner swears it happened. In any case, the home computer is owned by the home user, not the ISP or an employer or a media company. If you make something attractive enough to the user, he will find a way to get it on his computer no matter how many roadblocks you try to put in the way.
An ISP blocking one virus or worm doesn't change the end result. Time after time I've watched, the computers eventually get infected anyway. Although it may appear to take longer or your NIDS may not pick up the final signature. Look at Adlex, Motive, Arbor, ISS, Microsoft and other vendors for ideas I've used over several years and they are now selling.
On the other hand, the number of infected computers never seems to spiral out of control. I've been wondering, instead of trying to figure out why some computers get infected, should we be trying to figure out why most computers don't become infected?
Sean Donelan wrote:
On Tue, 21 Feb 2006, Christopher L. Morrow wrote:
it's also not just a 'i got infected over the net' problem... where is that sean when you need his nifty stats :) Something about no matter what you filter grandpa-jones will find a way to click on the nekkid jiffs of Anna Kournikova again :(
Give me (or CAIDA) permission to peek inside your networks and I'm sure there are lots of nifty stats we could anonymize :)
The big mystery for me has always been the computers that are infected BEFORE they are connected to the network for the first time (according to their owners). It's never repeatable, and never provable, but the computer owner swears it happened. In any case, the home computer is owned by the home user, not the ISP or an employer or a media company. If you make something attractive enough to the user, he will find a way to get it on his computer no matter how many roadblocks you try to put in the way.
An ISP blocking one virus or worm doesn't change the end result. Time after time I've watched, the computers eventually get infected anyway. Although it may appear to take longer or your NIDS may not pick up the final signature. Look at Adlex, Motive, Arbor, ISS, Microsoft and other vendors for ideas I've used over several years and they are now selling.
On the other hand, the number of infected computers never seems to spiral out of control. I've been wondering, instead of trying to figure out why some computers get infected, should we be trying to figure out why most computers don't become infected?
Comment only on last paragraph: Many *home* computers do, quite a few *corporate* do as well, in my experience. Even if they didn't the numbers we face are significant enough. -- http://blogs.securiteam.com/ "Out of the box is where I live". -- Cara "Starbuck" Thrace, Battlestar Galactica.
On Mon, 20 Feb 2006 23:54:38 EST, Sean Donelan said:
On the other hand, the number of infected computers never seems to spiral out of control. I've been wondering, instead of trying to figure out why some computers get infected, should we be trying to figure out why most computers don't become infected?
I've seen more than one estimate that most computers *are* infected by at least one piece of malware/spyware/etc, (including numbers as high as 90%) and if the site that was tracking 1M new zombies/day is to be believed, they *are* spiraling out of control. And when a significant fraction of all new computers are bought as a virus/worm control method, things *are* out of control: http://www.nytimes.com/2005/07/17/technology/17spy.html?ei=5090&en=5b2b6783f66a7422&ex=1279252800&adxnnl=1&partner=rssuserland&emc=rss&adxnnlx=1121859260-edx1SJD7lWy7D6PMipItjw I suspect that in fact, a *lot* of computers have crud on them, but people's expectations have dropped - as long as the virus doesn't actually kill the host, it's tolerated. If Aunt Matilda is avoiding all this stuff, the most likely reason that Aunt Matilda doesn't get more crudware on her system is because she wouldn't be caught dead visiting non-reputable websites that you're likely to get caught in a drive-by fruiting - and none of her friends would either, so she never gets her e-mail address scraped and used as a target... But we already knew that, and there's no good way to leverage it when everybody who *isn't* an Aunt Matilda *does* visit those kind of sites, or knows people who do...
On Tuesday 21 Feb 2006 06:41, you wrote:
I've seen more than one estimate that most computers *are* infected by at least one piece of malware/spyware/etc, (including numbers as high as 90%)
I've seen 95% quoted - certainly my experience if you go looking for malware in recent Windows desktop machines using IE and Outlook it is pretty much a certainty you'll find it. Most of these tools I was using didn't detect the Sony Rootkit, or other malware, so this will always be an underestimate of the true extent of the problem, unless one uses fingerprinting and packet inspection as the tools of choice for malware detection. This is very much a Windows only problem, it doesn't affect desktop users of other systems at all, possibly in part because they lack critical mass, but also because they have more sensible security models. Largely it is an Outlook and IE problem.
Simon Waters wrote:
I've seen 95% quoted - certainly my experience if you go looking for malware in recent Windows desktop machines using IE and Outlook it is pretty much a certainty you'll find it. Most of these tools I was using didn't detect the Sony Rootkit, or other malware, so this will always be an underestimate of the true extent of the problem, unless one uses fingerprinting and packet inspection as the tools of choice for malware detection.
This is very much a Windows only problem, it doesn't affect desktop users of other systems at all, possibly in part because they lack critical mass, but also because they have more sensible security models. Largely it is an Outlook and IE problem.
Hi Simon, this is indeed a Windows problem due to Microsoft being a mono-culture in our desktop world. Still, there are botnets constructed from other OS's as well. Also, C&C servers are mostly *nix machines. Gadi. -- http://blogs.securiteam.com/ "Out of the box is where I live". -- Cara "Starbuck" Thrace, Battlestar Galactica.
On Tue, 21 Feb 2006, Gadi Evron wrote:
Hi Simon, this is indeed a Windows problem due to Microsoft being a mono-culture in our desktop world. Still, there are botnets constructed from other OS's as well. Also, C&C servers are mostly *nix machines.
Does 'mostly *nix' hold true of the fast-flux or throwaway technique recently mentioned? Regards, Jess.
Jess Kitchen wrote:
On Tue, 21 Feb 2006, Gadi Evron wrote:
Hi Simon, this is indeed a Windows problem due to Microsoft being a mono-culture in our desktop world. Still, there are botnets constructed from other OS's as well. Also, C&C servers are mostly *nix machines.
Does 'mostly *nix' hold true of the fast-flux or throwaway technique recently mentioned?
That is a very interesting question, and I will have an answer for you, I hope, soon. Gadi.
On Mon, Feb 20, 2006 at 07:49:04PM -0600, Rob Thomas wrote:
Hey, Bill.
] what is the mean-time-to-infection for a stock windows XP system
] when plugged into the net?... 2-5 minutes? you can't get patches
] down that fast.
The same case can be made for Linux and Unix-based web servers with vulnerable PHP-based tools. There's also a large number of poorly configured devices such as routers with easily guessed passwords, overly permissive DNS name servers, etc.
It's not simply a Windows problem.
Thanks, Rob.
true enough. but "auntie jane" doesn't have linux/unix web server(s) or router(s) (other than the one provided by her ISP and managed by them) and has zero clue about overly permissive <service> machines.
me thinks it is a -much- larger pool that gets taken advantage of with a much higher threshold of ignorance about problems.
--bill
] true enough. but "auntie jane" doesn't have linux/unix web server(s) ] or router(s) (other than the one provided by her ISP and managed by them) ] and has zero clue about overly permissive <service> machines. Agreed. Instead all of her financial records are on those unix web/database servers, or transit through those routers, etc. There's a reason why such devices are popular with the criminals. :( -- Rob Thomas Team Cymru http://www.cymru.com/ ASSERT(coffee != empty);
On Tue, Feb 21, 2006 at 12:04:17AM -0600, Rob Thomas wrote:
] true enough. but "auntie jane" doesn't have linux/unix web server(s) ] or router(s) (other than the one provided by her ISP and managed by them) ] and has zero clue about overly permissive <service> machines.
Agreed. Instead all of her financial records are on those unix web/database servers, or transit through those routers, etc. There's a reason why such devices are popular with the criminals. :(
what's the objective? ID theft, fiscal mayhem - go for the infrastructure stuff (like you say). lowest visible impact for very high fiscal return. destabilize the trust model, perceptions of availability? large zombie packs might be your best bet. (we're not in it for the money, we want social change!)
-- Rob Thomas Team Cymru http://www.cymru.com/ ASSERT(coffee != empty);
Hey, Bill. The vast majority of what I see is based on financial gain. Popping a web+database server, installing a rootkit, and transferring off the day's business transactions is a lot more certain than popping 10K Windows boxes and hoping the users go shopping. Yep, seen it more than once. Check your PHP-based tools, folks. According to the criminals, Internet-wide mayhem would really get in the way of the revenue stream. They need a stable Internet to get the cash. Cleaning out bank accounts is more lucrative than one might suspect. The current record observed by us is approximately US $3M in one take. Most of them are much smaller. That bothers me more, actually. What person with only US $800 to their name has a hope of rapid response to the loss of all their cash? Just to be clear I agree that home users using Windows are at risk for all sorts of nasty things, and they need help. I also didn't want folks to believe that it is a problem related to one OS or demographic. It's a problem of crime, mostly. Thanks, Rob. -- Rob Thomas Team Cymru http://www.cymru.com/ ASSERT(coffee != empty);
bmanning@vacation.karoshi.com wrote:
On Mon, Feb 20, 2006 at 07:49:04PM -0600, Rob Thomas wrote:
Hey, Bill.
] what is the mean-time-to-infection for a stock windows XP system
] when plugged into the net?... 2-5 minutes? you can't get patches
] down that fast.
The same case can be made for Linux and Unix-based web servers with vulnerable PHP-based tools. There's also a large number of poorly configured devices such as routers with easily guessed passwords, overly permissive DNS name servers, etc.
It's not simply a Windows problem.
Thanks, Rob.
true enough. but "auntie jane" doesn't have linux/unix web server(s) or router(s) (other than the one provided by her ISP and managed by them) and has zero clue about overly permissive <service> machines.
me thinks it is a -much- larger pool that gets taken advantage of with a much higher threshold of ignorance about problems.
--bill
You described it best, and home users are indeed the problem discussed. However, the amount of insecure routers out there is scary by itself. Rob has a lot more data on that than me and I don't doubt what he said. -- http://blogs.securiteam.com/ "Out of the box is where I live". -- Cara "Starbuck" Thrace, Battlestar Galactica.
bmanning@vacation.karoshi.com wrote: Hey Bill,
i'm beginning to think that botnet like structures are in fact the wave of the future. ... and instead of trying to eradicate them, we should be looking at ways to use botnet like structures for adding value to an increasingly more connected mesh of devices. ...
I quite agree, you are more than right. Botnets have proven themselves as a very powerful "construct", if that is how we are to call them. You are more than right.
And indeed, bots were not originally bad entities on the Internet, numbering in the hundreds of millions, DDoSing, spamming, stealing Aunty Jane's credit card and your identity. No, they are very useful for numerous reasons, just very few of which are IRC channel operating related. Combine them with a distributed environment, and you get very powerful computing engines to do quite a bit of tasks. Point them at a problem, and they will address it as one. Create Akamai, and you will even get some redundancy.
I am not saying SETI@Home or Akamai are botnets, but these are some good uses for similar technology, at least in concept. :)
The distinction should be made when one speaks of botnets as we know them today, for good. As breaking into a machine in order to fix it, as an example, is in no way different than breaking into it in order to spy on it, use it or destroy it. You may eventually cause these anyway, as:
- You don't know how a machine will respond.
- You don't know who else may (ab)use your system.
- You can't know if you won't get sued.
- Etc.
This is an on-going ethical and legal debate in botnet fighting circles. If we see a 1 million hosts botnet just waiting to attack, and we can use the back-door to upload an executable and remove the bot, is that OK? Aside to it being illegal, you possibly causing the remote machine to crash, triggering some IDS/entering into a log/getting sued/whatever, you will most likely discover that machine coming back infected yet again, or already a member of 30 other botnets with other malware.
We should also remember that when talking of botnets for practical uses, they should probably be addressed as a 'concept' rather than structure. Today's structure looks mostly like a terrorism cell as David Dagon likes to mention, but the structure may vary considerably.
Today's IRC based C&C's may be the most prevalent and most useful STILL, but in no way constitute the only way C&C's are run and botnets are constructed. :)
of course YMMV - but i'm not persuaded that botnet.hivemind constructs are -NOT- inherently evil... they can be turned that way, but if there is a value to such things, we ought to be able to use them for our own purposes.
borrowing from you with another analogy...
<feedtroll>
So is spam. Spam proved itself to be the most efficient way of selling and advertising ever invented. One could say legalizing and regulating it will bring in incredible amount of good taxes for the different governments, as well as then concentrating only on those who break the law, such as by using botnets, sending kiddie porn, phishing, etc.
</feedtroll>
Gadi.
-- http://blogs.securiteam.com/ "Out of the box is where I live". -- Cara "Starbuck" Thrace, Battlestar Galactica.
On 2/20/06, Edward W. Ray <spamjail@mmicman.com> wrote:
ISPs should not police users, just like auto manufacturers should not police drivers. That is what driver's licenses are for.
So the state polices the drivers.. Should the state police the internet as well? And how would that be implemented? The ISP will take the brunt of the operational interference anyways as the "police" have no other way of stopping those drivers. And when Joe Drivers gets busted and banned, he'll make up a new identity to use at ISP B.
I tend to agree with Gadi that we, the ISPs, need to do at least some blocking. I don't see it happening anytime soon though. There's still way too many ops out there who take something like this as a challenge to their ability to operate a network when in fact, it's the users who are the problem.
I'd rather open up everything and allow a user 100% unfiltered access, but most users don't know what to do with that and don't take proper precautions. So, for residential users I think that a reasonable filter should be applied. Block stuff like Netbios. Implement spoofing filters. Do whatever you can to "protect" the users without impacting their ability to use the internet. For commercial users, offer simple protection, or make sure they know that they will be held responsible for virus activity sourcing from them. Shut down those ports if they become active.
I also like the idea of putting infected users in a quarantine. Alert them via an automated process. Give them access to updates, but prevent them from infecting others. I think this is a more than reasonable expectation from end-users. In fact, I'd be more inclined to use an ISP that has safe-guards like this in place.
It might even be worth it to put together a best practices guide that lays out the "minimum" requirements for something like this. (It may even exist.. If so, I'd be interested in reading it if someone would be kind enough to provide a link)
Ed Ray
Go Go Gadget Flame-Retardant Suit!
-- Jason 'XenoPhage' Frisvold XenoPhage0@gmail.com
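An added example, not part of any poster's message: one way an ISP could wire up the feedback loop Bill Nash describes (flow data mapped back to customers) to feed the automated quarantine and spoofing filters Jason Frisvold suggests. The CSV layout, the customer prefix, the fan-out threshold and all function names are assumptions made for this sketch; ports 139 and 445 are the ones named in the thread.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of egress flow records. The CSV layout is made up for
# this example; every address comes from a documentation range.
SAMPLE_FLOWS = """\
time,src,dst,dport
2006-02-21T10:00:01,192.0.2.10,198.51.100.1,445
2006-02-21T10:00:01,192.0.2.10,198.51.100.2,445
2006-02-21T10:00:02,192.0.2.10,198.51.100.3,445
2006-02-21T10:00:02,192.0.2.10,198.51.100.4,445
2006-02-21T10:00:03,192.0.2.10,198.51.100.5,445
2006-02-21T10:00:04,192.0.2.20,198.51.100.9,445
2006-02-21T10:00:05,192.0.2.20,198.51.100.9,445
2006-02-21T10:00:06,192.0.2.20,198.51.100.80,80
2006-02-21T10:00:07,192.0.2.30,198.51.100.11,139
2006-02-21T10:00:07,192.0.2.30,198.51.100.12,139
2006-02-21T10:00:08,192.0.2.30,198.51.100.13,445
2006-02-21T10:00:08,192.0.2.30,198.51.100.14,445
2006-02-21T10:00:09,203.0.113.77,198.51.100.1,445
2006-02-21T10:00:10,192.0.2.40,192.0.2.41,445
truncated-record
"""

# Assumptions: a single customer prefix, the two ports named in the thread,
# and an arbitrary threshold of distinct external hosts contacted.
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24")]
WATCHED_PORTS = {139, 445}
MIN_DISTINCT_DSTS = 4


def is_customer(addr):
    """True if addr lies inside one of the ISP's customer prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CUSTOMER_NETS)


def analyse_flows(flow_csv, ports=WATCHED_PORTS, threshold=MIN_DISTINCT_DSTS):
    """Return (quarantine_candidates, non_customer_sources).

    quarantine_candidates: customer addresses that contacted at least
    `threshold` distinct external hosts on the watched ports.
    non_customer_sources: source addresses seen leaving the network that do
    not belong to any customer prefix (what a spoofing filter would drop).
    """
    fanout = defaultdict(set)   # customer source -> external hosts contacted
    foreign = set()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src, dst = row["src"], row["dst"]
            dport = int(row["dport"])
            src_is_customer = is_customer(src)
            dst_is_customer = is_customer(dst)
        except (KeyError, TypeError, ValueError):
            continue  # skip truncated or malformed records
        if not src_is_customer:
            foreign.add(src)
            continue
        # Only traffic leaving the customer network counts towards fan-out.
        if dport in ports and not dst_is_customer:
            fanout[src].add(dst)
    candidates = [s for s, dsts in fanout.items() if len(dsts) >= threshold]
    return (sorted(candidates, key=ipaddress.ip_address),
            sorted(foreign, key=ipaddress.ip_address))


if __name__ == "__main__":
    quarantine, spoofed = analyse_flows(SAMPLE_FLOWS)
    print("quarantine candidates:", quarantine)
    print("non-customer sources leaving the network:", spoofed)
```

Counting distinct destinations rather than raw flows keeps a customer who repeatedly talks to one file server out of quarantine, while a host sweeping many addresses crosses the threshold quickly.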
Oh geez, here we go again... Search the archives and read until you're content. It's a non-thread. This horse isn't only dead, it's not even a grease spot on the road any more.
Are you saying that the problem of spreading worms and botnets is fading? Where do you get your data on this? I mean, it's all well and good to express an opinion but if you want to be believed you have to be prepared to back it up with data from another source. --Michael Dillon
participants (15)
- Bill Nash
- bmanning@vacation.karoshi.com
- Christopher L. Morrow
- Edward W. Ray
- Gadi Evron
- Jason Frisvold
- Jess Kitchen
- Jim Segrave
- John Curran
- Michael.Dillon@btradianz.com
- Rob Thomas
- Scott Weeks
- Sean Donelan
- Simon Waters
- Valdis.Kletnieks@vt.edu