Re: Security v. Privacy (was Re: Is there anything that actually gets users to fix their computers?)
On Sun, 5 Oct 2003, Jamie Reid wrote:
While we were fighting blaster/nachi and others, we relied heavily on IDS's to generate alerts for the worms, then we disabled their network access and called them. Generic viruses are not an ISP's problem, but a worm is something that affects the provider's infrastructure, and is therefore a network operator's business.
Did the users actually believe you when you told them their computer had a worm? How many times did you disable the same user's network access because they didn't actually fix their computer but told you it was fixed? But I have a really important document that has to be sent right now, and I can't wait to fix the computer.
<quote who="Sean Donelan">
Did the users actually believe you when you told them their computer had a worm?
Ours did. They knew there was a worm "going around." This was all happening around the time of freshmen "move-in" so lots of parents were around. It was more difficult to convince some parents that despite the fact that their kid's new laptop just came out of the box and onto the network it was already infected.[*]
How many times did you disable the same user's network access because they didn't actually fix their computer but told you it was fixed?
Just once, if they weren't patched they were automatically turned down again. (automated, not human processing)
But I have a really important document that has to be sent right now, and I can't wait to fix the computer.
Three things to solve: pencil, paper, skateboard/rollerblades/feet. :)
-davidu
[*] There were unfortunately a couple of flaws in our handling of the blaster worm. We have an unroutable DHCP'd zone on our network which was leaving room for new users to be infected. They would be unable to get a valid IP but clean machines on the unroutable network could be infected. If our monitoring was at the switch level as opposed to the DHCP level this would not have occurred. Lesson learned (well, probably not, but learned for me at least). :(
----------------------------------------------------
David A. Ulevitch
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
----------------------------------------------------
On Sun, 5 Oct 2003, David A. Ulevitch wrote:
How many times did you disable the same user's network access because they didn't actually fix their computer but told you it was fixed?
Just once, if they weren't patched they were automatically turned down again. (automated, not human processing)
Forever? So the student can never use the university network again for as long as he or she remains at the school? Even if he or she promises the computer is really fixed this time?
<quote who="Sean Donelan">
On Sun, 5 Oct 2003, David A. Ulevitch wrote:
How many times did you disable the same user's network access because they didn't actually fix their computer but told you it was fixed?
Just once, if they weren't patched they were automatically turned down again. (automated, not human processing)
Forever? So the student can never use the university network again for as long as he or she remains at the school? Even if he or she promises the computer is really fixed this time?
Every dorm has a "residential computer consultant" who can throw the student's MAC_ADDR into a form and have it removed from the blocks. Doing this lets them get a routable IP address again. If they are still spewing traffic or other ungoodness they are blocked within a couple minutes. The students *want* to get their machines fixed when they realize that lying about fixing it doesn't work.
-davidu