Rich Kulawiec wrote:
On Sun, Feb 14, 2010 at 03:51:44PM -0800, Michael Thomas wrote:
Why is "security policy" different than "crown jewels"? If they own my
machine, they can tar up a svn checkout of the crown jewels and do
immeasurably more harm than shipping bogus anti spam reports.
Perhaps, but (a) that would be far more difficult to automate
(b) it might or might not serve their purposes (c) it would have
limited impact.
Yeahbut, this is all about work/reward on the part of the bad guys.
That and it might be *good* for them to start trying to game AS
reporting stuff: if the backend started looking for those patterns,
they'd probably stick out like a sore thumb, and you could put the
machine in the penalty box.
I'm sure that SOME of their attempts to game these would be sufficiently
heavy-handed as to stick out like a sore thumb. I'm equally certain
that some of them would not. Don't underestimate the enemy's intelligence,
diligence, or guile.
I'm not. That's why we need to keep some perspective about these kinds
of things.
They could spend their time crafting a Stealth Antispam Report Bomber,
or they could...
hack something up to steal a company's crown jewels with their army of
owned machines.
Or any number of other things that we've not even considered. Looking
too far down this decision tree is perilous because while we get
stovepiped into categories (I'm an AS d00d!) happily lopping off all of
the other threat branches since it's not our job, the bad guys aren't so
constrained.
From that standpoint, you're already completely hosed if you have owned
machines on your net. Them gaming an AS reporting mechanism is the
*least* of your worries.
Mike
---Rsk
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg