[Discussion] What are we making? - Target User

Josh Smith famousjs at gmail.com
Sun Oct 19 16:43:00 UTC 2008


The home router plugin seems like a great idea.  That way the majority
of people would be able to use existing hardware they have and not
have to buy a separate machine just to put in between them and the
internet.  This wouldn't be the full product in my mind, just a small
firmware upgrade like DD-WRT or something like that.  But it would be
highly configurable with options such as remote logging back to your
machine.

-Josh



On Sun, Oct 19, 2008 at 12:32 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> Splitting to a second thread as there are many good ideas here:
>
> Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:
>> However, given the current computing environment, I think it would be relatively
>> easy to make a case that such a device is not going to do all that much good.  That
>> a more accessible device, intended for "Grannyx" users, would actually do more to
>> protect the infrastructure.  After all, it isn't major nodes on the net that make up
>> botnets, it's the little guys.  Protect them, and you reduce the threat.  This is the
>> "low hanging fruit" for the blackhats, so protecting that crop is going to give us
>> the greatest benefit for the commitment of resources.
>
> Very well put. We've always left the home user to fend for themselves
> because it's just too complicated to run IDS unless you're a security
> professional. Thus in the botnet world we chase command and control
> servers and leave the bots infected. Not the best approach.
>
> So if we were to make this tool capable of being run "out of the box" as
> a simple install and it'll do the rest on its own, what would that mean?
>
> Would we need it to run on a WRTG style router OS?
>
> Would we need to approach the home router makers about a plugin?
>
> Would we want to go desktop stuff? (not my preference as the fox can't
> be trusted to watch the henhouse IMHO)
>
> Or do we go with just pushing reputational data to the home user? What I
> mean is if we build this engine to generate and act upon IP reputation
> data could we know enough about the Internet collectively to simply push
> a blacklist to the home user's router/firewall?
>
> On the more sophisticated devices where software could be installed
> maybe it does run a stripped down detection engine and help feed IP data
> back to the group. But overall it's still primarily benefiting only from
> the blacklisting and whitelisting of the whole?
>
> How many false positives would we encounter that might actually affect a
> home user?
>
> I think it'd be a very interesting day if we were to have essentially a
> Spamhaus/SURBL for IPs, thus pushing the bad guys to have to be even
> more IP mobile than they are now.
>
> Take atrivo/intercare/mccolo for example. Infested with crap, and have
> been for years. But since they can't really be blocked on the backbone
> home users still hit the same scam AV sites, give their credit card
> info, and get screwed. We know the sites are there, the registrars won't
> take them down, the ISP is colluding with the bad guys so they'll stay
> online. What can we do? (besides scream to our representatives for more
> effective laws)
>
> We can block those bad IPs at the home user's level. That'll make them
> start moving of course, just like bots being used to spam until they're
> listed. So we have to be able to immediately move quickly with the.
>
> What does everyone think there? The basic idea being to use a normal
> engine model by most security pros to feed IP reputation into a global
> database, and then the home user gets some sort of very basic tool or
> button they can click on to benefit from that data? Maybe even feed back
> to us.
>
>
>
>> In terms of my recommendation of a paran-o-meter, it makes a difference.
>> Actually, I see huge debates over initial settings: do we keep it low to keep from
>> crying wolf, or keep it high to keep people as safe as possible.  But one thing that
>> should be done is make the paranoia settings not-quite-obvious up front, so that
>> somebody needs to know a little about the implications before they start fiddling
>> with settings.
>>
>> Heck, if it's a professional device, we don't need to worry about the interface at
>> all.  If it's for Granny, we definitely do.
>
> Agreed. I don't think we can satisfy any of the needs of either granny
> or us in the same tool. It'd either be too dumbed down for us, or too
> complex for granny. I don't see any middle ground personally.
>
> I like the home router plugin thing though. If it could feed back to us
> what IPs it was blocking we'd learn a lot!
>
> Matt
>
>>
>> It also makes a difference in terms of the technology to be included.  If it is for
>> professionals, we can throw in everything.  If for Granny, we need to make a
>> careful choice about maximum protection for minimum performance drain.
>>
>> rslade at vcn.bc.ca     slade at victoria.tc.ca     rslade at computercrime.org
>> victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/
>> _______________________________________________
>> Discussion mailing list
>> Discussion at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
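The loop Matt sketches above (a reputation engine pushes a blocklist to the home router, the router blocks and then reports back which listed IPs it actually blocked) as an added example; this is not code from the original thread, from Emerging Threats or from OISF. The one-CIDR-per-line feed format, the ipset/iptables rule shape, the REP-BLOCK log prefix and the router log lines are all constructed for illustration. Two practitioner caveats are built in: a malformed feed line is skipped rather than aborting the whole push, and the feedback report contains only destination IPs that are inside the pushed list plus a hit count, never the home LAN source addresses.

```python
"""Minimal blocklist push / blocked-IP feedback loop for a home router.
Added example for the thread above; feed format, rule layout, log prefix and
sample log lines are constructed assumptions, not a real product's format."""
import ipaddress
import re
from collections import Counter

# Constructed reputation feed: one IP or CIDR per line, '#' starts a comment.
SAMPLE_BLOCKLIST = """
# reputation feed, generated 2008-10-19 (constructed sample)
192.0.2.0/24      # rogue AV hosting range (documentation addresses)
198.51.100.7
203.0.113.0/25
bogus-line
"""

# Constructed router syslog lines in iptables LOG target style. The ACCEPT
# line has no REP-BLOCK prefix and the last line's DST is outside the list
# (e.g. a stale entry from an older push), so neither may reach the report.
SAMPLE_LOG = """\
Oct 19 16:43:01 router kernel: REP-BLOCK: IN=br0 OUT=vlan1 SRC=192.168.1.10 DST=192.0.2.45 LEN=60 PROTO=TCP SPT=51234 DPT=80
Oct 19 16:43:02 router kernel: REP-BLOCK: IN=br0 OUT=vlan1 SRC=192.168.1.10 DST=192.0.2.45 LEN=60 PROTO=TCP SPT=51235 DPT=443
Oct 19 16:43:05 router kernel: REP-BLOCK: IN=br0 OUT=vlan1 SRC=192.168.1.12 DST=198.51.100.7 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Oct 19 16:43:07 router kernel: ACCEPT: IN=br0 OUT=vlan1 SRC=192.168.1.10 DST=203.0.113.130 LEN=60 PROTO=TCP SPT=51236 DPT=80
Oct 19 16:43:09 router kernel: REP-BLOCK: IN=br0 OUT=vlan1 SRC=192.168.1.10 DST=203.0.113.200 LEN=60 PROTO=TCP SPT=51237 DPT=80
"""


def parse_blocklist(text):
    """Return ip_network objects from a feed, skipping comments and bad lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # one malformed line must not abort the whole push
    return nets


def render_iptables(nets, chain="REPUTATION", log_prefix="REP-BLOCK: "):
    """Render a shell snippet (ipset + iptables) the router could apply.

    Matches are logged before being dropped, so the same router can later
    report what it blocked. The ipset name is the lower-cased chain name."""
    setname = chain.lower()
    lines = [
        f"ipset create {setname} hash:net -exist",
        f"ipset flush {setname}",
    ]
    for net in nets:
        lines.append(f"ipset add {setname} {net.with_prefixlen} -exist")
    lines += [
        f"iptables -N {chain} 2>/dev/null || iptables -F {chain}",
        f'iptables -A {chain} -j LOG --log-prefix "{log_prefix}" --log-level 4',
        f"iptables -A {chain} -j DROP",
        # insert the FORWARD hook only once (-C checks whether it already exists)
        f"iptables -C FORWARD -m set --match-set {setname} dst -j {chain} 2>/dev/null"
        f" || iptables -I FORWARD -m set --match-set {setname} dst -j {chain}",
    ]
    return "\n".join(lines)


def summarize_blocks(log_text, nets, log_prefix="REP-BLOCK: "):
    """Build the feedback report {blocked_dst_ip: hit_count} from router logs.

    Only lines carrying our LOG prefix count, and only destinations that are
    actually inside the pushed list, so a stray or forged log line cannot
    inject arbitrary IPs into what gets reported upstream. Internal SRC
    addresses are deliberately not included in the report."""
    pattern = re.compile(re.escape(log_prefix) + r".*?\bSRC=(\S+) DST=(\S+)")
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue
        if any(dst in net for net in nets):
            hits[str(dst)] += 1
    return dict(hits)


if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_BLOCKLIST)
    print(render_iptables(nets))
    print(summarize_blocks(SAMPLE_LOG, nets))
```

Running it prints the rule script for the three valid entries and the report {'192.0.2.45': 2, '198.51.100.7': 1}; 203.0.113.200 is dropped from the report because it is outside 203.0.113.0/25, which is the check that keeps the feedback channel from becoming a way to poison the shared reputation data. The false-positive question Matt raises is not solved here: anything in the feed is blocked outright, so the feed's quality is the whole game.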


