[Discussion] Discussion Digest, Vol 1, Issue 14

David Glosser david.glosser at gmail.com
Tue Oct 21 20:23:26 UTC 2008


I think an open API is the way to go, and personally I can't see
Granny wanting to pay an extra $10 or whatever. I don't think telling
her "but this new router has a next intrusion detection engine with
intelligent data sharing capabilities" will impress her.

As it is, most users think "popup blocker" and protection are the
same... "I already have a popup blocker, why do I need to buy more
software?"

On Tue, Oct 21, 2008 at 2:51 PM, Jeremy <jeremy at sudosecure.net> wrote:
> Do we really have to build and worry about the vendors and work out
> their issues for them?  What I could see happening is if this project
> truly builds the next intrusion detection engine with all of the
> intelligent data sharing capabilities as discussed on this list, that
> vendors will be stumbling over themselves to tap into this "cloud" of
> information and will work their own issues out.  If you build it they
> will come, is my take on this.  As long as you provide some sort of
> open API and/or control structure into your "cloud" then I think this
> project will have done their part.
>
> --jeremy
>
> On Tue, Oct 21, 2008 at 1:42 PM, David Glosser <david.glosser at gmail.com> wrote:
>> From this article
>> (http://www.networkworld.com/net.worker/columnists/2004/0329wolf.html)
>> back in 2004,
>>
>> granny's home router is:
>> Linksys - 33%
>> Netgear 12%
>> D-Link 12%
>>
>> then there's Belkin, Buffalo, and everyone else. And dozens of
>> models, with probably as many firmware versions out there.
>>
>>
>> So, for Granny (home user), reputational data could be pushed
>> (pulled?) at the following chokepoints:
>>
>> Browser -- OS -- home router -- ISP -----> Internet
>>
>> Some of these locations already have products (such as Browser-based
>> WOT & siteadvisor, OS antivirus, etc, which work with varying degrees
>> of effectiveness) and some don't...
>>
>>
>>
>>
>>
>> On Tue, Oct 21, 2008 at 2:05 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>>> So who are the major vendors we try to talk to? What are the OS's we'd
>>> need to hit?
>>>
>>> These things still running stuff like vxworks?
>>>
>>> Or do we figure out a dns lookup kind of thing?
>>>
>>> Anyone have contacts within the industry?
>>>
>>> Matt
>>>
>>> James McQuaid wrote:
>>>> Concur.  Pushing reputational data to home users (with no interaction
>>>> required by the home user) offers opportunities.  WOT and the paid
>>>> version of SiteAdvisor are attempting to do this in the browser, but
>>>> require some user interaction.
>>>>
>>>> There are hundreds of thousands of misconfigured, compromised and
>>>> ineffective home routers out there.  If we could work with the
>>>> manufacturers, it might be possible to return these devices to
>>>> productive use.
>>>>
>>>>
>>>>> Or do we go with just pushing reputational data to the home user? What I
>>>>> mean is if we build this engine to generate and act upon IP reputation
>>>>> data could we know enough about the Internet collectively to simply push
>>>>> a blacklist to the home user's router/firewall?
>>>>>
>>>>> On the more sophisticated devices where software could be installed
>>>>> maybe it does run a stripped down detection engine and help feed IP data
>>>>> back to the group. But overall it's still primarily benefiting only from
>>>>> the blacklisting and whitelisting of the whole?
>>>>>
>>>>> How many false positives would we encounter that might actually affect a
>>>>> home user?
>>>>
>>>> We can take steps to ensure that this is not a big issue.
>>>>
>>>>
>>>>
>>>>> I think it'd be a very interesting day if we were to have essentially a
>>>>> Spamhaus/SURBL for IPs, thus pushing the bad guys to have to be even
>>>>> more IP mobile than they are now.
>>>>>
>>>>> Take atrivo/intercare/mccolo for example. Infested with crap, and have
>>>>> been for years. But since they can't really be blocked on the backbone
>>>>> home users still hit the same scam AV sites, give their credit card
>>>>> info, and get screwed. We know the sites are there, the registrars won't
>>>>> take them down, the ISP is colluding with the bad guys so they'll stay
>>>>> online. What can we do? (besides scream to our representatives for more
>>>>> effective laws)
>>>>>
>>>>> We can block those bad IPs at the home user's level. That'll make them
>>>>> start moving of course, just like bots being used to spam until they're
>>>>> listed. So we have to be able to immediately move quickly with the.
>>>>
>>>> Shut them out in real time with multiple daily updates; most of the
>>>> data would not change, so the diff would usually be a very small file.
>>>>
>>>>
>>>>> What does everyone think there? The basic idea being to use a normal
>>>>> engine model by most security pro's to feed IP reputation into a global
>>>>> database, and then the home user gets some sort of very basic tool or
>>>>> button they can click on to benefit from that data? Maybe even feed back
>>>>> to us.
>>>>>
>>>>> Matt
>>>>>
>>>>
>>>>> --
>>>>> --------------------------------------------
>>>>> Matthew Jonkman
>>>>> Emerging Threats
>>>>> Phone 765-429-0398
>>>>> Fax 312-264-0205
>>>>> http://www.emergingthreats.net
>>>>> --------------------------------------------
>>>>>
>>>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>>>
>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Discussion mailing list
>>> Discussion at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>>>
>
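The delta-update scheme James McQuaid sketches above (several updates a day, each usually a tiny diff because most entries do not change) and Matt's worry about false positives hitting a home user can be shown together in a small worked example. This is added illustration code, not anything from the Discussion list, Emerging Threats or any router vendor; the feed format (one IP or CIDR per line, `#` comments), the `+`/`-` delta file format, the function names and the sample feeds are all constructed for the example.

```python
"""Incremental IP blocklist updates for a home router/firewall.

Added example (not code from the list or any product). Assumed feed format:
one IP address or CIDR per line, '#' starts a comment. A published delta is
a file of '+entry' / '-entry' lines. A local allowlist protects services the
user depends on from an upstream false positive.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Delta:
    """Entries to add to and remove from the device's current blocklist."""
    add: set = field(default_factory=set)
    remove: set = field(default_factory=set)


def parse_blocklist(text):
    """Parse a feed into canonical CIDR strings.

    Comments and blank lines are ignored; a malformed line is skipped rather
    than aborting the whole update, so one bad entry cannot leave the device
    without protection.
    """
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # malformed entry: skip it
        entries.add(str(net))  # canonical form, e.g. 198.51.100.7/32
    return entries


def compute_delta(old, new):
    """The diff between two feed versions; small when little has changed."""
    return Delta(add=new - old, remove=old - new)


def format_delta(delta):
    """Serialise a delta as the (assumed) '+entry' / '-entry' file format."""
    lines = ["+" + e for e in sorted(delta.add)]
    lines += ["-" + e for e in sorted(delta.remove)]
    return "\n".join(lines) + "\n"


def parse_delta(text):
    """Inverse of format_delta; unknown prefixes are ignored."""
    delta = Delta()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("+"):
            delta.add.add(line[1:])
        elif line.startswith("-"):
            delta.remove.add(line[1:])
    return delta


def apply_delta(current, delta, allowlist=()):
    """Apply a delta to the device's current set.

    Any blocklist network overlapping a locally allowlisted network is
    dropped, whether newly added or already present, so an upstream false
    positive cannot cut the user off from something they rely on.
    """
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]

    def is_allowed(entry):
        net = ipaddress.ip_network(entry)
        return any(net.overlaps(a) for a in allowed)

    result = (set(current) - delta.remove) | delta.add
    return {e for e in result if not is_allowed(e)}


def is_blocked(ip, blocklist):
    """Would the device drop traffic to/from this address?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e) for e in blocklist)


# Constructed sample feeds (documentation ranges, not real reputation data).
OLD_FEED = "192.0.2.0/24\n198.51.100.7\n203.0.113.0/25  # scam AV host\n"
NEW_FEED = "192.0.2.0/24\n203.0.113.0/25\n203.0.113.200\nnot-an-ip\n"


def demo():
    """Run the full update cycle and return the resulting device blocklist."""
    old, new = parse_blocklist(OLD_FEED), parse_blocklist(NEW_FEED)
    published = format_delta(compute_delta(old, new))  # the 'very small file'
    delta = parse_delta(published)                      # as read by the router
    return apply_delta(old, delta, allowlist=["203.0.113.192/26"])


if __name__ == "__main__":
    print(sorted(demo()))
```

In `demo()` the device starts from the old feed, receives only the two-line delta, and ends up with the new feed minus `203.0.113.200/32`, which the local allowlist covers; `198.51.100.7` is no longer blocked once the feed removes it, which is the "move quickly" part of the thread.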