This post had personal info in it. I have removed it, as I think it is irrelevant to the point I’m trying to make. Let’s just call him “Rick”. A user on a domain I maintain forwarded me an email from Rick explaining why his anti-spam swallowed the email. I replied with a set of challenges to his anti-spam filter’s effectiveness, as well as questioning the validity of the reasons behind it. Let’s be charitable and just say he did not seem to be open to discussing the matter.
Personal manners aside, this does bring up the greater question of arbitrary spam filters (arguably the worst ill effect spam had on the Internet) and standards conformance.
following up on that strange title, isoi 3 (internet security operations and intelligence), a workshop for do-ers who work on the security of the internet and its users, is happening monday and tuesday in washington, dc.
this time around we have even more government participation (we’re in dc, duh), but a bit less from academia (who can try and look at long term solutions), rather than just us security researchers, and operators (who respond, contain and mitigate incidents).
i am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. i am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, effecting change.
if you are interested in this realm of internet security operations, take a look at isoi 3’s schedule, and perhaps submit something for the next workshop.
some reporters are somewhat annoyed that entrance is barred to them, but i hope they’d understand that although we make things public whenever we can, as full disclosure is a strong weapon in the fight against cyber crime, folks cannot share as openly when they have to be on their toes all the time.
the third isoi is here because after dhs ended up unable to host it, sponsors emerged who were happy to assist:
it’s going to be an interesting next week here at the swamp. attendees better show up with their two forms of id.
Now that Skype’s explanation (written on 20th Aug), Microsoft’s response (also written on Monday) and Skype’s clarification (written today, 21st Aug) all exist, it’s time to share a short summary:
Why did the security community react the way it did?
1. Microsoft has released monthly security updates since January 2004
2. There were three critical MS patches in July, and four critical in June
3. Only four August critical patches included a mandatory reboot
4. Critical patch (MS07-044) for code execution issue in Excel needs no reboot
5. Critical patch (MS07-050) for VML needs reboot only if files in use
6. SecurityLab.ru released public Skype Network Remote DoS Exploit on 17th Aug
7. There was new Skype for Windows version 220.127.116.11 out on 17th Aug
8. A lot of home users go to Microsoft Update on Tuesday, not on Thursday…
Do we need more reasons? No. Boys and girls at Skype, please share information: that you are aware of the public PoC, what the new bugfix release fixes, etc.
But the good news: Villu Arak of Skype states that their “bug has been squashed.” And
The parameters of the P2P network have been tuned to be smarter…
Fine, because there are Black Tuesday patches in the future too! 😉
i posted a column on eweek on what critical infrastructure means, looking back at the estonia incident.
they edited out some of what i had to say on home computers and their impact as a critical infrastructure, but hey, word limitations.
syngress was kind enough to allow me to post the chapter i wrote for botnets: the killer web application here as a free sample.
it is the third chapter in the book, and requires some prior knowledge of what a botnet c&c (command and control) is. it is basic, short, and to my belief covers quite a bit. it had to be short, as i had just 5 days to write it while doing other things, and not planning on any writing, but it is pretty good in my completely unbiased opinion. 😉
you can download it from this link:
for the full book, you would need to spend the cash.
cfp: isoi iii (a da workshop)
cfp information and current speakers below.
isoi 3 (internet security operations and intelligence) will be held in washington dc this august the 27th, 28th.
this time around the folks at us-cert (department of homeland security – dhs) are hosting. sunbelt software is running the after-party dinner.
if you haven’t rsvp’d yet, please do so soon. although we have 240 seats, we are running out of space.
a web page for isoi 3 can be found at: http://isotf.org/isoi3.html
27th, 28th august, 2007
washington dc – aed conference center:
registration via firstname.lastname@example.org is mandatory, no cost attached to attending. check if you apply for a seat in our web page.
this is the official cfp for isoi 3. main subjects include: fastflux, fraud, ddos, botnets. other subjects relating to internet security operations are also welcome.
some of our current speakers as you can see below lecture on anything from estonia’s “war” to current web 2.0 threats in-the-wild.
please email email@example.com as soon as possible to submit a proposal. i will gather them and give them to our committee (jeff moss) for review.
current speakers (before committee decision)
roger thompson (exp labs)
– google adwords... the dangers of dealing with the russian mafia
barry raveendran greene (cisco)
– what you should be asking me as a routing vendor
john lacour (mark monitor)
– vulnerabilities used to hack sites for phishing
– using xss to track phishers
dan hubbard (websense)
– mpack and honeyjax (web 2.0 honeypots)
– fastflux: operational update
william salusky (aol)
– the spammer evolves – migration to webmail
hillar aarelaid (estonian cert)
– incident response during the recent attack
Sun Shine (beyond security)
– strategic lessons from the estonian “first internet war”
jose nazario (arbor)
– botnet statistics from the estonian attack
andrew fried (treasury department)
– phishing and the irs – new methods
danny mcpherson (arbor)
people have been wondering why i’ve been keeping quiet on this issue, especially since i was right there helping out.
a lot of people had information to share and emotions to get out of the way. also, it was really not my place to reply on this – with all the work done by the estonians, my contributions were secondary. mr. alexander harrowell discussed this with me off mailing lists, and our discussions are public on his blog. information from bill woodcock on nanog was also sound.
as to what actually happened over there, more information should become available soon and i will send it here. i keep getting stuck when trying to write the post-mortem and attack/defense analysis, as i keep hitting a stone wall i did not expect: strategy. suggestions for the future are also a part of that document, so i will speed it up with a more down-to-earth technical analysis (which is what i promised cert-ee).
in the past i’ve been able to consider information warfare as a part of a larger strategy, utilizing it as a weapon. i was able to think of impact and tools, not to mention (mostly) disconnected attacks and defenses.
i keep seeing strategy for the use in information warfare battles as i write this document on what happened in estonia, and i believe i need more time to explore this against my previous take on the issue, as well as take a look at some classics such as clausewitz, as posh as it may sound.