"There was something with one of our customers, however it was a customer
machine, and as such, we aren't at liberty to discuss the issue unless
they specifically allow us to."
- quoth Exodus
So, in other words, they can't discuss abuse issues with the victim,
unless the *offender* (client) gives them permission to?
I'll sleep much better tonight knowing this.
---Reply on mail from Adam Rothschild about Exodus Customer Security
FYI-
"There was something with one of our customers, however it was a customer
machine, and as such, we aren't at liberty to discuss the issue unless
they specifically allow us to."
- quoth Exodus
So, in other words, they can't discuss abuse issues with the victim,
unless the *offender* (client) gives them permission to?
I'll sleep much better tonight knowing this.
I don't have much of a problem with this policy, if law enforcement calls,
they will probably give out the info, if joe blow calls and claims to be a
victim, they have a hard time to prove that joe blow is really a victim,
so they either have to spend payroll $$ on people proving that joe really
is a victim, OR give out info to joe when he may not be a victim (thus
increasing exposure to their customer)..
It wouldn't be that difficult to fake some logs to get info on a certain
customer for whatever reason.. If they have this policy, it protects
Exodus from liability, especially if one of their clients got broken into
and an attack was launched from there (how many companies would see a fall
in their stock or a loss of consumer confidence if the fact they got
broken into was made public??)
It seems to be known that in this instance people were breaking into boxes
and using those boxes as launching pads, what is to say that the Exodus
box wasn't also a launching pad? To say that the offender was the client,
may be a bit harsh..
It seems to be known that in this instance people were breaking into boxes
and using those boxes as launching pads, what is to say that the Exodus
box wasn't also a launching pad? To say that the offender was the client,
may be a bit harsh..
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
Ask yourself this:
Can you (as an NSP) guarantee me
that *none* of your boxes,
or *customer* boxes, have been infected?
"He who is without sin (and an *NSP*, as is Exodus),
cast the first stone."
Now, the High Priests of Exodus were, perhaps, a little hard to
reach.. But, I heard they were in a meeting, trying to ascertain
how many angels can dance on the head of a pin......
That's a bit extreme, and should not be expected of any NSP.
All I want is, when such obvious and widespread abuse is coming from their
(Exodus's) customers, they step in and do *something* (that something
being contacting the customer, and severing connectivity if the problems
do not cease in a reasonable amount of time), rather than just ignoring
this entirely. Am I being too idealistic here?
I guess this is more an issue of NSP policy/responsibility/expectations
than of Exodus suckage...
All I want is, when such obvious and widespread abuse is coming from their
(Exodus's) customers, they step in and do *something* (that something
being contacting the customer, and severing connectivity if the problems
do not cease in a reasonable amount of time), rather than just ignoring
this entirely. Am I being too idealistic here?
Let's see.. you don't count hours of time put in by the NOC and the Engineering
teams to assemble logs, consult other parts of the company, contact the
customer and get permission to disconnect his machine doing something? I'm
trying to figure out exactly what you want, and I'm having a lot of trouble.
It's been VERY clearly stated here that the machine was offline relatively soon
after the first contact was made to the Exodus NOC, I guess you think this is
magic, the machine simply disconnected itself and the problem resolved?
Exodus will not reveal anything else about this situation, just like they
would not reveal anything else if this had been you, or any other customer
who had been compromised. If the customer feels the need to comment, that is
fine.
The fact of the matter is, I've been on the other side of WAY TOO MANY attacks
to think that Exodus did nothing. The sheer number of compromised machines on
the Internet at this time is mind boggling. I personally easily shut down 10
to 20 machines a week, on my own time, by contacting and educating system
admins. But there are machines that have been compromised for months and are
STILL active, now THAT I would call not doing something.
I'm noticing you are not commenting on the other machines that are/were hitting
you, maybe it's time to turn to an operational view on these postings and talk
about how well those are/have been handled. I'd like to see exactly how
responsive everyone else is, and if you have been able to get machines shut
down in less than 3 hours.