Mailing List Logs for ShadowRN

Message no. 1
From: crowley@*********.ch (Michael Schmidt)
Subject: Multi-decker runs and security tally
Date: Wed, 27 Oct 2004 11:55:38 +0200
Hello!

Does anybody have a good idea or a rules reference for handling the
security tally when there are multiple illegal icons on one host?

The rules always refer to "the decker's security tally", but it doesn't feel
right to keep a separate sec tally for every decker. It may be OK for
IC, but if a host goes to alarm status, it's the complete host, not just
the surroundings of the decker.


--
This is free space. Good ideas for a sig are welcome.
Contact:
aim: drawentasqad | icq: 196218950
!jabber: timothyryan@******.ccc.de!
Message no. 2
From: lericson20@*******.net (lericson20@*******.net)
Subject: Multi-decker runs and security tally
Date: Wed, 27 Oct 2004 12:49:40 +0000
I would say that the security tally for all illegal icons is added to the same total.
That security tally is meant to reflect unusual activity happening on the host, not unusual
activity by a single icon.

Raise enough red flags and the system is going to start interrogating everything that
happens more carefully.

----
Lars Ericson
lericson20@*******.net
"A noble heart embiggens
the smallest man." -- Jebediah Springfield

-------------- Original message --------------

> Hallo!
>
> Has anybody a good idea or rules reference for the handling of the
> security tally, when there are multiple illegal icons on one host?
>
> Rules always refer to "the decker's security tally", but it doesn't feel
> right, to keep a separate sec tally for every decker. It may be ok for
> IC, but if a host goes to alarm status, it's the complete host, not just
> the surrounding of the decker.
>
>
> --
> This is free space. Good ideas for a sig are welcome.
> Contact:
> aim: drawentasqad | icq: 196218950
> !jabber: timothyryan@******.ccc.de!
Message no. 3
From: graht1@*****.com (Graht)
Subject: Multi-decker runs and security tally
Date: Wed, 27 Oct 2004 09:28:12 -0600
On Wed, 27 Oct 2004 12:49:40 +0000, lericson20@*******.net
<lericson20@*******.net> wrote:
> > Hallo!
> >
> > Has anybody a good idea or rules reference for the handling of the
> > security tally, when there are multiple illegal icons on one host?
> >
> > Rules always refer to "the decker's security tally", but it doesn't feel
> > right, to keep a separate sec tally for every decker. It may be ok for
> > IC, but if a host goes to alarm status, it's the complete host, not just
> > the surrounding of the decker.
>
> I would say that the security tally for all illegal icons are added to the
> same total. That security tally is to reflect unusual activity happening on
> the host, not unusual activity by a single icon.
>
> Raise enough red flags and the system is going to start interrogating
> everything that happens more carefully.

<admin> Lars, please place your replies below/after quoted text ;) </admin>

I remember posting about this right after the security tally rules
were introduced. I thought it would be a fun evil gm trick to play on
a PC decker to have them in a system when some newbie hacker hits the
system and starts jacking up the security tally.

But consider this: if the entire system starts scrutinizing
everything, that's going to severely tax system resources, and keep in
mind that the system's real purpose is to perform work for its users.
Imagine everyone in the building calling tech support because
everything is slowing down, all because the CEO's secretary misspelled
her password three times in a row (gotta love that caps lock key) and
jacked up the security tally for the entire system, and now it's
performing a security scan of every hard disk.

In reality, that's not how it works. The system flags the individual
user and keeps an eye on them. If the secretary keeps entering the
wrong password, then the system will make a note that someone else
might be trying to use her user id and keep an eye on it for more
offending events (or send an email to the sysop who can then call the
secretary to find out what's going on). It won't consume valuable
resources by keeping an eye on every single user in the system.

IMHO the security tally should be applied to individual users. If a
user starts doing something they aren't supposed to do, then the host
will react to that user and that user only. If there's another decker
in the system and he's successfully spoofing the host, then his tally
will remain low. The only time one decker can affect another is if
the first decker racks his tally to the point where the host shuts
down because it hasn't been able to stop him (which is a perfectly
viable egm trick ;).

--
-Graht
Message no. 4
From: zebulingod@*******.net (Zebulin)
Subject: Multi-decker runs and security tally
Date: Wed, 27 Oct 2004 09:58:00 -0700
Graht wrote:
>
> In reality, that's not how it works. The system flags the
> individual user and keeps an eye on them. If the secretary
> keeps entering the wrong password, then the system will make
> a note that someone else might be trying to use her user id
> and keep an eye on it for more offending events (or send an
> email to the sysop who can then call the secretary to find
> out what's going on). It won't consume valuable resources by
> keeping an eye on every single user in the system.
>
> IMHO the security tally should be applied to individual
> users. If a user starts doing something they aren't supposed
> to do, then the host will react to that user and that user
> only. If there's another decker in the system and he's
> successfully spoofing the host, then his tally will remain
> low. The only time one decker can affect another is if the
> first decker racks his tally to the point where the host
> shuts down because it hasn't been able to stop him (which is
> a perfectly viable egm trick ;).
>

I would agree on what you say except in the case of Passive and Active
alerts. These are host-wide events, and they would affect everyone logged
in. So while you can keep individual security tallies, when the host goes
into an alert, everyone on board will notice.

That's how I'd play it, anyway.

Zeb
Message no. 5
From: me@******.net (Hexren)
Subject: Multi-decker runs and security tally
Date: Wed, 27 Oct 2004 19:01:47 +0200
Z> Graht wrote:
>>
>> In reality, that's not how it works. The system flags the
>> individual user and keeps an eye on them. If the secretary
>> keeps entering the wrong password, then the system will make
>> a note that someone else might be trying to use her user id
>> and keep an eye on it for more offending events (or send an
>> email to the sysop who can then call the secretary to find
>> out what's going on). It won't consume valuable resources by
>> keeping an eye on every single user in the system.
>>
>> IMHO the security tally should be applied to individual
>> users. If a user starts doing something they aren't supposed
>> to do, then the host will react to that user and that user
>> only. If there's another decker in the system and he's
>> successfully spoofing the host, then his tally will remain
>> low. The only time one decker can affect another is if the
>> first decker racks his tally to the point where the host
>> shuts down because it hasn't been able to stop him (which is
>> a perfectly viable egm trick ;).
>>

Z> I would agree on what you say except in the case of Passive and Active
Z> alerts. These are host-wide events, and they would affect everyone logged
Z> in. So while you can keep individual security tallies, when the host goes
Z> into an alert, everyone on board will notice.

Z> That's how I'd play it, anyway.

Z> Zeb


---------------------------------------------

There are some things I can think of that a host could do that affect
everybody. System policies regarding failed logins, for example, could be
changed after somebody has failed to enter his pass 3 times. Or
log levels could be adjusted so that the host gains more info after it
has detected something spooky.

Hexren
Message no. 6
From: korishinzo@*****.com (Ice Heart)
Subject: Multi-decker runs and security tally
Date: Wed, 27 Oct 2004 12:35:37 -0700 (PDT)
--- Hexren <me@******.net> wrote:

> Z> Graht wrote:
> >>
> >> In reality, that's not how it works. The system flags the
> >> individual user and keeps an eye on them. If the secretary
> >> keeps entering the wrong password, then the system will make
> >> a note that someone else might be trying to use her user id
> >> and keep an eye on it for more offending events (or send an
> >> email to the sysop who can then call the secretary to find
> >> out what's going on). It won't consume valuable resources by
> >> keeping an eye on every single user in the system.
> >>
> >> IMHO the security tally should be applied to individual
> >> users. If a user starts doing something they aren't supposed
> >> to do, then the host will react to that user and that user
> >> only. If there's another decker in the system and he's
> >> successfully spoofing the host, then his tally will remain
> >> low. The only time one decker can affect another is if the
> >> first decker racks his tally to the point where the host
> >> shuts down because it hasn't been able to stop him (which is
> >> a perfectly viable egm trick ;).
> >>
>
> Z> I would agree on what you say except in the case of Passive and Active
> Z> alerts. These are host-wide events, and they would affect everyone logged
> Z> in. So while you can keep individual security tallies, when the host goes
> Z> into an alert, everyone on board will notice.
>
> Z> That's how I'd play it, anyway.
>
> Z> Zeb
>
>
> ---------------------------------------------
>
> There are some things I can think of that a host could do that affect
> everybody. System policies regarding failed logins, for example, could be
> changed after somebody has failed to enter his pass 3 times. Or
> log levels could be adjusted so that the host gains more info after it
> has detected something spooky.
>
> Hexren

Nope. I handle computer security for our company, and I can back
Graht up on this one. Security alerts from one user will not affect
other users. It would be grossly inefficient to have the system do so.
That is why after x number of tries, Ms. So-and-so's login is simply
disabled until a sysad resets it. With a decker, repeated incorrect
logins are not even the issue. Instead, you look for things like
something calling itself LPT3 (a printer) sitting on a port where it
should not be, broadcasting on the network, and not showing up in any
task queues. A little more digging and you find that said device is
actually an executable, owned by root. Wait... why is root running
something and saying it is something else, and suppressing any logs
of its activity? Ultimately, a good hack is not ever discovered by
automated processes like virus scans, firewalls, and the like
(Intrusion Countermeasures). A good hack is found and dealt with by
a person (security decker). A smart network security staffer does
not respond by immediately blowing away said intrusion either. You
quarantine the anomaly, minimizing the damage it can do, hopefully
without the hack(er) even realizing it has happened. Then you trace
the thing, find its source and its purpose if you can. All of this
takes place without the average user ever realizing a thing. The
network is not suddenly slowed or shut down, nor is access suddenly
more restricted. The whole point of paying for expensive security
software and security personnel is so your network stays live while
security threats are dealt with.

So, Security Tallies, even Passive/Active Alerts, should only apply
to an individual anomaly (decker/frame/etc). In fact, I do not even
run a 'host shutdown' as a reboot of the actual server. Instead,
certain network services are disrupted as the service/services the
system believes corrupted are stopped and restarted (dumping the
decker and anything else utilizing those ports). The biggest threat
to a PC decker is security deckers, who consider system invasions a
delightful distraction from clearing bad print jobs and resetting
some idiot user's password.

======Korishinzo
--evil (SysAdmin) GM

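To make the two positions in this thread concrete, here is a small model (added here, not code from the list or from any Shadowrun product) of the per-user variant Graht and Ice Heart argue for, combined with Zeb's caveat that passive/active alerts are host-wide once one tally crosses a threshold. Event weights, thresholds, the per-account lockout count and the log lines are all constructed for illustration; the point is that a noisy legitimate user's failures never raise another icon's tally, but one icon's own tally can still put the whole host on alert.

```python
"""Per-principal security tally with host-wide alert levels (constructed model)."""
from collections import defaultdict

# Constructed weights: how much each event type adds to the acting principal's tally.
EVENT_WEIGHTS = {
    "login_failed": 1,
    "unexpected_listener": 2,
    "privilege_escalation": 3,
    "log_suppression": 4,
}
LOCKOUT_AFTER_FAILED_LOGINS = 3   # per account, as in Ice Heart's "after x tries"
PASSIVE_ALERT = 5                 # host-wide alert thresholds (constructed values)
ACTIVE_ALERT = 8


class Host:
    def __init__(self):
        self.tally = defaultdict(int)          # one tally per principal, never shared
        self.failed_logins = defaultdict(int)
        self.locked = set()
        self.alert = "none"                    # host-wide: none -> passive -> active

    def observe(self, line):
        """Consume one constructed '<principal> <event>' log line and update state."""
        principal, event = line.split()
        if principal in self.locked:           # disabled account: nothing more is scored
            return
        self.tally[principal] += EVENT_WEIGHTS.get(event, 0)
        if event == "login_failed":
            self.failed_logins[principal] += 1
            if self.failed_logins[principal] >= LOCKOUT_AFTER_FAILED_LOGINS:
                self.locked.add(principal)     # only this account is disabled
        # Alerts are host-wide, but they are raised by a single principal's own tally.
        worst = max(self.tally.values(), default=0)
        if worst >= ACTIVE_ALERT:
            self.alert = "active"
        elif worst >= PASSIVE_ALERT and self.alert != "active":
            self.alert = "passive"


def run(lines):
    """Replay a sequence of log lines and return the resulting host state."""
    host = Host()
    for line in lines:
        host.observe(line)
    return host


SAMPLE_LOG = [                     # constructed: a clumsy secretary, then an intruder
    "secretary login_failed",
    "secretary login_failed",
    "secretary login_failed",      # account locked; tally 3 stays below PASSIVE_ALERT
    "secretary login_failed",      # ignored, account already locked
    "decker unexpected_listener",  # decker tally 2
    "decker privilege_escalation", # decker tally 5 -> host goes to passive alert
    "decker log_suppression",      # decker tally 9 -> host goes to active alert
]
```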
Message no. 7
From: me@******.net (Hexren)
Subject: Multi-decker runs and security tally
Date: Wed, 27 Oct 2004 22:06:04 +0200
>> Hexren

IH> Nope. I handle computer security for our company, and I can back
IH> Graht up on this one. Security alerts from one user will not affect
IH> other users. It would be grossly inefficient to have the system do so.
IH> the thing, find its source and its purpose if you can. All of this
IH> takes place without the average user ever realizing a thing. The
IH> network is not suddenly slowed or shutdown, nor is access suddenly
IH> more restricted. The whole point of paying for expensive security
IH> software and security personnel is so your network stays live while
IH> security threats are dealt with.

IH> So, Security Tallies, even Passive/Active Alerts, should only apply
IH> to an individual anomaly (decker/frame/etc). In fact, I do not even
IH> run a 'host shutdown' as a reboot of the actual server. Instead,
IH> certain network services are disrupted as the service/services the
IH> system believes corrupted are stopped and restarted (dumping the
IH> decker and anything else utilizing those ports). The biggest threat
IH> to a PC decker is security deckers, who consider system invasions a
IH> delightful distraction from clearing bad print jobs and resetting
IH> some idiot user's password.

IH> ======Korishinzo
IH> --evil (SysAdmin) GM


---------------------------------------------

Maybe I used the wrong wording. I did not mean to imply that what I
said is commonplace today, but that it is a possibility, which (and I
agree with you there) is mostly not realised because of the drag-down
effect it would have on normal operations.
But maybe that is done in another way in 2053 :)

Greetings
Hexren
