Lowell Hamilton wrote:
> IMHO reporting/publishing unauthorized traffic on your network is
> ethical and should be encouraged. [...]

There are some lines though. I responded to JLF's original AZIPA posting, but thought I'd send it here as well. No slight to JLF intended, he does PLENTY of good work. These are just my thoughts on this particular scenario.

--- cut here --- cut here ---

J.Francois wrote:
> [...]
> Is it ethical to reveal the IP address and attacks of the bad guys
> in a public web page?
>
> Please give me your opinions.
>
> The Page: http://www.magusnet.com/ids.html

Well, since you ARE asking for opinions...

Speaking for myself, I would be hesitant to do so, simply because much of what I see listed on your page MAY be the result of an effort to compromise your system, but some may also be the result of inadvertent misconfigurations or outright cluelessness. You label them "bad guys", without (so far as I can tell) necessarily knowing that to be the case. Some of the traffic is obviously unwanted (portscans etc.) but, given that you run a proxy service, I wonder if some might be innocent. For example:

(From the logs):
> May 1 19:15:15 citadel snort[17047]: MISC-WinGate-8080-Attempt: [Source IP 1]:61008 -> 216.27.171.164:8080
> May 1 19:15:16 citadel snort[17047]: MISC-WinGate-8080-Attempt: [Source IP 1]:61009 -> 216.27.171.164:8080

Your public proxy is on 8081 & 8090. Mistyping the URL by one character (i.e. https://proxy.magusnet.com:8081/-_-http://isc2.org/code.html) creates an entry on the "bad guy" list.

You appear to be listing one time offenders in with everyone else as well.

> May 1 20:13:36 citadel snort[17047]: IDS159 - PING Microsoft Windows: [Source IP 2] -> 216.27.171.164
> May 2 03:38:42 citadel snort[17047]: IDS159 - PING Microsoft Windows: [Source IP 3] -> 216.27.171.164

Aren't these merely a ping of your public proxy (www.magusnet.com)?

You also have the additional ethical question of providing free, public privacy services (sounds odd doesn't it?) while still monitoring and publishing log info. Don't get me wrong, I'm fully aware of your efforts to provide services and your activities both on this list and with PLUG. I RESPECT AND APPLAUD YOU FOR THESE EFFORTS (especially the Teergrube :). It's just that there's the whole perception issue.

After reading your instructions on your proxy page, I pinged www.magusnet.com to verify that it's up. I'm now listed on your "bad guy" page. Why am I using an anonymous proxy service? What do I have to hide? Better log my activity somewhere, privacy be damned. Hmm... maybe log those URLs I'm visiting too, just in case. (you get the idea)

As part of the (ISC)2 CISSP certification process, I was required to get quite familiar with their published code of ethics (see http://isc2.org/code.html). After reviewing that, I'd say that you definitely have a borderline situation here. It really comes down to what you value more: Individuals' privacy versus alerting others to possible activity by "bad guys".

My opinion: I'd suggest perhaps scaling back or filtering what's published on that page. Anything persistently indicating an attempt to subvert the system might warrant attention. However, not everything "wrong" is necessarily "bad", and I'd be inclined to give the benefit of a doubt before labeling someone a "bad guy" in a public forum.

You might report some of these activities in a less public forum (as suggested by others in this thread), in the hope that persistent patterns of abuse across multiple systems may be indicative of a deliberate and conscientious effort to subvert systems. I think that would be more worthwhile in the long run, while still allowing proactive management and monitoring of your system.

Again, these are my opinions only, and I want to emphasize that JLF is a good guy in my book!
- Bob (who just took a job where writing policy on these sorts of things will be required!)
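
One way to apply the filtering suggested in the message above, as an added example that is not part of the original post: it parses Snort syslog lines in the format quoted there and keeps only sources whose alerts recur across days, so a single ping or one mistyped port never reaches a report. The sample lines are constructed (documentation addresses), and the thresholds and the rule that pings count as noise are assumptions.

```python
import re
from collections import defaultdict

# Syslog-style Snort alert, as quoted in the post:
#   "May 1 19:15:15 citadel snort[17047]: <signature>: <src>[:port] -> <dst>[:port]"
ALERT_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) \d{2}:\d{2}:\d{2} \S+ snort\[\d+\]: "
    r"(?P<sig>.+?): (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$"
)

# Assumption (not from the post): plain pings are noise, not evidence of intent.
NOISE = ("PING",)

def persistent_sources(lines, min_events=3, min_days=2):
    """Return {src: summary} for sources that alert repeatedly on several days."""
    seen = defaultdict(lambda: {"events": 0, "days": set(), "sigs": set()})
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m or any(word in m["sig"] for word in NOISE):
            continue  # unparseable line or a signature we treat as benign
        rec = seen[m["src"]]
        rec["events"] += 1
        rec["days"].add(" ".join(m["day"].split()))  # "May  1" -> "May 1"
        rec["sigs"].add(m["sig"])
    return {
        src: {"events": r["events"], "days": len(r["days"]), "sigs": sorted(r["sigs"])}
        for src, r in seen.items()
        if r["events"] >= min_events and len(r["days"]) >= min_days
    }

# Constructed sample input: RFC 5737 documentation addresses, not real hosts.
SAMPLE = """\
May  1 19:15:15 citadel snort[17047]: MISC-WinGate-8080-Attempt: 192.0.2.10:61008 -> 203.0.113.5:8080
May  1 19:15:16 citadel snort[17047]: MISC-WinGate-8080-Attempt: 192.0.2.10:61009 -> 203.0.113.5:8080
May  1 20:13:36 citadel snort[17047]: IDS159 - PING Microsoft Windows: 192.0.2.20 -> 203.0.113.5
May  2 03:38:42 citadel snort[17047]: IDS159 - PING Microsoft Windows: 192.0.2.30 -> 203.0.113.5
May  1 22:01:00 citadel snort[17047]: MISC-WinGate-8080-Attempt: 198.51.100.7:40001 -> 203.0.113.5:8080
May  2 22:03:10 citadel snort[17047]: MISC-WinGate-8080-Attempt: 198.51.100.7:40422 -> 203.0.113.5:8080
May  3 21:59:45 citadel snort[17047]: MISC-WinGate-8080-Attempt: 198.51.100.7:41877 -> 203.0.113.5:8080
""".splitlines()

if __name__ == "__main__":
    for src, summary in persistent_sources(SAMPLE).items():
        print(src, summary)
```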