I think the users@ list is sufficiently low volume and the compromise
rate is (I hope) sufficiently low that users@ would be the best place to
do this. If there ends up being enough traffic to warrant a separate
mailing list (heaven forbid), I suggest an announcement on users@ and
the discussion continuing on a separate list would be the way to go.
--
Phil
On 07/12/2012 07:43, Keith Williams wrote:
> Great idea
>
>
> On 7 December 2012 06:05, Peet Grobler <peet@???
> <mailto:peet@peet.za.net>> wrote:
>
> On 2012/12/07 4:19 AM, Andy Smith wrote:
> > I was thinking that if customers saw how often these things happen
> > to people very much like themselves then it might help remove some
> > of the "yeah I've heard of that but it will never happen to me"
> > mindset that we all regrettably can fall into.
>
> You could also consider creating another mailing list. Perhaps
> "security@??? <mailto:security@bitfolk.com>" or
> "compromise@??? <mailto:compromise@bitfolk.com>"?
>
> Whether you do this or use users@, I would definitely be interested,
> even though most of these won't affect me[1].
>
> > It might look something like this:
> >
> > Today at around 04:30 we became aware of a customer VPS
> > initiating an abnormal amount of outbound SSH connections (~200
> > per second). The VPS's network access was suspended and customer
> > contacted.
> >
> > It was later determined that a user account on the VPS had been
> > accessed starting 3 days ago, via an SSH dictionary attack. The
> > attacker installed another copy of the SSH dictionary attack
> > software and set it going. We do not believe that root access
> > was obtained.
>
> > The amount of detail would vary because we may only become aware of
> > a compromise when the customer's VPS itself starts perpetrating
> > abusive activity, and then we rely on the customer to investigate
> > why that is.
>
> Of course.
>
> > No identifying information regarding the affected customer would be
> > shared. We already share non-identifying information similar to the
> > above to peers within the industry to aid deterrence and detection
> > of future abuses.
>
> Of course :)
>
> > Would this sort of posting be welcomed or would it be unwelcome
> > noise? If the consensus is that it would be unwelcome noise then I
> > may create a new list specifically for it, but I would rather not do
> > so as then that is just another list that we have to raise awareness
> > of.
>
> I would welcome it.
>
> > https://lists.bitfolk.com/mailman/listinfo/announce
> > http://lists.bitfolk.com/lurker/list/announce.html
> >
> > (just 19 threads this year)
>
> Heh. Even our company's announce lists have got 100s of mails this
> year.
> Some 1000s.
>
>
> [1] I allow incoming :1194UDP (openvpn) and :80TCP(web) publicly on my
> vps. Without the static openvpn key you can't do anything but
> browse the
> single domain hosted on it. All other access happen via a VPN tunnel.
>
> That said every service is still secured as if it was public (SSH only
> via authorized_keys, etc). So even if openvpn gets compromised you
> still
> need to get through that.
>
>
> _______________________________________________
> users mailing list
> users@??? <mailto:users@lists.bitfolk.com>
> https://lists.bitfolk.com/mailman/listinfo/users
>
>
>
>
> --
> Keith Williams
> www.PhilsArt.co.uk <http://www.PhilsArt.co.uk>
> "Time is an illusion. Lunchtime doubly so." Douglas Adams
> He's done it again! www.justgiving.com/France-The-Wrong-Way
> <http://www.justgiving.com/France-The-Wrong-Way>
> Tailor Made English www.tmenglish.org <http://www.tmenglish.org>
>
>
>
> _______________________________________________
> users mailing list
> users@???
> https://lists.bitfolk.com/mailman/listinfo/users
