y much like themselves then it might help remove some
> > of the "yeah I've heard of that but it will never happen to me"
> > mindset that we all regrettably can fall into.
>
> You could also consider creating another mailing list. Perhaps
> "security@??? <mailto:security@bitfolk.com>" or
> "compromise@??? <mailto:compromise@bitfolk.com>"?
>
> Whether you do this or use users@, I would definitely be interested,
> even though most of these won't affect me[1].
>
> > It might look something like this:
> >
> > Today at around 04:30 we became aware of a customer VPS
> > initiating an abnormal amount of outbound SSH connections (~200
> > per second). The VPS's network access was suspended and customer
> > contacted.
> >
> > It was later determined that a user account on the VPS had been
> > accessed starting 3 days ago, via an SSH dictionary attack. The
> > attacker installed another copy of the SSH dictionary attack
> > software and set it going. We do not believe that root access
> > was obtained.
>
> > The amount of detail would vary because we may only become aware of
> > a compromise when the customer's VPS itself starts perpetrating
> > abusive activity, and then we rely on the customer to investigate
> > why that is.
>
> Of course.
>
> > No identifying information regarding the affected customer would be
> > shared. We already share non-identifying information similar to the
> > above to peers within the industry to aid deterrence and detection
> > of future abuses.
>
> Of course :)
>
> > Would this sort of posting be welcomed or would it be unwelcome
> > noise? If the consensus is that it would be unwelcome noise then I
> > may create a new list specifically for it, but I would rather not do
> > so as then that is just another list that we have to raise awareness
> > of.
>
> I would welcome it.
>
> > https://lists.bitfolk.com/mailman/listinfo/announce
> > http://lists.bitfolk.com/lurker/list/announce.html
> >
> > (just 19 threads this year)
>
> Heh. Even our company's announce lists have got 100s of mails this year.
> Some 1000s.
>
>
> [1] I allow incoming :1194UDP (openvpn) and :80TCP (web) publicly on my
> vps. Without the static openvpn key you can't do anything but browse the
> single domain hosted on it. All other access happens via a VPN tunnel.
>
> That said every service is still secured as if it was public (SSH only
> via authorized_keys, etc). So even if openvpn gets compromised you still
> need to get through that.
>
>
> _______________________________________________
> users mailing list
> users@??? <mailto:users@lists.bitfolk.com>
> https://lists.bitfolk.com/mailman/listinfo/users
>
>
>
>
> --
> Keith Williams
> www.PhilsArt.co.uk <http://www.PhilsArt.co.uk>
> "Time is an illusion. Lunchtime doubly so." Douglas Adams
> He's done it again! www.justgiving.com/France-The-Wrong-Way
> <http://www.justgiving.com/France-The-Wrong-Way>
> Tailor Made English www.tmenglish.org <http://www.tmenglish.org>
>
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">I think the users@ list is sufficiently
low volume and the compromise rate is (I hope) sufficiently low
that users@ would be the best place to do this. If there ends up
being enough traffic to warrant a separate mailing list (heaven
forbid), I suggest an announcement on users@ and the discussion
continuing on a separate list would be the way to go.<br>
<br>
--<br>
Phil<br>
<br>
On 07/12/2012 07:43, Keith Williams wrote:<br>
</div>
<blockquote
cite="mid:CAMe3QpPZGMo52XGAPHEfAROtLzyf_j1O2sqs53F0Ma7z=Uh13w@???"
type="cite">Great idea
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 7 December 2012 06:05, Peet Grobler
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:peet@peet.za.net" target="_blank">peet@???</a>></span>
wrote:<br>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>Keith Williams</div>
<div> </div>
<div><a moz-do-not-send="true" href="http://www.PhilsArt.co.uk"
target="_blank">www.PhilsArt.co.uk</a></div>
<div> </div>
<div>"Time is an illusion. Lunchtime doubly so." Douglas Adams</div>
<div> </div>
<div>He's done it again! <a moz-do-not-send="true"
href="http://www.justgiving.com/France-The-Wrong-Way"
target="_blank">www.justgiving.com/France-The-Wrong-Way</a></div>
<div> </div>
<div>Tailor Made English <a moz-do-not-send="true"
href="