Re: [bitfolk] Proposal: Security incidents postings

Author: Phil Stewart
Date:  
Subject: Re: [bitfolk] Proposal: Security incidents postings
dance with terms & conditions), knowing full well that they actually want what they're signing up for rather than facing the daunting single tick box which gives the user "all or nothing".

On 7 Dec 2012, at 02:19, Andy Smith <andy@???> wrote:

> So I was contemplating posting an email thread to this ("users")
> list every time we become aware of a customer compromise, and I was
> wondering what you thought of that idea.




Author: Samuel Bächler
Date: Fri, 7 Dec 2012 14:09:20 +0100
Subject: Re: [bitfolk] Proposal: Security incidents postings


I am ok with that kind of information.

Cheers

Sämi

2012/12/7 Andy Smith <andy@???>

> Hello,
>
> From time to time BitFolk customer VPSes occasionally become subject
> to various kinds of compromise. Frustratingly, the kinds of
> compromise encountered are generally the result of run of the mill,
> completely preventable and unremarkable root causes.
>
> I would like to find a way to raise awareness of these very simple
> security concerns amongst the customer base, in order to hopefully
> cut down on how often they happen.
>
> I was thinking that if customers saw how often these things happen
> to people very much like themselves then it might help remove some
> of the "yeah I've heard of that but it will never happen to me"
> mindset that we all regrettably can fall into.
>
> So I was contemplating posting an email thread to this ("users")
> list every time we become aware of a customer compromise, and I was
> wondering what you thought of that idea.
>
> It might look something like this:
>
>     Today at around 04:30 we became aware of a customer VPS
>     initiating an abnormal amount of outbound SSH connections (~200
>     per second). The VPS's network access was suspended and customer
>     contacted.
>
>     It was later determined that a user account on the VPS had been
>     accessed starting 3 days ago, via an SSH dictionary attack. The
>     attacker installed another copy of the SSH dictionary attack
>     software and set it going. We do not believe that root access
>     was obtained.
>
> The amount of detail would vary because we may only become aware of
> a compromise when the customer's VPS itself starts perpetrating
> abusive activity, and then we rely on the customer to investigate
> why that is.
>
> If the customer is unable/unwilling to do this then we may never
> know why their VPS began misbehaving. We don't examine customer data
> unless given permission to do so, and even then this is often too
> time-consuming to undertake on an unpaid basis. I would consider the
> above an example of the maximum amount of detail we would go into.
>
> No identifying information regarding the affected customer would be
> shared. We already share non-identifying information similar to the
> above to peers within the industry to aid deterrence and detection
> of future abuses.
>
> Would this sort of posting be welcomed or would it be unwelcome
> noise? If the consensus is that it would be unwelcome noise then I
> may create a new list specifically for it, but I would rather not do
> so as then that is just another list that we have to raise awareness
> of.
>
> Please also note that those with an extremely low tolerance for
> email noise may wish to quit this list and instead join the
> "announce" list, as it contains only announcements from BitFolk with
> no customer discussion whatsoever:
>
>     https://lists.bitfolk.com/mailman/listinfo/announce
>     http://lists.bitfolk.com/lurker/list/announce.html
>
> (just 19 threads this year)
>
> Thoughts?
>
> Cheers,
> Andy
>
> --
> http://bitfolk.com/ -- No-nonsense VPS hosting
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEAREDAAYFAlDBUj4ACgkQIJm2TL8VSQsqvACgwIgInU6KIOtadzOhGfxJbzq2
> IMwAoKpBPCQW2HYD1Dgs6RPF38QNycai
> =xqsl
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> users mailing list
> users@???
> https://lists.bitfolk.com/mailman/listinfo/users
>
>



-- 
Samuel Bächler
Obere Bläsistrasse 1
8049 Zürich

Web: boeser.ch
Tel: +41(0)43 817 46 28
Mob: +41(0)79 478 49 42
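The incident Andy uses as his sample report, a user account taken over by an SSH dictionary attack, leaves a recognisable footprint in sshd's auth log: a burst of "Failed password" lines from one source address followed by an "Accepted password" for a user from that same address. The checker below is an added example, not code from this thread or from BitFolk; it runs over a few constructed auth.log lines (the IPs are from the RFC 5737 documentation ranges, the user names and PIDs are invented) and flags any password login that was preceded by a threshold number of failures from the same IP within a time window. The log year is assumed to be 2012 because syslog timestamps carry no year.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in the syslog format of /var/log/auth.log on a
# Debian host of the period. IPs, user names and PIDs are made up for this
# example; they do not come from any real incident.
SAMPLE_AUTH_LOG = """\
Dec  4 03:12:01 vps sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Dec  4 03:12:03 vps sshd[2203]: Failed password for invalid user oracle from 198.51.100.23 port 51030 ssh2
Dec  4 03:12:05 vps sshd[2205]: Failed password for backup from 198.51.100.23 port 51041 ssh2
Dec  4 03:12:07 vps sshd[2207]: Failed password for backup from 198.51.100.23 port 51052 ssh2
Dec  4 03:12:09 vps sshd[2209]: Failed password for backup from 198.51.100.23 port 51060 ssh2
Dec  4 03:12:11 vps sshd[2211]: Accepted password for backup from 198.51.100.23 port 51071 ssh2
Dec  4 09:00:00 vps sshd[2500]: Accepted publickey for alice from 203.0.113.7 port 40000 ssh2
Dec  5 22:40:10 vps sshd[3100]: Failed password for root from 192.0.2.99 port 33000 ssh2
Dec  5 22:40:12 vps sshd[3102]: Failed password for root from 192.0.2.99 port 33001 ssh2
"""

# syslog timestamps have no year; assume the year of the incident so that
# timestamps can be compared (an assumption of this example).
LOG_YEAR = 2012

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_line(line):
    """Return a dict for an sshd login-attempt line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "ip": m.group("ip")}


def find_dictionary_attack_logins(log_text, min_failures=3, window=timedelta(minutes=15)):
    """Flag password logins preceded by a burst of failures from the same source IP.

    A successful password login that follows at least min_failures failed
    attempts from the same address within `window` is the footprint of a
    dictionary attack that finally guessed a password. Public-key logins are
    never flagged: a key cannot be guessed this way, and failures before one
    are more likely an attacker being refused while a legitimate user logs in.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    findings = []
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        # Forget failures that fell out of the window before this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif ev["method"] == "password" and len(q) >= min_failures:
            findings.append({"user": ev["user"], "ip": ev["ip"],
                             "failures_before_success": len(q),
                             "accepted_at": ev["ts"].isoformat(sep=" ")})
    return findings


def failures_by_ip(log_text):
    """Count failed attempts per source IP, the input a fail2ban-style threshold acts on."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev and ev["result"] == "Failed":
            counts[ev["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_dictionary_attack_logins(SAMPLE_AUTH_LOG):
        print(f"SUSPECT LOGIN user={f['user']} from={f['ip']} "
              f"after {f['failures_before_success']} failures at {f['accepted_at']}")
    print("failures per source:", failures_by_ip(SAMPLE_AUTH_LOG))
```

On the sample, the `backup` login from 198.51.100.23 is flagged with five failures behind it, while the two root failures from 192.0.2.99 are counted but not flagged because no login succeeded. The same check run against a real auth.log three days back would have surfaced the entry point Andy describes; the thresholds are deliberately parameters, since a tolerant window on a busy host produces false positives from users mistyping their own password.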



Author: jan@???
Date: Fri, 07 Dec 2012 13:09:45 +0000
Subject: Re: [bitfolk] Proposal: Security incidents postings