I think the users@ list is sufficiently low volume and the compromise rate is (I hope) sufficiently low that users@ would be the best place to do this. If there ends up being enough traffic to warrant a separate mailing list (heaven forbid), I suggest an announcement on users@ and the discussion continuing on a separate list would be the way to go.

--
Phil

On 07/12/2012 07:43, Keith Williams wrote:
Great idea


On 7 December 2012 06:05, Peet Grobler <peet@peet.za.net> wrote:
On 2012/12/07 4:19 AM, Andy Smith wrote:
> I was thinking that if customers saw how often these things happen
> to people very much like themselves then it might help remove some
> of the "yeah I've heard of that but it will never happen to me"
> mindset that we all regrettably can fall into.

You could also consider creating another mailing list. Perhaps
"security@bitfolk.com" or "compromise@bitfolk.com"?

Whether you do this or use users@, I would definitely be interested,
even though most of these won't affect me[1].

> It might look something like this:
>
>     Today at around 04:30 we became aware of a customer VPS
>     initiating an abnormal amount of outbound SSH connections (~200
>     per second). The VPS's network access was suspended and customer
>     contacted.
>
>     It was later determined that a user account on the VPS had been
>     accessed starting 3 days ago, via an SSH dictionary attack. The
>     attacker installed another copy of the SSH dictionary attack
>     software and set it going. We do not believe that root access
>     was obtained.

> The amount of detail would vary because we may only become aware of
> a compromise when the customer's VPS itself starts perpetrating
> abusive activity, and then we rely on the customer to investigate
> why that is.

Of course.

> No identifying information regarding the affected customer would be
> shared. We already share non-identifying information similar to the
> above to peers within the industry to aid deterrence and detection
> of future abuses.

Of course :)

> Would this sort of posting be welcomed or would it be unwelcome
> noise? If the consensus is that it would be unwelcome noise then I
> may create a new list specifically for it, but I would rather not do
> so as then that is just another list that we have to raise awareness
> of.

I would welcome it.
Heh. Even our company's announce lists have got 100s of mails this year.
Some 1000s.


[1] I allow incoming :1194 UDP (openvpn) and :80 TCP (web) publicly on my
vps. Without the static openvpn key you can't do anything but browse the
single domain hosted on it. All other access happens via a VPN tunnel.

That said every service is still secured as if it was public (SSH only
via authorized_keys, etc). So even if openvpn gets compromised you still
need to get through that.


_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users




--
Keith Williams
www.PhilsArt.co.uk
"Time is an illusion. Lunchtime doubly so." Douglas Adams
He's done it again! www.justgiving.com/France-The-Wrong-Way
Tailor Made English   www.tmenglish.org


