Slashdot Mirror


User: netwatchman

netwatchman's activity in the archive.

Stories: 0
Comments: 2

Comments · 2

  1. Re:Not the most clueful company on the planet... on Are There Risks in Sharing Firewall Logs? · Score: 1

    Thanks for the heads up on the "vision" page.

    I've completely rewritten all of the reports that this page uses; however, I completely forgot to update this page to the new versions.

    They should all work now.

    http://www.mynetwatchman.com/vision.htm

  2. Justifications on Are There Risks in Sharing Firewall Logs? · Score: 1

    Hi...I'm actually the developer of myNetWatchman.

    First of all...to address the initial question on the safety of submitting firewall logs:

    Participating in our sensor network involves running either a native Windows application or Perl script. Everyone should exercise due diligence when considering any native app as you are potentially granting access to your system.

    That said, my users will vouch that my app is trustworthy and it only uploads what it says it uploads...firewall log data. Several have also independently validated this using packet sniffers.

    I've also tried to make it very clear exactly what information is collected and how privacy is maintained in our Privacy Policy. Really the only information that is sensitive is the agent's IP address. This is exactly why we mask the agent IP address (e.g. 100.100.X.X) on all publicly viewable pages AND in the alert email we send to ISPs.

    To address a few other comments:

    1) "not very clueful ..."

    Agreed...this is NOT a refined site. My user interface and presentation are ugly. Intensive queries can time out (I'm working on this).

    This is a grassroots effort run by ONE full-time person (ME) and a very small group of volunteers. Despite this we successfully process over 100,000 log events/day, identify 10,000 suspect IPs/day, and send 1,000-2,000 email alerts notifying people that their boxes have probably been hacked. Given my limited resources, I think this is pretty impressive.

    2) What do I get in return?

    Someone mentioned that they don't really get anything for participating. Yes, my primary goal is actually to help those that have been hacked. However, participants benefit in several key ways:

    a) Knowing that you're helping alert others of compromises

    b) Personal reports that show your event data aggregated with thousands of other firewalls around the world. This adds global perspective to your firewall logs...now you can tell how many other people have seen the same activity

    c) Automated escalation to responsible ISP or sysadmin...and full disclosure of progress and ISP responses. We almost completely eliminate the need to do manual backtracing and incident escalation, saving many of our participants *hours* per month.

    I hope that I'm not sounding defensive...I welcome the criticism...I know I have a lot to improve on.

    I also wholeheartedly agree that you definitely need to exercise caution when considering participating in my system or others like it (Dshield, ARIS, etc.).

    I invite anyone to talk to our participants directly on our news server (news.mynetwatchman.com) or analyze our app for yourselves.

    Regards,

    Lawrence Baldwin
    President
    myNetWatchman.com
    +1.678.624.0924