Re: [Openpacket-devel] OpenPacket.org RC1
From: Richard B. <tao...@gm...> - 2008-01-09 04:01:27
On Jan 8, 2008 9:49 PM, James Pleger <jp...@gm...> wrote:
> Sorry to quote, but:
>
> "OpenPacket.org moderators will not be responsible for anonymizing traces.
> It's too much of a burden in many ways."
>
> I think the discussion about anonymization is kind of dead and while you
> have a bunch of very good points, it is up to the user to determine what
> kind of anonymization of the pcaps... I think a disclaimer on the site is
> sufficient, and I was merely throwing it out there as a "Nifty feature" type
> of request. I think that a howto that is well written would work great as a
> substitute to this type of functionality. I may throw together a small
> script that could anonymize things inside the IP header, for myself and any
> other people that are interested in it. I personally don't care about
> anything in layer 7 :P
>
> Thanks to everyone for their thoughts.

I agree with Aaron's points. However, I see James' point too. If someone wants to upload a trace that has been anonymized to whatever degree they like, that is fine by me.

I recommend reading the Trace Restrictions section here:

http://openpacket.sourceforge.net/openpacket_req_doc_draft_21jul06.pdf

I should have said that scrubbing was OPTIONAL, not a way to "clean" sensitive data so it could be published. I don't think I phrased what I meant very well:

"If necessary, traffic captured on production networks will be scrubbed to obscure any identifying characteristics, such as source and/or destination IP addresses. OpenPacket.org reserves the right to make these scrubbing decisions and actions."

This is the overriding principle:

"The traffic does not contain any proprietary or sensitive information that the submitting enterprise would not want published."

OpenPacket.org moderators absolutely will NOT publish traces that, using our best judgment, contain data we feel should not be published. If we receive legitimate complaints the trace will be removed immediately.

If you operate a private test lab and capture worm traffic or whatever else, I don't see the need to attempt obfuscation. If you operate a honeynet, and you want to try to remove information identifying your honeynet IPs, scrub away. If you want to rip out all layer 7 data, that's fine. Some people might like it, others not. If you really want to provide production traffic that contains your users' IM conversations, our moderators will reject it.

Thank you,

Richard