Thread: Re: Counting tells you if you are making progress




Re: Counting tells you if you are making progress
2007-02-22 12:13:25
On Wed, 21 Feb 2007, Todd Vierling wrote:
> I'd say it's severely biased in the overestimation direction -- but
> that's not to say it isn't a problem, because zombies Suck.

People with access to the ppp, dhcp or nat logs for a network can de-dup the
counts based on IP addresses to come up with better surveys of infected
computers.  They can further correlate the reports with contact
with the computer owners of how many computers were found with known or unknown
malware. But we rarely hear data from them.

Although I disagree with some of the survey counts, finding zombies isn't
a problem.  Figuring out if a computer is actually fixed and stays fixed
is still the problem.  Sometimes it feels like an episode of "House."
Except House wraps up the case in 60 minutes.
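
The de-duplication described above, as an added example that is not part of the original post: external zombie reports keyed by IP are joined against DHCP lease history so that distinct hosts are counted instead of distinct addresses. The lease records, report times, addresses and the use of the client MAC as the host identifier are all constructed assumptions.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed DHCP lease records: (lease start, lease end, IP, client MAC).
LEASES = [
    ("2007-02-20 08:00", "2007-02-20 20:00", "192.0.2.10", "00:11:22:aa:aa:01"),
    ("2007-02-20 20:00", "2007-02-21 08:00", "192.0.2.11", "00:11:22:aa:aa:01"),
    ("2007-02-21 08:00", "2007-02-21 20:00", "192.0.2.10", "00:11:22:bb:bb:02"),
    ("2007-02-21 08:00", "2007-02-21 20:00", "192.0.2.12", "00:11:22:aa:aa:01"),
]
# Constructed external zombie reports: (time seen, source IP).
SIGHTINGS = [
    ("2007-02-20 09:15", "192.0.2.10"),
    ("2007-02-20 23:40", "192.0.2.11"),
    ("2007-02-21 10:05", "192.0.2.10"),  # same IP as the first report, other host
    ("2007-02-21 11:30", "192.0.2.12"),
    ("2007-02-21 12:00", "192.0.2.12"),  # repeat report for one host
    ("2007-02-22 09:00", "192.0.2.99"),  # no lease on record
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def build_index(leases):
    """Map IP -> leases sorted by start time, for binary search."""
    index = {}
    for start, end, ip, mac in leases:
        index.setdefault(ip, []).append((_ts(start), _ts(end), mac))
    for rows in index.values():
        rows.sort()
    return index

def holder(index, ip, when):
    """Return the MAC holding `ip` at `when` (start <= when < end), else None."""
    rows = index.get(ip, [])
    i = bisect_right(rows, (when, datetime.max, "")) - 1  # last lease starting <= when
    ok = i >= 0 and rows[i][0] <= when < rows[i][1]
    return rows[i][2] if ok else None

def dedup(sightings, leases):
    """Count reports, distinct IPs, distinct lease holders and unmatched reports."""
    index = build_index(leases)
    macs = [holder(index, ip, _ts(seen)) for seen, ip in sightings]
    return {"reports": len(sightings),
            "unique_ips": len({ip for _, ip in sightings}),
            "unique_hosts": len({m for m in macs if m}),
            "unmatched": macs.count(None)}

print(dedup(SIGHTINGS, LEASES))
```

In this sample, address churn makes one host appear under three IPs, while one IP is held by two different hosts on different days, so a per-IP count can err in either direction.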


Re: Counting tells you if you are making progress
2007-02-23 20:37:08
On 2/22/07, Sean Donelan <seandonelan.com> wrote:
> On Wed, 21 Feb 2007, Todd Vierling wrote:
> > I'd say it's severely biased in the overestimation direction -- but
> > that's not to say it isn't a problem, because zombies Suck.
>
> People with access to the ppp, dhcp or nat logs for a network can de-dup the
> counts based on IP addresses to come up with better surveys of infected
> computers.  They can further correlate the reports with contact
> with the computer owners of how many computers were found with known or unknown
> malware. But we rarely hear data from them.

Because this is a circular problem:  such providers want to deny the
problem until there's a sufficient number, and once they take notice,
the de-dup ... reduces the number.

This isn't a technology problem, it's a *business approach* problem.

But now I'm straying OT.

-- 
-- Todd Vierling <tvduh.org> <tvpobox.com> <toddvierling.name>
