Dave, David Reed is right on the money in terms of the false positive issue. Actually, the "more hay" methodology has been shown to be ineffective in other, related fields, and even worse has been shown to be an effective tool for _evading_ detection. Simply put, it is relatively easy for an attacker to determine the kinds of things that trigger alerts, and to flood the detection system with those types of events. Intrusion detection systems on networks are classic cases in point: they are so overwhelmed by false positives that in very short order the people monitoring the systems stop paying attention. A "boy who cried wolf" problem, exacerbated by the fact that the marginal cost of creating a false positive is many orders of magnitude less than the cost of responding to one. Ultimately, the IDS systems end up being used either (a) to show uninformed management that "we're doing something", and/or (b) as part of the forensic process _after_ a breach has occurred to try to see if the attacker left any useful footprints (hint: the answer is "no").

There's a trend to watch for, as well. The follow-on technology to IDS, optimistically referred to as Intrusion Prevention Systems, has been touted as a tool to actually stop attacks in progress. Essentially, it's a combination of detection capability coupled with 'drop the connection' capability. It came into existence because security people thought it would be cool, and because customers were complaining about the overload on human resources that the IDS technologies imposed. The theory was that technology could operate with sufficient speed to prevent bad things from happening. The real world response (as noted in a recent Network World review of IPS) has been that the systems are getting deployed, but without the 'P' feature enabled. It seems that users are not willing to take the risk of shutting off a good connection (the 99.9999% case) in order to prevent an attack (the 0.0001% case).

But I expect that the next layer of proposals out of the NSA data mining mess will be to create and deploy some magic system that can operate at the speed of the technology being monitored. <Insert massive (unsuccessful) budget here.>

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Ben Franklin, ~1784

--Ridge

-----Original Message-----
From: David Farber [mailto:dave@farber.net]
Sent: Thursday, December 22, 2005 3:40 PM
To: Ip Ip
Subject: worth reading -- loophole in FISA?

Begin forwarded message: