[Dshield] Question on appropriate university research
Tom
dshield at oitc.com
Wed Sep 19 01:06:05 GMT 2007
At 9:20 AM -0400 9/18/07, Paul Melson wrote:
> > Don't you think that this is at best ill advised without contacting the IP
> > block owners? Further what they're
> > trying to sample is not what they are sampling but that's another story.
>
> Can you elaborate on this point?
What I was told is that they are scanning to determine stats on SSH,
login types, and how often authentication is updated (to do this they
do repeat scans).
Well, to me they are measuring a population they can't characterize
for statistical purposes and their stats will inherently be suspect.
1st they know nothing about the distribution of machines on the /8
they selected.
2nd with many various groups sharing attacks and subscribers
updating their firewalls, they have no idea if their inability to
connect is because of firewall updates or because the machine isn't
using SSH.
3rd many admins have moved their SSH port to other ports just to keep
SSH portscan bot traffic away, so lack of connect does not say
anything about whether SSH is being used.
4th we and many others have SSH honeypots to identify attacking IPs,
and scanning these not only pollutes their stats but also causes them
to be blackholed by many.
5th when I complained to CMU the "researcher" immediately stated he
would remove our IPs (I am still waiting) from his scan and his
database, which would seem to remove from the statistical calculations
those host owners that actually monitor and worry about their systems'
security, which seemingly will skew their analysis toward the dumber.
I guess I could go on, but it seems to me an academic effort to make
SSH more secure for the masses doesn't need to scan the internet to
proceed. Further, it's awfully dumbing down a PhD if a PhD
candidate has to only run a scan as described above and gen some stats
for a PhD.
Just my 2 cents.
Tom