[Dshield] Is DShield Dead?

Chris Brenton cbrenton at chrisbrenton.org
Mon Jun 20 11:10:00 GMT 2005

On Sun, 2005-06-19 at 22:25, Al Reust wrote:
> Scrap as I drag out the Soap Box, as security no longer seems to be 
> happening here.

WAHOOO! A soap box being dragged out and its not me on top of it. ;-)

I do not work for DShield and/or SANS and never have. I do however
contract for SANS to author course material and teach at conferences. I
do not represent either organization and make no claim to.

> My day consists of...

The same stuff most of us go through. In the SANS 502 track I have a
little speech about "If you are here you are obsessive compulsive but
that's not necessarily a bad thing" that I do. Pretty much mirrors your

> As I sit here and look at what has transpired in the DShield list in the 
> 20/30 days I see very little.

I have not kept score, but it does *seem* like the S/N ratio is a little
higher than it used to be. This thread is probably a good example. We
saw this on the intrusion list at incidents.org where the S/N got so
high people started bailing. I would hate to see that happen here.
Perhaps its time to spawn a dishied-admin/advocate/info or similar list
so this type of thing can be off loaded there. 

>  Ever since it was unofficially announced that 
> DShield went "commercial." There has been very little other than complaints 
> that logging which still does not work (over two months now).

Hummm. I'm not aware of any corporate structure change within DShield.
Its still partially backed by SANS and partially backed by community
involvement. There have been some changes over time (like the banner ads
at the end of the e-mails) but evolution is a fact of life. Its still
mostly driven by Johannes over working himself. Personally I have a lot
of respect for the guy not only for what he knows, but for how much he
has given to the security community. You would be hard pressed to find
anyone else in this industry who has given up as much of their free time
to helping us all out. Johannes gets very little of the credit he
actually deserves.

> We have the 
> Handlers Diary that provides more information about what is happening than 
> what shows up in the list.

This is easy to fix, contribute. If there is something going on in the
industry that you feel needs to be discussed, start a thread on it. One
thing which is cool about this list is that general security discussions
are permitted. Its not just limited to talk about Dshield. If you see a
hole, plug it by asking a question or starting an FYI thread.

> "Names" I used to see talking here are now talking in other lists.

Again, things evolve, change, move around. Its a fact of life. Refer to
your job description, and its not uncommon for folks to get burned out.
I myself used to post on different lists quite a lot, took a break, and
I'm just getting back into it. 

> Why did DShield decide to not tell "us" that they went commercial, was this 
> an oversight?

Speaking for just myself here, I'm hard pressed to feel like
Johannes/DShield owes me anything. If I look at what I have put into the
entity Vs. what I have received back, I'm the clear winner. I too have
used information off of this site to help me work more effectively and
be better at my job. 

> At this point I feel that most felt that the efforts of many 
> individuals (who helped them gain status) have been insulted.

Again, speaking only for myself (someone who has contributed to DShield
but granted very little compared to Johannes and many others) I'm not
sure how "insulted" works into the picture. I recognize that Johannes
has done a lot for the community and that his heart is in the right
place. I also realize that I don't know as much about whats going on
behind he scenes as he does, and that he is doing the best he can with
what he has to work with, So I guess for me its a matter of whether you
trust him or not. Given what he has done for us so far I trust the guy.

> Has the Community lost confidence in DShield?

Here's the question that caused me to hit the "Re:" button in the first
place. ;-) I don't think this is a problem with DShield, so much as a
problem with the industry in general. Five years ago you saw the white
hat side being *far* more proactive in addressing what ails us. This has
tapered off over the last few years, I *think* out of frustration and
burn out. So this is not just happening here, its happening all over.
Kind of scary as attacks are getting far more coordinated and
sophisticated than they used to be. Am I implying we are losing the
security war? I think we take three steps forward and two steps back.
For example you see a lot more sites at least having some semblance of
perimeter security than you used to. Unfortunately you are also seeing a
lot more tools specifically designed to breech a perimeter so basic
security is not nearly enough anymore.

> Has going "commercial" caused to DShield to lose the trust of those that 
> felt it was a very worthwhile area to converse?

Again, I don't claim to speak for the entire community. I can only speak
for myself. Having half a clue about what it takes to pull together what
Johannes has assembled, I am extremely thankful he's on our side and has
provided this level of community exchange of information.

> Have the "new" duties of Johannes; caused things that used to happen, here 
> not happen?

Please don't take this the wrong way, but this question kind of bugs me.
It kind of implies that Johannes is responsible to the community or
"owes us" something. If you were to ask him face to face, I'm sure he
would tell you that he is. From an outsider's perspective however I have
to go back to that "I've taken more away from DShield than I've put into
it". With this in mind I'm hard pressed to feel like he owes me
anything. Is Johannes busy? Absolutely. Is he rolling in the money from
DShield? I'm hard pressed to believe that he's not still contributing
out of his own pocket. 

> Does Dshield plan to correct all this and invite those professionals back?

I don't speak for Johannes so I'll let him flag this one. My guess is
he's working as hard as he can to keep the system stable and add in

> Are the Handlers that once used to be "volunteers" being compensated for 
> their efforts?

I'm no longer a handler so I can't answer this but I'm guessing "no". I
did it for three years myself and did it to help the community, not try
and extract some form of compensation. I was paid in the percentage of
the Internet I helped to secure. To me that was worth far more. Knowing
some of the handlers personally, I'm guessing they have similar

> IF DShield receives monetary gain from information posted via the list of 
> the log submissions, what plan for acknowledgement are in place or will be 
> constructed.

OK, let's turn this around. You mentioned that you use DShield as a
source of info to better execute your job. What level of acknowledgment
and/or compensation do you have in place for that? I don't mean to sound
like a jerk with that comment, but its a two way street. The difference
is that most of us post logs and/or contribute info when we have it
available. Its Johannes and crew that deal with figuring out which small
portions of it actually mean something every day, all day long. They
also deal with bandwidth issues, hardware issues, and a host of other
problems that for the most part are pretty invisible to all of us.

> Please review what is happening in the world and look at which "alerts" 
> have not been posted in this list.  Since 5/18/2005 there have been 5/7 
> items posted that have any relevance...

I'll admit the S/N seems higher as of late, but not that high. Just in
the last week I've saved 4 different topic threads with some useful
info. Heck Fergie posts more than that on a regular basis. ;-)

> Most of the traffic is that DShield 
> is not correctly processing information (logs) that helped them go commercial.

Agreed this has been pretty high. Again, maybe its time to spawn an
administration list so they don't show up here.

> I fully expect Deb to answer as she seems to be Johannes voice over the 
> last couple of months. Thank You Deb!

Well I'm not Deb but hopefully I've given you a different perspective.
If you feel like something is missing, get in and fill the gap rather
than complain that wondering why someone else is not doing it.


More information about the list mailing list