This incident was investigated by a team of two people. Their years of experience are outlined in Table 5. Assuming an hourly wage of $33.65 ($70,000/yr) for both investigators, Table 4 shows the cost calculations. The total incident cost amounts to $2132.07.
Table 4. Incident Costs
| | Hours | Cost | Total | +15% | -15% |
|---|---|---|---|---|---|
| Bo Adler | 35.4 | 33.65 | $1,191.21 | $1,369.89 | $1,012.53 |
| Brad Threatt | 14.1 | 33.65 | $474.47 | $545.64 | $403.30 |
| Subtotal | | | $1665.68 | $1915.53 | $1415.83 |
| Benefits (28%) | | | $466.39 | $536.35 | $396.43 |
| Total | | | $2132.07 | $2451.88 | $1812.26 |
Table 5. Experience Table
| Investigator | Field | Years | Comments |
|---|---|---|---|
| Bo Adler | Programming | 9 years out of college | This was a difficult question, because I've been programming since childhood and it wasn't clear at what point it counts as "real". The first time I programmed in something besides BASIC or 6502 Assembly was 1984. |
| | System Administration | 13 | "On the job training." |
| | Security | 4 | I've been dealing with attacks and intrusions since 1990, but it's been sporadic and somewhat informal. More recently, I've taken it up as a hobby and worked on a few security related projects. |
| Brad Threatt | Programming | 10 years since college | Like Bo, I have a lot of childhood programming experience, mostly BASIC and 6502 and Z80 machine coding. I didn't get out of that ghetto until 1989, and since then I've mostly walked from C to C++ to Java. |
| | System Administration | 10 years | Most of my sysadmin experience has been in managing my own box and a few larger test networks. |
| | Security | 4 years | Previously, most of my interest had been in cryptographic tools, but these days I'm developing an interest in forensics. |
Table 6. Timecard for Bo Adler
| Time | Description |
|---|---|
| 3.5 hrs | Preparation pre-May 6th. Set up skeleton SGML file for response, created build system and timestamping script, and administrative email with team. |
| 3.6 hrs | Investigation into Q1. |
| 2.5 hrs | Editing of analysis for Q1. |
| 8.25 hrs | Worked on improving decompilation output from REC. Created sendraw.c to generate packets. |
| 8.5 hrs | Further worked on improving decompilation output from REC. Developed sendcmd.c and sniffer. |
| 9 hrs | Final push to write up answers, and edit all files for improved clarity (hopefully!). |
Table 7. Timecard for Brad Threatt
| Time | Description |
|---|---|
| 4 hours 30 minutes | Research on decompilation, attempts at using dcc to decompile single functions in Linux. |
| 90 minutes | Obtaining a suitable libc, installing and running fenris's dress. |
| 30 minutes | Writing up REC use, research and write-up on similar exploits. Writing up the use of fenris. |
| 2 hours 24 minutes | Creating the advisory and a first attempt at the executive summary |
| 5 hours 12 minutes | Attempts to interpret the assembly code in the switch statement. |