Corrections to MSNBC article

• The 47 agent, or "zombie", computers mentioned in the analysis of mstream were not at a single University. They were located at many different sites.

  The handlers and at least one agent were found at unnamed (in the analysis) Universities.

  From this, it might have seemed like this was all occuring at just one site. It involved many sites.

• It is only known for sure that one of the networks that hosted an attacking agent used RFC 2267 egress filtering. Other sites may not be filtering, which would have made the attacks a success, but with a smaller than anticipated impact.

• Using RFC 2267 egress filtering solves the problem of forged packets making it harder for victims to trace where the packets are coming from, but as pointed out in the article and the analysis, it can make it harder for the agent (or "attacking", from the victim's perspective) site to tell when an attack is occuring and to gather necessary data to identify the system waging the attack.

  I am not trying to say sites shouldn't do egress filtering. On the contrary, I am just trying to say that they should filter, but they can't stop there and say they have "solved the problem." They have only solved one problem for one class of attacks, and it comes at a price. It also does nothing to prevent that site's systems from being used to host attacking agents, and other tools (like stacheldraht and TFN2K) can get past these same egress filters.

• There were three other researchers who contributed significantly to the analysis (George Weaver, Sven Dietrich, and Neil Long), and Andrew Korty of Indiana University also gathered evidence used in the analysis. I think I am being named soley in news stories because I was the lead author and posted the results of our work, but I did not do the entire analysis in two weeks by myself. This was a group effort and they all deserve credit, too.