
Dobbins, Roland wrote:
> The thorniest issues aren't technology-related, per se; they're legal exposure (both real and imagined), regulatory concerns (both real and imagined), antitrust concerns (both real and imagined), management/marketing/PR concerns (largely imagined), skillset shortages/concerns (very real), customer perception concerns (both real and imagined), and so forth.

Legal issues for a situation like this can easily be resolved; however, the problem boils down to who is willing to become "case law." There aren't many laws surrounding this topic. Antitrust and regulatory issues too can be trumped when businesses collectively conclude that it's for the best interest of everyone. I believe that too many perceive this imaginary 'brick wall' coming down on them and often take a step back, choosing to do nothing, then coming back and wondering why their businesses are now listed on DataLossDB.org.

Customer perceptions and concerns very real? I'm curious to know what your perception is. As a customer *somewhere* down the line, if a business slash vendor told me they were working with other businesses to deter/minimize fraud, I'd be all for it. I can think of any situation where I would come around to a grinding halt:

E.g.: From Starbucks: "We're working with SEARS to minimize theft/fraud..." Me: "OMG No! You better not work to make sure thieves don't get ahold of my data!"

I didn't follow that glaringly big "very real." If you mean on the bits side of things...

E.g. (myself working at an ITSP) My competitor: "We're working to make an attacker database to defend ourselves from toll-fraudsters, care to join?" ... Me: "No way in hell I'm going to defend myself because you're seeing more attacks. Thanks but no thanks!"

Maybe naivete on my part, but I don't see how customers would have issues if the scenario/framework was concisely explained.

> The second tier of barriers are those surrounding trust. It's basically a sociological analogue of 'the PKI problem'.

Anyone here not peering, raise your hand?! Sure there will be trust issues, those too can be overcome. A "vetting" process could be implemented and selected individuals can be "voted" in or out. We "trust" NANOG to select the best individual to moderate this list. At the granular level, I don't know anything about the moderator, yet I trust my peers knew enough to give them a vote of confidence. Should I go back and create a dossier on the moderator or should I trust my peers? I think for the most part it's a "so far so good" situation. Life goes on until otherwise noted.

> Technology issues form the third set of barriers. Yes, they're real and they're important, but if we could wiggle our noses a la Elizabeth Montgomery and make all the technology issues go away, the other sets of issues would still preclude any kind of universal solution, for some value of 'solution'.

Here is a semi-universal solution... Throw an N-Byte field into the TCP protocol and label it "dirty" the dirty bit. The dirty bit would be for a combination of a host and/or other identifier which came into the radar N amount of times. The dirty bit would automatically get populated into every routing table X amount of time where if a "dirty bit" tried to route traffic from ANYWHERE, after some time, even its own TCP stack wouldn't let it route out. Even the collaboration of about 12 major companies (MS, Cisco, Juniper, Sun, IBM) would likely cut the likelihood of attacks to probably in the teen percentile.

> That's one of the reasons why a lot of people who make sweeping generalizations and recommendations about 'cyber-this' and 'cyber-that' tend not to have a good grasp of even the fundamentals - they aren't the folks who do the actual work, they don't know who does the actual work, and they often don't know anybody who knows somebody who actually does the actual work. They often don't even know that actual work is taking place, or what it entails, in the first place, because the actual work takes place out of the limelight.

Acknowledged... Still I believe a framework (anti-malicious/pattern-matching/dirty-host) is long overdue. I also believe far too many people take the "NIMBY" approach and make excuses as opposed to solutions. This is seriously evident based on the amount of responses to something which is (I perceive to be) mission critical. More so than arguing over the pros and cons of NOT doing anything.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E