On Fri, 10 Mar 2000, Kelly J. Cooper wrote:
People who coordinate these kinds of consortia do so on a practically full-time basis if they want to get anything done.
Having sat on the board of such an organization, I know this full well. I've also come to realize that this is because many such organizations attempt to do far too many things.
If a specific ISP sponsors the group, what's to stop the rest of the world from accusing that ISP of bias?
I wasn't suggesting any one ISP sponsor such an entity by itself.
Same issue with a vendor. The problems of anti-trust are very serious in this arena.
That is entirely dependent on the scope of the organization, how it is formed, and how it behaves in operation.
If you have an elected board doing volunteer work and meeting on a periodic basis to discuss security, you suffer from the same problem of resources without someone more dedicated to shepherding the process along.
What I've suggested is a much narrower focus initially: creating workable communication/procedures protocols for NOC<->NOC event handling. That's it. Effective communication and event handling is what is needed most IMO, and that which is completely lacking among providers. Having these things would have served to both greatly decrease the length and severity of the recent round of attacks, and more importantly may have significantly aided attempts to track down the perpetrator. People are going to continue to run insecure boxes/networks. People are going to continue to author insecure code. It's a fact of life. It's not a problem that is going to be solved in the short or mid-term by anyone. That is why I feel so strongly that working on a problem where there is a reasonable chance of solving it (communication) is of much greater benefit to the community at large. It certainly is a better expenditure of my time which is a rare commodity and not something I am eager to waste.
All the groups suffer from the same problems - they slack off, lose funding, re-invent themselves, start some new subgroup, try to drum up interest, etc. Because sustained volunteer work is HARD. If you don't think it's hard, then you don't have enough to do.
Again, like you, I've been there. I know all too well the difficulties surrounding volunteer labor in this arena. However as I stated above, I believe this is due to a scoping issue. Trying to be the "all-singing all-dancing organization" is what leads to these failures. As an example of a relatively successful community-based effort take a look at the RBL. It has maintained a fairly narrow focus, and succeeded on that basis. It should serve as evidence that carefully scoped organizations *can* succeed.
This cycle is old. I know I'm bored with it.
So now what?
That's up to you.
How do you propose to cull the wheat from the chaff?
By doing what I've already done: ask that those among us who are willing to put their money where their mouths are do so. It is seemingly damn near the quickest way of shutting up the uncommitted.
Because if it was just as easy as kicking in a few bucks to yet another consortium, I'd do it in a heartbeat.
That of course isn't enough. The only way that these things are going to get fixed is if people care enough to do so. I'm not holding my breath....
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell          Earth is a single point of failure.
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/