[Operational] Internet Police
My question is what architectural recommendations will you make to your employer if/when the US Govt compels our employers to accept our role as the "front lines of this "cyberwar"? I figure once someone with a relevant degree of influence in the govts realizes that the "cyberwar" is between content/service controllers and eyeballs. With involuntary and voluntary botnets as the weapons of "the eyeballs", relying exclusively on a line of defense near to the content (services) leaves a great expanse of "battlefield". I would expect the content/service controllers to look for means to move the battleline as close to the eyeballs as possible (this community) So... if/when our employers are unable to resist the US Govt's demand that we "join in the national defense", wouldn't this community be the ones asked to guard the border? Assuming the govt won't send federal agents into each of our NOCs, won't our employers ask us "what can we do?" If inspecting and correlating every single packet/flow for attack signatures is not feasible (on scale), are there name/address registration/resolution measures that could effectively lock-down the edge? ...will we look toward China/Saudi Arabia/etc for lessons learned in there 'great firewalls' to develop a distributed version where central control pushes policy out to the edge (into the private networks that currently provide the dreaded "low barrier for entry")? Obviously the environment is created by layers 8/9, but I'm interested in the layer 1-7 solutions that the community would consider/recommend. -Michael
How is "what to block" identified? ...by content key words? ..traffic profiles / signatures? Deny all, unless flow (addresses/protocol/port) is pre-approved / registered? What does the technical solution look like? Any solutions to maintain some semblance of freedom? On Thu, Dec 9, 2010 at 1:25 PM, Jack Bates <jbates@brightok.net> wrote:
On 12/9/2010 12:19 PM, Michael Smith wrote:
So... if/when our employers are unable to resist the US Govt's demand that we "join in the national defense", wouldn't this community be the ones asked to guard the border?
CALEA
done
On 12/9/2010 12:31 PM, Michael Smith wrote:
How is "what to block" identified? ...by content key words? ..traffic profiles / signatures? Deny all, unless flow (addresses/protocol/port) is pre-approved / registered?
CALEA doesn't provide block. It provides full data dumps to the authorities. It's up to them to analyze, prove illegality, and seek warrants. A single CALEA tap on a bot, for example, could provide the government with a bot controller, or with details of what a specific bot is doing. A tap on the controller itself could show the large number of bots and their location, or provide the next step in backtracking the connection to the person using the controller. On and On. Is it ideal? No. Is it possible to do within current law, until it crosses international boundaries, but even then there is some amount of recourse. The law is designed to track down and prosecute people, not stop malicious activity. In order for the law to try and stop malicious activities (digital or real), it must place constraints on our freedoms. See TSA/Airport Security. Jack
On Dec 9, 2010, at 10:44 AM, Jack Bates wrote:
[CALEA] is designed to track down and prosecute people, not stop malicious activity.
Right.
In order for the law to try and stop malicious activities (digital or real), it must place constraints on our freedoms. See TSA/Airport Security.
Or, more relevant to NANOG, see COICA (http://www.gpo.gov/fdsys/pkg/BILLS-111s3804rs/pdf/BILLS-111s3804rs.pdf). Regards, -drc
Let's put it this way. 1. If you host government agencies, provide connectivity to say a nuclear power plant or an army base, or a bank or .. .. - you'd certainly work with your customers to meet their security requirements. 2. If you are a service provider serving up DSL - why then, there are some governments (say Australia) that have blacklists of child porn sites - and I think Interpol came up with something similar too. And yes there's CALEA and a few other such things .. not much more that's new. Separating rhetoric and military metaphors will help you see this a lot more clearly. As will not dismissing the entire idea with contempt. As a service provider for anything at all, you'll see your share of attacks. Whether coordinated by 4chan or by comrade joe chan shouldnt really matter, except at the level where you work with law enforcement etc to coordinate a response that goes beyond the technical. [And ALL responses to these are not going to restrict themselves to being solvable by technical means]. --srs On Fri, Dec 10, 2010 at 12:01 AM, Michael Smith <michael@hmsjr.com> wrote:
How is "what to block" identified? ...by content key words? ..traffic profiles / signatures? Deny all, unless flow (addresses/protocol/port) is pre-approved / registered?
What does the technical solution look like?
Any solutions to maintain some semblance of freedom?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
And if I ever find the genius who came up with the "we are not the internet police" meme ... On Fri, Dec 10, 2010 at 12:19 AM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Let's put it this way.
1. If you host government agencies, provide connectivity to say a nuclear power plant or an army base, or a bank or .. .. - you'd certainly work with your customers to meet their security requirements.
2. If you are a service provider serving up DSL - why then, there are some governments (say Australia) that have blacklists of child porn sites - and I think Interpol came up with something similar too. And yes there's CALEA and a few other such things .. not much more that's new.
Separating rhetoric and military metaphors will help you see this a lot more clearly. As will not dismissing the entire idea with contempt.
As a service provider for anything at all, you'll see your share of attacks.
Whether coordinated by 4chan or by comrade joe chan shouldnt really matter, except at the level where you work with law enforcement etc to coordinate a response that goes beyond the technical. [And ALL responses to these are not going to restrict themselves to being solvable by technical means].
--srs
On Fri, Dec 10, 2010 at 12:01 AM, Michael Smith <michael@hmsjr.com> wrote:
How is "what to block" identified? ...by content key words? ..traffic profiles / signatures? Deny all, unless flow (addresses/protocol/port) is pre-approved / registered?
What does the technical solution look like?
Any solutions to maintain some semblance of freedom?
-- Suresh Ramasubramanian (ops.lists@gmail.com)
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On Fri, Dec 10, 2010 at 12:42 AM, Randy Bush <randy@psg.com> wrote:
And if I ever find the genius who came up with the "we are not the internet police" meme ...
he died over a decade ago
All due respect to him, but I didnt want to kick his teeth in or anything, merely ask if he'd like to reconsider it, given the new security threats we all face that have outdated that meme. -- Suresh Ramasubramanian (ops.lists@gmail.com)
On Thu, Dec 9, 2010 at 1:12 PM, Randy Bush <randy@psg.com> wrote:
And if I ever find the genius who came up with the "we are not the internet police" meme ...
he died over a decade ago
He also said "The Internet works because a lot of people cooperate to do things together" Remove the "together" and there is no Internet. -J
On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
"front lines of this "cyberwar"?
Warfare isn't the correct metaphor. Espionage/covert action is the correct metaphor. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Sell your computer and buy a guitar.
On Thu, Dec 09, 2010 at 06:26:30PM +0000, Dobbins, Roland wrote:
On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
"front lines of this "cyberwar"?
Warfare isn't the correct metaphor.
Espionage/covert action is the correct metaphor.
"Low intensity conflict" may be more correct. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin
mikea <mikea@mikea.ath.cx> writes:
On Thu, Dec 09, 2010 at 06:26:30PM +0000, Dobbins, Roland wrote:
On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
"front lines of this "cyberwar"?
Warfare isn't the correct metaphor.
Espionage/covert action is the correct metaphor.
"Low intensity conflict" may be more correct.
For the past several years I've felt that "cyber-intifada" was the proper trope, but so far it has failed to grow legs. -r
On Dec 10, 2010, at 10:01 AM, Robert E. Seastrom wrote:
"cyber-intifada" was the proper trope, but so far it has failed to grow legs.
The problem is that non-ironic use of the appellation 'cyber-' is generally inversely proportional to actual clue, so it should be avoided at all costs. ;> ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Sell your computer and buy a guitar.
Butlerian Jihad. -Bill On Dec 9, 2010, at 19:02, "Robert E. Seastrom" <rs@seastrom.com> wrote:
mikea <mikea@mikea.ath.cx> writes:
On Thu, Dec 09, 2010 at 06:26:30PM +0000, Dobbins, Roland wrote:
On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
"front lines of this "cyberwar"?
Warfare isn't the correct metaphor.
Espionage/covert action is the correct metaphor.
"Low intensity conflict" may be more correct.
For the past several years I've felt that "cyber-intifada" was the proper trope, but so far it has failed to grow legs.
-r
On Thursday, December 09, 2010 01:26:30 pm Dobbins, Roland wrote:
On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
"front lines of this "cyberwar"? Warfare isn't the correct metaphor.
Espionage/covert action is the correct metaphor.
In reality DoS threats/execution of those threats/ 'pwning' / website vandalism are all forms of terrorism. An easily pronounceable version with a 'net-' 'e-' or even 'cyber-' prefix..... is difficult.
On 12/10/2010 11:08 AM, Lamar Owen wrote:
In reality DoS threats/execution of those threats/ 'pwning' / website vandalism are all forms of terrorism. An easily pronounceable version with a 'net-' 'e-' or even 'cyber-' prefix..... is difficult.
I thought "e-*" was so yesterday, wouldn't this be "i-*" or to be more complete "i-* 2.0" -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
On Fri, Dec 10, 2010 at 10:08 AM, Lamar Owen <lowen@pari.edu> wrote:
On Thursday, December 09, 2010 01:26:30 pm Dobbins, Roland wrote:
On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
"front lines of this "cyberwar"? Warfare isn't the correct metaphor.
Espionage/covert action is the correct metaphor.
In reality DoS threats/execution of those threats/ 'pwning' / website vandalism are all forms of terrorism. An easily pronounceable version with a 'net-' 'e-' or even 'cyber-' prefix..... is difficult.
Terrorism? Hell, I guess you're right since the definition of "terrorism" seems to extend to anything remotely criminal and scary. Especially if more than one person is involved. I bet the old school terrorists who believed terrorism required massive panic are quite disturbed by this lowered bar for success. I think thats a lot of undue credit given to basic criminal behavior and watching the boogieman come out because the perpetrators either can't be stopped or the reality that SPs apparently don't care to stop it. To the folks out there that presently work for an SP, if someone called you (or the relevant department) and gave you a list of end-user IPs that were DDoSing this person/entity, how long would you take to verify and stop the end user's stream of crap? Furthermore, what is the actual incentive to do something about it? -- William McCall
On 12/10/2010 10:44 AM, William McCall wrote:
To the folks out there that presently work for an SP, if someone called you (or the relevant department) and gave you a list of end-user IPs that were DDoSing this person/entity, how long would you take to verify and stop the end user's stream of crap? Furthermore, what is the actual incentive to do something about it?
It falls under standard abuse role, though if the destination just wants a filter or their IP nullrouted, that is usually accommodated immediately. Jack
From: William McCall Sent: Friday, December 10, 2010 8:45 AM To: Lamar Owen Cc: nanog@nanog.org Subject: Re: [Operational] Internet Police
To the folks out there that presently work for an SP, if someone called you (or the relevant department) and gave you a list of end-user IPs that were DDoSing this person/entity, how long would you take to verify and stop the end user's stream of crap? Furthermore, what is the actual incentive to do something about it?
The behavior is no different than a street gang who would attempt to influence the behavior of a local merchant by threatening damage to the store. In the case of internet operations, we seem to tolerate the behavior or simply assume little can be done so many don't even try. If an ISP were to actively disconnect clients who were infected with a bot (intentionally infected or not), the end users themselves might be a little more vigilant at keeping their systems free of them. *But* any ISP doing that would also have to be prepared to invest some effort in trying to help absolutely clueless people (in many cases) remove these bots from their systems. It can quickly become a huge time swamp.
On 12/10/2010 11:45 AM, George Bonser wrote:
If an ISP were to actively disconnect clients who were infected with a bot (intentionally infected or not), the end users themselves might be a little more vigilant at keeping their systems free of them.*But* any ISP doing that would also have to be prepared to invest some effort in trying to help absolutely clueless people (in many cases) remove these bots from their systems.
Works well for the most part, and if they are clueless, they can seek professional help from a computer tech. Jack
On 12/10/2010 07:45 AM, George Bonser wrote:
From: William McCall Sent: Friday, December 10, 2010 8:45 AM To: Lamar Owen Cc: nanog@nanog.org Subject: Re: [Operational] Internet Police
To the folks out there that presently work for an SP, if someone called you (or the relevant department) and gave you a list of end-user IPs that were DDoSing this person/entity, how long would you take to verify and stop the end user's stream of crap? Furthermore, what is the actual incentive to do something about it? The behavior is no different than a street gang who would attempt to influence the behavior of a local merchant by threatening damage to the store. In the case of internet operations, we seem to tolerate the behavior or simply assume little can be done so many don't even try. If an ISP were to actively disconnect clients who were infected with a bot (intentionally infected or not), the end users themselves might be a little more vigilant at keeping their systems free of them. *But* any ISP doing that would also have to be prepared to invest some effort in trying to help absolutely clueless people (in many cases) remove these bots from their systems. It can quickly become a huge time swamp.
Not to mention the risk of lost business for customers that just can't be bothered to fix broken machines. Paul
Not to mention the risk of lost business for customers that just can't be bothered to fix broken machines.
Paul
That supposes that another ISP would accept their bot-infected machine. It would require some cooperation among the providers. And should some ISP get the reputation of being a bot-haven, then maybe their customers might notice connectivity issues.
On 12/10/2010 07:59 AM, George Bonser wrote:
Not to mention the risk of lost business for customers that just can't be bothered to fix broken machines.
Paul
That supposes that another ISP would accept their bot-infected machine. It would require some cooperation among the providers. And should some ISP get the reputation of being a bot-haven, then maybe their customers might notice connectivity issues.
Unless you can get every company to sign up to an agreement it will never work. Even then you'll still find unscrupulous companies that are far more interested in revenue than reputation. There are a number of hosting companies I'm sure most network professionals are aware of that are regular bases for C'n'C servers.
On 12/10/2010 12:07 PM, Paul Graydon wrote:
Unless you can get every company to sign up to an agreement it will never work. Even then you'll still find unscrupulous companies that are far more interested in revenue than reputation. There are a number of hosting companies I'm sure most network professionals are aware of that are regular bases for C'n'C servers.
Why does it matter? If a customer isn't going to run a clean system, why would you want them on your network? Commodity customers are quick shutoffs, while businesses often have valid contacts to work with to resolve the issue without a full cutoff. If they go to the competition, it's one less problem for me to deal with in the future (as repeat offenses are not uncommon). MOST of the customers I suspend service due to bots/spam/etc are happy with the service (once they realize the pretty locks on their web browser don't secure their communications from infections). Jack
On 10/12/10 8:08 AM, Lamar Owen wrote:
On Thursday, December 09, 2010 01:26:30 pm Dobbins, Roland wrote:
On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
"front lines of this "cyberwar"? Warfare isn't the correct metaphor. Espionage/covert action is the correct metaphor. In reality DoS threats/execution of those threats/ 'pwning' / website vandalism are all forms of terrorism.
No one was "terrorized" because they couldn't reach MasterCard or because MasterCard's website was defaced. Vandalism doesn't even begin to equate to terrorism. You demean everyone who has been impacted by true terrorism by trying to equate these relatively trivial events with the real events of terrorism. We *really* don't need Homeland Security and TSA deciding that cyber-vandalism falls into the realm of terrorism and thus comes under their purview to "protect us against". Their security theater at the airport is too much already, I can't begin to imagine how badly they could screw it up if they had a mandate to implement similar "protective" processes on the internet. jc
On Fri, Dec 10, 2010 at 11:46 AM, JC Dill <jcdill.lists@gmail.com>
We *really* don't need Homeland Security and TSA deciding that cyber-vandalism falls into the realm of terrorism and thus comes under their purview to "protect us against". Their security theater at the airport is too much already, I can't begin to imagine how badly they could screw it up if they had a mandate to implement similar "protective" processes on the internet.
jc
Now, we're getting to the original question. If the Federal Govt decides that state secrets and ability to conduct commerce raise this to the level of a "global guerrilla war", we can all laugh it off for its absurity, but I'm curious what architectural and operational decisions will be if we are *ordered* to consider what options are available... ..or... would it simply be a NSA/DoD appliance that we're all required to place in-line....?...
On Friday, December 10, 2010 11:46:43 am JC Dill wrote:
On 10/12/10 8:08 AM, Lamar Owen wrote:
In reality DoS threats/execution of those threats/ 'pwning' / website vandalism are all forms of terrorism.
No one was "terrorized" because they couldn't reach MasterCard or because MasterCard's website was defaced. Vandalism doesn't even begin to equate to terrorism. You demean everyone who has been impacted by true terrorism by trying to equate these relatively trivial events with the real events of terrorism.
As I sat deciding on the words to use before hitting send, that, even though the word terrorism is emotionally and politically charged, that it is an accurate, if vague, term, especially in the age of identity theft. And I say that having family members that have been impacted directly by terrorism, so I certainly am not intending to demean anyone, and I did carefully consider that some might consider it a demeaning statement. But the fact of the matter is that website defacement and DDoS can cause loss of income or even worse, depending upon the exact content of the defacement and the exact nature of the DDoS. Identity theft can cause loss of life due to the stress of mopping up afterwards. If your employer's bottom line is negatively impacted by a website defacement or by DoS, your job itself could be negatively impacted. Just because it's on the web or in e-mail or whatnot (I'm really resisting the c*space metaphor here) doesn't mean dire real-world consequences can't be felt.
On Fri, 10 Dec 2010 12:14:20 EST, Lamar Owen said:
Identity theft can cause loss of life due to the stress of mopping up afterwards.
Oh, give me a *break*. This is well off the end of the slippery slope. My car got totaled in a rear-end collision a few weeks ago. If I get so stressed dealing with my insurance company that I die of a heart attack, does that mean the guy who ran into me is guilty of murder? And for bonus points, is he guilty of *attempted* murder if I *don't* have a heart attack? No - in most jurisdictions, if I expire of a heart attack as an unforseen and unpredictable *direct* result of somebody's actions, that would maybe be manslaughter, not murder. And death during "mopping up afterwards" is *so* convoluted I don't think you could even get a win in a civil trial, where the standards of evidence are a lot lower than in criminal cases. Similarly, identity theft isn't committed with the *intent* that people will keel over - that's an unforeseeable and unpredictable result. On the other hand, *real* terrorism usually involved the *intent* that you're going to have some very messy corpses and/or fragments thereof. Let me know when you have a documented case of a DDoS launched with the *intent* of causing dead bodies in the street for the 6PM news crews, so that the populace is in fact terrrified.
On Fri, 10 Dec 2010 11:08:00 EST, Lamar Owen said:
In reality DoS threats/execution of those threats/ 'pwning' / website vandalism are all forms of terrorism.
Let's not dilute the meaning of terrorism to the point where graffiti, cyber or otherwise, is classifed as terrorism. The USA Patriot act says: "activities that (A) involve acts dangerous to human life that are a violation of the criminal laws of the U.S. or of any state, that (B) appear to be intended (i) to intimidate or coerce a civilian population, (ii) to influence the policy of a government by intimidation or coercion, or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping, and (C) occur primarily within the territorial jurisdiction of the U.S." I don't think Joe SIxpack felt intimidated or coerced by a few DDoS attacks, nor did it seem to do much to change official US policy (mostly because the guys in DC are running around like the Headless Horsechicken trying to figure out what our policy *IS*). And it's the rare DDoS that becomes an act "dangerous to human life". I believe the word you wanted was "hooliganism". And we have a legal system that has about 3,000 years of experience in dealing with *that*, thank you very much.
On 12/10/2010 11:06 AM, Valdis.Kletnieks@vt.edu wrote:
The USA Patriot act says: "activities that (A) involve acts dangerous to human life that are a violation of the criminal laws of the U.S. or of any state, that (B) appear to be intended (i) to intimidate or coerce a civilian population, (ii) to influence the policy of a government by intimidation or coercion, or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping, and (C) occur primarily within the territorial jurisdiction of the U.S."
At most, B ii applies, but if I'm not mistaken, A, B, and C must all occur by that statute (the giveaway is C, as it doesn't make sense as a single condition). The Patriot act seems to discount foreign terrorism (unsurprising), but even going by A and B, the DDOS would have to be dangerous to human life and be illegal by US/state law, in addition to intimidating (which purposefully being dangerous to human life definitely falls under intimidation). So attacking infrastructure (effecting traffic lights, power, air traffic control systems, etc) would fall under terrorism (regardless of attack mechanism). I don't think one could constitute the inability to sell a product or process a payment as life threatening. Those acts fall under other legal definitions. Jack
On 12/10/2010 11:37 AM, Jack Bates wrote:
assassination, or kidnapping, and (C) occur primarily within the
At most, B ii applies, but if I'm not mistaken, A, B, and C must all occur by that statute (the giveaway is C, as it doesn't make sense as a single condition).
err, or one could just go by the use of "and". head. desk. Jack
On 12/10/10 9:06 AM, Valdis.Kletnieks@vt.edu wrote:
On Fri, 10 Dec 2010 11:08:00 EST, Lamar Owen said:
I believe the word you wanted was "hooliganism". And we have a legal system that has about 3,000 years of experience in dealing with *that*, thank you very much.
The code of hamurabi or ur-nammu would probably cut off your hand or require the payment of several minas of silver. The failure isn't one of the legal system not having the tools to prosecute this sort of activity, it's the failure to effectively police it. Other attractive nusances the cause economic damage such as graffiti and antisocial behavior(of which much of this dos activity clearly is) have been around longer than the code of ur-nammu and we haven't solved them yet either.
check the agreed maintenance windows as defined in the (SLA)section Maintenance Plans - etc ----- Original Message ---- From: Joel Jaeggli <joelja@bogus.com> To: Valdis.Kletnieks@vt.edu Cc: nanog@nanog.org Sent: Fri, December 10, 2010 6:48:41 PM Subject: Re: [Operational] Internet Police On 12/10/10 9:06 AM, Valdis.Kletnieks@vt.edu wrote:
On Fri, 10 Dec 2010 11:08:00 EST, Lamar Owen said:
I believe the word you wanted was "hooliganism". And we have a legal system that has about 3,000 years of experience in dealing with *that*, thank you very much.
The code of hamurabi or ur-nammu would probably cut off your hand or require the payment of several minas of silver. The failure isn't one of the legal system not having the tools to prosecute this sort of activity, it's the failure to effectively police it. Other attractive nusances the cause economic damage such as graffiti and antisocial behavior(of which much of this dos activity clearly is) have been around longer than the code of ur-nammu and we haven't solved them yet either.
Obviously the environment is created by layers 8/9, but I'm interested in the layer 1-7 solutions that the community would consider/recommend.
BGP blackhole communities is a good way to push the problem upstream, assuming your provider will agree to it. In theory, that could also work on a larger scale, but it becomes a matter of trust (as has been discussed many times before .. "just because *you* say it's bad, doesn't make it so"). Cheers, Michael Holstein Cleveland State University
On Dec 9, 2010, at 10:19 AM, Michael Smith wrote:
My question is what architectural recommendations will you make to your employer if/when the US Govt compels our employers to accept our role as the "front lines of this "cyberwar"?
I figure once someone with a relevant degree of influence in the govts realizes that the "cyberwar" is between content/service controllers and eyeballs. With involuntary and voluntary botnets as the weapons of "the eyeballs", relying exclusively on a line of defense near to the content (services) leaves a great expanse of "battlefield". I would expect the content/service controllers to look for means to move the battleline as close to the eyeballs as possible (this community) So... if/when our employers are unable to resist the US Govt's demand that we "join in the national defense", wouldn't this community be the ones asked to guard the border?
Assuming the govt won't send federal agents into each of our NOCs, won't our employers ask us "what can we do?"
If inspecting and correlating every single packet/flow for attack signatures is not feasible (on scale), are there name/address registration/resolution measures that could effectively lock-down the edge? ...will we look toward China/Saudi Arabia/etc for lessons learned in there 'great firewalls' to develop a distributed version where central control pushes policy out to the edge (into the private networks that currently provide the dreaded "low barrier for entry")?
Obviously the environment is created by layers 8/9, but I'm interested in the layer 1-7 solutions that the community would consider/recommend.
-Michael
In my ever-so-humble opinion, this is not primarily about copyrighted material; it is primarily about content control. Go to any country in the world; they have something they wish wasn't available on the net. It might be child pornography, pornography in general by some definition of that term or lack thereof, journalist reports regarding their country or certain events in their country, paparazzi photos of their leaders or their consorts, or comments or comics featuring important religious figures or violating local social norms (did you know that DSLRs are illegal in Kuwait unless one is a registered journalist?). The UN Al Qua'da Task Force would like to block all files that originate from Al Qua'da. During the US 2004 presidential elections, one of the candidates suggested using CleanFeed to suppress information about dog racing. It might be COICA, HADOPI, or some municipal court judge who has no idea what he is asking but makes a decree that <something> should go away. They are all, at the end of the say, talking about the same thing: "we don't care what other countries or other people think; in our country, <something> should not be available on the Internet." Which is to say that they think that they should be in control of some bit of content. Content control, which they might well decry when others do it and respond very poorly when you point out their own actions. I would note that in many cases similar laws already exist in the various countries' legal systems. For some reason, rather than enforcing the existing law of the land, they feel compelled to make a new law that is specific to the Internet. I asked a lawyer advocating yet another such a law about this once, trying to find out why she thought that was necessary. Her response was that the existing law of the land had been found in court after court and jurisdiction over jurisdiction to be unimplementable and unenforceable; a certain famous statement about the definition of obscenity comes to mind, and very appropriately. "If I have the law, it gives me one more chance to argue the case in court". A case she freely admitted that she would very likely lose. If your boss comes to you and asks you to be part of it, my suggestion (I am not a lawyer, and this is not legal advice) would be to first ask him whether he has a court order. If you are obligated to comply, you are obligated to comply. But in any event, I would suggest that he read http://www.washingtonpost.com/wp-dyn/content/article/2010/12/08/AR2010120804.... I suspect we will be reading similar articles about some 70 sites that have been taken down recently, and in some cases they may take whoever-did-it to court and win a judgement. The Internet routes around failure, and people who think they can control content are notorious for failing. That's not a political viewpoint; some of those things that folks would like to go away probably should. From a very pragmatic and practical perspective, any technical mechanism that has been proposed is trivially defeated. The first implementers of DKIM were the spammers. What does CleanFeed do with https or encrypted BitTorrent? DNS Blocking is very interesting in a DNSSEC world, and is trivially overcome by purchasing a name in another TLD - or a thousand of them. Null routes block access to specific addresses; move the content, and the null route is a waste of bits. Look at how successful we have been in erasing botnets from our memory, or viruses, or spam. The way to address these things is not to childishly wish there was a magic silver bullet that would make the problem go away. If it's against the law, and in most cases the content that folks want to control is, go arrest the guy. That's not to say that you couldn't use technologies like CleanFeed or Lawful Intercept, if you use them lawfully, to gather forensic evidence. But that's a far cry from pretending to make the content go away.
Once upon a time, Fred Baker <fred@cisco.com> said:
did you know that DSLRs are illegal in Kuwait unless one is a registered journalist?
Did you know that they are not? http://thenextweb.com/me/2010/11/30/kuwait-dslr-ban-does-not-exist-after-all... This is like the people attacking EasyDNS because they took wikileaks.org down. Oops, except it wasn't, it was EveryDNS. I read it on the Internet so it must be true! -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
participants (23)
-
Bill Woodcock -
Chris Adams -
David Conrad -
Dobbins, Roland -
Fred Baker -
George Bonser -
isabel dias -
J. Oquendo -
Jack Bates -
JC Dill -
Joel Jaeggli -
Jorge Amodio -
Lamar Owen -
Michael Holstein -
Michael Smith -
Michael Smith -
mikea -
Paul Graydon -
Randy Bush -
Robert E. Seastrom -
Suresh Ramasubramanian -
Valdis.Kletnieks@vt.edu -
William McCall