Re: For want of a single ethernet card, an airport was lost ...
-- Steven Haigh <netwiz@crc.id.au> wrote:
On 18/08/2007, at 5:09 PM, Suresh Ramasubramanian wrote:
Wow, one little article, sooo much FUD. This quote really takes the cake:
(((Nothing like that *so far,* that is. But why not dwell on the notion that terrorists can remotely transform the US Customs Service into a weapon against innocent travellers?)))
Oh noes! The terrerists can kill all the airports by installing dodgy network cards in a machine!
They don't even have to touch the hardware. :-) http://www.wired.com/science/discoveries/news/2006/11/72051

- ferg

-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/
On Sat, 18 Aug 2007 17:09:10 GMT "Paul Ferguson" <fergdawg@netzero.net> wrote:
They don't even have to touch the hardware. :-)
Did you see what the GAO found when they audited the US-VISIT network? The summary is at http://www.washingtonpost.com/wp-dyn/content/article/2007/08/02/AR2007080202...; the full report is at http://www.gao.gov/new.items/d07870.pdf --Steve Bellovin, http://www.cs.columbia.edu/~smb
On 8/18/07, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
Did you see what the GAO found when they audited the US-VISIT network? The summary is at http://www.washingtonpost.com/wp-dyn/content/article/2007/08/02/AR2007080202...; the full report is at http://www.gao.gov/new.items/d07870.pdf
As usual with security, it's a tradeoff between goals, threat models, economics, and competence.

While the goals of the system, as identified by the GAO, include a brief phrase about "facilitate legitimate travel and trade", the rest of the report appears to entirely ignore it. It focuses on attackers, and bad guys trying to get in, and the closest the report gets to anything about reliability or business continuity is a bit about preventing attackers from carrying out denial of service attacks. Given the ability of one bad network card to take down the network, and given a set of operational plans that keeps incoming international travelers confined to their airplanes for hours at an airport the size of LAX which handles a lot of connections between international and domestic or other international flights, it appears that the designers of both the technical and operational sides are also ignoring the goal of facilitating legitimate travel and trade.

I can't say I'm surprised, either. While treating travellers well probably won't be one of their goals until there's a major change in government philosophy, perhaps they can improve service by anthropomorphizing those evil terrorists named "Father Time", "Murphy", "Router Bugs", and "Bubba the Backhoe Driver". Certainly the operational side didn't have processes for supporting travellers with reasonable-looking papers in the event of a computer failure.

About two decades ago there was a network failure that took out all three New York City area airports, caused by one guy with wire cutters who was in the wrong manhole in Newark. If the FAA had a set of dial backup modems at each of the airports, they could have worked around it, but they believed strongly that the shared civilian infrastructure wasn't reliable enough and they needed to have dedicated systems just for air traffic control.

---- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.
Thus spake "Bill Stewart" <nonobvious@gmail.com>
While the goals of the system, as identified by the GAO, include a brief phrase about "facilitate legitimate travel and trade", the rest of the report appears to entirely ignore it. ... it appears that the designers of both the technical and operational sides are also ignoring the goal of facilitating legitimate travel and trade. ... Certainly the operational side didn't have processes for supporting travellers with reasonable-looking papers in the event of a computer failure.
The problem is that if you have a second path of entry with lesser security protocols, attackers will find a way to get themselves onto that path. For instance, imagine the terrorists have papers that look legit but they know won't pass computer cross-references; any time they want to come in, they would just disrupt the computer network and force the agents to rely on the papers alone. That's why people get stuck on the runways waiting for the computers to come back up.

Such secondary procedures are okay in the banking world, where you can back out transactions that an audit reveals are fraudulent after the fact. The same does not apply to letting persons across a border where you can't retroactively deny them entry after they've killed a bunch of people (and, most likely, martyred themselves).

It's the same problem with voting systems, actually: the anonymity requirements mean all security hinges on making sure only authorized people vote, and only once at that; you can't back out fraudulent votes after they're cast, which is why all of the attacks are on the authorization system and being undetected in an audit doesn't matter.

S

Stephen Sprunk
CCIE #3723
K5SSS
"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking
On Mon, Aug 20, 2007 at 10:11:33PM -0500, Stephen Sprunk wrote:
The problem is that if you have a second path of entry with lesser security protocols, attackers will find a way to get themselves onto that path. For instance, imagine the terrorists have papers that look legit but they know won't pass computer cross-references; any time they want to come in, they would just disrupt the computer network and force the agents to rely on the papers alone. That's why people get stuck on the runways waiting for the computers to come back up.
So what happens when the attack changes from trying to harm/kill people to disrupting daily life in general? If the attackers (who may or may not be terrorists, whatever that means) can disrupt our networks whenever they want why isn't that a bigger problem than the fact they might slip a few people in? Remember, almost all of the 9/11 hijackers came into this country legitimately and had verifiable (if not legit) ID.

To bring this back into the sea of on-topicness, I invite you to remember the early 90s, when the biggest security problem a network operator had to face was compromised machines. Everyone "knew" that this was the only real aspect to computer security, and the fact that some sites could cram (a lot) more data down a pipe than others was known, but only crackpots thought it was a problem.

Then a little tool called smurf was released, and the game changed. It opened our eyes to the fact that not all security problems involve illegitimate access. We realized that a Denial of Service attack was just as bad, sometimes even worse, than a system compromise.

This same period gave rise to other tools that became the bane of network operators and irc users everywhere. Pepsi, winnuke, sping, jolt. These tools didn't do anything to help the user gain access to a system, but they allowed the user to cause just as much trouble. How many of you who were working in any capacity then can honestly say you never spent hours calling upstream providers to get a flow of packets stopped?

At some point our networks have to remain useful. If they can be shut down for hours or days at a time are they really secure?

-Zach
On Tue, 21 Aug 2007, Zach White wrote:
At some point our networks have to remain useful. If they can be shut down for hours or days at a time are they really secure?
The first question to ask in designing something is what you're trying to accomplish.

This is a mailing list of network operators, meaning that most of us are in the business of forwarding packets, or otherwise seeing that packets get forwarded. It matters very little what those packets are, as long as they get where they're supposed to go. If our networks stop forwarding packets, we've got a problem.

Compare that to somebody designing a bank vault. They've still got to be able to get things in and out, but their most important priority is that stuff that's supposed to stay in the vault stays in the vault. If somebody legitimate can't get the vault open that's annoying, but it's nowhere near the level of problem they'd have if the vault turned out to be openable by somebody who wasn't supposed to open it.

The question for the designers of immigration systems, then, is whether they're designing something like the Internet, intended to forward people through efficiently, or something like a bank vault, intended to keep people out. If the former, they'd presumably want to default to being open in the event of a failure. If the latter, they'd want to default to being closed in the event of a failure. If their goals are somewhere in the middle, it becomes a matter of weighing the costs of the two failure modes and deciding which one will do less damage. But at that point, it becomes a political question, not an engineering question and certainly not a network operations question, so it's beyond the scope of the NANOG list.

-Steve
Steven M. Bellovin wrote:
On Sat, 18 Aug 2007 17:09:10 GMT "Paul Ferguson" <fergdawg@netzero.net> wrote:
They don't even have to touch the hardware. :-)
Did you see what the GAO found when they audited the US-VISIT network? The summary is at http://www.washingtonpost.com/wp-dyn/content/article/2007/08/02/AR2007080202...; the full report is at http://www.gao.gov/new.items/d07870.pdf
Interesting. At SFO, US-VISIT shut down completely about 1-2 months ago. Maybe it will come back when they fix the system. Can't find any article confirming that the overall program was shut down, but I can verify that the US-VISIT program at SFO is gone, at least for the time being. michael
participants (7)
- Bill Stewart
- Michael Sinatra
- Paul Ferguson
- Stephen Sprunk
- Steve Gibbard
- Steven M. Bellovin
- Zach White