More federal management of key components of the Internet needed
It's starting already. I don't mean to diss any of the root server operators, they all do a great job. But in the past it seemed the federal agency sysadmins had the most difficult job getting the budget approval for upgrades, and seemed to always be behind the performance curve.
I don't understand how giving the US federal government management control of key components of the Internet will make it more secure. What steps could the US federal government take which non-governmental organizations aren't or couldn't do? Putting a root name server on a military base isn't really going to protect it from DDOS attacks.
Should root servers be located in the "middle" of backbones, instead of stub networks? Or do networks naturally "grow" towards root servers?
http://www.idg.net/ic_958962_1793_1-1681.html "More federal management of key components of the Internet infrastructure is needed, Julian and Brady agreed. That could include tax incentives or direct federal funding for private companies and public organizations managing key DNS servers to secure their systems, all of which are currently operated as a free service by companies, government entities and non-profit organizations.
"This showcases a specific vulnerability that requires the government to get involved," Julian said. "If you run a DNS server what is your monetary incentive to secure it? There is none. This is the number one area of focus that the government should have."
Hey, Sean, if it is against the law to yell FIRE in a crowded movie theatre in America... Why isn't it against the law to (s)Yell "FUD" at Congress ? :\
Sean Donelan wrote:
It's starting already.
It started with the USA Patriot Act, the beginning paroxysms of rigor mortis of the American Constitutional Rights under a new regime, and the "virtual" death of the Bill of Rights.... This is just a continuation of an ongoing trend. (IMHO) Remember, after 10 years of being declared "paranoid", and an "Enemy of the State", Abbie Hoffman was -absolutely right-! (CoinTelPro) Did anyone notice that under the new laws, -== Watergate is perfectly LEGAL ? ==- </rant- but, let that one sink in....really.> Yes, I know Susan... switching to on-topic. :P
I don't understand how giving the US federal government management control of key components of the Internet will make it more secure.
Neither do I. For example, I recently received a joint FBI/DOJ letter... (I believe if I leave out details, I am allowed to mention this here...) It informed me that, 10 MONTHS AGO, a list was found that had an -email domain- of ours, as a -possibly- affected -server-. (There is no such actual server, it is only an e-mail domain.. ) And, wanted me to see if there was any strange activity, somewhere in a 4 MONTH time frame, that I could see.... Oh, BTW, they had NO information on methodology, layer 3 protocol affected, ports, IP's.. and stated as such. -=Nothing=- (Not even a valid server name) And, ONLY, 10 MONTHS after the fact! Why, do you know in Internet Years, that would be..... urrr.....that would be... carry the zero's...square the root, hrmmm... I would be DEAD ? :* And these are the people that are going to -=improve=- security ? How, by sentencing Perps to death by OLD AGE ? :D
What steps could the US federal government take which non-governmental organizations aren't or couldn't do? Putting a root name server on a military base isn't really going to protect it from DDOS attacks.
Should root servers be located in the "middle" of backbones, instead of stub networks? Or do networks naturally "grow" towards root servers?
http://www.idg.net/ic_958962_1793_1-1681.html "More federal management of key components of the Internet infrastructure is needed, Julian and Brady agreed. That could include tax incentives or direct federal funding for private companies and public organizations managing key DNS servers to secure their systems, all of which are currently operated as a free service by companies, government entities and non-profit organizations.
"This showcases a specific vulnerability that requires the government to get involved," Julian said. "If you run a DNS server what is your monetary incentive to secure it? There is none.
Wrong, the monetary incentive is that -=your=- system remains operational, and your network UP, and responding.... when others don't. What, no one in congress associates "uptime" with a "monetary advantage" in business ? No WONDER they all bought from Enron. * S * (Just kidding)
This is the number one area of focus that the government should have."
I think they should be focusing on terrorist activity, if you ask me. * shrug * .Richard. -= FUD! it isn't a sales tool, it's a way of Managing a Nation. =- "God Bless America, and the American Constitution." I leave you with the Oath of Office of the American President: "I do solemnly swear (or affirm) that I will faithfully execute the Office of the President of the United States, and will to the best of my ability, preserve, protect and defend the -=constitution=- of the United States." Ok. One last Quote, from U2: "A Politicians Promise on the Day of Election"
Why isn't it against the law to (s)Yell "FUD" at Congress ?
Wouldn't do any good, they don't know any better. Few if any Congresscritters are techno-literate -- I spent 3 years on the Hill, saw it first hand....and it's not gotten much better. The only language most Congresscritters understand is $$$$ and how it relates to their staying elected by keeping their constituents somewhat happy and impressed with their performance.
I don't understand how giving the US federal government management control of key components of the Internet will make it more secure.
<Sean's Rant about FBI info request removed> Remember this is the same 'cybercrime agency' that when I-Love-Y0U was released, simply posted a NIPC warning saying "A New Virus Has Been Detected in the Philippenes." -- I was about to make sure my immunization records were up to date. Even after I called them from my NOC, and told them that the security community had already dissected the worm and there were sigs and countermeasures available, they didn't update the warning on NIPC.GOV for like 5 hours. A screenshot of that particular example of NIPC's expertise is immortalized here: http://www.infowarrior.org/articles/NIPC.jpg Commentary I did about NIPC's warning capability is here, if you're interested. http://www.infowarrior.org/articles/2000-06.html
And these are the people that are going to -=improve=- security ?
Hardly. They have a hard enough time passing information from one squad to another within the FBI, they're never going to be able to survive and interoperate in the Information Age against high-tech threats that move at packet speed. And don't get me started about Infragard.....ugh...
I think they should be focusing on terrorist activity, if you ask me.
Good idea, since they still haven't got that task down yet, either. Remember, the FBI - before and after its 2002 reorg - is, thanks to its internal culture, UNABLE to work well with outsiders, be they cops, the CIA, or ISP security teams. This has the unfortunate effect of severely torking those folks in the FBI that are intelligent and want to make a difference, but thanks to the system, their initiative is constrained by the 'status quo'. I feel sorry for some of these folks, they really do try, but the system there prevents them from being effective, thus partially explaining the mess the FBI and NIPC is in at the moment in responding to terrorism or hacker threats. re: The "DNS Attack" -- I'm hearing all this talk about DNS-on-CD that was some sort of research project that would be used during a loss of the roots. Anyone have any add'l info on what this is/was? Cheers from DC, Rick Infowarrior.org
On Wed, 23 Oct 2002, Sean Donelan wrote:
Should root servers be located in the "middle" of backbones, instead of stub networks? Or do networks naturally "grow" towards root servers?
http://www.idg.net/ic_958962_1793_1-1681.html "More federal management of key components of the Internet infrastructure is needed, Julian and Brady agreed. That could include tax incentives or direct federal funding for private companies and public organizations managing key DNS servers to secure their systems, all of which are currently operated as a free service by companies, government entities and non-profit organizations.
"This showcases a specific vulnerability that requires the government to get involved," Julian said. "If you run a DNS server what is your monetary incentive to secure it? There is none. This is the number one area of focus that the government should have."
This last quote is complete nonsense. The major reason an operator would want to keep a root server secure and available is, in my mind at least, the stigma associated with running a poor service. Something that EVERYONE on the Internet could notice as a problem is a very large burden to bear. Gov't requirements or management of this system is a non-starter, it's not going to increase the security or availability of the systems in the least. -Chris "I should have slept through yesterday" Morrow.
Hi, On 10/23/02 8:44 PM, "Christopher L. Morrow" <chris@UU.NET> wrote:
"This showcases a specific vulnerability that requires the government to get involved," Julian said. "If you run a DNS server what is your monetary incentive to secure it? There is none. This is the number one area of focus that the government should have." This last quote is complete nonsense. The major reason an operator would want to keep a root server secure and available is, in my mind at least, the stigma associated with running a poor service.
Unfortunately, this has not been the case historically. Stigma has taken a back seat to fiscal and/or bureaucratic realities (and the requests of the people on the front lines trying to fix the situation).
Something that EVERYONE on the Internet could notice as a problem is a very large burden to bear.
Actually, not really, since the most popular caching server homes into the name server that responds the fastest. Poorly performing name servers don't get asked questions, so no one really notices they suck unless they look.
Gov't requirements or management of this system is a non-starter, it's not going to increase the security or availability of the systems in the least.
That's very true. However, it seems to me politicians must be seen doing "something", regardless of whether the something makes a whole lot of sense technically. Rgds, -drc
Err. One should not post mail after long airplane flights and no sleep.
Unfortunately, this has not been the case historically. Stigma has taken a back seat to fiscal and/or bureaucratic realities (and the requests of the people on the front lines trying to fix the situation).
What I meant was that fiscal and/or bureaucratic realities overrode both stigma and the requests of people on the front lines trying to fix the situation. Rgds, -drc
At 07:05 AM 10/24/2002, Alan Hannan wrote:
It worked for airline security.
Oh, did it now? Just to paraphrase Sean's very professional language: Before the US government proposes to unilaterally take responsibility for a particular service it should consider its track record of providing parts of that particular service in the past. Not to mention that the service serves the World and not just the US. Daniel
On Wed, 23 Oct 2002, Alan Hannan wrote:
I don't understand how giving the US federal government management control of key components of the Internet will make it more secure.
It worked for airline security.
Yeah... removing shoes and "randomly" searching peace activists while allowing to carry on glass bottles containing unknown liquids on board. Holding air companies liable for lax security could've been a lot more efficient. --vadim
Alan Hannan wrote:
I don't understand how giving the US federal government management control of key components of the Internet will make it more secure.
It worked for airline security.
Sure, searching Ray Charles makes me feel much safer. Asking me whether any one helped me pack my bags or handed me a package always shows whether or not I should be trusted to get on the plane. Stopping a little boy from taking on a toy with a 1 inch long gun makes me feel safer too. These are the same people who can't be trusted to make sure that your luggage flies the same flight you do. Puh-leeze. There is not one single thing that goes on in airport "security" that contributes one whit to actual security. ...and surely you aren't suggesting that you want those same people to run the root servers. I'm just glad they aren't all in the US (so that there can be no preemptive strike by some poser-crazed congress critter). -- Only the mediocre are always at their best. Jean Giraudoux
Etaoin Shrdlu wrote (on Oct 24):
There is not one single thing that goes on in airport "security" that contributes one whit to actual security.
Having, on more than one occasion been allowed to board an aircraft in the US whilst accidentally carrying a Leatherman tool (complete with locking blades), and most recently only 2 or 3 weeks ago, I somewhat agree. I have friends who have managed to get on with sewing kits, those credit-card-sized Swiss-army jobbies, and all manner of other sharp pointy objects. In contrast, I made the same mistake in London once when on my way to Madrid, and never saw said tool again after it was confiscated. The only thing I've ever been stopped for in the US was forgetting my Palm was in my inside pocket when going through the metal detector. At the opposite extreme, Madrid airport has a habit of asking me to remove my belt and pass it through the xray machine, which I found a little odd at the time. That said, in my limited experience (and it may entirely be superficial) countries with Government run airport security tend to be more thorough - and that means Govt. employed people doing the job, not some 2-bit company they found down the road that gave the "best value for money" - we don't want cheap, we want security, without finger-pointing when it screws up. I don't think this necessarily applies to the problems of attacks (of the nature that started this discussion - sticking a few kilos of semtex inside your server case, wiring it to the parallel port and hosting that at 60 Hudson is very easy, but is a different discussion) on the Internet however. Prevention probably works only when you stand a reasonable chance of never letting the attack get near its target. In commercial air travel, that means the airport, which is the earliest common point before the aircraft. The Internet has no such common point, unless you define it to mean "the networks" - and that covers a lot of ground. Also in my experience, attacks on the Internet (DoS) tend to scale with the size of the target. 
If you happen to have a large unused line lying around, someone, somewhere, will find a way to fill it for you. An attack on my employer's network a few nights ago was of a scale enough to cause UUnet to call C&W, one of our upstreams, because it was of a scale large enough for them to notice it, even considering the size of the interconnects between them (and that's somewhat bigger than what we have from C&W.) If you spread the target over, say, 100 destinations, then the attacker with his virus-driven DDoS network need only infect a small percentage more machines and, given a command, will be able to mount just as effective an attack on most if not all of those distributed targets. Protecting the targets therefore won't help, however big/distributed you make the target - it may mitigate the effect of the attack, but it did not prevent people from being affected. Governments should not be allowed to say that even 1% of the population is an "acceptable loss" if at the same time what they were trying to protect was considered to be of importance to national security (or under many other classification). Government involvement here would only have marginal, if any, impact over what we can achieve ourselves. My personal feeling is we can do it quicker. So the role left open for Government involvement is tracking and removing attack sources and tracking and prosecuting the offenders responsible - which is within their remit already... The above are only examples that came to mind as I wrote this. If Government can make these problems go away, I'd love to hear about the method they would use. Meanwhile, we still have many attacks yet to come. Chris. -- == chrisy@flix.net
At 05:34 PM 10/24/2002 +0100, Chrisy Luke wrote:
That said, in my limited experience (and it may entirely be superficial) countries with Government run airport security tend to be more thorough - and that means Govt. employed people doing the job, not some 2-bit company they found down the road that gave the "best value for money" - we don't want cheap, we want security, without finger-pointing when it screws up.
The London airport that found and confiscated your leatherman tool is run by a publicly traded company, BAA Plc (http://www.baa.co.uk), not the government, as are pretty much all of the airports in the UK. There are local, UK and European airline security regulations, but the security people are paid for, employed by and answer to the airport company, not the government. BAA even sells airport security consulting services. Poor security is bad for business if you're an airport. Cheers, Mathew
On 05:16 AM 10/24/02, Etaoin Shrdlu wrote:
Alan Hannan wrote:
I don't understand how giving the US federal government management control of key components of the Internet will make it more secure.
It worked for airline security.
Sure, searching Ray Charles makes me feel much safer. Asking me whether any one helped me pack my bags or handed me a package always shows whether or not I should be trusted to get on the plane. Stopping a little boy from taking on a toy with a 1 inch long gun makes me feel safer too. These are the same people who can't be trusted to make sure that your luggage flies the same flight you do. Puh-leeze.
There is not one single thing that goes on in airport "security" that contributes one whit to actual security.
Amazingly enough, Admiral James M. Loy - the new COO of the Transportation Security Administration, shows strong signs of having a clue WRT security, see: <http://www.cnn.com/2002/US/08/23/loy.cnna/> In an opinion piece by Joseph Perkins (San Diego Union-Tribune columnist, the article ran in the SF Chronicle on 10/21 but I can't find it online anywhere), it lists a bunch of the present stupid rules, and then goes on to say: So those dictates and others like them, included on Loys' not-so-facetiously named "Stupid Rule List," have been thrown out. The litmus test in each case, he explained, is whether a rule substantively contributes to security or primarily to longer airport lines. There are several online references to this list, see: <http://www.apfa.org/public/articles/News-Events/STUPID_RULES.HTML> <http://www.washingtonpost.com/wp-dyn/articles/A32246-2002Oct15.html> ObNetwork Operations: Does this mean I can once again carry a cable crimper tool with me in my carry on luggage (one was confiscated at SFO a few months ago, the cable cutting blades were deemed a "potential weapon")? jc
I saw in a forum on ExtremeTech (where they had an article ranting about how the internet was almost brought to its knees) http://www.extremetech.com/article2/0,3973,646157,00.asp that after the root servers attack the gTLD's were attacked as well, taking out .biz, .info, and .gov ... can anyone verify if anything happened?
*********** REPLY SEPARATOR ***********
On 10/23/2002 at 10:05 PM Alan Hannan wrote:
I don't understand how giving the US federal government management control of key components of the Internet will make it more secure.
It worked for airline security.
-- Jeff Shultz Network Support Technician Willamette Valley Internet 503-769-3331 (Stayton) 503-390-7000 (Salem) tech@wvi.com ...most of us have as our claim to fame the ability to talk to inanimate objects and convince them they want to listen to us. -- Valdis Kletnieks in a.s.r
Once upon a time, Jeff Shultz <jeffshul@wvi.com> said:
I saw in a forum on ExtremeTech (where they had an article ranting about how the internet was almost brought to its knees) http://www.extremetech.com/article2/0,3973,646157,00.asp that after the root servers attack the gTLD's were attacked as well, taking out .biz, .info, and .gov ... can anyone verify if anything happened?
Well, since the gTLD servers don't serve .biz, .info, or .gov (and those three zones are served by three different sets of servers), it sounds bogus. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
participants (14)
- Alan Hannan
- Chris Adams
- Christopher L. Morrow
- Chrisy Luke
- Daniel Karrenberg
- David Conrad
- Etaoin Shrdlu
- JC Dill
- Jeff Shultz
- Mathew Lodge
- Richard Forno
- Rick Irving
- Sean Donelan
- Vadim Antonov