[In the message entitled "Re: Nato warns of strike against cyber attackers" on Jun 8, 16:03, "J. Oquendo" writes:]
All humor aside, I'm curious to know what anyone can truly do at the end of the day if, say, a botnet was used to instigate a situation. Surely someone would have to say something to the tune of "better now than never" to implement BCP filtering on a large scale. Knobs, Levers, Dials and Switches: Now and Then (please sir, may I have some more ?) is 7 years old, yet I wonder, in practice, how many networks have 38/84 filtering. I'm wondering why it hasn't been implemented off the shelf in some of the newer equipment. This is not to say "huge backbones" should have it, but think about it: if smaller networks implemented it from the rip, the overhead wouldn't hurt that many of the bigger guys. On the contrary, my theory is it would save them headaches in the long run... Guess that's a pragmatic approach. Better that than an immediate pessimistic one.
It's really way, way past time for us to actually deal with compromised computers on our networks. Abuse desks need to have the power to filter customers immediately on notification of activity. We need to have tools to help us identify compromised customers. We need to have policies that actually work to help notify the customers when they are compromised. None of this needs to be done for free. There needs to be a "security fee" charged _all_ customers, which would fund the abuse desk. With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.
None of this needs to be done for free. There needs to be a "security fee" charged _all_ customers, which would fund the abuse desk.
With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.
Or you should send the bill to the company that created the software that facilitated getting so many computers compromised; some folks in Redmond have a large chunk of money in the bank. My .02
Jorge Amodio wrote:
None of this needs to be done for free. There needs to be a "security fee" charged _all_ customers, which would fund the abuse desk.
With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.
Or you should send the bill to the company that created the software that facilitated getting so many computers compromised; some folks in Redmond have a large chunk of money in the bank.
My .02
Seems like it's come full circle again (http://irbs.net/internet/nanog/0412/0109.html), and I can always recall Rob Thomas' take on this (http://irbs.net/internet/nanog/0412/0222.html): "Filtering out bogons removes yet one more potential source of badness. Does it remove all badness? Of course not. We win by degrees. Removing any tool from the bad persons' toolkit is useful." Not forgetting Mark Andrews: "Any operator not implementing BCP 38 is potentially aiding and abetting some criminal. BCP 38 is over 10 years old. There is no excuse for not having equipment in place to handle the processing needs of BCP 38."

ISPs could actually offset the charges to customers with helpdesks to recoup some equipment costs while maintaining a clean network. As for the "blame the software" comment, irrelevant. If bad hosts were minimized, there would likely be fewer compromises irrespective of the vendor of the software. Statistically I would think the number of compromises would go down, but at the same time I believe the criminals would get smarter. That's just the nature of the beast.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
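The BCP 38 / BCP 84 filtering and bogon filtering the messages above argue about come down to a per-interface source-address check at the network edge. As an added illustration (not code from any poster in this thread), here is a small Python model of that check: a constructed bogon list, a hypothetical per-interface allocation table (RFC 5737 documentation prefixes stand in for customer allocations), strict and loose source-verification modes, and a run over a few constructed packets. The interface names, prefixes and packets are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Address space that should never appear as a packet source on the public
# Internet. Constructed here from well-known special-purpose IPv4 ranges;
# production bogon lists are longer and change over time, so they must be
# refreshed rather than hard-coded.
BOGONS_V4 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # shared address space (CGN)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]

# Hypothetical allocation table: which prefixes an edge router expects to see
# as sources on each customer-facing interface (documentation prefixes used as
# stand-ins for real customer allocations).
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25")],
}


def classify_source(interface: str, src: str, mode: str = "strict") -> str:
    """Decide what a BCP 38 ingress filter does with a packet.

    Returns "forward", "drop-bogon" or "drop-spoofed".
    mode="strict": source must belong to a prefix assigned to *this* interface
                   (strict uRPF; appropriate for single-homed stub customers).
    mode="loose":  source must belong to a prefix assigned to *any* customer
                   interface (the relaxation BCP 84 discusses for multihomed or
                   asymmetric customers; it no longer stops one customer from
                   sourcing another customer's addresses).
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS_V4):
        return "drop-bogon"
    if mode == "strict":
        allowed = CUSTOMER_PREFIXES.get(interface, [])
    elif mode == "loose":
        allowed = [net for nets in CUSTOMER_PREFIXES.values() for net in nets]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if any(addr in net for net in allowed):
        return "forward"
    return "drop-spoofed"


def filter_packets(packets, mode: str = "strict"):
    """Run the filter over (interface, src, dst) tuples.

    Returns a Counter of verdicts and the list of packets that were forwarded.
    """
    verdicts = Counter()
    forwarded = []
    for iface, src, dst in packets:
        verdict = classify_source(iface, src, mode)
        verdicts[verdict] += 1
        if verdict == "forward":
            forwarded.append((iface, src, dst))
    return verdicts, forwarded


# Constructed sample traffic: legitimate packets, a packet whose source lies in
# another customer's prefix (the case the filter exists to catch), a private
# source that is never valid on a customer edge, and a source just outside the
# customer's assigned /25.
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.53"),      # legitimate
    ("cust-a", "198.51.100.7", "203.0.113.53"),    # source belongs to cust-b
    ("cust-a", "10.1.2.3", "203.0.113.53"),        # RFC 1918 source: bogon
    ("cust-b", "198.51.100.7", "203.0.113.80"),    # legitimate
    ("cust-b", "198.51.100.200", "203.0.113.80"),  # outside cust-b's /25
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        counts, fwd = filter_packets(SAMPLE_PACKETS, mode)
        print(mode, dict(counts), fwd)
```

Strict mode drops the second and fifth packets as spoofed and the third as a bogon; loose mode lets the second packet through because its source exists somewhere in the table, which is exactly the trade-off an operator accepts when strict mode would break a multihomed customer.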
Sent from my iPad

On Jun 8, 2010, at 3:27 PM, "J. Oquendo" <sil@infiltrated.net> wrote:
Jorge Amodio wrote:
None of this needs to be done for free. There needs to be a "security fee" charged _all_ customers, which would fund the abuse desk.
With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.
Or you should send the bill to the company that created the software that facilitated getting so many computers compromised; some folks in Redmond have a large chunk of money in the bank.
My .02
Seems like it's come full circle again (http://irbs.net/internet/nanog/0412/0109.html), and I can always recall Rob Thomas' take on this (http://irbs.net/internet/nanog/0412/0222.html): "Filtering out bogons removes yet one more potential source of badness. Does it remove all badness? Of course not. We win by degrees. Removing any tool from the bad persons' toolkit is useful." Not forgetting Mark Andrews: "Any operator not implementing BCP 38 is potentially aiding and abetting some criminal. BCP 38 is over 10 years old. There is no excuse for not having equipment in place to handle the processing needs of BCP 38."
ISPs could actually offset the charges to customers with helpdesks to recoup some equipment costs while maintaining a clean network. As for the "blame the software" comment, irrelevant. If bad hosts were minimized, there would likely be fewer compromises irrespective of the vendor of the software. Statistically I would think the number of compromises would go down, but at the same time I believe the criminals would get smarter. That's just the nature of the beast.
It's not irrelevant. If it were, Apache would be more frequently exploited than IIS. It isn't.

Owen
Jorge Amodio wrote:
None of this needs to be done for free. There needs to be a "security fee" charged _all_ customers, which would fund the abuse desk.
With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.
Or you should send the bill to the company that created the software that facilitated getting so many computers compromised; some folks in Redmond have a large chunk of money in the bank.
I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an "attractive nuisance" - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess.

For instance, if you build a pool in your backyard, and you don't properly fence it, and kids illegally trespass on your property to get in to your pool, and they get hurt, you will be sued and will be held liable. You built this dangerous thing, and you didn't properly secure (fence) it, and it's your responsibility even when someone *illegally* gains access and hurts themselves (or others).

There are numerous other examples of "attractive nuisances" where individuals and companies are held liable for injuries caused by people who illegally gained access to improperly secured property and items. Why hasn't *someone* brought this up with Microsoft and Windows?

http://en.wikipedia.org/wiki/Attractive_nuisance_doctrine

jc
On Tue, Jun 8, 2010 at 8:59 PM, JC Dill <jcdill.lists@gmail.com> wrote:
I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an "attractive nuisance" - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess.
Do you honestly believe that if 80% of the world's consumer computers were *not* MS operating systems, that the majority of computers would still not be targeted? Please, be for real -- the criminals go after the entrenched majority. If it were any other OS, the story would be the same.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
On Jun 8, 2010, at 9:05 PM, Paul Ferguson wrote:
On Tue, Jun 8, 2010 at 8:59 PM, JC Dill <jcdill.lists@gmail.com> wrote:
I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an "attractive nuisance" - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess.
Do you honestly believe that if 80% of the world's consumer computers were *not* MS operating systems, that the majority of computers would still not be targeted?
Targeted? Yes. Successfully compromised? Less so. Look at it this way... The vast majority of web servers are Apache, yet, IIS is compromised far more often. Yes, Micr0$0ft is a major contributor to the problem.
Please, be for real -- the criminals go after the entrenched majority. If it were any other OS, the story would be the same.
If this were true, the criminals would be all over Apache and yet it is IIS that gets compromised most often. Owen
On Tue, Jun 8, 2010 at 10:22 PM, Owen DeLong <owen@delong.com> wrote:
Please, be for real -- the criminals go after the entrenched majority. If it were any other OS, the story would be the same.
If this were true, the criminals would be all over Apache and yet it is IIS that gets compromised most often.
Actually, that is another fallacy. The majority of SQL Injections are on Apache-based systems. Look, this isn't a blame-game in which we need to point out one vendor, operating system, plug-in, browser, or whatever. The problem is that it is a wide-spread problem wherein we have millions of compromised consumer (and non-consumer) hosts doing the bidding of Bad Guys. I would certainly love to hear your solution to this problem. And stop pointing fingers.

- ferg
On Jun 8, 2010, at 10:37 PM, Paul Ferguson wrote:
On Tue, Jun 8, 2010 at 10:22 PM, Owen DeLong <owen@delong.com> wrote:
Please, be for real -- the criminals go after the entrenched majority. If it were any other OS, the story would be the same.
If this were true, the criminals would be all over Apache and yet it is IIS that gets compromised most often.
Actually, that is another fallacy.
The majority of SQL Injections are on Apache-based systems.
SQL injection is an SQL attack, not a compromise of the HTTP daemon itself (usually partially a compromise of PHP or similar scripting language). The majority of compromises (buffer overflows, etc.) against the web server itself are IIS.
Look, this isn't a blame-game in which we need to point out one vendor, operating system, plug-in, browser, or whatever.
Agreed... All vulnerable vendors should be treated the same. If you are selling software without source code and making money as "professional developers" by selling that software, then, it should come with liability for the damages caused by your failure to secure the software properly. If you're providing source code and allowing others to use it and you are not getting paid for developing it, then, obviously, it is ridiculous to hold you liable since the person who chose to use your source code has the ability to fix it to resolve any security issues.
The problem is that it is a wide-spread problem wherein we have millions of compromised consumer (and non-consumer) hosts doing the bidding of Bad Guys.
Yep.
I would certainly love to hear your solution to this problem.
Hold the owners of compromised systems financially liable for the damage they do. Make it possible for said owners to subrogate such claims against any suppliers of commercial closed insecure software which contributed to the compromise of their systems.
And stop pointing fingers.
No finger pointing there, just actual liability targeted at those actually responsible.

Owen
On June 8, 2010 at 21:05 fergdawgster@gmail.com (Paul Ferguson) wrote:
On Tue, Jun 8, 2010 at 8:59 PM, JC Dill <jcdill.lists@gmail.com> wrote:
I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an "attractive nuisance" - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess.
Do you honestly believe that if 80% of the world's consumer computers were *not* MS operating systems, that the majority of computers would still not be targeted?
Ah, the disinformation reply...

MAYBE IF [please read thru before replying because I probably cover most knee-jerk responses eventually]:

a) Microsoft hadn't ignored well-known techniques for dividing secure vs insecure operations in their kernel, thus allowing any email script you're reading to do whatever it wants including, e.g., re-writing the boot blocks.

b) Microsoft hadn't made the first and usually only newly created user "root" on a new system so it'd be easier to install applications they bought and administer the system and save them understanding that they sometimes have to type in a separate administrator's password. But the extra typing and forgetting that password of course would detract from the "user experience".

c) Microsoft hadn't distributed, for decades, systems with graphics libraries which relied on injecting raw machine code into the kernel to speed up operations like scrolling a window (which used to be very slow without this, as one example), and got their third-party vendors so hooked on this technique that they screamed bloody murder every time MS even hinted that they might remove it. It took generations of OLE, X controls, .NET, etc to get rid of this, if it's even completely gone now.

d) Microsoft hadn't ignored all these basic security practices in operating systems which were completely well understood and implemented in OS after OS back to at least 1970 if not before because they saw more profit in, to use a metaphor, selling cars without safety glass in the windshields etc, consequences be damned.

e) Microsoft hadn't made tens if not hundreds of billions off the above willful negligence for decades (if you include the first warning when viruses became rampant in the late 80s, plus a decade of infected zombie bots starting in the late 90s) after they knew full well the disastrous consequences, causes, and fixes.

f) The fact that Microsoft began putting exactly the fixes the above implies with, generously, XP SP2, but not seriously until Vista (general release: January 30, 2007), which is tantamount to an admission of guilt. Such as separating Administrator from User and the privileges thereof.

Then, and only then, MAYBE their mere market dominance would be a plausible reason.

But for those of us who actually UNDERSTAND operating systems and how their security works (or doesn't) and what the problems have been specifically, statistics and probabilities and hand waves just can't trump KNOWING AND UNDERSTANDING THE FACTS AND HOW THESE THINGS WORK!

Blaming Microsoft OS's vulnerability to viruses and zombification on their market dominance would be like blaming the running out of IPv4 addresses on cisco's market dominance. It has a certain appeal to the ignorant, but anyone who knows anything about the actual causes and history knows there's not one grain of truth to it.

--
-Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Wed, Jun 09, 2010 at 16:44:38PM -0400, Barry Shein wrote:
MAYBE IF [please read thru before replying because I probably cover most knee-jerk responses eventually]:
d) Microsoft hadn't ignored all these basic security practices in operating systems which were completely well understood and implemented in OS after OS back to at least 1970 if not before because they saw more profit in, to use a metaphor, selling cars without safety glass in the windshields etc, consequences be damned.
That's a thesis argued in Clarke's book (already mentioned here on NANOG, and slashdot and ...):

"Microsoft has vast resources, literally billions of dollars in cash, or liquid assets reserves. Microsoft is an incredibly successful empire built on the premise of market dominance with low-quality goods." Who wrote those lines? Steve Jobs? Linux inventor Linus Torvalds? Ralph Nader? No, the author is former White House adviser Richard A. Clarke in his new book, Cyber War: The Next Threat to National Security and What to Do About It. Clarke tries to be fair. He notes that Microsoft didn't originally intend its software for critical networks. But even his efforts at fairness are unflattering. Microsoft's original goal "was to get the product out the door and at a low cost of production," he explains.

<http://arstechnica.com/security/news/2010/06/cyber-war-microsoft-a-weak-link-in-national-security.ars>

--
Henry Yen
Aegis Information Systems, Inc.
Senior Systems Programmer
Hicksville, New York
http://www.theatlantic.com/politics/archive/2010/06/homeland-securitys-cyber...
http://tinyurl.com/2gyezyg

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Once upon a time, JC Dill <jcdill.lists@gmail.com> said:
I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an "attractive nuisance" - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess.
Many of the problems are PEBKAC, as evidenced by the massive responses to phishing scams. I can't tell you the number of our users that have sent their password to Nigeria to be used to log in to our webmail and spam. Users open attachments, follow links, and click "OK" with alarming ease. As long as that is the case (and I don't see that changing), blaming one vendor is not going to help. Something like the NSA's SELinux helps (because you can have all browser plugins run in sandboxes, have saved attachments non-executable, etc.), but users will still follow the instructions to override it.

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
On 6/9/2010 08:05, Chris Adams wrote:
Once upon a time, JC Dill <jcdill.lists@gmail.com> said:
I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an "attractive nuisance" - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess.
Many of the problems are PEBKAC, as evidenced by the massive responses to phishing scams. I can't tell you the number of our users that have sent their password to Nigeria to be used to log in to our webmail and spam.
In other words, if somebody is going to handle the problem, the people that know how ("ISP's" for want of a term) are going to have to do it.
Larry Sheldon wrote:
On 6/9/2010 08:05, Chris Adams wrote:
Once upon a time, JC Dill <jcdill.lists@gmail.com> said:
I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an "attractive nuisance" - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess.
Many of the problems are PEBKAC, as evidenced by the massive responses to phishing scams. I can't tell you the number of our users that have sent their password to Nigeria to be used to log in to our webmail and spam.
In other words, if somebody is going to handle the problem, the people that know how ("ISP's" for want of a term) are going to have to do it.
Yes, ISPs are going to have to "handle" the problem. But, IMHO the root cause of the problem starts in Redmond, and ISPs should sue Redmond for the lack of suitable security in their product, rendering it an attractive nuisance and requiring ISPs to clean up after Redmond's mess.

It's not fair to expect ISPs to shoulder this burden, and it's not fair to pass on the cost to customers as a blanket surcharge (and it won't work from a business standpoint) as not all customers use Microsoft's virus-vector software. And it's not really fair to expect the end customer to shoulder this burden when it's Microsoft's fault for failing to properly secure their software. But end user customers don't have the resources to sue Microsoft, and then there's that whole EULA problem.

ISPs who are NOT a party to the EULA between Microsoft and the user, but who are impacted by Microsoft's shoddy security, can (IMHO) make a valid claim that Microsoft created an attractive nuisance (improperly secured software), and should be held accountable for the vandal's use thereof, used to access and steal resources (bandwidth, etc.) from the ISP through the ISP's customer's infested Windows computer.

jc
On 6/8/10 2:12 PM, Dave Rand wrote:
It's really way, way past time for us to actually deal with compromised computers on our networks. Abuse desks need to have the power to filter customers immediately on notification of activity. We need to have tools to help us identify compromised customers. We need to have policies that actually work to help notify the customers when they are compromised.
None of this needs to be done for free. There needs to be a "security fee" charged _all_ customers, which would fund the abuse desk.
With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.
Problem is, there's no financial penalties for providers who ignore abuse coming from their network.

DNSbl lists work only because after a while, providers can't ignore their customer complaints and exodus when they dig deep into the bottom line.

We've got several large scale IP blocks in place in the AHBL due to this exact problem - providers know there's abuse going on, they won't terminate the customers or deal with it, because they are more than happy to take money.

Legit customers get caught in the cross-fire, and they suffer - but at the same time, those legit customers are the only ones that will be able to force a change on said provider.

They contact us, and act all innocent, and tell people we're being unreasonable, neglecting to tell people at the same time that the 'unreasonable' DNSbl maintainer only wants for them to do a simple task that thousands of other providers and administrators have done before.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
Brielle Bruns wrote:
Problem is, there's no financial penalties for providers who ignore abuse coming from their network.
DNSbl lists work only because after a while, providers can't ignore their customer complaints and exodus when they dig deep into the bottom line.
We've got several large scale IP blocks in place in the AHBL due to this exact problem - providers know there's abuse going on, they won't terminate the customers or deal with it, because they are more than happy to take money.
Legit customers get caught in the cross-fire, and they suffer - but at the same time, those legit customers are the only ones that will be able to force a change on said provider.
They contact us, and act all innocent, and tell people we're being unreasonable, neglecting to tell people at the same time that the 'unreasonable' DNSbl maintainer only wants for them to do a simple task that thousands of other providers and administrators have done before.
I know it's akin to Apples and Oranges but maybe a "network forfeiture" (http://www.lectlaw.com/def/f054.htm) clause be drafted. Surely there should be no outcry for stating: "If your network is dirty, it's gone including all your equipment." I wonder how fast some network operators would have their networks. Again, re-visiting re-hashed threads: http://www.mail-archive.com/nanog@merit.edu/msg50472.html

Surely a vast majority have to be tired of the garbage coming from your own networks and others. I can tell you I'm tired of my phone ringing because some tollfraudster keeps thinking he's making uber calls when he's stuck in one of my honeypots.
On 6/8/2010 15:44, J. Oquendo wrote:
Brielle Bruns wrote:
Problem is, there's no financial penalties for providers who ignore abuse coming from their network.
DNSbl lists work only because after a while, providers can't ignore their customer complaints and exodus when they dig deep into the bottom line.
We've got several large scale IP blocks in place in the AHBL due to this exact problem - providers know there's abuse going on, they won't terminate the customers or deal with it, because they are more than happy to take money.
Legit customers get caught in the cross-fire, and they suffer - but at the same time, those legit customers are the only ones that will be able to force a change on said provider.
They contact us, and act all innocent, and tell people we're being unreasonable, neglecting to tell people at the same time that the 'unreasonable' DNSbl maintainer only wants for them to do a simple task that thousands of other providers and administrators have done before.
I know it's akin to Apples and Oranges but maybe a "network forfeiture" (http://www.lectlaw.com/def/f054.htm) clause be drafted. Surely there should be no outcry for stating: "If your network is dirty, it's gone including all your equipment." I wonder how fast some network operators would have their networks. Again, re-visiting re-hashed threads: http://www.mail-archive.com/nanog@merit.edu/msg50472.html Surely a vast majority have to be tired of the garbage coming from your own networks and others. I can tell you I'm tired of my phone ringing because some tollfraudster keeps thinking he's making uber calls when he's stuck in one of my honeypots.
I have for, what, 20 years? been begging for vendors to provide clean service. But there is no hurry, the world government (spare me the tin hats thing. Have you noticed what is going on in Washington lately?) will take care of it.
On Tue, Jun 8, 2010 at 1:30 PM, Brielle Bruns <bruns@2mbit.com> wrote:
On 6/8/10 2:12 PM, Dave Rand wrote:
It's really way, way past time for us to actually deal with compromised computers on our networks. Abuse desks need to have the power to filter customers immediately on notification of activity. We need to have tools to help us identify compromised customers. We need to have policies that actually work to help notify the customers when they are compromised.
None of this needs to be done for free. There needs to be a "security fee" charged _all_ customers, which would fund the abuse desk.
With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.
Problem is, there's no financial penalties for providers who ignore abuse coming from their network.
Actually, the real problem is that if providers *don't* start doing something to remediate abuse originating within their customer base -- and begin policing themselves -- I don't think they will like someone else (e.g. the gummint) forcing them to do something (which actually may be worse). The opportunity for providers to address this problem by policing themselves is being overshadowed by the real possibility that the government may step in and force them to do so, unfortunately.

$.02,

- ferg
Sent from my iPad

On Jun 8, 2010, at 3:30 PM, Brielle Bruns <bruns@2mbit.com> wrote:
On 6/8/10 2:12 PM, Dave Rand wrote:
It's really way, way past time for us to actually deal with compromised computers on our networks. Abuse desks need to have the power to filter customers immediately on notification of activity. We need to have tools to help us identify compromised customers. We need to have policies that actually work to help notify the customers when they are compromised.
None of this needs to be done for free. There needs to be a "security fee" charged _all_ customers, which would fund the abuse desk.
With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.
Problem is, there's no financial penalties for providers who ignore abuse coming from their network.
Problem is there's no financial liability for producing massively exploitable software. No financial penalty for operating a compromised system. No penalty for ignoring abuse complaints. Etc. Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection.
DNSbl lists work only because after a while, providers can't ignore their customer complaints and exodus when they dig deep into the bottom line.
We've got several large scale IP blocks in place in the AHBL due to this exact problem - providers know there's abuse going on, they won't terminate the customers or deal with it, because they are more than happy to take money.
Legit customers get caught in the cross-fire, and they suffer - but at the same time, those legit customers are the only ones that will be able to force a change on said provider.
They contact us, and act all innocent, and tell people we're being unreasonable, neglecting to tell people at the same time that the 'unreasonable' DNSbl maintainer only wants for them to do a simple task that thousands of other providers and administrators have done before.
-- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
Lots of finger pointing. Lots of discussion about who should pay, and so forth. How about we just take responsibility for our own part. Don't let malicious traffic in or out. If it can't move, it will die.
-- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
I'm all for that, but, point is that people who fail to meet that standard are currently getting a free ride. IMHO, they should pay and they should have the recourse of being (at least partially) reimbursed by their at-fault software vendors for contributory negligence. Owen
On Jun 8, 2010, at 7:39 PM, Larry Sheldon wrote:
Lots of finger pointing. Lots of discussion about who should pay, and so forth.
How about we just take responsibility for our own part. Don't let malicious traffic in or out.
If it can't move, it will die. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
I'm all for that, but, point is that people who fail to meet that standard are currently getting a free ride. IMHO, they should pay and they should have the recourse of being (at least partially) reimbursed by their at-fault software vendors for contributory negligence.
Great idea. You know, I've got a great solution for global warming. Let's hold all the car owners accountable for all the greenhouse gases their cars belch out, and let them have the recourse of being (at least partially) reimbursed by their at-fault car manufacturers and gasoline distributors for contributory negligence. See how insane that sounds? ... JG
-- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Wed, 9 Jun 2010 06:27:08 -0500 (CDT) Joe Greco <jgreco@ns.sol.net> wrote:
I'm all for that, but, point is that people who fail to meet that standard are currently getting a free ride. IMHO, they should pay and they should have the recourse of being (at least partially) reimbursed by their at-fault software vendors for contributory negligence.
Yeah, of course, let's go back to the 1990's, and pay for every byte sent. This surely will keep users accountable for all their faulty software.
Great idea. You know, I've got a great solution for global warming. Let's hold all the car owners accountable for all the greenhouse gases their cars belch out, and let them have the recourse of being (at least partially) reimbursed by their at-fault car manufacturers and gasoline distributors for contributory negligence.
-- With best regards, Gregory Edigarov
On Jun 9, 2010, at 4:27 AM, Joe Greco wrote:
I'm all for that, but, point is that people who fail to meet that standard are currently getting a free ride. IMHO, they should pay and they should have the recourse of being (at least partially) reimbursed by their at-fault software vendors for contributory negligence.
Great idea. You know, I've got a great solution for global warming. Let's hold all the car owners accountable for all the greenhouse gases their cars belch out, and let them have the recourse of being (at least partially) reimbursed by their at-fault car manufacturers and gasoline distributors for contributory negligence.
1. My car emits very little greenhouse gas, so, I'm cool with that. Sounds great to me. (I drive a Prius).
2. Manufacturers are held liable for contributory negligence when the design of their vehicle is unsafe and causes an accident.
3. We're not talking about greenhouse gasses here... We're talking about car-wrecks on the information superhighway caused by a combination of irresponsible operators and poor vehicle design.
See how insane that sounds?
Actually, it sounds reasonably sane to me, but, it's not a good analogy as noted above, so, the relative merits are mostly irrelevant. Owen
On Jun 9, 2010, at 4:27 AM, Joe Greco wrote:
I'm all for that, but, point is that people who fail to meet that standard are currently getting a free ride. IMHO, they should pay and they should have the recourse of being (at least partially) reimbursed by their at-fault software vendors for contributory negligence.
Great idea. You know, I've got a great solution for global warming. Let's hold all the car owners accountable for all the greenhouse gases their cars belch out, and let them have the recourse of being (at least partially) reimbursed by their at-fault car manufacturers and gasoline distributors for contributory negligence.
1. My car emits very little greenhouse gas, so, I'm cool with that. Sounds great to me. (I drive a Prius).
Your car emits lots of greenhouse gases. Just because it's /less/ doesn't change the fact that the Prius has an ICE. We have a Prius and a HiHy too.
2. Manufacturers are held liable for contributory negligence when the design of their vehicle is unsafe and causes an accident.
That isn't relevant to what I suggested.
3. We're not talking about greenhouse gasses here... We're talking about car-wrecks on the information superhighway caused by a combination of irresponsible operators and poor vehicle design.
That wasn't the analogy I was making. I was stabbing at the whole idea behind your suggestion, by directly translating it to a real-world example.
See how insane that sounds?
Actually, it sounds reasonably sane to me, but, it's not a good analogy as noted above, so, the relative merits are mostly irrelevant.
Owen
-- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN) With 24 million small businesses in the US alone, that's way too many apples.
On 6/9/2010 08:21, Joe Greco wrote:
Your car emits lots of greenhouse gases. Just because it's /less/ doesn't change the fact that the Prius has an ICE. We have a Prius and a HiHy too.
Did Godwin say anything about random discussions degenerating to mythologies like "gorebull warming"?
-- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
This would appear to be political in nature and therefore not operational, right? "Larry Sheldon" <LarrySheldon@cox.net> wrote:
On 6/9/2010 08:21, Joe Greco wrote:
Your car emits lots of greenhouse gases. Just because it's /less/ doesn't change the fact that the Prius has an ICE. We have a Prius and a HiHy too.
Did Godwin say anything about random discussions degenerating to mythologies like "gorebull warming"?
-- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Problem is there's no financial liability for producing massively exploitable software. No financial penalty for operating a compromised system. No penalty for ignoring abuse complaints. Etc.
Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection.
It isn't Microsoft. It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.)
Microsoft is targeted because they have the market. If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years. It's also Flash and Acrobat Reader. It's also users who click to install every plug-in recommended by every dodgy web site they visit. It's also users who don't install patches, including those for XP (which really was that buggy). There's plenty of blame to go around here....
A liability scheme, with penalties on users and vendors, is certainly worth considering. Such a scheme would also have side-effects -- think of the effect on open source software. It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worthwhile -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
On Jun 9, 2010, at 12:26 AM, Steven Bellovin wrote:
Problem is there's no financial liability for producing massively exploitable software. No financial penalty for operating a compromised system. No penalty for ignoring abuse complaints. Etc.
Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection.
It isn't Microsoft. It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.)
Microsoft is targeted because they have the market. If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years. It's also Flash and Acrobat Reader. It's also users who click to install every plug-in recommended by every dodgy web site they visit. It's also users who don't install patches, including those for XP (which really was that buggy). There's plenty of blame to go around here....
A liability scheme, with penalties on users and vendors, is certainly worth considering. Such a scheme would also have side-effects -- think of the effect on open source software. It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worthwhile -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold.
I agree the miscreants go for the bigger bang for the buck. That said, earlier versions of Windows really were soft targets. I don't know enough about Win7 to comment, but I respect Steve and will accept his opinion. Let's hope MS keeps up the good work - I do not want to bash Windows (no matter how fun it is :), I want to stop being attacked.
But it is not -just- market share. There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, and RIM. I think combined. Yet Windows Mobile has the lowest market share of the four. So unless that is spill over because Windows Mobile & Windows Desktop have the same vulnerabilities, it shows that market share is only one piece of the puzzle.
All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. And I don't know how we stop that. Anyone have an idea?
-- TTFN, patrick
On Tue, Jun 8, 2010 at 9:36 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
But it is not -just- market share. There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, and RIM. I think combined. Yet Windows Mobile has the lowest market share of the four. So unless that is spill over because Windows Mobile & Windows Desktop have the same vulnerabilities, it shows that market share is only one piece of the puzzle.
All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. And I don't know how we stop that. Anyone have an idea?
Actually, it *is* market-share. That's the "low-hanging fruit" for criminals. And educating users? That bus left the station long ago. Let's not be distracted from the issue here -- ISPs, xSPs, and other similar providers have a responsibility here that they should not shirk, or pass along. Police your own backyards. Before someone else forces you to do so.
- - ferg
-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
On 09-Jun-2010, at 12:36 PM, Patrick W. Gilmore wrote:
On Jun 9, 2010, at 12:26 AM, Steven Bellovin wrote:
Problem is there's no financial liability for producing massively exploitable software. No financial penalty for operating a compromised system. No penalty for ignoring abuse complaints. Etc.
Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection.
It isn't Microsoft. It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.)
Microsoft is targeted because they have the market. If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years. It's also Flash and Acrobat Reader. It's also users who click to install every plug-in recommended by every dodgy web site they visit. It's also users who don't install patches, including those for XP (which really was that buggy). There's plenty of blame to go around here....
A liability scheme, with penalties on users and vendors, is certainly worth considering. Such a scheme would also have side-effects -- think of the effect on open source software. It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worthwhile -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold.
I agree the miscreants go for the bigger bang for the buck. That said, earlier versions of Windows really were soft targets. I don't know enough about Win7 to comment, but I respect Steve and will accept his opinion. Let's hope MS keeps up the good work - I do not want to bash Windows (no matter how fun it is :), I want to stop being attacked.
But it is not -just- market share. There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, and RIM. I think combined. Yet Windows Mobile has the lowest market share of the four. So unless that is spill over because Windows Mobile & Windows Desktop have the same vulnerabilities, it shows that market share is only one piece of the puzzle.
All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. And I don't know how we stop that. Anyone have an idea?
Remove the users. The problem goes away. Just kidding on that. Really, the only way ahead is educating the users of the threats and all and maybe a "learning experience" is due for most of them.
-- TTFN, patrick
On Wed, 09 Jun 2010 00:36:29 EDT, "Patrick W. Gilmore" said:
But it is not -just- market share. There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, and RIM. I think combined. Yet Windows Mobile has the lowest market share of the four.
I'll just point out that it's really hard for the user to install some random app they found on the net on 3 of those operating systems. Let's face it - a significant percentage of users really need to be restricted to a Harvard architecture "no user serviceable parts inside" system if you expect them to compute safely.
On Jun 8, 2010, at 9:26 PM, Steven Bellovin wrote:
Problem is there's no financial liability for producing massively exploitable software. No financial penalty for operating a compromised system. No penalty for ignoring abuse complaints. Etc.
Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection.
It isn't Microsoft. It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.)
Microsoft is targeted because they have the market. If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years. It's also Flash and Acrobat Reader. It's also users who click to install every plug-in recommended by every dodgy web site they visit. It's also users who don't install patches, including those for XP (which really was that buggy). There's plenty of blame to go around here....
A liability scheme, with penalties on users and vendors, is certainly worth considering. Such a scheme would also have side-effects -- think of the effect on open source software. It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worthwhile -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold.
Open source should be basically covered by the equivalent of a good samaritan clause. After all, the source is open, so, anyone who wants it fixed can fix it. OTOH, non-open-source software which is subject to dependency on a vendor who got paid for the software as a professional development house should carry a different standard of liability. Just as the mechanic you pay at the local garage is held to a higher standard of liability than the shade-tree mechanic on your block that changes your oil for free. Owen
Dave, I realize you're fond of punishing all of us to subsidize the ignorant, but I would rather see those with compromised machines pay the bill for letting their machines get compromised than have to subsidize their ignorant or worse behavior. Owen
Sent from my iPad
On Jun 8, 2010, at 1:12 PM, dlr@bungi.com (Dave Rand) wrote:
[In the message entitled "Re: Nato warns of strike against cyber attackers" on Jun 8, 16:03, "J. Oquendo" writes:]
All humor aside, I'm curious to know what can anyone truly do at the end of the day if say a botnet was used to instigate a situation. Surely someone would have to say something to the tune of "better now than never" to implement BCP filtering on a large scale. Knobs, Levers, Dials and Switches: Now and Then (please sir, may I have some more ?) is 7 years old yet I wonder in practice, how many networks have 38/84 filtering. I'm wondering why it hasn't been implemented off the shelf in some of the newer equipment. This is not to say "huge backbones" should have it, but think about it, if smaller networks implemented it from the rip, the overheard wouldn't hurt that many of the bigger guys. On the contrary, my theory is it would save them headaches in the long run... Guess that's a pragmatic approach. Better that than an immediate pessimistic one.
It's really way, way past time for us to actually deal with compromised computers on our networks. Abuse desks need to have the power to filter customers immediately on notification of activity. We need to have tools to help us identify compromised customers. We need to have policies that actually work to help notify the customers when they are compromised.
None of this needs to be done for free. There needs to be a "security fee" charged _all_ customers, which would fund the abuse desk.
With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.
--
Your humor has me roflmao -henry
________________________________
From: Paul Vixie <vixie@isc.org>
To: nanog@merit.edu
Sent: Wed, June 9, 2010 10:14:34 AM
Subject: Re: Nato warns of strike against cyber attackers
dlr@bungi.com (Dave Rand) writes:
... With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.
+1. -- Paul Vixie KI6YSY
participants (20)
- Alexander Harrowell
- Barry Shein
- Brielle Bruns
- Chris Adams
- dlr@bungi.com
- Gregory Edigarov
- Henry Linneweh
- Henry Yen
- J. Oquendo
- JC Dill
- Joe Greco
- Jorge Amodio
- Larry Sheldon
- Mark
- Owen DeLong
- Patrick W. Gilmore
- Paul Ferguson
- Paul Vixie
- Steven Bellovin
- Valdis.Kletnieks@vt.edu