Hi Everyone,

I'm pleased to announce that the Voice Operators' Group has found an excellent home. Our web site, www.voiceops.org, has a good home (thanks Scott!), while Jared, Daniel, and all the great folks over at nether.net are hosting our list server.

If VoiceOps can do for voice anything close to what NANOG has done for IP, we'll all owe much to the people that are making this happen.

email: voiceops-subscribe@voiceops.org
web: https://puck.nether.net/mailman/listinfo/voiceops

Thanks,

David Hiers
CCIE (R/S, V), CISSP
ADP Dealer Services
2525 SW 1st Ave.
Suite 300W
Portland, OR 97201
o: 503-205-4467
f: 503-402-3277

This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.
Governments already license stock brokers, pilots, commercial drivers, accountants, engineers, all sorts of people whose mistakes can be measured in the loss of hundreds of lives and millions of dollars.

http://sip-trunking.tmcnet.com/topics/security/articles/63218-bill-give-pres...

Good times....

David Hiers
CCIE (R/S, V), CISSP
ADP Dealer Services
On Fri, 28 Aug 2009, Hiers, David wrote:
Governments already license stock brokers, pilots, commercial drivers, accountants, engineers, all sorts of people whose mistakes can be measured in the loss of hundreds of lives and millions of dollars.
"'The power company allowed their network security to be compromised by a single Windows computer connected to the Internet in the main control facility, so we unplugged the entire Internet to mitigate the attack,' said Senator Rockefeller, the author of the bill that enabled the President to take swift action after an unknown hacker used the Internet to break into Brominion Power's main control facility and turn off the power to the entire East Coast. 'It will remain unplugged and nobody in the US will be allowed to connect to the Internet until the power is back on and this hacker is brought to justice.'

Authorities are having a difficult time locating the hacker due to the unavailability of the Internet and electricity, and cannot communicate with lawmakers via traditional means due to the outage. A formal request to turn the power and Internet back on was sent on a pony earlier this afternoon to lawmakers in DC."

Can't wait.

Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
I'm trying really hard to find my "paranoia hat", and just to relieve some boredom I read the entire bill to try to figure out where this was all coming from....

"(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;"

Now, I'm sorry, but that doesn't say anything about shutting down the entire Internet. Yes, I understand the idea that since they COULD possibly deem the entire Internet (that Al Gore created?) a critical infrastructure, it would seem simple enough to put a provision in to prevent that. But IMHO the point is to involve people outside the government (read the parts on establishing the committee and voting on rules/regs) as opposed to dictating to them.

And it's no different than it is today for groups that have to connect to/from particular agencies within the government. There's already plenty of rules in place about that.

So if someone hacks the electric grid, does it not make sense to unplug that portion of the infrastructure from the Internet until the problem is fixed? (e.g. shut down traffic to/from) I think someone wrote an article after WAY over-thinking this whole thing and everyone else jumps on the bandwagon.

So I'm open to hearing about things if I missed them. Reading Senate Bills isn't all that exciting, so it's possible I zoned out a bit, but can someone explain to me where this thought process is coming from?

Thanks!

Scott

Peter Beckman wrote:
On Fri, 28 Aug 2009, Hiers, David wrote:
Governments already license stock brokers, pilots, commercial drivers, accountants, engineers, all sorts of people whose mistakes can be measured in the loss of hundreds of lives and millions of dollars.
"'The power company allowed their network security to be compromised by a single Windows computer connected to the Internet in the main control facility, so we unplugged the entire Internet to mitigate the attack,' said Senator Rockefeller, the author of the bill that enabled the President to take swift action after an unknown hacker used the Internet to break into Brominion Power's main control facility and turn off the power to the entire East Coast. 'It will remain unplugged and nobody in the US will be allowed to connect to the Internet until the power is back on and this hacker is brought to justice.'
Authorities are having a difficult time locating the hacker due to the unavailability of the Internet and electricity, and cannot communicate with lawmakers via traditional means due to the outage. A formal request to turn the power and Internet back on was sent on a pony earlier this afternoon to lawmakers in DC."
Can't wait.
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
... this whole issue reminded me of:

http://www.youtube.com/watch?v=iRmxXp62O8g

and

http://www.youtube.com/watch?v=wrQUWUfmR_I

On the more serious note: the vagueness of some terms and definitions is what concerns me, for example. I am not sure if the problem could be fixed, though, under a mechanism fundamentally very litigious - thus so very likely to produce laws with potential for [lots of] interpretations (by paid specialists, of course).

***Stefan Mititelu
http://twitter.com/netfortius
http://www.linkedin.com/in/netfortius

On Fri, Aug 28, 2009 at 10:11 PM, Scott Morris <swm@emanon.com> wrote:
I'm trying really hard to find my "paranoia hat", and just to relieve some boredom I read the entire bill to try to figure out where this was all coming from....
"(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;"
Now, I'm sorry, but that doesn't say anything about shutting down the entire Internet. Yes, I understand the idea that since they COULD possibly deem the entire Internet (that Al Gore created?) a critical infrastructure, it would seem simple enough to put a provision in to prevent that. But IMHO the point is to involve people outside the government (read the parts on establishing the committee and voting on rules/regs) as opposed to dictating to them.
And it's no different than it is today for groups that have to connect to/from particular agencies within the government. There's already plenty of rules in place about that.
So if someone hacks the electric grid, does it not make sense to unplug that portion of the infrastructure from the Internet until the problem is fixed? (e.g. shut down traffic to/from) I think someone wrote an article after WAY over-thinking this whole thing and everyone else jumps on the bandwagon.
So I'm open to hearing about things if I missed them. Reading Senate Bills isn't all that exciting, so it's possible I zoned out a bit, but can someone explain to me where this thought process is coming from?
Thanks!
Scott
Peter Beckman wrote:
On Fri, 28 Aug 2009, Hiers, David wrote:
Governments already license stock brokers, pilots, commercial drivers, accountants, engineers, all sorts of people whose mistakes can be measured in the loss of hundreds of lives and millions of dollars.
"'The power company allowed their network security to be comprimised by a single Windows computer connected to the Internet in the main control facility, so we unplugged the entire Internet to mitigate the attack,' said Senator Rockefeller, the author of the bill that enabled the President to take swift action after an unknown hacker used the Internet to break into Brominion Power's main control facility and turn off the power to the entire East Coast. 'It will remain unplugged and nobody in the US will be allowed to connect to the Internet until the power is back on and this hacker is brought to justice.'
Authorities are having a difficult time locating the hacker due to the unavailability of the Internet and electricity, and cannot communicate with lawmakers via traditional means due to the outage. A formal request to turn the power and Internet back on was sent on a pony earlier this afternoon to lawmakers in DC."
Can't wait.
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
* Scott Morris:
I'm trying really hard to find my "paranoia hat", and just to relieve some boredom I read the entire bill to try to figure out where this was all coming from....
"(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;"
Wouldn't this mean you're allowed to set emergency ACLs only if a cybersecurity emergency has been declared by the President?
I must have missed the phrasing that says "nobody else can make an independent decision regarding any security measure above and beyond the minimum standards"...

I'll go back and look for that.

Scott

Florian Weimer wrote:
* Scott Morris:
I'm trying really hard to find my "paranoia hat", and just to relieve some boredom I read the entire bill to try to figure out where this was all coming from....
"(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;"
Wouldn't this mean you're allowed to set emergency ACLs only if a cybersecurity emergency has been declared by the President?
On Sat, Aug 29, 2009 at 06:57, Scott Morris <swm@emanon.com> wrote:
I must have missed the phrasing that says "nobody else can make an independent decision regarding any security measure above and beyond the minimum standards"...
I'll go back and look for that.
Scott
Florian Weimer wrote:
* Scott Morris:
I'm trying really hard to find my "paranoia hat", and just to relieve some boredom I read the entire bill to try to figure out where this was all coming from....
"(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;"
Wouldn't this mean you're allowed to set emergency ACLs only if a cybersecurity emergency has been declared by the President?
The EFF summed up the problems with the bill's current text quite well I believe (without any tin-foil hats required):

"The Cybersecurity Act is an example of the kind of dramatic proposal that doesn't address the real problems of security, and can actually make matters worse by weakening existing privacy safeguards – as opposed to simpler, practical measures that create real security by encouraging better computer hygiene." - http://www.eff.org/deeplinks/2009/04/cybersecurity-act

$0.02
~Chris

--
Chris Grundemann
weblog.chrisgrundemann.com
www.burningwiththebush.com
www.coisoc.org
I don't know, but #2 reads more like: If the president orders it, compromised federal websites or federal websites under attack can be ordered off the internet. That doesn't look to me like they can shut you down or require you to be a certified cyber-security person.

--Curtis
I must have missed the phrasing that says "nobody else can make an independent decision regarding any security measure above and beyond the minimum standards"...
I'll go back and look for that.
Scott
Florian Weimer wrote:
* Scott Morris:
I'm trying really hard to find my "paranoia hat", and just to relieve some boredom I read the entire bill to try to figure out where this was all coming from....
"(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;"
Wouldn't this mean you're allowed to set emergency ACLs only if a cybersecurity emergency has been declared by the President?
Having met more than a few people in government IT, all jokes aside, I think they're pretty well equipped to know when and if they need to disconnect from the Internet, even without an executive order.

Like many things in Washington, this all may be an attempt to put the "public" at ease by demonstrating the "we're from the government and we're here to help" principle with regard to Internet security but honestly... If the President wanted to disconnect the working parts of the US Government (beside the Judicial and Legislative branches) from the Internet all it would take is an executive order.

The more troubling parts of this bill had to do with the President, at his discretion, classifying parts of public networks as "critical infrastructure" and so on.

jy
currently living overseas and finding all of this very amusing...

On 30/08/2009, at 9:23 AM, cmaurand@xyonet.com wrote:
I don't know, but #2 reads more like: If the president orders it, compromised federal websites or federal websites under attack can be ordered off the internet. That doesn't look to me like they can shut you down or require you to be a certified cyber-security person.
--Curtis
I must have missed the phrasing that says "nobody else can make an independent decision regarding any security measure above and beyond the minimum standards"...
I'll go back and look for that.
Scott
Florian Weimer wrote:
* Scott Morris:
I'm trying really hard to find my "paranoia hat", and just to relieve some boredom I read the entire bill to try to figure out where this was all coming from....
"(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;"
Wouldn't this mean you're allowed to set emergency ACLs only if a cybersecurity emergency has been declared by the President?
On Sun, 30 Aug 2009, Jeff Young wrote:
The more troubling parts of this bill had to do with the President, at his discretion, classifying parts of public networks as "critical infrastructure" and so on.
Whatever your opinion, get involved. Let your representatives know about your better ideas.
currently living overseas and finding all of this very amusing...
If any other country has solved the problem of protecting Internet/data/cyber/critical/etc infrastructures and have some great ideas, it would be great to hear what those ideas are and how they did it.
On Sun, 30 Aug 2009 19:46:19 -0400 (EDT) Sean Donelan <sean@donelan.com> wrote:
On Sun, 30 Aug 2009, Jeff Young wrote:
The more troubling parts of this bill had to do with the President, at his discretion, classifying parts of public networks as "critical infrastructure" and so on.
Whatever your opinion, get involved. Let your representatives know about your better ideas.
I strongly second this. To quote a bumper sticker/slogan I've seen, "if you didn't vote, you shouldn't complain". Some prominent politicians have proposed something that we -- including me -- believe to be a bad idea, not just on ideological grounds but because we think that it won't accomplish its purported goals and may even be counterproductive. I don't see a lot of network operators in Congress -- if you know better, you really need to tell them.

Some folks on this list -- and I know there are a few, very specifically including myself -- spend more than a little bit of time not just worrying about public policy issues, but actually spending time and effort on the subject. (I'm in D.C. right now, largely because of a policy-related meeting on Tuesday.) I'll misuse a security slogan I've seen on mass transit facilities in the New York area: if you see something, say something. If no one tells Congress that this is a bad idea, how should they know?
currently living overseas and finding all of this very amusing...
If any other country has solved the problem of protecting Internet/data/cyber/critical/etc infrastructures and have some great ideas, it would be great to hear what those ideas are and how they did it.
Indeed.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
I strongly second this. To quote a bumper sticker/slogan I've seen, "if you didn't vote, you shouldn't complain". Some prominent politicians have proposed something that we -- including me -- believe to be a bad idea, not just on ideological grounds but because we think that it won't accomplish its purported goals and may even be counterproductive. I don't see a lot of network operators in Congress -- if you know better, you really need to tell them.
we need an easy way to click and opine, a la moveon.org, and other social and political orgs. maybe forwardon.org?

randy
randy,

moveon is a maine-based org. it is an effective, fund raising, partisan organization. it is much more than a click-and-opine vehicle, it puts hundreds of thousands of dollars into competitive races, and has a competent political director.

to create a "NagOn" we would have to hire or appoint a political director, and a financial director, and charge each with framing the issue, and executing a seven figure plan, and a communications director, to put the message with the money in targeted media markets, and finally, to show teeth, drop the margin of error, or on the order of high five, low six figures, in targeted congressional races, for challengers and incumbents.

in about a year after starting down this path, the "Congressman, it's NagOn on line one" conversation would be slightly different from today, and in several years time, more so.

eric

Randy Bush wrote:
I strongly second this. To quote a bumper sticker/slogan I've seen, "if you didn't vote, you shouldn't complain". Some prominent politicians have proposed something that we -- including me -- believe to be a bad idea, not just on ideological grounds but because we think that it won't accomplish its purported goals and may even be counterproductive. I don't see a lot of network operators in Congress -- if you know better, you really need to tell them.
we need an easy way to click and opine, a la moveon.org, and other social and political orgs. maybe forwardon.org?
randy
On Sun, 30 Aug 2009 22:20:55 -0400 Eric Brunner-Williams <brunner@nic-naa.net> wrote:
randy,
moveon is a maine-based org. it is an effective, fund raising, partisan organization. it is much more than a click-and-opine vehicle, it puts hundreds of thousands of dollars into competitive races, and has a competent political director.
to create a "NagOn" we would have to hire or appoint a political director, and a financial director, and charge each with framing the issue, and executing a seven figure plan, and a communications director, to put the message with the money in targeted media markets, and finally, to show teeth, drop the margin of error, or on the order of high five, low six figures, in targeted congressional races, for challengers and incumbents.
in about a year after starting down this path, the "Congressman, it's NagOn on line one" conversation would be slightly different from today, and in several years time, more so.
"A journey of a thousand miles begins with a single step."

I don't know that a NagOn is the best way or the only way to make progress. I do know that the most likely source of that kind of funding is (many of) our employers, who may not have technical excellence on the top of their lists. But I'm even more certain that if technical people never speak up, their message will never be heard, except perhaps by accident.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
On Sun, Aug 30, 2009 at 20:28, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
On Sun, 30 Aug 2009 22:20:55 -0400 Eric Brunner-Williams <brunner@nic-naa.net> wrote:
randy,
moveon is a maine-based org. it is an effective, fund raising, partisan organization. it is much more than a click-and-opine vehicle, it puts hundreds of thousands of dollars into competitive races, and has a competent political director.
to create a "NagOn" we would have to hire or appoint a political director, and a financial director, and charge each with framing the issue, and executing a seven figure plan, and a communications director, to put the message with the money in targeted media markets, and finally, to show teeth, drop the margin of error, or on the order of high five, low six figures, in targeted congressional races, for challengers and incumbents.
in about a year after starting down this path, the "Congressman, it's NagOn on line one" conversation would be slightly different from today, and in several years time, more so.
"A journey of a thousand miles begins with a single step."
I don't know that a NagOn is the best way or the only way to make progress. I do know that the most likely source of that kind of funding is (many of) our employers, who may not have technical excellence on the top of their lists. But I'm even more certain that if technical people never speak up, their message will never be heard, except perhaps by accident.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
I believe that this is exactly the kind of thing that the US ISOC Chapters should be (and are to varying degrees) involved in -- providing legitimate technical information and expert analysis of local, state and federal policies which impact the Internet, to those making the policies. The global ISOC already does this for ICANN and other international organizations, it seems fitting that the chapters do more of this here inside the USA.

I encourage everyone with even a fleeting interest in tech-policy to seek out their local ISOC chapter (http://www.isoc.org/isoc/chapters/list.php?region=worldwide&status=A) and let them know that you care. I can tell you as the founding chair of the Colorado chapter that my largest hurdle today is getting active members to participate - I have funding, etc, just no help... (I invite everyone to contact me directly with suggestions and ideas in this vein - I have some vehicles in place to start making this happen quickly with a bit of help)

</soapbox>
~Chris

--
Chris Grundemann
weblog.chrisgrundemann.com
www.burningwiththebush.com
www.coisoc.org
As secretary of the Internet Society's NY Chapter I'd like to back up Chris's appeal. We are in a position of familiarity and consultation with local government but definitely needful of the kind of technical expertise so abundant in Nanog. We'd very much welcome fresh blood.

Steven - I believe you are in our neighborhood?

joly
http://isoc-ny.org

On Mon, Aug 31, 2009 at 10:57 AM, Chris Grundemann <cgrundemann@gmail.com> wrote:
On Sun, Aug 30, 2009 at 20:28, Steven M. Bellovin<smb@cs.columbia.edu> wrote:
"A journey of a thousand miles begins with a single step."
I don't know that a NagOn is the best way or the only way to make progress. I do know that the most likely source of that kind of funding is (many of) our employers, who may not have technical excellence on the top of their lists. But I'm even more certain that if technical people never speak up, their message will never be heard, except perhaps by accident.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
I believe that this is exactly the kind of thing that the US ISOC Chapters should be (and are to varying degrees) involved in -- providing legitimate technical information and expert analysis of local, state and federal policies which impact the Internet, to those making the policies. The global ISOC already does this for ICANN and other international organizations, it seems fitting that the chapters do more of this here inside the USA.
I encourage everyone with even a fleeting interest in tech-policy to seek out their local ISOC chapter (http://www.isoc.org/isoc/chapters/list.php?region=worldwide&status=A) and let them know that you care. I can tell you as the founding chair of the Colorado chapter that my largest hurdle today is getting active members to participate - I have funding, etc, just no help... (I invite everyone to contact me directly with suggestions and ideas in this vein - I have some vehicles in place to start making this happen quickly with a bit of help)
</soapbox> ~Chris
-- Chris Grundemann weblog.chrisgrundemann.com www.burningwiththebush.com www.coisoc.org
--
---------------------------------------------------------------
Joly MacFie 917 442 8665 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
---------------------------------------------------------------
"A journey of a thousand miles begins with a single step."
Absolutely true, but many folks from the technical side are sick and tired of trying to talk to people that "hear" but do not "listen" and of dealing with others that have nothing else to contribute than their selfish interests or the interests of the corporation backing them.

Unfortunately many organizations including ISOC lost their appeal and mission, and in many cases are just a platform to self promote particular individuals.

Have a great weekend and happy chocolate in heart shape day.

Cheers
Jorge
+1

I operate a Maine ISP/ASP, and Senator Snowe is my lobbying target.

Steven M. Bellovin wrote:
On Sun, 30 Aug 2009 19:46:19 -0400 (EDT) Sean Donelan <sean@donelan.com> wrote:
On Sun, 30 Aug 2009, Jeff Young wrote:
The more troubling parts of this bill had to do with the President, at his discretion, classifying parts of public networks as "critical infrastructure" and so on.
Whatever your opinion, get involved. Let your representatives know about your better ideas.
I strongly second this. To quote a bumper sticker/slogan I've seen, "if you didn't vote, you shouldn't complain". Some prominent politicians have proposed something that we -- including me -- believe to be a bad idea, not just on ideological grounds but because we think that it won't accomplish its purported goals and may even be counterproductive. I don't see a lot of network operators in Congress -- if you know better, you really need to tell them.
Some folks on this list -- and I know there are a few, very specifically including myself -- spend more than a little bit of time not just worrying about public policy issues, but actually spending time and effort on the subject. (I'm in D.C. right now, largely because of a policy-related meeting on Tuesday.) I'll misuse a security slogan I've seen on mass transit facilities in the New York area: if you see something, say something. If no one tells Congress that this is a bad idea, how should they know?
currently living overseas and finding all of this very amusing...
If any other country has solved the problem of protecting Internet/data/cyber/critical/etc infrastructures and have some great ideas, it would be great to hear what those ideas are and how they did it.
Indeed.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
Steven M. Bellovin wrote:
On Sun, 30 Aug 2009 19:46:19 -0400 (EDT) Sean Donelan <sean@donelan.com> wrote:
On Sun, 30 Aug 2009, Jeff Young wrote:
The more troubling parts of this bill had to do with the President, at his discretion, classifying parts of public networks as "critical infrastructure" and so on. Whatever your opinion, get involved. Let your representatives know about your better ideas.
I strongly second this. To quote a bumper sticker/slogan I've seen, "if you didn't vote, you shouldn't complain".

"Democracy is not a spectator's sport"

Justin Shore
Sean,

We had a clipped conversation years ago. I'm no longer with the DIA or the NSA or the ASA (an old '70's agency). I've worked at Columbia University in the 80's, the NSA in the 70's, and a lot of other places in the 90's and beyond. Because of my past, I have to "lurk"...

However, and you must be getting tired after all these years but, please, keep interjecting your points.

My 2 cents....

Best
Ed

-----Original Message-----
From: Sean Donelan [mailto:sean@donelan.com]
Sent: Sunday, August 30, 2009 7:46 PM
To: nanog@nanog.org
Subject: Re: Ready to get your federal computer license?

On Sun, 30 Aug 2009, Jeff Young wrote:
The more troubling parts of this bill had to do with the President, at his discretion, classifying parts of public networks as "critical infrastructure" and so on.
Whatever your opinion, get involved. Let your representatives know about your better ideas.
currently living overseas and finding all of this very amusing...
If any other country has solved the problem of protecting Internet/data/cyber/critical/etc infrastructures and have some great ideas, it would be great to hear what those ideas are and how they did it.
On Sun, 30 Aug 2009 10:59:34 +1000, Jeff Young said:
Having met more than a few people in government IT, all jokes aside, I think they're pretty well equipped to know when and if they need to disconnect from the Internet, even without an executive order.
Department of the Interior had *how* many court-ordered disconnections?
Valdis.Kletnieks@vt.edu wrote:
On Sun, 30 Aug 2009 10:59:34 +1000, Jeff Young said:
Having met more than a few people in government IT, all jokes aside, I think they're pretty well equipped to know when and if they need to disconnect from the Internet, even without an executive order.
Department of the Interior had *how* many court-ordered disconnections?
Does this tread on open "secrets," inside knowledge, or hoped-for info? Just asking, I'm guessing you know something I don't and I'd like to be in on it. OTOH, I'm pretty sure I agree with you on the merit and worth of licenses for hairdressers. It seems that the silly season besets us from the right and from the left. The M&W of government licenses for IT Pros has been debated and thoroughly discredited, elsewhere. Much like other things that have been thoroughly discredited but keep coming back again and again, until they pass when someone drops the hot potato. Follow the money, is the adage of yore. Who benefits immediately, from licensing IT Pros? Easy answer. Who sponsors them or their cause, if anyone? Or are we to believe that a few (dozen?) independent agencies are truly the source of this concerted, prolonged push?
On Mon, 31 Aug 2009 12:15:10 -0500 Reese <reese@inkworkswell.com> wrote:
Valdis.Kletnieks@vt.edu wrote:
On Sun, 30 Aug 2009 10:59:34 +1000, Jeff Young said:
Having met more than a few people in government IT, all jokes aside, I think they're pretty well equipped to know when and if they need to disconnect from the Internet, even without an executive order.
Department of the Interior had *how* many court-ordered disconnections?
Does this tread on open "secrets," inside knowledge, or hoped-for info? Just asking, I'm guessing you know something I don't and I'd like to be in on it.
I'm not sure what you're asking. Those disconnections were well-covered in the press. Start with http://www.doi.gov/news/grilesmemo.htm but there's a lot more that a quick google search will find. --Steve Bellovin, http://www.cs.columbia.edu/~smb
Steven M. Bellovin wrote:
I'm not sure what you're asking. Those disconnections were well-covered in the press. Start with http://www.doi.gov/news/grilesmemo.htm but there's a lot more that a quick google search will find.
A news-item or -event I missed for whatever reason, okay. I'll consult Google. Thank you, Reese
The order arose from Cobell v. Salazar (was C. v. Kempthorne, was C. v. Norton, was C. v. Babbitt). On October 20th, 2005, Judge Royce C. Lamberth ordered the Interior Department to disconnect from the Internet all computer systems that house or provide access to Individual Indian Trust records. "Indian Trust records continue to be in imminent risk of being manipulated and destroyed by computer hackers." The link to the ruling is http://wampum.wabanaki.net/archives/20051020ITPI.pdf Former Interior Deputy Secretary Steven Griles was sentenced to 10 months in prison for obstructing a U.S. Senate investigation of Jack A. Abramoff. He was also ordered to pay a fine of $30,000, and serve a term of three years of supervised release.
Eric
Reese wrote:
Steven M. Bellovin wrote:
I'm not sure what you're asking. Those disconnections were well-covered in the press. Start with http://www.doi.gov/news/grilesmemo.htm but there's a lot more that a quick google search will find.
A news-item or -event I missed for whatever reason, okay. I'll consult Google. Thank you,
Reese
I guess the precedence for blocking is the way cops can close airspace, roads, and any piece of property when needed. If you accept the notion that we've built private and public "roads" and "buildings" on the "information superhighway", the notion of emergency roadblocks, crime-scene tape, traffic cameras, and bears-in-the-air can't be too far behind. I didn't mean to imply that computer *users* would need a license, but that many in NANOG would probably be considered as license candidates by that bill. My message was sent to NANOG (which is not just your average bunch of users) and is best understood in that context. I may be wrong, but I suspect that most NANOG subscribers have a security aspect to their job. Thanks, David
I must have missed something here... I cannot find in the article or the bill where it states or alludes to a federal computer license requirement for computer users.
Is this just more fear mongering or is it in the bill? If it is ... where?
Jason Jenisch
David
On Mon, Aug 31, 2009 at 8:42 AM, <Valdis.Kletnieks@vt.edu> wrote:
On Sun, 30 Aug 2009 10:59:34 +1000, Jeff Young said:
Having met more than a few people in government IT, all jokes aside, I think they're pretty well equipped to know when and if they need to disconnect from the Internet, even without an executive order.
Department of the Interior had *how* many court-ordered disconnections?
* Scott Morris:
Florian Weimer wrote:
* Scott Morris:
I'm trying really hard to find my "paranoia hat", and just to relieve some boredom I read the entire bill to try to figure out where this was all coming from....
"(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;"
Wouldn't this mean you're allowed to set emergency ACLs only if a cybersecurity emergency has been declared by the President?
I must have missed the phrasing that says "nobody else can make an independent decision regarding any security measure above and beyond the minimum standards"...
I'll go back and look for that.
The thing you're looking for is called "exclusio unius". 8-)
On Fri, Feb 12, 2010 at 7:11 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
* Scott Morris:
Florian Weimer wrote:
* Scott Morris:
I'm trying really hard to find my "paranoia hat", and just to relieve some boredom I read the entire bill to try to figure out where this was all coming from....
"(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;"
Wouldn't this mean you're allowed to set emergency ACLs only if a cybersecurity emergency has been declared by the President?
I must have missed the phrasing that says "nobody else can make an independent decision regarding any security measure above and beyond the minimum standards"...
I'll go back and look for that.
The thing you're looking for is called "exclusio unius". 8-)
Now the President will not only carry "The football", he will also start carrying "The switch". Cheers
Scott Morris wrote:
So if someone hacks the electric grid, does it not make sense to unplug that portion of the infrastructure from the Internet until the problem is fixed? (e.g. shut down traffic to/from) I think someone wrote an article after WAY over-thinking this whole thing and everyone else jumps on the bandwagon.
Declan does that a lot. It's very annoying, but I suppose cnet has never claimed to be an impartial news organization...or have they? -- J.D. Falk
On 8/28/2009 6:11 PM, Peter Beckman wrote:
On Fri, 28 Aug 2009, Hiers, David wrote:
Governments already license stock brokers, pilots, commercial drivers, accountants, engineers, all sorts of people whose mistakes can be measured in the loss of hundreds of lives and millions of dollars.
"'The power company allowed their network security to be compromised by a single Windows computer connected to the Internet in the main control facility, so we unplugged the entire Internet to mitigate the attack,' said Senator Rockefeller, the author of the bill that enabled the President to take swift action after an unknown hacker used the Internet to break into Brominion Power's main control facility and turn off the power to the entire East Coast. 'It will remain unplugged and nobody in the US will be allowed to connect to the Internet until the power is back on and this hacker is brought to justice.'
Authorities are having a difficult time locating the hacker due to the unavailability of the Internet and electricity, and cannot communicate with lawmakers via traditional means due to the outage. A formal request to turn the power and Internet back on was sent on a pony earlier this afternoon to lawmakers in DC."
Can't wait.
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
ROFL!
On Fri, Aug 28, 2009 at 2:51 PM, Hiers, David <David_Hiers@adp.com> wrote:
Governments already license stock brokers, pilots, commercial drivers, accountants, engineers, all sorts of people whose mistakes can be measured in the loss of hundreds of lives and millions of dollars.
http://sip-trunking.tmcnet.com/topics/security/articles/63218-bill-give-pres...
Good times....
David Hiers
CCIE (R/S, V), CISSP ADP Dealer Services
It would appear as though your employer should be amongst the first to apply... http://www.baselinemag.com/c/a/Tools-Security%98hold/ADP-Duped-Into-Disclosi... -Dave (who long ago learned to not post contentious stuff from his employers' e-mail)
On Fri, 28 Aug 2009 16:51:39 CDT, "Hiers, David" said:
Governments already license stock brokers, pilots, commercial drivers, accountants, engineers, all sorts of people whose mistakes can be measured in the loss of hundreds of lives and millions of dollars.
In many localities, hairdressers require licenses as well. Draw your own conclusions. ;)
Hiers, David wrote:
Governments already license stock brokers, pilots, commercial drivers, accountants, engineers, all sorts of people whose mistakes can be measured in the loss of hundreds of lives and millions of dollars.
http://sip-trunking.tmcnet.com/topics/security/articles/63218-bill-give-pres...
Good times....
David Hiers
CCIE (R/S, V), CISSP ADP Dealer Services 2525 SW 1st Ave. Suite 300W Portland, OR 97201 o: 503-205-4467 f: 503-402-3277
I must have missed something here... I cannot find in the article or the bill where it states or alludes to a federal computer license requirement for computer users. Is this just more fear mongering or is it in the bill? If it is ... where? Jason Jenisch
On Mon, 31 Aug 2009, Jason Jenisch wrote:
Hiers, David wrote:
http://sip-trunking.tmcnet.com/topics/security/articles/63218-bill-give-pres... I must have missed something here... I cannot find in the article or the bill where it states or alludes to a federal computer license requirement for computer users.
"The proposal also includes a federal certification program for "cyber security professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who receive that license, CNET said."
---------------------------------------------------------------------------
Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
Peter Beckman wrote:
"The proposal also includes a federal certification program for "cyber security professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who receive that license, CNET said."
Presumably, this is to increase security of private sector networks that interconnect with government networks and high risk networks such as banks and utilities. Presumably it wouldn't mandate the social networking, ESP/ISP sectors. Jack
Perhaps it's intended to be a workaround to the current problem with a lot of government IT Security: The (big) contractors are told to follow IT security guidelines, at which point they point back to their contract and say "That's not in the statement of work, let's renegotiate the contract and cost it out."
Jack Bates wrote:
Peter Beckman wrote:
"The proposal also includes a federal certification program for "cyber security professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who receive that license, CNET said."
Presumably, this is to increase security of private sector networks that interconnect with government networks and high risk networks such as banks and utilities. Presumably it wouldn't mandate the social networking, ESP/ISP sectors.
Jack
It's not a proposed "license for computer users" but rather a proposal to license computer security professionals. Here is the draft bill text, so that we are all on the same sheet of music:
TITLE I-WORKFORCE DEVELOPMENT
SEC. 101. CERTIFICATION AND TRAINING OF CYBERSECURITY PROFESSIONALS.
(a) IN GENERAL.-Within 1 year after the date of enactment of this Act, the Secretary of Commerce, in consultation with relevant Federal agencies, industry sectors, and nongovernmental organizations, shall develop or coordinate and integrate a national certification, and periodic recertification program for cybersecurity professionals.
(b) TRAINING AND DEVELOPMENT.-The Secretary of Commerce, in consultation with relevant Federal agencies, industry sectors, and nongovernmental organizations, shall devise a strategy to improve, increase, and coordinate cybersecurity training across all sectors.
(c) FEDERAL EMPLOYEES.-The Secretary, in cooperation with the Director of the Office of Personnel Management and other Federal departments and agencies, shall develop and implement a plan to train cybersecurity professionals across the Federal government to ensure they achieve and maintain certification.
(d) CERTIFICATION.-Beginning 3 years after the date of enactment of this Act, it shall be unlawful for an individual who is not certified under the program to represent himself or herself as a cybersecurity professional.
(e) CERTIFIED SERVICE PROVIDER REQUIREMENT.-Notwithstanding any provision of law to the contrary, the head of a Federal agency may not use, or permit the use of, cybersecurity services for that agency that are not managed by a cybersecurity professional who is certified under the program.
It is unlawful for the operator of an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, to use, or permit the use of, cybersecurity services for that system or network that are not managed by a cybersecurity professional who is certified under the program.
A question for the NANOG community - if this section were to only apply to US government employees would it be acceptable? In other words, strike any reference to the private sector (except perhaps for those in the private sector who are under contract to perform government work.)
Marc
--
Marcus H. Sachs, P.E. <marcus.sachs@verizon.com> Executive Director, National Security and Cyber Policy Office of Federal Government Relations Verizon, 1300 I (eye) St. NW Suite 400 W Washington, D.C. 20005 USA tel +1 202 515 2463 fax +1 202 336 7921
-----Original Message-----
From: Peter Beckman [mailto:beckman@angryox.com]
Sent: Monday, August 31, 2009 12:20 PM
To: Jason Jenisch
Cc: nanog@nanog.org; Hiers, David
Subject: Re: Ready to get your federal computer license?
On Mon, 31 Aug 2009, Jason Jenisch wrote:
Hiers, David wrote:
http://sip-trunking.tmcnet.com/topics/security/articles/63218-bill-give-pres... I must have missed something here... I cannot find in the article or the bill where it states or alludes to a federal computer license requirement for computer users.
"The proposal also includes a federal certification program for "cyber security professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who receive that license, CNET said."
---------------------------------------------------------------------------
Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
On Mon, 31 Aug 2009 14:06:56 EDT, "Sachs, Marcus Hans (Marc)" said:
(d) CERTIFICATION.-Beginning 3 years after the date of enactment of this Act, it shall be unlawful for an individual who is not certified under the program to represent himself or herself as a cybersecurity professional.
Highly unlikely that 3 years is sufficient time to devise a certification, a testing program, and get enough people certified. 5 years would be much more reasonable. It will probably take over a year just to thrash out what a "certification" is. Consider the vast difference in scope and depth between a CISSP and one of the GIAC certs. (Ghod forbid somebody suggest something rational like "upper managers need a CISSP-ish cert and line employees need a relevant GIAC-ish cert.. :)
(e) CERTIFIED SERVICE PROVIDER REQUIREMENT.-Notwithstanding any provision of law to the contrary, the head of a Federal agency may not use, or permit the use of, cybersecurity services for that agency that are not managed by a cybersecurity professional who is certified under the program.
Unintended consequences - will this encourage the head of an agency to instead say "screw it" and *not* use any cybersecurity services?
A question for the NANOG community - if this section were to only apply to US government employees would it be acceptable? In other words, strike any reference to the private sector (except perhaps for those in the private sector who are under contract to perform government work.)
Limiting it to "US government agencies, employees, and contractors" would certainly trim out about 95% of the contentious areas. But it still leaves me, personally, on the hot seat - am I on the hook because I'm responsible for research data that's NSF-funded? ;)
Highly unlikely that 3 years is sufficient time to devise a certification,
No big deal; they could just adopt the CISSP/GIAC cert without modification as an interim step. Existing certs are already being used in some court cases: http://www.wisbar.org/AM/Template.cfm?Section=Home&TEMPLATE=/CM/ContentDisplay.cfm&CONTENTID=70438
Unintended consequences - will this encourage the head of an agency to instead say "screw it" and *not* use any cybersecurity services?
Not likely. Corporate Officers must already make decisions that meet a wide range of existing "reasonable man" tests with respect to security. This is not the only law/regulation in existence. David