On the other hand, if you listen carefully to what ISPs need, you can be fairly effective working with ISPs. However there are practical limits to what an ISP can do.

I'll second this point. We've had great luck working with providers globally, but only after folks (such as Sean) took us under their wing and mentored us on the processes and setups that best help ISPs. That alone would make a great *NOG presentation. -- Rob Thomas Team Cymru Research NFP http://www.cymru.com/ cmn_err(do_panic, "Out of coffee!");

On Fri, 11 Jan 2008, Suresh Ramasubramanian wrote:

disclaimer: Names replaced by X, Y and Z solely to render this little story fit for public consumption .. it took place at a nominally closed meeting. It wont take you too long to arrive at reasonably plausible guesses for X, Y and Z, so I will leave you to the guessing. No points for the right answer, no comment either .. what I'm pointing out is general enough that it could be any X, Y and Z companies,

Yep, and X, Y and Z could be companies in any industry. I've been at conferences where the A/V presentor didn't know the other part of the same A/V company. And conferences where the ASP presentor wasn't aware what the other part of the same ASP was doing about the same problem. And so on. Likewise, banks don't seem to be as concerned about identity theft as the victimes of identity theft who call their customer service reps; anti-virus vendors doesn't seem to be as concerned about malware as the victims of malware who call their customer service reps; mail service providers don't seem to be as concerned about unsolicited messages as the victims of scams contacting their customer service reps; law enforcement agents doesn't seem to be as concerned about crimes as the victims who contact their emergency numbers. Q: What do anti-virus companies really think about security issues? Q: What do banks really think about security issues? Q: What do law enforcement agencies really think about security issues? That's why I suggested to Rob and other folks the importance of listening to what they tell you how to work their particular processes. Every large organization has them, although often the real processes are unwritten. Once you understand how the organization works, its much easier to figure out how to make it work for you. Shouting at the mountain won't move the mountain out of the way, and will just leave you frustrated. But ask a native nicely for help, and you might learn about the trails and passes over the mountain.

On Fri, 11 Jan 2008, Suresh Ramasubramanian wrote:

All of it translates to

1. X more mailing lists to sign up to (lots and lots more email, great) 2. X more conferences to attend (more miles, yay, that's plat for this year taken care of) 3. A sizeable amount of reinvention of the wheel too

Fun, isn't it?

To begin, I hate my inbox too. I want the same thing. And yes, I know a serious part of your inbox problem comes from me and mine--all I can offer in reparations is beer. I also dislike the fact many people are clueless, but I do like the fact clueless people are starting to get clued by, to a level, re-inventing the wheel. This email is long, I am giving you my take. What I want to see is not necessarily your thoughts on my philosophy, but rather what YOU think should be done. What would MAKE a difference in the fighting, for you? Suresh, you *know* I am with you and that there is nothing more important to me that information sharing and cooperation. Now let me correct that to recent times, that *used* to be the most important consideration, whether some of those in need never share back or give feedback only meant we only shared some of what we have, rather than all of it--not that we won't share. Getting cooperation inside industries, then between them, then with academics, then with law enforcement, then with policy makers. It's been a rocky ride.. but well worth it. The first ammendment to this was the understanding that 'diversity is good', meaning; not to get upset when others choose to double resources and not cooperate. Diversity truly is great: * It lets new blood in * It creates new political presences (not necessarily powers) that we need to cope with, making us less close-minded * Helps create and foster a community * Proves time and again that what we believe to be evil may have been bad once, but is actually pretty good in the current landscape--we got set in our ways and set taboos (sharing virus samples outside the AV world, sharing C&C information, listening in on bad guys, etc.) Letting efforts run free enforces a sort of Darwinian selection as far as their methods and people, but more importantly it pushes the successful ones up to our sand box.. if only we can protect them from people like us long enough. Naturally, diversity is not *always* good, which is the second ammendment to the thinking process. Moving on, these subjects are in fact mainstream, no longer discussed in rants by few looney people such as us. This brought some good, and naturally some bad.. but when affecting change one has to remember people need to decide for themselves and they in turn let us be successful in protecting them. Our accomplishments aside we kept what we were working on so secret that: * Administrators didn't have the knowledge or tools to cope (and they could help) * Public awareness was non existent (which we are suffering from now) * Political awareness was non existent (which we are suffering from now) It is not about an holier than thou attitude, it's about understanding that the Internet is truly the only functioning anarchy, and that "doing" by itself makes a difference. New people who come along and will try their own way, and a sort of non-committal Darwinian seclusion or capitalism (not necessarily monetary) will determine their success. We can't stop them so may as well help them, yes? As to current existing mail tornados of too many places to be and to see... we get less and less over time, but it is what it is, and it is about human nature. Human nature, social structures, etc.--nuff said. Meeting the new crowd is always good, but seeing how they not only re-invent the wheel on the how to cope, but rather in their whole thinking process, I am slightly concerned. We HAVE information sharing, we HAVE cooperations. What the Internet, and we, need, is to move to the next level, whatever that may be--of course I have my ideas about that. That means moving from good-will based relationships to something more substantial, as the criminal side has moved on long ago to billions in revenue, R&D teams, outsourcing, and kinetic [support] operations (from fraud to throat-cutting). We are of course limited to what we *can* do: * Physical world efforts (law enforcment getting better, conferences to bring people together) * Intelligence gathering Non operational: * Political outreach ("there is no cyber-crime problem") * Awareness raising We may have achieved a LOT on our end, but at the end of the day we have made exactly a dent in the criminals' operations, and no more. We make that dent once in a while and they move on, evolving. In retrospect we haven't made any difference on their side, and they won. Won what, you may ask. The war? We never really fought, it is a false argument that we did, and as one of the many people who are doers out there and gave a chunk of their lives to this 'fighting' I can say that and not offend myself. Our fighting has been (mostly) limited to getting slapped, and writing analysis about it. What I'd like to see? Here's three items on a strategic level rather than tactical, which I can go on about forever (you know I like to hear my own voice, right? :) ) * People working to bridge the tech-policy gap between people like us and policy makers (who following Estonia *are* writing policy which will affect us) * In a situation where we don't start a war not we, but rather the Internet can't win--actively fight back * These efforts stopping to be a volunteer-based 'thing' and moving to people who should be doing it (not people like me)

Listening is, of course, important. As is coming in with an open mind and without a holier than thou attitude .. especially if the attitude is combined with the sort of URGENT!! TAKE THIS PHISHER DOWN NOW!!" abrasiveness nobody else really appreciates.

That, by the way, is why I'm glad to see more and more organizations holding collocated / joint meetings .. across, to use some igov jargon (and for want of a better word) "stakeholder communities" .. banks talking to ISPs talking to LE / regulators talking to independent researchers etc.

Indeed! Thing is, most stop at the talking stage, which they get off their chest and will do again 6 months from now. The Internet is not gonna die tomorrow, it is already IPv6 in Asia. :P Taking a step back from security, from my niche, in which I am extremely worried--as long as people can download their pr0n and argue over Captain Kirk, I am happy. Thing is, all these millions of incidents every moment are nothing but background noise. WE CAN'T handle them, we can just jump at big ones. As long as things remain this way, my hollistic-view self will be happy, but as the awareness decreases and the background noise increases--we will eventually be "only useless" rather than "mostly useless" in bottom line net effect on the criminals. That of course unless we understand we need to do something drastically different than what failed us so far, even if it did help us get organized. What ISPs can do? They can do a lot more than they do now. That is also a false statement as people can always do more. ISPs may be a part of the solution, but they are not the solution. We can affect how techies work, but the business folks are the ones making the decisions and making fighting criminals make business sense is not always the best use of our time. ISPs? Some of the best and smarted people in the world work at ISPs. Unfortunately, also some of the stupidest.

--srs

On Fri, 11 Jan 2008, Suresh Ramasubramanian wrote:

Another vendor who, after being given clear escalation paths, first kept cc'ing our upstream abuse desk, and every role account OTHER than abuse at our domain. When they finally get enough clue hammered into them to cc our abuse desk, they escalate to my work address within two hours of that, demanding it be taken down.

Let me guess which one it is, the same one that called 2 minutes later and threatened to go to the Police on YOU?

Our abuse desk would handle tix within a business day, or even earlier. And email about phish takes priority right after (say) LE requests that find their way there (instead of the special POC we already have given most LE agencies). So, escalating a manual complaint after two hours is a bit thick, I'd say.

Anyway, that particular vendor got told to take a hike, told that we wouldnt accept any further reports from them (and that our automated scripts kill about 20 for every one that they report anyway), and that we'd contact the one client they seem to send these alerts for directly and set up something more automated, where they could send us a list (in a standard format, and verified at their end) and we'd take it down automatically. Of course with manual review later.

Their client's name starts with C? :)

Neither of those two takedown services (especially not the one in #2) is going to get anything like this offered to them. Not until they actually learn to play nice with other ISPs. Which comes right back to Sean's remark that I replied to.

Sorry for the long emails, but I do wish more takedown services (and more abuse / security desks) would read the MAAWG abuse desk best practice document ..

http://www.maawg.org/about/publishedDocuments/Abuse_Desk_Common_Practices.pd...

Best suggestion of the thread. Now how can we make that happen? If we can give it an easily Googable name, we may be able to mention it in the press when the occasion rises. We may be able to inform them of it (nicely) in response to abuse email. What did you find works for you?

--srs

Gadi.

On Fri, 11 Jan 2008, Suresh Ramasubramanian wrote:

All of it translates to

1. X more mailing lists to sign up to (lots and lots more email, great) 2. X more conferences to attend (more miles, yay, that's plat for this year taken care of) 3. A sizeable amount of reinvention of the wheel too

Fun, isn't it?

We could just meet at the Universal Postal Union meeting, and get rid of all those extra organizations like the ITU, IETF, NANOG, etc :-) Although communication technology evolved to postal letters, to telegraphs, and now to the Internet most of the security problems (crimes, scams, abuse and so on) have been the same for centuries. Is it easier to teach a technologist how to investigate, or to teach an investigator about technology?

That, by the way, is why I'm glad to see more and more organizations holding collocated / joint meetings .. across, to use some igov jargon (and for want of a better word) "stakeholder communities" .. banks talking to ISPs talking to LE / regulators talking to independent researchers etc.

Having both shared and separate meetings and communications is important. We can all learn alot from sharing. But its also important for organizations and people to be able to communicate just with similar organizations and people. There is an organizational dynamic that happens. Enabling sharing within groups is as important as sharing between groups, but they don't and usually aren't the same. There have been several training classes and meetings I wished I could have attended over the years, but they were closed to only people in law enforcement, or in banking, or in a university. While personally frustrating, I understand why.

On Jan 10, 2008 9:32 PM, Sean Donelan <sean@donelan.com> wrote:

Q: What do anti-virus companies really think about security issues?

http://www.nruns.com/ps/The_Death_of_AV_Defense_in_Depth-Revisiting_Anti-Vir... Of particular interest are the slides on "Vendor responses"...

Q: What do banks really think about security issues? Q: What do law enforcement agencies really think about security issues?

In order to best answer these types of questions, I suggest you first read Geekonomics, the dotCrime Manifesto, and Secure Programming with Static Analysis for some background. I see a lot of you talking about information sharing, which is great. How much overlap is there between nspsec and the Financial ISAC? Is FIRST the place to go to sort out these issues? This sort of conversation came up in passing on the botnets mailing-list only a few months ago - http://www.mail-archive.com/botnets@whitestar.linuxbox.org/msg00924.html I don't see any particular failure of the ISP community. We all hit our vendors pretty hard when it comes to security issues, and we protect and respond to customer issues better than any software vendor that I'm aware of. If you want to get involved in security with your local bank, attend a local OWASP meeting. If you want to get involved with law enforcement, attend a local Infragard meeting. dre