Re: Hi, we're from the government and we're here to help
On Mar 10, 9:57am, Patrick Greenwell wrote:
>
> On 9 Mar 2000, Sean Donelan wrote:
>
> > The US Government has been amazingly pro-active in this area, or at least some small groups have been. They've also consistently said the government can't protect the Internet. The infrastructure is owned by private companies and individuals; and industry has to work together to protect it.
> >
> > The question is does industry think it's worthwhile to work together?
>
> Funny you should ask that. There was a lot of discussion on Bugtraq recently about the attacks and from those discussions another list was started to discuss formation of an "Association of Responsible Internet Providers" (ARIP@SECURITYFOCUS.COM). Discussion ensued regarding what the organization should be doing. There seemed to be general agreement on the idea of first creating a NOC<->NOC communication protocol/procedures (this is at the people layer, not the technical layer.) I suggested that the group develop a charter, form a 501(c)(6), elect officers, obtain D&O insurance and then proceed. I also stated that any such venture was going to require very real money to accomplish, and asked if there was anyone willing to put their money where their mouth is, and monetarily contribute to such a venture (I offered to put up a few hundred dollars.)
>
> Suddenly, the list got very, very quiet. In fact, since I posted that message, there hasn't been a single post to the list. Empirically, this suggests to me that while everyone is quick to spend countless hours expressing an opinion on mailing lists, there is nobody willing to invest in making this happen.

People who coordinate these kinds of consortia do so on a practically full-time basis if they want to get anything done. Asking someone who already has a full-time job (and if it has anything to do with security, several full-time jobs and a bad case of paranoia) to take on that level of additional involvement could be considered prohibitive.
If a specific ISP sponsors the group, what's to stop the rest of the world from accusing that ISP of bias? Same issue with a vendor. The problems of anti-trust are very serious in this arena. If you have an elected board doing volunteer work and meeting on a periodic basis to discuss security, you suffer from the same problem of resources without someone more dedicated to shepherding the process along. Everybody wants a NDA (Non-Disclosure Agreement), but their NDA has to look like THIS while the other ISPs want the NDA to look like THAT.

If the government sponsors the group, they can circumvent the anti-trust issue, but the gov't doesn't ever seem to be happy about just letting things be. Everything has a tendency to become a political pawn. There's a very real possibility that gov't sponsorship of a group trying to set standards for work and incident response could evolve into the basis for regulation. The "r" word frightens everyone in the ISP industry, so no one's taking a proposal to D/ARPA (whichever they are this week) to convince them that this is a good idea. The "r" word frightens a lot of people in gov't as well - many don't want the added overhead of another regulated industry.

The gov't has created a bunch of crisis centers (like NIPC) who won't/can't sponsor an ISP Consortium, but want to be invited to one if it happens. You have CERT, keeping things close to the vest unless you establish a long-term relationship with them. You have SANS, trying to be an industry leader but maybe getting lost in all the noise created by BUGTRAQ and NT BUGTRAQ and the CVE and the Abuse newsgroups and the Abuse mailing lists and ALL the OS security warnings and ALL the Firewall security warnings and the MAPS RBL and the ORBS list and NANOG and the IETF (particularly the GRIP working group) and the FBI's INFRAGARD and every freakin' person who stands up and claims to be a security expert who wants things done HIS way or his university's way or his consortia's way and ON AND ON.
So you have places like CNRI (a non-profit organization which sponsors the XIWT, aka the Cross-Industry Working group, which spawned IOPS, the Internet Operators Consortium) and ICSA (a for-profit organization which sponsors a bunch of consortia, but most relevant here they sponsor ISPSEC, the ISP Security Consortium). Both charge a certain amount of money for membership & they try and get things done, but their efforts are often met with jeers from the community (in fora like, OH I DUNNO, NANOG?) because their consortia cost money, so they aren't open to everyone, so they couldn't possibly provide an accurate representation of the community. But they aren't the only groups out there. There are others. However, there are only so many of us who go to these things - and we can't spend all of our time going to meetings or we become useless, not having time to do our jobs and stay in the loop and able to contribute.

All the groups suffer from the same problems - they slack off, lose funding, re-invent themselves, start some new subgroup, try to drum up interest, etc. Because sustained volunteer work is HARD. If you don't think it's hard, then you don't have enough to do. THEN the next big thing comes along, people get scared, the consortia suddenly get well-attended, NEW groups spring up, the community starts complaining again and the cycle is renewed. That is, until people get bored again, or budgets change or the NEXT big thing that comes along has nothing to do with security. This cycle is old. I know I'm bored with it.

So now what? How do you propose to cull the wheat from the chaff? Get all the right information about what ISPs are trying to do, and going into the lab to test, and researching into the right ears (of other ISPs)? How are you going to get the right people to speak and the wrong people to shut up for a few minutes? Because if it was just as easy as kicking in a few bucks to yet another consortium, I'd do it in a heartbeat.

Kelly J.

--
Kelly J. Cooper - Internet Security Officer
GTE Internetworking - Powered by BBN - 800-632-7638
3 Van de Graaff Drive    Fax - 781-262-2819
Burlington, MA 01803     http://www.bbn.com
On Fri, 10 Mar 2000, Kelly J. Cooper wrote:
> People who coordinate these kinds of consortia do so on a practically full-time basis if they want to get anything done.
Having sat on the board of such an organization, I know this full well. I've also come to realize that this is because many such organizations attempt to do far too many things.
> If a specific ISP sponsors the group, what's to stop the rest of the world from accusing that ISP of bias?
I wasn't suggesting any one ISP sponsor such an entity by itself.
> Same issue with a vendor. The problems of anti-trust are very serious in this arena.
That is entirely dependent on the scope of the organization, how it is formed, and how it behaves in operation.
> If you have an elected board doing volunteer work and meeting on a periodic basis to discuss security, you suffer from the same problem of resources without someone more dedicated to shepherding the process along.
What I've suggested is a much narrower focus initially: creating workable communication/procedures protocols for NOC<->NOC event handling. That's it. Effective communication and event handling is what is needed most IMO, and that which is completely lacking among providers. Having these things would have served to both greatly decrease the length and severity of the recent round of attacks, and more importantly may have significantly aided attempts to track down the perpetrator. People are going to continue to run insecure boxes/networks. People are going to continue to author insecure code. It's a fact of life. It's not a problem that is going to be solved in the short or mid-term by anyone. That is why I feel so strongly that working on a problem where there is a reasonable chance of solving it (communication) is of much greater benefit to the community at large. It certainly is a better expenditure of my time, which is a rare commodity and not something I am eager to waste.
> All the groups suffer from the same problems - they slack off, lose funding, re-invent themselves, start some new subgroup, try to drum up interest, etc. Because sustained volunteer work is HARD. If you don't think it's hard, then you don't have enough to do.
Again, like you, I've been there. I know all too well the difficulties surrounding volunteer labor in this arena. However, as I stated above, I believe this is due to a scoping issue. Trying to be the "all-singing all-dancing organization" is what leads to these failures. As an example of a relatively successful community-based effort, take a look at the RBL. It has maintained a fairly narrow focus, and succeeded on that basis. It should serve as evidence that carefully scoped organizations *can* succeed.
> This cycle is old. I know I'm bored with it.
>
> So now what?
That's up to you.
> How do you propose to cull the wheat from the chaff?
By doing what I've already done: ask that those among us who are willing to put their money where their mouths are do so. It is seemingly damn near the quickest way of shutting up the uncommitted.
> Because if it was just as easy as kicking in a few bucks to yet another consortium, I'd do it in a heartbeat.
That of course isn't enough. The only way that these things are going to get fixed is if people care enough to do so. I'm not holding my breath....

--
Patrick Greenwell
Earth is a single point of failure.