http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-...
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
quite a bit of coverage lately from the media.
http://online.wsj.com/article/SB10001424127887323764804578313101135258708.ht...
http://www.bbc.co.uk/news/world-asia-pacific-21505803
http://www.npr.org/2013/02/19/172373133/report-links-cyber-attacks-on-u-s-to...
http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-u...
On Mon, Feb 18, 2013 at 7:23 PM, Jay Ashworth <jra@baylink.com> wrote:
> http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-...
> -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
--
Kyle Creyts
Information Assurance Professional
BSidesDetroit Organizer
boys and girls, all the cyber-capable countries are cyber-culpable. you can bet that they are all snooping and attacking each other, the united states no less than the rest. news at eleven.
randy
On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
> boys and girls, all the cyber-capable countries are cyber-culpable. you can bet that they are all snooping and attacking each other, the united states no less than the rest. news at eleven.
The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place....
On Feb 20, 2013, at 1:33 PM, valdis.kletnieks@vt.edu wrote:
> On Wed, 20 Feb 2013 15:39:42 +0900, Randy Bush said:
>> boys and girls, all the cyber-capable countries are cyber-culpable. you can bet that they are all snooping and attacking each other, the united states no less than the rest. news at eleven.
> The scary part is that so many things got hacked by a bunch of people who made the totally noob mistake of launching all their attacks from the same place....
This strongly suggests that it's not their A-team, for whatever value of "their" you prefer. (My favorite mistake was some of them updating their Facebook pages when their work took them outside the Great Firewall.) They just don't show much in the way of good operational security.
Aside: A few years ago, a non-US friend of mine mentioned a conversation he'd had with a cyber guy from his own country's military. According to this guy, about 130 countries had active military cyberwarfare units. I don't suppose that the likes of Ruritania has one, but I think it's a safe assumption that more or less every first and second world country, and not a few third world ones are in the list.
The claim here is not that China is engaging in cyberespionage. That would go under the heading of "I'm shocked, shocked to find that there's spying going on here." Rather, the issue that's being raised is the target: commercial firms, rather than the usual military and government secrets. That is what the US is saying goes beyond the usual rules of the game. In fact, the US has blamed not just China but also Russia, France, and Israel (see http://www.israelnationalnews.com/News/News.aspx/165108 -- and note that that's an Israeli news site) for such activities. France was notorious for that in the 1990s; there were many press reports of bugged first class seats on Air France, for example.
The term for what's going on is "cyberexploitation", as opposed to "cyberwar". The US has never come out against it in principle, though it never likes it when aimed at the US. (Every other nation feels the same way about its companies and networks, of course.) For a good analysis of the legal aspects, see http://www.lawfareblog.com/2011/08/what-is-the-government%E2%80%99s-strategy-for-the-cyber-exploitation-threat/
--Steve Bellovin, https://www.cs.columbia.edu/~smb
Very true. The objection is more that the exploits are aimed at civilian rather than (or, more accurately, as well as) military / government / beltway targets.
Which makes the alleged Chinese strategy rather more like financing jehadis to suicide bomb and shoot up hotels and train stations, rather than any sort of disciplined warfare or espionage.
--srs (htc one x)
On 21-Feb-2013 7:40 AM, "Steven Bellovin" <smb@cs.columbia.edu> wrote:
> [...]
When you really look at human behavior the thing that remains the same is core motives. The competition makes sense in that it is human nature to aggress for resources. We are challenged in the "fact" that we 'want' to belong among the other five. This will never change but………….
What is really a travesty here is that most of us have been saying "hey this is critical" and can now shift to "I told you so"… in that if you did what we said to do 1 … 5 …. 10 … years ago .. you would have "mitigated" this risk..
Basically, genetically we have not changed, so what behavior would suggest that (even with the introduction of faster calculators).. why would we change? Just means we would do X faster …….
This is my first comment to the list.. please flame me privately to save the list :) *** or publicly who think I should really be spanked!!! ***
Regards,
Richard
On Feb 20, 2013, at 7:27 PM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
> [...]
The only spanking that has been going on nanog lately is Jay using his email to keep us up to date on current news. I am going to call it a night, and look for a SCUD fired from Florida in the morning. ;)
On 2/20/13 11:29 PM, "Richard Porter" <richard@pedantictheory.com> wrote:
> [...]
On Thursday, February 21, 2013, Warren Bailey wrote:
> The only spanking that has been going on nanog lately is Jay using his email to keep us up to date on current news. I am going to call it a night, and look for a SCUD fired from Florida in the morning. ;)
Nanog setting their list server up to mandate that envelope from matches header from should take care of this .. I see the envelope being whatever, nobody@server.example.com type stuff more often than not, in all these forwarded articles that are supposed to be coming from Jay's account.
--srs
--
--srs (iPad)
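The check suggested in the message above, sketched as an added example (not part of the original post and not the list's actual configuration): compare the SMTP envelope sender (MAIL FROM) with the mailbox in the From: header and refuse mismatched posts. The function names, verdict strings and sample message are constructed for illustration.

```python
"""Added example: refuse list posts whose envelope sender differs from From:."""
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed sample post; the addresses use reserved example domains.
SAMPLE_POST = (
    "From: Jay Example <jay@example.org>\n"
    "To: list@example.net\n"
    "Subject: forwarded article\n"
    "\n"
    "http://news.example/article\n"
)


def normalize(addr):
    """Return a comparable local@domain string, or None if malformed."""
    addr = addr.strip().strip("<>").strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    # Pragmatic choice: compare case-insensitively, as list software usually does.
    return f"{local.lower()}@{domain.lower().rstrip('.')}"


def check_sender_alignment(envelope_from, raw_message, strict=True):
    """Return (verdict, reason) for one submission.

    envelope_from is the MAIL FROM value the MTA saw; raw_message is the
    RFC 5322 text. strict=True demands an exact address match; strict=False
    accepts any envelope sender in the same domain as the From: mailbox.
    """
    # A null reverse-path marks a bounce, never a genuine list post.
    if envelope_from.strip() in ("", "<>"):
        return "reject", "null envelope sender"
    env = normalize(envelope_from)
    if env is None:
        return "reject", "envelope sender is not local@domain"

    msg = message_from_string(raw_message, policy=policy.default)
    from_headers = msg.get_all("From", [])
    # Zero or several From: headers leave the visible author ambiguous.
    if len(from_headers) != 1:
        return "reject", f"expected one From: header, found {len(from_headers)}"
    mailboxes = [a for _, a in getaddresses([str(from_headers[0])]) if a]
    if len(mailboxes) != 1:
        return "reject", "From: must name exactly one mailbox"
    hdr = normalize(mailboxes[0])
    if hdr is None:
        return "reject", "From: address is not local@domain"

    if env == hdr:
        return "accept", "envelope sender matches From:"
    if not strict and env.rpartition("@")[2] == hdr.rpartition("@")[2]:
        return "accept", "envelope sender is in the From: domain"
    return "reject", f"envelope sender {env} does not match From: {hdr}"


def demo():
    """Run the check over constructed envelope senders for SAMPLE_POST."""
    cases = [
        ("jay@example.org", True),            # posted directly by the author
        ("<Jay@Example.ORG>", True),          # same mailbox, different case
        ("nobody@server.example.com", True),  # web 'share this article' relay
        ("bounce-42@example.org", True),      # bounce-style address, strict
        ("bounce-42@example.org", False),     # same, relaxed to domain match
        ("<>", True),                         # null sender
    ]
    return [(env, strict, check_sender_alignment(env, SAMPLE_POST, strict)[0])
            for env, strict in cases]


if __name__ == "__main__":
    for env, strict, verdict in demo():
        print(f"{env:28} strict={strict!s:5} -> {verdict}")
```

Strict matching also refuses legitimate senders whose mail system rewrites the envelope sender for bounce handling, which is what the relaxed same-domain mode is for.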
On Feb 20, 2013, at 9:07 PM, Steven Bellovin <smb@cs.columbia.edu> wrote:
> This strongly suggests that it's not their A-team, for whatever value of "their" you prefer. (My favorite mistake was some of them updating their Facebook pages when their work took them outside the Great Firewall.) They just don't show much in the way of good operational security.
Mandiant apparently feels the same way: http://www.forbes.com/sites/andygreenberg/2013/02/21/the-shanghai-army-unit-...
--Steve Bellovin, https://www.cs.columbia.edu/~smb
We have done our part to China as well along with other countries in state sponsored "hacking". This is more of news amusement rather than news worthy. Question here should be how much of this is another effort to get a "kill switch" type bill back.
Zaid
On Feb 19, 2013, at 10:10 PM, Kyle Creyts <kyle.creyts@gmail.com> wrote:
> [...]
An Internet kill switch is a nightmare. We can't even figure out how to run a relay radio system for national emergencies.. Now we are going to assume the people who were owned can somehow shut off communications?
We as Americans have plenty of things we have done halfass.. I hope an Internet kill switch doesn't end up being one of them. Build your own private networks, you can't get rooted if someone can't knock. Simple as that.
From my Android phone on T-Mobile. The first nationwide 4G network.
-------- Original message --------
From: Zaid Ali Kahn <zaid@zaidali.com>
Date: 02/19/2013 10:44 PM (GMT-08:00)
To: Kyle Creyts <kyle.creyts@gmail.com>
Cc: nanog@nanog.org
Subject: Re: NYT covers China cyberthreat
> [...]
Don't be lulled into complacency by a private network: all it takes is one thumb-drive or rogue AP and you have a back door. Private networks reduce but do not eliminate attackable surface.
David Barak
Sent from a mobile device, please forgive autocorrection.
On Feb 20, 2013, at 2:04 AM, Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:
> [...]
----- Original Message -----
From: "Warren Bailey" <wbailey@satelliteintelligencegroup.com>
> We as Americans have plenty of things we have done halfass.. I hope an Internet kill switch doesn't end up being one of them. Build your own private networks, you can't get rooted if someone can't knock. Simple as that.
Well, Warren, I once had a discussion with someone about whether dedicated DS-1 to tie your SCADA network together were "secure enough" and they asked me:
"Does it run through a DACS? Where can you program the DACS from?"
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274
If you are doing DS0 splitting on the DACS, you'll see that on the other end (it's not like channelized CAS ds1's or PRI's are difficult to look at now) assuming you have access to that. If the DACS is an issue, buy the DACS and lock it up. I was on a .mil project that used old school Coastcom DI III Mux with RLB cards and FXO/FXS cards, that DACS carried some pretty top notch traffic and the microwave network (licensed .gov band) brought it right back to the base that project was owned by. Security is expensive, because you cannot leverage a service provider model effectively around it. You can explain the billion dollars you spent on your global network of CRS-1's, but CRS-1's for a single application usually are difficult to swallow. I'm not saying that it isn't done EVER, I'm just saying there are ways to avoid your 1998 red hat box from rpc.statd exploitation - unplug aforementioned boxen from inter webs.
If you created a LAN at your house, disabled all types of insertable media, and had a decent lock on your front door, it would be pretty difficult to own that network. Sure there are spy types that argue EMI emission from cable etc, but they solved that issue with their tin foil hats. We broadcast extremely sensitive information (financial, medical, etc) to probably 75% of the world's population all day long, if you walk outside of your house today my signal will be broadcasting down upon sunny St. Petersburg, Florida. Satellite Communications are widely used, the signal is propagated (from GSO generally) over a relatively wide area and no one knows the better. And for those of you who say.. I CAN LOOK AT A SPEC AN TO FIND THE SIGNAL, MEASURE AND DEMODULATE! Take a look at spread spectrum TDMA operation - my signal to noise on my returns is often -4dB to -6dB c/n0 and spread at a factor of 4 to 8. They are expensive, but as far as the planet is concerned they are awgn. I guess it's my argument that if you do a good enough job blending a signal into the noise, you are much more likely to maintain secrecy.
On 2/20/13 9:13 AM, "Jay Ashworth" <jra@baylink.com> wrote:
> [...]
From: Warren Bailey [mailto:wbailey@satelliteintelligencegroup.com]
> If you are doing DS0 splitting on the DACS, you'll see that on the other end (it's not like channelized CAS ds1's or PRI's are difficult to look at now) assuming you have access to that. If the DACS is an issue, buy the DACS and lock it up. I was on a .mil project that used old school Coastcom DI III Mux with RLB cards and FXO/FXS cards, that DACS carried some pretty top notch traffic and the microwave network (licensed .gov band) brought it right back to the base that project was owned by. Security is expensive, because you cannot leverage a service provider model effectively around it. You can explain the billion dollars you spent on your global network of CRS-1's, but CRS-1's for a single application usually are difficult to swallow. I'm not saying that it isn't done EVER, I'm just saying there are ways to avoid your 1998 red hat box from rpc.statd exploitation - unplug aforementioned boxen from inter webs.
Our connections to various .mil and others are private ds1's with full on end to end crypto over them. You can potentially kill our connections, but you're not snooping them or injecting traffic into them.
Jamie
I did not approach the inline encryption units on purpose. Obviously anything that leaves .mil land not riding something blessed by DISA is going to have something like a KG on both ends. Generally Satellite systems use TRANSEC, though in our line of work it's an extremely expensive add-on to an otherwise decent security implementation. I'm not saying it can NEVER be owned, I'm just saying that 90% of the l33t hax0rs who are going to look to own something are doing so because it is somehow exposed to public infrastructure. If I were to put up an SCPC (single channel per carrier, synonymous to point to point circuits) circuit between point A and B, the persons looking to intercept my traffic would need to know quite a bit of information about my signals.. Origination Point, Destination Point, Modulation, Symbol Rates, Center Frequencies, PN codes, TRANSEC keys, IP lay out, etc. You won't hear me talk about how something is absolutely and completely secure, but you will hear me preach from the rooftops the application of technology that many people believe is outdated and abandoned. There is a reason media providers and MSO's still use Satellite to downlink video signals. The military is still heavily invested in this type of technology because you are able to completely bypass traditionally used infrastructure, and Utility companies are jumping on the band wagon as well. I know of several SCADA (massive power companies) networks that ride satellite completely for this reason. You can justify the cost and latency with the security of owning a network that is completely removed from the usual infrastructure.
On 2/20/13 10:05 AM, "Jamie Bowden" <jamie@photon.com> wrote:
> [...]
Many DACS have provision for "monitoring" circuits and feeding the data off to a third circuit in an undetectable manner.
The DACS question wasn't about DACS owned by the people using the circuit, it was about DACS inside the circuit provider. When you buy a DS1 that goes through more than one CO in between two points, you're virtually guaranteed that it goes through one or more of {DS-3 Mux, Fiber Mux, DACS, etc.}. All of these are under the control of the circuit provider and not you.
Owen
On Feb 20, 2013, at 09:47 , Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:
> [...]
----- Original Message -----
From: "Owen DeLong" <owen@delong.com>
> Many DACS have provision for "monitoring" circuits and feeding the data off to a third circuit in an undetectable manner.
> The DACS question wasn't about DACS owned by the people using the circuit, it was about DACS inside the circuit provider. When you buy a DS1 that goes through more than one CO in between two points, you're virtually guaranteed that it goes through one or more of {DS-3 Mux, Fiber Mux, DACS, etc.}. All of these are under the control of the circuit provider and not you.
Correct, and they expand the attack surface in ways that even many network engineers may not consider unless prompted.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274
Isn't this a strong argument to deploy and operate a network independent of the traditional switch circuit provider space?
On 2/20/13 11:22 AM, "Jay Ashworth" <jra@baylink.com> wrote:
----- Original Message -----
From: "Owen DeLong" <owen@delong.com>
Many DACS have provision for "monitoring" circuits and feeding the data off to a third circuit in an undetectable manner.
The DACS question wasn't about DACS owned by the people using the circuit, it was about DACS inside the circuit provider. When you buy a DS1 that goes through more than one CO in between two points, you're virtually guaranteed that it goes through one or more of {DS-3 Mux, Fiber Mux, DACS, etc.}. All of these are under the control of the circuit provider and not you.
Correct, and they expand the attack surface in ways that even many network engineers may not consider unless prompted.
Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
If you have that option, I suppose that would be one way to solve it. I, rather, see it as a reason to:
1. Cryptographically secure links that may be carrying private data.
2. Rotate cryptographic keys (relatively) often on such links.
YMMV, but I think encryption is a lot cheaper than building a telco. Especially over long distances.
Owen
On Feb 20, 2013, at 11:33 , Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:
Isn't this a strong argument to deploy and operate a network independent of the traditional switch circuit provider space?
On 2/20/13 11:22 AM, "Jay Ashworth" <jra@baylink.com> wrote:
----- Original Message -----
From: "Owen DeLong" <owen@delong.com>
Many DACS have provision for "monitoring" circuits and feeding the data off to a third circuit in an undetectable manner.
The DACS question wasn't about DACS owned by the people using the circuit, it was about DACS inside the circuit provider. When you buy a DS1 that goes through more than one CO in between two points, you're virtually guaranteed that it goes through one or more of {DS-3 Mux, Fiber Mux, DACS, etc.}. All of these are under the control of the circuit provider and not you.
Correct, and they expand the attack surface in ways that even many network engineers may not consider unless prompted.
Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
--- On Wed, 2/20/13, Jay Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Owen DeLong" <owen@delong.com>
The DACS question wasn't about DACS owned by the people using the circuit, it was about DACS inside the circuit provider. When you buy a DS1 that goes through more than one CO in between two points, you're virtually guaranteed that it goes through one or more of {DS-3 Mux, Fiber Mux, DACS, etc.}. All of these are under the control of the circuit provider and not you.
Correct, and they expand the attack surface in ways that even many network engineers may not consider unless prompted.
This is precisely the value of encryption on point to point links, preferably at the link layer rather than at the IP layer. When coupled with decent end-to-end application-layer encryption on top of that, the value proposition for sniffing traffic from the network drops a whole lot.
David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com
On Wed, Feb 20, 2013 at 9:13 AM, Jay Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Warren Bailey" <wbailey@satelliteintelligencegroup.com>
We as Americans have plenty of things we have done halfass.. I hope an Internet kill switch doesn't end up being one of them. Build your own private networks, you can't get rooted if someone can't knock. Simple as that.
Well, Warren, I once had a discussion with someone about whether dedicated DS-1 to tie your SCADA network together were "secure enough" and they asked me:
"Does it run through a DACS? Where can you program the DACS from?"
Did you open that PDF regarding DACS security? http://money.cnn.com/2013/02/20/news/economy/hacking-infrastructure/index.ht...
CB
Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
On Wed, 20 Feb 2013, Jay Ashworth wrote:
Well, Warren, I once had a discussion with someone about whether dedicated DS-1 to tie your SCADA network together were "secure enough" and they asked me:
"Does it run through a DACS? Where can you program the DACS from?"
See thread: nanog impossible circuit
Even your leased lines can have packets copied off or injected into them, apparently so easily it can be done by accident.
----------------------------------------------------------------------
Jon Lewis, MCP :)           | I route
Senior Network Engineer     | therefore you are
Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On 2/20/2013 1:05 PM, Jon Lewis wrote:
See thread: nanog impossible circuit
Even your leased lines can have packets copied off or injected into them, apparently so easily it can be done by accident.
This is especially true with pseudo-wire and mpls. Most of my equipment can filter based mirror to alternative mpls circuits where I can drop packets into my analyzers. If I misconfigure, those packets could easily find themselves back on public networks. Jack
On Feb 20, 2013, at 3:20 PM, Jack Bates <jbates@brightok.net> wrote:
On 2/20/2013 1:05 PM, Jon Lewis wrote:
See thread: nanog impossible circuit
Even your leased lines can have packets copied off or injected into them, apparently so easily it can be done by accident.
This is especially true with pseudo-wire and mpls. Most of my equipment can filter based mirror to alternative mpls circuits where I can drop packets into my analyzers. If I misconfigure, those packets could easily find themselves back on public networks.
An amazing percentage of "private" lines are pseudowires, and neither you nor your telco salesdroid can know or tell; even the "real" circuits are routed through DACS, ATM switches, and the like. This is what link encryptors are all about; use them. (Way back when, we had a policy of using link encryptors on all overseas circuits -- there was a high enough probability of underwater fiber cuts, perhaps by fishing trawlers or "fishing trawlers", that our circuits might suddenly end up on a satellite link. And we were only worrying about commercial-grade security.)
--Steve Bellovin, https://www.cs.columbia.edu/~smb
On 20 February 2013 08:04, Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:
An Internet kill switch is a nightmare. We can't even figure out how to run a relay radio system for national emergencies.. Now we are going to assume the people who were owned can somehow shut off communications?
We as Americans have plenty of things we have done halfass.. I hope an Internet kill switch doesn't end up being one of them. Build your own private networks, you can't get rooted if someone can't knock. Simple as that.
He!, we share the internet with America. If you guys decide to build and use an internet kill switch, just nuke your part of the internet. People outside the USA are happy with the internet, and we need it :D just don't use code 666 on the keypad :D http://www.youtube.com/watch?v=Ed6Yr81jZ6g
I know there's a lot of it, and if suddenly tomorrow an enormous solar flare kills every electronic device on the American continent, we will have problems here in Europe. I just want to make sure you guys know that we want our part of the internet to continue, even if you guys decide to pull the plug.
-- -- ℱin del ℳensaje.
This is an improvement over some Russian spies that have the passwords written down on a piece of paper. http://www.networkworld.com/news/2010/063010-russian-spy-ring.html?hpg1=bn
<<One of the technical issues the ring faced was described by one suspect in a message to Moscow reporting on a meeting between two spies "A" and "M": "Meeting with M went as planned … A passed to M laptop, two flash drives, and $9K in cash. From what M described, the problem with his equipment is due to his laptop "hanging"/"freezing" before completion of the normal program run." >>
Windows XP crappiness, slowing down Russian spies :D
My password at home is "don't be the low hanging fruit". Every time that I read on the news that the USA is funding this or that cracking group I get a bit angry. That's a world where it is best to not put money. More like direct Interpol to stop mafias profiting from it, to remove money from it. The last thing we want is a "cyber arms race". But if you don't want one, don't start one.
-- -- ℱin del ℳensaje.
participants (16)
- .
- Cameron Byrne
- David Barak
- Jack Bates
- Jamie Bowden
- Jay Ashworth
- Jon Lewis
- Kyle Creyts
- Owen DeLong
- Randy Bush
- Richard Porter
- Steven Bellovin
- Suresh Ramasubramanian
- Valdis.Kletnieks@vt.edu
- Warren Bailey
- Zaid Ali Kahn