White House to Propose System for Wide Monitoring of Internet (fwd)
[This just jumped into the operational arena. Are you prepared with the router port for John Poindexter's vacuum? What changes will you need to make? What will they cost? Who will pay?] <http://www.nytimes.com/2002/12/20/technology/20MONI.html?pagewanted=print&position=top> December 20, 2002 White House to Propose System for Wide Monitoring of Internet By JOHN MARKOFF and JOHN SCHWARTZ The Bush administration is planning to propose requiring Internet service providers to help build a centralized system to enable broad monitoring of the Internet and, potentially, surveillance of its users. The proposal is part of a final version of a report, "The National Strategy to Secure Cyberspace," set for release early next year, according to several people who have been briefed on the report. It is a component of the effort to increase national security after the Sept. 11 attacks. The President's Critical Infrastructure Protection Board is preparing the report, and it is intended to create public and private cooperation to regulate and defend the national computer networks, not only from everyday hazards like viruses but also from terrorist attack. Ultimately the report is intended to provide an Internet strategy for the new Department of Homeland Security. ..............................
On Fri, 20 Dec 2002, David Lesher wrote:
[This just jumped into the operational arena. Are you prepared with the router port for John Poindexter's vacuum? What changes will you need to make? What will they cost? Who will pay?]
I read this in the paper this morning. The article is a summary of a summary of a briefing, and contains contradictory statements, ranging from the tracking of end-users web browsing (bad) to a clearing house to gather real-time information of attacks in progress (which sounds like a good idea to me). I'm reserving judgement until there are some actual facts. ========================================================== Chris Candreva -- chris@westnet.com -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
The -real- challenge is to create a system -capable- of monitoring the entire internet.... Today there isn't enough horsepower to accomplish such a thing, except by "exception to the rule", rather than "the rule". In analogy: We can adjust the flows of the Hoover (remember him ?) Damn, we cannot however stop to count bacteria in each and every drop, using today's technology. As I recall, didn't Hitler have basically the same problem in WWII ? Now we have to ask ourselves: What can we learn from history ? David Lesher wrote:
[This just jumped into the operational arena. Are you prepared with the router port for John Poindexter's vacuum? What changes will you need to make? What will they cost? Who will pay?]
<http://www.nytimes.com/2002/12/20/technology/20MONI.html?pagewanted=print&position=top>
December 20, 2002
White House to Propose System for Wide Monitoring of Internet
By JOHN MARKOFF and JOHN SCHWARTZ
The Bush administration is planning to propose requiring Internet service providers to help build a centralized system to enable broad monitoring of the Internet and, potentially, surveillance of its users.
The proposal is part of a final version of a report, "The National Strategy to Secure Cyberspace," set for release early next year, according to several people who have been briefed on the report. It is a component of the effort to increase national security after the Sept. 11 attacks.
The President's Critical Infrastructure Protection Board is preparing the report, and it is intended to create public and private cooperation to regulate and defend the national computer networks, not only from everyday hazards like viruses but also from terrorist attack. Ultimately the report is intended to provide an Internet strategy for the new Department of Homeland Security.
..............................
On Fri, Dec 20, 2002 at 11:12:43AM -0500, David Lesher wrote:
[This just jumped into the operational arena. Are you prepared with the router port for John Poindexter's vacuum? What changes will you need to make? What will they cost? Who will pay?]
<http://www.nytimes.com/2002/12/20/technology/20MONI.html?pagewanted=print&position=top>
December 20, 2002
White House to Propose System for Wide Monitoring of Internet
By JOHN MARKOFF and JOHN SCHWARTZ
The Bush administration is planning to propose requiring Internet service providers to help build a centralized system to enable broad monitoring of the Internet and, potentially, surveillance of its users.
The proposal is part of a final version of a report, "The National Strategy to Secure Cyberspace," set for release early next year, according to several people who have been briefed on the report. It is a component of the effort to increase national security after the Sept. 11 attacks.
The President's Critical Infrastructure Protection Board is preparing the report, and it is intended to create public and private cooperation to regulate and defend the national computer networks, not only from everyday hazards like viruses but also from terrorist attack. Ultimately the report is intended to provide an Internet strategy for the new Department of Homeland Security.
..............................
Heard about this on the news this morning and you know, I am so not worried about it. IMO, it's so completely unfeasable at every level as to be actually funny. So they want us to monitor our customers. Okay, define that. You mean you want me to snarf packets off a fully loaded OC-48 link and analyze them in real time? No? You mean you just want it at the customer boundries? So now I have to hook this up to each of perhaps 250 routers? Are you going to pay for this? No? You mean you consider it a "cost of doing business." So who makes this gear? Thats something that the router vendors have to do and integrate them into their systems? And who is going to pay for that cost? "Cost of doing business" again, eh? And naturally, those costs get passed onto us, the providers and we pass them along to the customers. What about your cries for "affordable internet" for the "underprivileged"? Okay, back to the technical questions... You want me to track the hack-of-the-day and track it back to its source despite the fact that it takes no small amount of effort to correlate this stuff? You say you want coppies of all email meeting certain criteria? You say you want me to keep track of each web page users visit to watch for patterns? Now you want to know what they're buying online too? Oh, and while you're at it, you say you also want to use this convenient access to look into other areas of potentially criminal activity? Oh, REALLY? Just keeping track of the gigabytes of data per hour even a moderately sized ISP can generate poses its own technical challenge. (And sifting through that borders on impossible.) Not to mention deploying systems all over the U.S., maintaining those systems, altering various other systems to permit their use, and maintaining an open pipeline to Big Brother (probably several) at our own expense, yadda, yadda, yadda. The whole thing is just not practical if, indeed, it's even possible. But it is good for a laugh. -Wayne --- Wayne Bouchard web@typo.org Network Engineer http://www.typo.org/~web/resume.html
"Wayne E. Bouchard" wrote:
On Fri, Dec 20, 2002 at 11:12:43AM -0500, David Lesher wrote: But it is good for a laugh.
Or a cry. :) :* :( FWIW, One American Government Legislative body, all full of itself, had all but passed an act requiring the value of PI to be legislated to 3, from 3.1415..~etc.... "Suits" don't like to be bothered with details, eh ? ...Never forget "A Divine Comedy", really isn't.
-Wayne
http://www.urbanlegends.com/legal/pi_indiana.html
--- Wayne Bouchard web@typo.org Network Engineer http://www.typo.org/~web/resume.html
On Fri, 20 Dec 2002 11:31:39 MST, "Wayne E. Bouchard" said:
On Fri, Dec 20, 2002 at 11:12:43AM -0500, David Lesher wrote:
[This just jumped into the operational arena. Are you prepared with the router port for John Poindexter's vacuum? What changes will you need to make? What will they cost? Who will pay?]
Heard about this on the news this morning and you know, I am so not worried about it.
IMO, it's so completely unfeasable at every level as to be actually funny.
All the same, I suggest you forward the rest of your quite well-reasoned comments to your congresscritter and/or the White House. Remember that the idea was probably propsed by people who have little or no clue of what the actual impact would be - and the final decision will likely be made by somebody with even less technical edge. The truly scary part is that it could actually be approved....
On Fri, 20 Dec 2002, David Lesher wrote: :[This just jumped into the operational arena. Are you prepared :with the router port for John Poindexter's vacuum? What changes :will you need to make? What will they cost? Who will pay?] There is a really easy way to accomplish this, and it has been apparently partially implemented within UUNet as an overlaid network of GRE tunnels for a few years, at least based on a Nanog presentaton from October 1999. This can be accomplished quite cost effectively, provided the government doesn't want to archive *everything*. I keep mentioning this, and for some reason few people seem to recognize how profoundly simple it would be for the government to legislate themselves into exchange points and have the authority to announce certain prefixes to the IX, tunnel the traffic of the affected route into their own network, and monitor it without ever showing up in a traceroute. MPLS makes this even simpler, where certain routes can be tagged and switched invisibly into the Total Information Awareness network for monitoring, and switched back out with nobody being the wiser. Technically this is simple. The infrastructure is in place, it just needs some legal teeth. As soon as they figure out BGP, governments could seek authority over exchange point routing tables so that they can implement data sanctions against foreign and/or non-compliant ASN's. It's pretty easy to imagine, we'll just have to see how it plays out. Also, if you want to monitor massive amounts of data (something people say can't be done easily) you just demux it using a device like those at www.toplayer.com, or http://www.radware.com/content/products/fire.asp . Both solutions are adequate for breaking up massive amounts of data. I could write snort signatures that will trigger a session to be re-routed based on packet content. It's fugly, but if I can do it in my basement, a multi-billion dollar agency acting on behalf of the only global superpower can probably think up something a little more elegant. :) -- batz
Cough! On Fri, 20 Dec 2002, batz wrote:
On Fri, 20 Dec 2002, David Lesher wrote:
:[This just jumped into the operational arena. Are you prepared :with the router port for John Poindexter's vacuum? What changes :will you need to make? What will they cost? Who will pay?]
There is a really easy way to accomplish this, and it has been apparently partially implemented within UUNet as an overlaid network of GRE tunnels for a few years, at least based on a Nanog presentaton from October 1999.
This is incorrect, this isn't implemented, its not implementable, current routing gear doesn't gre tunnel a) fast enough, b) at all.... HOWEVER, juniper will allow you to copy packets on an interface in 5.5 or perhaps a bit later code, this is one way to implement this... however having a new oc-X for each oc-X you wanna monitor. I wonder if there is a limit to the amount of fiber the OCS/NCS/NPIC wants to monitor?
This can be accomplished quite cost effectively, provided the government doesn't want to archive *everything*.
even if the gre tunnel (Center Track (c) Robert Stone, et al.) idea worked right and scaled correctly things would still be 'expensive'... to monitor/maintain/manage.
I keep mentioning this, and for some reason few people seem to recognize how profoundly simple it would be for the government to legislate themselves into exchange points and have the authority to announce certain prefixes to the IX, tunnel the traffic of the affected route into their own network, and monitor it without ever showing up in a traceroute.
Sure, or they could ask carriers to tap lines for them silently... in fact they can do that today with a court order. -Chris
"Christopher L. Morrow" wrote:
Cough! Sure, or they could ask carriers to tap lines for them silently... in fact they can do that today with a court order.
Nope. USA Patriot Act, No Court Order Needed. :( Civil Liberties for Tax Refunds, Takers ? :P A COO I know is actually enthused, all he can say is "Do you know how much money that means to me ?!" Dohh! The Myopia of the Rich, eh ? He also spouted the philosophy, one day: "Give the money to the Rich, and they can put it into the Bank... and the rest of you can borrow it.... it will stimulate the economy." A verbatim quote. ( He is GOP, FWIW. ) * shudder * So, we can borrow it -=without=- a source of income ?
-Chris
On Fri, 20 Dec 2002, Christopher L. Morrow wrote: :Cough! Heh. Bless you. ;) :This is incorrect, this isn't implemented, its not implementable, current :routing gear doesn't gre tunnel a) fast enough, b) at all.... HOWEVER, :juniper will allow you to copy packets on an interface in 5.5 or perhaps a :bit later code, this is one way to implement this... however having a new :oc-X for each oc-X you wanna monitor. I wonder if there is a limit to the :amount of fiber the OCS/NCS/NPIC wants to monitor? I was told it was implemented when I called security a couple of years ago, and then my other questions were met with "no comment". "No comment" is the appropriate response to a stranger calling and asking for security information, and doesn't imply any other answer, and I am willing to accept that it is no longer implemented, but somebody told me it was. I am willing to accept that the person I spoke to misinterpreted my question. That said, I don't think it's economical to want to tap an oc-X, but being able to grab single sessions doesn't necessarily have to scale if they aren't grabbing lots of them, and can access them relatively close to their source. It's the same issues as running IDS's. Lets say you have a an IDS load balancer sitting on a GigE span port with a few sensors watching everything go by. If an alert is triggered, a script is executed which goes out to the router closest to the origin of the session and initiates the overlaid tunnel. :even if the gre tunnel (Center Track (c) Robert Stone, et al.) idea worked :right and scaled correctly things would still be 'expensive'... to :monitor/maintain/manage. Well, one would assume that these features would be necessary for the maintainance of a robust security policy and architecture implementation. The value is the same value that you get from regular IDS's, just with a new customer. :Sure, or they could ask carriers to tap lines for them silently... in fact :they can do that today with a court order. Indeed, and building features for automating the initialization of those taps into the network is not extrordinarily difficult. (I retract my "profoundly simple" comment.) The cost of doing so is another loss avoidance cost that would be integrated into the overhead cost that we currently call security anyway. Are you suggesting that there might be money to be made by someone who offered to integrate this sort of surviellence architecture into a network? -- batz
On Fri, 20 Dec 2002, batz wrote:
On Fri, 20 Dec 2002, Christopher L. Morrow wrote:
:Cough!
Heh. Bless you. ;)
its this damned changing weather :)
:This is incorrect, this isn't implemented, its not implementable, current :routing gear doesn't gre tunnel a) fast enough, b) at all.... HOWEVER, :juniper will allow you to copy packets on an interface in 5.5 or perhaps a :bit later code, this is one way to implement this... however having a new :oc-X for each oc-X you wanna monitor. I wonder if there is a limit to the :amount of fiber the OCS/NCS/NPIC wants to monitor?
I was told it was implemented when I called security a couple of years ago, and then my other questions were met with "no comment". "No comment" is the appropriate response to a stranger calling and asking for security information, and doesn't imply any other answer, and I am willing to accept that it is no longer implemented, but somebody told me it was. I am willing to accept that the person I spoke to misinterpreted my question.
its not that they misinterpretted, its that its NOT EVER been implemented.
That said, I don't think it's economical to want to tap an oc-X, but being able to grab single sessions doesn't necessarily have to scale if they aren't grabbing lots of them, and can access them relatively close to their source. It's the same issues as running IDS's.
Except rarely (for larger pipes) are things symetrically routed. So, lets take my favorite example: ebay. Your session to ebay is only really reliably symetric at the router upstream from your workstation... all other paths become highly asymetric quickly, most likely.
Lets say you have a an IDS load balancer sitting on a GigE span port with a few sensors watching everything go by. If an alert is triggered, a script is executed which goes out to the router closest to the origin of the session and initiates the overlaid tunnel.
For this I'd think 'riverhead box' and again, only at the datacenter where the LB was, or at your facility infront of your workstation.
:even if the gre tunnel (Center Track (c) Robert Stone, et al.) idea worked :right and scaled correctly things would still be 'expensive'... to :monitor/maintain/manage.
Well, one would assume that these features would be necessary for the maintainance of a robust security policy and architecture implementation. The value is the same value that you get from regular IDS's, just with a new customer.
Ok, so lets say you wanted to IDS the 'internet' or 'any large ISP' (Verio/UU/AOL/ATT/Sprint... make your list) there is little gig-e to monitor, alot of oc-12/48/192. There isn't an IDS that can truely monitor a oc-12 yet, never mind multipath oc-12's (dual/tri/quad paths in the same box) The CenterTrack concept was never supposed to IDS traffic, it incurs a large latency for the traffic and actually isn't implementable on 90% or more of the edge routing gear of these providers.
:Sure, or they could ask carriers to tap lines for them silently... in fact :they can do that today with a court order.
Indeed, and building features for automating the initialization of those taps into the network is not extrordinarily difficult. (I retract my "profoundly simple" comment.) The cost of doing so is another loss avoidance cost that would be integrated into the overhead cost that we currently call security anyway.
Hmm, actually it is pretty darned simple, no-export+no-advertise do this for you quickly, then trigger when you want to watch paul vixie's hotmail activities... simple enough really. This gets back to distributing 'sensors' to each pop, on each carrier and having dedicated ports on routers to support this... This seems like a very large cost to bear, more than 'cost of doing business'.
Are you suggesting that there might be money to be made by someone who offered to integrate this sort of surviellence architecture into a network?
I'm not, but lots of people are already selling this very thing... riverhead arbor mazu cloudshield toplayer all of these vendors provide products capable of this kind of 'surveillance', whether or not thats the touted talking point or not, each can provide this 'surveillance'.
On Sat, 21 Dec 2002, Christopher L. Morrow wrote: Regarding CenterTrack: : :its not that they misinterpretted, its that its NOT EVER been implemented. I am content to believe you. However, that CenterTrack has never been implemented does not mean that a system for collecting IP session data has never been implemented. This further suggests that automated law enforcement access is also not impossible, which was my original point. :Ok, so lets say you wanted to IDS the 'internet' or 'any large ISP' :(Verio/UU/AOL/ATT/Sprint... make your list) there is little gig-e to :monitor, alot of oc-12/48/192. There isn't an IDS that can truely monitor :a oc-12 yet, never mind multipath oc-12's (dual/tri/quad paths in the same :box) Anyone with that size link could be deemed "carrier class" and be compelled to install monitoring equipment within their network. Though admittedly I don't think it's useful to speculate on the legislative "could"'s. :Hmm, actually it is pretty darned simple, no-export+no-advertise do this :for you quickly, then trigger when you want to watch paul vixie's hotmail :activities... simple enough really. This gets back to distributing :'sensors' to each pop, on each carrier and having dedicated ports on :routers to support this... This seems like a very large cost to bear, more :than 'cost of doing business'. Those costs of doing business can be regulated, which it looks like they just might be. Same as the whole PEN register thing for telcoms. Also, if you have an existing IDS infrastructure, it is not difficult to add this kind of LEO-access to it. It is as simple as giving them a view of your security management console. :all of these vendors provide products capable of this kind of :'surveillance', whether or not thats the touted talking point or not, each :can provide this 'surveillance'. At least one of the vendors you listed does in fact tout the products surveillance features, at least during their sales pitch. The funny thing in my biz (IT security) is that I think it's the only one where people sell things by not saying what they can be used for. They nod meaningfully while saying that they can't really say just what it is that people use it for. Customers think "Wow, I've never even heard of this, and the sales guy won't even tell me what it does, it *must* be valuable beyond imagination!". To hear them tell it, it's as if they are selling a turnkey blackbox ROI Generator, which uses top secret military technology that "leverages dynamic security policies". Before there was carnivore, law enforcement got access to network data, and I have a few anecdotal accounts of how this was done. There is no reason why LEA's couldn't ask ISP's to permanently integrate this access into their networks. -- batz
On Fri, 20 Dec 2002, batz wrote:
Lets say you have a an IDS load balancer sitting on a GigE span port with a few sensors watching everything go by. If an alert is triggered, a script is executed which goes out to the router closest to the origin of the session and initiates the overlaid tunnel.
On any major backbone the IDS function becomes GlobalIDSFunction() { While (1) { printf("Attack Detected!"); } } Do you really want an automatic wiretap installed on your line every time an attack is detected? Have you recently connected a system to the Internet that hasn't been attacked?
On Sun, 22 Dec 2002, Sean Donelan wrote:
On Fri, 20 Dec 2002, batz wrote:
Lets say you have a an IDS load balancer sitting on a GigE span port with a few sensors watching everything go by. If an alert is triggered, a script is executed which goes out to the router closest to the origin of the session and initiates the overlaid tunnel.
On any major backbone the IDS function becomes
GlobalIDSFunction() { While (1) { printf("Attack Detected!"); } }
An overlaid tunnel initiates each time THIS MANY attack is detected? Wow... I'd imagine...: System restarted by error - a Software forced crash, PC 0x602E3780 :-) -hc
Do you really want an automatic wiretap installed on your line every time an attack is detected? Have you recently connected a system to the Internet that hasn't been attacked?
On Sun, 22 Dec 2002, Sean Donelan wrote: :On any major backbone the IDS function becomes : :GlobalIDSFunction() { : While (1) { : printf("Attack Detected!"); : } :} : :Do you really want an automatic wiretap installed on your line :every time an attack is detected? Have you recently connected a :system to the Internet that hasn't been attacked? It depends on the attack you are looking for. All signatures are not created equal. Also, the actual logic is a little more like: For each attack_source_ip, if all attacks in attack_source are the same, send low alert. If attacks from any single attack_source are different, with a range of more than 2 distinct attacks, look into it. attack_source can be anything from a /32 to a /24, with monthly reports breaking it down into the diversity of attacks originating from certain ASN's so that followup can be done with the ISP. The idea being that you only respond to incidents where followup may yeild meaningful results. Those incidents can be recognized by the diversity of attacks originating from a single area and followed up based on their ISP. The diversity of attacks will provide compelling evidence that there is someone making a concerted effort to crack a network, instead of just worm activity. You will miss script kids that bounce all over their compromised machines around the world, but even if you collected all the information about those attacks, there is little value in tracking them down anyway. The interjurisdictional administrative hell makes it more cost effective to just lock down your network than to re-enact The Cuckoos Egg. Back to the law enforcement access issue, they could really just be collecting intelligence from the sensors, to inform their decision on who to follow up with an investigation on. IDS's aren't as useful for giving evidence (IMHO) because there are too many variables (like asymmetry, log integrity, chain of evidence etc) to take into account. What they can do very well is tell you where suspicious activity is originating from and tell you whether further analysis is warranted. eg, whether to have someone sieze the machine as physical evidence, as that's where it's all got to come from for prosecution anyway, or to monitor that sites traffic for more information before launching a full seizure. So, the value of an IDS, or law enforcement access to IDS-like devices for sifting information, is to assess who they should be investigating, not to be used as an investigative tool by itself. As for how they can do it, they can't put it in a core somewhere. They would have to put inexpensive ones connected as close to the customer equipment as possible. This could be at the edge of a CUG as some people call it, or as Chris Morrow mentioned, one in each POP. As far as doing it at an exchange point, it is still possible to redirect all traffic originating from within a large ISP and destined to a single site through a secondary GigE monitoring network. I would be suprised if anyone currently sustains 500Mb/s of traffic from one of customers to any single IP address that is outside their own network. It doesn't matter if I am wrong, as for the purposes of monitoring for further information, it still works. Adding them to POP's would make sense as there is a geographical basis for their distribution, something law enforcement likes and understands quite well, as that's how their jurisdictions are laid out. The reason I am persuing this is that I would hate for people to waste their energy insisting that ubiquitous intelligence and law enforcement access to Internet traffic is impossible. It can be made very possible, just not in the way, or for the same reasons, some people might imagine it. -- batz
On Mon, 23 Dec 2002 13:26:16 EST, batz said:
You will miss script kids that bounce all over their compromised machines around the world, but even if you collected all the information about those attacks, there is little value in tracking them down anyway. The interjurisdictional administrative hell makes it more cost effective to just lock down your network than to re-enact The Cuckoos Egg.
Unfortunately, this is (or should be) part of the threat model. What makes you think that J Random Cyberterrorist is any stupider than the guys Stoll was chasing? -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
On Mon, 23 Dec 2002 Valdis.Kletnieks@vt.edu wrote: :Unfortunately, this is (or should be) part of the threat model. What makes :you think that J Random Cyberterrorist is any stupider than the guys Stoll :was chasing? Because Random J Cyberterrorist would know that the probability of success and scope of damage of his action is substantially less than that of a physical attack, given the resources he has to spend on it. Also, this threat can be mitigated more cost effectively through system and network hardening than by expanding the monitoring infrastructure to be able to handle such a difficult to codify threat (in any general sense). Cyberattacks (again IMHO) are still in the realm of being opportunistic, as we have seen that given as little as $5-10,000, the resources necessary to reliably cause widespread damage are better spent on a plane ticket than a hacker. The cyberterrorist threat is based upon the exposure of network systems and the motivation of the attacker. What is not taken into account in this threat description is the other, more reliable and severe options available to someone with the same resources and motives. In the triage of sorting out what to protect and how to protect it, we can exercise lots of control over our technology, and given a limited threat model, we can be relatively successful. However, some threats are best dealt with by limiting our assets exposure to them instead of building in safeguards whose reliability is inversely proportional to their complexity. :) Thus (IMHO again) there is limited value in using what is ultimately a passive monitoring technology to combat the most agile and directed threats against the network. These agile threats being sophisticated hackers using multiple source hosts and jurisdictions, who can evade sensors and who leverage the inherant administrative overhead of tracking them. The only defense against them is to keep your patch levels current, your firewalls strict, and watch until they get lazy and make a mistake. The only way to catch them is if they use multiple sources over a short period of time with diverse attacks, thus your search token in the logs would be the timeframe. Needless to say, given the amount of cruft that sensors amass, this isn't very reliable. I have a hacker koan that expresses this problem: It does not matter who is watching if you are invisible. A sensor can only see what it is looking for. A hacker cannot be seen merely by looking. Cheers:) -- batz
Also, this threat can be mitigated more cost effectively through system and network hardening than by expanding the monitoring infrastructure to be able to handle such a difficult to codify threat (in any general sense).
I agree totally. However, it's unglamorous, and not as sexy of an announcement - or as cool looking - as saying the Federal UberSOC is on its way. But it's Uncle Sam doing what he does best - reinventing a less-capable wheel at a higher cost.
Cyberattacks (again IMHO) are still in the realm of being opportunistic, as we have seen that given as little as $5-10,000, the resources necessary to reliably cause widespread damage are better spent on a plane ticket than a hacker.
Definitely agree - 0911 was done for under $150K according to some reports, and if you think about it, the terrorists got a heck of a return for their investment, far more than they could hope to achive in a 'cyberwar' attack. The motive of terrorism is to sow fear. There's much more visceral fear seeing the WTC collapse than watching a graphic on television trying to show how a buffer overflow worked on SCADA system. :)
The cyberterrorist threat is based upon the exposure of network systems and the motivation of the attacker. What is not taken into account in this threat description is the other, more reliable and severe options available to someone with the same resources and motives.
No, the cyberterrorist threat is a sensational concept based on FUD, ignorance, and hype....and believed to be true by the same politicos who think "Swordfish" was a realistic movie about INFOSEC. If we're going to say there are cyberterrorists, then we've got to start saying 0911 was the result of aeroterrorists. The manner in which the attack is carried out doesn't matter -- terrorism is terrorism is terrorism. As George Carlin might say, "there are no cyberterrorists." In this case, instead of accepting responsibility for our actions (or inactions) regarding INFOSEC, we point fingers at anyone else - such as phantom cyberterrorists - to avoid responsibility and accountability. It's nothing more than the latest version of Passing The Buck. We see INFOSEC incidents occur regularly because WE MAKE IT EASY FOR THEM TO OCCUR and thus BRING IT ON OURSELVES....either through poor management, bad system/network administration and design, or shoddy software. (BTW, I meant "we" in terms of the IT Society, not "we" meaning the experts here on NANOG!)
threat model, we can be relatively successful. However, some threats are best dealt with by limiting our assets exposure to them instead of building in safeguards whose reliability is inversely proportional to their complexity. :)
Which goes along with what I tell students at NDU each month -- if something's deemed a 'critical infrastructure system' (SCADA, banking, etc.) it should not be on any publicly-accessible network, and the higher costs associated with higher levels of security (eg, using dedicated, privately-owned pipes vice a VPN over the Internet) must be an acceptable and necessary part of the security solution. If something's deemed 'critical' to a large segment of the population, then security must NEVER outweigh conveinience. Period. Non-negotiable.
inherant administrative overhead of tracking them. The only defense against them is to keep your patch levels current, your firewalls strict, and watch until they get lazy and make a mistake.
Amen! This goes back to making sure system admins are competent, trained, and have the time to ensure these security functions are carried out. Unfortunately, I've found they spend most of their time hunting repeated problems in certain mainstream OS environments -- which means that PROACTIVE security routinely takes a back-burner to REACTING to the latest overflow, trojan, worm, or virus....or to a 'new' problem injected by the vendor-endorsed patches that allegedly fixed existing ones. Of course, while no OS is perfect, if our systems weren't built on such a flaky foundation, we'd have more time to work on securing them instead of just keeping them operational and somewhat less-annoying while simultaneously providing a self-inflicted target of opportunity for some n'er-do-well.
It does not matter who is watching if you are invisible. A sensor can only see what it is looking for. A hacker cannot be seen merely by looking.
Hence the need for intelligent network monitoring and pattern profiling, something I've been mulling over for a while now. /rant. :) Rick Infowarrior.org
In my last post when I said this:
If something's deemed 'critical' to a large segment of the population, then security must NEVER outweigh conveinience. Period. Non-negotiable.
I meant to say that security must ALWAYS outweigh convienience. My goof....guess I had too much NOG and not enough NAN at the party last night. :) Happy Holidays all - sorry 'bout the mixup. Rick Infowarrior.org
On Tue, 24 Dec 2002 10:26:09 EST, Richard Forno said:
In my last post when I said this:
If something's deemed 'critical' to a large segment of the population, then security must NEVER outweigh conveinience. Period. Non-negotiable. I meant to say that security must ALWAYS outweigh convienience.
My goof....guess I had too much NOG and not enough NAN at the party last night. :)
A case could be made that you had it right the first time, in that a "large segment" of the population cares less about security than they do about dancing hamsters, and that they'd designate the latter as "critical". Thus the sorry state of certain end-user software on 90% of the desktops. Happy Holidays! ;)
This is obviously a "great truth" - a statement whose opposite is also true. Regards and Best Wishes Marshall Eubanks On Tuesday, December 24, 2002, at 03:31 PM, Valdis.Kletnieks@vt.edu wrote:
On Tue, 24 Dec 2002 10:26:09 EST, Richard Forno said:
In my last post when I said this:
If something's deemed 'critical' to a large segment of the population, then security must NEVER outweigh conveinience. Period. Non-negotiable. I meant to say that security must ALWAYS outweigh convienience.
My goof....guess I had too much NOG and not enough NAN at the party last night. :)
A case could be made that you had it right the first time, in that a "large segment" of the population cares less about security than they do about dancing hamsters, and that they'd designate the latter as "critical". Thus the sorry state of certain end-user software on 90% of the desktops.
Happy Holidays! ;) <mime-attachment>
On Tue, 24 Dec 2002, Richard Forno wrote:
In my last post when I said this:
If something's deemed 'critical' to a large segment of the population, then security must NEVER outweigh conveinience. Period. Non-negotiable.
I meant to say that security must ALWAYS outweigh convienience.
Sigh, people are playing games with words to force false choices. Of course its negotiable because the act of defining something "critical" is a negotiation.
Just another opportunity to grab some funding. The two major events at our local facility the past year have been the result of drivers taking out major power poles on the street adjacent to the facility. One even ended up in the parking lot. UPS/gen sets worked as planned so little impact on customers but sure made it interesting for the staff. Beavis and Butthead are much more likely to cause mayhem than Osama or Mohamed. 9-11 proved that human engineering is much more effective than any technology. Just my 2¢ worth. Best regards, ______________________________ Al Rowland
Thus spake <Valdis.Kletnieks@vt.edu>
On Mon, 23 Dec 2002 13:26:16 EST, batz said:
The interjurisdictional administrative hell makes it more cost effective to just lock down your network than to re-enact The Cuckoos Egg.
Unfortunately, this is (or should be) part of the threat model. What makes you think that J Random Cyberterrorist is any stupider than the guys Stoll was chasing?
Whether they're smart or dumb is moot when there's 100+ human attacks (not [D]DoS) against your network every day, plus tens of thousands of worms. It's simply not possible to respond in any meaningful way. Even if you could track down each attacker, they are often in countries that don't consider hacking a crime and won't grant extradition. This is why many organizations (eg .MIL) try to filter non-US addresses. S
A White House spokesperson has already denied the report in the New York Times. Of course, the US Government is a big place. On Fri, 20 Dec 2002, Christopher L. Morrow wrote:
Sure, or they could ask carriers to tap lines for them silently... in fact they can do that today with a court order.
or "lawful authority" Information from the FBI http://www.askcalea.net/ Information from Cisco http://www.cisco.com/wwl/regaffairs/lawful_intercept/ Verisign already offers out-sourced, one-stop wiretapping for voice. http://www.verisign.com/telecom/products/network/netDiscovery.html One Connection to all LEAs Instead of maintaining multiple delivery connections from every switch to every LEA, carriers only need one connection to VeriSign, who in turn connects to LEA facilities. http://www.csoonline.com/csoresearch/report49.html CSO survey of nearly 800 senior security executives found that 24 percent were willing to share information about customers with law enforcement without a court order. If law enforcement agents claim that their investigation concerns national security, the percentage of executives willing to share information without a court order rises to 41 percent. http://www.ala.org/alaorg/oif/guidelineslibrary.html Librarians professional ethics require that personally identifiable information about library users be kept confidential. This principle is reflected in Article III of the Code of Ethics, which states that [librarians] protect each library users right to privacy and confidentiality with respect to information sought or received, and resources consulted, borrowed, acquired, or transmitted.
Also, if you want to monitor massive amounts of data (something people say can't be done easily) you just demux it using a device like those at www.toplayer.com, or http://www.radware.com/content/products/fire.asp . Both solutions are adequate for breaking up massive amounts of data.
I could write snort signatures that will trigger a session to be re-routed based on packet content. It's fugly, but if I can do it in my basement, a multi-billion dollar agency acting on behalf of the only global superpower can probably think up something a little more elegant. :)
The problem with this argument is you have to know exactly what you are looking for *before* the event. Foresight is almost never 20/20. How many times have we all encountered a variation of the following?: 1. Get a call from an FBI agent (or insert any other gov't agency) 2. Play phone tag for a week. 3. Finally get each other on the phone. 4. Special Agent So&so requests a log file or packet trace from X months ago. The value of X usually = 6 months or more. Only when it was a murder case have I seen a request come in under 3 months. 5. Laugh and say... "OK, we'll try." 6. Dig and Dig... if lucky, find a 200+ megabyte log file. 7. Call agent back, offer to FTP/burn to a CD and send. 8. Agent replies: "Can you look at it for us, we are real busy." 9. Reply: "Uh... so are we, we'll let you know if we have a minute..." 10. Lather, rinse, repeat. I have personally had this exact scenario play out four times so far in 2002. That said, the way we have chosen to empower our government to act is as a tool of justice (after the act), not prevention. I have no problem with that setup, and really don't like the 'shoot first, ask later" direction drift of the current administration. Too many packets, not enough time, too many cooks in the government's kitchen all looking over their shoulders at all the *other* cooks and closely guarding their little corner of counter space and utensils. Nothing to see, carry on... --chuck <insert ironic sig>.... -- ____________________________________________________________ Were there mistakes? Yes. Only those who don't act don't make mistakes. But to organize well --- *that* is a difficult task. -- Lenin, April 24, 1917
participants (14)
-
Al Rowland -
batz -
Christopher L. Morrow -
Christopher X. Candreva -
chuck goolsbee -
David Lesher -
Haesu -
Marshall Eubanks -
Richard Forno -
Richard Irving -
Sean Donelan -
Stephen Sprunk -
Valdis.Kletnieks@vt.edu -
Wayne E. Bouchard