Re: Death of the Internet, Film at 11
And then what? The labor to clean up this mess is not free. Whose responsibility is it? The grandma who got a webcam for Christmas to watch the squirrels? The ISP?... No... The vendor? What if the vendor had released a patch to fix the issue months back, and grandma hadn't installed it?
Making grandma and auntie Em responsible for the IT things in their house is likely not going to go well.
Making the vendor responsible might work for the reputable ones to a point, but won't work for the fly by night shops that will sell the same products under different company names and model names until they get sued or "one starred" into oblivion. Then they just change names and start all over.
The ISPs won't do it because of the cost to fix... The labor and potential loss of customers.
So once identified, how do you suggest this gets fixed?
On Oct 22, 2016 5:11 PM, "Mark Andrews" <marka@isc.org> wrote:
One way to deal with this would be for ISPs to purchase DoS attacks against their own servers (not necessarily hosted on your own network) then look at which connections from their network are attacking these machines then quarantine these connections after a delay period so that attacks can't be correlated with quarantine actions easily.
This doesn't require an ISP to attempt to break into a customer's machine to identify them. It may take several runs to identify most of the connections associated with a DoS provider.
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
The person who owns the internet connection still has responsibility for what happens on it. So if the owners are educated to select reputable brands in order to prevent themselves from being implicated in a DDoS and liable for a fine or some other punitive thing, they 'vote with their feet' and the fly-by-nighters suddenly lose a chunk of marketshare, unless they up their game? I'm as sympathetic to Aunty Em and Grandma as the next I-started-on-a-helpdesk guys, but 'you get what you pay for' applies here as much as it does everywhere else...? On 23/10/2016 11:22 a.m., Josh Reynolds wrote:
And then what? The labor to clean up this mess is not free. Whose responsibility is it? The grandma who got a webcam for Christmas to watch the squirrels? The ISP?... No... The vendor? What if the vendor had released a patch to fix the issue months back, and grandma hadn't installed it?
Making grandma and auntie Em responsible for the IT things in their house is likely not going to go well.
Making the vendor responsible might work for the reputable ones to a point, but won't work for the fly by night shops that will sell the same products under different company names and model names until they get sued or "one starred" into oblivion. Then they just change names and start all over.
The ISPs won't do it because of the cost to fix... The labor and potential loss of customers.
So once identified, how do you suggest this gets fixed?
*snip*
I wish you luck with your plan, and please subscribe me to your newsletter in digest format. On Oct 22, 2016 5:32 PM, "Mark Foster" <blakjak@blakjak.net> wrote:
The person who owns the internet connection still has responsibility for what happens on it.
So if the owners are educated to select reputable brands in order to prevent themselves from being implicated in a DDoS and liable for a fine or some other punitive thing, they 'vote with their feet' and the fly-by-nighters suddenly lose a chunk of marketshare, unless they up their game?
I'm as sympathetic to Aunty Em and Grandma as the next I-started-on-a-helpdesk guys, but 'you get what you pay for' applies here as much as it does everywhere else...?
On 23/10/2016 11:22 a.m., Josh Reynolds wrote:
And then what? The labor to clean up this mess is not free. Whose responsibility is it? The grandma who got a webcam for Christmas to watch the squirrels? The ISP?... No... The vendor? What if the vendor had released a patch to fix the issue months back, and grandma hadn't installed it?
Making grandma and auntie Em responsible for the IT things in their house is likely not going to go well.
Making the vendor responsible might work for the reputable ones to a point, but won't work for the fly by night shops that will sell the same products under different company names and model names until they get sued or "one starred" into oblivion. Then they just change names and start all over.
The ISPs won't do it because of the cost to fix... The labor and potential loss of customers.
So once identified, how do you suggest this gets fixed?
*snip*
In message <CAC6=tfYKBWBXMFHJo617q_qOMuOjEtoTDGK2pepfrMw3CybFuw@mail.gmail.com> , Josh Reynolds writes:
And then what?
They get in someone to clean up their network. When they say it is clean you reconnect them. If this happens more often than once a year you charge them a month's fees per additional incident. Have the year timer start when reconnect is requested. You give them what data you have to back up the claim.
The labor to clean up this mess is not free. Whose responsibility is it? The grandma who got a webcam for Christmas to watch the squirrels? The ISP?... No... The vendor? What if the vendor had released a patch to fix the issue months back, and grandma hadn't installed it?
Making grandma and auntie Em responsible for the IT things in their house is likely not going to go well.
Making the vendor responsible might work for the reputable ones to a point, but won't work for the fly by night shops that will sell the same products under different company names and model names until they get sued or "one starred" into oblivion. Then they just change names and start all over.
The ISPs won't do it because of the cost to fix... The labor and potential loss of customers.
So once identified, how do you suggest this gets fixed?
On Oct 22, 2016 5:11 PM, "Mark Andrews" <marka@isc.org> wrote:
One way to deal with this would be for ISPs to purchase DoS attacks against their own servers (not necessarily hosted on your own network) then look at which connections from their network are attacking these machines then quarantine these connections after a delay period so that attacks can't be correlated with quarantine actions easily.
This doesn't require an ISP to attempt to break into a customer's machine to identify them. It may take several runs to identify most of the connections associated with a DoS provider.
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
One sec, starting a relationship with $CPEvendor... I'll let you know how this goes. "Yes, every customer I went to had malware. That's okay, right?" ;) On Oct 22, 2016 5:56 PM, "Mark Andrews" <marka@isc.org> wrote:
In message <CAC6=tfYKBWBXMFHJo617q_qOMuOjEtoTDGK2pepfrMw3CybFuw@mail.gmail.com> , Josh Reynolds writes:
And then what?
They get in someone to clean up their network. When they say it is clean you reconnect them. If this happens more often than once a year you charge them a month's fees per additional incident. Have the year timer start when reconnect is requested. You give them what data you have to back up the claim.
The labor to clean up this mess is not free. Whose responsibility is it? The grandma who got a webcam for Christmas to watch the squirrels? The ISP?... No... The vendor? What if the vendor had released a patch to fix the issue months back, and grandma hadn't installed it?
Making grandma and auntie Em responsible for the IT things in their house is likely not going to go well.
Making the vendor responsible might work for the reputable ones to a point, but won't work for the fly by night shops that will sell the same products under different company names and model names until they get sued or "one starred" into oblivion. Then they just change names and start all over.
The ISPs won't do it because of the cost to fix... The labor and potential loss of customers.
So once identified, how do you suggest this gets fixed?
On Oct 22, 2016 5:11 PM, "Mark Andrews" <marka@isc.org> wrote:
One way to deal with this would be for ISPs to purchase DoS attacks against their own servers (not necessarily hosted on your own network) then look at which connections from their network are attacking these machines then quarantine these connections after a delay period so that attacks can't be correlated with quarantine actions easily.
This doesn't require an ISP to attempt to break into a customer's machine to identify them. It may take several runs to identify most of the connections associated with a DoS provider.
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
So once identified, how do you suggest this gets fixed?
Assuming these manufacturers who are culpable carry product liability insurance, go to their insurance companies and explain the situation.
Better would be someone launching a product liability lawsuit against one of them but it's not necessary, ins cos work on projections and probabilities as much as being reactive.
The insurance companies will likely re-assess their risk on these policies and inform the manufacturers of any adjustment in premiums.
If the premiums are adjusted up significantly the manufacturers will sit down with the ins cos and try to determine what needs to be improved in their product to bring premiums back down.
Look at what Samsung just went thru with the Note 7. I'd imagine their product liability insurance premiums took a big hit. Even if they're self-insured they have to treat that as a cost center and make sure sufficient money to pay claims is going into that cost center.
It's a button to push, so to speak, and has been successful many times in the past (cars, worker exposure to health hazards, etc.)
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
Sure, let's sue people because they put too many/bad packets/packets I don't like on the internet. Do you think this will really solve the problem? Do you think we'll not just all end up with internet prices like US medical care prices? On Sun, Oct 23, 2016 at 4:41 PM, <bzs@theworld.com> wrote:
So once identified, how do you suggest this gets fixed?
Assuming these manufacturers who are culpable carry product liability insurance, go to their insurance companies and explain the situation.
Better would be someone launching a product liability lawsuit against one of them but it's not necessary, ins cos work on projections and probabilities as much as being reactive.
The insurance companies will likely re-assess their risk on these policies and inform the manufacturers of any adjustment in premiums.
If the premiums are adjusted up significantly the manufacturers will sit down with the ins cos and try to determine what needs to be improved in their product to bring premiums back down.
Look at what Samsung just went thru with the Note 7. I'd imagine their product liability insurance premiums took a big hit. Even if they're self-insured they have to treat that as a cost center and make sure sufficient money to pay claims is going into that cost center.
It's a button to push, so to speak, and has been successful many times in the past (cars, worker exposure to health hazards, etc.)
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
I'm not sure who you mean when you say "people". My reference was to manufacturers of IoT devices only.
But as I said in the note which you quoted, lawsuits might be helpful but aren't necessary. One just has to get underwriters of the manufacturers' product liability insurance to acknowledge they have not fully assessed future financial risks of those policies.
Since manufacturers probably won't like those new increased premiums, and it's within their control to improve the potential product liability and get their insurance premiums lowered, they would likely respond by improving their product (i.e. security.)
Put in simple terms, if your auto insurance company told you your annual premiums are going up because your tires are bad (whatever) you might consider getting new tires, particularly if the net cost (increased premiums year after year vs cost of tires) was positive to you.
Please for the love of all that is sane and reasonable don't quibble about tires and insurance. If you have a pile of fire-prone materials near your house, no railings on steps, whatever, you're likely to prioritize fixing that if your premiums go up sufficiently.
Since manufacturers have huge multipliers (number of devices, number of potential liability claims) this sort of approach can and has been effective.
On October 23, 2016 at 16:46 deleskie@gmail.com (jim deleskie) wrote:
Sure, let's sue people because they put too many/bad packets/packets I don't like on the internet. Do you think this will really solve the problem? Do you think we'll not just all end up with internet prices like US medical care prices?
On Sun, Oct 23, 2016 at 4:41 PM, <bzs@theworld.com> wrote:
So once identified, how do you suggest this gets fixed?
Assuming these manufacturers who are culpable carry product liability insurance, go to their insurance companies and explain the situation.
Better would be someone launching a product liability lawsuit against one of them but it's not necessary, ins cos work on projections and probabilities as much as being reactive.
The insurance companies will likely re-assess their risk on these policies and inform the manufacturers of any adjustment in premiums.
If the premiums are adjusted up significantly the manufacturers will sit down with the ins cos and try to determine what needs to be improved in their product to bring premiums back down.
Look at what Samsung just went thru with the Note 7. I'd imagine their product liability insurance premiums took a big hit. Even if they're self-insured they have to treat that as a cost center and make sure sufficient money to pay claims is going into that cost center.
It's a button to push, so to speak, and has been successful many times in the past (cars, worker exposure to health hazards, etc.)
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
On Oct 23, 2016, at 16:26, bzs@TheWorld.com wrote:
I'm not sure who you mean when you say "people". My reference was to manufacturers of IoT devices only.
The users are not going to be able to help. You're right, it's all about the manufacturers. If you can remove or reduce profits enough where it matters, it will help tremendously. I spent an hour looking through the IEEE standards RA pattern searching mac addrs thinking about mitigation techniques and doing random lookups of the registrants. These attacks are the canary in the coal mine in terms of what is probably coming. Best, -M<
On October 23, 2016 at 17:14 hannigan@gmail.com (Martin Hannigan) wrote:
On Oct 23, 2016, at 16:26, bzs@TheWorld.com wrote:
I'm not sure who you mean when you say "people". My reference was to manufacturers of IoT devices only.
The users are not going to be able to help. You're right, it's all about the manufacturers. If you can remove or reduce profits enough where it matters, it will help tremendously.
I spent an hour looking through the IEEE standards RA pattern searching mac addrs thinking about mitigation techniques and doing random lookups of the registrants.
That's a good idea particularly in terms of not letting this stuff out. For example one could imagine a patch to DSL, cable, and similar last mile equipment to rate limit, perhaps flag etc, packets from known vulnerable MAC ID ranges if they can be identified. That'd be relatively cheap and easy.
These attacks are the canary in the coal mine in terms of what is probably coming.
Oh yeah...that code is out there.
-- -Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*
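Barry's suggestion above of rate limiting or flagging traffic from known vulnerable MAC ranges at the last-mile box, combined with Martin's IEEE RA lookups, as an added Python example that is not code from the thread or from any participant: it parses constructed DHCP lease lines, normalizes the MAC formats an aggregation device might log, and does a longest-prefix match against a watchlist of IEEE Registration Authority blocks. The watchlist blocks, vendor labels and lease-line format are all constructed placeholders, not real vendor assignments.

```python
import re
from typing import Dict, List, Optional, Tuple

# Watchlist of IEEE Registration Authority blocks as (hex prefix, prefix bits).
# The IEEE RA assigns 24-bit (MA-L, the classic OUI), 28-bit (MA-M) and 36-bit
# (MA-S) blocks; MA-M/MA-S blocks are carved out of an OUI the RA keeps for
# itself, so a naive "first three octets" lookup attributes an MA-S device to
# the shared parent block.  Matching therefore has to be longest-prefix.
# Every value below is a CONSTRUCTED placeholder, not a real vendor assignment.
WATCHLIST: Dict[Tuple[int, int], str] = {
    (0xD0E1F2, 24): "placeholder-dvr-vendor (MA-L)",
    (0xC4A5B6C, 28): "placeholder-cam-vendor (MA-M)",
    (0x8C9DAE, 24): "placeholder-parent-block (MA-L)",
    (0x8C9DAEBF0, 36): "placeholder-iot-vendor (MA-S)",
}

_HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")
# Constructed lease-log format: "lease <ip> mac <mac> port <access-port>".
_LEASE_RE = re.compile(r"^lease\s+(\S+)\s+mac\s+(\S+)\s+port\s+(\S+)")


def normalize_mac(raw: str) -> Optional[int]:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return the 48-bit value, or None if the field is not a MAC at all."""
    digits = re.sub(r"[:\-.]", "", raw.strip())
    if not _HEX12.match(digits):
        return None
    return int(digits, 16)


def is_locally_administered(mac: int) -> bool:
    """The 0x02 bit of the first octet marks an address not allocated by the
    IEEE RA (randomized or admin-set MACs).  Such addresses carry no vendor
    information, so they must never be matched against the watchlist."""
    return bool((mac >> 40) & 0x02)


def lookup_block(mac: int) -> Optional[Tuple[str, int]]:
    """Longest-prefix match of a 48-bit MAC against WATCHLIST; returns the
    (label, prefix_bits) of the most specific block, or None."""
    if is_locally_administered(mac):
        return None
    best: Optional[Tuple[str, int]] = None
    for (prefix, bits), label in WATCHLIST.items():
        if (mac >> (48 - bits)) == prefix and (best is None or bits > best[1]):
            best = (label, bits)
    return best


def flag_leases(lines: List[str]) -> List[dict]:
    """Return one decision per lease whose MAC hits the watchlist: a broad
    24-bit hit only gets 'flag' (a parent block is shared by unrelated MA-S
    holders), while a specific MA-M/MA-S hit gets 'rate-limit'."""
    decisions = []
    for line in lines:
        m = _LEASE_RE.match(line)
        if not m:
            continue  # not a lease record; skip rather than crash on noise
        ip, raw_mac, port = m.groups()
        mac = normalize_mac(raw_mac)
        if mac is None:
            continue
        hit = lookup_block(mac)
        if hit is None:
            continue
        label, bits = hit
        decisions.append({"ip": ip, "mac": raw_mac, "port": port,
                          "block": label,
                          "action": "rate-limit" if bits > 24 else "flag"})
    return decisions


# Constructed sample lease lines; the addresses are not real customers.
SAMPLE_LEASES = [
    "lease 10.0.0.11 mac d0:e1:f2:aa:bb:cc port dsl/3/17",   # MA-L hit -> flag
    "lease 10.0.0.12 mac c4a5.b6c7.d8e9 port dsl/3/18",      # MA-M hit -> rate-limit
    "lease 10.0.0.13 mac 8c-9d-ae-bf-01-23 port cable/1/4",  # MA-S beats parent block
    "lease 10.0.0.14 mac 8c:9d:ae:00:00:01 port cable/1/5",  # parent block only -> flag
    "lease 10.0.0.15 mac d2:e1:f2:33:44:55 port dsl/3/19",   # locally administered
    "lease 10.0.0.16 mac 3c:aa:bb:cc:dd:ee port dsl/3/20",   # not on the watchlist
    "garbage line that is not a lease",
]

if __name__ == "__main__":
    for rec in flag_leases(SAMPLE_LEASES):
        print(rec)
```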
On 2016-10-23 15:46, jim deleskie wrote:
Sure, let's sue people because they put too many/bad packets/packets I don't like on the internet. Do you think this will really solve the problem? Do you think we'll not just all end up with internet prices like US medical care prices?
If this were to get to a court of law, would there be proof that products from Axis IP Camera Inc or Panasonic or even Xerox Printers were (partly) responsible for the attack? Won't they deflect this to trying to find those who hacked their products? Won't they deflect this to owners who did not secure their networks from inbound telnet? And do those units really declare their port 23 to the NAT router via UPnP? That is really really stupid.
One problem with consumer goods is lack of documentation and support. A couple of years back, I got a very early Smart RG DSL modem specially modified to work on Bell Canada's non-standard VDSL DSLAMs. No instruction manual, no documentation. I found a number of bugs in the software, and sent a lengthy email to document them. As an early adopter, I wanted to help the company fix those before wider deployment. (And yes, the units have a command line, and from the command line you can get into a Linux shell.)
The response I got: Unless you sign a contract with one of our distributors, you cannot report bugs.
Unfortunately, this appears to be widespread with consumer goods vendors who sell sophisticated devices without documentation or support.
On Sun, Oct 23, 2016 at 12:41 PM, <bzs@theworld.com> wrote:
Assuming these manufacturers who are culpable carry product liability insurance, go to their insurance companies and explain the situation.
Cheaper solution: Start a company, build crappy firmware, carry product liability insurance, release the product, immediately sell millions of units to various vendors that 'rebrand' your product. Close your business / go out of business. Wait for lawsuits to roll in after the business has been shut down. -A
A few tidbits of information from:
http://www.networkworld.com/article/3134035/chinese-firm-admits-its-hacked-p...
Chinese firm admits its hacked products were behind Friday's massive DDOS attack
Hangzhou Xiongmai Technology, a vendor behind DVRs and internet-connected cameras, said on Sunday that security vulnerabilities involving weak default passwords in its products were partly to blame.
...
Because these devices have weak default passwords and are easy to infect, Mirai has been found spreading to at least 500,000 devices, according to internet backbone provider Level 3 Communications.
...
Xiongmai says it patched the flaws with its products in September 2015 and its devices now ask the customer to change the default password when used for the first time. But products running older versions of the firmware are still vulnerable. To stop the Mirai malware, Xiongmai is advising that customers update their product's firmware and change the default username and passwords to them. Customers can also disconnect the products from the internet.
## Note: the company's web site does not (yet) show a press release. Appears the information was sent to IDG via email.
Aaron C. de Bruyn via NANOG <nanog@nanog.org>:
On Sun, Oct 23, 2016 at 12:41 PM, <bzs@theworld.com> wrote:
Assuming these manufacturers who are culpable carry product liability insurance, go to their insurance companies and explain the situation.
Cheaper solution: Start a company, build crappy firmware, carry product liability insurance, release the product, immediately sell millions of units to various vendors that 'rebrand' your product. Close your business / go out of business. Wait for lawsuits to roll in after the business has been shut down.
-A
For anyone who thinks this is a hypothetical, the market for consumer-grade GPSes already works this way -- though, not for liability reasons in quite the same sense. The issue in GPS-land is blocking patents and other IP. Fly-by-night GPS vendors with 60-to-90-day life cycles keep a lot of Shenzhen shops busy.
-- Eric S. Raymond <http://www.catb.org/~esr/>
In message <CAC6=tfYKBWBXMFHJo617q_qOMuOjEtoTDGK2pepfrMw3CybFuw@mail.gmail.com> Josh Reynolds <josh@kyneticwifi.com> wrote:
And then what? The labor to clean up this mess is not free... ... The ISPs won't do it because of the cost to fix... The labor and potential loss of customers.
Yes, and yes.
Unfortunately, the economics of the current situation are rather clearly and rather sadly broken. And I feel sure that the same "cost" arguments were also advanced, in the 1970s, against the Clean Air Act and the Clean Water Act. More recently, I'm also fairly sure that banks have pushed back strongly against anti money-laundering regulations, based on similar or identical "cost and loss of customers" arguments.
Nonetheless, government regulation in these areas has advanced, and has resulted in a salutary leveling of the playing field. All players in the affected industries must comply, and thus none can undercut the others by reducing their costs, in a relentless race to the bottom, by simply shirking their social responsibilities. And since all players across an industry must bear the same costs, all should find it equally possible to pass along these costs to their respective customer bases. (This answers the question of who is going to pay to clean up this whole mess we call the Internet.)
To those who would advance the argument that government regulation simply will not work and/or that such is not actually possible on a globally dispersed Internet, I would only note that essentially the same concerns, issues and arguments apply equally to the globally interconnected banking system, and that although there still remain major challenges, mostly now isolated to a few specific locales, the global fight against money laundering has made impressive advances in recent years, and continues to make steady progress. I cite this fact simply to point out that globally interconnected industries are not inherently immune to prudent cross-border regulation in the interests of the common good.
Given the Internet industry's abject, long-standing, and ongoing near total abdication of any responsibility for even a modicum of self-regulation, I, for one, look forward to the Clean Internet Act, whenever that may arrive.
Regards,
Ronald F. Guilmette (DDoS'd off the Internet, to little or no public fanfare, 2003)