RE: White House to Propose System for Wide Monitoring of Internet(fwd) err, make that (fud)

2002-12-24 Thread Al Rowland

Just another opportunity to grab some funding. The two major events at
our local facility the past year have been the result of drivers taking
out major power poles on the street adjacent to the facility. One even
ended up in the parking lot. UPS/gen sets worked as planned so little
impact on customers but sure made it interesting for the staff.

Beavis and Butthead are much more likely to cause mayhem than Osama or
Mohamed. 9-11 proved that human engineering is much more effective than
any technology.

Just my 2¢ worth.

Best regards,
__
Al Rowland





Re: White House to Propose System for Wide Monitoring of Internet (fwd)

2002-12-23 Thread Valdis . Kletnieks
On Mon, 23 Dec 2002 13:26:16 EST, batz said:

 You will miss script kids that bounce all over their compromised 
 machines around the world, but even if you collected all the information
 about those attacks, there is little value in tracking them down anyway.
 The interjurisdictional administrative hell makes it more cost 
 effective to just lock down your network than to re-enact The Cuckoo's 
 Egg.

Unfortunately, this is (or should be) part of the threat model. What makes
you think that J Random Cyberterrorist is any stupider than the guys Stoll
was chasing?
-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech






Re: White House to Propose System for Wide Monitoring of Internet (fwd)

2002-12-23 Thread Stephen Sprunk

Thus spake [EMAIL PROTECTED]
 On Mon, 23 Dec 2002 13:26:16 EST, batz said:
  The interjurisdictional administrative hell makes it more cost
  effective to just lock down your network than to re-enact The Cuckoo's
  Egg.

 Unfortunately, this is (or should be) part of the threat model. What
 makes you think that J Random Cyberterrorist is any stupider than
 the guys Stoll was chasing?

Whether they're smart or dumb is moot when there's 100+ human attacks (not
[D]DoS) against your network every day, plus tens of thousands of worms.
It's simply not possible to respond in any meaningful way.

Even if you could track down each attacker, they are often in countries that
don't consider hacking a crime and won't grant extradition.  This is why
many organizations (eg .MIL) try to filter non-US addresses.

S




Re: White House to Propose System for Wide Monitoring of Internet(fwd)

2002-12-23 Thread batz

On Sat, 21 Dec 2002, Christopher L. Morrow wrote:

Regarding CenterTrack: 
:
:it's not that they misinterpreted, it's that it's NOT EVER been implemented.

I am content to believe you. However, that CenterTrack has never been 
implemented does not mean that a system for collecting IP session data
has never been implemented. This further suggests that automated 
law enforcement access is also not impossible, which was my 
original point. 

:Ok, so lets say you wanted to IDS the 'internet' or 'any large ISP'
:(Verio/UU/AOL/ATT/Sprint... make your list) there is little gig-e to
:monitor, a lot of oc-12/48/192. There isn't an IDS that can truly monitor
:a oc-12 yet, never mind multipath oc-12's (dual/tri/quad paths in the same
:box)

Anyone with that size link could be deemed carrier class and be 
compelled to install monitoring equipment within their network. 
Though admittedly I don't think it's useful to speculate on 
the legislative could's. 

:Hmm, actually it is pretty darned simple, no-export+no-advertise do this
:for you quickly, then trigger when you want to watch paul vixie's hotmail
:activities... simple enough really. This gets back to distributing
:'sensors' to each pop, on each carrier and having dedicated ports on
:routers to support this... This seems like a very large cost to bear, more
:than 'cost of doing business'.

Those costs of doing business can be regulated, which it looks like
they just might be. Same as the whole PEN register thing for telcoms. 

Also, if you have an existing IDS infrastructure, it is not difficult
to add this kind of LEO-access to it. It is as simple as giving them 
a view of your security management console. 

:all of these vendors provide products capable of this kind of
:'surveillance', whether or not thats the touted talking point or not, each
:can provide this 'surveillance'.

At least one of the vendors you listed does in fact tout the products
surveillance features, at least during their sales pitch. 

The funny thing in my biz (IT security) is that I think it's the only 
one where people sell things by not saying what they can be used for. 
They nod meaningfully while saying that they can't really say just 
what it is that people use it for. Customers think "Wow, I've never 
even heard of this, and the sales guy won't even tell me what it 
does, it *must* be valuable beyond imagination!". To hear them tell 
it, it's as if they are selling a turnkey blackbox ROI Generator, 
which uses top secret military technology that leverages dynamic 
security policies. 

Before there was carnivore, law enforcement got access to network
data, and I have a few anecdotal accounts of how this was done.  
There is no reason why LEA's couldn't ask ISP's to permanently 
integrate this access into their networks.  

-- 
batz




Re: White House to Propose System for Wide Monitoring of Internet(fwd)

2002-12-23 Thread Richard Forno


 Also, this threat can be mitigated more cost effectively through
 system and network hardening than by expanding the monitoring
 infrastructure to be able to handle such a difficult to
 codify threat (in any general sense).

I agree totally. However, it's unglamorous, and not as sexy of an
announcement - or as cool looking - as saying the Federal UberSOC is on its
way.  But it's Uncle Sam doing what he does best - reinventing a
less-capable wheel at a higher cost.

 Cyberattacks (again IMHO) are still in the realm of being opportunistic,
 as we have seen that given as little as $5-10,000, the resources necessary
 to reliably cause widespread damage are better spent on a plane ticket than
 a hacker.  

Definitely agree - 0911 was done for under $150K according to some reports,
and if you think about it, the terrorists got a heck of a return for their
investment, far more than they could hope to achieve in a 'cyberwar' attack.

The motive of terrorism is to sow fear. There's much more visceral fear
seeing the WTC collapse than watching a graphic on television trying to show
how a buffer overflow worked on SCADA system.  :)

 The cyberterrorist threat is based upon the exposure of network systems
 and the motivation of the attacker. What is not taken into account in
 this threat description is the other, more reliable and severe options
 available to someone with the same resources and motives.

No, the cyberterrorist threat is a sensational concept based on FUD,
ignorance, and hype... and believed to be true by the same politicos who
think Swordfish was a realistic movie about INFOSEC.

If we're going to say there are cyberterrorists, then we've got to start
saying 0911 was the result of aeroterrorists. The manner in which the attack
is carried out doesn't matter -- terrorism is terrorism is terrorism.

As George Carlin might say, there are no cyberterrorists.

In this case, instead of accepting responsibility for our actions (or
inactions) regarding INFOSEC, we point fingers at anyone else - such as
phantom cyberterrorists - to avoid responsibility and accountability. It's
nothing more than the latest version of Passing The Buck.  We see INFOSEC
incidents occur regularly because WE MAKE IT EASY FOR THEM TO OCCUR and thus
BRING IT ON OURSELVES... either through poor management, bad system/network
administration and design, or shoddy software. (BTW, I meant we in terms
of the IT Society, not we meaning the experts here on NANOG!)

 threat model, we can be relatively successful. However, some threats
 are best dealt with by limiting our assets exposure to them instead of
 building in safeguards whose reliability is inversely proportional to
 their complexity. :)

Which goes along with what I tell students at NDU each month -- if
something's deemed a 'critical infrastructure system' (SCADA, banking, etc.)
it should not be on any publicly-accessible network, and the higher costs
associated with higher levels of security (eg, using dedicated,
privately-owned pipes vice a VPN over the Internet) must be an acceptable
and necessary part of the security solution.

If something's deemed 'critical' to a large segment of the population, then
security must NEVER outweigh convenience. Period. Non-negotiable.

 inherent administrative overhead of tracking them. The only
 defense against them is to keep your patch levels current, your
 firewalls strict, and watch until they get lazy and make a mistake.

Amen!  This goes back to making sure system admins are competent, trained,
and have the time to ensure these security functions are carried out.
Unfortunately, I've found they spend most of their time hunting repeated
problems in certain mainstream OS environments -- which means that PROACTIVE
security routinely takes a back-burner to REACTING to the latest overflow,
trojan, worm, or virus... or to a 'new' problem injected by the
vendor-endorsed patches that allegedly fixed existing ones.

Of course, while no OS is perfect, if our systems weren't built on such a
flaky foundation, we'd have more time to work on securing them instead of
just keeping them operational and somewhat less-annoying while
simultaneously providing a self-inflicted target of opportunity for some
ne'er-do-well.

 It does not matter who is watching if you are invisible. A
 sensor can only see what it is looking for. A hacker cannot
 be seen merely by looking.

Hence the need for intelligent network monitoring and pattern profiling,
something I've been mulling over for a while now.


/rant.   :)

Rick
Infowarrior.org









Re: White House to Propose System for Wide Monitoring of Internet(fwd)

2002-12-22 Thread Sean Donelan

On Fri, 20 Dec 2002, batz wrote:
 Let's say you have an IDS load balancer sitting on a GigE span
 port with a few sensors watching everything go by.  If an alert is
 triggered, a script is executed which goes out to the router closest
 to the origin of the session and initiates the overlaid tunnel.

On any major backbone the IDS function becomes

void GlobalIDSFunction() {
    while (1) {
        printf("Attack Detected!\n");
    }
}

Do you really want an automatic wiretap installed on your line
every time an attack is detected?  Have you recently connected a
system to the Internet that hasn't been attacked?




Re: Fw: Re: White House to Propose System for Wide Monitoring of Internet (fwd)

2002-12-21 Thread blitz

BRAVO FRED! You encapsulated this well... now it's up to us.
The bureaucracy is bound to forge ahead in establishing the police state; 
we do NOT have to help them...


At 14:30 12/20/02 -0800, you wrote:

I have restrained from saying this so far but... I told you so.

When I attended the Oakland NANOG in October 2001, I had just
returned from Washington DC.  The trip originally was for my
brother's wedding but I extended it for some personal lobbying on
the so-called USA PATRIOT bill as it rushed through the process,
having not one single public hearing in either the House or Senate.

During that time I was continually in contact with the very
knowledgeable staff at CDT, EFF and an attorney who is a recognized
expert on Fourth Amendment search and seizure law and the 1996 AEDPA
anti-terrorism law that laid the groundwork for Patriot.

As a USENIX member and NANOG participant, I had more insight into
the practical effect of the sweeping proposals in Patriot on actual
net operations than the attorneys did.  I realized that the Patriot
law, when passed, would sooner or later entangle network operators in
crucial decisions affecting the ability of ordinary users to traverse
the net freely as we have always done.

I did my best to alert my Oregon congressional delegation to these
issues, in personal meetings with their staff on Capitol Hill the
first week of October.  I've got a lot of background in lobbying but
found this very hard to do.  Bridging the gap between communications
and security policy and operational reality is a difficult matter at
best.  But still, we have to try.

At the Oakland NANOG, following meeting procedure, I sent an email
query requesting some discussion of the implications of the Patriot
bill, which ended up passing late in the month, and received a polite
but firm reply from Susan Harris: this was beyond the scope of NANOG.

I begged to differ then, and now I suggest that we all give serious
thought to the implications that increasing and direct government
intervention in the operation of the Net is starting to have.

We all want security, but security without liberty runs contrary to
the founding principles of the United States.  And as Bruce Schneier
has emphatically pointed out, security is a process not a product,
whether it's a firewall or Total Information Awareness.  Avi Rubin
observes the issue is not that the potential already exists to do
great damage with the Internet.  With the advent of ever more potent
attacks, from ordinary worms and viruses to Code Red and Nimda to
root server DDOS and beyond, that is not disputed.  The question is
why this capability is not used more often.

The restraint from using technology for its maximum destructive
potential is the social bonds that we have as human beings.  The
great benefit of the Internet is that it helps strengthen those
bonds, improve our planetary communications, and at its best help
us collectively address the issues our societies face.

If we do not have the maximum freedom to use the net for those
purposes, free of government interference and arbitrary control
wherever possible, but consistent with *reasoned and reasonable*
security measures, our security will instead be undermined in the
long run.

That is why the approach and attitude of network operators makes
a difference.  It mattered at the time of the Oakland NANOG, and it
matters now.  Perhaps NANOG is not the organizational locale to work
these issues out, although I could see it being so.  But a coherent
response to increasing intrusion of governmental policy on network
operations needs to happen, one way or another.

You might say, it's not my job to make policy.  And that may be
true.  It's not a branch librarian or circulation manager's job to
make policy either, but they all belong to the American Library
Association, which has emerged as an effective champion of real
security and real freedom on the Internet, because they are
committed to the principle that their primary obligation is to the
users of library services.  I believe network operators should,
and do, take very seriously their primary obligation to the users
of Internet services.

So I ask my friends in this organization NANOG whose purpose and
work I, a mere net user, greatly admire, to consider this question
with the greatest thoroughness.  When the government (whichever one,
not just the US) comes knocking and asking you to do something that
restricts the freedom of net users, what will you do?  When those
in your organization who set policy come asking what it will cost
and what it will mean to users to do what the government wants, what
will you say?

I don't mean to place the entire burden on the shoulders of NANOG
and its members.  But I do think it's important to consider the
obligations that all of us, who have some in-depth knowledge of
how the Internet *really* works, have to the users of the Internet,
which will ultimately be every last one of us on the planet.

thanks,

Fred


Re: White House to Propose System for Wide Monitoring of Internet (fwd)

2002-12-21 Thread chuck goolsbee


Also, if you want to monitor massive amounts of data (something
people say can't be done easily) you just demux it using a device
like those at www.toplayer.com, or
http://www.radware.com/content/products/fire.asp .
Both solutions are adequate for breaking up massive amounts
of data.

I could write snort signatures that will trigger
a session to be re-routed based on packet content. It's fugly,
but if I can do it in my basement, a multi-billion dollar
agency acting on behalf of the only global superpower can
probably think up something a little more elegant. :)


The problem with this argument is you have to know exactly what you 
are looking for *before* the event. Foresight is almost never 20/20.

How many times have we all encountered a variation of the following?:

1. Get a call from an FBI agent (or insert any other gov't agency)
2. Play phone tag for a week.
3. Finally get each other on the phone.
4. Special Agent Soso requests a log file or packet trace from X months ago.
	The value of X usually = 6 months or more.
	Only when it was a murder case have I seen a request
	come in under 3 months.
5. Laugh and say... OK, we'll try.
6. Dig and Dig... if lucky, find a 200+ megabyte log file.
7. Call agent back, offer to FTP/burn to a CD and send.
8. Agent replies: Can you look at it for us, we are real busy.
9. Reply: Uh... so are we, we'll let you know if we have a minute...
10. Lather, rinse, repeat.


I have personally had this exact scenario play out four times so far in 2002.

That said, the way we have chosen to empower our government to act is 
as a tool of justice (after the act), not prevention. I have no 
problem with that setup, and really don't like the 'shoot first, ask 
later direction drift of the current administration.

Too many packets, not enough time, too many cooks in the government's 
kitchen all looking over their shoulders at all the *other* cooks and 
closely guarding their little corner of counter space and utensils.

Nothing to see, carry on...


--chuck

insert ironic sig
--

Were there mistakes? Yes. Only those who don't act don't make
mistakes. But to organize well --- *that* is a difficult task.
-- Lenin, April 24, 1917


Re: White House to Propose System for Wide Monitoring of Internet(fwd)

2002-12-20 Thread Christopher X. Candreva

On Fri, 20 Dec 2002, David Lesher wrote:


 [This just jumped into the operational arena. Are you prepared
 with the router port for John Poindexter's vacuum? What changes
 will you need to make? What will they cost? Who will pay?]

I read this in the paper this morning. The article is a summary of a summary
of a briefing, and contains contradictory statements, ranging from the
tracking of end-users web browsing (bad) to a clearing house to gather
real-time information of attacks in progress (which sounds like a good
idea to me).

I'm reserving judgement until there are some actual facts.

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/




Re: White House to Propose System for Wide Monitoring of Internet (fwd)

2002-12-20 Thread Richard Irving


 The -real- challenge is to create a system -capable- of monitoring
the entire Internet. Today there isn't enough horsepower to
accomplish such a thing, except by exception to the rule,
rather than the rule.

In analogy: We can adjust the flows of the Hoover 
 (remember him ?) Damn, we cannot however stop to count 
 bacteria in each and every drop, using today's technology.

As I recall, 
  didn't Hitler have basically the same problem in WWII ?

Now we have to ask ourselves: What can we learn from history ?


David Lesher wrote:
 
 [This just jumped into the operational arena. Are you prepared
 with the router port for John Poindexter's vacuum? What changes
 will you need to make? What will they cost? Who will pay?]
 
 
http://www.nytimes.com/2002/12/20/technology/20MONI.html?pagewanted=print&position=top
 
 
 December 20, 2002
 
 White House to Propose System for Wide Monitoring of Internet
 
 By JOHN MARKOFF and JOHN SCHWARTZ
 
 The Bush administration is planning to propose requiring Internet
 service providers to help build a centralized system to enable
 broad monitoring of the Internet and, potentially, surveillance
 of its users.
 
 The proposal is part of a final version of a report, The National
 Strategy to Secure Cyberspace, set for release early next year,
 according to several people who have been briefed on the report. It
 is a component of the effort to increase national security after
 the Sept. 11 attacks.
 
 The President's Critical Infrastructure Protection Board is
 preparing the report, and it is intended to create public and
 private cooperation to regulate and defend the national computer
 networks, not only from everyday hazards like viruses but also
 from terrorist attack. Ultimately the report is intended to provide
 an Internet strategy for the new Department of Homeland Security.
 
 ..



Re: White House to Propose System for Wide Monitoring of Internet (fwd)

2002-12-20 Thread Wayne E. Bouchard

On Fri, Dec 20, 2002 at 11:12:43AM -0500, David Lesher wrote:
 
 [This just jumped into the operational arena. Are you prepared
 with the router port for John Poindexter's vacuum? What changes
 will you need to make? What will they cost? Who will pay?]
 
 
http://www.nytimes.com/2002/12/20/technology/20MONI.html?pagewanted=print&position=top
 
  
 
 December 20, 2002
 
 White House to Propose System for Wide Monitoring of Internet
 
 By JOHN MARKOFF and JOHN SCHWARTZ
 
 The Bush administration is planning to propose requiring Internet
 service providers to help build a centralized system to enable
 broad monitoring of the Internet and, potentially, surveillance
 of its users.
 
 The proposal is part of a final version of a report, The National
 Strategy to Secure Cyberspace, set for release early next year,
 according to several people who have been briefed on the report. It
 is a component of the effort to increase national security after
 the Sept. 11 attacks.
 
 The President's Critical Infrastructure Protection Board is
 preparing the report, and it is intended to create public and
 private cooperation to regulate and defend the national computer
 networks, not only from everyday hazards like viruses but also
 from terrorist attack. Ultimately the report is intended to provide
 an Internet strategy for the new Department of Homeland Security.
 
 ..

Heard about this on the news this morning and you know, I am so not
worried about it.

IMO, it's so completely unfeasible at every level as to be actually
funny.

So they want us to monitor our customers. Okay, define that. You mean
you want me to snarf packets off a fully loaded OC-48 link and analyze
them in real time? No? You mean you just want it at the customer
boundaries? So now I have to hook this up to each of perhaps 250
routers? Are you going to pay for this? No? You mean you consider it a
cost of doing business. So who makes this gear? That's something that
the router vendors have to do and integrate them into their systems?
And who is going to pay for that cost? Cost of doing business again,
eh? And naturally, those costs get passed onto us, the providers and
we pass them along to the customers. What about your cries for
affordable internet for the underprivileged? Okay, back to the
technical questions... You want me to track the hack-of-the-day and
track it back to its source despite the fact that it takes no small
amount of effort to correlate this stuff? You say you want copies of
all email meeting certain criteria? You say you want me to keep track
of each web page users visit to watch for patterns? Now you want to
know what they're buying online too? Oh, and while you're at it, you
say you also want to use this convenient access to look into other
areas of potentially criminal activity?

Oh, REALLY? Just keeping track of the gigabytes of data per hour even
a moderately sized ISP can generate poses its own technical
challenge. (And sifting through that borders on impossible.) Not to
mention deploying systems all over the U.S., maintaining those
systems, altering various other systems to permit their use, and
maintaining an open pipeline to Big Brother (probably several) at our
own expense, yadda, yadda, yadda.

The whole thing is just not practical if, indeed, it's even
possible. But it is good for a laugh.

-Wayne

---
Wayne Bouchard
[EMAIL PROTECTED]
Network Engineer
http://www.typo.org/~web/resume.html



Re: White House to Propose System for Wide Monitoring of Internet (fwd)

2002-12-20 Thread Richard Irving

Freud, your slip is showing ?

 :P

Robert E. Seastrom wrote:
 Richard Irving [EMAIL PROTECTED] writes:
  In analogy: We can adjust the flows of the Hoover
   (remember him ?) Damn, we cannot however stop to count
 damn is an expletive, dam is a noun.  :)
 ---rob



Re: White House to Propose System for Wide Monitoring of Internet (fwd)

2002-12-20 Thread Richard Irving

Wayne E. Bouchard wrote:
 
 On Fri, Dec 20, 2002 at 11:12:43AM -0500, David Lesher wrote:
 But it is good for a laugh.

  Or a cry.

  :)  :*  :(

  FWIW, One American Government Legislative body, 
  all full of itself, had all but passed an act 
  requiring the value of PI to be legislated to 3, 
  from 3.1415..~etc

  Suits don't like to be bothered with details, eh ?

  ...Never forget A Divine Comedy, really isn't.

 -Wayne

 http://www.urbanlegends.com/legal/pi_indiana.html

 ---
 Wayne Bouchard
 [EMAIL PROTECTED]
 Network Engineer
 http://www.typo.org/~web/resume.html



Re: White House to Propose System for Wide Monitoring of Internet (fwd)

2002-12-20 Thread Valdis . Kletnieks
On Fri, 20 Dec 2002 11:31:39 MST, Wayne E. Bouchard said:
 
 On Fri, Dec 20, 2002 at 11:12:43AM -0500, David Lesher wrote:
  
  [This just jumped into the operational arena. Are you prepared
  with the router port for John Poindexter's vacuum? What changes
  will you need to make? What will they cost? Who will pay?]

 Heard about this on the news this morning and you know, I am so not
 worried about it.
 
 IMO, it's so completely unfeasible at every level as to be actually
 funny.

All the same, I suggest you forward the rest of your quite well-reasoned
comments to your congresscritter and/or the White House.  Remember that the
idea was probably proposed by people who have little or no clue of what the
actual impact would be - and the final decision will likely be made by
somebody with even less technical edge.

The truly scary part is that it could actually be approved





Re: White House to Propose System for Wide Monitoring of Internet(fwd)

2002-12-20 Thread batz

On Fri, 20 Dec 2002, David Lesher wrote:

:[This just jumped into the operational arena. Are you prepared
:with the router port for John Poindexter's vacuum? What changes
:will you need to make? What will they cost? Who will pay?]


There is a really easy way to accomplish this, and it has been
apparently partially implemented within UUNet as an overlaid 
network of GRE tunnels for a few years, at least based on a 
NANOG presentation from October 1999.  

This can be accomplished quite cost effectively, provided the
government doesn't want to archive *everything*. 

I keep mentioning this, and for some reason few people seem to
recognize how profoundly simple it would be for the government
to legislate themselves into exchange points and have
the authority to announce certain prefixes to the IX, tunnel
the traffic of the affected route into their own network,
and monitor it without ever showing up in a traceroute.

MPLS makes this even simpler, where certain routes can be
tagged and switched invisibly into the Total Information Awareness
network for monitoring, and switched back out with nobody being
the wiser. Technically this is simple. The infrastructure is
in place, it just needs some legal teeth.

As soon as they figure out BGP, governments could seek
authority over exchange point routing tables so that they can
implement data sanctions against foreign and/or non-compliant
ASN's.  It's pretty easy to imagine, we'll just have to see 
how it plays out. 

Also, if you want to monitor massive amounts of data (something
people say can't be done easily) you just demux it using a device
like those at www.toplayer.com, or
http://www.radware.com/content/products/fire.asp .
Both solutions are adequate for breaking up massive amounts
of data. 

I could write snort signatures that will trigger
a session to be re-routed based on packet content. It's fugly, 
but if I can do it in my basement, a multi-billion dollar 
agency acting on behalf of the only global superpower can 
probably think up something a little more elegant. :) 

-- 
batz
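The prefix-diversion mechanism described above (announce a prefix at an exchange point, pull the traffic through a tunnel, hand it back) is also exactly what an operator looks for when watching its own routes from a collector. The following is an added example, not code from batz's post or from any NANOG or vendor material: a small origin-validation check that compares announcements seen at a route collector against the origin ASNs the operator expects, flagging both a foreign origin on an exact prefix and any more-specific that would win longest-match. The prefixes, ASNs and policy table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Expected origin ASNs per prefix. Constructed sample data for this example
# (documentation prefixes and private ASNs), not any real routing policy.
EXPECTED_ORIGINS = {
    "192.0.2.0/24": {64500},
    "198.51.100.0/24": {64501},
    "203.0.113.0/24": {64502, 64503},  # legitimately multi-homed, two valid origins
}


@dataclass(frozen=True)
class Announcement:
    """One BGP UPDATE as seen from a collector: the prefix and its AS_PATH."""
    prefix: str
    as_path: tuple

    @property
    def origin_asn(self):
        # The origin AS is the rightmost entry in the AS_PATH.
        return self.as_path[-1]


@dataclass(frozen=True)
class Finding:
    kind: str        # "unexpected-origin" or "more-specific"
    prefix: str      # the prefix actually announced
    origin_asn: int  # who originated it
    expected: str    # the prefix in our policy that is affected


def check_announcements(announcements, expected=EXPECTED_ORIGINS):
    """Compare observed announcements with the expected-origin policy.

    Two conditions are flagged:
      * an exact match of one of our prefixes originated by an ASN not on the
        allowed list (a classic origin hijack);
      * a more-specific of one of our prefixes from any origin, because
        longest-prefix matching lets it pull traffic regardless of who
        announces it, so it must be confirmed as intentional.
    """
    policy = {ipaddress.ip_network(p): asns for p, asns in expected.items()}
    findings = []
    for ann in announcements:
        net = ipaddress.ip_network(ann.prefix)
        for exp_net, allowed in policy.items():
            if net.version != exp_net.version:
                continue  # subnet_of() raises on mixed IPv4/IPv6 comparisons
            if net == exp_net:
                if ann.origin_asn not in allowed:
                    findings.append(Finding("unexpected-origin", ann.prefix,
                                            ann.origin_asn, str(exp_net)))
            elif net.subnet_of(exp_net):
                findings.append(Finding("more-specific", ann.prefix,
                                        ann.origin_asn, str(exp_net)))
    return findings


# Constructed sample feed: what a route collector might show for our prefixes.
SAMPLE_FEED = [
    Announcement("192.0.2.0/24", (64510, 64500)),        # expected origin
    Announcement("198.51.100.0/24", (64510, 64599)),     # AS64599 is not a valid origin
    Announcement("203.0.113.0/25", (64510, 64502)),      # more-specific, even from our own AS
    Announcement("203.0.113.0/24", (64511, 64503)),      # second valid origin, fine
    Announcement("2001:db8::/32", (64510, 64520)),       # not ours, ignored
]


def summarize(findings):
    """Return the findings as sorted (kind, prefix, origin) tuples for reporting."""
    return sorted((f.kind, f.prefix, f.origin_asn) for f in findings)


if __name__ == "__main__":
    for kind, prefix, origin in summarize(check_announcements(SAMPLE_FEED)):
        print(f"{kind}: {prefix} originated by AS{origin}")
```

The more-specific rule deliberately fires even when the origin is one of the operator's own ASNs: a /25 carved out of a /24 attracts that half of the traffic no matter who announces it, so the check reports it and leaves the judgement to the operator rather than silently trusting the origin field.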




Re: White House to Propose System for Wide Monitoring of Internet(fwd)

2002-12-20 Thread Christopher L. Morrow

Cough!

On Fri, 20 Dec 2002, batz wrote:


 On Fri, 20 Dec 2002, David Lesher wrote:

 :[This just jumped into the operational arena. Are you prepared
 :with the router port for John Poindexter's vacuum? What changes
 :will you need to make? What will they cost? Who will pay?]


 There is a really easy way to accomplish this, and it has been
 apparently partially implemented within UUNet as an overlaid
 network of GRE tunnels for a few years, at least based on a
 NANOG presentation from October 1999.

This is incorrect, this isn't implemented, it's not implementable, current
routing gear doesn't gre tunnel a) fast enough, b) at all HOWEVER,
juniper will allow you to copy packets on an interface in 5.5 or perhaps a
bit later code, this is one way to implement this... however having a new
oc-X for each oc-X you wanna monitor. I wonder if there is a limit to the
amount of fiber the OCS/NCS/NPIC wants to monitor?


 This can be accomplished quite cost effectively, provided the
 government doesn't want to archive *everything*.


even if the gre tunnel (Center Track (c) Robert Stone, et al.) idea worked
right and scaled correctly things would still be 'expensive'... to
monitor/maintain/manage.

 I keep mentioning this, and for some reason few people seem to
 recognize how profoundly simple it would be for the government
 to legislate themselves into exchange points and have
 the authority to announce certain prefixes to the IX, tunnel
 the traffic of the affected route into their own network,
 and monitor it without ever showing up in a traceroute.


Sure, or they could ask carriers to tap lines for them silently... in fact
they can do that today with a court order.

-Chris




Fw: Re: White House to Propose System for Wide Monitoring of Internet (fwd)

2002-12-20 Thread Fred Heutte

I have restrained from saying this so far but... I told you so.

When I attended the Oakland NANOG in October 2001, I had just 
returned from Washington DC.  The trip originally was for my 
brother's wedding but I extended it for some personal lobbying on 
the so-called USA PATRIOT bill as it rushed through the process, 
having not one single public hearing in either the House or Senate.  

During that time I was continually in contact with the very 
knowledgeable staff at CDT, EFF and an attorney who is a recognized 
expert on Fourth Amendment search and seizure law and the 1996 AEDPA 
anti-terrorism law that laid the groundwork for Patriot.

As a USENIX member and NANOG participant, I had more insight into
the practical effect of the sweeping proposals in Patriot on actual
net operations than the attorneys did.  I realized that the Patriot 
law, when passed, would sooner or later entangle network operators in 
crucial decisions affecting the ability of ordinary users to traverse 
the net freely as we have always done.  

I did my best to alert my Oregon congressional delegation to these
issues, in personal meetings with their staff on Capitol Hill the
first week of October.  I've got a lot of background in lobbying but 
found this very hard to do.  Bridging the gap between communications 
and security policy and operational reality is a difficult matter at 
best.  But still, we have to try.

At the Oakland NANOG, following meeting procedure, I sent an email 
query requesting some discussion of the implications of the Patriot
bill, which ended up passing late in the month, and received a polite 
but firm reply from Susan Harris: this was beyond the scope of NANOG.  

I begged to differ then, and now I suggest that we all give serious 
thought to the implications that increasing and direct government 
intervention in the operation of the Net is starting to have.

We all want security, but security without liberty runs contrary to
the founding principles of the United States.  And as Bruce Schneier
has emphatically pointed out, security is a process not a product, 
whether it's a firewall or Total Information Awareness.  Avi Rubin 
observes the issue is not that the potential already exists to do 
great damage with the Internet.  With the advent of ever more potent 
attacks, from ordinary worms and viruses to Code Red and Nimda to 
root server DDOS and beyond, that is not disputed.  The question is 
why this capability is not used more often.  

The restraint from using technology for its maximum destructive 
potential is the social bonds that we have as human beings.  The 
great benefit of the Internet is that it helps strengthen those 
bonds, improve our planetary communications, and at its best help 
us collectively address the issues our societies face.  

If we do not have the maximum freedom to use the net for those 
purposes, free of government interference and arbitrary control 
wherever possible, but consistent with *reasoned and reasonable* 
security measures, our security will instead be undermined in the 
long run.

That is why the approach and attitude of network operators makes 
a difference.  It mattered at the time of the Oakland NANOG, and it 
matters now.  Perhaps NANOG is not the organizational locale to work 
these issues out, although I could see it being so.  But a coherent
response to increasing intrusion of governmental policy on network
operations needs to happen, one way or another.

You might say, it's not my job to make policy.  And that may be 
true.  It's not a branch librarian or circulation manager's job to 
make policy either, but they all belong to the American Library 
Association, which has emerged as an effective champion of real 
security and real freedom on the Internet, because they are 
committed to the principle that their primary obligation is to the 
users of library services.  I believe network operators should, 
and do, take very seriously their primary obligation to the users 
of Internet services.

So I ask my friends in this organization NANOG whose purpose and 
work I, a mere net user, greatly admire, to consider this question
with the greatest thoroughness.  When the government (whichever one, 
not just the US) comes knocking and asking you to do something that 
restricts the freedom of net users, what will you do?  When those 
in your organization who set policy come asking what it will cost 
and what it will mean to users to do what the government wants, what 
will you say?  

I don't mean to place the entire burden on the shoulders of NANOG 
and its members.  But I do think it's important to consider the 
obligations that all of us, who have some in-depth knowledge of 
how the Internet *really* works, have to the users of the Internet,
which will ultimately be every last one of us on the planet.

thanks,

Fred


-- mail forwarded, original message follows --

From: [EMAIL PROTECTED] 
Subject: Re: White House to Propose System for Wide 

Re: White House to Propose System for Wide Monitoring of Internet(fwd)

2002-12-20 Thread Richard Irving

Christopher L. Morrow wrote:
 
 Cough!
 Sure, or they could ask carriers to tap lines for them silently... in fact
 they can do that today with a court order.

  Nope. USA Patriot Act, No Court Order Needed. 

  :(

  Civil Liberties for Tax Refunds, Takers ? :P

  A COO I know is actually enthused, all he can say is
   Do you know how much money that means to me ?!

  Dohh!

  The Myopia of the Rich, eh ? 

  He also spouted the philosophy, one day:
  Give the money to the Rich, and they can put it into the Bank... 
  and the rest of you can borrow it it will stimulate the economy.

  A verbatim quote. ( He is GOP, FWIW. )

  * shudder *

  So, we can borrow it -=without=- a source of income ?

 -Chris



Re: White House to Propose System for Wide Monitoring of Internet (fwd)

2002-12-20 Thread blitz

Methinks they'll try the Russian SORM model. Since this country is hell 
bent on establishing a police-state, this seems logical. Why not use the 
one that's been developed?

http://www.libertarium.ru/eng/sorm/



 :[This just jumped into the operational arena. Are you prepared
 :with the router port for John Poindexter's vacuum? What changes
 :will you need to make? What will they cost? Who will pay?]





Re: White House to Propose System for Wide Monitoring of Internet(fwd)

2002-12-20 Thread batz

On Fri, 20 Dec 2002, Christopher L. Morrow wrote:

:Cough!

Heh. Bless you. ;) 

:This is incorrect, this isn't implemented, it's not implementable, current
:routing gear doesn't gre tunnel a) fast enough, b) at all HOWEVER,
:juniper will allow you to copy packets on an interface in 5.5 or perhaps a
:bit later code, this is one way to implement this... however having a new
:oc-X for each oc-X you wanna monitor. I wonder if there is a limit to the
:amount of fiber the OCS/NCS/NPIC wants to monitor?

I was told it was implemented when I called security a couple 
of years ago, and then my other questions were met with no comment. 
No comment is the appropriate response to a stranger calling and 
asking for security information, and doesn't imply any other answer, 
and I am willing to accept that it is no longer implemented, but 
somebody told me it was. I am willing to accept that the person I 
spoke to misinterpreted my question. 

That said, I don't think it's economical to want to tap an oc-X, 
but being able to grab single sessions doesn't necessarily have to scale 
if they aren't grabbing lots of them, and can access them relatively
close to their source. It's the same issues as running IDS's.

Let's say you have an IDS load balancer sitting on a GigE span 
port with a few sensors watching everything go by.  If an alert is 
triggered, a script is executed which goes out to the router closest
to the origin of the session and initiates the overlaid tunnel. 

:even if the gre tunnel (Center Track (c) Robert Stone, et al.) idea worked
:right and scaled correctly things would still be 'expensive'... to
:monitor/maintain/manage.

Well, one would assume that these features would be necessary for the
maintenance of a robust security policy and architecture 
implementation. The value is the same value that you get from 
regular IDS's, just with a new customer. 

:Sure, or they could ask carriers to tap lines for them silently... in fact
:they can do that today with a court order.

Indeed, and building features for automating the initialization of 
those taps into the network is not extraordinarily difficult. (I 
retract my profoundly simple comment.)  The cost of doing so is
another loss avoidance cost that would be integrated into the overhead
cost that we currently call security anyway. 

Are you suggesting that there might be money to be made by someone
who offered to integrate this sort of surveillance architecture into 
a network? 



-- 
batz




Re: White House to Propose System for Wide Monitoring of Internet(fwd)

2002-12-20 Thread Christopher L. Morrow


On Fri, 20 Dec 2002, batz wrote:

 On Fri, 20 Dec 2002, Christopher L. Morrow wrote:

 :Cough!

 Heh. Bless you. ;)

its this damned changing weather :)


 :This is incorrect, this isn't implemented, it's not implementable, current
 :routing gear doesn't gre tunnel a) fast enough, b) at all HOWEVER,
 :juniper will allow you to copy packets on an interface in 5.5 or perhaps a
 :bit later code, this is one way to implement this... however having a new
 :oc-X for each oc-X you wanna monitor. I wonder if there is a limit to the
 :amount of fiber the OCS/NCS/NPIC wants to monitor?

 I was told it was implemented when I called security a couple
 of years ago, and then my other questions were met with no comment.
 No comment is the appropriate response to a stranger calling and
 asking for security information, and doesn't imply any other answer,
 and I am willing to accept that it is no longer implemented, but
 somebody told me it was. I am willing to accept that the person I
 spoke to misinterpreted my question.


it's not that they misinterpreted, it's that it's NOT EVER been implemented.

 That said, I don't think it's economical to want to tap an oc-X,
 but being able to grab single sessions doesn't necessarily have to scale
 if they aren't grabbing lots of them, and can access them relatively
 close to their source. It's the same issues as running IDS's.


Except rarely (for larger pipes) are things symmetrically routed. So, let's
take my favorite example: ebay. Your session to ebay is only really
reliably symmetric at the router upstream from your workstation... all
other paths become highly asymmetric quickly, most likely.

 Let's say you have an IDS load balancer sitting on a GigE span
 port with a few sensors watching everything go by.  If an alert is
 triggered, a script is executed which goes out to the router closest
 to the origin of the session and initiates the overlaid tunnel.


For this I'd think 'riverhead box' and again, only at the datacenter where
the LB was, or at your facility infront of your workstation.

 :even if the gre tunnel (Center Track (c) Robert Stone, et al.) idea worked
 :right and scaled correctly things would still be 'expensive'... to
 :monitor/maintain/manage.

 Well, one would assume that these features would be necessary for the
 maintenance of a robust security policy and architecture
 implementation. The value is the same value that you get from
 regular IDS's, just with a new customer.


Ok, so let's say you wanted to IDS the 'internet' or 'any large ISP'
(Verio/UU/AOL/ATT/Sprint... make your list) there is little gig-e to
monitor, a lot of oc-12/48/192. There isn't an IDS that can truly monitor
an oc-12 yet, never mind multipath oc-12's (dual/tri/quad paths in the same
box)

The CenterTrack concept was never supposed to IDS traffic, it incurs a
large latency for the traffic and actually isn't implementable on 90% or
more of the edge routing gear of these providers.

 :Sure, or they could ask carriers to tap lines for them silently... in fact
 :they can do that today with a court order.

 Indeed, and building features for automating the initialization of
 those taps into the network is not extraordinarily difficult. (I
 retract my profoundly simple comment.)  The cost of doing so is
 another loss avoidance cost that would be integrated into the overhead
 cost that we currently call security anyway.


Hmm, actually it is pretty darned simple, no-export+no-advertise do this
for you quickly, then trigger when you want to watch paul vixie's hotmail
activities... simple enough really. This gets back to distributing
'sensors' to each pop, on each carrier and having dedicated ports on
routers to support this... This seems like a very large cost to bear, more
than 'cost of doing business'.

 Are you suggesting that there might be money to be made by someone
 who offered to integrate this sort of surveillance architecture into
 a network?



I'm not, but lots of people are already selling this very thing...

riverhead
arbor
mazu
cloudshield
toplayer

all of these vendors provide products capable of this kind of
'surveillance'; whether or not that's the touted talking point, each
can provide this 'surveillance'.
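The "copy packets on an interface" approach Chris refers to, and his point that a session is only reliably symmetric at the router nearest the workstation, look roughly like the following on a Juniper box. This is an added example, not configuration from anyone in the thread: the interface names, the monitored host 192.0.2.10 and the collector next hop 203.0.113.2 are assumptions (RFC 5737 documentation ranges), and the exact port-mirroring statement syntax has varied across Junos releases, so treat it as illustrative of the shape rather than as cut-and-paste.

```junos
/* Added example, not from the thread. Addresses and interface names are assumptions. */
forwarding-options {
    port-mirroring {
        input {
            rate 1;                          /* mirror every matching packet, not a 1-in-N sample */
        }
        family inet {
            output {
                interface ge-1/0/0.0 {       /* a dedicated port towards the collector: */
                    next-hop 203.0.113.2;    /* the "new port for each port you monitor" cost */
                }
            }
        }
    }
}
firewall {
    family inet {
        filter TAP-192-0-2-10 {
            term tap {
                from {
                    address {
                        192.0.2.10/32;       /* 'address' matches as source OR destination */
                    }
                }
                then {
                    port-mirror;             /* copy to the collector ... */
                    accept;                  /* ... and still forward normally, invisible to traceroute */
                }
            }
            term everything-else {
                then accept;                 /* the tap filter must never become a drop filter */
            }
        }
    }
}
interfaces {
    ge-0/0/0 {                               /* the customer-facing port, i.e. first hop */
        unit 0 {
            family inet {
                filter {
                    input TAP-192-0-2-10;    /* both directions are applied here because */
                    output TAP-192-0-2-10;   /* this is the only hop where the flow is symmetric */
                }
            }
        }
    }
}
```

The filter is applied to both the input and output direction of the first-hop interface precisely because of the asymmetry argument: one hop further into the core the return half of the session may take a different path and the mirror would only ever see one direction. The trade-off Chris describes is visible too: every router that might host such a tap needs a spare port and a collector behind it, which is what turns this from a one-line filter into a network-wide cost.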