Re: [Operational] Internet Police

2010-12-11 Thread isabel dias


Check the agreed maintenance windows as defined in the (SLA) section Maintenance Plans - etc.




 
- Original Message 
From: Joel Jaeggli 
To: valdis.kletni...@vt.edu
Cc: nanog@nanog.org
Sent: Fri, December 10, 2010 6:48:41 PM
Subject: Re: [Operational] Internet Police

On 12/10/10 9:06 AM, valdis.kletni...@vt.edu wrote:
> On Fri, 10 Dec 2010 11:08:00 EST, Lamar Owen said:
>
> I believe the word you wanted was "hooliganism".  And we have a legal system
> that has about 3,000 years of experience in dealing with *that*, thank you very
> much.

The code of Hammurabi or Ur-Nammu would probably cut off your hand or
require the payment of several minas of silver.

The failure isn't one of the legal system not having the tools to
prosecute this sort of activity, it's the failure to effectively police
it. Other attractive nuisances that cause economic damage such as graffiti
and antisocial behavior (of which much of this DoS activity clearly is)
have been around longer than the code of Ur-Nammu and we haven't solved
them yet either.






Re: [Operational] Internet Police

2010-12-10 Thread Joel Jaeggli
On 12/10/10 9:06 AM, valdis.kletni...@vt.edu wrote:
> On Fri, 10 Dec 2010 11:08:00 EST, Lamar Owen said:
>
> I believe the word you wanted was "hooliganism".  And we have a legal system
> that has about 3,000 years of experience in dealing with *that*, thank you very
> much.

The code of Hammurabi or Ur-Nammu would probably cut off your hand or
require the payment of several minas of silver.

The failure isn't one of the legal system not having the tools to
prosecute this sort of activity, it's the failure to effectively police
it. Other attractive nuisances that cause economic damage such as graffiti
and antisocial behavior (of which much of this DoS activity clearly is)
have been around longer than the code of Ur-Nammu and we haven't solved
them yet either.





Re: [Operational] Internet Police

2010-12-10 Thread Jack Bates

On 12/10/2010 12:07 PM, Paul Graydon wrote:

> Unless you can get every company to sign up to an agreement it will
> never work.  Even then you'll still find unscrupulous companies that are
> far more interested in revenue than reputation.  There are a number of
> hosting companies I'm sure most network professionals are aware of that
> are regular bases for C'n'C servers.


Why does it matter? If a customer isn't going to run a clean system, why 
would you want them on your network? Commodity customers are quick 
shutoffs, while businesses often have valid contacts to work with to 
resolve the issue without a full cutoff.


If they go to the competition, it's one less problem for me to deal with 
in the future (as repeat offenses are not uncommon). MOST of the 
customers I suspend service due to bots/spam/etc are happy with the 
service (once they realize the pretty locks on their web browser don't 
secure their communications from infections).




Jack



Re: [Operational] Internet Police

2010-12-10 Thread Paul Graydon

On 12/10/2010 07:59 AM, George Bonser wrote:

>> Not to mention the risk of lost business for customers that just can't
>> be bothered to fix broken machines.
>>
>> Paul
>
> That supposes that another ISP would accept their bot-infected machine.
> It would require some cooperation among the providers.  And should some
> ISP get the reputation of being a bot-haven, then maybe their customers
> might notice connectivity issues.

Unless you can get every company to sign up to an agreement it will 
never work.  Even then you'll still find unscrupulous companies that are 
far more interested in revenue than reputation.  There are a number of 
hosting companies I'm sure most network professionals are aware of that 
are regular bases for C'n'C servers.




RE: [Operational] Internet Police

2010-12-10 Thread George Bonser
> Not to mention the risk of lost business for customers that just can't
> be bothered to fix broken machines.
> 
> Paul


That supposes that another ISP would accept their bot-infected machine.
It would require some cooperation among the providers.  And should some
ISP get the reputation of being a bot-haven, then maybe their customers
might notice connectivity issues.





Re: [Operational] Internet Police

2010-12-10 Thread Paul Graydon

On 12/10/2010 07:45 AM, George Bonser wrote:

>> From: William McCall
>> Sent: Friday, December 10, 2010 8:45 AM
>> To: Lamar Owen
>> Cc: nanog@nanog.org
>> Subject: Re: [Operational] Internet Police
>
>> To the folks out there that presently work for an SP, if someone
>> called you (or the relevant department) and gave you a list of
>> end-user IPs that were DDoSing this person/entity, how long would you
>> take to verify and stop the end user's stream of crap? Furthermore,
>> what is the actual incentive to do something about it?
>
> The behavior is no different than a street gang who would attempt to
> influence the behavior of a local merchant by threatening damage to the
> store.  In the case of internet operations, we seem to tolerate the
> behavior or simply assume little can be done so many don't even try. If
> an ISP were to actively disconnect clients who were infected with a bot
> (intentionally infected or not), the end users themselves might be a
> little more vigilant at keeping their systems free of them.  *But* any
> ISP doing that would also have to be prepared to invest some effort in
> trying to help absolutely clueless people (in many cases) remove these
> bots from their systems.  It can quickly become a huge time swamp.


Not to mention the risk of lost business for customers that just can't 
be bothered to fix broken machines.


Paul



Re: [Operational] Internet Police

2010-12-10 Thread Jack Bates

On 12/10/2010 11:45 AM, George Bonser wrote:

> If
> an ISP were to actively disconnect clients who were infected with a bot
> (intentionally infected or not), the end users themselves might be a
> little more vigilant at keeping their systems free of them.  *But* any
> ISP doing that would also have to be prepared to invest some effort in
> trying to help absolutely clueless people (in many cases) remove these
> bots from their systems.


Works well for the most part, and if they are clueless, they can seek 
professional help from a computer tech.



Jack



RE: [Operational] Internet Police

2010-12-10 Thread George Bonser
> From: William McCall 
> Sent: Friday, December 10, 2010 8:45 AM
> To: Lamar Owen
> Cc: nanog@nanog.org
> Subject: Re: [Operational] Internet Police


> To the folks out there that presently work for an SP, if someone
> called you (or the relevant department) and gave you a list of
> end-user IPs that were DDoSing this person/entity, how long would you
> take to verify and stop the end user's stream of crap? Furthermore,
> what is the actual incentive to do something about it?

The behavior is no different than a street gang who would attempt to
influence the behavior of a local merchant by threatening damage to the
store.  In the case of internet operations, we seem to tolerate the
behavior or simply assume little can be done so many don't even try. If
an ISP were to actively disconnect clients who were infected with a bot
(intentionally infected or not), the end users themselves might be a
little more vigilant at keeping their systems free of them.  *But* any
ISP doing that would also have to be prepared to invest some effort in
trying to help absolutely clueless people (in many cases) remove these
bots from their systems.  It can quickly become a huge time swamp.





Re: [Operational] Internet Police

2010-12-10 Thread Valdis . Kletnieks
On Fri, 10 Dec 2010 12:14:20 EST, Lamar Owen said:
> Identity theft can cause loss of life due to the stress of mopping up 
> afterwards.

Oh, give me a *break*. This is well off the end of the slippery slope.

My car got totaled in a rear-end collision a few weeks ago.  If I get so
stressed dealing with my insurance company that I die of a heart attack, does
that mean the guy who ran into me is guilty of murder? And for bonus points, is
he guilty of *attempted* murder if I *don't* have a heart attack?  No - in most
jurisdictions, if I expire of a heart attack as an unforeseen and unpredictable
*direct* result of somebody's actions, that would maybe be manslaughter, not
murder.  And death during "mopping up afterwards" is *so* convoluted I don't
think you could even get a win in a civil trial, where the standards of
evidence are a lot lower than in criminal cases.

Similarly, identity theft isn't committed with the *intent* that people will
keel over - that's an unforeseeable and unpredictable result.

On the other hand, *real* terrorism usually involved the *intent* that you're
going to have some very messy corpses and/or fragments thereof.

Let me know when you have a documented case of a DDoS launched with
the *intent* of causing dead bodies in the street for the 6PM news crews,
so that the populace is in fact terrified.





Re: [Operational] Internet Police

2010-12-10 Thread Jack Bates



On 12/10/2010 11:37 AM, Jack Bates wrote:

>> assassination, or kidnapping, and (C) occur primarily within the
>
> At most, B ii applies, but if I'm not mistaken, A, B, and C must all
> occur by that statute (the giveaway is C, as it doesn't make sense as a
> single condition).


err, or one could just go by the use of "and".

head. desk.


Jack



Re: [Operational] Internet Police

2010-12-10 Thread Jack Bates



On 12/10/2010 11:06 AM, valdis.kletni...@vt.edu wrote:

> The USA Patriot act says: "activities that (A) involve acts dangerous to human
> life that are a violation of the criminal laws of the U.S. or of any state,
> that (B) appear to be intended (i) to intimidate or coerce a civilian
> population, (ii) to influence the policy of a government by intimidation or
> coercion, or (iii) to affect the conduct of a government by mass destruction,
> assassination, or kidnapping, and (C) occur primarily within the territorial
> jurisdiction of the U.S."


At most, B ii applies, but if I'm not mistaken, A, B, and C must all 
occur by that statute (the giveaway is C, as it doesn't make sense as a 
single condition).


The Patriot act seems to discount foreign terrorism (unsurprising), but 
even going by A and B, the DDOS would have to be dangerous to human life 
and be illegal by US/state law, in addition to intimidating (which 
purposefully being dangerous to human life definitely falls under 
intimidation).


So attacking infrastructure (affecting traffic lights, power, air 
traffic control systems, etc) would fall under terrorism (regardless of 
attack mechanism). I don't think one could constitute the inability to 
sell a product or process a payment as life threatening. Those acts fall 
under other legal definitions.



Jack



Re: [Operational] Internet Police

2010-12-10 Thread Lamar Owen
On Friday, December 10, 2010 11:46:43 am JC Dill wrote:
>   On 10/12/10 8:08 AM, Lamar Owen wrote:
> > In reality DoS threats/execution of those threats/ 'pwning' / website 
> > vandalism are all forms of terrorism.

> No one was "terrorized" because they couldn't reach MasterCard or 
> because MasterCard's website was defaced.  Vandalism doesn't even begin 
> to equate to terrorism.  You demean everyone who has been impacted by 
> true terrorism by trying to equate these relatively trivial events with 
> the real events of terrorism.

As I sat deciding on the words to use before hitting send, that, even though 
the word terrorism is emotionally and politically charged, that it is an 
accurate, if vague, term, especially in the age of identity theft.  And I say 
that having family members that have been impacted directly by terrorism, so I 
certainly am not intending to demean anyone, and I did carefully consider that 
some might consider it a demeaning statement.

But the fact of the matter is that website defacement and DDoS can cause loss 
of income or even worse, depending upon the exact content of the defacement and 
the exact nature of the DDoS.  Identity theft can cause loss of life due to the 
stress of mopping up afterwards.  If your employer's bottom line is negatively 
impacted by a website defacement or by DoS, your job itself could be negatively 
impacted.

Just because it's on the web or in e-mail or whatnot (I'm really resisting the 
c*space metaphor here) doesn't mean dire real-world consequences can't be felt.



Re: [Operational] Internet Police

2010-12-10 Thread Valdis . Kletnieks
On Fri, 10 Dec 2010 11:08:00 EST, Lamar Owen said:
> In reality DoS threats/execution of those threats/ 'pwning' / website
> vandalism are all forms of terrorism.

Let's not dilute the meaning of terrorism to the point where graffiti, cyber
or otherwise, is classified as terrorism.

The USA Patriot act says: "activities that (A) involve acts dangerous to human
life that are a violation of the criminal laws of the U.S. or of any state,
that (B) appear to be intended (i) to intimidate or coerce a civilian
population, (ii) to influence the policy of a government by intimidation or
coercion, or (iii) to affect the conduct of a government by mass destruction,
assassination, or kidnapping, and (C) occur primarily within the territorial
jurisdiction of the U.S."

I don't think Joe Sixpack felt intimidated or coerced by a few DDoS attacks,
nor did it seem to do much to change official US policy (mostly because
the guys in DC are running around like the Headless Horsechicken trying
to figure out what our policy *IS*).  And it's the rare DDoS that becomes
an act "dangerous to human life".

I believe the word you wanted was "hooliganism".  And we have a legal system
that has about 3,000 years of experience in dealing with *that*, thank you very
much.





Re: [Operational] Internet Police

2010-12-10 Thread Michael Smith
On Fri, Dec 10, 2010 at 11:46 AM, JC Dill 

> We *really* don't need Homeland Security and TSA deciding that
> cyber-vandalism falls into the realm of terrorism and thus comes under their
> purview to "protect us against".  Their security theater at the airport is
> too much already, I can't begin to imagine how badly they could screw it up
> if they had a mandate to implement similar "protective" processes on the
> internet.
>
> jc
>
>
>
Now, we're getting to the original question.  If the Federal Govt decides
that state secrets and ability to conduct commerce raise this to the level
of a "global guerrilla war", we can all laugh it off for its absurdity, but
I'm curious what architectural and operational decisions will be if we are
*ordered* to consider what options are available...  ..or... would it simply
be a NSA/DoD appliance that we're all required to place in-line?...


Re: [Operational] Internet Police

2010-12-10 Thread Jack Bates


On 12/10/2010 10:44 AM, William McCall wrote:

> To the folks out there that presently work for an SP, if someone
> called you (or the relevant department) and gave you a list of
> end-user IPs that were DDoSing this person/entity, how long would you
> take to verify and stop the end user's stream of crap? Furthermore,
> what is the actual incentive to do something about it?



It falls under standard abuse role, though if the destination just wants 
a filter or their IP nullrouted, that is usually accommodated immediately.



Jack



Re: [Operational] Internet Police

2010-12-10 Thread JC Dill

 On 10/12/10 8:08 AM, Lamar Owen wrote:

> On Thursday, December 09, 2010 01:26:30 pm Dobbins, Roland wrote:
>> On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
>>> "front lines of this "cyberwar"?
>> Warfare isn't the correct metaphor.
>> Espionage/covert action is the correct metaphor.
>
> In reality DoS threats/execution of those threats/ 'pwning' / website vandalism
> are all forms of terrorism.


No one was "terrorized" because they couldn't reach MasterCard or 
because MasterCard's website was defaced.  Vandalism doesn't even begin 
to equate to terrorism.  You demean everyone who has been impacted by 
true terrorism by trying to equate these relatively trivial events with 
the real events of terrorism.


We *really* don't need Homeland Security and TSA deciding that 
cyber-vandalism falls into the realm of terrorism and thus comes under 
their purview to "protect us against".  Their security theater at the 
airport is too much already, I can't begin to imagine how badly they 
could screw it up if they had a mandate to implement similar 
"protective" processes on the internet.


jc




Re: [Operational] Internet Police

2010-12-10 Thread William McCall
On Fri, Dec 10, 2010 at 10:08 AM, Lamar Owen  wrote:
> On Thursday, December 09, 2010 01:26:30 pm Dobbins, Roland wrote:
>> On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
>> > "front lines of this "cyberwar"?
>> Warfare isn't the correct metaphor.
>
>> Espionage/covert action is the correct metaphor.
>
> In reality DoS threats/execution of those threats/ 'pwning' / website 
> vandalism are all forms of terrorism.  An easily pronounceable version with a 
> 'net-' 'e-' or even 'cyber-' prefix. is difficult.
>
>

Terrorism? Hell, I guess you're right since the definition of
"terrorism" seems to extend to anything remotely criminal and scary.
Especially if more than one person is involved. I bet the old school
terrorists who believed terrorism required massive panic are quite
disturbed by this lowered bar for success.

I think that's a lot of undue credit given to basic criminal behavior
and watching the boogieman come out because the perpetrators either
can't be stopped or the reality that SPs apparently don't care to stop
it.

To the folks out there that presently work for an SP, if someone
called you (or the relevant department) and gave you a list of
end-user IPs that were DDoSing this person/entity, how long would you
take to verify and stop the end user's stream of crap? Furthermore,
what is the actual incentive to do something about it?


-- 
William McCall



Re: [Operational] Internet Police

2010-12-10 Thread J. Oquendo
On 12/10/2010 11:08 AM, Lamar Owen wrote:
>
> In reality DoS threats/execution of those threats/ 'pwning' / website 
> vandalism are all forms of terrorism.  An easily pronounceable version with a 
> 'net-' 'e-' or even 'cyber-' prefix. is difficult.  

I thought "e-*" was so yesterday, wouldn't this be "i-*" or to be more
complete "i-* 2.0"

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




Re: [Operational] Internet Police

2010-12-10 Thread Lamar Owen
On Thursday, December 09, 2010 01:26:30 pm Dobbins, Roland wrote: 
> On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
> > "front lines of this "cyberwar"?
> Warfare isn't the correct metaphor.

> Espionage/covert action is the correct metaphor.

In reality DoS threats/execution of those threats/ 'pwning' / website vandalism 
are all forms of terrorism.  An easily pronounceable version with a 'net-' 'e-' 
or even 'cyber-' prefix. is difficult.  



Re: [Operational] Internet Police

2010-12-10 Thread Jorge Amodio
On Thu, Dec 9, 2010 at 1:12 PM, Randy Bush  wrote:
>> And if I ever find the genius who came up with the "we are not the
>> internet police" meme ...
>
> he died over a decade ago

He also said "The Internet works because a lot of people cooperate to
do things together"

Remove the "together" and there is no Internet.

-J



Re: [Operational] Internet Police

2010-12-09 Thread Bill Woodcock

Butlerian Jihad. 

-Bill


On Dec 9, 2010, at 19:02, "Robert E. Seastrom"  wrote:

> 
> mikea  writes:
> 
>> On Thu, Dec 09, 2010 at 06:26:30PM +, Dobbins, Roland wrote:
>> 
>>> On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
>>
>>>> "front lines of this "cyberwar"?
>> 
>>> Warfare isn't the correct metaphor.
>> 
>>> Espionage/covert action is the correct metaphor.
>> 
>> "Low intensity conflict" may be more correct. 
> 
> For the past several years I've felt that "cyber-intifada" was the
> proper trope, but so far it has failed to grow legs.
> 
> -r
> 
> 




Re: [Operational] Internet Police

2010-12-09 Thread Dobbins, Roland

On Dec 10, 2010, at 10:01 AM, Robert E. Seastrom wrote:

> "cyber-intifada" was the proper trope, but so far it has failed to grow legs.


The problem is that non-ironic use of the appellation 'cyber-' is generally 
inversely proportional to actual clue, so it should be avoided at all costs.

;>

---
Roland Dobbins  // 

   Sell your computer and buy a guitar.







Re: [Operational] Internet Police

2010-12-09 Thread Robert E. Seastrom

mikea  writes:

> On Thu, Dec 09, 2010 at 06:26:30PM +, Dobbins, Roland wrote:
>
>> On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:
>
>> > "front lines of this "cyberwar"?
>
>> Warfare isn't the correct metaphor.
>
>> Espionage/covert action is the correct metaphor.
>
> "Low intensity conflict" may be more correct. 

For the past several years I've felt that "cyber-intifada" was the
proper trope, but so far it has failed to grow legs.

-r




Re: [Operational] Internet Police

2010-12-09 Thread Suresh Ramasubramanian
On Fri, Dec 10, 2010 at 12:42 AM, Randy Bush  wrote:
>> And if I ever find the genius who came up with the "we are not the
>> internet police" meme ...
>
> he died over a decade ago

All due respect to him, but I didn't want to kick his teeth in or
anything, merely ask if he'd like to reconsider it, given the new
security threats we all face that have outdated that meme.

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: [Operational] Internet Police

2010-12-09 Thread David Conrad
On Dec 9, 2010, at 10:44 AM, Jack Bates wrote:
> [CALEA] is designed to track down and prosecute people, not stop malicious 
> activity.

Right. 

> In order for the law to try and stop malicious activities (digital or real), 
> it must place constraints on our freedoms. See TSA/Airport Security.

Or, more relevant to NANOG, see COICA 
(http://www.gpo.gov/fdsys/pkg/BILLS-111s3804rs/pdf/BILLS-111s3804rs.pdf).

Regards,
-drc





Re: [Operational] Internet Police

2010-12-09 Thread Chris Adams
Once upon a time, Fred Baker  said:
> did you know that DSLRs are illegal in Kuwait unless one is a registered 
> journalist?

Did you know that they are not?

http://thenextweb.com/me/2010/11/30/kuwait-dslr-ban-does-not-exist-after-all/

This is like the people attacking EasyDNS because they took
wikileaks.org down.  Oops, except it wasn't, it was EveryDNS.

I read it on the Internet so it must be true!
-- 
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: [Operational] Internet Police

2010-12-09 Thread mikea
On Thu, Dec 09, 2010 at 06:26:30PM +, Dobbins, Roland wrote:

> On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:

> > "front lines of this "cyberwar"?

> Warfare isn't the correct metaphor.

> Espionage/covert action is the correct metaphor.

"Low intensity conflict" may be more correct. 

-- 
Mike Andrews, W5EGO
mi...@mikea.ath.cx
Tired old sysadmin 



Re: [Operational] Internet Police

2010-12-09 Thread Fred Baker
On Dec 9, 2010, at 10:19 AM, Michael Smith wrote:
> My question is what architectural recommendations will you make to your 
> employer if/when the US Govt compels our employers to accept our role as the 
> "front lines of this "cyberwar"?
> 
> I figure once someone with a relevant degree of influence in the govts 
> realizes that the "cyberwar" is between content/service controllers and 
> eyeballs. With involuntary and voluntary botnets as the weapons of "the 
> eyeballs", relying exclusively on a line of defense near to the content 
> (services) leaves a great expanse of "battlefield". I would expect the 
> content/service controllers to look for means to move the battleline as close 
> to the eyeballs as possible (this community) So... if/when our employers are 
> unable to resist the US Govt's demand that we "join in the national defense", 
> wouldn't this community be the ones asked to guard the border?
> 
> Assuming the govt won't send federal agents into each of our NOCs, won't our 
> employers ask us "what can we do?"
> 
> If inspecting and correlating every single packet/flow for attack signatures 
> is not feasible (on scale), are there name/address registration/resolution 
> measures that could effectively lock-down the edge? ...will we look toward 
> China/Saudi Arabia/etc for lessons learned in their 'great firewalls' to 
> develop a distributed version where central control pushes policy out to the 
> edge (into the private networks that currently provide the dreaded "low 
> barrier for entry")?
> 
> Obviously the environment is created by layers 8/9, but I'm interested in the 
> layer 1-7 solutions that the community would consider/recommend.
> 
> -Michael

In my ever-so-humble opinion, this is not primarily about copyrighted material; 
it is primarily about content control. Go to any country in the world; they 
have something they wish wasn't available on the net. It might be child 
pornography, pornography in general by some definition of that term or lack 
thereof, journalist reports regarding their country or certain events in their 
country, paparazzi photos of their leaders or their consorts, or comments or 
comics featuring important religious figures or violating local social norms 
(did you know that DSLRs are illegal in Kuwait unless one is a registered 
journalist?). The UN Al Qua'da Task Force would like to block all files that 
originate from Al Qua'da. During the US 2004 presidential elections, one of the 
candidates suggested using CleanFeed to suppress information about dog racing. 
It might be COICA, HADOPI, or some municipal court judge who has no idea what 
he is asking but makes a decree that  should go away. They are all, 
at the end of the day, talking about the same thing: "we don't care what other 
countries or other people think; in our country,  should not be 
available on the Internet."

Which is to say that they think that they should be in control of some bit of 
content. Content control, which they might well decry when others do it and 
respond very poorly when you point out their own actions. 

I would note that in many cases similar laws already exist in the various 
countries' legal systems. For some reason, rather than enforcing the existing 
law of the land, they feel compelled to make a new law that is specific to the 
Internet. I asked a lawyer advocating yet another such a law about this once, 
trying to find out why she thought that was necessary. Her response was that 
the existing law of the land had been found in court after court and 
jurisdiction over jurisdiction to be unimplementable and unenforceable; a 
certain famous statement about the definition of obscenity comes to mind, and 
very appropriately. "If I have the law, it gives me one more chance to argue 
the case in court". A case she freely admitted that she would very likely lose.

If your boss comes to you and asks you to be part of it, my suggestion (I am 
not a lawyer, and this is not legal advice) would be to first ask him whether 
he has a court order. If you are obligated to comply, you are obligated to 
comply. But in any event, I would suggest that he read 
http://www.washingtonpost.com/wp-dyn/content/article/2010/12/08/AR2010120804038.html.
 I suspect we will be reading similar articles about some 70 sites that have 
been taken down recently, and in some cases they may take whoever-did-it to 
court and win a judgement. The Internet routes around failure, and people who 
think they can control content are notorious for failing.

That's not a political viewpoint; some of those things that folks would like to 
go away probably should. From a very pragmatic and practical perspective, any 
technical mechanism that has been proposed is trivially defeated. The first 
implementers of DKIM were the spammers. What does CleanFeed do with https or 
encrypted BitTorrent? DNS Blocking is very interesting in a DNSSEC world, and 
is trivially overcome by purchasing a name in another TLD - or a 

Re: [Operational] Internet Police

2010-12-09 Thread Michael Smith
Was it the original IANA?


- Original Message -
From: Randy Bush 
To: Suresh Ramasubramanian 
Cc: North American Network Operators Group 
Sent: Thu Dec 09 14:12:41 2010
Subject: Re: [Operational] Internet Police

> And if I ever find the genius who came up with the "we are not the
> internet police" meme ...

he died over a decade ago



Re: [Operational] Internet Police

2010-12-09 Thread Randy Bush
> And if I ever find the genius who came up with the "we are not the
> internet police" meme ...

he died over a decade ago



Re: [Operational] Internet Police

2010-12-09 Thread Michael Holstein

> Obviously the environment is created by layers 8/9, but I'm interested in
> the layer 1-7 solutions that the community would consider/recommend.
>
>   

BGP blackhole communities is a good way to push the problem upstream,
assuming your provider will agree to it. In theory, that could also work
on a larger scale, but it becomes a matter of trust (as has been
discussed many times before .. "just because *you* say it's bad, doesn't
make it so").

Cheers,

Michael Holstein
Cleveland State University



Re: [Operational] Internet Police

2010-12-09 Thread Suresh Ramasubramanian
And if I ever find the genius who came up with the "we are not the
internet police" meme ...

On Fri, Dec 10, 2010 at 12:19 AM, Suresh Ramasubramanian
 wrote:
> Let's put it this way.
>
> 1. If you host government agencies, provide connectivity to say a
> nuclear power plant or an army base, or a bank or .. .. - you'd
> certainly work with your customers to meet their security
> requirements.
>
> 2. If you are a service provider serving up DSL - why then, there are
> some governments (say Australia) that have blacklists of child porn
> sites - and I think Interpol came up with something similar too.  And
> yes there's CALEA and a few other such things .. not much more that's
> new.
>
> Separating rhetoric and military metaphors will help you see this a
> lot more clearly.  As will not dismissing the entire idea with
> contempt.
>
> As a service provider for anything at all, you'll see your share of attacks.
>
> Whether coordinated by 4chan or by comrade joe chan shouldn't really
> matter, except at the level where you work with law enforcement etc to
> coordinate a response that goes beyond the technical.  [And ALL
> responses to these are not going to restrict themselves to being
> solvable by technical means].
>
> --srs
>
> On Fri, Dec 10, 2010 at 12:01 AM, Michael Smith  wrote:
>> How is "what to block" identified?  ...by content key words?  ..traffic
>> profiles / signatures?  Deny all, unless flow (addresses/protocol/port) is
>> pre-approved / registered?
>>
>> What does the technical solution look like?
>>
>> Any solutions to maintain some semblance of freedom?
>>
>
>
>
> --
> Suresh Ramasubramanian (ops.li...@gmail.com)
>



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: [Operational] Internet Police

2010-12-09 Thread Suresh Ramasubramanian
Let's put it this way.

1. If you host government agencies, provide connectivity to say a
nuclear power plant or an army base, or a bank or .. .. - you'd
certainly work with your customers to meet their security
requirements.

2. If you are a service provider serving up DSL - why then, there are
some governments (say Australia) that have blacklists of child porn
sites - and I think Interpol came up with something similar too.  And
yes there's CALEA and a few other such things .. not much more that's
new.

Separating rhetoric and military metaphors will help you see this a
lot more clearly.  As will not dismissing the entire idea with
contempt.

As a service provider for anything at all, you'll see your share of attacks.

Whether coordinated by 4chan or by comrade joe chan shouldn't really
matter, except at the level where you work with law enforcement etc to
coordinate a response that goes beyond the technical.  [And ALL
responses to these are not going to restrict themselves to being
solvable by technical means].

--srs

On Fri, Dec 10, 2010 at 12:01 AM, Michael Smith  wrote:
> How is "what to block" identified?  ...by content key words?  ..traffic
> profiles / signatures?  Deny all, unless flow (addresses/protocol/port) is
> pre-approved / registered?
>
> What does the technical solution look like?
>
> Any solutions to maintain some semblance of freedom?
>



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: [Operational] Internet Police

2010-12-09 Thread Jack Bates

On 12/9/2010 12:31 PM, Michael Smith wrote:

> How is "what to block" identified?  ...by content key words?  ..traffic
> profiles / signatures?  Deny all, unless flow (addresses/protocol/port)
> is pre-approved / registered?



CALEA doesn't provide block. It provides full data dumps to the 
authorities. It's up to them to analyze, prove illegality, and seek 
warrants.


A single CALEA tap on a bot, for example, could provide the government 
with a bot controller, or with details of what a specific bot is doing.


A tap on the controller itself could show the large number of bots and 
their location, or provide the next step in backtracking the connection 
to the person using the controller.


On and On. Is it ideal? No. Is it possible to do within current law, 
until it crosses international boundaries, but even then there is some 
amount of recourse.


The law is designed to track down and prosecute people, not stop 
malicious activity. In order for the law to try and stop malicious 
activities (digital or real), it must place constraints on our freedoms. 
See TSA/Airport Security.



Jack




Re: [Operational] Internet Police

2010-12-09 Thread Michael Smith
How is "what to block" identified?  ...by content key words?  ..traffic
profiles / signatures?  Deny all, unless flow (addresses/protocol/port) is
pre-approved / registered?

What does the technical solution look like?

Any solutions to maintain some semblance of freedom?


On Thu, Dec 9, 2010 at 1:25 PM, Jack Bates  wrote:

>
>
> On 12/9/2010 12:19 PM, Michael Smith wrote:
>
>> So... if/when our
>> employers are unable to resist the US Govt's demand that we "join in the
>> national defense", wouldn't this community be the ones asked to guard the
>> border?
>>
>
> CALEA
>
> done
>


Re: [Operational] Internet Police

2010-12-09 Thread Dobbins, Roland

On Dec 10, 2010, at 1:19 AM, Michael Smith wrote:

> "front lines of this "cyberwar"?


Warfare isn't the correct metaphor.

Espionage/covert action is the correct metaphor.

---
Roland Dobbins  // 

   Sell your computer and buy a guitar.







Re: [Operational] Internet Police

2010-12-09 Thread Jack Bates



On 12/9/2010 12:19 PM, Michael Smith wrote:

> So... if/when our
> employers are unable to resist the US Govt's demand that we "join in the
> national defense", wouldn't this community be the ones asked to guard the
> border?


CALEA

done



[Operational] Internet Police

2010-12-09 Thread Michael Smith
My question is what architectural recommendations will you make to your
employer if/when the US Govt compels our employers to accept our role as the
"front lines of this "cyberwar"?

I figure once someone with a relevant degree of influence in the govts
realizes that the "cyberwar" is between content/service controllers and
eyeballs.  With involuntary and voluntary botnets as the weapons of "the
eyeballs", relying exclusively on a line of defense near to the content
(services) leaves a great expanse of "battlefield".  I would expect the
content/service controllers to look for means to move the battleline as
close to the eyeballs as possible (this community) So... if/when our
employers are unable to resist the US Govt's demand that we "join in the
national defense", wouldn't this community be the ones asked to guard the
border?

Assuming the govt won't send federal agents into each of our NOCs, won't our
employers ask us "what can we do?"

If inspecting and correlating every single packet/flow for attack signatures
is not feasible (on scale), are there name/address registration/resolution
measures that could effectively lock-down the edge?  ...will we look toward
China/Saudi Arabia/etc for lessons learned in their 'great firewalls' to
develop a distributed version where central control pushes policy out to the
edge (into the private networks that currently provide the dreaded "low
barrier for entry")?

Obviously the environment is created by layers 8/9, but I'm interested in
the layer 1-7 solutions that the community would consider/recommend.

-Michael