Re: Nato warns of strike against cyber attackers
Owen DeLong wrote:

> Software has been out of control for a long time and I hope that the gov't will start by ruling the "not responsible for our negligence or the damage it causes" clauses of software licenses invalid.

The beauty of my attractive nuisance argument is that the EULA doesn't shield Microsoft from the damage their software causes to a 3rd party such as the ISP who has to deal with the botnet infections of their customers.

jc
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On Tue, Jun 08, 2010 at 11:14:10PM -0700, Paul Ferguson wrote:

> To cut through the noise and non-relevant discussion, let's see if we can boil this down to a couple of issues:
>
> 1. Should ISPs be responsible for abuse from within their customer base?

No and no. The first no being legally, the second, morally. The user is responsible for the abuse. Now, if the question had been whether the ISP should be responsible for dealing with it appropriately, then the answer would be yes.

Of course, when it comes to the legal aspect, it would probably vary from country to country. No, let me rephrase that: It _does_ vary from country to country, and probably also state to state. However, to hold someone else responsible for a person's criminal activity would be just plain wrong, as long as the ISP's part in the activity is only to give their customer access to networks and services that every other customer also gets access to.

> 2. Should hosting providers also be held responsible for customers who abuse their services in a criminal manner?

No. For several reasons. First, the hosting provider normally does not have too much control over what the customers actually do. If someone complains, or they detect something through audits or similar, that is different. But even then, there will be certain problems. How does the hosting provider know that something is, in fact, criminal? In some cases, that may be obvious, but there will be cases where the case is not so clear. If the provider might be held responsible for something their customers do, they might decide to remove legal content 'just in case'. Also, who would determine whether something is illegal or not? Tech support? The admin? I doubt that any of those are able to determine something that courts tend to spend a lot of time and resources on.

> I think anyone in their right mind would agree that if a provider sees criminal activity, they should take action, no?

Not necessarily. Again, this would of course depend on the laws in the given state or country. However, people disagree on what is considered legal or not. If everyone _had_ agreed on this, the courts would have had less work. It is the responsibility of the judicial system to determine whether someone is breaking the law or not. For commercial companies to start making that sort of judgement is, at least in my opinion, _not_ a good thing.

--
Ina Faye-Lund
Re: Nato warns of strike against cyber attackers
This would appear to be political in nature and therefore not operational, right?

Larry Sheldon <larryshel...@cox.net> wrote:

> On 6/9/2010 08:21, Joe Greco wrote:
>
>> Your car emits lots of greenhouse gases. Just because it's /less/ doesn't change the fact that the Prius has an ICE.
>
> We have a Prius and a HiHy too.
>
> Did Godwin say anything about rand discussions degenerating to mythologies like gorebull warming?
>
> --
> Somebody should have said:
> A democracy is two wolves and a lamb voting on what to have for dinner.
> Freedom under a constitutional republic is a well armed lamb contesting the vote.
> Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca
> ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: Nato warns of strike against cyber attackers
> Going back then to a previous question, do we want more/any regulation ?

Yes. All vulnerable industries should have their use of network communications regulated. This means all power stations, electricity line operators, dam gate operators, etc. They should all be required to meet a standard of practice for secure network communications, air gap between SCADA networks and all other networks, and annual network inspections to ensure compliance.

If any organization operates an infrastructure which could be vulnerable to cyberattack that would damage the country in which they operate, that organization needs to be regulated to ensure that their networks cannot be exploited for cyberattack purposes.

That is the correct and measured response which does not involve the military except possibly in a security advisory role, and which is within the powers of governments. I would expect that the increased awareness of network security that resulted would pay dividends in business and home use of networks.

--Michael Dillon
Re: Nato warns of strike against cyber attackers
> I would expect that the increased awareness of network security that resulted would pay dividends in business and home use of networks.

I'd expect a lot of nice business for audit firms with the right government connections, and another checklist with a magic acronym that has everything to do with security theatre and nothing to do with either actual security or the reality of operating a network. But perhaps I'm jaded from dealing with current auditors.

Regards,
Tim.
Re: Nato warns of strike against cyber attackers
On Thu, 10 Jun 2010 12:27:18 BST, Michael Dillon said:

> If any organization operates an infrastructure which could be vulnerable to cyberattack that would damage the country in which they operate, that organization needs to be regulated to ensure that their networks cannot be exploited for cyberattack purposes.

s/cannot be/minimize the risk of/

And "would damage the country" is a very fuzzy concept that you really don't want to go anywhere near. Remember Microsoft arguing that a Federal judge shouldn't impose an injunction that was going to make them miss a ship date, on the grounds that the resulting delay would cause lost productivity at customer sites and harm the economy? (Mind you, I thought MS was making a good case they *should* be regulated, if their ship dates actually had that much influence.. ;)
Re: Nato warns of strike against cyber attackers
Tim Franklin wrote:

> and another checklist with a magic acronym that has everything to do with security theatre and nothing to do with either actual security or the reality of operating a network.

Checklists come in handy; in fact, if many were followed (BCP checklists, appropriate industry standard fw, system rules) the net would be a cleaner place. What I've seen in many responses is feet dragging: "Ah, why bother, it won't do nothing to stop it..." Without even trying. It all begins with one's own network. The entire concept of peering was built on trust of the peer. Would you knowingly allow someone to share your hallway without taking precautionary measures or at least keeping a vigilant eye? What happens when you see something out of the norm? Do you continue to allow them without saying anything, waiting for your neighbor to speak? In doing so, how can you be assured the individual won't try to creep up on your property?

JC Dill wrote:

> Yes, ISPs are going to have to handle the problem. But, IMHO the root cause of the problem starts in Redmond, and ISPs should sue Redmond for the lack of suitable security in their product, rendering it an attractive nuisance and requiring ISPs to clean up after Redmond's mess. It's not fair to expect ISPs to shoulder this burden, and it's not fair to pass on the cost to customers as a blanket surcharge (and it won't work from a business standpoint) as not all customers use Microsoft's virus-vector software. And it's not really fair to expect the end customer to shoulder this burden when it's Microsoft's fault for failing to properly secure their software. But end user customers don't have the resources to sue Microsoft, and then there's that whole EULA problem.
>
> ISPs who are NOT a party to the EULA between Microsoft and the user, but who are impacted by Microsoft's shoddy security can (IMHO) make a valid claim that Microsoft created an attractive nuisance (improperly secured software), and should be held accountable for the vandal's use thereof, used to access and steal resources (bandwidth, etc.) from the ISP thru the ISP's customers' infested Windows computers.

More finger pointing here. Should MS now sue Adobe for shoddy coding because Adobe's PDF reader caused a compromise (improperly secured software)? Let's take it from the top down for a moment and focus on what is going on. Operating systems are insecure; it doesn't matter if it was produced by a company in Redmond or hacked together on IRC. ANY operating system that is in an attacking state (dishing out malware, attacking other machines) is doing so via a network. If/when you see it, do you shrug it off and say "not my problem, it's because of someone's lack of oversight in Redmond" when you have the capability to stop it? ISPs don't have to handle the problem, they SHOULD handle the problem.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
Re: Nato warns of strike against cyber attackers
> Checklists come in handy; in fact, if many were followed (BCP checklists, appropriate industry standard fw, system rules) the net would be a cleaner place.

Sensible checklists that actually improve matters, yes. The audit checklists I've often been subjected to, full of security theatre and things that are accepted auditor wisdom rather than contributing to the security of the network in any meaningful way, not so much.

Regards,
Tim.
Re: Nato warns of strike against cyber attackers
> And "would damage the country" is a very fuzzy concept that you really don't want to go anywhere near.

I wasn't drafting legislation; I was introducing a concept. I would expect that actual legislation would explicitly list which industries were subject to such regulation. Otherwise it might include all Internet PoPs and datacenters, which would be rather dumb.

--Michael Dillon
Re: Nato warns of strike against cyber attackers
J. Oquendo wrote:

> More finger pointing here.

You say that like it's a bad thing. I'm pointing fingers at the company that has a long history of selling software with shoddy security (including releasing newer versions with restored vulnerabilities that were found and fixed years earlier), and then passing the buck on fixing the issues it causes by hiding behind their EULA. Their EULA protects Microsoft from their own customers, but it does NOT protect Microsoft from the effects the damage causes on OTHERS who are not parties to the EULA. This is where attractive nuisance comes in.

> ISPs don't have to handle the problem, they SHOULD handle the problem.

This whole thread is about ISPs not handling the problem and allowing the problem to affect others beyond the ISP. In this case we could claim the ISP is also allowing an attractive nuisance to damage others and hold that ISP responsible for the damage that extends outside their network. However, we don't need a legal framework to solve THAT problem - we can address it with appropriate network blocks etc. (UDP-style)

jc
Re: Nato warns of strike against cyber attackers
On Jun 9, 2010, at 11:05 PM, JC Dill wrote:

> Owen DeLong wrote:
>
>> Software has been out of control for a long time and I hope that the gov't will start by ruling the "not responsible for our negligence or the damage it causes" clauses of software licenses invalid.
>
> The beauty of my attractive nuisance argument is that the EULA doesn't shield Microsoft from the damage their software causes to a 3rd party such as the ISP who has to deal with the botnet infections of their customers.
>
> jc

Yep... Much the same as my suggestion merely involves applying the same product liability standards as every other industry faces to software.

Owen
Re: Nato warns of strike against cyber attackers
On 6/9/10 2:56 PM, Owen DeLong wrote:

On Jun 9, 2010, at 8:26 AM, Brielle Bruns wrote:

On 6/9/10 6:27 AM, Jorge Amodio wrote:

Going back then to a previous question, do we want more/any regulation ?

Laws and regulation exist because people can't behave civilly and be expected to respect the rights/boundaries/property of others.

CAN-SPAM exists because the e-mail marketing business refused to self regulate and respect the wishes of consumers/administrators.

Which is good, because it certainly eliminated most of the SPAM. -- NOT!

FDCPA exists because the debt collectors couldn't resist the temptation to harass and intimidate consumers, and behave ethically.

And of course, it has caused them all to do so, now, right? -- NOT!

These may not solve all problems, but it does give victims (at least in the case of debt collectors) the ability to club them in the face in court a few times to the tune of a thousand bucks or so an incident. Nothing is more satisfying than being able to offer a debt collector the option to settle for $X amount. :)

Lately, the courts have been ruling that companies like LimeWire are responsible for their products being used for piracy/downloading because they knew what was going on, but were turning a blind eye. This is a positive step, IMHO, but, now companies like Apple and Micr0$0ft need to be held to similar standards.

Problem is, Microsoft and Apple, though being lax in their coding practices, can't entirely help it. Open Source software has the same problems, but do you really think that we should be charging Linus every time a Linux box is owned? There comes a point where a program is so large and expansive that holes/exploits are a fact of life.

Why not apply the same standards to ISPs? If it can be shown that you had knowledge of specific abuse coming from your network, but for whatever reason, opted to ignore it and turn a blind eye, then you are responsible.

I agree. When I see abuse from my network or am made aware of it, I isolate and drop on my edge the IPs in question, then investigate and respond. Most times, it takes me maybe 10-15 minutes to track down the user responsible, shut off their server or host, then terminate their stupid self.

Yep. A little bit of effort goes a long way. But, if you refuse to put in the effort (I'm looking at you, GoDaddy Abuse Desk), then of course the problems won't go away.

Agreed. Now if only we could get certain providers to put some effort into it...

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: Nato warns of strike against cyber attackers
On Thu, Jun 10, 2010 at 4:22 AM, Jorge Amodio <jmamo...@gmail.com> wrote:

> Cyber Threats Yes, But Is It Cyber War?
> http://www.circleid.com/posts/20100609_cyber_threats_yes_but_is_it_cyberwar/
>
> -J

Cyber war is something made up by the security industry to save it from going bankrupt, because the traditional profit vectors such as virus and worm authors aren't releasing threats to the web anymore, because the motivation for the hackers has changed from fun to money. You've got folks now trying to artificially ramp up cyber security as a national security agenda to create a new profit vector now that the traditional threats don't exist anymore.

"How do we ramp up cyber security as a national security agenda, something the next president has to worry about? How do we get cyber security as the top headline on CNN and Fox News so that cyber security is something The White House works on?"
http://www.youtube.com/watch?v=FSUPTZVlkyU

The response to this video was "It Shouldn't Take a 9/11 to Fix Cybersecurity (But it Might)"
http://www.youtube.com/watch?v=cojeP3kJBug&feature=watch_response

I highlighted these suspicious videos on the Full-disclosure mailing list but they didn't seem to think there was anything wrong. I also sent them to MI5 via their web form but I've had no reply from them.

Andrew
http://sites.google.com/site/n3td3v/
Re: Nato warns of strike against cyber attackers
On Wed, Jun 09, 2010 at 16:44:38PM -0400, Barry Shein wrote:

> MAYBE IF [please read thru before replying because I probably cover most knee-jerk responses eventually]:
>
> d) Microsoft hadn't ignored all these basic security practices in operating systems which were completely well understood and implemented in OS after OS back to at least 1970 if not before because they saw more profit in, to use a metaphor, selling cars without safety glass in the windshields etc, consequences be damned.

That's a thesis argued in Clarke's book (already mentioned here on NANOG, and slashdot and ...):

  "Microsoft has vast resources, literally billions of dollars in cash, or liquid assets reserves. Microsoft is an incredibly successful empire built on the premise of market dominance with low-quality goods."

  Who wrote those lines? Steve Jobs? Linux inventor Linus Torvalds? Ralph Nader? No, the author is former White House adviser Richard A. Clarke in his new book, "Cyber War: The Next Threat to National Security and What to Do About It."

  Clarke tries to be fair. He notes that Microsoft didn't originally intend its software for critical networks. But even his efforts at fairness are unflattering. "Microsoft's original goal was to get the product out the door and at a low cost of production," he explains.

  http://arstechnica.com/security/news/2010/06/cyber-war-microsoft-a-weak-link-in-national-security.ars

--
Henry Yen                      Aegis Information Systems, Inc.
Senior Systems Programmer      Hicksville, New York
Re: Nato warns of strike against cyber attackers
http://www.theatlantic.com/politics/archive/2010/06/homeland-securitys-cyber-bill-would-codify-executive-emergency-powers/57946/

http://tinyurl.com/2gyezyg

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Nato warns of strike against cyber attackers
Owen DeLong wrote:

> Heck, at this point, I'd be OK with it being a regulatory issue.

What entity do you see as having any possibility of effective regulatory control over the internet? The reason we have these problems to begin with is because there is no way for people (or government regulators) in the US to control ISPs in eastern Europe etc.

jc
Re: Nato warns of strike against cyber attackers
On Tue, Jun 8, 2010 at 11:11 PM, JC Dill <jcdill.li...@gmail.com> wrote:

> Owen DeLong wrote:
>
>> Heck, at this point, I'd be OK with it being a regulatory issue.
>
> What entity do you see as having any possibility of effective regulatory control over the internet? The reason we have these problems to begin with is because there is no way for people (or government regulators) in the US to control ISPs in eastern Europe etc.

Exactly, which is the problem we are foretelling. If you guys can't wrap your brains around the problem, and can't come up with suitable solutions to abate criminal activity, then the hammer drops in a way which none of us will appreciate. I think that is pretty clear.

The U.S. Government doesn't care about ISPs in The Netherlands or Christmas Islands, because it is not within their jurisdiction. But you are. That is the entire point. Hello.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On Tue, Jun 08, 2010 at 11:14:10PM -0700, Paul Ferguson wrote:

> 1. Should ISPs be responsible for abuse from within their customer base?

Yes -- if they wish to be considered at least minimally professional. The principle is "if it comes from your host/network on your watch, it's your abuse." Given that many common forms of abuse are easily identified, and in many cases, easily prevented with cursory due diligence upfront, there's really no excuse for what we see on a regular basis. Abusers have learned that they don't have to make the slightest effort at concealment or subtlety; even the most egregious and obvious instances can operate with impunity for extended periods of time. [1]

As I've often said, spam (to pick one form out of abuse) does not just magically fall out of the sky. If I can see it arriving on one of my networks, then surely someone else can see it leaving theirs...if only they bother to look. And of course in many cases they need not even do that, because others have already done it for them and generously published the results or furnished them to the RFC2142-designated contact address for abuse issues.

---Rsk

[1] One would think, for example, that many ISPs and web hosts would have learned by now that when a new customer fills a /24 with nonsensically named domains or with sequentially numbered domains that the spam will start any minute now. But fresh evidence arrives every day suggesting that this is still well beyond their capabilities.
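The footnote's "sequentially numbered or nonsensical domains in a fresh /24" pattern is the kind of thing an abuse desk can check mechanically at provisioning time. The script below is an added example (not Rsk's code, nor any project's) of such a check: it groups a customer's (IP, domain) pairs by /24, measures the longest run of consecutively numbered second-level labels, and counts labels that look machine-generated. The sample data, the `looks_random` vowel/consonant heuristic and the `min_run` threshold are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample (documentation prefixes, made-up names): what a new
# customer's reverse DNS or hosted-domain list might look like.
SAMPLE = """198.51.100.1 deals-mall01.example
198.51.100.2 deals-mall02.example
198.51.100.3 deals-mall03.example
198.51.100.4 deals-mall04.example
198.51.100.5 deals-mall05.example
198.51.100.6 xqzvtrk.example
198.51.100.7 ptlxwbq.example
203.0.113.10 shop.example
203.0.113.20 mail.example
"""

# A label such as "deals-mall01": alphabetic base plus a trailing number.
SEQ_RE = re.compile(r"^(?P<base>[a-z][a-z-]*?)(?P<num>\d+)$")
VOWELS = set("aeiouy")


def parse(text):
    """Turn 'ip domain' lines into (IPv4Address, lower-cased domain) pairs."""
    rows = []
    for line in text.splitlines():
        ip, domain = line.split()
        rows.append((ipaddress.ip_address(ip), domain.lower().rstrip(".")))
    return rows


def looks_random(label):
    """Assumed heuristic: no vowel at all, or a run of 5+ consonants, is
    unlikely to be a name a human chose for a legitimate site."""
    letters = re.sub(r"[^a-z]", "", label)
    if not letters:
        return False
    if not VOWELS & set(letters):
        return True
    return re.search(r"[^aeiouy]{5,}", letters) is not None


def assess(rows, min_run=3):
    """Return {'<net>/24': {...}} with a suspicion flag per /24."""
    by_net = defaultdict(list)
    for ip, domain in rows:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].append(domain)

    report = {}
    for net, domains in by_net.items():
        numbered = defaultdict(list)   # base label -> numbers seen
        random_count = 0
        for domain in domains:
            sld = domain.split(".")[0]
            m = SEQ_RE.match(sld)
            if m:
                numbered[m["base"]].append(int(m["num"]))
            if looks_random(sld):
                random_count += 1

        # Longest run of consecutive numbers sharing one base label.
        longest = 0
        for nums in numbered.values():
            nums = sorted(set(nums))
            run = best = 1
            for a, b in zip(nums, nums[1:]):
                run = run + 1 if b == a + 1 else 1
                best = max(best, run)
            longest = max(longest, best)

        report[str(net)] = {
            "domains": len(domains),
            "longest_sequence": longest,
            "random_looking": random_count,
            "suspicious": longest >= min_run or random_count >= min_run,
        }
    return report


if __name__ == "__main__":
    for net, info in assess(parse(SAMPLE)).items():
        print(net, info)
```

A flag here is a reason to look, not a verdict: the natural follow-up is a ticket to the abuse desk before the first complaint arrives, which is exactly the "if only they bother to look" step the post is asking for.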
Re: Nato warns of strike against cyber attackers
On Jun 8, 2010, at 11:11 PM, JC Dill wrote:

> Owen DeLong wrote:
>
>> Heck, at this point, I'd be OK with it being a regulatory issue.
>
> What entity do you see as having any possibility of effective regulatory control over the internet? The reason we have these problems to begin with is because there is no way for people (or government regulators) in the US to control ISPs in eastern Europe etc.

The reason we have these problems is because NO government is taking action. If each government took the action I suggested locally against the ISPs in their region, it would be just as effective. In fact, the more governments that take the action I suggested, the more effective it would be.

Owen
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On Jun 8, 2010, at 11:14 PM, Paul Ferguson wrote:

> To cut through the noise and non-relevant discussion, let's see if we can boil this down to a couple of issues:
>
> 1. Should ISPs be responsible for abuse from within their customer base?

Yes, but, there should be an exemption from liability for ISPs that take action to resolve the situation within 24 hours of first awareness (by either internal detection or external report).

> 1a. If so, how?

Unless exempt as I suggested above, they should be financially liable for the cleanup costs and damages to all affected systems. They should be entitled to recover these costs from the responsible customer through a process like subrogation.

> 2. Should hosting providers also be held responsible for customers who abuse their services in a criminal manner?

Absolutely, with the same exemptions specified above.

> 2.a If so, how?

See my answer to 1a above.

> I think anyone in their right mind would agree that if a provider sees criminal activity, they should take action, no?

Yes.

> If that also holds true, then why doesn't it happen?

Because we don't inflict any form of liability or penalty when they fail to do so.

Owen
Re: Nato warns of strike against cyber attackers
----- Original message -----

> All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. And I don't know how we stop that. Anyone have an idea?

Users will click anything they find 'interesting'; you can't change that part up front. However, after those users get infected with whatever virii/worm/botnet client came along, you could detect it [1] and place them into a quarantine VLAN, routing all traffic to an information page stating they have done something stupid and educating them on how to clean up and avoid it happening again in the future. This will stop the abuse almost instantly (if the detection and VLAN move are done automatically), and it will educate users afterwards by learning from their mistakes. Most users appreciate this kind of warning from their own ISP (afraid of losing documents to a virus) and are willing to clean up. You could charge fees when users need clean-up assistance.

[1] Projects like ShadowServer.org scan all kinds of botnets and (after a sign-up) send out notifications to your abuse desk when they find infected hosts in your IP subnets. You could also set up your own Snort IDS with the detection rules from EmergingThreats.net.

With kind regards,

Michiel Klaver
IT Professional
Re: Nato warns of strike against cyber attackers
On Jun 8, 2010, at 10:37 PM, Paul Ferguson wrote:

> On Tue, Jun 8, 2010 at 10:22 PM, Owen DeLong <o...@delong.com> wrote:
>
>>> Please, be for real -- the criminals go after the entrenched majority. If it were any other OS, the story would be the same.
>>
>> If this were true, the criminals would be all over Apache and yet it is IIS that gets compromised most often.
>
> Actually, that is another fallacy. The majority of SQL Injections are on Apache-based systems.

SQL injection is an SQL attack, not a compromise of the HTTP daemon itself (usually partially a compromise of PHP or similar scripting language). The majority of compromises (buffer overflows, etc.) against the web server itself are IIS.

> Look, this isn't a blame-game in which we need to point out one vendor, operating system, plug-in, browser, or whatever.

Agreed... All vulnerable vendors should be treated the same. If you are selling software without source code and making money as professional developers by selling that software, then, it should come with liability for the damages caused by your failure to secure the software properly. If you're providing source code and allowing others to use it and you are not getting paid for developing it, then, obviously, it is ridiculous to hold you liable since the person who chose to use your source code has the ability to fix it to resolve any security issues.

> The problem is that it is a wide-spread problem wherein we have millions of compromised consumer (and non-consumer) hosts doing the bidding of Bad Guys.

Yep.

> I would certainly love to hear your solution to this problem.

Hold the owners of compromised systems financially liable for the damage they do. Make it possible for said owners to subrogate such claims against any suppliers of commercial closed insecure software which contributed to the compromise of their systems.

> And stop pointing fingers.

No finger pointing there, just actual liability targeted at those actually responsible.

Owen
Re: Nato warns of strike against cyber attackers
> I'm all for that, but, point is that people who fail to meet that standard are currently getting a free ride. IMHO, they should pay and they should have the recourse of being (at least partially) reimbursed by their at-fault software vendors for contributory negligence.

Great idea. You know, I've got a great solution for global warming. Let's hold all the car owners accountable for all the greenhouse gases their cars belch out, and let them have the recourse of being (at least partially) reimbursed by their at-fault car manufacturers and gasoline distributors for contributory negligence.

See how insane that sounds?

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Nato warns of strike against cyber attackers
>> Obviously NATO is not concerned with proving the culprit of an attack, albeit a close-to-impossible task. Considering that many attackers compromise so many machines, what's to stop someone from instigating? I can see it coming now:
>>
>> hping -S 62.128.58.180 -a 62.220.119.62 -p ++21 -w 6000
>> hping -S 62.220.119.62 -a 62.128.58.180 -p ++21 -w 6000
>
> Let's try to separate the attacks into those that we (NANOG) have dealt with and those that NATO are referring to - and there is *no* overlap between the two. Attacks such as botnets, hpings, compromised machines, DDOS attacks, site defacements, prefix hijacks are what this list deals with, sometimes well and other times not. The attacks NATO is referring to are ones like causing trains to crash into each other, attacks causing oil and gas pipelines to overload and explode, attacks altering blood bank data, attacks poisoning the water supply, etc. - all of which can be done remotely. NATO is in no way (unless they have been out in the sun too long) condoning an attack for a DDOS attack. I think NATO is discussing attacking if 5,000 people die from some cyber attack as listed above (I have many more scenarios).

That's a great starting place, because most will agree that such attacks would be sufficiently serious to warrant a response. However,

1) What happens when the attack moves on down the scale, towards a cyber attack that crippled vital military communication networks (but didn't kill anyone), or a cyber attack that crippled government websites (but was basically just a nuisance)?

2) What happens when a decision is made to play tit for tat, and A attacks B, B misidentifies A as C, and B attacks C with cyber warfare?

Cyber warfare responses will almost certainly need to include DoS capabilities. This is troublesome. Let's consider, for the sake of discussion, an attack by the US on Elbonia. Everyone here knows how the 'net works; Elbonia isn't going to allow the US military to run a bunch of fiber to their border and hook up to their routers. That traffic will have to arrive via existing commercial connectivity. How exactly will that work? How exactly will that impact the carriers who are also running their normal traffic for other locations on the same networks?

Some I've talked to seem to think that this is an unlikely or even unthinkable situation, but let's be realistic: if you want to render an enemy's radio communication useless, you flood their radio spectrum, etc., and at some point, it's not unthinkable to the average politician to expect to be able to do the same thing to a network. It's not unthinkable, alas.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Nato warns of strike against cyber attackers
On Wed, 9 Jun 2010 06:27:08 -0500 (CDT) Joe Greco <jgr...@ns.sol.net> wrote:

>> I'm all for that, but, point is that people who fail to meet that standard are currently getting a free ride. IMHO, they should pay and they should have the recourse of being (at least partially) reimbursed by their at-fault software vendors for contributory negligence.

Yeah, of course, let's go back to the 1990's and pay for every byte sent. This surely will keep users accountable for all their faulty software.

> Great idea. You know, I've got a great solution for global warming. Let's hold all the car owners accountable for all the greenhouse gases their cars belch out, and let them have the recourse of being (at least partially) reimbursed by their at-fault car manufacturers and gasoline distributors for contributory negligence.

--
With best regards,
Gregory Edigarov
Re: Nato warns of strike against cyber attackers
On Wed, 09 Jun 2010 00:36:29 EDT, Patrick W. Gilmore said:

> But it is not -just- market share. There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, and RIM. I think combined. Yet Windows Mobile has the lowest market share of the four.

I'll just point out that it's really hard for the user to install some random app they found on the net on 3 of those operating systems.

Let's face it - a significant percentage of users really need to be restricted to a Harvard architecture "no user serviceable parts inside" system if you expect them to compute safely.
Re: Nato warns of strike against cyber attackers
> So? If said end customer is operating a network-connected system without sufficient knowledge to properly maintain it and prevent it from doing mischief to the rest of the network, why should the rest of us subsidize her negligence? I don't see where making her pay is a bad thing.

I see that you don't understand that.

The internet may be a vast ocean where bad guys keep dumping garbage, but, if software vendors stopped building highly exploitable code and ISPs started disconnecting abusing systems rapidly, it would have a major effect on the constantly changing currents.

If abuse departments were fully funded by cleanup fees charged to negligent users who failed to secure their systems properly, it would both incentivize users to do proper security _AND_ provide for more responsive abuse departments as issues are reduced and their budget scales linearly with the amount of abuse being conducted.

The reality is that things change. Forty-three years ago, you could still buy a car that didn't have seat belts. Thirty years ago, most people still didn't wear seat belts. Twenty years ago, air bags began appearing in large volume in passenger vehicles. Throughout this period, cars have been de-stiffened with crumple zones, etc., in order to make them safer for passengers in the event of a crash. Mandatory child seat laws have been enacted at various times throughout. A little more than ten years ago, air bags were mandatory. Ten years ago, LATCH clips for child safety seats became mandatory. We now have side impact air bags, etc.

Generally speaking, we do not penalize car owners for owning an older car, and we've maybe only made them retrofit seat belts (but not air bags, crumple zones, etc) into them, despite the fact that some of those big old boats can be quite deadly to other drivers in today's more easily-damaged cars. We've increased auto safety by mandating better cars, and by penalizing users who fail to make use of the safety features.

There is only so much "proper security" you can expect the average PC user to do. The average PC user expects to be able to check e-mail, view the web, edit some documents, and listen to some songs. The average car driver expects to be able to drive around and do things.

You can try to mandate that the average car driver must change their own oil, just as you can try to mandate that the average computer must do what you've naively referred to as "proper security", but the reality is that grandma doesn't want to get under her car, doesn't have the knowledge or tools, and would rather spend $30 at SpeedyLube. If we can not make security a similarly easy target for the end-user, rather than telling them to take it in to NerdForce and spend some random amount between $50 and twice the cost of a new computer, then we - as the people who have designed and provided technology - have failed, and we are trying to pass off responsibility for our collective failure onto the end user.

I'm all fine with noting that certain products are particularly awful. However, we have to be aware that users are simply not going to be required to go get a CompSci degree specializing in risk management and virus cleansing prior to being allowed to buy a computer.

This implies that our operating systems need to be more secure, way more secure, our applications need to be less permissive, probably way less permissive, probably even sandboxed by default, our networks need to be more resilient to threats, ranging from simple things such as BCP38 and automatic detection of certain obvious violations, to more comprehensive things such as mandatory virus scanning by e-mail providers, etc., ... there's a lot that could be done, that most on the technology side of things have been unwilling to commit to. We can make their Internet cars safer for them - but we largely haven't.

Now we can all look forward to misguided government efforts to mandate some of this stuff.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Nato warns of strike against cyber attackers
No, but we can and do require cars to have functional brakes and minimum tread depths, and to be tested periodically. Obviously this is acceptable because the failure modes for cars are worse, but the proposed solution is less intrusive being after the fact.

Excuse top-posting, on mobile.

Joe Greco jgr...@ns.sol.net wrote:
>> So? If said end customer is operating a network-connected system without sufficient knowledge to properly maintain it and prevent it from doing mischief to the rest of the network, why should the rest of us subsidize her negligence? I don't see where making her pay is a bad thing.
>
> I see that you don't understand that.
>
> The internet may be a vast ocean where bad guys keep dumping garbage, but, if software vendors stopped building highly exploitable code and ISPs started disconnecting abusing systems rapidly, it would have a major effect on the constantly changing currents.
>
> If abuse departments were fully funded by cleanup fees charged to negligent users who failed to secure their systems properly, it would both incentivize users to do proper security _AND_ provide for more responsive abuse departments as issues are reduced and their budget scales linearly with the amount of abuse being conducted.
>
> The reality is that things change. Forty-three years ago, you could still buy a car that didn't have seat belts. Thirty years ago, most people still didn't wear seat belts. Twenty years ago, air bags began appearing in large volume in passenger vehicles. Throughout this period, cars have been de-stiffened with crumple zones, etc., in order to make them safer for passengers in the event of a crash. Mandatory child seat laws have been enacted at various times throughout. A little more than ten years ago, air bags were mandatory. Ten years ago, LATCH clips for child safety seats became mandatory. We now have side impact air bags, etc.
>
> Generally speaking, we do not penalize car owners for owning an older car, and we've maybe only made them retrofit seat belts (but not air bags, crumple zones, etc) into them, despite the fact that some of those big old boats can be quite deadly to other drivers in today's more easily-damaged cars. We've increased auto safety by mandating better cars, and by penalizing users who fail to make use of the safety features.
>
> There is only so much "proper security" you can expect the average PC user to do. The average PC user expects to be able to check e-mail, view the web, edit some documents, and listen to some songs. The average car driver expects to be able to drive around and do things.
>
> You can try to mandate that the average car driver must change their own oil, just as you can try to mandate that the average computer must do what you've naively referred to as "proper security", but the reality is that grandma doesn't want to get under her car, doesn't have the knowledge or tools, and would rather spend $30 at SpeedyLube. If we can not make security a similarly easy target for the end-user, rather than telling them to take it in to NerdForce and spend some random amount between $50 and twice the cost of a new computer, then we - as the people who have designed and provided technology - have failed, and we are trying to pass off responsibility for our collective failure onto the end user.
>
> I'm all fine with noting that certain products are particularly awful. However, we have to be aware that users are simply not going to be required to go get a CompSci degree specializing in risk management and virus cleansing prior to being allowed to buy a computer.
>
> This implies that our operating systems need to be more secure, way more secure, our applications need to be less permissive, probably way less permissive, probably even sandboxed by default, our networks need to be more resilient to threats, ranging from simple things such as BCP38 and automatic detection of certain obvious violations, to more comprehensive things such as mandatory virus scanning by e-mail providers, etc., ... there's a lot that could be done, that most on the technology side of things have been unwilling to commit to. We can make their Internet cars safer for them - but we largely haven't.
>
> Now we can all look forward to misguided government efforts to mandate some of this stuff.
>
> ... JG
> -- 
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
> With 24 million small businesses in the US alone, that's way too many apples.

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: Nato warns of strike against cyber attackers
>> On the other hand, think of the Internet as being a vast ocean where the bad guys keep dumping garbage; you can't control or filter the currents that are constantly changing, and you can neither inspect every water molecule. Then what do you do to find and penalize the ones that drop or permit their systems to drop garbage on the ocean?
>
> Bad analogy. There are some plumes of oil in the Gulf of Mexico that are getting mapped out very well by only a few ships. You don't have to examine every molecule to find parts-per-million oil, or to figure out whose oil rig the oil came from.

Maybe, but that is a particular case where you can exactly finger-point who made the mess and make him accountable and responsible for cleaning it. But it's another example that shows that companies make decisions based not on what is right or wrong to do but what is more or less profitable to do within a risk management context.

> And you don't need to look at every packet to find abusive traffic either - in most cases, simply letting the rest of the net do the work for you and just reading your abuse@ mailbox and actually dealing with the reports is 95% of what's needed.

Agreed, but you still have no control over what happens on the other side of the ocean, and if you don't provide a liability waiver to the abuse@ guy they may have their hands tied by their legal department to do anything.

I'll give you another bad analogy: for sure we need to keep an eye on and deal with transport and distribution, but the only way to eradicate drugs (most unlikely because of the amount of $$$ it moves) is to go after production and particularly consumption; meanwhile the only thing you can do is damage control and containment. If it is still so freaking easy for the crooks to have a profitable criminal biz on the net, they will find the workaround to keep making money while it's easy.

My point is, go hard after the crooks and fix the holes, things like why the heck power grid control systems are accessible over the net from Hackertistan? And if there is a real reason for it to be on the net, put the necessary amount of money and technology into making it as secure as possible.

Regards
Jorge
Re: Nato warns of strike against cyber attackers
> I'm all fine with noting that certain products are particularly awful. However, we have to be aware that users are simply not going to be required to go get a CompSci degree specializing in risk management and virus cleansing prior to being allowed to buy a computer.
>
> This implies that our operating systems need to be more secure, way more secure, our applications need to be less permissive, probably way less permissive, probably even sandboxed by default, our networks need to be more resilient to threats, ranging from simple things such as BCP38 and automatic detection of certain obvious violations, to more comprehensive things such as mandatory virus scanning by e-mail providers, etc., ... there's a lot that could be done, that most on the technology side of things have been unwilling to commit to.

Great comments Joe, and I agree with you that there is a lot more that can be done and should be done, but there is a main difference with your recount of the auto industry: all those changes were pushed by evolving regulation and changes in the law and enforcement.

Going back then to a previous question, do we want more/any regulation?

Cheers
Jorge
Re: Nato warns of strike against cyber attackers
> No, but we can and do require cars to have functional brakes and minimum tread depths, and to be tested periodically. Obviously this is acceptable because the failure modes for cars are worse, but the proposed solution is less intrusive being after the fact.

Grandma does not go check her tread depth or check her own brake pads and discs for wear. She lets the shop do that. I was hoping I didn't have to get pedantic and that people could differentiate between "I pay the shop a few bucks to do that for me" and "I take responsibility personally to drive my car in an appropriate fashion" (which includes things like "I take my car to the shop periodically for maintenance I don't have the skills to do myself"), but there we have it.

My point: We haven't designed computers for end users appropriately. It is not the fault of the end user that they're driving around the crapmobile we've provided for them. If you go to the store to get a new computer, you get a choice of crapmobiles all with engines by the same company, unless you go to the fruit store, in which case you get a somewhat less obviously vulnerable engine by a different company. The users don't know how to take apart the engines and repair them, and the engines aren't usefully protected sufficiently to ensure that they don't get fouled, so you have a Problem.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Nato warns of strike against cyber attackers
On Jun 9, 2010, at 5:02 AM, Joe Greco wrote:
>> So? If said end customer is operating a network-connected system without sufficient knowledge to properly maintain it and prevent it from doing mischief to the rest of the network, why should the rest of us subsidize her negligence? I don't see where making her pay is a bad thing.
>
> I see that you don't understand that.

Seems to me that you are the one not understanding...

I can't refinance my mortgage right now to take advantage of the current interest rates. Why? Because irresponsible people got into loans they couldn't afford and engaged in speculative transactions. Their failure resulted in a huge drop in value to my house which brought me below the magic 80% loan to value ratio, which, because of said same bad actors became a legal restriction instead of a target number around which lenders had some flexibility.

So, because I had a house I could afford and a reasonable mortgage, I'm now getting penalized by paying higher taxes to cover mortgage absorptions, reductions, and modifications for these irresponsible people. I'm getting penalized by paying higher interest rates because due to the damage they did to my property value and the laws they forced to be created, I can't refinance.

I'm mad as hell and frankly, I don't want to take it any more.

Do you see that? Do you still think I don't have a legitimate point on this?

I'm tired of subsidizing stupidity and bad actors. It's too expensive. I don't want to do it any more. We already have too many stupid people and bad actors. We really don't need to subsidize or encourage the creation of more.

> The internet may be a vast ocean where bad guys keep dumping garbage, but, if software vendors stopped building highly exploitable code and ISPs started disconnecting abusing systems rapidly, it would have a major effect on the constantly changing currents.
>
> If abuse departments were fully funded by cleanup fees charged to negligent users who failed to secure their systems properly, it would both incentivize users to do proper security _AND_ provide for more responsive abuse departments as issues are reduced and their budget scales linearly with the amount of abuse being conducted.
>
> The reality is that things change. Forty-three years ago, you could still buy a car that didn't have seat belts. Thirty years ago, most people still didn't wear seat belts. Twenty years ago, air bags began appearing in large volume in passenger vehicles. Throughout this period, cars have been de-stiffened with crumple zones, etc., in order to make them safer for passengers in the event of a crash. Mandatory child seat laws have been enacted at various times throughout. A little more than ten years ago, air bags were mandatory. Ten years ago, LATCH clips for child safety seats became mandatory. We now have side impact air bags, etc.

Sure.

> Generally speaking, we do not penalize car owners for owning an older car, and we've maybe only made them retrofit seat belts (but not air bags, crumple zones, etc) into them, despite the fact that some of those big old boats can be quite deadly to other drivers in today's more easily-damaged cars. We've increased auto safety by mandating better cars, and by penalizing users who fail to make use of the safety features.

Right, but, owners of older cars are primarily placing themselves at risk, not others. In this case, it's a question of others putting me at risk. That, generally, isn't tolerated.

> There is only so much "proper security" you can expect the average PC user to do. The average PC user expects to be able to check e-mail, view the web, edit some documents, and listen to some songs. The average car driver expects to be able to drive around and do things.
>
> You can try to mandate that the average car driver must change their own oil, just as you can try to mandate that the average computer must do what you've naively referred to as "proper security", but the reality is that grandma doesn't want to get under her car, doesn't have the knowledge or tools, and would rather spend $30 at SpeedyLube. If we can not make security a similarly easy target for the end-user, rather than telling them to take it in to NerdForce and spend some random amount between $50 and twice the cost of a new computer, then we - as the people who have designed and provided technology - have failed, and we are trying to pass off responsibility for our collective failure onto the end user.

I disagree. It used to be that anyone could drive a car. Today, you need to take instruction on driving and pass a test showing you are competent to operate a motor vehicle before you are allowed to drive legally. Things change, as you say. I have no problem with the same requirement being added to attaching a computer to the network. If you drive a car in a reckless manner so as to endanger others, you are criminally liable for violating the safe driving
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
> 1. Should ISPs be responsible for abuse from within their customer base?

Not sure; ISPs' role is just to move packets from A to B. You need to clearly define what constitutes abuse and how much of it is considered a crime. If I call your home every five minutes to harass you over the phone, is AT&T responsible?

> 1a. If so, how?

Pull the plug without looking at how much you are billing.

> 2. Should hosting providers also be held responsible for customers who abuse their services in a criminal manner?

Same as 1.

> 2.a If so, how?

Same as 1a.

> I think anyone in their right mind would agree that if a provider see criminal activity, they should take action, no? If that also holds true, then why doesn't it happen?

What incentive do they have to do so? And how liable do they become if they do something without a court order or such?

> Providers in the U.S. are the worst offenders of hosting/accommodating criminal activities by Eastern European criminals. Period.

Probably true; here money talks.

Cheers
Jorge
Re: Nato warns of strike against cyber attackers
On Jun 9, 2010, at 4:27 AM, Joe Greco wrote:
>> I'm all for that, but, point is that people who fail to meet that standard are currently getting a free ride. IMHO, they should pay and they should have the recourse of being (at least partially) reimbursed by their at-fault software vendors for contributory negligence.
>
> Great idea. You know, I've got a great solution for global warming. Let's hold all the car owners accountable for all the greenhouse gases their cars belch out, and let them have the recourse of being (at least partially) reimbursed by their at-fault car manufacturers and gasoline distributors for contributory negligence.

1. My car emits very little greenhouse gas, so, I'm cool with that. Sounds great to me. (I drive a Prius).

2. Manufacturers are held liable for contributory negligence when the design of their vehicle is unsafe and causes an accident.

3. We're not talking about greenhouse gasses here... We're talking about car-wrecks on the information superhighway caused by a combination of irresponsible operators and poor vehicle design.

> See how insane that sounds?

Actually, it sounds reasonably sane to me, but, it's not a good analogy as noted above, so, the relative merits are mostly irrelevant.

Owen
Re: Nato warns of strike against cyber attackers
On Wed, 2010-06-09 at 07:02 -0500, Joe Greco wrote:
> There is only so much "proper security" you can expect the average PC user to do.

Sure - but if their computer, as a result of their ignorance, starts belching out spam, ISPs should be able at very least to counteract the problem. For example, by disconnecting that user and telling them why they have been disconnected. Why should it be the ISP's duty to silently absorb the blows? Why should the user have no responsibility here?

To carry your analogy a bit too far, if someone is roaming the streets in a beat-up jalopy with wobbly wheels, no lights, no brakes, no mirrors, and sideswiping parked cars, is it up to the city to somehow clear the way for that driver? No - the car is taken off the road and the driver told to fix it or get a new one. If the problem appears to be the driver rather than the vehicle, the driver is told they cannot drive until they have obtained a Clue.

> If the user, as a result of their computer being zombified or whatever, has to take it in to NerdForce and spend some random amount between $50 and twice the cost of a new computer,

...then that's the user's problem. They can solve it with insurance (appropriate policies will come into being), or they can solve it by becoming more knowledgeable, or they can solve it by hiring know-how. But it is *their* problem. The fact that it is the user's problem will drive the industry to solve that problem, because anywhere there is a problem there is a market for a solution.

> then we - as the people who have designed and provided technology - have failed, and we are trying to pass off responsibility for our collective failure onto the end user.

I think what's being called for is not total abdication of responsibility - just some sharing of the responsibility.

> This implies that our operating systems need to be more secure, way more secure, our applications need to be less permissive, probably way less permissive, probably even sandboxed by default

Yep!

And the fastest way to get more secure systems is to make consumers accountable, so that they demand accountability from their vendors. And so it goes, all the way up the chain. Make people accountable. At every level.

> We can make their Internet cars safer for them - but we largely haven't.

I'm not sure that the word "we" is appropriate here. Who is "we"? How can (say) network operators be held responsible for (say) a weakness in Adobe Flash? At that level too, the consumer needs comeback - on the providers of weak software.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
Re: Nato warns of strike against cyber attackers
> I'm not opposed to making operating systems and applications safer. As I said, just as with cars, the manufacturers should be held liable by the consumers. However, the consumer that is operating the car that plows a group of pedestrians is liable to the pedestrians. The manufacturer is usually liable to the operator through subrogation.

That's why at least in the US by *regulation* you must have insurance to be able to operate a car; instead of mitigating the safety issues that a teenager texting while driving represents, we deal with the consequences.

Perhaps we have to call the insurance industry to come up with something.

Cheers
Jorge
Re: Nato warns of strike against cyber attackers
On Jun 9, 2010, at 5:28 AM, Joe Greco wrote:
>> No, but we can and do require cars to have functional brakes and minimum tread depths, and to be tested periodically. Obviously this is acceptable because the failure modes for cars are worse, but the proposed solution is less intrusive being after the fact.
>
> Grandma does not go check her tread depth or check her own brake pads and discs for wear. She lets the shop do that. I was hoping I didn't have to get pedantic and that people could differentiate between "I pay the shop a few bucks to do that for me" and "I take responsibility personally to drive my car in an appropriate fashion" (which includes things like "I take my car to the shop periodically for maintenance I don't have the skills to do myself"), but there we have it.

Whether grandma measures the tread depth herself or takes it to the shop, the point is that grandma is expected to have tires with sufficient tread depth and working brakes when she operates the car. If not, she's liable. If she drives like the little old lady from Pasadena, she's liable for the accidents she causes.

> My point: We haven't designed computers for end users appropriately. It is not the fault of the end user that they're driving around the crapmobile we've provided for them. If you go to the store to get a new computer, you get a choice of crapmobiles all with engines by the same company, unless you go to the fruit store, in which case you get a somewhat less obviously vulnerable engine by a different company. The users don't know how to take apart the engines and repair them, and the engines aren't usefully protected sufficiently to ensure that they don't get fouled, so you have a Problem.

The end user should be able to recover from the responsible manufacturer for the design flaws in the hardware/software they are driving. Agreed. That is how it works in cars, that's how it should work in computers. What I don't want to see which you are advocating...

I don't want to see the end users who do take responsibility, drive well designed vehicles with proper seat belts and safety equipment, stay in their lane, and do not cause accidents held liable for the actions of others. Why should we penalize those that have done no wrong simply because they happen to be a minority?

Owen
Re: Nato warns of strike against cyber attackers
>> I'm all fine with noting that certain products are particularly awful. However, we have to be aware that users are simply not going to be required to go get a CompSci degree specializing in risk management and virus cleansing prior to being allowed to buy a computer.
>>
>> This implies that our operating systems need to be more secure, way more secure, our applications need to be less permissive, probably way less permissive, probably even sandboxed by default, our networks need to be more resilient to threats, ranging from simple things such as BCP38 and automatic detection of certain obvious violations, to more comprehensive things such as mandatory virus scanning by e-mail providers, etc., ... there's a lot that could be done, that most on the technology side of things have been unwilling to commit to.
>
> Great comments Joe, and I agree with you that there is a lot more that can be done and should be done, but there is a main difference with your recount of the auto industry: all those changes were pushed by evolving regulation and changes in the law and enforcement.

Oh, good, you GOT my point.

> Going back then to a previous question, do we want more/any regulation?

We're going to get it, I think, because collectively we're too stupid to self-regulate.

Locally, for example, we implement BCP38, we screen potential customers, and we have an abuse desk that will be happy to help. If you complain to us that you're getting packets from a customer here that contain the data octet 0x65, we'll put a stop to it (though you'll probably stop getting packets entirely), because we feel that it's being a good neighbour to not send things that we've been told are not wanted.

Most network providers are in the unfortunate position of having allowed themselves to get too swamped and/or don't care to begin with. Running a dirty network is the norm, just as running Windows (sorry Gates) is the norm, just as running Internet Explorer is something of a norm, just as running with Administrator privs is the norm, etc. We've allowed horrible practices to become the norm. It's exceedingly hard to fix a bad norm.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
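BCP38 comes up several times in this thread as the "simple thing" a network can do, so here is a worked illustration of what it actually means at a customer edge. This is an added example, not code from the thread, from sol.net, or from any of the posters: each customer-facing port is mapped to the prefixes that customer was assigned, and a packet whose source address is outside those prefixes is dropped on ingress, because it cannot legitimately have come from that customer. The interface names, prefixes and sample packets are all constructed for the example.

```python
"""
BCP38-style ingress filtering at a customer edge (illustrative example,
not an operator's production code). Source addresses are checked against
the prefixes assigned to the interface the packet arrived on; anything
else is dropped and counted, so that the abuse desk has something to
alarm on instead of waiting for complaints from the spoofed party.
"""
import ipaddress
from collections import Counter

# Constructed interface-to-prefix assignments; hypothetical customer ports
# using documentation address space only.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["203.0.113.0/25", "2001:db8:1::/48"],
    "ge-0/0/2": ["203.0.113.128/26"],
}


def _parsed_table(table):
    """Turn the string prefixes into ip_network objects once per call."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}


def ingress_decision(iface, src_ip, table=CUSTOMER_PREFIXES):
    """Return 'forward' if src_ip lies inside a prefix assigned to iface,
    otherwise 'drop'. Unparseable sources and unknown interfaces drop
    (fail closed): a port with no assignment has no legitimate sources."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop"
    allowed = _parsed_table(table).get(iface, [])
    # An IPv4 address is never "in" an IPv6 network and vice versa, so
    # mixed-family assignments on one port are handled correctly.
    return "forward" if any(addr in net for net in allowed) else "drop"


def filter_packets(packets, table=CUSTOMER_PREFIXES):
    """Apply the policy to a batch of (iface, src, dst) tuples. Returns the
    forwarded packets and a per-interface Counter of drops."""
    forwarded = []
    drops = Counter()
    for iface, src, dst in packets:
        if ingress_decision(iface, src, table) == "forward":
            forwarded.append((iface, src, dst))
        else:
            drops[iface] += 1
    return forwarded, drops


# Constructed sample traffic: legitimate v4 and v6 packets, two packets on
# ge-0/0/1 with spoofed sources (one borrowing the other customer's space,
# one using space assigned to nobody here), one malformed source, and one
# packet on a port that has no assignment at all.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.10", "198.51.100.1"),
    ("ge-0/0/1", "203.0.113.150", "198.51.100.1"),   # spoofed: belongs to ge-0/0/2
    ("ge-0/0/1", "192.0.2.77", "198.51.100.1"),      # spoofed: not assigned anywhere
    ("ge-0/0/1", "2001:db8:1::42", "2001:db8:ffff::1"),
    ("ge-0/0/2", "203.0.113.130", "198.51.100.1"),
    ("ge-0/0/2", "not-an-address", "198.51.100.1"),  # malformed, dropped
    ("ge-0/0/9", "203.0.113.10", "198.51.100.1"),    # unknown port, fail closed
]

if __name__ == "__main__":
    fwd, dropped = filter_packets(SAMPLE_PACKETS)
    for pkt in fwd:
        print("forward", pkt)
    for iface, n in sorted(dropped.items()):
        print(f"dropped {n} spoofed/invalid packet(s) on {iface}")
```

The drop counter is the part worth keeping an eye on operationally: a steady trickle on one port is usually a misconfigured customer router, while a sudden spike is the signature of a compromised host being used to spoof someone else's addresses, which is exactly the traffic the thread's abuse@ complaints are about.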
Re: Nato warns of strike against cyber attackers
Once upon a time, JC Dill jcdill.li...@gmail.com said:
> I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an attractive nuisance - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess.

Many of the problems are PEBKAC, as evidenced by the massive responses to phishing scams. I can't tell you the number of our users that have sent their password to Nigeria to be used to log in to our webmail and spam. Users open attachments, follow links, and click OK with alarming ease. As long as that is the case (and I don't see that changing), blaming one vendor is not going to help.

Something like the NSA's SELinux helps (because you can have all browser plugins run in sandboxes, have saved attachments non-executable, etc.), but users will still follow the instructions to override it.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: Nato warns of strike against cyber attackers
Once upon a time, Alexander Harrowell a.harrow...@gmail.com said:
> No, but we can and do require cars to have functional brakes and minimum tread depths, and to be tested periodically.

Not in this state.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: Nato warns of strike against cyber attackers
Once upon a time, Jorge Amodio jmamo...@gmail.com said:
> That's why at least in the US by *regulation* you must have insurance to be able to operate a car; instead of mitigating the safety issues that a teenager texting while driving represents, we deal with the consequences.

The insurance requirement is a state-by-state thing. It was only added here a few years ago, and I don't think it is universal.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: Nato warns of strike against cyber attackers
On Jun 9, 2010, at 5:02 AM, Joe Greco wrote: So? If said end customer is operating a network-connected system without sufficient knowledge to properly maintain it and prevent it from doing mischief to the rest of the network, why should the rest of us subsidize her negligence? I don't see where making her pay is a bad thing. I see that you don't understand that. Seems to me that you are the one not understanding... I can't refinance my mortgage right now to take advantage of the current interest rates. Why? Because irresponsible people got into loans they couldn't afford and engaged in speculative transactions. Their failure resulted in a huge drop in value to my house which brought me below the magic 80% loan to value ratio, which, because of said same bad actors became a legal restriction instead of a target number around which lenders had some flexibility. So, because I had a house I could afford and a reasonable mortgage, I'm now getting penalized by paying higher taxes to cover mortgage absorptions, reductions, and modifications for these irresponsible people. I'm getting penalized by paying higher interest rates because due to the damage they did to my property value and the laws they forced to be created, I can't refinance. I'm mad as hell and frankly, I don't want to take it any more. Do you see that? Do you still think I don't have a legitimate point on this? I'm tired of subsidizing stupidity and bad actors. It's too expensive. I don't want to do it any more. We already have too many stupid people and bad actors. We really don't need to subsidize or encourage the creation of more. A doesn't really seem connected to B. The internet may be a vast ocean where bad guys keep dumping garbage, but, if software vendors stopped building highly exploitable code and ISPs started disconnecting abusing systems rapidly, it would have a major effect on the constantly changing currents. 
If abuse departments were fully funded by cleanup fees charged to negligent users who failed to secure their systems properly, it would both incentivize users to do proper security _AND_ provide for more responsive abuse departments as issues are reduced and their budget scales linearly with the amount of abuse being conducted. The reality is that things change. Forty-three years ago, you could still buy a car that didn't have seat belts. Thirty years ago, most people still didn't wear seat belts. Twenty years ago, air bags began appearing in large volume in passenger vehicles. Throughout this period, cars have been de-stiffened with crumple zones, etc., in order to make them safer for passengers in the event of a crash. Mandatory child seat laws have been enacted at various times throughout. A little more than ten years ago, air bags were mandatory. Ten years ago, LATCH clips for child safety seats became mandatory. We now have side impact air bags, etc. Sure. Generally speaking, we do not penalize car owners for owning an older car, and we've maybe only made them retrofit seat belts (but not air bags, crumple zones, etc) into them, despite the fact that some of those big old boats can be quite deadly to other drivers in today's more easily-damaged cars. We've increased auto safety by mandating better cars, and by penalizing users who fail to make use of the safety features. Right, but, owners of older cars are primarily placing themselves at risk, not others. I am pretty sure I saw stats that suggested that old cars that crashed into new cars did substantially more damage to the new car and its occupants than an equivalent crash between two new cars, something to do with the old car not absorbing about half the impact into its own (nonexistent) crumple zones, though there are obvious deficiencies in the protection afforded to the occupants of the old car as well... In this case, it's a question of others putting me at risk. That, generally, isn't tolerated. 
There is only so much proper security you can expect the average PC user to do. The average PC user expects to be able to check e-mail, view the web, edit some documents, and listen to some songs. The average car driver expects to be able to drive around and do things. You can try to mandate that the average car driver must change their own oil, just as you can try to mandate that the average computer must do what you've naively referred to as proper security, but the reality is that grandma doesn't want to get under her car, doesn't have the knowledge or tools, and would rather spend $30 at SpeedyLube. If we can not make security a similarly easy target for the end-user, rather than telling them to take it in to NerdForce and spend some random amount between $50 and twice the cost of a new computer, then we - as the people who have designed and provided technology - have failed, and we are trying to
Re: Nato warns of strike against cyber attackers
On Jun 9, 2010, at 6:09 AM, Chris Adams wrote: Once upon a time, Jorge Amodio jmamo...@gmail.com said: That's why at least in the US by *regulation* you must have insurance to be able to operate a car, instead of mitigating the safety issues that represents a teenager texting while driving we deal with the consequences. The insurance requirement is a state-by-state thing. It was only added here a few years ago, and I don't think it is universal. I believe at least 48, if not 50 states now have compulsory financial responsibility laws. However, even if you didn't have insurance, that never exempted you from liability, it just made you less likely to be able to meet your obligations under that liability. Owen
Re: Nato warns of strike against cyber attackers
On Jun 9, 2010, at 4:27 AM, Joe Greco wrote: I'm all for that, but, point is that people who fail to meet that standard are currently getting a free ride. IMHO, they should pay and they should have the recourse of being (at least partially) reimbursed by their at-fault software vendors for contributory negligence. Great idea. You know, I've got a great solution for global warming. Let's hold all the car owners accountable for all the greenhouse gases their cars belch out, and let them have the recourse of being (at least partially) reimbursed by their at-fault car manufacturers and gasoline distributors for contributory negligence. 1.My car emits very little greenhouse gas, so, I'm cool with that. Sounds great to me. (I drive a Prius). Your car emits lots of greenhouse gases. Just because it's /less/ doesn't change the fact that the Prius has an ICE. We have a Prius and a HiHy too. 2.Manufacturers are held liable for contributory negligence when the design of their vehicle is unsafe and causes an accident. That isn't relevant to what I suggested. 3.We're not talking about greenhouse gasses here... We're talking about car-wrecks on the information superhighway caused by a combination of irresponsible operators and poor vehicle design. That wasn't the analogy I was making. I was stabbing at the whole idea behind your suggestion, by directly translating it to a real-world example. See how insane that sounds? Actually, it sounds reasonably sane to me, but, it's not a good analogy as noted above, so, the relative merits are mostly irrelevant. Owen -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: Nato warns of strike against cyber attackers
On Wed, 2010-06-09 at 07:02 -0500, Joe Greco wrote: There is only so much proper security you can expect the average PC user to do. Sure - but if their computer, as a result of their ignorance, starts belching out spam, ISPs should be able at very least to counteract the problem. For example, by disconnecting that user and telling them why they have been disconnected. Why should it be the ISP's duty to silently absorb the blows? Why should the user have no responsibility here? Primarily because the product that they've been given to use is defective by design. I'm not even saying no responsibility; I'm just arguing that we have to be realistic about our expectations of the level of responsibility users will have. At this point, we're teaching computers to children in elementary school, and kids in second and third grade are being expected to submit homework to teachers via e-mail. How is that supposed to play out for the single mom with a latchkey kid? Let's be realistic here. It's the computer that ought to be safer. We can expect modest improvements on the part of users, sure, but to place it all on them is simply a fantastic display of incredible naivete. To carry your analogy a bit too far, if someone is roaming the streets in a beat-up jalopy with wobbly wheels, no lights, no brakes, no mirrors, and sideswiping parked cars, is it up to the city to somehow clear the way for that driver? No - the car is taken off the road and the driver told to fix it or get a new one. If the problem appears to be the driver rather than the vehicle, the driver is told they cannot drive until they have obtained a Clue. Generally speaking, nobody wants to be the cop that makes that call. Theoretically an ISP *might* be able to do that, but most are unwilling, and those of us that do actually play BOFH run the risk of losing customers to a sewerISP that doesn't. 
If the user, as a result of their computer being zombified or whatever, has to take it in to NerdForce and spend some random amount between $50 and twice the cost of a new computer, ...then that's the user's problem. They can solve it with insurance (appropriate policies will come into being), or they can solve it by becoming more knowledgeable, or they can solve it by hiring know how. But it is *their* problem. The fact that it is the user's problem will drive the industry to solve that problem, because anywhere there is a problem there is a market for a solution. That shows an incredible lack of understanding of how the market actually works. It's nice in theory. We (as technical people) have caused this problem because we've failed to design computers and networks that are resistant to this sort of thing. Trying to pin it on the users is of course easy, because users (generally speaking) are stupid and are at fault for not doing enough to secure their own systems, but that's a ridiculous smugness on our part. then we - as the people who have designed and provided technology - have failed, and we are trying to pass off responsibility for our collective failure onto the end user. I think what's being called for is not total abdication of responsibility - just some sharing of the responsibility. I'm fine with that, but as long as we keep handing loaded guns without any reasonably-identifiable safeties to the end users, we can expect to keep getting shot at now and then. This implies that our operating systems need to be more secure, way more secure, our applications need to be less permissive, probably way less permissive, probably even sandboxed by default Yep! And the fastest way to get more secure systems is to make consumers accountable, so that they demand accountability from their vendors. And so it goes, all the way up the chain. Make people accountable. At every level. 
Again, that shows an incredible lack of understanding of how the market actually works. It's still nice in theory. We would be better off short-circuiting that mechanism; for example, how about we simply mandate that browsers must be isolated from their underlying operating systems? Do you really think that the game of telephone works? Are we really going to be able to hold customers accountable? And if we do, are they really going to put vendor feet to the fire? Or is Microsoft just going to laugh and point at their EULA, and say, our legal department will bankrupt you, you silly little twerp? Everyone has carefully made it clear that they're not liable to the users, so the users are left holding the bag, and nobody who's actually responsible is able to be held responsible by the end users. We can make their Internet cars safer for them - but we largely haven't. I'm not sure that the word we is appropriate here. Who is we? How can (say) network operators be held responsible for (say) a weakness in Adobe Flash? At that level too, the consumer needs comeback - on the providers of
Re: Nato warns of strike against cyber attackers
On Jun 9, 2010, at 6:17 AM, Joe Greco wrote: On Jun 9, 2010, at 5:02 AM, Joe Greco wrote: So? If said end customer is operating a network-connected system without sufficient knowledge to properly maintain it and prevent it from doing mischief to the rest of the network, why should the rest of us subsidize her negligence? I don't see where making her pay is a bad thing. I see that you don't understand that. Seems to me that you are the one not understanding... I can't refinance my mortgage right now to take advantage of the current interest rates. Why? Because irresponsible people got into loans they couldn't afford and engaged in speculative transactions. Their failure resulted in a huge drop in value to my house which brought me below the magic 80% loan to value ratio, which, because of said same bad actors became a legal restriction instead of a target number around which lenders had some flexibility. So, because I had a house I could afford and a reasonable mortgage, I'm now getting penalized by paying higher taxes to cover mortgage absorptions, reductions, and modifications for these irresponsible people. I'm getting penalized by paying higher interest rates because due to the damage they did to my property value and the laws they forced to be created, I can't refinance. I'm mad as hell and frankly, I don't want to take it any more. Do you see that? Do you still think I don't have a legitimate point on this? I'm tired of subsidizing stupidity and bad actors. It's too expensive. I don't want to do it any more. We already have too many stupid people and bad actors. We really don't need to subsidize or encourage the creation of more. A doesn't really seem connected to B. Proof that you still don't get it. Punishing those that are responsible by making them pay for the behavior of those who fail to take responsibility IS a major problem. A and B are both examples of such a process. 
The internet may be a vast ocean where bad guys keep dumping garbage, but, if software vendors stopped building highly exploitable code and ISPs started disconnecting abusing systems rapidly, it would have a major effect on the constantly changing currents. If abuse departments were fully funded by cleanup fees charged to negligent users who failed to secure their systems properly, it would both incentivize users to do proper security _AND_ provide for more responsive abuse departments as issues are reduced and their budget scales linearly with the amount of abuse being conducted. The reality is that things change. Forty-three years ago, you could still buy a car that didn't have seat belts. Thirty years ago, most people still didn't wear seat belts. Twenty years ago, air bags began appearing in large volume in passenger vehicles. Throughout this period, cars have been de-stiffened with crumple zones, etc., in order to make them safer for passengers in the event of a crash. Mandatory child seat laws have been enacted at various times throughout. A little more than ten years ago, air bags were mandatory. Ten years ago, LATCH clips for child safety seats became mandatory. We now have side impact air bags, etc. Sure. Generally speaking, we do not penalize car owners for owning an older car, and we've maybe only made them retrofit seat belts (but not air bags, crumple zones, etc) into them, despite the fact that some of those big old boats can be quite deadly to other drivers in today's more easily-damaged cars. We've increased auto safety by mandating better cars, and by penalizing users who fail to make use of the safety features. Right, but, owners of older cars are primarily placing themselves at risk, not others. 
I am pretty sure I saw stats that suggested that old cars that crashed into new cars did substantially more damage to the new car and its occupants than an equivalent crash between two new cars, something to do with the old car not absorbing about half the impact into its own (nonexistent) crumple zones, though there are obvious deficiencies in the protection afforded to the occupants of the old car as well... Old cars without crumple zones tend to do more damage to new cars with crumple zones. Occupants of new cars tend to receive less damage because the crumple zones absorb some of the energy while occupants of older cars receive more of the energy transferred directly to them due to the higher stiffness of the older car. At least in the studies I have read. In this case, it's a question of others putting me at risk. That, generally, isn't tolerated. There is only so much proper security you can expect the average PC user to do. The average PC user expects to be able to check e-mail, view the web, edit some documents, and listen to some songs. The average car driver expects to be able to drive around and do things. You can try to mandate that the average car driver must change their
Re: Nato warns of strike against cyber attackers
Grandma does not go check her tread depth or check her own brake pads and discs for wear. She lets the shop do that. I was hoping I didn't have to get pedantic and that people could differentiate between I pay the shop a few bucks to do that for me and I take responsibility personally to drive my car in an appropriate fashion (which includes things like I take my car to the shop periodically for maintenance I don't have the skills to do myself), but there we have it. Whether grandma measures the tread depth herself or takes it to the shop, the point is that grandma is expected to have tires with sufficient tread depth and working brakes when she operates the car. If not, she's liable. If she drives like the little old lady from Pasadena, she's liable for the accidents she causes. There is no shop that the average computer owner should take their computer to, and unlike a car, anything that might seem to require some periodic maintenance is typically automated (OS updates, virus updates, etc). There are places like NerdForce that you can take your computer to, but you're likely to be sold a load of crap, and you can even take the same computer to five different services and get wildly differing results (and wildly differing bills). There's no standardization, and part of *that* is due to the way we've allowed end user operating systems to be designed. My point: We haven't designed computers for end users appropriately. It is not the fault of the end user that they're driving around the crapmobile we've provided for them. If you go to the store to get a new computer, you get a choice of crapmobiles all with engines by the same company, unless you go to the fruit store, in which case you get a somewhat less obviously vulnerable engine by a different company. The users don't know how to take apart the engines and repair them, and the engines aren't usefully protected sufficiently to ensure that they don't get fouled, so you have a Problem. 
The end user should be able to recover from the responsible manufacturer for the design flaws in the hardware/software they are driving. Agreed. That is how it works in cars, that's how it should work in computers. It doesn't; look at that wonderful EULA. Want to fix that? Be my guest, seriously. What I don't want to see which you are advocating... I don't want to see the end users who do take responsibility, drive well designed vehicles with proper seat belts and safety equipment, stay in their lane, and do not cause accidents held liable for the actions of others. Why should we penalize those that have done no wrong simply because they happen to be a minority? I agree, on the other hand, what about those people who genuinely didn't do anything wrong, and their computer still got Pwned? From this perspective: Our technology sucks. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
:I think anyone in their right mind would agree that if a provider see :criminal activity, they should take action, no? What a provider should do and what makes sense under the law of the land are two different things. :If that also holds true, then why doesn't it happen? The laws pertaining to what's required of people when witnessing a crime vary by locality within the U.S. I dunno how they work for the rest of the NANOG audience. What is required of people versus what's required of corporate entities varies, too. Good Samaritan laws are hardly universal, and don't always play well with the other laws of the land. Things can get ugly when some murky behavior gets retroactively deemed a crime (perhaps by some tech-challenged judge or jury) and a provider becomes an accessory after the fact. You mean, the DMCA makes THAT illegal?!? Or, perhaps a provider tries to take some small action in the face of a crime, then is deemed to have a special relationship making them liable for not being quite helpful enough. You mean, I have to rebuild my entire network because my customer support rep has reported bad behavior to the authorities? Ultimately, acting on crime is a rat's nest. Some providers have enough trouble dealing with attacks from Pax0rland, extracting sane prices for last-mile service, evaluating/deploying new technology, keeping up with all the off-topic emails on NANOG, etc. Raise the bar so the least-paid front-line rep requires a customer support within the law class. Create a legal climate where the only way it makes sense to provide bits involves a big army of attorneys and lobbyists to define the regulatory climate. Let's make total provider consolidation a reality... then we won't need those pesky 32-bit ASNs. :) Back to work... -- Michael J. O'Connor m...@dojo.mi.org =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--= Not baked goods, professor... baked BADS!-The Tick
Re: Nato warns of strike against cyber attackers
On 6/9/2010 01:11, JC Dill wrote: Owen DeLong wrote: Heck, at this point, I'd be OK with it being a regulatory issue. What entity do you see as having any possibility of effective regulatory control over the internet? Doesn't matter as long as it enables radial outbound finger pointing. The reason we have these problems to begin with is because there is no way for people (or government regulators) in the US to control ISPs in eastern Europe etc. Or in the US. But what we see here is what is wrong with regulation--the regulated specify the regulation, primarily to protect the economic interests of the entrenched. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Nato warns of strike against cyber attackers
On Jun 9, 2010, at 6:50 AM, Joe Greco wrote: On Wed, 2010-06-09 at 07:02 -0500, Joe Greco wrote: There is only so much proper security you can expect the average PC user to do. Sure - but if their computer, as a result of their ignorance, starts belching out spam, ISPs should be able at very least to counteract the problem. For example, by disconnecting that user and telling them why they have been disconnected. Why should it be the ISP's duty to silently absorb the blows? Why should the user have no responsibility here? Primarily because the product that they've been given to use is defective by design. I'm not even saying no responsibility; I'm just arguing that we have to be realistic about our expectations of the level of responsibility users will have. At this point, we're teaching computers to children in elementary school, and kids in second and third grade are being expected to submit homework to teachers via e-mail. How is that supposed to play out for the single mom with a latchkey kid? Let's be realistic here. It's the computer that ought to be safer. We can expect modest improvements on the part of users, sure, but to place it all on them is simply a fantastic display of incredible naivete. I don't think that is what is being proposed. What is being proposed is that in order for this to work legally in the framework that exists in the current law is to create a chain of liability. Let's use the example of a third party check which should be fairly familiar to everyone. A writes a check to B who endorses it to C who deposits it. The check bounces. C cannot sue A. C must sue B. B can then recover from A. So, to make this work realistically, the end user (latchkey mom in your example) has a computer and little Suzie opens MakeMeSpam.exe and next thing you know, that computer is using her full 7Mbps uplink from $CABLECO to deliver all the spam it can deliver at that speed. 
Some target of said spam calls up $CABLECO and $CABLECO turns off LatchKeyMom's service. The spam targets can (if they choose) go after LatchKeyMom ($CABLECO would be liable if they hadn't disconnected LatchKeyMom promptly), but, they probably won't if LatchKeyMom isn't a persistent problem. LatchKeyMom can go after the makers of MakeMeSpam.exe and also can go after the makers of her OS, etc. if she has a case that their design was negligent and contributed to the problem. Yes, it's complex, but, it is the only mechanism the law provides for the transfer of liability. You can't leap-frog the process and have the SPAM victims going directly after LatchKeyMom's OS Vendor because there's no relationship there to provide a legal link of liability. To carry your analogy a bit too far, if someone is roaming the streets in a beat-up jalopy with wobbly wheels, no lights, no brakes, no mirrors, and sideswiping parked cars, is it up to the city to somehow clear the way for that driver? No - the car is taken off the road and the driver told to fix it or get a new one. If the problem appears to be the driver rather than the vehicle, the driver is told they cannot drive until they have obtained a Clue. Generally speaking, nobody wants to be the cop that makes that call. Theoretically an ISP *might* be able to do that, but most are unwilling, and those of us that do actually play BOFH run the risk of losing customers to a sewerISP that doesn't. Whether anyone wants to be the cop or not, someone has to be the cop. The point is that SewerISPs need to be held liable (hence my proposal for ISP liability outside of a 24 hour grace period from notification). If SewerISP has to pay the costs of failing to address abuse from their customers, SewerISP will either stop running a cesspool, or, they will go bankrupt and become a self-rectifying problem. 
If the user, as a result of their computer being zombified or whatever, has to take it in to NerdForce and spend some random amount between $50 and twice the cost of a new computer, ...then that's the user's problem. They can solve it with insurance (appropriate policies will come into being), or they can solve it by becoming more knowledgeable, or they can solve it by hiring know how. But it is *their* problem. The fact that it is the user's problem will drive the industry to solve that problem, because anywhere there is a problem there is a market for a solution. That shows an incredible lack of understanding of how the market actually works. It's nice in theory. No, it shows how broken current market practice is. What we are saying is that some relatively minor application of existing law to the computer market would correct this brokenness. We (as technical people) have caused this problem because we've failed to design computers and networks that are resistant to this sort of thing. Trying to pin it on the users is of course easy, because users (generally speaking) are stupid and are at fault for not doing
Re: Nato warns of strike against cyber attackers
I am pretty sure I saw stats that suggested that old cars that crashed into new cars did substantially more damage to the new car and its occupants than an equivalent crash between two new cars, something to do with the old car not absorbing about half the impact into its own (nonexistent) crumple zones, though there are obvious deficiencies in the protection afforded to the occupants of the old car as well... Old cars without crumple zones tend to do more damage to new cars with crumple zones. Occupants of new cars tend to receive less damage because the crumple zones absorb some of the energy while occupants of older cars receive more of the energy transferred directly to them due to the higher stiffness of the older car. At least in the studies I have read. I'm talking about the difference between the levels of damage to a new car where you have a crash between an old and new car, and a crash between two new cars. The evidence that an old car is more lethal to its occupants is well known. We were discussing damage inflicted upon others, so that is not relevant. Generally speaking, because the computer is unsafe by design, and most of the problems we're discussing are not driving the car in a reckless manner. I do not live in mortal fear that I am going to steer my car into the median and it's going to jump over into oncoming traffic and ram into an oncoming semi, because that's simply not something I'd do, and it's not something the car designers expected would be a regular thing to do. On the other hand, I do live in mortal fear of opening a PDF document on a Windows machine, something that both Adobe and Microsoft deliberately engineered to be as easy and trivial as possible, and which millions of people do on a daily and regular basis, but which nonetheless can have the undesirable side effect of infecting my computer with the latest stealth exploit, at least if I read the news correctly. I don't agree with your premise. 
Yes, some operating systems are unsafe by design, but, not all. As I said, you should be accountable for the behavior of your computer. If you can show that the behavior was the result of faulty software, then, you should be able to recover from the manufacturer of that software (assuming you paid a professional for your software). That is a nice theory, but does not play out in practice. If you are suggesting that part of the solution to the overall problem is to legislate such liability, overriding any EULA's in the process, we can certainly discuss that. Just as a driver of a car with a stuck accelerator due to manufacturer defect is liable to the pedestrians they plow, and, the manufacturer is liable to the driver, I see no reason not to have a similar liability chain for software. Doesn't exist at this time, see EULA. Strangely, I don't live in mortal fear of opening a PDF document on my Macs or Linux systems. As such, I don't see why we should all be punished for the fact that you chose to buy software from the morons in Redmond. A bad choice made by a majority of people is still a bad choice. (Note: You are the one who singled out Micr0$0ft first.) The latest Adobe vulnerability applies to pretty much all platforms. It is, in this case, a Flash vulnerability, but others have been PDF. You can use an alternative Flash or PDF player, of course, but that's not a guarantee, it's just lowering the risk. As a Windows user, I *am* *expected* to open web documents and go browsing around. The Internet has been deliberately designed with millions upon millions of domains and web sites; it's ridiculous to suggest that users should be aware that visiting a particular web site is likely to be harmful, especially given that we can't even keep servers safe, and some legitimate high-volume web sites have even been known to serve up bad stuff. I assume all web sites are potentially harmful unless I have good reason to believe otherwise. 
Why shouldn't everyone be expected to behave in a similar manner? Seems to me that is the only rational approach. Don't you tell your kids not to talk to strangers? Isn't this sort of the same thing?

I haven't been a child for many years. Generally speaking, I expect to be able to talk to another person without significant risk. What you suggest makes sense from a security point of view, but many people are only able to identify a small handful of websites as being ones they know. If you're suggesting that people should never visit other websites, then that really limits the usefulness of the Internet.

Why shouldn't it be, instead, that web browsers are made to be safe and invulnerable?

I'm not out to target specific products. Yes, I'll celebrate the death of our favorite convicted felon in Redmond, but, that's not the point. I don't have a CompSci degree specializing in that stuff and I seem to be able to run clean systems. I don't have
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On 6/9/2010 01:14, Paul Ferguson wrote:

To cut through the noise and non-relevant discussion, let's see if we can boil this down to a couple of issues:

If I may offer a few edits and comments.

1. Should ISPs be responsible for abuse from within their customer base?

1. Should ISPs be responsible for every thing from within their customer base?

1a. If so, how?

[Good question. The answers will be hard, and some of the answers will seem to some to be against their own self interest. How does a toll-road operator do it? An inn-keeper?]

2. Should hosting providers also be held responsible for customers who abuse their services in a criminal manner?

[A legal question--is the inn keeper responsible for the harm to you of a meth lab he allows to operate in the room next to yours?]

2.a If so, how?

See above.

I think anyone in their right mind would agree that if a provider sees criminal activity, they should take action, no?

In some US states the law requires it.

If that also holds true, then why doesn't it happen?

It's hard. It costs too much (actually false in my opinion--see trashed hotel rooms). Somebody else should be doing it. Personal (see also corporations as persons) responsibility is now an undefined term.

Providers in the U.S. are the worst offenders of hosting/accommodating criminal activities by Eastern European criminals. Period.

All the crap I get, I get from a (nominally[1]) US provider.

[1] China probably holds the mortgage, which is another problem for discussion another day (and somewhere else).

--
Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email   Ex turpi causa non oritur actio   Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Nato warns of strike against cyber attackers
Original message:

Generally speaking, nobody wants to be the cop that makes that call. Theoretically an ISP *might* be able to do that, but most are unwilling, and those of us that do actually play BOFH run the risk of losing customers to a sewerISP that doesn't.

Our experiences from the Dutch ISP market indicate otherwise, customers are more than happy to be informed they might have been infected by a virus/worm. Most customers are too afraid of losing valuable documents due to a file-eating virus for example, or afraid of losing connection to the internet entirely, and appreciate getting an opportunity to do some clean-up when placed in a quarantine VLAN. They even will recommend you, and your reputation as ISP-with-clue will increase.

To stay on-topic, this is one of the first steps to prevent hosts in your network attacking NATO and decrease the risk of being disconnected by them.

Commercial products that might assist you: http://www.quarantainenet.nl/?language=en;page=product-qnet

Michiel Klaver
IT Professional
Re: Nato warns of strike against cyber attackers
On 6/9/2010 06:11, Owen DeLong wrote:

On Jun 8, 2010, at 11:11 PM, JC Dill wrote:

Owen DeLong wrote:

Heck, at this point, I'd be OK with it being a regulatory issue.

What entity do you see as having any possibility of effective regulatory control over the internet? The reason we have these problems to begin with is because there is no way for people (or government regulators) in the US to control ISPs in eastern Europe etc.

What happens if you replace the word government with the word person? (And since the cost is the only thing that matters, how much does government cost? I suppose that is something somebody else should worry about too.)

The reason we have these problems is because NO government is taking action. If each government took the action I suggested locally against the ISPs in their region, it would be just as effective. In fact, the more governments that take the action I suggested, the more effective it would be.

It is my strongly held belief that with my substitution a lot would get done and at a much lower individual cost.
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On 6/9/2010 06:14, Owen DeLong wrote:

On Jun 8, 2010, at 11:14 PM, Paul Ferguson wrote:

To cut through the noise and non-relevant discussion, let's see if we can boil this down to a couple of issues:

1. Should ISPs be responsible for abuse from within their customer base?

Yes, but, there should be an exemption from liability for ISPs that take action to resolve the situation within 24 hours of first awareness (by either internal detection or external report).

What happened to the acronyms AUP and TOS?
Re: Nato warns of strike against cyber attackers
On Wed, 2010-06-09 at 08:50 -0500, Joe Greco wrote:

Primarily because the product that they've been given to use is defective by design.

Indeed. So one approach is to remove the protection such defective designs currently enjoy.

supposed to play out for the single mom with a latchkey kid? Let's be realistic here. It's the computer that ought to be safer.

Fine. Agreed. Now what mechanisms do you suggest for achieving that? Technical suggestions are no good, because no one will implement them unless they have to, or unless implementing them in some way improves the product so it sells better.

modest improvements on the part of users, sure, but to place it all on them is simply a fantastic display of incredible naivete.

Indeed. And certainly not something I'd advocate.

at least not without making sure that they, in turn, could pass the responsibility on.

That shows an incredible lack of understanding of how the market actually works. It's nice in theory.

It would be a lot more pleasant discussing things with you if you understood that people may disagree with you without necessarily being naive or stupid.

We (as technical people) have caused this problem because we've failed to design computers and networks that are resistant to this sort of thing.

And why did we do that? What allowed us to get away with it? Answer: Inadequate application of ordinary product liability law to the producers of software. Acceptance of ridiculous EULAs that in any sane legal system would not be worth the cellophane they are printed behind. And so forth. I know the ecosystem that arose around software is more complicated than that, but you get the idea.

Trying to pin it on the users is of course easy, because users (generally speaking) are stupid and are at fault for not doing enough to secure their own systems, but that's a ridiculous smugness on our part.

You're right. And again, I am not advocating that.
People are always going to be stupid (or ignorant, which is not the same thing as stupid). The trick is to give them a way out - whether it's insurance, education or effective legal remedy. That way they can choose how to handle the risk that *they* represent - in computers just as in any other realm of life.

I'm fine with that, but as long as we keep handing loaded guns without any reasonably-identifiable safeties to the end users, we can expect to keep getting shot at now and then.

You keep stating the problem, where what others are trying to do is frame a solution.

Right now we are just absorbing the impact; that is not sustainable, as long as the people providing the avenues of attack (through ignorance or whatever) have no obligation at all to do better.

Yep! And the fastest way to get more secure systems is to make consumers accountable, so that they demand accountability from their vendors. And so it goes, all the way up the chain. Make people accountable. At every level.

Again, that shows an incredible lack of understanding of how the market actually works. It's still nice in theory.

There are whole industries built around vehicular safety. There are numerous varieties of insurance that protect people - at every level - from their own failures. Where there is no accountability in a human system, failure is practically guaranteed - whether in the form of tyranny, monopoly, danger to life and limb or whatever. The idea of accountability and the drive to attain it forms the basis of most legal and democratic systems, and of uncountable numbers of smaller systems in democratic societies. Now, what were you saying about theory?

Do you really think that the game of telephone works? Are we really going to be able to hold customers accountable? And if we do, are they really going to put vendor feet to the fire? Or is Microsoft just going to laugh and point at their EULA, and say, our legal department will bankrupt you, you silly little twerp?
Please, read more carefully. At every level. If the consumer is made responsible, they must simultaneously get some avenue of recourse. Those ridiculous EULAs should be the first things against the wall :-)

Everyone has carefully made it clear that they're not liable to the users, so the users are left holding the bag, and nobody who's actually responsible is able to be held responsible by the end users.

Correct. That is the current situation, and it needs to be altered. On the one hand consumers benefit because they will finally have recourse for defective software, but with that gain comes increased responsibility.

Yes, we need to include all the technical stakeholders, and we as network operators ought to be able to tell we the website operators to tell we the web designers to stop using Flash if it's that big a liability. This, of course, fails for the same reasons that expecting end users to hold vendors responsible does, but there are a lot fewer of us technical stakeholders than there are end users, so if we
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On 6/9/2010 07:39, Jorge Amodio wrote:

1. Should ISPs be responsible for abuse from within their customer base?

Not sure, ISPs' role is just to move packets from A to B, you need to clearly define what constitutes abuse and how much of it is considered a crime. If I call your home every five minutes to harass you over the phone, is ATT responsible?

1a. If so, how?

Pull the plug without looking at how much you are billing.

I'd say pull the plug while watching the balance sheet.

I have no idea how many providers of netnews service there are left--not many because they waited for somebody else to solve the problems. I subscribe to one that rigorously polices spam and troll traffic (from their own customers _and_from_the_world). And for less than some of the other services. (They are associated with a German University, I think, so there may be a subsidy issue. I would pay several times as much as I do for the service--maybe an order of magnitude more.)

What incentive do they have to do so? And how liable do they become if they do something without a court order or such?

Is survival an incentive?

Providers in the U.S. are the worst offenders of hosting/accommodating criminal activities by Eastern European criminals. Period.

Probably true, here money talks.

But it doesn't listen. It waits for the bailout.
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On 6/9/2010 07:39, Jorge Amodio wrote:

1. Should ISPs be responsible for abuse from within their customer base?

Not sure, ISPs' role is just to move packets from A to B, you need to clearly define what constitutes abuse and how much of it is considered a crime. If I call your home every five minutes to harass you over the phone, is ATT responsible?

How does the question change with a regulator telling them they are?

And does it matter if I refuse all calls from ATT because they don't?
Re: Nato warns of strike against cyber attackers
On 6/9/2010 08:05, Chris Adams wrote:

Once upon a time, JC Dill jcdill.li...@gmail.com said:

I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an attractive nuisance - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess.

Many of the problems are PEBKAC, as evidenced by the massive responses to phishing scams. I can't tell you the number of our users that have sent their password to Nigeria to be used to log in to our webmail and spam.

In other words, if somebody is going to handle the problem, the people that know how (ISP's for want of a term) are going to have to do it.
Re: Nato warns of strike against cyber attackers
On 6/9/2010 08:08, Chris Adams wrote:

Once upon a time, Alexander Harrowell a.harrow...@gmail.com said:

No, but we can and do require cars to have functional brakes and minimum tread depths, and to be tested periodically.

Not in this state.

You might not have the state inspection rip-off, but I'll bet that if your state accepts federal highway money, you have mechanical condition standards that include tires, brakes, seat belts and a lot of other things.
Re: Nato warns of strike against cyber attackers
On 6/9/2010 08:09, Chris Adams wrote:

Once upon a time, Jorge Amodio jmamo...@gmail.com said:

That's why at least in the US by *regulation* you must have insurance to be able to operate a car, instead of mitigating the safety issues that represents a teenager texting while driving we deal with the consequences.

The insurance requirement is a state-by-state thing. It was only added here a few years ago, and I don't think it is universal.

Similar answer as the one for the brakes and tires thing. Implementation may vary from state to state, just like the mechanical standards thing.

When last I lived in California, there was no insurance requirement but there was a proof of financial responsibility requirement that was most easily met (for most people) by carrying insurance to certain standards for Public Liability and Property Damage.
Re: Nato warns of strike against cyber attackers
On 6/9/2010 08:21, Joe Greco wrote:

Your car emits lots of greenhouse gases. Just because it's /less/ doesn't change the fact that the Prius has an ICE.

We have a Prius and a HiHy too.

Did Godwin say anything about rand discussions degenerating to mythologies like gorebull warming?
Re: Nato warns of strike against cyber attackers
On 6/9/10 6:27 AM, Jorge Amodio wrote:

Going back then to a previous question, do we want more/any regulation?

Laws and regulation exist because people can't behave civilly and be expected to respect the rights/boundaries/property of others.

CAN-SPAM exists because the e-mail marketing business refused to self regulate and respect the wishes of consumers/administrators.

FDCPA exists because the debt collectors couldn't resist the temptation to harass and intimidate consumers, and behave ethically.

It's just a matter of time, and really unavoidable. The thing is, these industries have no one to blame but themselves. In all cases, these laws/regulation only came into effect AFTER situations got out of control.

Lately, the courts have been ruling that companies like LimeWire are responsible for their products being used for piracy/downloading because they knew what was going on, but were turning a blind eye.

Why not apply the same standards to ISPs? If it can be shown that you had knowledge of specific abuse coming from your network, but for whatever reason, opted to ignore it and turn a blind eye, then you are responsible.

When I see abuse from my network or am made aware of it, I isolate and drop on my edge the IPs in question, then investigate and respond. Most times, it takes me maybe 10-15 minutes to track down the user responsible, shut off their server or host, then terminate their stupid self.

A little bit of effort goes a long way. But, if you refuse to put in the effort (I'm looking at you, GoDaddy Abuse Desk), then of course the problems won't go away.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: Nato warns of strike against cyber attackers
On Wed, Jun 09, 2010, Larry Sheldon wrote:

You might not have the state inspection rip-off, but I'll bet that if your state accepts federal highway money, you have mechanical condition standards that include tires, brakes, seat belts and a lot of other things.

.. and a change in the minimum drinking age?

Adrian

(Before you go That's not relevant to the discussion, think again. Hard.)
Re: Nato warns of strike against cyber attackers
On 6/9/10 8:43 AM, Michiel Klaver wrote:

Our experiences from the Dutch ISP market indicate otherwise, customers are more than happy to be informed they might have been infected by a virus/worm. Most customers are too afraid of losing valuable documents due to a file-eating virus for example, or afraid of losing connection to the internet entirely, and appreciate getting an opportunity to do some clean-up when placed in a quarantine VLAN. They even will recommend you, and your reputation as ISP-with-clue will increase.

Unfortunately, here in the US, as someone who decrapifies computers for several home and business users, I find that no matter how much I alert users to infections, they just don't care.

They say... But I can still use my computer! You're just trying to get more money out of me.

You warn them that opening attachments is dangerous.

They say... But I got this great power point presentation that shows me how to make cookies on the hood of my car, which I would have never seen had I listened to you!

You warn them that the screen saver they just downloaded and ran sent their passwords and credit cards to a cracker.

They say... Oh, but my credit card company won't hold me liable, so it's not a big deal.

They install MyCleanPC or similar, which proceeds to install more crapware which eventually starts randomly deleting important files on their computer.

They say... But I saw it on TV, and people were saying it's a great product that makes my 386 perform like a Core i7! You're a computer expert, I'm sure you've backed up my files on your computer without me needing to tell you.

Yeah, things may be different overseas, but here in the US, ignorance is bliss and endorsed by the GOP and Tea Party. Here, people take pride in being the dumbest moron on the block.

In all cases of the above, I was told almost that exact statement by a customer. They will do _anything_ to try and avoid responsibility for their behavior.
Re: Nato warns of strike against cyber attackers
What I don't want to see which you are advocating... I don't want to see the end users who do take responsibility, drive well designed vehicles with proper seat belts and safety equipment, stay in their lane, and do not cause accidents held liable for the actions of others. Why should we penalize those that have done no wrong simply because they happen to be a minority?

I agree, on the other hand, what about those people who genuinely didn't do anything wrong, and their computer still got Pwned?

Fiction. At the very least, if you connected a system to the network and it got Pwned, you were negligent in your behavior, if not malicious. Negligence is still wrong, even if not malice.

Owen
Re: Nato warns of strike against cyber attackers
Yes, it's complex, but, it is the only mechanism the law provides for the transfer of liability. You can't leap-frog the process and have the SPAM victims going directly after LatchKeyMom's OS Vendor because there's no relationship there to provide a legal link of liability.

This leads to an incredibly Rube-Goldberg-like setup to solve the problem; if that's the case, even if the issue of EULA's leaving end users holding the bag were resolved, this would not be much of an incentive to vendors to fix the problem.

To carry your analogy a bit too far, if someone is roaming the streets in a beat-up jalopy with wobbly wheels, no lights, no brakes, no mirrors, and sideswiping parked cars, is it up to the city to somehow clear the way for that driver? No - the car is taken off the road and the driver told to fix it or get a new one. If the problem appears to be the driver rather than the vehicle, the driver is told they cannot drive until they have obtained a Clue.

Generally speaking, nobody wants to be the cop that makes that call. Theoretically an ISP *might* be able to do that, but most are unwilling, and those of us that do actually play BOFH run the risk of losing customers to a sewerISP that doesn't.

Whether anyone wants to be the cop or not, someone has to be the cop. The point is that SewerISPs need to be held liable (hence my proposal for ISP liability outside of a 24 hour grace period from notification). If SewerISP has to pay the costs of failing to address abuse from their customers, SewerISP will either stop running a cesspool, or, they will go bankrupt and become a self-rectifying problem.

In the meantime, CleanISP is bleeding customers to SewerISP, rewarding SewerISP. And tomorrow there's another SewerISP.

If the user, as a result of their computer being zombified or whatever, has to take it in to NerdForce and spend some random amount between $50 and twice the cost of a new computer,

...then that's the user's problem.
They can solve it with insurance (appropriate policies will come into being), or they can solve it by becoming more knowledgeable, or they can solve it by hiring know how. But it is *their* problem. The fact that it is the user's problem will drive the industry to solve that problem, because anywhere there is a problem there is a market for a solution.

That shows an incredible lack of understanding of how the market actually works. It's nice in theory.

No, it shows how broken current market practice is. What we are saying is that some relatively minor application of existing law to the computer market would correct this brokenness.

That's like saying going to the moon is a relatively minor application of rocket science.

We (as technical people) have caused this problem because we've failed to design computers and networks that are resistant to this sort of thing. Trying to pin it on the users is of course easy, because users (generally speaking) are stupid and are at fault for not doing enough to secure their own systems, but that's a ridiculous smugness on our part.

You keep saying WE as if the majority of people on this list have anything to do with the design or construction of these systems. We do not. We are mostly network operators.

I keep saying we as opposed to them because we are part of the problem, and they are simply end users. We can (and, from past experience with the membership of this list, does) include members of the networking community, hardware community, software community, developers, and other related interests. We have done a poor job of designing technology that they can understand, comprehend, and just use, which is, when it comes right down to it, all they want to be able to do.

However, again, if the end user is held liable, the end user is then in a position to hold the manufacturer/vendors that they received defective systems from liable.

The hell they are. Why don't you READ that nice EULA you accepted when you bought that Mac.
It does exactly what you are saying needs to happen, just without exempting irresponsible users from their share of the pain which seems to be a central part of your theory. If I leave my credit card laying around in an airport, I'm liable for part of the pain up until the point where I report my credit card lost. Why should irresponsible computer usage be any different?

Because the average person would consider that to be dangerous, and the average person would not consider opening an e-mail in their e-mail client to be dangerous, except that it is.

then we - as the people who have designed and provided technology - have failed, and we are trying to pass off responsibility for our collective failure onto the end user.

I think what's being called for is not total abdication of responsibility - just some sharing of the responsibility.

I'm fine with that, but as long as we
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On 6/9/2010 10:58, Owen DeLong wrote:

What happened to the acronyms AUP and TOS?

I'm not sure what you mean by that. I'm talking about an ISP's liability to third party victims, not to their customers.

Acceptable Use Policy and Terms of Service

AUP/TOS are between the ISP and their customer.

Very good. Does that provide an answer to the earlier question about what a provider is to do when a customer misbehaves? Does that provide a method for assigning liability?

I am not a lawyer, but it doesn't seem a stretch to me to include, in this context, traffic from peers and transit providers.
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
Larry Sheldon wrote:

On 6/9/2010 10:58, Owen DeLong wrote:

What happened to the acronyms AUP and TOS?

I'm not sure what you mean by that. I'm talking about an ISP's liability to third party victims, not to their customers.

Acceptable Use Policy and Terms of Service

AUP/TOS are between the ISP and their customer.

Very good. Does that provide an answer to the earlier question about what a provider is to do when a customer misbehaves? Does that provide a method for assigning liability?

I am not a lawyer, but it doesn't seem a stretch to me to include, in this context, traffic from peers and transit providers.

Acceptable Use Policy and Terms of Service

Imagine for a moment you're speeding... You get pulled over, get off with a warning. Phew! You speed again, get pulled over again, you get a warning. How long will it be before you just outright ignore the law and speed simply because you know all you will get is a warning.

AUP's and TOS' mean little if they're not enforced and I theorize that they're not enforced perhaps because a company's staff is likely to be overwhelmed or underclued as to how to proceed past a generic: Thou shall not spew dirty traffic in my network or else... Or else what? You're going to flood their inbox with Thou shall not messages?

In the case of Mr. Amodio and I believe Owen griping about insecure software, I offer you this analogy... You buy a car and as you're driving along a message comes into the dashboard: Car Update needed, to fix A/C. You ignore it. Don't update it, who cares, you're driving smoothly. Another alert comes into the car dashboard: Critical alert, your brakes need this patch... You ignore it and drive along. 5-10 years later the car manufacturer EOL's the car and support for it. You crash... Who is to blame, the car manufacturer or you for not applying the updates. Granted the manufacturer could have given you a better product, the fact remains, it is what it is. Don't blame the software vendors, blame oneself.

I've seen even the most savvy users using OS' *other* than Windows get compromised. I performed an incident response about 8 months ago... 42 machines, 41 Linux, 1 Windows... Guess what, all the Linux boxes running Apache were compromised. They were running vulnerable software on them (Wordpress, etc). So to compare Apples and Oranges (Windows versus another) is pointless.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently. - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E
Re: Nato warns of strike against cyber attackers
On Wed, 2010-06-09 at 08:50 -0500, Joe Greco wrote:

Primarily because the product that they've been given to use is defective by design.

Indeed. So one approach is to remove the protection such defective designs currently enjoy.

That's not going to happen (but I'll be happy to be proven wrong). As it stands, were software manufacturers to be held liable for the damages caused by their products, think of what would happen. How much does it cost for NerdForce to disinfect a computer? How many man-hours did that MS-SQL Slammer worm cost us? How much is lost when a website is down? What legislator is going to vote for software liability reforms that will ruin major software companies? When their own staff and experts will be willing to state that outcome, in no uncertain terms?

What are the outcomes here? We pass such legislation, it doesn't magically fix things. It just means that companies like Adobe and Microsoft are suddenly on the hook for huge liabilities if they continue to sell their current products. Do we expect them to *stop* selling Windows, etc.,?

supposed to play out for the single mom with a latchkey kid? Let's be realistic here. It's the computer that ought to be safer.

Fine. Agreed. Now what mechanisms do you suggest for achieving that? Technical suggestions are no good, because no one will implement them unless they have to, or unless implementing them in some way improves the product so it sells better.

That's the problem, isn't it. If we were serious about it, we could approach the problem differently: rather than trying to tackle it from a marketplace point of view, perhaps we could instead tackle it from a regulatory point of view. Could we mandate that the next generation of browsers must have certain qualities? It's an interesting discussion, and in some way parallels the car safety examples I provided earlier.
modest improvements on the part of users, sure, but to place it all on them is simply a fantastic display of incredible naivete. Indeed. And certainly not something I'd advocate. at least not without making sure that they, in turn, could pass the responsibility on. That shows an incredible lack of understanding of how the market actually works. It's nice in theory. It would be a lot more pleasant discussing things with you if you understood that people may disagree with you without necessarily being naive or stupid. It's not a pleasant discussion, because in all visible directions are pure suck. I'll call naive when I see it. We (as technical people) have caused this problem because we've failed to design computers and networks that are resistant to this sort of thing. And why did we do that? What allowed us to get away with it? Answer: Inadequate application of ordinary product liability law to the producers of software. Acceptance of ridiculous EULAs that in any sane legal system would not be worth the cellophane they are printed behind. And so forth. I know the ecosystem that arose around software is more complicated than that, but you get the idea. I certainly agree, but it isn't going to be wished away in a minute. To do so would effectively destroy some major technology companies. Trying to pin it on the users is of course easy, because users (generally speaking) are stupid and are at fault for not doing enough to secure their own systems, but that's a ridiculous smugness on our part. You're right. And again, I am not advocating that. People are always going to be stupid (or ignorant, which is not the same thing as stupid). The trick is to give them a way out - whether it's insurance, education or effective legal remedy. That way they can choose how to handle the risk that *they* represent - in computers just as in any other realm of life. Actually, IRL, we've been largely successful in making much safer cars.
It's by no means a complete solution, but it seems to be the best case scenario at this time. Software is devilishly hard to make safer, of course, and companies with a decade of legacy sludge being dragged along for the ride do not have it easy. (I really do feel sorry for Microsoft in a way) That's one of the reasons I had predicted more appliance-like computers, and now they seem to be appearing in the form of app-running devices like the iPad. From a network operator's point of view, that's just great, because the chance of a user being able to do something bad to the device is greatly reduced. I'm fine with that, but as long as we keep handing loaded guns without any reasonably-identifiable safeties to the end users, we can expect to keep getting shot at now and then. You keep stating the problem, where what others are trying to do is frame a solution. Right now we are just absorbing the impact; that is not sustainable, as long as the people
Re: Nato warns of strike against cyber attackers
d...@bungi.com (Dave Rand) writes: ... With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen. +1. -- Paul Vixie KI6YSY
Re: Nato warns of strike against cyber attackers
What I don't want to see which you are advocating... I don't want to see the end users who do take responsibility, drive well designed vehicles with proper seat belts and safety equipment, stay in their lane, and do not cause accidents held liable for the actions of others. Why should we penalize those that have done no wrong simply because they happen to be a minority? I agree, on the other hand, what about those people who genuinely didn't do anything wrong, and their computer still got Pwned? Fiction. At the very least, if you connected a system to the network and it got Pwned, you were negligent in your behavior, if not malicious. Negligence is still wrong, even if not malice. So, just so we're clear here, I go to Best Buy, I buy a computer, I bring it home, plug it into my cablemodem, and am instantly Pwned by the non-updated Windows version on the drive plus the incessant cable modem scanning, resulting in a bot infection... therefore I am negligent? Do you actually think a judge would find that negligent, or is this just your own personal definition of negligence? Because I doubt that a judge, or even an ordinary person, could possibly consider it such. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: Nato warns of strike against cyber attackers
On 6/9/2010 12:17, Joe Greco wrote: What I don't want to see which you are advocating... I don't want to see the end users who do take responsibility, drive well designed vehicles with proper seat belts and safety equipment, stay in their lane, and do not cause accidents held liable for the actions of others. Why should we penalize those that have done no wrong simply because they happen to be a minority? I agree, on the other hand, what about those people who genuinely didn't do anything wrong, and their computer still got Pwned? Fiction. At the very least, if you connected a system to the network and it got Pwned, you were negligent in your behavior, if not malicious. Negligence is still wrong, even if not malice. So, just so we're clear here, I go to Best Buy, I buy a computer, I bring it home, plug it into my cablemodem, and am instantly Pwned by the non-updated Windows version on the drive plus the incessant cable modem scanning, resulting in a bot infection... therefore I am negligent? Do you actually think a judge would find that negligent, or is this just your own personal definition of negligence? Because I doubt that a judge, or even an ordinary person, could possibly consider it such. One can argue (and I will) that there is indeed some culpability because the buyer bought the cheapest version of everything and connected it to a negligent provider's system. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
You buy a car and as you're driving along a message comes into the dashboard: Car Update needed, to fix A/C. You ignore it. Don't update it, who cares, you're driving smoothly. Another alert comes into the car dashboard: Critical alert, your brakes need this patch... You ignore it and drive along. 5-10 years later the car manufacturer EOLs the car and support for it. You crash... Who is to blame, the car manufacturer or you for not applying the updates? Granted the manufacturer could have given you a better product; the fact remains, it is what it is. Unfortunately in the software industry you get (when you do, not always) the alert and the patch after the fact, i.e. the exploit has already been out there and your machine may probably have already been compromised. I have never seen any operating system coming with a sign saying Use at your own risk, so why, when I buy a piece of software, do I have to assume it to be insecure, and why do I have to spend extra money on a recurring basis to make it less insecure, when there is no guarantee whatsoever that after maintenance, upgrades, patches and extra money my system will not get compromised because a moron forgot to include a term inside an if before compiling? Insecurity and exploitable software is a huge business. I don't expect software to be 100% safe or correct, but some of the holes and issues are derived from bad quality stuff, and as with car manufacturers the software producers should have a recall/replacement program at their own cost. My .02 Jorge
Re: Nato warns of strike against cyber attackers
So, just so we're clear here, I go to Best Buy, I buy a computer, I bring it home, plug it into my cablemodem, and am instantly Pwned by the non-updated Windows version on the drive plus the incessant cable modem scanning, resulting in a bot infection... therefore I am negligent? Do you actually think a judge would find that negligent, or is this just your own personal definition of negligence? Because I doubt that a judge, or even an ordinary person, could possibly consider it such. One can argue (and I will) that there is indeed some culpability because the buyer bought the cheapest version of everything and connected it to a negligent provider's system. Really? Because the *cheapest* version of everything seems to run the same OS as the most *expensive* version of everything. Best Buy - Computers - Desktop Computers - Towers Only - a Presario Sempron with Windows 7 Home Premium, $279. Best Buy - Computers - Desktop Computers - Desktop Packages - a Dell Intel Core i5 package with Windows 7 Home Premium, $859. So, since I mentioned Best Buy, but didn't mention anything about what was paid, I am hard pressed to imagine the basis for your claim, since the cheapest PC I was able to quickly locate runs the same OS as the most expensive PC I was able to quickly locate (it's of course possible that there are cheaper and more expensive at BB, as well as gear that does not run W7HP). Further, since the incumbent provider in many areas is also the *only* provider, I wonder what theory you use to hold the customer responsible for their choice of provider, or where they're supposed to get information on the negligence of a provider so that they can make informed choices of this sort. And are you really suggesting that people should expect to get Pwned if they buy an inexpensive computer, but not if they buy a better one?
I can understand you saying they can expect the hard drive to fail sooner or the fans will burn out faster, because that seems to be borne out by actual real world experience, but I wasn't aware that the security quality of Windows varied significantly based on the cost of the computer. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: Nato warns of strike against cyber attackers
On Wed, 09 Jun 2010 12:32:54 CDT, Larry Sheldon said: On 6/9/2010 12:17, Joe Greco wrote: So, just so we're clear here, I go to Best Buy, I buy a computer, I bring it home, plug it into my cablemodem, and am instantly Pwned by the non-updated Windows version on the drive plus the incessant cable modem scanning, resulting in a bot infection... therefore I am negligent? Do you actually think a judge would find that negligent, or is this just your own personal definition of negligence? Because I doubt that a judge, or even an ordinary person, could possibly consider it such. One can argue (and I will) that there is indeed some culpability because the buyer bought the cheapest version of everything and connected it to a negligent provider's system. And the average consumer can avoid the culpability in this scenario, how, exactly? If people place a nice chocky in their mouth, they don't want their cheeks pierced http://orangecow.org/pythonet/sketches/crunchy.htm
Re: Nato warns of strike against cyber attackers
Larry Sheldon wrote: On 6/9/2010 08:05, Chris Adams wrote: Once upon a time, JC Dill jcdill.li...@gmail.com said: I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an attractive nuisance - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess. Many of the problems are PEBKAC, as evidenced by the massive responses to phishing scams. I can't tell you the number of our users that have sent their password to Nigeria to be used to log in to our webmail and spam. In other words, if somebody is going to handle the problem, the people that know how (ISP's for want of a term) are going to have to do it. Yes, ISPs are going to have to handle the problem. But, IMHO the root cause of the problem starts in Redmond, and ISPs should sue Redmond for the lack of suitable security in their product, rendering it an attractive nuisance and requiring ISPs to clean up after Redmond's mess. It's not fair to expect ISPs to shoulder this burden, and it's not fair to pass on the cost to customers as a blanket surcharge (and it won't work from a business standpoint) as not all customers use Microsoft's virus-vector software. And it's not really fair to expect the end customer to shoulder this burden when it's Microsoft's fault for failing to properly secure their software. But end user customers don't have the resources to sue Microsoft, and then there's that whole EULA problem. ISPs who are NOT a party to the EULA between Microsoft and the user, but who are impacted by Microsoft's shoddy security can (IMHO) make a valid claim that Microsoft created an attractive nuisance (improperly secured software), and should be held accountable for the vandal's use thereof, used to access and steal resources (bandwidth, etc.) from the ISP thru the ISP's customer's infested Windows computer. jc
Re: Nato warns of strike against cyber attackers
Larry Sheldon wrote: On 6/9/2010 01:11, JC Dill wrote: Owen DeLong wrote: Heck, at this point, I'd be OK with it being a regulatory issue. What entity do you see as having any possibility of effective regulatory control over the internet? Doesn't matter as long as it enables radial outbound finger pointing. It does matter because THERE IS NO SUCH ENTITY. The reason we have these problems to begin with is because there is no way for people (or government regulators) in the US to control ISPs in eastern Europe etc. Or in the US. But what we see here is what is wrong with regulation--the regulated specify the regulation, primarily to protect the economic interests of the entrenched. IMHO it is impossible to regulate the internet as a whole. It is built out of too many different unregulated fragments (IP registries, domain registries, ASs, Tier 1 networks, smaller networks, etc.) and there will never be enough willingness for the unregulated entities to voluntarily become regulated - if some of them agree to become regulated then others will tout their unregulated (and cheaper) services. IMHO it would require a massive effort of great firewalls (such as China has in place) to *begin* to force regulation on the internet as a whole. jc
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
Jorge Amodio wrote: Unfortunately in the software industry you get (when you do, not always) the alert and the patch after the fact, i.e. the exploit has already been out there and your machine may probably have already been compromised. I have never seen any operating system coming with a sign saying Use at your own risk, so why, when I buy a piece of software, do I have to assume it to be insecure, and why do I have to spend extra money on a recurring basis to make it less insecure, when there is no guarantee whatsoever that after maintenance, upgrades, patches and extra money my system will not get compromised because a moron forgot to include a term inside an if before compiling? Insecurity and exploitable software is a huge business. I don't expect software to be 100% safe or correct, but some of the holes and issues are derived from bad quality stuff, and as with car manufacturers the software producers should have a recall/replacement program at their own cost. My .02 Jorge Again, apples and oranges to a degree. Car owners don't receive a use at your own risk disclaimer either. Yet some Toyota owners faced horrifying instances of subpar prechecks. GM recalled a million or so cars and the list will always go on and on. Mistakes happen, period, and when mistakes DON'T happen Murphy's Law does. I can't speak for any software vendor but I can speak about insecurity and exploitability of software. That too is what it is from any standpoint, be it anywhere in Redmond to any other location. Look at Sun's horrible misstep with telnet: humor Highlights The Solaris 10 Operating System, the most secure OS on the planet, provides security features previously only found in Sun's military-grade Trusted Solaris OS. /humor Really? http://blogs.securiteam.com/index.php/archives/814 9 Vulnerabilities for Microsoft *ANYTHING* of the first 60 published. But again, this is irrelevant. I don't care for any operating system anymore. I care for the one that accomplishes what I need to do at any given time.
Be it Linux, Windows, BSD, Solaris heck get me plan9 with Rio, I could care less. However, myself as an end user, I'm the one responsible for my machine as I am the one running it. If I find it to be insecure or virus/trojan/malware/exploitability prone, there is no one shoving it down my throat. Even if I didn't know any better. So for those who are unaware of what's going on, how difficult would it be to create a function within an ISP tasked with keeping a network structured to avoid allowing OUTBOUND malicious traffic. We could argue about: But that would be snooping where I could always point at that a NAC could be set up prior to allowing a client to connect. Can anyone honestly tell me that one of their clients would be upset slash disturbed slash alarmed about an ISP protecting them (the customer) as well as other neighbors (customers)? That's like saying: Oh they set up a neighborhood watch association... and they're watching over my house when I'm not home or capable of watching all sides of my house... HOW DARE THEY! Sorry I can't picture that happening. What I picture is fear and people dragging their feet. I can tell you what though, for the first company to pick up on that framework, I can guarantee you the turnover rate wouldn't be as high as say being on a network where now the business connection is lagged because of spam, botnets and other oddities that could have been prevented. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently. - Warren Buffett 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E
Re: Nato warns of strike against cyber attackers
On 6/9/2010 13:35, JC Dill wrote: IMHO it is impossible to regulate the internet as a whole. Exactly so. That is precisely why you don't want somebody else to attempt it. The only hope is for everybody to take personal responsibility for their little piece of it. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Nato warns of strike against cyber attackers
The original article is FUD. The Times newspaper is historically known as MI5, MI6's newspaper of choice. Andrew http://sites.google.com/site/n3td3v/
Re: Nato warns of strike against cyber attackers
On 6/9/2010 1:43 PM, Larry Sheldon wrote: On 6/9/2010 13:35, JC Dill wrote: IMHO it is impossible to regulate the internet as a whole. Exactly so. That is precisely why you don't want somebody else to attempt it. The only hope is for everybody to take personal responsibility for their little piece of it. This situation has led to the growth of blacklists, and whitelists of all sorts. These, at least have some potential to drive dollars to hosts/providers with better records of behavior. Not a silver bullet.. and not without controversy. And of course the cost is paid by victims up-front. Law and order in the wild west.. Ken -- Ken Anderson Pacific Internet - http://www.pacific.net
Re: Nato warns of strike against cyber attackers
On Wed, 2010-06-09 at 12:08 -0500, Joe Greco wrote: That's not going to happen (but I'll be happy to be proven wrong). Oh, there are so many things that are not going to happen, aren't there? And because of that we shouldn't even bother suggesting regulation as a solution to anything because the big companies won't let it happen? It took a few decades, but eventually people figured out that tobacco killed people, and some of the biggest financial interests in the world ended up being legislated against. That process is not finished, the rearguard action is not played out, but the setup is not the cosy little we'll do whatever we want and you can't stop us that we had in the fifties. The Mafia in Italy seemed indomitable a few decades ago. It had the whole country (and large chunks of the US and other countries) in its grip, apparently unchallengeable. But the Mafia in Italy is now dying under the weight of courageous police and judges and a legal system that in spite of itself tries to do the will of the people. Little by little the changes were made, little by little the structures the Mafia depended upon were taken away. Including, most importantly, the belief amongst Italians that the Mafia was untouchable. Your argument seems to be if we do X, it won't work. This is true for almost any X, because our field, like many other specialist fields, is a kind of ecosystem. Many factors have reached a kind of equilibrium, and it's really hard to look at any one factor and say fix that without seeing how so many other factors would work against the change. Try thinking about what *could* happen rather than what *can't* happen. What legislator is going to vote for software liability reforms that will ruin major software companies? When their own staff and experts will be willing to state that outcome, in no uncertain terms? Why do you assume these laws will ruin anyone? 
No one is seeking to destroy software companies, any more than the people who demanded accountability from auto manufacturers or pharmaceutical companies wanted to put them out of business. People want cars and medicine, and are prepared to pay for them. But if the car is defective or the medicine proves harmful, people want recourse in law. Same for software. When the company screws up, people should be able to take them to court and have a realistic chance of success if their grievance is real. It is that simple. Yet when we read of yet another buffer overflow exploit in a Microsoft product we just sigh and update our virus checkers, because Microsoft has *zero* obligation in law to produce software that has no such flaws. There is no other product group I know of where a known *class* of defect would be permitted to continue to exist without very serious liability issues arising. What are the outcomes here? We pass such legislation, it doesn't magically fix things. It just means that companies like Adobe and Microsoft are suddenly on the hook for huge liabilities if they continue to sell their current products. Do we expect them to *stop* selling Windows, etc.,? You assume it all happens at once. You assume the change will be large. You assume there is no grace period. You assume a lot, then act as if it must be so. That's the problem, isn't it. If we were serious about it, we could approach the problem differently: rather than trying to tackle it from a marketplace point of view, perhaps we could instead tackle it from a regulatory point of view. Could we mandate that the next generation of browsers must have certain qualities? It's an interesting discussion, and in some way parallels the car safety examples I provided earlier. Mandating specific qualities in that sense leads to legislation that is out of date before the ink is dry.
No - you mandate only that products must be fit for their intended purpose, and you declare void any attempts to contract away this requirement. Just like with other products! And then you let the system and the market work out the rest. I certainly agree, but it isn't going to be wished away in a minute. To do so would effectively destroy some major technology companies. You do a great line in straw men. Who said it would take a minute? Not I. Not anyone. People are just trying to point out that while it may be difficult, it's not impossible. We are also trying to point out the places where effective positive change could be made. in a way) That's one of the reasons I had predicted more appliance-like computers, and now they seem to be appearing in the form of app-running devices like the iPad. From a network operator's point of view, that's just great, because the chance of a user being able to do something bad to the device is greatly reduced. There is no reduction in the chance that the manufacturer will screw up, making their product vulnerable to attack. But even if all iPads turn out to be totally crackable, Apple will still have no obligation at all to fix
Re: Nato warns of strike against cyber attackers
On 6/9/2010 14:37, Karl Auer wrote: [good stuff] Try thinking about what *could* happen rather than what *can't* happen. Even better: Think here is what I can do. And then do it. -- Somebody should have said: A democracy is two wolves and a lamb voting on what to have for dinner. Freedom under a constitutional republic is a well armed lamb contesting the vote. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Nato warns of strike against cyber attackers
On June 8, 2010 at 21:05 fergdawgs...@gmail.com (Paul Ferguson) wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tue, Jun 8, 2010 at 8:59 PM, JC Dill jcdill.li...@gmail.com wrote: I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an attractive nuisance - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess. Do you honestly believe that if 80% of the world's consumer computers were *not* MS operating systems, that the majority of computers would still not be targeted? Ah, the disinformation reply... MAYBE IF [please read thru before replying because I probably cover most knee-jerk responses eventually]: a) Microsoft hadn't ignored well-known techniques for dividing secure vs insecure operations in their kernel, thus allowing any email script you're reading to do whatever it wants including, e.g., re-writing the boot blocks. b) Microsoft hadn't made the first and usually only newly created user root on a new system so it'd be easier to install applications they bought and administer the system and save them understanding that they sometimes have to type in a separate administrator's password. But the extra typing and forgetting that password of course would detract from the user experience. c) Microsoft hadn't distributed, for decades, systems with graphics libraries which relied on injecting raw machine code into the kernel to speed up operations like scrolling a window (which used to be very slow without this, as one example), and got their third-party vendors so hooked on this technique that they screamed bloody murder every time MS even hinted that they might remove it. It took generations of OLE, X controls, .NET, etc to get rid of this, if it's even completely gone now.
d) Microsoft hadn't ignored all these basic security practices in operating systems which were completely well understood and implemented in OS after OS back to at least 1970 if not before because they saw more profit in, to use a metaphor, selling cars without safety glass in the windshields etc, consequences be damned. e) Microsoft hadn't made tens if not hundreds of billions off the above willful negligence for decades (if you include the first warning when viruses became rampant in the late 80s, plus a decade of infected zombie bots starting in the late 90s) after they knew full well the disastrous consequences, causes, and fixes. f) The fact that Microsoft began putting in exactly the fixes the above implies with, generously, XP SP2, but not seriously until Vista (general release: January 30, 2007) which is tantamount to an admission of guilt. Such as separating Administrator from User and the privileges thereof. Then, and only then, MAYBE their mere market dominance would be a plausible reason. But for those of us who actually UNDERSTAND operating systems and how their security works (or doesn't) and what the problems have been specifically, statistics and probabilities and hand waves just can't trump KNOWING AND UNDERSTANDING THE FACTS AND HOW THESE THINGS WORK! Blaming Microsoft OS's vulnerability to viruses and zombification on their market dominance would be like blaming the running out of IPv4 addresses on cisco's market dominance. It has a certain appeal to the ignorant, but anyone who knows anything about the actual causes and history knows there's not one grain of truth to it. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: Nato warns of strike against cyber attackers
On Jun 9, 2010, at 8:26 AM, Brielle Bruns wrote: On 6/9/10 6:27 AM, Jorge Amodio wrote: Going back then to a previous question, do we want more/any regulation? Laws and regulation exist because people can't behave civilly and be expected to respect the rights/boundaries/property of others. CAN-SPAM exists because the e-mail marketing business refused to self regulate and respect the wishes of consumers/administrators. Which is good, because it certainly eliminated most of the SPAM. -- NOT! FDCPA exists because the debt collectors couldn't resist the temptation to harass and intimidate consumers, and behave ethically. And of course, it has caused them all to do so, now, right? -- NOT! It's just a matter of time, and really unavoidable. The thing is, these industries have no one to blame but themselves. In all cases, these laws/regulation only came into effect AFTER situations got out of control. Software has been out of control for a long time and I hope that the gov't will start by ruling the not responsible for our negligence or the damage it causes clauses of software licenses invalid. That would actually be a major positive step because it would allow consumers to sue software manufacturers for their defects and the damages they cause, leading to a radical change in the nature of how software developers approach responsibility for quality in their products. Right now, most consumer operating systems are unsafe at any speed. Lately, the courts have been ruling that companies like LimeWire are responsible for their products being used for piracy/downloading because they knew what was going on, but were turning a blind eye. This is a positive step, IMHO, but, now companies like Apple and Micr0$0ft need to be held to similar standards. Why not apply the same standards to ISPs? If it can be shown that you had knowledge of specific abuse coming from your network, but for whatever reason, opted to ignore it and turn a blind eye, then you are responsible. I agree.
When I see abuse from my network or am made aware of it, I isolate and drop on my edge the IPs in question, then investigate and respond. Most times, it takes me maybe 10-15 minutes to track down the user responsible, shut off their server or host, then terminate their stupid self. Yep. A little bit of effort goes a long way. But, if you refuse to put in the effort (I'm looking at you, GoDaddy Abuse Desk), then of course the problems won't go away. Agreed. Owen
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On June 9, 2010 at 07:39 jmamo...@gmail.com (Jorge Amodio) wrote:

1. Should ISPs be responsible for abuse from within their customer base?

Not sure, ISPs' role is just to move packets from A to B, you need to clearly define what constitutes abuse and how much of it is considered a crime. If I call your home every five minutes to harass you over the phone, is ATT responsible?

Actually, that might be in their purview. The example I would use is if someone called you to sell you swamp land in Florida or otherwise tried to swindle you, is that the phone company's responsibility, to ensure the honesty of all phone transactions?

--
-Barry Shein

The World | b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Re: Nato warns of strike against cyber attackers
On 6/9/2010 15:56, Owen DeLong wrote:

On Jun 9, 2010, at 8:26 AM, Brielle Bruns wrote:

On 6/9/10 6:27 AM, Jorge Amodio wrote:

Going back then to a previous question, do we want more/any regulation?

Laws and regulation exist because people can't behave civilly and be expected to respect the rights/boundaries/property of others. CAN-SPAM exists because the e-mail marketing business refused to self-regulate and respect the wishes of consumers/administrators.

Which is good, because it certainly eliminated most of the SPAM. -- NOT!

It is actually an outstanding example of something I spoke of here earlier. Without any exception that I know of, regulations are written to protect the entrenched. CAN-SPAM was written to protect spammers, not to prevent anything important to them.

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
Again, apples and oranges to a degree. Car owners don't receive a "use at your own risk" disclaimer either. Yet some Toyota owners faced horrifying instances of subpar prechecks. GM recalled a million or so cars and the list will always go on and on. Mistakes happen, period, and when mistakes DON'T happen, Murphy's Law does. I can't speak for any software vendor, but I can speak about insecurity and exploitability of software. That too is what it is from any standpoint, be it anywhere in Redmond or any other location. Look at Sun's horrible misstep with telnet:

Note, however, that in all of these cases, the car manufacturers were liable and did have to take action to resolve the issues. WHY are software companies not held to these same standards? There's no need for new law, just for the judiciary to wake up and stop granting them a bizarre and unreasonable exemption from the existing laws.

Owen
Re: Nato warns of strike against cyber attackers
On Jun 9, 2010, at 2:05 PM, Larry Sheldon wrote:

On 6/9/2010 15:56, Owen DeLong wrote:

On Jun 9, 2010, at 8:26 AM, Brielle Bruns wrote:

On 6/9/10 6:27 AM, Jorge Amodio wrote:

Going back then to a previous question, do we want more/any regulation?

Laws and regulation exist because people can't behave civilly and be expected to respect the rights/boundaries/property of others. CAN-SPAM exists because the e-mail marketing business refused to self-regulate and respect the wishes of consumers/administrators.

Which is good, because it certainly eliminated most of the SPAM. -- NOT!

It is actually an outstanding example of something I spoke of here earlier. Without any exception that I know of, regulations are written to protect the entrenched. CAN-SPAM was written to protect spammers, not to prevent anything important to them.

Actually, as much as it would make so much more sense if that were the case, it simply isn't true. CAN-SPAM was written to be a compromise that was supposed to allow consumers to opt out of receiving SPAM and prevent SPAMMERs from sending unwanted messages. Sadly, of course, it hasn't done either one.

Owen

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Nato warns of strike against cyber attackers
Your humor has me roflmao

-henry

From: Paul Vixie vi...@isc.org
To: na...@merit.edu
Sent: Wed, June 9, 2010 10:14:34 AM
Subject: Re: Nato warns of strike against cyber attackers

d...@bungi.com (Dave Rand) writes:

... With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.

+1.

--
Paul Vixie
KI6YSY
Re: Nato warns of strike against cyber attackers
On Wed, 2010-06-09 at 12:08 -0500, Joe Greco wrote:

That's not going to happen (but I'll be happy to be proven wrong).

Oh, there are so many things that are not going to happen, aren't there? And because of that we shouldn't even bother suggesting regulation as a solution to anything because the big companies won't let it happen?

Thankfully, I'm going to stop reading this right here, because you're attributing to me something I didn't say. I said that rewriting the liability laws to outlaw draconian EULAs wasn't going to happen. I'm fairly certain that regulation, on the other hand, is likely to be the solution that ends up working, and I said so much earlier. So since I'm not interested in rehashing the issues for you, I'm going to go take the evening off.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Nato warns of strike against cyber attackers
On 6/9/2010 14:37, Karl Auer wrote:

[good stuff]

Try thinking about what *could* happen rather than what *can't* happen.

Even better: Think "here is what I can do." And then do it. Some of us already do:

Implement BCP38
Implement spam scanning for e-mail
Have a responsive abuse desk
Reload - not repair - any compromised systems
Sponsor resources to combat spam
many more etc.

Some of us have been doing what you suggest for so long that we've become a bit skeptical and cynical about it all, especially when we see that in the last decade, BCP38 filtering still isn't prevalent, abuse desks are commonly considered to be black holes, and people still talk about "disinfecting" a virus-laden computer. There is only so much you can do, short of getting out a Clue by Four and going around hitting people with it.

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Nato warns of strike against cyber attackers
On 6/9/2010 18:04, Joe Greco wrote:

On 6/9/2010 14:37, Karl Auer wrote:

[good stuff]

Try thinking about what *could* happen rather than what *can't* happen.

Even better: Think "here is what I can do." And then do it. Some of us already do:

Implement BCP38
Implement spam scanning for e-mail
Have a responsive abuse desk
Reload - not repair - any compromised systems
Sponsor resources to combat spam
many more etc.

Some of us have been doing what you suggest for so long that we've become a bit skeptical and cynical about it all, especially when we see that in the last decade, BCP38 filtering still isn't prevalent, abuse desks are commonly considered to be black holes, and people still talk about "disinfecting" a virus-laden computer. There is only so much you can do, short of getting out a Clue by Four and going around hitting people with it.

I am sorry to report that doing the right thing rarely gets any ink. But it is still the right thing, and you have to keep doing it--if for no reason better than being able to live with yourself.

Thanks for what you do.

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: Nato warns of strike against cyber attackers
Cyber Threats Yes, But Is It Cyber War? http://www.circleid.com/posts/20100609_cyber_threats_yes_but_is_it_cyberwar/ -J
Re: Nato warns of strike against cyber attackers
Jorge Amodio wrote:

So NANOGers, what will be the game plan when something like this happens, will you be joining NATO and pulling fiber? I wonder when all types of warm-fuzzy filtering will be drafted into networking: Thou shalt re-read RFC4953 lest you want Predator strikes on your NAP locations... We have a large supply of tin hats in stock ... My .02

All humor aside, I'm curious to know what anyone can truly do at the end of the day if, say, a botnet was used to instigate a situation. Surely someone would have to say something to the tune of "better now than never" to implement BCP filtering on a large scale. "Knobs, Levers, Dials and Switches: Now and Then (please sir, may I have some more?)" is 7 years old, yet I wonder, in practice, how many networks have 38/84 filtering. I'm wondering why it hasn't been implemented off the shelf in some of the newer equipment. This is not to say huge backbones should have it, but think about it: if smaller networks implemented it from the rip, the overhead wouldn't hurt that many of the bigger guys. On the contrary, my theory is it would save them headaches in the long run... Guess that's a pragmatic approach. Better that than an immediate pessimistic one.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E
Re: Nato warns of strike against cyber attackers
[In the message entitled "Re: Nato warns of strike against cyber attackers" on Jun 8, 16:03, J. Oquendo writes:]

All humor aside, I'm curious to know what anyone can truly do at the end of the day if, say, a botnet was used to instigate a situation. Surely someone would have to say something to the tune of "better now than never" to implement BCP filtering on a large scale. "Knobs, Levers, Dials and Switches: Now and Then (please sir, may I have some more?)" is 7 years old, yet I wonder, in practice, how many networks have 38/84 filtering. I'm wondering why it hasn't been implemented off the shelf in some of the newer equipment. This is not to say huge backbones should have it, but think about it: if smaller networks implemented it from the rip, the overhead wouldn't hurt that many of the bigger guys. On the contrary, my theory is it would save them headaches in the long run... Guess that's a pragmatic approach. Better that than an immediate pessimistic one.

It's really way, way past time for us to actually deal with compromised computers on our networks.

Abuse desks need to have the power to filter customers immediately on notification of activity. We need to have tools to help us identify compromised customers. We need to have policies that actually work to help notify the customers when they are compromised.

None of this needs to be done for free. There needs to be a security fee charged to _all_ customers, which would fund the abuse desk.

With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.

--
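The two messages above argue for BCP38/84 filtering at the edge without spelling out what the filter actually decides per packet. The block below is an added example written for this page, not code from any poster in the thread or from any router vendor. It models a customer-edge router's source-address check in Python: the static ingress ACL that BCP38 describes for a single-homed customer port, and the strict, feasible-path and loose modes of unicast RPF that BCP84 describes for multihomed customers. The FIB, interface names and packets are constructed (documentation prefixes from RFC 5737 and RFC 3849), and the choice to treat the default route as "no route" in loose mode mirrors the usual allow-default-off setting; both are assumptions of the example, not facts from the thread.

```python
"""Source-address validation at the customer edge, per BCP38 (static ingress
ACL) and BCP84 (unicast RPF: strict / feasible-path / loose).
Added example; the FIB, interface names and packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: object                     # an ipaddress.IPv4Network / IPv6Network
    best: frozenset                    # interfaces on the FIB's best path
    feasible: frozenset = frozenset()  # extra interfaces an alternate (backup)
                                       # path uses: BCP84 "feasible path" uRPF


class Fib:
    """Longest-prefix-match table over Route entries (constructed, not a real FIB)."""

    def __init__(self, routes):
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        for r in self.routes:
            if addr in r.prefix:       # an IPv4 address never matches an IPv6 prefix
                return r
        return None


def is_martian(src):
    """Sources that must never arrive on any interface, whatever the FIB says."""
    return src.is_unspecified or src.is_loopback or src.is_multicast or src.is_link_local


def bcp38_acl(assigned_prefixes, src):
    """Single-homed customer port: permit only the prefixes assigned to that port."""
    src = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p, strict=False) for p in assigned_prefixes]
    return (not is_martian(src)) and any(src in n for n in nets)


def urpf(fib, mode, ingress_if, src):
    """Unicast RPF check; True means accept.

    strict   : the best route to src must point back out ingress_if
    feasible : any feasible (best or alternate) path may; needed for
               multihomed customers whose traffic comes in asymmetrically
    loose    : any non-default route to src exists; only catches
               unrouted/unallocated space, never a spoofed routed prefix
    """
    src = ipaddress.ip_address(src)
    if is_martian(src):
        return False
    route = fib.lookup(src)
    if route is None or route.prefix.prefixlen == 0:   # unrouted, or only the default route
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return ingress_if in route.best
    if mode == "feasible":
        return ingress_if in (route.best | route.feasible)
    raise ValueError(f"unknown uRPF mode {mode!r}")


def demo_fib():
    """Constructed edge router: two customers and one upstream, documentation prefixes."""
    n = ipaddress.ip_network
    return Fib([
        Route(n("0.0.0.0/0"), frozenset({"xe-1/0/0"})),                 # default via upstream
        Route(n("192.0.2.0/24"), frozenset({"ge-0/0/1"})),               # single-homed customer A
        Route(n("198.51.100.0/24"), frozenset({"ge-0/0/2"}),             # customer B, primary link
              frozenset({"ge-0/0/3"})),                                  # ... and backup link
        Route(n("2001:db8:1::/48"), frozenset({"ge-0/0/1"})),            # customer A, IPv6
    ])


PACKETS = [  # (ingress interface, source address, why it is interesting); constructed
    ("ge-0/0/1", "192.0.2.10",   "customer A, own prefix"),
    ("ge-0/0/1", "203.0.113.5",  "customer A spoofing someone else's routed prefix"),
    ("ge-0/0/3", "198.51.100.7", "customer B arriving on its backup link"),
    ("ge-0/0/1", "127.0.0.1",    "martian"),
    ("xe-1/0/0", "10.1.2.3",     "from upstream, covered only by the default route"),
    ("xe-1/0/0", "198.51.100.7", "from upstream, claiming customer B's prefix"),
]


def evaluate(fib, mode, packets=PACKETS):
    """Return {(ingress_if, src): accepted} for one uRPF mode."""
    return {(ifc, src): urpf(fib, mode, ifc, src) for ifc, src, _ in packets}


if __name__ == "__main__":
    fib = demo_fib()
    for mode in ("strict", "feasible", "loose"):
        print(f"--- uRPF {mode}")
        for ifc, src, why in PACKETS:
            verdict = "accept" if urpf(fib, mode, ifc, src) else "DROP  "
            print(f"{ifc:9} {src:15} {verdict}  {why}")
```

Run as-is to see the three verdict tables. The row that matters for the "why don't smaller networks just turn it on" question is customer B on ge-0/0/3: strict mode drops legitimate traffic that arrives over the backup link, which is the reason multihomed ports get feasible-path (or a static BCP38 ACL listing every prefix the customer may source) rather than strict, and why loose mode, which accepts anything with a route, is the only option left on an upstream-facing port.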
Re: Nato warns of strike against cyber attackers
None of this needs to be done for free. There needs to be a security fee charged to _all_ customers, which would fund the abuse desk.

With more than 100,000,000 compromised computers out there, it's really time for us to step up to the plate, and make this happen.

Or you should send the bill to the company that created the software that facilitated getting so many computers compromised; some folks in Redmond have a large chunk of money in the bank.

My .02
Re: Nato warns of strike against cyber attackers
Brielle Bruns wrote:

Problem is, there's no financial penalties for providers who ignore abuse coming from their network. DNSbl lists work only because after a while, providers can't ignore their customer complaints and exodus when they dig deep into the bottom line.

We've got several large scale IP blocks in place in the AHBL due to this exact problem - providers know there's abuse going on, they won't terminate the customers or deal with it, because they are more than happy to take money. Legit customers get caught in the cross-fire, and they suffer - but at the same time, those legit customers are the only ones that will be able to force a change on said provider.

They contact us, and act all innocent, and tell people we're being unreasonable, neglecting to tell people at the same time that the 'unreasonable' DNSbl maintainer only wants for them to do a simple task that thousands of other providers and administrators have done before.

I know it's akin to Apples and Oranges, but maybe a network forfeiture (http://www.lectlaw.com/def/f054.htm) clause could be drafted. Surely there should be no outcry for stating: "If your network is dirty, it's gone, including all your equipment." I wonder how fast some network operators would have their networks.

Again, re-visiting re-hashed threads: http://www.mail-archive.com/na...@merit.edu/msg50472.html

Surely a vast majority have to be tired of the garbage coming from your own networks and others. I can tell you I'm tired of my phone ringing because some tollfraudster keeps thinking he's making uber calls when he's stuck in one of my honeypots.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E
Re: Nato warns of strike against cyber attackers
On 6/8/2010 15:44, J. Oquendo wrote:

Brielle Bruns wrote:

Problem is, there's no financial penalties for providers who ignore abuse coming from their network. DNSbl lists work only because after a while, providers can't ignore their customer complaints and exodus when they dig deep into the bottom line.

We've got several large scale IP blocks in place in the AHBL due to this exact problem - providers know there's abuse going on, they won't terminate the customers or deal with it, because they are more than happy to take money. Legit customers get caught in the cross-fire, and they suffer - but at the same time, those legit customers are the only ones that will be able to force a change on said provider.

They contact us, and act all innocent, and tell people we're being unreasonable, neglecting to tell people at the same time that the 'unreasonable' DNSbl maintainer only wants for them to do a simple task that thousands of other providers and administrators have done before.

I know it's akin to Apples and Oranges, but maybe a network forfeiture (http://www.lectlaw.com/def/f054.htm) clause could be drafted. Surely there should be no outcry for stating: "If your network is dirty, it's gone, including all your equipment." I wonder how fast some network operators would have their networks.

Again, re-visiting re-hashed threads: http://www.mail-archive.com/na...@merit.edu/msg50472.html

Surely a vast majority have to be tired of the garbage coming from your own networks and others. I can tell you I'm tired of my phone ringing because some tollfraudster keeps thinking he's making uber calls when he's stuck in one of my honeypots.

I have, for what, 20 years? been begging for vendors to provide clean service.

But there is no hurry, the world government (spare me the tin hats thing. Have you noticed what is going on in Washington lately?) will take care of it.

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml