If you are an ISP, big or small, you have dealt with issues tracking attacks. Its fustrating as hell. It usually takes hours to get talking to someone with clue sitting on top of the network the attack is coming from. Sometimes it takes hours for someone to talk to you.. :) When language barriers or large time differences come into play, it gets even harder. Attackers can use this to their advantage, especially if they are limiting themselves to a small time window for their attack. Everyone who has spent time working at ISPs has dealt with this, myself included.

A solution to this problem _is_ necessary. Its a "facilitation of communication" problem at its heart, not a "monitoring" problem. At the molment, I still have the taste in my mouth given by the Barlow articles I blogged earlier, so I have my doubts as to the intelligence community ability to solve this problem for us given their past record and methods of operations. The better route may be for the ISP/communication providers to come up with a cross-communication strategy themselves.

As long as the intelligence people have a way to request/demand information from the ISPs/comm providers (given some sort of thumbs up from a judge) about activity of a given user/ip/whatever, and get it fast, then they will most likely be happy. If they cannot achieve their end goals, they will create a solution for us. They would be very happy if the commercial sector solved the problem for them. It would remove their incentive to turn the screws.

If there was some central US NOC structure.. And it had a staff that rotated between people working in all the ISPs that parcticipated, the government had its folks there, and it was open for review.. And it acted as a communication center between ISPs and not just the ISPs and the TLAs. That would be sweet! Now, on the other hand, if there was some NOC in Langley connected to a bunch of sniffers sitting in every ISP, that was clouded in secrecy, that would not be nice. That would suck. If the latter would up happening, I picture people like Decius, Renka, and myself standing between racks of core/access routers and a bunch of spooks with black boxes going "No! No! Fuck you! This is bullshit!" and getting arrested cognitive dissident style, and being proud of it. I have no fear of that happening really. Not only would be be completely unconstutitional, but I am confident there are more then enough people in the ISP community willing to take a personal blow to keep it from happening.

So, while the users get pissed about this.. The ISPs should be communicating with each other, about how to communicate with each other. I'm sure there are a bunch of NANOG people coming to the same conclusions.

All the comments below are from Decius. They are in line with my views, and they point several things I don't, so I'm just going to leave them appended to this.

This is where I would normally put a page break.. :)... [ Read More (0.8k in body) ]

OK, time to replace news paper sensationalism with a
little down to earth fact.

First off, the author of the story everyone is forwarding
around is John Markoff. This is the guy who brought you
the Kevin Mitnick fiasco. Just keep that in mind and don't
forget to bring along a few grains of salt.

I'm linking here the September version of the document.

On the whole, this document is excellent. As a computer
security professional I would strongly support this set
of proposals. In fact, the general outline reminds me of
the set of recommendations I gave South Korea's "Cyber
Terror" Response Center two years ago. Of course, its much
more detailed and far better. I only had a 45 minute talk
given through translators. However, I strongly agree that
this is the correct direction for us to be moving in.

Furthermore, it should be noted that the need to protect
personal privacy and liberty are specifically underlined
through out the document. These concerns form a much more
significant part of the document then the text in question,
and the government correctly observes that often privacy,
liberty, and infrastructural security can be improved
simultaneously, and that improvements in one area often
assist the other.

This is the specific text in question:

] ISPs, hardware and software vendors, IT
] security-related companies, computer emergency
] response teams, and the ISACs, together, should
] consider establishing a Cyberspace Network
] Operations Center (Cyberspace NOC), physical or
] virtual, to share information and ensure
] coordination to support the health and reliability
] of Internet operations in the United States.
] Although it would not be a government entity and
] would be managed by a private board, the Federal
] government should explore the ways in which it
] could cooperate with the Cyberspace NOC.

My answer is a resounding YES. I've been responsible for
security for a large ISP. Almost every attack occurs
across multiple networks, and it is very important to
be able to rapidly coordinate between different networks.
However, in the past, efforts to build such organizations
have failed. ISPs do a good job of sharing ideas about
technical problems and up to date information on outages
through forums like nanog, but for various reasons, attempts
to get REAL TIME access to engineers at other ISPs for
security emergencies have failed. I suspect that this is
because providing real time assistance to a competitor in
an emergency is not something most ISPs feel highly
motivated to do.

Currently, if you track a security problem into another ISP's
network, you are left sitting on hold at their customer
service department. You get a level one tech who d... [ Read More (0.4k in body) ]