Create an Account
username: password:
 
  MemeStreams Logo

Draft of National Stratedy To Security Cyperspace (RE: Bush Administration Propose System for Monitoring Internet)
search
Home Agent Weblogs Social Network Post Help About

Rattle
Picture of Rattle
Rattle's Pics
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

Rattle's topics
Arts
  Literature
   Sci-Fi/Fantasy Literature
  Movies
  Music
Business
  Tech Industry
  Telecom Industry
Games
Health and Wellness
Holidays
Miscellaneous
  Humor
  MemeStreams
   Using MemeStreams
Current Events
  War on Terrorism
  Elections
Recreation
  Travel
Local Information
  SF Bay Area
   SF Bay Area News
Science
  Biology
  History
  Nano Tech
  Physics
  Space
Society
  Economics
  Futurism
  International Relations
  Politics and Law
   Civil Liberties
    Internet Civil Liberties
    Surveillance
   Intellectual Property
  Media
   Blogging
  Military
  Security
Sports
Technology
  Biotechnology
  Computers
   Computer Security
    Cryptography
   Cyber-Culture
   PC Hardware
   Computer Networking
   Macintosh
   Linux
   Software Development
    Open Source Development
    Perl Programming
    PHP Programming
   Spam
   Web Design
  Military Technology
  High Tech Developments

support us

Get MemeStreams Stuff!


 
Draft of National Stratedy To Security Cyperspace (RE: Bush Administration Propose System for Monitoring Internet)
Topic: Society 7:07 am EST, Dec 21, 2002

If you are an ISP, big or small, you have dealt with issues tracking attacks. Its fustrating as hell. It usually takes hours to get talking to someone with clue sitting on top of the network the attack is coming from. Sometimes it takes hours for someone to talk to you.. :) When language barriers or large time differences come into play, it gets even harder. Attackers can use this to their advantage, especially if they are limiting themselves to a small time window for their attack. Everyone who has spent time working at ISPs has dealt with this, myself included.

A solution to this problem _is_ necessary. Its a "facilitation of communication" problem at its heart, not a "monitoring" problem. At the molment, I still have the taste in my mouth given by the Barlow articles I blogged earlier, so I have my doubts as to the intelligence community ability to solve this problem for us given their past record and methods of operations. The better route may be for the ISP/communication providers to come up with a cross-communication strategy themselves.

As long as the intelligence people have a way to request/demand information from the ISPs/comm providers (given some sort of thumbs up from a judge) about activity of a given user/ip/whatever, and get it fast, then they will most likely be happy. If they cannot achieve their end goals, they will create a solution for us. They would be very happy if the commercial sector solved the problem for them. It would remove their incentive to turn the screws.

If there was some central US NOC structure.. And it had a staff that rotated between people working in all the ISPs that parcticipated, the government had its folks there, and it was open for review.. And it acted as a communication center between ISPs and not just the ISPs and the TLAs. That would be sweet! Now, on the other hand, if there was some NOC in Langley connected to a bunch of sniffers sitting in every ISP, that was clouded in secrecy, that would not be nice. That would suck. If the latter would up happening, I picture people like Decius, Renka, and myself standing between racks of core/access routers and a bunch of spooks with black boxes going "No! No! Fuck you! This is bullshit!" and getting arrested cognitive dissident style, and being proud of it. I have no fear of that happening really. Not only would be be completely unconstutitional, but I am confident there are more then enough people in the ISP community willing to take a personal blow to keep it from happening.

So, while the users get pissed about this.. The ISPs should be communicating with each other, about how to communicate with each other. I'm sure there are a bunch of NANOG people coming to the same conclusions.

All the comments below are from Decius. They are in line with my views, and they point several things I don't, so I'm just going to leave them appended to this.

This is where I would normally put a page break.. :)

OK, time to replace news paper sensationalism with a
little down to earth fact.

First off, the author of the story everyone is forwarding
around is John Markoff. This is the guy who brought you
the Kevin Mitnick fiasco. Just keep that in mind and don't
forget to bring along a few grains of salt.

I'm linking here the September version of the document.

On the whole, this document is excellent. As a computer
security professional I would strongly support this set
of proposals. In fact, the general outline reminds me of
the set of recommendations I gave South Korea's "Cyber
Terror" Response Center two years ago. Of course, its much
more detailed and far better. I only had a 45 minute talk
given through translators. However, I strongly agree that
this is the correct direction for us to be moving in.

Furthermore, it should be noted that the need to protect
personal privacy and liberty are specifically underlined
through out the document. These concerns form a much more
significant part of the document then the text in question,
and the government correctly observes that often privacy,
liberty, and infrastructural security can be improved
simultaneously, and that improvements in one area often
assist the other.

This is the specific text in question:

] ISPs, hardware and software vendors, IT
] security-related companies, computer emergency
] response teams, and the ISACs, together, should
] consider establishing a Cyberspace Network
] Operations Center (Cyberspace NOC), physical or
] virtual, to share information and ensure
] coordination to support the health and reliability
] of Internet operations in the United States.
] Although it would not be a government entity and
] would be managed by a private board, the Federal
] government should explore the ways in which it
] could cooperate with the Cyberspace NOC.

My answer is a resounding YES. I've been responsible for
security for a large ISP. Almost every attack occurs
across multiple networks, and it is very important to
be able to rapidly coordinate between different networks.
However, in the past, efforts to build such organizations
have failed. ISPs do a good job of sharing ideas about
technical problems and up to date information on outages
through forums like nanog, but for various reasons, attempts
to get REAL TIME access to engineers at other ISPs for
security emergencies have failed. I suspect that this is
because providing real time assistance to a competitor in
an emergency is not something most ISPs feel highly
motivated to do.

Currently, if you track a security problem into another ISP's
network, you are left sitting on hold at their customer
service department. You get a level one tech who doesn't
understand why you are calling them if you aren't a customer.
This could be a serious hassle in the event of an
unprecidented security emergency.

Now, Markoff says:

] The government report was first released in draft
] form in September, and described the monitoring center,
] but it suggested it would likely be controlled by
] industry. The current draft sets the stage for the
] government to have a leadership role.
]
] The new proposal is labeled in the report as an
] "early-warning center" that the board says is required
] to offer early detection of Internet-based attacks as
] well as defense against viruses and worms.

It would sure be nice if I could see a copy of this...
However, the article goes on to argue that what they
want to do is install a carnivore type system in every
ISP which will provide a central location with information
about real time network traffic.

The problem with the quotations, is that until the new
draft is released, they are completely speculative. At a
low level, an intrusion detection system works the same
way as carnivore. However, at a high level, the sort of
information what extracts from it is very different.

It is possible to imagine an IDS on every network,
controlled by the FBI, which they can log into and sniff
from if they need to. But, such a system has not been
proposed. It probably won't be proposed. And if it was
proposed, it wouldn't be enacted, because it would be
illegal.

In fact, any coordinated effort to have IDS systems
automatically share information with authorities about
suspicious packets including source and destination
address information would be unconstitutional on its
face.

THIS WILL NOT HAPPEN WITHOUT A CONSTITUTIONAL AMENDMENT.

Furthermore, IDS systems tend to be extremely noisey,
and prone to false positives. If they did this, it would
be totally ineffective, because there would simply be
too much information for them to handle.

The reason they want ISPs to coordinate is because they
cannot handle the complexity of this in a centralized
way. Having the government involved is a good idea
because previous efforts to make this happen in the
industry without government involvement have failed. The
government has interests in this from a nation security
standpoint that the ISPs, as businesses, don't have on
their own.

As an ISP, if I determine that my network is under
attack, and I want assistance, then I can go to a
NOC like this with the information that I have. "Please
tell network XYZ to stop sending SYN packets to me."

Establishing a central NOC will facilitate this, because
you can rest assured that the people who can act on
the information you have will get it, and you don't
have other ISPs and low level tech support people
between you and the solution to your problem.

So, basically, lets wait until they actually make a
proposal before jumping the gun here.

Draft of National Stratedy To Security Cyperspace (RE: Bush Administration Propose System for Monitoring Internet)

Thread [3] - Reply


  
 
Powered By Industrial Memetics		RSS2.0