I presume this CNN article falls within the "Internet operational and technical issues" (especially security) criteria of the NANOG AUP,
in terms of "operat[ing] an Internet connected network",
especially where Chertoff refers to "like an anti-aircraft weapon, shoot down an [Internet] attack before it hits its target".
http://www.cnn.com/2008/TECH/10/04/chertoff.cyber.security/index.html
Homeland Security seeks cyber counterattack system
WASHINGTON (CNN) -- First, there was "Einstein," the federal government's effort to protect itself from cyber attacks by limiting the number of portals to government computer systems and searching for signs of cyber tampering.
Then Einstein 2.0, a system now being tested to detect computer intrusions as they happen.
And in the future? Perhaps Einstein 3.0, which would give the government the ability to fight back.
Homeland Security Secretary Michael Chertoff on Friday said he'd like to see a government computer infrastructure that could look for early indications of computer skullduggery and stop it before it happens.
The system "would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target," he said. "And that's what we call Einstein 3.0."
Tony Patti wrote:
I presume this CNN article falls within the "Internet operational and technical issues" (especially security) criteria of the NANOG AUP,
in terms of "operat[ing] an Internet connected network",
especially where Chertoff refers to "like an anti-aircraft weapon, shoot down an [Internet] attack before it hits its target".
<snip>
The system "would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target," he said. "And that's what we call Einstein 3.0."
<snip>
http://en.wikipedia.org/wiki/Iran_Air_Flight_655
I'm not sure that this may not be veering into political OT, but, to the
extent that proactive and automated reaction tools are being considered,
even as benign as internal blackhole route generation, it may be worth
discussing cases where, for various reasons, an automated defense system did
not operate and people died.
From a technical perspective, the Iran Air shootdown probably would not have
happened, rather like Chernobyl, if there hadn't been humans in the loop
overriding safeguards and making determinations of threats. In particular,
if one wanted to look at a technical parallel that actually might be useful
in network operations, part of the Iran Air disaster was that the decisions
were all being made at one point, the ship that actually fired the missiles.
Think centralized routing. Now, there's a military technique called
Cooperative Engagement Capability that I liken to link state routing; it's a
distributed computation model where each participating ship, radar aircraft,
etc., gets the sensor information from the others, and the decisionmaking
can become much more precise. In the Iran Air incident, at least one other
U.S. ship had radar tracking on the airliner and was trying to warn that it
was not a valid target. I'm saying this technically and from a standpoint
of fault analysis avoidance, not politics. Just as the USS Vincennes'
captain caused a disaster by deciding to fire on a very questionable target,
the USS Stark took missile hits because the captain had not turned on the
missile defenses. The one SCUD hit in the Gulf War that caused major
casualties was not engaged at all, apparently from a mixture of one radar
being down for maintenance while the backup had not received a software
patch to deal with a clock synchronization bug; the bug caused the radar to
decide the incoming missile was an artifact and it was removed from the
target list.
Less seriously, my first reaction to Chertoff's statement is that the
antiaircraft barrage already exists, is called Windows XP Pro Service Pack
3, which is sufficiently fanatical on my machine that its uninstaller
committed suicide.
Bad idea.
The rogue government would use hospitals and power stations as a "cyber
human shield" against the counterattack.
You guys are living in cloud cuckoo land. The rogue government
wouldn't have their botnets in home computers that you could shut
down easily.
Read my rant about it all with the link below that I typed in May 2008
to stop the "Afcyber" idea going through.
http://lists.grok.org.uk/pipermail/full-disclosure/2008-May/062517.html
All the best,
n3td3v
There is no need to attack the attacking computers; this would be a
mostly useless process and you'd always miss some. If the 'attacks'
could not be filtered, the links 'external' to that nation would be
'cut', the internet would be segmented, and we could all go back to
our regularly planned days.
I have a big problem with politicians making technical decisions that
may look good at the political level but make no sense at the technical
level.
"fighting back" implies that your own facilities will be busy pinging
thousands of bots to death around the world. Yeah, smart. Looks good
during a politician's speech, but in reality, what good does "fighting
back" do when the remote computers won't be hurt by it ?
I think the speech would have far more credibility if the politician had
used terms such as "dynamic protection against attacks" where the
network would reconfigure itself dynamically to block attacks etc etc.
Jean-François Mezei wrote:
I have a big problem with politicians making technical decisions that
may look good at the political level but make no sense at the technical
level.
Works in the financial world, doesn't it?
Yes, they put these bizarre ideas out there to see what public opinion
is, they don't have a chance in hell of implementing it.
The system "would literally, like an anti-aircraft weapon, shoot down an
attack before it hits its target," he said. "And that's what we call
Einstein 3.0."
Oh dear.
I cringe whenever I read such a massacre of correct English like this.
If it's going to "literally" shoot down an attack like an AA weapon, are
they planning on physically launching projectiles at compromised machines
across the world and destroying them?
That really *would* be something worth seeing.
B
I'm surprised that no one has made a Skynet reference yet, perhaps because
such a reference would be trite and predictable. I'm feeling trite and
predictable this morning, so allow me to be the first. Homeland Security is
planning to launch Skynet. I hope you guys have your nuclear bunkers
stocked with Ensure. We on this list might be all that's left after
Judgement Day.
If it's going to "literally" shoot down an attack like an AA weapon, are
they planning on physically launching projectiles at compromised machines
across the world and destroying them?
Bill, they're probably planning on physically launching explosive
projectiles at compromised users.
/me dons his tinfoil hat
Steve
system(Einstein 3.0)
If it's going to "literally" shoot down an attack like an AA weapon, are
they planning on physically launching projectiles at compromised machines
across the world and destroying them?
Bill, they're probably planning on physically launching explosive
projectiles at compromised users.
/me dons his tinfoil hat
Steve
[Howard C. Berkowitz]
Not being able to resist, they may be thinking of physically launching
compromised users at the assumed servers. As the circus owner pleaded with
the Man Shot Out of the Cannon not to leave the show, he pointed out "It's
very difficult to find a man of your caliber."
(While that's Pythonesque rather than canonical Python, is there an
equivalent to Godwin's Law for pythonisms? Alas, would it be applicable if
the pythonism were issued by a government official?)
Seriously, see U.S. Joint Publication 3-13, "Information Operations", p. 33
of the PDF at http://www.dtic.mil/doctrine/jel/new_pubs/jp3_13.pdf. That is
intended, of course, for an actual war situation. The more open literature
on electronic warfare is also relevant to understand the less silly military
views -- and I emphasize a warfare situation, not a persistent spammer, may
the fleas of ten thousand camels infest his armpits.
Which is easier to shut down, an attack coming from a relatively small
number of /16s that belong to the government, or one coming from the
same number of source nodes scattered *all* over Comcast and Verizon
and BT and a few other major providers?
Hint 1: Consider the number of entry points into your network for the two
cases, especially if you are heavily peered with one or more of the source
ISPs. Consider also the "shoot self in foot" outcome if you decide to
block *all* of Comcast, Verizon, BT and the others....
Hint 2: If botnets in home computers were so easy to shut down, why are
there so many miscreants still using them for nefarious purposes?
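The two threads above (Howard's point that single-point decisions caused the Iran Air disaster while distributed sensor sharing makes decisions more precise, and the "shoot self in foot" warning about blocking entire providers) suggest what a safer automated blackhole generator would look like. The following is an added illustration written for this page, not code from any poster: sensor reports and prefixes are constructed, the quorum/TTL parameters are assumptions, and the rendered route syntax is illustrative only.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample reports: (sensor, suspected source prefix, packets per second).
SENSOR_REPORTS = [
    ("border-a", "203.0.113.0/24", 90000),
    ("border-b", "203.0.113.0/24", 85000),
    ("border-c", "203.0.113.0/24", 70000),
    ("border-a", "198.51.100.0/24", 95000),  # seen by one sensor only: not corroborated
    ("border-a", "10.0.0.0/8", 500000),      # hypothetical own address space
    ("border-b", "10.0.0.0/8", 400000),
    ("border-a", "198.18.0.0/15", 120000),   # too coarse: would cut off a whole provider
    ("border-b", "198.18.0.0/15", 110000),
]
OWN_PREFIXES = [ip_network("10.0.0.0/8")]  # never blackhole ourselves (assumed value)


def decide_blackholes(reports, own=OWN_PREFIXES, quorum=2, rate=50000,
                      min_prefixlen=24, ttl_seconds=600):
    """Return {prefix: (action, reason)} where action is 'blackhole' or 'skip'.

    A prefix is only blackholed when several independent sensors agree
    (distributed decision, not one ship firing), it does not overlap our own
    space, and it is no coarser than /24, so one decision cannot take out an
    entire ISP. Every approved entry carries an expiry so it is reversible.
    """
    witnesses = defaultdict(set)
    for sensor, prefix, pps in reports:
        if pps >= rate:
            witnesses[prefix].add(sensor)
    decisions = {}
    for prefix, sensors in witnesses.items():
        net = ip_network(prefix)
        if len(sensors) < quorum:
            decisions[prefix] = ("skip", f"only {len(sensors)} sensor(s), quorum is {quorum}")
        elif any(net.overlaps(p) for p in own):
            decisions[prefix] = ("skip", "overlaps own address space")
        elif net.prefixlen < min_prefixlen:
            decisions[prefix] = ("skip", f"/{net.prefixlen} is coarser than /{min_prefixlen}")
        else:
            decisions[prefix] = ("blackhole", f"{len(sensors)} sensors agree; expires in {ttl_seconds}s")
    return decisions


def rtbh_routes(decisions, discard_next_hop="192.0.2.1"):
    """Render approved entries as routes toward a discard next-hop (illustrative syntax)."""
    return [f"route {p} next-hop {discard_next_hop}"
            for p, (action, _) in sorted(decisions.items()) if action == "blackhole"]
```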
William Hamilton wrote:
If it's going to "literally" shoot down an attack like an AA weapon, are
they planning on physically launching projectiles at compromised machines
across the world and destroying them?
The politician saw the episode of Star Trek where "7 of 9" typed in a
few computer commands which caused some massive electrical jolt to be
emitted by the bad dude's keyboard a few light years away, knocking him
out. So they immediately think that they can do the same to incapacitate
those making attacks on USA govt systems.
Of course, this means the USA government will require all the world's
keyboards to be equipped with the 50,000 volt "this will shock you"
devices that only the USA government can trigger.
In other words, the politician's words should be included in some comic
book, but shouldn't be discussed seriously.
The system "would literally, like an anti-aircraft weapon, shoot down
an attack before it hits its target," he said. "And that's what we call
Einstein 3.0."
Correct me if I'm wrong, but doesn't even a basic firewall or ACL
provide the same functionality? Drop the packet, drop the attack? I'm in
the wrong business if implementing a firewall can net me $millions$ by
using appropriate buzzwords.....
Ken Matlock
Network Analyst
(303) 467-4671
matlockk@exempla.org
Matlock, Kenneth L wrote:
The system "would literally, like an anti-aircraft weapon, shoot down
an attack before it hits its target," he said. "And that's what we call
Einstein 3.0."
Correct me if I'm wrong, but doesn't even a basic firewall or ACL
provide the same functionality? Drop the packet, drop the attack? I'm in
the wrong business if implementing a firewall can net me $millions$ by
using appropriate buzzwords.....
It sounds like the first step for such a firewall vendor would be to pay the appropriate license fees for the Einstein name and likeness...
Then a little IP address geo-location coupled to the launch system and you're set. Any collateral damage would be no worse than the sort that's been caused by real anti-aircraft weapons.
Matthew Kaufman
matthew@eeph.com
http://www.matthew.at
Which is easier to shut down, an attack coming from a relatively small
number of /16s that belong to the government, or one coming from the
same number of source nodes scattered *all* over Comcast and Verizon
and BT and a few other major providers?
Hint 1: Consider the number of entry points into your network
for the two cases, especially if you are heavily peered with one or more
of the source ISPs.
The Federal Government (through its "Trusted Internet
Connection" initiative) is trying to limit the number
of entry points into the US Government networks.
(As I recall from 4000 interconnects to around 50,
where both numbers have a high percentage of politics
in the error bar.)
Assuming you were on an advisory panel, what advice would you give
the US Government on how to protect and defend its networks and ability
to maintain service?
Most government networks and services depend on private network operators
at some level.
Here is my take on this, recycling something I answered in similar
context earlier today. Too many companies and individuals rely far
too heavily on a false and outdated concept of the definition of
"minimum requirements" when it comes to security. They tend to
think they need to implement the minimum requirements and all will
be fine. This is evident in almost all security management material
I read where the goal is to offer a "minimum" set of requirements
to meet guidelines and regulatory controls.
What about exceeding the minimum requirements for a change? I
associate "minimum requirements" with laziness especially when it
comes to security. If companies structured their business a little
better, it could be more beneficial for them to speak out and
capitalize on security costs instead of worrying about the ROI on
implementing security technologies and practices.
This whole consensus about security not "making money" is flawed
and the more people stick with their confirmation and status quo
biases, the more businesses will NOT dish out for security causing
headaches and financial misery along the way, it's self-induced.
Can't wholly blame managers, a lot has to be weighed on the
organizations around the world whose wordings have been taken out
of context: e.g. "Under the proposal being considered, an
independent audit would ensure that their networks are secure,"
he explained. "This audit process would work across business
sectors, and would require companies to meet a minimum standard
of security competency."
(http://www.net-security.org/secworld.php?id=1731)
Many have taken the attitude to implement enough to meet MINIMUM
standards and this seems to be enough for them. Then some wonder
why systems get compromised. Concepts are taken out of context.
Just because an organization makes a recommendation on what
should be a "minimum", shouldn't mean companies or governments
should put in solely enough to meet compliance and guidelines.
Businesses and governments in this day and age should be going
above and beyond to protect not only themselves, but their clients,
infrastructure, investors, etc. Until then, we'll see the same,
putting out *just* enough to flaunt a piece of paper: "Minimum
requirements met" and nothing more. How is this security again?
How is minimizing the connection points going to really stop
someone from launching exploit A against a machine that hasn't
been properly patched? Might stop someone from somewhere in
China or so, but once an alternative entry point is found, that
vulnerability is still ripe for the "hacking".
It's like any other field - if the customer wants more than the minimum, they'll
have to pay more. Almost all contractors will at least act like they're trying
to meet the local building codes, because that's a minimum requirement. It's
the rare contractor indeed who will throw in the upgraded appliance package
and real marble flooring for free...
(I think you'll find that if somebody is actually willing to *pay* for more
security, there's plenty of outfits who are more than happy to make it happen)