More federal management of key components of the Internet needed

It's starting already.

I don't mean to diss any of the root server operators, they all do a great
job. But in the past it seemed the federal agency sysadmins had the
most difficult job getting the budget approval for upgrades, and seemed
to always be behind the performance curve.

I don't understand how giving the US federal government management control
of key components of the Internet will make it more secure. What steps could
the US federal government take which non-governmental organizations aren't
or couldn't do? Putting a root name server on a military base isn't
really going to protect it from DDOS attacks.

Should root servers be located in the "middle" of backbones, instead of stub
networks? Or do networks naturally "grow" towards root servers?

http://www.idg.net/ic_958962_1793_1-1681.html
  "More federal management of key components of the Internet
  infrastructure is needed, Julian and Brady agreed. That could include
  tax incentives or direct federal funding for private companies and
  public organizations managing key DNS servers to secure their systems,
  all of which are currently operated as a free service by companies,
  government entities and non-profit organizations.

  "This showcases a specific vulnerability that requires the government to
  get involved," Julian said. "If you run a DNS server what is your
  monetary incentive to secure it? There is none. This is the number one
  area of focus that the government should have."

Hey, Sean, if it is against the law to yell FIRE in a crowded
movie theatre in America...

Why isn't it against the law to (s)Yell "FUD" at Congress ?

  :\

Sean Donelan wrote:

It's starting already.

  It started with the USA Patriot Act, the beginning paroxysms of rigor mortis
of the American Constitutional Rights under a new regime, and the "virtual"
death of the Bill of Rights....

  This is just a continuation of an ongoing trend. (IMHO)

  Remember, after 10 years of being declared "paranoid", and an "Enemy of the
State", Abbie Hoffman was -absolutely right-! (CoinTelPro)

  Did anyone notice that under the new laws,

    -== Watergate is perfectly LEGAL ? ==-

</rant- but, let that one sink in....really.>

  Yes, I know Susan... switching to on-topic. :P

I don't understand how giving the US federal government management control
of key components of the Internet will make it more secure.

  Neither do I. For example, I recently received a joint FBI/DOJ letter...

(I believe if I leave out details, I am allowed to mention this here...)

It informed me that, 10 MONTHS AGO, a list was found that had an -email domain-
of ours, as a -possibly- affected -server-.
(There is no such actual server, it is only an e-mail domain.. )

  And, wanted me to see if there was any strange activity, somewhere in a
4 MONTH time frame, that I could see....

  Oh, BTW, they had NO information on methodology, layer 3 protocol affected,
ports, IP's.. and stated as such. -=Nothing=-

(Not even a valid server name)

And, ONLY, 10 MONTHS after the fact!
    
Why, do you know in Internet Years, that would be.....
  urrr.....that would be... carry the zero's...square the root,
  hrmmm...
   I would be DEAD ? :*

And these are the people that are going to -=improve=- security ?

How, by sentencing Perps to death by OLD AGE ? :)

What steps could
the US federal government take which non-governmental organizations aren't
or couldn't do? Putting a root name server on a military base isn't
really going to protect it from DDOS attacks.

Should root servers be located in the "middle" of backbones, instead of stub
networks? Or do networks naturally "grow" towards root servers?

http://www.idg.net/ic_958962_1793_1-1681.html
  "More federal management of key components of the Internet
  infrastructure is needed, Julian and Brady agreed. That could include
  tax incentives or direct federal funding for private companies and
  public organizations managing key DNS servers to secure their systems,
  all of which are currently operated as a free service by companies,
  government entities and non-profit organizations.

  "This showcases a specific vulnerability that requires the government to
  get involved," Julian said. "If you run a DNS server what is your
  monetary incentive to secure it? There is none.

  Wrong, the monetary incentive is that -=your=- system remains operational,
and your network UP, and responding.... when others don't.

What, no one in congress associates "uptime" with a "monetary
advantage" in business ?

No WONDER they all bought from Enron.

* S *

(Just kidding)

  This is the number one area of focus that the government should have."

  I think they should be focusing on terrorist activity, if you ask me.

  * shrug *

.Richard.

-= FUD! it isn't a sales tool, it's a way of Managing a Nation. =-

"God Bless America, and the American Constitution."

I leave you with the Oath of Office of the American President:

     "I do solemnly swear (or affirm) that I will
     faithfully execute the Office of the
     President of the United States, and will to
     the best of my ability, preserve, protect and
     defend the -=constitution=- of the United
     States."

Ok. One last Quote, from U2:

  "A Politicians Promise on the Day of Election"

This last quote is complete non-sense. The major reason an operator would
want to keep a root server secure and available is, in my mind at least,
the stigma associated with running a poor service. Something that EVERYONE
on the Internet could notice as a problem is a very large burden to bear.

Gov't requirements or management of this system is a non-starter, it's not
going to increase the security or availability of the systems in the
least.

-Chris "I should have slept through yesterday" Morrow.

Why isn't it against the law to (s)Yell "FUD" at Congress ?

Wouldn't do any good, they don't know any better. Few if any
Congresscritters are techno-literate -- I spent 3 years on the Hill, saw it
first hand....and it's not gotten much better.

The only language most Congresscritters understand is $$$$ and how it
relates to their staying elected by keeping their constituents somewhat
happy and impressed with their performance.

I don't understand how giving the US federal government management control
of key components of the Internet will make it more secure.

<Sean's Rant about FBI info request removed>

Remember this is the same 'cybercrime agency' that when I-Love-Y0U was
released, simply posted a NIPC warning saying "A New Virus Has Been Detected
in the Philippines." -- I was about to make sure my immunization records
were up to date. Even after I called them from my NOC, and told them that
the security community had already dissected the worm and there were sigs
and countermeasures available, they didn't update the warning on NIPC.GOV
for like 5 hours.

A screenshot of that particular example of NIPC's expertise is immortalized
here: http://www.infowarrior.org/articles/NIPC.jpg

Commentary I did about NIPC's warning capability is here, if you're
interested. http://www.infowarrior.org/articles/2000-06.html

And these are the people that are going to -=improve=- security ?

Hardly. They have a hard enough time passing information from one squad to
another within the FBI, they're never going to be able to survive and
interoperate in the Information Age against high-tech threats that move at
packet speed. And don't get me started about Infragard.....ugh...

I think they should be focusing on terrorist activity, if you ask me.

Good idea, since they still haven't got that task down yet, either.
Remember, the FBI - before and after its 2002 reorg - is, thanks to its
internal culture, UNABLE to work well with outsiders, be they cops, the CIA,
or ISP security teams. This has the unfortunate effect of severely torking
those folks in the FBI that are intelligent and want to make a difference,
but thanks to the system, their initiative is constrained by the 'status
quo'. I feel sorry for some of these folks, they really do try, but the
system there prevents them from being effective, thus partially explaining
the mess the FBI and NIPC is in at the moment in responding to terrorism or
hacker threats.

re: The "DNS Attack" -- I'm hearing all this talk about DNS-on-CD that was
some sort of research project that would be used during a loss of the roots.
Anyone have any add'l info on what this is/was?

Cheers from DC,

Rick
Infowarrior.org

I don't understand how giving the US federal government management control
of key components of the Internet will make it more secure.

  It worked for airline security.

Oh, did it now?

Just to paraphrase Sean's very professional language:
Before the US government proposes to unilaterally
take responsibility for a particular service it should
consider its track record of providing parts of
that particular service in the past.
Not to mention that the service serves the World and
not just the US.

Daniel

Hi,

  "This showcases a specific vulnerability that requires the government to
  get involved," Julian said. "If you run a DNS server what is your
  monetary incentive to secure it? There is none. This is the number one
  area of focus that the government should have."

This last quote is complete non-sense. The major reason an operator would
want to keep a root server secure and available is, in my mind at least,
the stigma associated with running a poor service.

Unfortunately, this has not been the case historically. Stigma has taken a
back seat to fiscal and/or bureaucratic realities (and the requests of the
people on the front lines trying to fix the situation).

Something that EVERYONE
on the Internet could notice as a problem is a very large burden to bear.

Actually, not really, since the most popular caching server homes into the
name server that responds the fastest. Poorly performing name servers don't
get asked questions, so no one really notices they suck unless they look.

Gov't requirements or management of this system is a non-starter, it's not
going to increase the security or availability of the systems in the
least.

That's very true. However, it seems to me politicians must be seen doing
"something", regardless of whether the something makes a whole lot of sense
technically.

Rgds,
-drc

Err. One should not post mail after long airplane flights and no sleep.

Unfortunately, this has not been the case historically. Stigma has taken a
back seat to fiscal and/or bureaucratic realities (and the requests of the
people on the front lines trying to fix the situation).

What I meant was that fiscal and/or bureaucratic realities overrode both
stigma and the requests of people on the front lines trying to fix the
situation.

Rgds,
-drc

Yeah... removing shoes and "randomly" searching peace activists while
allowing to carry on glass bottles containing unknown liquids on board.

Holding air companies liable for lax security could've been a lot more
efficient.

--vadim

Alan Hannan wrote:

> I don't understand how giving the US federal government management control
> of key components of the Internet will make it more secure.

  It worked for airline security.

Sure, searching Ray Charles makes me feel much safer. Asking me whether anyone
helped me pack my bags or handed me a package always shows whether or
not I should be trusted to get on the plane. Stopping a little boy from
taking on a toy with a 1 inch long gun makes me feel safer too. These are
the same people who can't be trusted to make sure that your luggage flies
the same flight you do. Puh-leeze.

There is not one single thing that goes on in airport "security" that
contributes one whit to actual security.

...and surely you aren't suggesting that you want those same people to run
the root servers. I'm just glad they aren't all in the US (so that there
can be no preemptive strike by some poser-crazed congress critter).

I saw in a forum on ExtremeTech (where they had an article ranting
about how the internet was almost brought to its
knees) http://www.extremetech.com/article2/0,3973,646157,00.asp that
after the root servers attack the gTLD's were attacked as well, taking
out .biz, .info, and .gov ... can anyone verify if anything happened?

*********** REPLY SEPARATOR ***********

Once upon a time, Jeff Shultz <jeffshul@wvi.com> said:

I saw in a forum on ExtremeTech (where they had an article ranting
about how the internet was almost brought to its
knees) http://www.extremetech.com/article2/0,3973,646157,00.asp that
after the root servers attack the gTLD's were attacked as well, taking
out .biz, .info, and .gov ... can anyone verify if anything happened?

Well, since the gTLD servers don't serve .biz, .info, or .gov (and those
three zones are served by three different sets of servers), it sounds
bogus.

Etaoin Shrdlu wrote (on Oct 24):

There is not one single thing that goes on in airport "security" that
contributes one whit to actual security.

Having, on more than one occasion been allowed to board an aircraft
in the US whilst accidentally carrying a Leatherman tool (complete
with locking blades), and most recently only 2 or 3 weeks ago,
I somewhat agree. I have friends who have managed to get on with
sewing kits, those credit-card-sized Swiss-army jobbies, and all manner
of other sharp pointy objects.

In contrast, I made the same mistake in London once when on my way to
Madrid, and never saw said tool again after it was confiscated.

The only thing I've ever been stopped for in the US was forgetting
my Palm was in my inside pocket when going through the metal detector.

At the opposite extreme, Madrid airport has a habit of asking me to
remove my belt and pass it through the xray machine, which I found a
little odd at the time.

That said, in my limited experience (and it may entirely be superficial)
countries with Government run airport security tend to be more thorough -
and that means Govt. employed people doing the job, not some 2-bit company
they found down the road that gave the "best value for money" - we don't
want cheap, we want security, without finger-pointing when it screws up.

I don't think this necessarily applies to the problems of attacks (of
the nature that started this discussion - sticking a few kilos of semtex
inside your server case, wiring it to the parallel port and hosting that
at 60 Hudson is very easy, but is a different discussion) on the Internet
however. Prevention probably works only when you stand a reasonable
chance of never letting the attack get near its target. In commercial
air travel, that means the airport, which is the earliest common point
before the aircraft. The Internet has no such common point, unless
you define it to mean "the networks" - and that covers a lot of ground.

Also in my experience, attacks on the Internet (DoS) tend to scale with
the size of the target. If you happen to have a large unused line lying
around, someone, somewhere, will find a way to fill it for you. An
attack on my employers network a few nights ago was of a scale enough
to cause UUnet to call C&W, one of our upstreams, because it was of a
scale large enough for them to notice it, even considering the size
of the interconnects between them (and that's somewhat bigger than
what we have from C&W.)

If you spread the target over, say, 100 destinations, then the
attacker with his virus-driven DDoS network need only infect a small
percentage more machines and, given a command, will be able to mount
just as effective an attack on most if not all of those distributed
targets.

Protecting the targets therefore won't help, however big/distributed
you make the target - it may mitigate the effect of the attack, but it
did not prevent people from being affected. Governments should not be
allowed to say that even 1% of the population is an "acceptable loss"
if at the same time what they were trying to protect was considered to
be of importance to national security (or under many other classification).
Government involvement here would only have marginal, if any, impact
over what we can achieve ourselves. My personal feeling is we can do it
quicker.

So the role left open for Government involvement is tracking and removing
attack sources and tracking and prosecuting the offenders responsible -
which is within their remit already...

The above are only examples that came to mind as I wrote this. If
Government can make these problems go away, I'd love to hear about
the method they would use. Meanwhile, we still have many attacks yet
to come.

Chris.

That said, in my limited experience (and it may entirely be superficial)
countries with Government run airport security tend to be more thorough -
and that means Govt. employed people doing the job, not some 2-bit company
they found down the road that gave the "best value for money" - we don't
want cheap, we want security, without finger-pointing when it screws up.

The London airport that found and confiscated your leatherman tool is run by a publicly traded company, BAA Plc (http://www.baa.co.uk), not the government, as are pretty much all of the airports in the UK.

There are local, UK and European airline security regulations, but the security people are paid for, employed by and answer to the airport company, not the government. BAA even sells airport security consulting services. Poor security is bad for business if you're an airport.

Cheers,

Mathew

>Alan Hannan wrote:
>>
>> > I don't understand how giving the US federal government management control
>> > of key components of the Internet will make it more secure.
>>
>> It worked for airline security.
>
>Sure, searching Ray Charles makes me feel much safer. Asking me whether anyone
>helped me pack my bags or handed me a package always shows whether or
>not I should be trusted to get on the plane. Stopping a little boy from
>taking on a toy with a 1 inch long gun makes me feel safer too. These are
>the same people who can't be trusted to make sure that your luggage flies
>the same flight you do. Puh-leeze.
>
>There is not one single thing that goes on in airport "security" that
>contributes one whit to actual security.

Amazingly enough, Admiral James M. Loy - the new COO of the Transportation Security Administration, shows strong signs of having a clue WRT security, see:

<http://www.cnn.com/2002/US/08/23/loy.cnna/>

In an opinion piece by Joseph Perkins (San Diego Union-Tribune columnist, the article ran in the SF Chronicle on 10/21 but I can't find it online anywhere), it lists a bunch of the present stupid rules, and then goes on to say:

  So those dictates and others like them, included on Loys' not-so-
  facetiously named "Stupid Rule List," have been thrown out. The
  litmus test in each case, he explained, is whether a rule substantively
  contributes to security or primarily to longer airport lines.

There are several online references to this list, see:

<http://www.apfa.org/public/articles/News-Events/STUPID_RULES.HTML>
<http://www.washingtonpost.com/wp-dyn/articles/A32246-2002Oct15.html>

ObNetwork Operations: Does this mean I can once again carry a cable crimper tool with me in my carry on luggage (one was confiscated at SFO a few months ago, the cable cutting blades were deemed a "potential weapon")?

jc