Nato warns of strike against cyber attackers

[In the message entitled "Re: Nato warns of strike against cyber attackers" on Jun 8, 16:03, "J. Oquendo" writes:]

All humor aside, I'm curious to know what can anyone truly do at the end
of the day if say a botnet was used to instigate a situation. Surely
someone would have to say something to the tune of "better now than
never" to implement BCP filtering on a large scale. Knobs, Levers, Dials
and Switches: Now and Then (please sir, may I have some more ?) is 7
years old yet I wonder in practice, how many networks have 38/84
filtering. I'm wondering why it hasn't been implemented off the shelf in
some of the newer equipment. This is not to say "huge backbones" should
have it, but think about it, if smaller networks implemented it from the
rip, the overhead wouldn't hurt that many of the bigger guys. On the
contrary, my theory is it would save them headaches in the long run...
Guess that's a pragmatic approach. Better that than an immediate
pessimistic one.

It's really way, way past time for us to actually deal with compromised
computers on our networks. Abuse desks need to have the power to filter
customers immediately on notification of activity. We need to have tools to
help us identify compromised customers. We need to have policies that
actually work to help notify the customers when they are compromised.

None of this needs to be done for free. There needs to be a "security
fee" charged _all_ customers, which would fund the abuse desk.

With more than 100,000,000 compromised computers out there, it's really
time for us to step up to the plate, and make this happen.


Or you should send the bill to the company that created the software
that facilitated to get so many computers compromised, some folks in
Redmond have a large chunk of money on the bank.

My .02

Jorge Amodio wrote:

Or you should send the bill to the company that created the software
that facilitated to get so many computers compromised, some folks in
Redmond have a large chunk of money on the bank.

My .02

Seems like it's come full circle again
(http://irbs.net/internet/nanog/0412/0109.html) and I can always recall
Rob Thomas' take on this (http://irbs.net/internet/nanog/0412/0222.html)
"Filtering out bogons removes yet one more potential source of badness.
Does it remove all badness? Of course not. We win by degrees. Removing
any tool from the bad persons' toolkit is useful." Not forgetting Mark
Andrews "Any operator not implementing BCP 38 is potentially aiding and
abetting some criminal. BCP 38 is over 10 years old. There is no excuse
for not having equipment in place to handle the processing needs of BCP 38."

ISPs could actually offset the charges to customers with helpdesks to
recoup some equipment costs while maintaining a clean network. As for
the "blame the software" comment, irrelevant. If bad hosts were
minimized, there would likely be fewer compromises irrespective of the
vendor of the software. Statistically I would think the number of
compromises would go down but at the same time I believe the criminals
would get smarter. That's just the nature of the beast.
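As an added illustration (example code, not from the thread or any of its posters) of what the BCP 38/84 ingress filtering argued for in the first post and the bogon filtering Rob Thomas is quoted on above actually do at a customer edge, here is a small Python simulation. The interface names, customer prefixes and traffic sample are constructed; the TEST-NET documentation ranges stand in for public customer space and are therefore left out of the bogon list.

```python
"""Simulated BCP 38 / BCP 84 ingress filter at a customer edge (example
code, not from the thread).  Each customer-facing port has a fixed list of
prefixes assigned to that customer; a packet is forwarded only if its source
address lies in those prefixes (BCP 38 strict mode) and is not a bogon.
BCP 84's multihoming relaxation ("loose" checks) is out of scope here."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Unroutable ("bogon"/martian) IPv4 ranges from RFC 6890.  The TEST-NET
# documentation ranges are deliberately omitted because they stand in for
# public customer space in this constructed demo.
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed example: prefixes delegated to each customer port.  A port
# not listed here has no permitted sources at all (default deny).
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ip_network("198.51.100.0/24")],
}


def classify(iface, src):
    """Return 'permit', 'drop-bogon' or 'drop-spoofed' for one packet."""
    addr = ip_address(src)
    if any(addr in net for net in BOGONS):
        return "drop-bogon"
    if any(addr in net for net in CUSTOMER_PREFIXES.get(iface, [])):
        return "permit"
    return "drop-spoofed"       # source address not assigned to this port


def filter_packets(packets):
    """Apply the policy to (iface, src, dst) tuples; return the forwarded
    packets plus a per-verdict tally an abuse desk could alert on."""
    forwarded, counts = [], Counter()
    for iface, src, dst in packets:
        verdict = classify(iface, src)
        counts[verdict] += 1
        if verdict == "permit":
            forwarded.append((iface, src, dst))
    return forwarded, counts


# Constructed traffic: two legitimate flows, a customer sourcing packets
# with another customer's address, a reflection-style spoof using an
# address from elsewhere on the Internet, and two martian sources.
SAMPLE = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.53"),
    ("ge-0/0/1", "198.51.100.7", "203.0.113.53"),
    ("ge-0/0/1", "203.0.113.9", "203.0.113.53"),
    ("ge-0/0/2", "10.1.2.3", "203.0.113.53"),
    ("ge-0/0/2", "198.51.100.200", "203.0.113.53"),
    ("ge-0/0/2", "127.0.0.1", "203.0.113.53"),
]
```

Running `filter_packets(SAMPLE)` forwards only the two flows whose source matches the ingress port, and the tally separates spoofed sources from plain martians so the two failure modes can be tracked separately.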

Problem is, there's no financial penalties for providers who ignore abuse coming from their network.

DNSbl lists work only because after a while, providers can't ignore their customer complaints and exodus when they dig deep into the bottom line.

We've got several large scale IP blocks in place in the AHBL due to this exact problem - providers know there's abuse going on, they won't terminate the customers or deal with it, because they are more than happy to take money.

Legit customers get caught in the cross-fire, and they suffer - but at the same time, those legit customers are the only ones that will be able to force a change on said provider.

They contact us, and act all innocent, and tell people we're being unreasonable, neglecting to tell people at the same time that the 'unreasonable' DNSbl maintainer only wants for them to do a simple task that thousands of other providers and administrators have done before.

Dave,

I realize you're fond of punishing all of us to subsidize the ignorant, but I would rather see those with compromised machines pay the bill for letting their machines get compromised than have to subsidize their ignorant or worse behavior.

Owen

Brielle Bruns wrote:

Problem is, there's no financial penalties for providers who ignore
abuse coming from their network.

DNSbl lists work only because after a while, providers can't ignore
their customer complaints and exodus when they dig deep into the
bottom line.

We've got several large scale IP blocks in place in the AHBL due to
this exact problem - providers know there's abuse going on, they won't
terminate the customers or deal with it, because they are more than
happy to take money.

Legit customers get caught in the cross-fire, and they suffer - but at
the same time, those legit customers are the only ones that will be
able to force a change on said provider.

They contact us, and act all innocent, and tell people we're being
unreasonable, neglecting to tell people at the same time that the
'unreasonable' DNSbl maintainer only wants for them to do a simple
task that thousands of other providers and administrators have done
before.

I know it's akin to Apples and Oranges but maybe a "network forfeiture"
(http://www.lectlaw.com/def/f054.htm) clause be drafted. Surely there
should be no outcry for stating: "If your network is dirty, it's gone,
including all your equipment." I wonder how fast some network operators
would have their networks. Again, re-visiting re-hashed threads:
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity? Surely a
vast majority have to be tired of the garbage coming from your own
networks and others. I can tell you I'm tired of my phone ringing
because some tollfraudster keeps thinking he's making uber calls when
he's stuck in one of my honeypots.

I have for what, 20 years? been begging for vendors to provide clean
service.

But there is no hurry, the world government (spare me the tin hats
thing. Have you noticed what is going on in Washington lately?) will
take care of it.

Actually, the real problem is that if providers *don't* start doing
something to remediate abuse originating within their customer base -- and
begin policing themselves -- I don't think they will like someone else
(e.g. the gummint) forcing them to do something (which actually may be
worse).

The opportunity for providers to address this problem by policing
themselves is being overshadowed by the real possibility that the
government may step in and force them to do so, unfortunately.

$.02,

-- ferg

Problem is, there's no financial penalties for providers who ignore abuse coming from their network.

Problem is there's no financial liability for producing massively exploitable software.
No financial penalty for operating a compromised system.
No penalty for ignoring abuse complaints.
Etc.

Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection.

ISPs could actually offset the charges to customers with helpdesks to
recoup some equipment costs while maintaining a clean network. As for
the "blame the software" comment, irrelevant. If bad hosts were
minimized, there would likely be fewer compromises irrespective of the
vendor of the software. Statistically I would think the number of
compromises would go down but at the same time I believe the criminals
would get smarter. That's just the nature of the beast.

It's not irrelevant. If it were, Apache would be more frequently exploited than IIS. It isn't.

Owen

Lots of finger pointing.
Lots of discussion about who should pay, and so forth.

How about we just take responsibility for our own part. Don't let malicious
traffic in or out.

If it can't move, it will die.

Jorge Amodio wrote:

Or you should send the bill to the company that created the software
that facilitated to get so many computers compromised, some folks in
Redmond have a large chunk of money on the bank.

I'm still truly amazed that no one has sic'd a lawyer on Microsoft for creating an "attractive nuisance" - an operating system that is too easily hacked and used to attack innocent victims, and where others have to pay to clean up after Microsoft's mess.

For instance, if you build a pool in your backyard, and you don't properly fence it, and kids illegally trespass on your property to get in to your pool, and they get hurt, you will be sued and will be held liable. You built this dangerous thing, and you didn't properly secure (fence it), and it's your responsibility even when someone *illegally* gains access and hurts themselves (or others). There are numerous other examples of "attractive nuisances" where individuals and companies are held liable for injuries caused by people who illegally gained access to improperly secured property and items. Why hasn't *someone* brought this up with Microsoft and Windows?

jc

Do you honestly believe that if 80% of the world's consumer computers were
*not* MS operating systems, that the majority of computers would still not
be targeted?

Please, be for real -- the criminals go after the entrenched majority. If
it were any other OS, the story would be the same.

-- ferg

Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection.

It isn't Microsoft. It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.)

Microsoft is targeted because they have the market. If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years. It's also Flash and Acrobat Reader. It's also users who click to install every plug-in recommended by every dodgy web site they visit. It's also users who don't install patches, including those for XP (which really was that buggy). There's plenty of blame to go around here....

A liability scheme, with penalties on users and vendors, is certainly worth considering. Such a scheme would also have side-effects -- think of the effect on open source software. It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worth while -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold.

    --Steve Bellovin

I agree the miscreants go for the bigger bang for the buck. That said, earlier versions of Windows really were soft targets. I don't know enough about Win7 to comment, but I respect Steve and will accept his opinion. Let's hope MS keeps up the good work - I do not want to bash Windows (no matter how fun it is :), I want to stop being attacked.

But it is not -just- market share. There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, and RIM. I think combined. Yet Windows Mobile has the lowest market share of the four. So unless that is spill over because Windows Mobile & Windows Desktop have the same vulnerabilities, it shows that market share is only one piece of the puzzle.

All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. And I don't know how we stop that. Anyone have an idea?

Actually, it *is* market-share. That's the "low-hanging fruit" for
criminals.

And educating users? That bus left the station long ago.

Let's not be distracted from the issue here -- ISPs, xSPs, and other
similar providers have a responsibility here that they should not shirk, or
pass along.

Police your own backyards. Before someone else forces you to do so.

-- ferg

All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. And I don't know how we stop that. Anyone have an idea?

Remove the users. The problem goes away. Just kidding on that. Really, the only way ahead is educating the users of the threats and all and maybe a "learning experience" is due for most of them.

I'm all for that, but, point is that people who fail to meet that standard are
currently getting a free ride. IMHO, they should pay and they should have
the recourse of being (at least partially) reimbursed by their at-fault software
vendors for contributory negligence.

Owen

I'm still truly amazed that no one has sic'd a lawyer on Microsoft for
creating an "attractive nuisance" - an operating system that is too
easily hacked and used to attack innocent victims, and where others have
to pay to clean up after Microsoft's mess.

Do you honestly believe that if 80% of the world's consumer computers were
*not* MS operating systems, that the majority of computers would still not
be targeted?

Targeted? Yes.
Successfully compromised? Less so.

Look at it this way... The vast majority of web servers are Apache, yet, IIS is compromised
far more often.

Yes, Micr0$0ft is a major contributor to the problem.

Please, be for real -- the criminals go after the entrenched majority. If
it were any other OS, the story would be the same.

If this were true, the criminals would be all over Apache and yet it is IIS that gets
compromised most often.

Owen

Open source should be basically covered by the equivalent of a good samaritan clause.

After all, the source is open, so, anyone who wants it fixed can fix it.

OTOH, non-open-source software which is subject to dependency on a vendor who got paid
for the software as a professional development house should carry a different standard of
liability.

Just as the mechanic you pay at the local garage is held to a higher standard of liability than
the shade-tree mechanic on your block that changes your oil for free.

Owen