NSP-SEC

Misses, Misters,

I would want to inform you that the security of the Internet, that is discussed in the NSP-SEC mailing-list [0] by a selected group of vendors (Cisco, Juniper & Arbor) [1] and operations contacts of the big ISPs [2] :

1) applies the "Security through Obscurity" paradigm that has been proven inefficient [3]. To quote [4] :

"Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures."

First question : Why was I able to find this mail on the Internet if it should be kept secret ?

2) includes [5]

a) Spammers (Rodney Joffe) [6] [7]

b) Freelancers (Gadi Evron) [8] [9]

Second question : Do you still ask yourself why the Internet is so insecure ? [10]

Best Regards,

Guillaume FORTAINE

[0] http://puck.nether.net/mailman/listinfo/nsp-security
[1] http://www.confickerworkinggroup.org/wiki/pmwiki.php/SP/ServiceProviders
[2] http://docs.google.com/viewer?url=http://www.cisco.com/web/ME/exposaudi2009/assets/docs/isp_security_routing_and_switching.pdf
[3] http://en.wikipedia.org/wiki/Security_through_obscurity
[4] http://lists.ausnog.net/pipermail/ausnog/2007-April/000397.html
[5] http://www.google.com/search?hl=en&source=hp&q="nsp-sec"+site:mailman.nanog.org&aq=f&aqi=&aql=&oq=&gs_rfai=&esrch=FT1
[6] http://mailman.nanog.org/pipermail/nanog/2008-October/004724.html
[7] http://www.iadl.org/RodneyJoffe/rodneyjoffe.html
[8] http://mailman.nanog.org/pipermail/nanog/2009-November/015354.html
[9] http://il.linkedin.com/in/gadievron
[10] http://caislab.kaist.ac.kr/77ddos/

Hello,

Few people actually care about nsp-sec so what exactly are you getting at?

Why respond to an obvious troll?

Regards,
-drc

I might argue the "few" comment, but I think it's better not to reply to Guillaume so people who are smart enough to not see his posts (which would be quite a bit more than a "few") will not be forced to see them.

Although I have to admit I am impressed at how quickly he has managed to piss off, alienate, and pretty much guarantee lasting animosity from, well, pretty much every significant person on the 'Net. Perhaps we should lump Guillaume in with $HE_WHO_MUST_NOT_BE_NAMED[*]?

Could you argue, if possible, please ?

I look forward to your answer,

Best Regards,

Guillaume FORTAINE

> Few people actually care about nsp-sec so what exactly are you getting at?

> I might argue the "few" comment, but I think it's better not to reply to Guillaume so people who are smart enough to not see his posts (which would be quite a bit more than a "few") will not be forced to see them.

I would say that, in general, more people care about NANOG than
nsp-security, although nsp-security is a worthwhile resource for those
who are dealing with backbone-level problems (which is a minority of the
people on NANOG, who generally are managing single
typically-not-multihomed sites for the most part).

> Although I have to admit I am impressed at how quickly he has managed to piss off, alienate, and pretty much guarantee lasting animosity from, well, pretty much every significant person on the 'Net. Perhaps we should lump Guillaume in with $HE_WHO_MUST_NOT_BE_NAMED[*]?

Ugh, that IADL guy. I blackholed his entire IP block at edge because I
got tired of receiving his crap. :smiley:

And yeah, I'm surprised Guillaume can actually post here still.

William

> Misses, Misters,

You forgot the ballers, shot callers, brawlers, those who dippin' in
the benz with the spoilers. [0]

> I would want to inform you that the security of the Internet, that is
> discussed in the NSP-SEC mailing-list [0] by a selected group of vendors
> (Cisco, Juniper & Arbor) [1] and operations contacts of the big ISPs [2] :

I personally believe that that U.S. Americans are unable to do so
because, uh, some people out there in our nation don't have maps and,
uh, I believe that our, uh, education like such as in South Africa
and, uh, the Iraq, everywhere like such as, and, I believe that they
should, our education over here in the U.S. should help the U.S., uh,
or, uh, should help South Africa and should help the Iraq and the
Asian countries, so we will be able to build up our future, for our
children. [1]

> 1) applies the "Security through Obscurity" paradigm that has been proven
> inefficient [3]. To quote [4] :

When the Sun shines upon Earth, 2 - major Time points are created on
opposite sides of Earth - known as Midday and Midnight. Where the 2
major Time forces join, synergy creates 2 new minor Time points we
recognize as Sunup and Sundown. The 4-equidistant Time points can be
considered as Time Square imprinted upon the circle of Earth. In a
single rotation of the Earth sphere, each Time corner point rotates
through the other 3-corner Time points, thus creating 16 corners, 96
hours and 4-simultaneous 24 hour Days within a single rotation of
Earth - equated to a Higher Order of Life Time Cube. [2]

> First question : Why was I able to find this mail on the Internet if it
> should be kept secret ?

ELMSFORD 12 GALAXIES CESJROGENICAL ERGONOMICS NBC: XOXPHROZENIGUL
COVERAGE WASPROVENIKIL ADMONISHMENTS MINUSCULE STRATOSPHERICAL [3]

> Second question : Do you still ask yourself why the Internet is so insecure
> ? [10]

http://www.youtube.com/watch?v=GkMvKeX7erI [4]

I am also curious [5], is OBESUS [6] the new IASON [7]? Are you Peter
and Karin Dambier [8]?

Drive Slow [9],

Paul WALL [10]

[0] http://www.lyricsmode.com/lyrics/p/p_diddy/all_about_the_benjamins.html
[1] Caitlin Upton - Wikipedia
[2] Time Cube - Wikipedia
[3] Frank Chu - Wikipedia
[4] List of recurring The Simpsons characters - Wikipedia
[5] Curious Definition & Meaning - Merriam-Webster
[6] http://mailman.nanog.org/pipermail/nanog/2010-March/019518.html
[7] http://iason.site.voila.fr/
[8] http://www.peter-dambier.de/
[9] Drive Slow - Wikipedia
[10] Paul Wall - Wikipedia

nsp-security was originally formed out of the dissatisfaction with
other so-called private collaborative channels back when it was formed
a number of years ago. There are many more lists and groups that have
since formed along the same lines. The existence of nsp-security is no
secret and there has been a small number of "leaks", that is, mail
primarily, that was not meant to be forwarded or copied outside the list
that had been. It's been far from perfect from both a secretive
standpoint and policy standpoint, but compared to what existed before
it, it has proved useful from time to time. The ISP Security BoF/Track
meetings at NANOG grew out of the nsp-security effort and those are
open to any NANOG attendee.

One thing groups like this have perhaps most helped with is building
one-to-one relationships between colleagues. Groups like nsp-security
help you to learn who the trusted and reliable contacts are at various
organizations. An ongoing area of work is to build better closed,
trusted communities without leaks. It's still an ongoing problem. That's
why many times really sensitive work gets done in even smaller ad-hoc
groups or on a one-to-one basis.

John

I'd like to nominate this for the Best of Nanog 2010.

In a message written on Fri, Mar 19, 2010 at 02:50:37AM -0700, Paul WALL wrote:

Have you ever considered that public transparency might not be a bad
thing? This seems to be the plight of many security people, that they
have to be 100% secretive in everything they do, which is total
bullshit.

Just saying.

William

Amen to that. As the Jargon File says, "C|N>K". Unfortunately, I was
eating breakfast, and it was corn flakes not coffee. Ouch.

I think I'd settle for operators with Integrity. those who do what
  they say.

--bill

There are some out there......Infragard?....(shrugs shoulders)......

It is clear that our security would be much improved if our politicians
had to operate out in the open.

If we had that, no secrecy would be needed.

But anyone who thinks publishing everything we learn about the miscreants is a Good Idea, has never tried to take out a botnet or snow-shoe spammer or ....

Secrecy sucks. If you think those keeping secrets enjoy it[*], you just haven't been bored to tears by working one of these issues. Seriously, most of the work is mind numbingly horrible, and I have nothing but the utmost respect for people who do it on a regular basis. (In case it is not clear, I do not have to do it often, and for that I thank whatever ghods there may be.)

Put another way: Do not dis those that make the Internet safer for you. They spend time, effort, and money - frequently their own - and risk much more (ever been sued by a spammer?). In return, they often get nothing. Before you question (and to be clear, I am not saying you should not question), offer to help and see things from their side.

Congratulations. You found an example of a mailing list where applying a
standard disclaimer by default *does* make sense, which then got forwarded
*by a coordination team leader at a national CERT* to an appropriate forum
so that action could be taken, but failed to take the disclaimer off the
bottom of that posting.

Double bonus points for finding a posting that discussed something *really*
sensitive, like "we've seen bots connecting to...". You *do* realize that
there's an estimated 140,000,000 bots on the net, right, and as a result,
some operation lists have *dozens* of "bots spotted connecting to" postings
*per day*.

And you wonder why you have a hard time being taken seriously.

I'd like to second/third/whatever that nomination as well. :slight_smile:

Epic win. Not only did it make me fall off the chair laughing, but I highly doubt Fortaine will understand why it's so funny.

Paul, remind me if I ever get into politics, that I hire you as a consultant for speeches. :smiley:

> When the Sun shines upon Earth, 2 - major Time points are created on
> opposite sides of Earth - known as Midday and Midnight. Where the 2
> major Time forces join, synergy creates 2 new minor Time points we
> recognize as Sunup and Sundown. The 4-equidistant Time points can be
> considered as Time Square imprinted upon the circle of Earth. In a
> single rotation of the Earth sphere, each Time corner point rotates
> through the other 3-corner Time points, thus creating 16 corners, 96
> hours and 4-simultaneous 24 hour Days within a single rotation of
> Earth - equated to a Higher Order of Life Time Cube. [2]
>
> [2] Time Cube - Wikipedia

Uhhh, yeah... WOW man, like FARM OUT man!

The best thing I've learned on NANOG all year is this message about
Gene Ray. And as an added bonus that led me to the
Peirce quincuncial projection which is actually something useful
to know about.

--Michael Dillon

That's fine, in theory, but in practice it doesn't work.

Part of the issue is that information that could be considered sensitive generally has to have a level of trust for both the sender(s) and receiver(s), and that level of trust is generally not possible in an open forum. By "level of trust" I mean that if I have sensitive intel about an ongoing incident (attack, pwnd box, etc) I need to have some assurance that the information gets to people who can and will act on it, and keep that information confidential. nsp-sec has worked to build that level of trust (in general, with pretty good success) through the vetting process that every potential participant goes through.

Is it a perfect system? No, but it does serve a useful and important purpose.

Many security people have to keep things quiet for the same reasons, in addition to (not an all-inclusive list):
1. They might be under NDA or be employed at a company that has a policy against any sort of "unapproved disclosures"
2. The sources of various bits of intel are confidential and releasing unfiltered information could compromise that source.
3. Releasing unfiltered information could compromise intel gathering methods, potentially rendering them useless for further action.

"The likelihood that a secret will be kept goes down by the square of the number of people who know it" -- source unknown
"The likelihood that a meeting will be productive goes down by the square of the number of people who attend" -- me

jms

> If we had that, no secrecy would be needed.
>
> But anyone who thinks publishing everything we learn about the miscreants is a Good Idea, has never tried to take out a botnet or snow-shoe spammer or ...

Me, an evolvable malware :

http://docs.google.com/viewer?url=http://www.genetic-programming.org/hc2009/3-Noreen/Noreen-Presentation.ppt

Best Regards,

Guillaume FORTAINE