[Operational] Internet Police

My question is what architectural recommendations will you make to your
employer if/when the US Govt compels our employers to accept our role as the
"front lines" of this "cyberwar"?

I figure once someone with a relevant degree of influence in the govts
realizes that the "cyberwar" is between content/service controllers and
eyeballs. With involuntary and voluntary botnets as the weapons of "the
eyeballs", relying exclusively on a line of defense near to the content
(services) leaves a great expanse of "battlefield". I would expect the
content/service controllers to look for means to move the battleline as
close to the eyeballs as possible (this community). So... if/when our
employers are unable to resist the US Govt's demand that we "join in the
national defense", wouldn't this community be the ones asked to guard the
border?

Assuming the govt won't send federal agents into each of our NOCs, won't our
employers ask us "what can we do?"

If inspecting and correlating every single packet/flow for attack signatures
is not feasible (on scale), are there name/address registration/resolution
measures that could effectively lock-down the edge? ...will we look toward
China/Saudi Arabia/etc for lessons learned in their 'great firewalls' to
develop a distributed version where central control pushes policy out to the
edge (into the private networks that currently provide the dreaded "low
barrier for entry")?

Obviously the environment is created by layers 8/9, but I'm interested in
the layer 1-7 solutions that the community would consider/recommend.

-Michael

CALEA

done

Warfare isn't the correct metaphor.

Espionage/covert action is the correct metaphor.

How is "what to block" identified? ...by content key words? ..traffic
profiles / signatures? Deny all, unless flow (addresses/protocol/port) is
pre-approved / registered?

What does the technical solution look like?

Any solutions to maintain some semblance of freedom?

CALEA doesn't provide block. It provides full data dumps to the authorities. It's up to them to analyze, prove illegality, and seek warrants.

A single CALEA tap on a bot, for example, could provide the government with a bot controller, or with details of what a specific bot is doing.

A tap on the controller itself could show the large number of bots and their location, or provide the next step in backtracking the connection to the person using the controller.

On and on. Is it ideal? No. Is it possible to do within current law? Yes, until it crosses international boundaries, but even then there is some amount of recourse.

The law is designed to track down and prosecute people, not stop malicious activity. In order for the law to try and stop malicious activities (digital or real), it must place constraints on our freedoms. See TSA/Airport Security.

Jack

Let's put it this way.

1. If you host government agencies, provide connectivity to say a
nuclear power plant or an army base, or a bank or .. .. - you'd
certainly work with your customers to meet their security
requirements.

2. If you are a service provider serving up DSL - why then, there are
some governments (say Australia) that have blacklists of child porn
sites - and I think Interpol came up with something similar too. And
yes there's CALEA and a few other such things .. not much more that's
new.

Separating rhetoric and military metaphors will help you see this a
lot more clearly. As will not dismissing the entire idea with
contempt.

As a service provider for anything at all, you'll see your share of attacks.

Whether coordinated by 4chan or by comrade joe chan shouldn't really
matter, except at the level where you work with law enforcement etc. to
coordinate a response that goes beyond the technical. [And ALL
responses to these are not going to restrict themselves to being
solvable by technical means].

--srs

And if I ever find the genius who came up with the "we are not the
internet police" meme ...

Obviously the environment is created by layers 8/9, but I'm interested in
the layer 1-7 solutions that the community would consider/recommend.

BGP blackhole communities is a good way to push the problem upstream,
assuming your provider will agree to it. In theory, that could also work
on a larger scale, but it becomes a matter of trust (as has been
discussed many times before .. "just because *you* say it's bad, doesn't
make it so").

Cheers,

Michael Holstein
Cleveland State University
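The trust problem Michael raises above (an upstream accepting "drop this" on a customer's say-so) is usually handled by scoping the blackhole community with an import policy rather than by trusting the announcement itself. The following is an added example, not code from the original post or from any vendor: it models the acceptance check an upstream would apply to customer announcements tagged with the RFC 7999 well-known BLACKHOLE community (65535:666, assumed here; many providers use their own value), honoring the request only for a host route that sits inside prefixes the customer is already authorized to originate. The prefixes, communities and authorized list are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# RFC 7999 well-known BLACKHOLE community.  Whether a given upstream honors
# this value or a provider-specific one is an assumption to confirm with them.
BLACKHOLE_COMMUNITY = "65535:666"


@dataclass(frozen=True)
class Decision:
    action: str   # "BLACKHOLE", "REJECT" or "NORMAL"
    reason: str


def evaluate_announcement(prefix, communities, authorized_prefixes, *, max_len=None):
    """Decide what to do with one customer announcement.

    authorized_prefixes: what the customer may originate (the same IRR/ROA data
    the normal prefix filter is built from).  A blackhole request is honored
    only for a host route inside that set.  Anything else is REJECTED outright
    rather than demoted to a normal route, so a mistaken or malicious request
    can neither drop someone else's addresses nor sneak in as a plain
    announcement.  max_len optionally relaxes the host-route requirement,
    e.g. {4: 25, 6: 64} for a provider that accepts slightly wider drops.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as e:
        return Decision("REJECT", f"malformed prefix {prefix!r}: {e}")

    if BLACKHOLE_COMMUNITY not in communities:
        return Decision("NORMAL", "no blackhole community; ordinary import policy applies")

    host_len = 32 if net.version == 4 else 128
    limit = host_len if max_len is None else max_len[net.version]
    if net.prefixlen < limit:
        return Decision("REJECT",
                        f"blackhole for /{net.prefixlen} is too broad (need >= /{limit})")

    for auth in authorized_prefixes:
        auth_net = ipaddress.ip_network(auth, strict=False)
        if auth_net.version == net.version and net.subnet_of(auth_net):
            return Decision("BLACKHOLE",
                            f"drop traffic to {net}; covered by authorized {auth_net}")
    return Decision("REJECT", f"{net} is outside the customer's authorized prefixes")


def apply_policy(announcements, authorized_prefixes, **kw):
    """Evaluate a batch of (prefix, [communities]) pairs; returns a list of Decisions."""
    return [evaluate_announcement(p, c, authorized_prefixes, **kw) for p, c in announcements]


if __name__ == "__main__":
    # Constructed sample: a customer authorized for one v4 /24 and one v6 /32.
    authorized = ["203.0.113.0/24", "2001:db8::/32"]
    sample = [
        ("203.0.113.7/32",   [BLACKHOLE_COMMUNITY]),      # their own host: drop it
        ("198.51.100.7/32",  [BLACKHOLE_COMMUNITY]),      # someone else's: refuse
        ("203.0.113.0/24",   [BLACKHOLE_COMMUNITY]),      # whole /24: too broad
        ("203.0.113.0/24",   ["64496:100"]),              # ordinary announcement
        ("2001:db8::1/128",  [BLACKHOLE_COMMUNITY]),      # v6 host route: drop it
    ]
    for (prefix, comms), d in zip(sample, apply_policy(sample, authorized)):
        print(f"{prefix:<18} {d.action:<9} {d.reason}")
```

The point of the REJECT-not-NORMAL choice is that a blackhole request which fails validation is by definition suspect, and the same prefix would be caught by the ordinary origin filter anyway; logging those rejections is also where you first notice a customer (or a compromised customer router) trying to null-route addresses that are not theirs.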

And if I ever find the genius who came up with the "we are not the
internet police" meme ...

he died over a decade ago

In my ever-so-humble opinion, this is not primarily about copyrighted material; it is primarily about content control. Go to any country in the world; they have something they wish wasn't available on the net. It might be child pornography, pornography in general by some definition of that term or lack thereof, journalist reports regarding their country or certain events in their country, paparazzi photos of their leaders or their consorts, or comments or comics featuring important religious figures or violating local social norms (did you know that DSLRs are illegal in Kuwait unless one is a registered journalist?). The UN Al Qaeda Task Force would like to block all files that originate from Al Qaeda. During the US 2004 presidential elections, one of the candidates suggested using CleanFeed to suppress information about dog racing. It might be COICA, HADOPI, or some municipal court judge who has no idea what he is asking but makes a decree that <something> should go away. They are all, at the end of the day, talking about the same thing: "we don't care what other countries or other people think; in our country, <something> should not be available on the Internet."

Which is to say that they think that they should be in control of some bit of content. Content control, which they might well decry when others do it and respond very poorly when you point out their own actions.

I would note that in many cases similar laws already exist in the various countries' legal systems. For some reason, rather than enforcing the existing law of the land, they feel compelled to make a new law that is specific to the Internet. I asked a lawyer advocating yet another such law about this once, trying to find out why she thought that was necessary. Her response was that the existing law of the land had been found in court after court and jurisdiction over jurisdiction to be unimplementable and unenforceable; a certain famous statement about the definition of obscenity comes to mind, and very appropriately. "If I have the law, it gives me one more chance to argue the case in court". A case she freely admitted that she would very likely lose.

If your boss comes to you and asks you to be part of it, my suggestion (I am not a lawyer, and this is not legal advice) would be to first ask him whether he has a court order. If you are obligated to comply, you are obligated to comply. But in any event, I would suggest that he read http://www.washingtonpost.com/wp-dyn/content/article/2010/12/08/AR2010120804038.html. I suspect we will be reading similar articles about some 70 sites that have been taken down recently, and in some cases they may take whoever-did-it to court and win a judgement. The Internet routes around failure, and people who think they can control content are notorious for failing.

That's not a political viewpoint; some of those things that folks would like to go away probably should. From a very pragmatic and practical perspective, any technical mechanism that has been proposed is trivially defeated. The first implementers of DKIM were the spammers. What does CleanFeed do with https or encrypted BitTorrent? DNS Blocking is very interesting in a DNSSEC world, and is trivially overcome by purchasing a name in another TLD - or a thousand of them. Null routes block access to specific addresses; move the content, and the null route is a waste of bits. Look at how successful we have been in erasing botnets from our memory, or viruses, or spam.

The way to address these things is not to childishly wish there was a magic silver bullet that would make the problem go away. If it's against the law, and in most cases the content that folks want to control is, go arrest the guy.

That's not to say that you couldn't use technologies like CleanFeed or Lawful Intercept, if you use them lawfully, to gather forensic evidence. But that's a far cry from pretending to make the content go away.

"Low intensity conflict" may be more correct.

Once upon a time, Fred Baker <fred@cisco.com> said:

did you know that DSLRs are illegal in Kuwait unless one is a registered journalist?

Did you know that they are not?

http://thenextweb.com/me/2010/11/30/kuwait-dslr-ban-does-not-exist-after-all/

This is like the people attacking EasyDNS because they took
wikileaks.org down. Oops, except it wasn't, it was EveryDNS.

I read it on the Internet so it must be true!

[CALEA] is designed to track down and prosecute people, not stop malicious activity.

Right.

In order for the law to try and stop malicious activities (digital or real), it must place constraints on our freedoms. See TSA/Airport Security.

Or, more relevant to NANOG, see COICA (http://www.gpo.gov/fdsys/pkg/BILLS-111s3804rs/pdf/BILLS-111s3804rs.pdf).

Regards,
-drc

All due respect to him, but I didn't want to kick his teeth in or
anything, merely ask if he'd like to reconsider it, given the new
security threats we all face that have outdated that meme.

mikea <mikea@mikea.ath.cx> writes:

The problem is that non-ironic use of the appellation 'cyber-' is generally inversely proportional to actual clue, so it should be avoided at all costs.

;>

Butlerian Jihad.

-Bill

He also said "The Internet works because a lot of people cooperate to
do things together"

Remove the "together" and there is no Internet.

-J

In reality DoS threats/execution of those threats/'pwning'/website vandalism are all forms of terrorism. An easily pronounceable version with a 'net-', 'e-' or even 'cyber-' prefix... is difficult.

I thought "e-*" was so yesterday, wouldn't this be "i-*" or to be more
complete "i-* 2.0"