RE: Attn MCI/UUNet - Massive abuse from your network

I am not a lawyer. I am not aware of the law that requires uunet to go to court to prevent spammers who are not their direct customers from using their network. Spammers use many different means to send their spam. Most ISPs use AUP's to prevent spamming but afaik no isp has successfully sued a spammer and recovered any reasonable percentage of their expenses in fighting this same spam. When that becomes a method to pay for combating spam I am sure most ISPs will pursue it. This is a money issue.

NSP/ISP have shareholders who desire a return on their investment.

When I notify the abuse team at uunet of a spammer they act promptly shutting down any account that I can show is being used for spam.

Chris is a very trusted and active member of the NSP community; to his credit is a detailed document on blackhole filtering, one of the primary tools used by other NSP/ISP's for stopping bad traffic. AFAIK he cannot authorize legal action against spammers.

donald.smith@qwest.com my opinions are mine and do not reflect qwest policy.


> I am not a lawyer. I am not aware of the law that requires uunet to
> go to court to prevent spammers who are not their direct customers from using
> their network.

Doctrine of attractive nuisance

When I worked for IBM back in the '60s, on many occasions during my 7 years there I heard
upper management say that they were proud to be with a company that tried to be a "Good Corporate Citizen".
One branch manager had a cube on his desk which had printed on each side the(ir) manifesto of Corporate Social Responsibility.

From the AOL theft article:

"The revelations come as AOL and other Internet providers have ramped up their efforts to track down the purveyors of spam, which
has grown into a maddening scourge that costs consumers and businesses billions of dollars a year."

Perhaps those Corporate Citizens who can do something to ensure the viability of E-mail, should.

--Michael

> From the AOL theft article:
> "The revelations come as AOL and other Internet providers have
> ramped up their efforts to track down the purveyors of spam, which
> has grown into a maddening scourge that costs consumers and
> businesses billions of dollars a year."

Interesting. An insider at a network operator steals
a copy of some interesting operational data and sells
it to a 3rd party with an interest in doing nasty things
with said data.

And if Homeland Security really does require all outages
to be reported to a clearing house where only network
operations insiders can get access to it, then what?
Will someone sell this to a terrorist organization?

Better to leave all this information semi-public as
it is now so that we all know it is NOT acceptable
to build insecure infrastructure or to leave infrastructure
in an insecure state. Fear of a terrorist attack is
a much stronger motive for doing the right thing
than a government order to file secret reports to
a secret bureaucratic agency.

--Michael Dillon

Well said sir!

                            Scott C. McGrath

Has anyone noticed that the DHS plan is probably closer to the current
status of things than the FCC one is?

AFAIK, Currently this information _isn't_ required to be publicly
reported. The FCC wants it to be.

DHS would prefer that it be semi-public at best - just like Michael
Dillon wants.

Three options:
1. Status quo - no gov't reporting requirements
2. FCC proposal - completely public reporting requirements
3. DHS proposal - limited access reporting requirements

Food for thought: Could an analyst, looking at outage reports over a
period of time, build a schematic that would demonstrate that if you
took out n points, you'd kill x% of data traffic in and out of
$pickyourmetropolitanarea?

If this analyst were working for Bin Ladin....

Some ad hoc terrorists, in a country crawling with US troops, with a
communications infrastructure nowhere as advanced as the USA just
managed to coordinate a multiple bomb attack simultaneously.

What could they do here with the right information?

Should we hand them this information freely?

At least if someone in this "clearing house" sells it to the
terrorists, they will have had to work for it a bit, instead of having
us hand it to them on a silver platter, as the FCC seems to want.

Let the flames continue.

** Reply to message from Scott McGrath <mcgrath@fas.harvard.edu> on
Fri, 25 Jun 2004 11:22:51 -0400 (EDT)

> Food for thought: Could an analyst, looking at outage reports over a
> period of time, build a schematic that would demonstrate that if you
> took out n points, you'd kill x% of data traffic in and out of
> $pickyourmetropolitanarea?

> If this analyst were working for Bin Ladin....

Yes an analyst could do this. Our job is to make sure
that he can't get a very large x% without also requiring
a large investment in n attack points.

Consider bin Laden's organization in 2000. They
had a plan to commandeer 10 airliners and attack
10 targets in the USA including things like the CIA
headquarters. Resource constraints caused them to
back off to 4 targets. We already win because
the targets are not all in the same city block.

Next, the attack day arrived and the 4 teams
went to work. But only two of them achieved
100% objective. One team failed entirely when
they lost control of their weapon. And the third
team hit a glancing blow to the target that
damaged less than a fifth of the building. And
it turned out that they hit a less critical part
of the Pentagon as well. This is a typical result
of a military or terrorist operation. It is very
hard to plan and execute 100% effective coordinated
attacks against a large number of targets. On
9/11 the terrorists had no problem making 4 big booms
and getting attention. But they missed the White House
entirely and only did minor damage to the military
headquarters.

Remember, that packet switched networking
originated with the desire to build a telecom
network that could survive massive destruction
on the scale of a nuclear war, but continue to
function. If we apply that kind of thinking to
planning network deployment then there should be
little extra risk from terrorists knowing where
the vulnerable points are. Spread the risk
by spreading the vulnerable points.

> Some ad hoc terrorists, in a country crawling with US troops, with a
> communications infrastructure nowhere as advanced as the USA just
> managed to coordinate a multiple bomb attack simultaneously.

Iraq currently has a cellphone network that is
more advanced than the USA, i.e. it's all GSM.
But in fact, all they really needed to pull this
off was a quiet pub and some accurate watches that
could be synchronized prior to the attacks. Better
go back and watch those old spy movies again...

--Michael Dillon

** Reply to message from Brad Knowles <brad.knowles@skynet.be> on Fri,
25 Jun 2004 18:14:43 +0200

> > At least if someone in this "clearing house" sells it to the
> > terrorists, they will have had to work for it a bit, instead of having
> > us hand it to them on a silver platter, as the FCC seems to want.

> Not true. If the information is forced to be completely in the
> open, then everyone knows it's not insecure and no one depends on the
> fact that it was supposed to be kept secret. This is a case where
> you are more secure the more open the information is -- indeed, as we
> are in most cases, which is why we have the age-old security mantra
> of "security through obscurity is not secure".

Do you realize that the basic element of security, the password, is
based on the entire premise you just dismissed? And yet we still use
them - and depend on the fact that they are supposed to be kept secret.

The problem with being totally open about infrastructure is that there
are some vulnerabilities that simply cannot or will not be fixed -
wires sometimes have to run across bridges, redundant pumping stations
are too expensive... in these cases is it not better to hide where
these vulnerabilities are?

The problem with your point is that even if the information is forced
to be completely in the open, that is no guarantee that it will be
fixed, and people _do_ depend on this stuff, regardless of its
reliability or security.

Do you really think that if we publish all the insecurities of the
Internet infrastructure that anyone is gonna stop using it, or
business, government, and private citizens are going to quit depending
on it?

Security through obscurity is not secure - but sometimes it's all you
have.

** Reply to message from Michael.Dillon@radianz.com on Fri, 25 Jun 2004
17:12:45 +0100

> Remember, that packet switched networking
> originated with the desire to build a telecom
> network that could survive massive destruction
> on the scale of a nuclear war, but continue to
> function. If we apply that kind of thinking to
> planning network deployment then there should be
> little extra risk from terrorists knowing where
> the vulnerable points are. Spread the risk
> by spreading the vulnerable points.

I thought the old "nuclear survivable" argument was killed off years
ago - I seem to remember it being refuted in "Where Wizards Stay Up Late."

Packet switched networking originated with a desire to see if it would
work....

And you are welcome to assume the expense of spreading the vulnerable
points.

Jeff Shultz wrote:

> ** Reply to message from Brad Knowles <brad.knowles@skynet.be> on Fri,
> 25 Jun 2004 18:14:43 +0200

> > > At least if someone in this "clearing house" sells it to the
> > > terrorists, they will have had to work for it a bit, instead of having
> > > us hand it to them on a silver platter, as the FCC seems to want.

> > Not true. If the information is forced to be completely in the open, then everyone knows it's not insecure and no one depends on the fact that it was supposed to be kept secret. This is a case where you are more secure the more open the information is -- indeed, as we are in most cases, which is why we have the age-old security mantra of "security through obscurity is not secure".

> Do you realize that the basic element of security, the password, is
> based on the entire premise you just dismissed? And yet we still use
> them - and depend on the fact that they are supposed to be kept secret.

> The problem with being totally open about infrastructure is that there
> are some vulnerabilities that simply cannot or will not be fixed -
> wires sometimes have to run across bridges, redundant pumping stations
> are too expensive... in these cases is it not better to hide where
> these vulnerabilities are?

Not really. Security through obscurity in some circumstance can
help, but rarely when it comes to something like that. When it
comes to wires crossing a bridge or pumping stations, anyone who
tries hard enough will find out pretty easily. You end up with
two groups knowing where the vulnerabilities are, the handful of
"good guys" who oversee the resources and the bad guys.

It strikes me as similar to the outcry from the locksmith community
when the vulnerabilities of various master key mechanisms were
widely published. Who knew about the vulnerabilities? The "good
guy" locksmiths who used the vulnerabilities to break into your
office when you lost your keys (and sold you the locks) all knew,
and the bad guys who broke into your office to steal stuff knew.
Who didn't know? The consumer who was unable to make an informed
decision about the security of the various choices of key-lock
mechanisms he had available.

So the problem with the pumping station or the wires over the
bridge are that the limited number of experts know, the bad
guys know, but other people who should know (the network engineer
judging the reliability of his links or the civil engineer
deciding the capacity for an emergency water tower for an
industrial site) may not understand the true vulnerability
of the system.

But that doesn't mean we shouldn't put a fence around the
pumping station or a padlock on the door because a key is
just "security through obscurity" through some convoluted
logic.

> The problem with your point is that even if the information is forced
> to be completely in the open, that is no guarantee that it will be
> fixed, and people _do_ depend on this stuff, regardless of its
> reliability or security.

Some things cannot be and should not be "fixed." Making the
public water supply invulnerable to earthquake damage is not
practical. Individuals have the responsibility (even if most
don't) to keep a few days supply of potable water available
in the inevitable, but unlikely on any given day, event of
a powerful earthquake.

Making various infrastructure invulnerable to every foreseeable,
let alone unforeseeable, attack is not practical either. But
those who are affected by the failure of any piece of
infrastructure need to know how reliable it is and plan
accordingly.

> Do you really think that if we publish all the insecurities of the
> Internet infrastructure that anyone is gonna stop using it, or
> business, government, and private citizens are going to quit depending
> on it?

Of course not. But they may be better able to quantify their
risks in depending on the 'Net and make contingency plans where
it is prudent. The real world is about risk management; even
the US federal government has given up on a risk avoidance
model and moved to risk management.

> Security through obscurity is not secure - but sometimes it's all you
> have.

But it is worse than nothing when you obscure the truth from
people who should know. If the vulnerability is exploited,
the impact is worse than if those who should have known had had
the ability to plan for the contingency.

> Do you really think that if we publish all the insecurities of the
> Internet infrastructure that anyone is gonna stop using it, or
> business, government, and private citizens are going to quit depending
> on it?

That is a totally foolish statement in today's world. The incentive for
fixing the problem is going to be the competition's ability to say that
they do not suffer from the specified problem. Market forces will push
on the area of problem and force a solution.

To take away the exposure limits the incentive to fix the problem.
Companies are not going to spend $$ on something that does not
directly affect the income. Reporting your problems to someone
who doesn't affect the income isn't going to result in the fixing of
any problems.

One only has to look at the telephone history to see that.

Jerry

Anybody with a Rand McNally map of Manhattan can connect the dots for themselves.

Unless you're proposing that we issue Soviet-style maps that show the Brooklyn
Bridge between Williamsburg Bridge and Queens-Midtown Tunnel.

Or did you mean we should make the Brooklyn Bridge invisible so we can't
see it? There's this magician looking for another prime-time TV special, you know???