Hi Everyone,
I'm pleased to announce that the Voice Operators' Group has found an excellent home.
Our web site, www.voiceops.org, has a good home (thanks Scott!), while Jared, Daniel, and all the great folks over at nether.net are hosting our list server.
If VoiceOps can do for voice anything close to what NANOG has done for IP, we'll all owe much to the people that are making this happen.
email: voiceops-subscribe@voiceops.org
web: https://puck.nether.net/mailman/listinfo/voiceops
Thanks,
David Hiers
CCIE (R/S, V), CISSP
ADP Dealer Services
2525 SW 1st Ave.
Suite 300W
Portland, OR 97201
o: 503-205-4467
f: 503-402-3277
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.
Governments already license stock brokers, pilots, commercial drivers, accountants, engineers, all sorts of people whose mistakes can be measured in the loss of hundreds of lives and millions of dollars.
http://sip-trunking.tmcnet.com/topics/security/articles/63218-bill-give-president-emergency-power-internet-raises-concerns.htm
Good times....
David Hiers
"'The power company allowed their network security to be compromised by a
single Windows computer connected to the Internet in the main control
facility, so we unplugged the entire Internet to mitigate the attack,'
said Senator Rockefeller, the author of the bill that enabled the
President to take swift action after an unknown hacker used the Internet
to break into Brominion Power's main control facility and turn off the
power to the entire East Coast. 'It will remain unplugged and nobody in
the US will be allowed to connect to the Internet until the power is back
on and this hacker is brought to justice.'
Authorities are having a difficult time locating the hacker due to the
unavailability of the Internet and electricity, and cannot communicate
with lawmakers via traditional means due to the outage. A formal request
to turn the power and Internet back on was sent on a pony earlier this
afternoon to lawmakers in DC."
Can't wait.
Beckman
It would appear as though your employer should be amongst the first to
apply...
http://www.baselinemag.com/c/a/Tools-Security-hold/ADP-Duped-Into-Disclosing-Data/
-Dave (who long ago learned to not post contentious stuff from his
employers' e-mail)
I'm trying really hard to find my "paranoia hat", and just to relieve
some boredom I read the entire bill to try to figure out where this was
all coming from....
"(2) may declare a cybersecurity emergency and order the limitation or
shutdown of Internet traffic to and from any compromised Federal
Government or United States critical infrastructure information system
or network;"
Now, I'm sorry, but that doesn't say anything about shutting down the
entire Internet. Yes, I understand the idea that since they COULD
possibly deem the entire Internet (that Al Gore created?) a critical
infrastructure, it would seem simple enough to put a provision in to
prevent that. But IMHO the point is to involve people outside the
government (read the parts on establishing the committee and voting on
rules/regs) as opposed to dictating to them.
And it's no different than it is today for groups that have to connect
to/from particular agencies within the government. There's already
plenty of rules in place about that.
So if someone hacks the electric grid, does it not make sense to unplug
that portion of the infrastructure from the Internet until the problem
is fixed? (e.g. shut down traffic to/from) I think someone wrote an
article after WAY over-thinking this whole thing and everyone else jumps
on the bandwagon.
So I'm open to hearing about things if I missed them. Reading Senate
Bills isn't all that exciting, so it's possible I zoned out a bit, but
can someone explain to me where this thought process is coming from?
Thanks!
Scott
Peter Beckman wrote:
... this whole issue reminded me of:
http://www.youtube.com/watch?v=iRmxXp62O8g
and
http://www.youtube.com/watch?v=wrQUWUfmR_I
On the more serious note: the vagueness of some terms and definitions is
what concerns me, for example. I am not sure if the problem could be fixed,
though, under a mechanism fundamentally very litigious - thus so very likely
to produce laws with potential for [lots of] interpretations (by paid
specialists, of course).
***Stefan Mititelu
http://twitter.com/netfortius
http://www.linkedin.com/in/netfortius
* Scott Morris:
> I'm trying really hard to find my "paranoia hat", and just to relieve
> some boredom I read the entire bill to try to figure out where this was
> all coming from....
> "(2) may declare a cybersecurity emergency and order the limitation or
> shutdown of Internet traffic to and from any compromised Federal
> Government or United States critical infrastructure information system
> or network;"
Wouldn't this mean you're allowed to set emergency ACLs only if a
cybersecurity emergency has been declared by the President?
I must have missed the phrasing that says "nobody else can make an
independent decision regarding any security measure above and beyond the
minimum standards"...
I'll go back and look for that.
Scott
Florian Weimer wrote:
The EFF summed up the problems with the bill's current text quite well
I believe (without any tin-foil hats required): "The Cybersecurity Act
is an example of the kind of dramatic proposal that doesn't address
the real problems of security, and can actually make matters worse by
weakening existing privacy safeguards – as opposed to simpler,
practical measures that create real security by encouraging better
computer hygiene." -
http://www.eff.org/deeplinks/2009/04/cybersecurity-act
$0.02
~Chris
I don't know, but #2 reads more like: If the president orders it,
compromised federal websites or federal websites under attack can be
ordered off the internet. That doesn't look to me like they can shut you
down or require you to be a certified cyber-security person.
--Curtis
Having met more than a few people in government IT, all jokes aside,
I think they're pretty well equipped to know when and if they need to
disconnect from the Internet, even without an executive order. Like
many things in Washington, this all may be an attempt to put the "public"
at ease by demonstrating the "we're from the government and we're here
to help" principle with regard to Internet security but honestly...
If the President wanted to disconnect the working parts of the US
Government (beside the Judicial and Legislative branches) from the
Internet all it would take is an executive order.
The more troubling parts of this bill had to do with the President,
at his discretion, classifying parts of public networks as "critical
infrastructure" and so on.
jy
currently living overseas and finding all of this very amusing...
> The more troubling parts of this bill had to do with the President,
> at his discretion, classifying parts of public networks as "critical
> infrastructure" and so on.
Whatever your opinion, get involved. Let your representatives know about your better ideas.
> currently living overseas and finding all of this very amusing...
If any other country has solved the problem of protecting
Internet/data/cyber/critical/etc infrastructures and have some great ideas, it would be great to hear what those ideas are and how they did it.
>> The more troubling parts of this bill had to do with the President,
>> at his discretion, classifying parts of public networks as "critical
>> infrastructure" and so on.
> Whatever your opinion, get involved. Let your representatives know
> about your better ideas.
I strongly second this. To quote a bumper sticker/slogan I've seen,
"if you didn't vote, you shouldn't complain". Some prominent
politicians have proposed something that we -- including me -- believe
to be a bad idea, not just on ideological grounds but because we think
that it won't accomplish its purported goals and may even be
counterproductive. I don't see a lot of network operators in Congress
-- if you know better, you really need to tell them.
Some folks on this list -- and I know there are a few, very
specifically including myself -- spend more than a little bit of time
not just worrying about public policy issues, but actually spending
time and effort on the subject. (I'm in D.C. right now, largely
because of a policy-related meeting on Tuesday.) I'll misuse a
security slogan I've seen on mass transit facilities in the New York
area: if you see something, say something. If no one tells Congress
that this is a bad idea, how should they know?
>> currently living overseas and finding all of this very amusing...
> If any other country has solved the problem of protecting
> Internet/data/cyber/critical/etc infrastructures and have some great
> ideas, it would be great to hear what those ideas are and how they
> did it.
Indeed.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
> I strongly second this. To quote a bumper sticker/slogan I've seen,
> "if you didn't vote, you shouldn't complain". Some prominent
> politicians have proposed something that we -- including me -- believe
> to be a bad idea, not just on ideological grounds but because we think
> that it won't accomplish its purported goals and may even be
> counterproductive. I don't see a lot of network operators in Congress
> -- if you know better, you really need to tell them.
we need an easy way to click and opine, a la moveon.org, and other
social and political orgs. maybe forwardon.org?
randy
+1
I operate a Maine ISP/ASP, and Senator Snowe is my lobbying target.
Steven M. Bellovin wrote:
randy,
moveon is a maine-based org. it is an effective, fund raising, partisan organization. it is much more than a click-and-opine vehicle, it puts hundreds of thousands of dollars into competitive races, and has a competent political director.
to create a "NagOn" we would have to hire or appoint a political director, and a financial director, and charge each with framing the issue, and executing a seven figure plan, and a communications director, to put the message with the money in targeted media markets, and finally, to show teeth, drop the margin of error, or on the order of high five, low six figures, in targeted congressional races, for challengers and incumbents.
in about a year after starting down this path, the "Congressman, it's NagOn on line one" conversation would be slightly different from today, and in several years time, more so.
eric
Randy Bush wrote:
"A journey of a thousand miles begins with a single step."
I don't know that a NagOn is the best way or the only way to make
progress. I do know that the most likely source of that kind of
funding is (many of) our employers, who may not have technical
excellence on the top of their lists. But I'm even more certain that
if technical people never speak up, their message will never be heard,
except perhaps by accident.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
Department of the Interior had *how* many court-ordered disconnections?
I believe that this is exactly the kind of thing that the US ISOC
Chapters should be (and are to varying degrees) involved in --
providing legitimate technical information and expert analysis of
local, state and federal policies which impact the Internet, to those
making the policies. The global ISOC already does this for ICANN and
other international organizations, it seems fitting that the chapters
do more of this here inside the USA.
I encourage everyone with even a fleeting interest in tech-policy to
seek out their local ISOC chapter
(http://www.isoc.org/isoc/chapters/list.php?region=worldwide&status=A)
and let them know that you care. I can tell you as the founding chair
of the Colorado chapter that my largest hurdle today is getting active
members to participate - I have funding, etc, just no help... (I
invite everyone to contact me directly with suggestions and ideas in
this vein - I have some vehicles in place to start making this happen
quickly with a bit of help)
</soapbox>
~Chris