[OT] fix Everything, Was: Site defaced - what next?

Jeff Kinz jkinz at kinz.org
Sun Aug 8 19:48:01 EDT 2004


On Mon, Aug 09, 2004 at 03:51:12AM +0900, Derek Martin wrote:
> On Sun, Aug 08, 2004 at 01:06:05PM -0400, Jeff Kinz wrote:
> > Never attribute to malice that which can be adequately explained by
> > stupidity. 
> It's incomplete though.  What if there's ample evidence of malice?
Well, that's a different story, of course.
> 
> > > In the case of both the attack on the WTC and the Federal Building,
> > > we know that federal law enforcement agents had prior knowledge, but
> > > did nothing to stop the attacks.  
> 
> > 	Assumes a willful act instead of a typical bureaucratic SNAFU
> > like the one that destroyed Challenger.  I think the latter is more likely.
> 
> I don't; it doesn't explain why the ATF paged its employees and told
> them to stay home.  

Derek, because I know you to be a very sincere person I have to believe
that you heard this from a source you trust.  I am not familiar with
these facts.  Do you have a reference on these events?

> They had to know the jig was up...  
Accepting that the ATF did tell its employees to stay home, it does not
follow that the reason for this was the ATF's pre-knowledge of what was
about to happen.  It is one of multiple possible explanations.

Until there is actual evidence of said conspiracy,  this is 
a conjecture, and one which has emotional appeal to many people in our
generation due to Vietnam, Watergate, Monica and etc...

Experience has taught me that Hanlon's razor often applies even when 
deliberate actions seem to be the only possible explanation.

> 
> Rather than
> responding to it appropriately, they simply evacuated the office.
> However, additional reports indicated that they responded within 5
> minutes of the actual bombing in full riot gear.  Law enforcement
> experts stated that it normally takes 30 minutes to respond, most of
> which is just preparing gear...  I don't think ineptitude adequately
> explains this.

This certainly makes your case stronger.  I would like to have
information about this from some additional verifiable sources before
I can accept it.

> > And for any enforcement effort to work, a technological solution is also
> > required.  It needs to work automatically, in real time and has to be
> > part of each ISP's infrastructure.  
> 
> Sorry, but I am really offended by the idea of law enforcement having
> the capability to spy on virtually everyone on the planet in real
> time...  

I didn't say, or mean, "law" enforcement. I was thinking about something
more along the lines of a cooperative effort between ISP's (or other
entities with virtual property on the web which is being attacked)
to automate (to some degree), the detection and reporting of various
attacks/attack patterns. This would facilitate both identifying the
attackers and taking countermeasures. If Police or others need to be
involved, that would be at the discretion of the ISP or the attacked
party.

For example, everyone here who has a cable connection can attest to the
numbers of attacks just randomly rattling the doorknobs on our systems
each day, just to see if we left any doors open. (Aka, "are running a
windows box"). I have done some experiments with scripts automating
the capture of the IPs of these probes and doing some traceback style
investigation.

The effort stopped rather quickly when I realized I could not really
trace them back past their first point of "Apparent" origin (the IP
the probes seem to originate from), because I could not access that
node to see if they were just using it as temporary base to work from
and were actually located somewhere else, or worse, were bouncing their
efforts through multiple intermediate dummy sites like the hackers Mr.
Kroll?(Cuckoo's Egg) had so much fun tracking down.

To do that requires the cooperation of the abuse team of the ISP
whose network the probe is coming from.  How likely is that?


"beep beep" ( aka "A phone rings" )

"Hello, ComMax network NOC, Bill speaking"

"Hello Bill, I'm a customer and I see a sasser virus style probe coming 
from a dynamic IP on your network and I was wondering if you could trace
down the owner of the account logged into that IP and get them to -

"CLICK"
bzzt     bzzt    bzzt.

Seriously, though, these attacks are too numerous and too fleeting to be
dealt with by hand.  However, if the ISP has a service port and an API
which a cooperating ISP could use to perform backtraces in real time as
the attacks were running then it would become practical to do things
like:

  Identify and isolate infected PCs
  (The ISP could even sell them a sterilization CD that boots to its own
  OS and decontaminates the PC.  It could be a new revenue stream.)

  Identify persons who are actually initiating attacks, using zombie
  pools etc to do DDOSing etc. (This would be much rarer, I'm sure)

> I'm going to have to strenuously object to anything remotely
> similar to this kind of approach to solving the problem.  Forcing
> businesses to become an extension of law enforcement is the WRONG
> solution.
I quite agree and that wasn't what I meant.
> 
> > Or were you thinking that we can harden each individual system?
> 
> Yes.  They should come that way by default.  The average user has no
> need to be running services which bind to external interfaces on their
> desktop machine; but Windows (and lots of Unix-alikes too) have them
> that way.  Internet exploder and its ugly step-cousins CAN be
> redesigned to be much more secure by default.

All true.  Can it be made to happen in the PC mass market?

> > > Sad, but true.  So, let's keep law enforcement out of cyberspace as
> > > much as possible then, shall we?
> > 
> > Agreed, but - how much is "as much as possible" when most cyber users
> > are nearly clueless? And willfully intend to remain so?
> 
> Again, the solution is to push the responsibility back where it
> belongs: on the vendor.  "As much as possible" can be mostly.  It is
> possible for people to write good software.  DJB proved it with qmail
> and DJBDNS.  We are clever -- we can write tools (and have already) to
> help us do so.  But as others have argued in the past, there's no
> economic incentive for the vendors to bother, so they don't.

It sounds like the only thing that will work is to somehow create an
economic incentive.
> 
> > > Microsoft is a most visible and most hated example of this, and hence
> > > they are a big target.  But they are not alone.  Until we as consumers
> > > hold responsible software companies who sell poor quality software,
> > > and force them to write better software, the situation will not
> > > change.
> > Hmm - can/will the consumers actually do anything about this?  How do we 
> > catalyze this effort?  DRM awareness day at Best Buy in Nashua?
> 
> Grass roots, I guess...  We need laws that allow the commercial
> software vendors to be held responsible.  Nothing else will work.
> Period.  The potential threat of losing their shirts on liability
> lawsuits will force the vendors to do a better job.

   Or convince them to move to friendlier legal climates in other
   countries?
> 
> Ok, even with my liberal interpretation of what is and isn't on-topic
> here, I think this thread has only a tenuous connection to it, so I'm
> gonna stop here.  Plus there's another accursed mosquito in my room,
> so I'm going to have to spend some time hunting it down before I can
> go to bed safely...  Sigh.

Good Hunting!


-- 
Linux/Open Source.  Now all your base belongs to you, for free.
============================================================
Idealism:  "Realism applied over a longer time period"
============================================================
"The most absurd notion ever is that the Lord of Creation, Ruler of the
Universes, wants the adoration of His creatures, and can be swayed by
their prayers. Yet this fantasy, without a shred of evidence to bolster
it, pays all the expenses of the oldest, least productive industry in
all history."               ( Stolen from RAH and then mangled a bit.)


Jeff Kinz, Emergent Research, Hudson, MA.
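As an added illustration of the probe-capturing scripts the message above describes (this is example code added here, not code from the original post or from anyone on the list), the following Python script reads netfilter LOG lines in the syslog format a Linux gateway writes, aggregates the "doorknob rattling" by apparent source address, and produces a summary suitable for sending to that address block's abuse contact. The log lines, the addresses (documentation ranges only) and the port set used for the "worm-style" verdict are constructed for the example; the function names are the example's own. The summary deliberately stops at the SRC address, which, as the message notes, is only the apparent origin and may itself be a compromised intermediate.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample input: iptables/netfilter LOG lines as syslog records them,
# plus one unrelated sshd line to show non-firewall records being skipped.
# All addresses are from RFC 5737 documentation ranges; none is a real probe.
SAMPLE_LOG = """\
Aug  8 19:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=3342 DPT=445 SYN
Aug  8 19:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=3343 DPT=139 SYN
Aug  8 19:01:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=3344 DPT=135 SYN
Aug  8 19:02:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=1025 DPT=445 SYN
Aug  8 19:02:12 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=1026 DPT=445 SYN
Aug  8 19:03:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=1027 DPT=445 SYN
Aug  8 19:05:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.20 PROTO=UDP SPT=53 DPT=53 LEN=60
Aug  8 19:05:01 gw sshd[1234]: Accepted publickey for jeff from 198.51.100.9 port 50022 ssh2
"""

# Syslog timestamp at the start of the line ("Aug  8 19:01:02").
TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
# The netfilter fields we care about; other fields (LEN, TOS, ...) may sit between them.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

# Ports that the Sasser/Blaster-era worms hammered on Windows hosts (assumption for the example).
WINDOWS_SERVICE_PORTS = {135, 139, 445}


@dataclass
class SourceSummary:
    """Everything we know about one apparent source address."""
    src: str
    hits: int = 0
    ports: Set[int] = field(default_factory=set)
    protos: Set[str] = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def parse_firewall_log(text: str) -> Dict[str, SourceSummary]:
    """Aggregate netfilter LOG lines by SRC address; lines without the fields are ignored."""
    summaries: Dict[str, SourceSummary] = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        tm = TS_RE.match(line)
        if not m or not tm:
            continue  # not a netfilter LOG record (e.g. the sshd line)
        # Year is absent from syslog timestamps; strptime defaults it, fine for intra-day ordering.
        ts = datetime.strptime(tm.group(1), "%b %d %H:%M:%S")
        s = summaries.setdefault(m["src"], SourceSummary(src=m["src"]))
        s.hits += 1
        s.ports.add(int(m["dpt"]))
        s.protos.add(m["proto"])
        s.first_seen = ts if s.first_seen is None or ts < s.first_seen else s.first_seen
        s.last_seen = ts if s.last_seen is None or ts > s.last_seen else s.last_seen
    return summaries


def classify(s: SourceSummary) -> str:
    """Coarse verdict: several ports means a sweep; repeated hits on worm ports means a worm-style probe."""
    if len(s.ports) >= 3:
        return "port sweep"
    if s.hits >= 3 and s.ports <= WINDOWS_SERVICE_PORTS:
        return "worm-style probe"
    return "unclassified"


def abuse_report(summaries: Dict[str, SourceSummary], min_hits: int = 3) -> List[str]:
    """One line per noisy source, ordered by volume, for the abuse desk of that address's network.
    Attribution stops at the apparent origin: only that network can say who sat behind the IP."""
    lines: List[str] = []
    for s in sorted(summaries.values(), key=lambda x: (-x.hits, x.src)):
        if s.hits < min_hits:
            continue
        lines.append(
            f"{s.src}: {s.hits} hits, ports {sorted(s.ports)}, proto {'/'.join(sorted(s.protos))}, "
            f"{s.first_seen:%H:%M:%S}-{s.last_seen:%H:%M:%S}, verdict={classify(s)}"
        )
    return lines


if __name__ == "__main__":
    for report_line in abuse_report(parse_firewall_log(SAMPLE_LOG)):
        print(report_line)
```

Pointed at a real `/var/log/messages` or `journalctl -k` dump instead of `SAMPLE_LOG`, the same three functions give a per-source digest; the `min_hits` threshold keeps one-off noise such as the single DNS reply out of the report, and the verdict is a hint for the human who decides whether the entry is worth a phone call to the other network's NOC.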




More information about the gnhlug-discuss mailing list