Pointer, Public Policy issue - from Bill Stearns - Security




  1. Pointer, Public Policy issue - from Bill Stearns

    Too good to miss...

    If you're not reading http://isc.sans.org/diary.html , you should be every
    day. It is posted blog style and archived, so the page I see now may be
    different when you view it later. The linked pdf has the message. Here
    is Bill's posting from the sans site:

    Office of Cyber Public Health?
    Published: 2007-06-14,
    Last Updated: 2007-06-14 05:02:03 UTC
    by William Stearns (Version: 1)

    Joe St. Sauver, security and spam researcher at the University of
    Oregon, points out that botnets are a symptom; the cause is infected
    systems. We can't clean up the bots without cleaning up the infected
    systems first.

    His paper for the Anti-Phishing Working Group is here
    http://www.uoregon.edu/~joe/ecrime-s...ime-summit.pdf

    As you read it, ask yourself these questions. If you think his proposal
    wouldn't work, what would you recommend instead? Would your proposal be
    more likely to succeed? Why?

    -- Bill


  2. Re: Pointer, Public Policy issue - from Bill Stearns

    Oh, for ghod's sake.

    Go to http://www.craphound.com/spamsolutions.txt and fill out the
    appropriate boxes.


  3. Re: Pointer, Public Policy issue - from Bill Stearns

    Nico wrote:

    > Oh, for ghod's sake.


    I have to believe that Messrs. Stearns and St. Sauver were quite serious
    in what they wrote. Also, that they are not entirely ignorant of that
    which they speak, as I am also not entirely. Other readers should also
    not be ignorant of this, and that is why I posted the pointer.

    Please be so considerate as to post your comments directly to SANS, where
    they will be moderated and posted if worthy of posting (unless, of course
    they have some special significance to this NG). There are some new
    comments posted there today.

    The original link to the 'diary' that you trimmed without note is

    http://isc.sans.org/diary.html

    The link to Mr. St. Sauver's (pdf) article therein contained is

    http://www.uoregon.edu/~joe/ecrime-s...ime-summit.pdf

    > Go to http://www.craphound.com/spamsolutions.txt and fill out the
    > appropriate boxes.


    This is an exceptionally moribund and negative text. It is surely
    a recipe for a self-fulfilling prophecy for failure. I suggest that you
    yourself go to that text and 'fill out the appropriate boxes'. Send it to
    the original publishers and see what success you find.


  4. Re: Pointer, Public Policy issue - from Bill Stearns

    responder wrote:

    > Nico wrote:
    >
    >> Oh, for ghod's sake.

    >
    > I have to believe that Messrs. Stearns and St. Sauver were quite serious
    > in what they wrote. Also, that they are not entirely ignorant of that
    > which they speak, as I am also not entirely. Other readers should also
    > not be ignorant of this, and that is why I posted the pointer.
    >
    > Please be so considerate as to post your comments directly to SANS, where
    > they will be moderated and posted if worthy of posting (unless, of course
    > they have some special significance to this NG). There are some new
    > comments posted there today.
    >
    > The original link to the 'diary' that you trimmed without note is
    >
    > http://isc.sans.org/diary.html
    >
    > The link to Mr. St. Sauver's (pdf) article therein contained is
    >
    > http://www.uoregon.edu/~joe/ecrime-s...ime-summit.pdf
    >
    >> Go to http://www.craphound.com/spamsolutions.txt and fill out the
    >> appropriate boxes.

    >
    > This is an exceptionally moribund and negative text. It is surely a
    > recipe for a self-fulfilling prophecy for failure. I suggest that you
    > yourself go to that text and 'fill out the appropriate boxes'. Send it to
    > the original publishers and see what success you find.


    Amplifying my own message:

    Here is another indicator of interest of attempt to 'disrupt botnet
    activities'. Scroll to the title 'FBI Headline: Operation BOT ROAST',
    dated Wednesday, June 13, 2007.

    http://www.f-secure.com/weblog/

  5. Re: Pointer, Public Policy issue - from Bill Stearns

    On Thu, 14 Jun 2007 03:29:15 -0400, responder wrote:

    > Joe St. Sauver, security and spam researcher at the University of
    > Oregon, points out that botnets are a symptom; the cause is infected
    > systems. We can't clean up the bots without cleaning up the infected
    > systems first.
    >
    > His paper for the Anti-Phishing Working Group is here
    > http://www.uoregon.edu/~joe/ecrime-s...ime-summit.pdf
    >
    > As you read it, ask yourself these questions. If you think his proposal
    > wouldn't work, what would you recommend instead? Would your proposal be
    > more likely to succeed? Why?


    If he wants gov. controlled (and it would end up gov. "controlled")
    Internet, he can go to China. I hear they do a pretty good job of
    censoring their citizens there. As soon as you allow government to filter
    based on content, it becomes a content-filter, and that equates to
    censorship. It's no different than filtering radio or television
    broadcasts (which I believe that, the US gov. at least, would have already
    done to the Internet if it were not an international entity).

    The author makes frequent allusions to the 'Net as similar to health care,
    but it is not. Not the US, nor anyone else, would die if the Internet as a
    whole was shut down. Surprising we lived centuries before without it.

    The solution is to make it costlier to allow abuse to exist than it is to
    clean it up. Make damage done to a computer system, whether it's hacking
    or whatnot, a cost that is passed on down the line until it hits the person
    ultimately responsible for that offending system: the user. Watch then how
    fast they learn to secure themselves. Pull their plug until they do. The
    key points are 1) assign a monetary value to abuse and charge it against
    the ISP that in turn will want to off load that onto the customer causing
    the trouble and 2) deny service until they're secure. Why can't you
    connect today? Well, because you've been turned into a spam-cannon and the
    Internet at large doesn't want to include you if that's what you're
    putting out there.

    Those places in the world that are not willing to be responsible for the
    damage they cause, you don't allow their traffic. Or you do, but you
    heavily restrict what they can connect to. I already do this with places
    known not to accept abuse reports from myself, or those that bounce my
    mail. If your operating system doesn't allow you to do this easily, you
    probably need to change operating system. But it's the user's choice, who
    he'll allow to connect to him or correspond with.

    The hardest part of a solution like this would likely be attaching a cost
    to the abuse. Maybe it needs to be a sue-able offense? Maybe there needs to
    be a few basic laws created, or old ones updated for the Internet of
    today? I'm not sure; but I guarantee that it's better and less restrictive
    than turning the whole thing over to the government.


    --
    [RBL:Just A Bad Idea] Do not use DNS-RBL; Demand your ISP stop.
    Tell RoadRunner/Adelphia, Netzero,etc: don't trash your mail.
    http://www.ifn.net/classic/rblstory.htm
    http://theory.whirlycott.com/~phil/a...d/rbl-bad.html
    Finger my user name at host atr2.ath.cx for mail addr, gpg, etc.


  6. Re: Pointer, Public Policy issue - from Bill Stearns

    jayjwa wrote:

    [...]

    > The hardest part of a solution like this would likely be attaching a cost
    > to the abuse. Maybe it needs to be a sue-able offense? Maybe there needs to
    > be a few basic laws created, or old ones updated for the Internet of
    > today? I'm not sure; but I guarantee that it's better and less restrictive
    > than turning the whole thing over to the government.


    The bulk of what I trimmed is a good and intelligent suggestion. The
    problem is that there is no tasked group to pursue and implement punitive
    sanctions against abusers, just as there is apparently no organized
    consensus of the need to do so.

    While we lived long before without internet, it has quickly become an
    indispensable part of essential infrastructure. I do share your aversion
    to total government control. Development of consensus alternatives needs
    community discussion and involvement.

    Those who think this need not be a personal concern to them are in denial.
    Thanks for your intelligent consideration and thanks for writing. I will
    continue to try to read and answer as I am able, should you or others
    continue the discussion.

    To those whose own news servers do not carry the original messages in this
    thread, I would suggest google groups (groups.google.com).
