RE: [fw-wiz] The home user problem returns

From: Paul Melson (
Date: 09/12/05

  • Next message: Paul Melson: "RE: [fw-wiz] The home user problem returns"
    To: "'Mason Schmitt'" <>, "'Marcus J. Ranum'" <>
    Date: Mon, 12 Sep 2005 11:26:18 -0400

    -----Original Message-----
    Subject: Re: [fw-wiz] The home user problem returns

    > > With the current state of Internet software, it's pointless. It'd be
    > > meaningful to encourage ISPs to filter traffic if there were
    > > end-to-end authenticated links going on, and nothing else. If you want
    > > to push things back far enough, intellectually, the problem is that
    > > anonymous Internet access is being offered. That's the underlying
    > YES!!! And the fact that there are groups that are working hard at
    > maintaining that anonymity bothers me. I know that there's always the
    > concern about Big Brother, or worse and far more plausible, abuse of any
    > large scale trust/authentication systems that get set up in the future.

    ?! <Paul makes Scooby Doo noise> ?!

    I fear that you and Marcus have mistaken privacy for anonymity. Just
    because something isn't transparent end-to-end, doesn't mean it's anonymous.
    The disparate bureaucratic systems that possess the information necessary to
    track an action back to an individual over the Internet are representative
    of the way we decentralize control of commodities and assets in general. I
    don't know that that's a bad thing.*

    Also, I find it a little presumptuous that you should be trusted to know my
    information because I somehow show up on your radar. I think it should be
    up to me as to whether or not I'm willing to trade my information for access
    to something you have in the name of accountability. I want to decide when
    I'm willing to make that trade.

    Imagine the fallout if anybody had everybody's information available just by
    asking the right questions. Look at how directories like whois databases
    have been abused by spammers and hackers over the past 15 years. I doubt
    that ubiquitous "accountability" on the Internet is a path to improved
    security at all, but I definitely have concerns about how it would be abused
    and exploited.


    * There is a whole different rant about the assumption of the need for
    unfettered connectivity between organizations (even ISPs) and the rest of
    the Internet that underlies this discussion. It has been my
    experience that networks are often attacked from other networks that they
    had literally no business communicating with.

    The connection back to what I said above is that if you can define and
    document the traffic that traverses a network, you can establish
    accountability in a much more effective manner. You don't even necessarily
    need to establish the identity of an individual if you can establish
    responsibility for that traffic before it's even allowed.

    Imagine with me for a moment a magical land of unicorns and faeries where
    businesses and their network admins are so effectively cooperative that
    simple router ACLs are reflective of business communication and nothing
    else. Imagine some businesses turning off their Internet connection
    altogether. Now imagine shrinking the scope of all of your network security
    efforts down to that scale, that traffic, and those applications that are
    core to business processes only. Now imagine half of us infosec vendors and
    proselytizers being out of a job and having to find work herding trolls.

    Seriously, I would gladly herd trolls if it meant never having to hear about
    how my bank got hacked by Russian teenagers.

    firewall-wizards mailing list
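The idea in Paul's footnote, documenting the traffic a network legitimately carries and treating everything else as unaccounted for, as an added example that is not part of the original thread: a short Python check that matches constructed flow records against a constructed allow-list of business flows and reports the ones with no documented owner. The record format, prefixes and owners are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowedFlow:
    src: ipaddress.IPv4Network   # internal prefix permitted to initiate
    dst: ipaddress.IPv4Network   # remote prefix it has business with
    proto: str
    dport: int
    owner: str                   # who is accountable for this flow


def allow(src, dst, proto, dport, owner):
    return AllowedFlow(ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport, owner)


# Constructed "documented business traffic" for a hypothetical site.
ALLOWED = [
    allow("10.1.0.0/16", "203.0.113.10/32", "tcp", 443, "payroll vendor"),
    allow("10.1.0.0/16", "198.51.100.0/24", "tcp", 25, "partner mail relay"),
]

# Constructed flow records in a simple "src dst proto dport" form.
SAMPLE_FLOWS = [
    "10.1.4.7 203.0.113.10 tcp 443",   # covered: payroll vendor
    "10.1.4.7 198.51.100.20 tcp 25",   # covered: partner mail relay
    "10.1.4.7 192.0.2.55 tcp 445",     # no documented reason to talk to that network
    "10.1.9.2 203.0.113.10 tcp 22",    # documented peer, but not the documented service
]


def owner_of(line):
    """Return the accountable owner for a flow record, or None if undocumented."""
    src, dst, proto, dport = line.split()
    src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    for rule in ALLOWED:
        if src in rule.src and dst in rule.dst and proto.lower() == rule.proto and dport == rule.dport:
            return rule.owner
    return None


def undocumented_flows(lines):
    """Every record nobody has taken responsibility for; candidates for denial."""
    return [line for line in lines if owner_of(line) is None]


if __name__ == "__main__":
    for line in undocumented_flows(SAMPLE_FLOWS):
        print("undocumented:", line)
```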
