RE: [fw-wiz] The home user problem returns
From: Paul Melson (pmelson_at_gmail.com)
To: "'Mason Schmitt'" <email@example.com>, "'Marcus J. Ranum'" <firstname.lastname@example.org> Date: Mon, 12 Sep 2005 13:22:26 -0400
Subject: Re: [fw-wiz] The home user problem returns
> > With the current state of Internet software, it's pointless. It'd be
> > meaningful to encourage ISPs to filter traffic if there were
> > end-to-end authenticated links going on, and nothing else. If you want
> > to push things back far enough, intellectually, the problem is that
> > anonymous Internet access is being offered. That's the underlying
> YES!!! And the fact that there are groups that are working hard at
> anonymity bothers me. I know that there's always the concern about Big
> worse and far more plausible, abuse of any large scale
> that get setup in the future.
?! <Paul makes Scooby Doo noise> ?!
I fear that you and Marcus have mistaken privacy for anonymity. Just
because something isn't transparent end-to-end, doesn't mean it's anonymous.
The disparate bureaucratic systems that possess the information necessary to
track an action back to an individual over the Internet are representative
of the way we decentralize control of commodities and assets in general. I
don't know that that's a bad thing.*
Also, I find it a little presumptuous that you should be trusted to know my
information because I somehow show up on your radar. I think it should be
up to me as to whether or not I'm willing to trade my information for access
to something you have in the name of accountability. I want to decide when
I'm willing to make that trade.
Imagine the fallout if anybody had everybody's information available just by
asking the right questions. Look at how directories like whois databases
have been abused by spammers and hackers over the past 15 years. I doubt
that ubiquitous "accountability" on the Internet is a path to improved
security at all, but I definitely have concerns about how it would be abused
* There is a whole different rant about the assumption of the need for
unfettered connectivity between organizations (even ISPs) and the rest of
the Internet that is underlying to this discussion. It has been my
experience that networks are often attacked from other networks that they
had literally no business communicating with.
The connection back to what I said above is that if you can define and
document the traffic that traverses a network, you can establish
accountability in a much more effective manner. You don't even necessarily
need to establish the identity of an individual if you can establish
responsibility for that traffic before it's even allowed.
Imagine with me for a moment a magical land of unicorns and faeries where
businesses and their network admins are so effectively cooperative that
simple router ACLs are reflective of business communication and nothing
else. Imagine some businesses turning off their Internet connection
altogether. Now imagine shrinking the scope of all of your network security
efforts down to that scale, that traffic, and those applications that are
core to business processes only. Now imagine half of us infosec vendors and
proselytizers being out of a job and having to find work herding trolls.
Seriously, I would gladly herd trolls if it meant never having to hear about
how my bank got hacked by Russian teenagers.
firewall-wizards mailing list