Re: Cyberterrorism [was: Re: NSA wiretap, Friday night]
From: nobody@xxxxxxx (Kevin the Drummer)
Date: 07 Sep 2006 18:25:44 GMT
responder <no@xxxxxxxxxxxx> wrote:

> Kevin the Drummer wrote:
> [snip]
>> So, what can WE do [to improve cyber security]?
>
> Whether any particular illicit activity is most correctly
> called criminal or terrorist

I suppose that there is overlap in the protection schemes between
those two classes of attackers.

> 1. Keep your own systems in order, updated and secure so you
> don't become part of the problem.

Of course! Gotta worry about the other folks tho. You cover
that below some.

> 2. Use a (firewall) log aggregation service

Yup.

> 3. Advocate (gently) for computer and network security, to
> people you know personally, especially if they are doing unsafe
> things.

I already do.

> 4. ... I think that there needs to be a generally accepted
> and acceptable standard that if a connected computer is
> compromised, it should be disconnected.

That would need to be somehow seen as a benefit to the end user.
Before the explosion in spam, having someone else filter one's
email would have been wholly unacceptable. Now it's seen as an
absolute need. Having one's computer disconnected needs to be
seen as a need and managed well enough so as to provide a good
way back to a connected, usable system.

> In order for such a system to be uniformly applied in a
> fundamentally non-punitive and non-disruptive way, the enforcer
> role must be essentially separated from the discretion of
> the ISP.

I *think* I agree with that. I wonder if it's really needed tho.
Wouldn't someone move from one ISP to another if it was really
bad at their original ISP?

I wonder if someone could subscribe to an as-of-yet non-existent
service that would inspect their traffic for troubles and do the
shutdown?

I wonder if there is some way, sort of like your proxy idea, to
have a brown-out of the connection?

> I expect that technical issues would be minimal, initial set
> up costs relatively low, and initial and ongoing costs to be
> reimbursed to the government authority

Does it really require government intervention? Can't it be
a fee service paid to a 3rd party, or even the original ISP?
Considering your original NSA thread, do you really want the
gov't involved at all?

> Detection of compromised machines could be done the same way
> and by the same people who now do so: namely log aggregation
> services. Additional or alternate strategies could also be
> used, but would not seem to be necessary.

Should there be any detection of client machine components to see
if they have vulnerabilities? For example, if someone is
running a really bad version of IE or Exchange, should the user
be alerted by email that their service will be restricted (brown
out or disconnect) after some number of minutes or days?

> A "Standard Operating Procedure" would be developed to specify
> what actions would happen and when they would happen. This
> procedure would be drafted with the input of all users and
> providers. This SOP would then be enforced by the statute.
> And the statute could authorize a procedure for modification of
> the SOP.

I can see that it could escalate to the above extent. But
the black-hats are very adaptive and fast. I'm not sure that
a statute could keep up. Just imagine how fast Symantec could
respond if there were a statute governing what they provide.

> The essential elements are: (1) the ISP is notified (as now)
> of a compromised machine and then notifies the customer _and_
> the coordinating authority. The customer's identity would
> need to be included for the plan to be effective, but that
> information need not be retained indefinitely or necessarily
> reported to others. (There could be a "mandatory disconnection"
> of one day to be assured that the customer did indeed get the
> message, which could also be waived at the customer's request
> for reason and with some restrictions.)
>
> (2) The ISP hosts a (paid) proxy server on their premises that
> is built and maintained as specified in the SOP. When the
> customer is reconnected (for reason or need or when repaired)
> his connection is proxied through this server for a (specified)
> few days. This allows the ISP time to know that the machine is
> clean, certify this to the CA and resume a normal connection.
> The proxy server would be built to some standard to minimize
> or mitigate the transmission of malware vectors by the
> (previously?) compromised machine(s). And it would allow
> (limited?) connection for the need or convenience of the
> customer.

[snip]

> What do you think? Is this doable? Is it advisable? Are
> there other suggestions that are better?

I think that's a starting place. Maybe something like this would
make a good research project at a university. Universities
would also make a good proving ground, and the ISP (the school)
is small enough to be adaptive to such a system while it's in
development.

Thoughts from other folks?
--
PLEASE post a SUMMARY of the answer(s) to your question(s)!
Show Windows & Gates to the exit door.
Unless otherwise noted, the statements herein reflect my personal
opinions and not those of any organization with which I may be affiliated.