
Re: RFC 3271 and Internet abuse

2002-04-30 19:25:43
On Tue, 30 Apr 2002 15:49:46 PDT, james woodyatt <jhw(_at_)wetware(_dot_)com>  
said:
>    with care and consideration.  For those who choose to abuse these
>    privileges, let us dedicate ourselves to developing the necessary
>    tools to combat the abuse and punish the abuser.
>
> I'd like to see a more thoughtful statement about what kind of tools the 
> Internet Society favors for countering Internet abuse.  The final 
> sentence in the paragraph above seems under-clear to me.

It's under-clear because those of us who do network security and similar
don't have a better idea of how to phrase it better.  There's no clear-cut
and obvious way to phrase it for the legal profession, and we're still
working on how to make the network itself abuse-proof.
 
> As a personal statement of conviction, I would say that I favor tools 
> that empower individuals cooperating in large numbers to make the 
> decisions about who should be punished and to what extent.  When such 
> tools are efficacious, I think the Internet Society should favor them.  
> It's much better when abusers are driven from the network because they 
> can't attract buyers for their services, than when the cops have to run 
> them off as a menace to the whole Internet.

Now, although this may *sound* like a good idea, and has shown some
limited areas of success (tools like MAPS and ORBS, or Vipul's Razor,
for instance), there's some *very* tricky issues lurking here:

1) Remember that MAPS and ORBS do *NOT* reject spam mail.  They merely
maintain a database for you to consult and make your *OWN* decisions
regarding whether *YOU* wish to reject a given piece of mail.  This
is a very important legal distinction, and necessary in most countries
so that the people running the database don't end up in legal trouble,
both civil and criminal, for conspiracy and restraint-of-trade.

2) Take a good close look at the last piece of spam you received, and
ask yourself who to "punish" - keeping in mind that it could be
a "joe job" (disguised to look like somebody else did it), or possibly
even the result of a Klez/SirCam style worm.  Also, remember that any
given user may only get 2 or 3 copies *at most* to work with, so you
need a way to aggregate stuff (see Vipul's Razor or any of the
IDS systems that have a 'network management' interface).  This brings
us to point 3:

3) Let's say that we decide that 3,000 reports of a given spam is enough
to "flag" a site as an offender (remember that even if only 1% of the
users *report* it, that's over a quarter million spams...).  This leads to
an interesting Denial of Service attack:  Large Corporation A sends 10,000
workers home with forged spam for them to "report", causing B-Corp Ltd's
main e-mail gateway to get flagged as a spamhaus.  If you don't think this
*WILL* happen, note that the corporation responsible for 'astroturfing' in
the Jargon File was caught trying to stack an online poll recently...

4) Although there are corners of the world that have corrupt judges
and police, or concept of "justice" that may be greatly at odds with
your own, most parts of the world have a workable definition of "due
process".  Although a grass-roots "we don't want it" campaign *might*
be good enough to stop spammers, it certainly won't cut it in the
cybercrime arena (and I speak here as somebody who at least once a week
was accused of doing slow portscans of people.  Oddly enough, the UDP
source port was always 123, and the machine was the A record that the
CNAME ntp-2.vt.edu pointed at.  Go figure ;)  This is certainly *not* the
sort of thing you want IWF (Idiot With Firewall) users doing, there
needs to be some clued and trained investigators, due process, and all
that stuff.

5) Instead of finding a way to punish the bad guys, consider rewarding
the good guys instead.  (Warning: shameless plug - see disclosure below)  
See if your organization can specify "must be hardened against the SANS/FBI
Top 20 list", or "scores at least a 7 on the appropriate Center for Internet
Security benchmark *out of the box*", or similar. Make it a lot harder for
the bad guys.  If you have a reason to not like the SANS or CIS lists,
feel free to use some other criterion and demand safer systems from vendors.

6) Patch and secure the systems you've got - no sense in being a target. ;)

                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech

Disclosure: I was heavily involved in producing the SANS/FBI Top 20 list,
and have been involved in the CIS benchmark process as well.  I don't
get any financial benefit from it, only the knowledge that every time
a system gets tightened down, the net gets a bit safer....
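An added illustration of point 3 (not code from the post or from any of the projects named in it): a toy abuse-report aggregator showing why a raw report count is fragile against the "10,000 workers report a forged spam" scenario, beside an assumed mitigation that caps what any single reporting organisation can contribute. The report stream, the threshold, the organisation names and the cap values are all constructed for this example.

```python
"""Report-threshold flagging: raw counts versus per-organisation caps.

Added example, not from the mailing-list post. Everything below
(hostnames, reporter addresses, threshold, cap) is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    reporter: str      # reporting mailbox, e.g. "user3@org7.example" (constructed)
    accused_host: str  # mail gateway the reporter blames
    msg_digest: str    # digest of the reported message; identifies the spam run


def reporter_org(reporter: str) -> str:
    """Treat the domain part of the reporter address as the reporting organisation."""
    return reporter.rsplit("@", 1)[-1].lower()


def flag_by_raw_count(reports, threshold):
    """Naive rule from point 3: flag a host once it collects `threshold` reports."""
    counts = Counter(r.accused_host for r in reports)
    return {host for host, n in counts.items() if n >= threshold}


def flag_by_independent_orgs(reports, threshold, cap_per_org, min_orgs):
    """Assumed mitigation (not from the post): each organisation contributes at
    most `cap_per_org` reports per accused host, and the capped total must
    reach `threshold` across at least `min_orgs` distinct organisations."""
    per_host = defaultdict(Counter)  # host -> Counter(org -> raw report count)
    for r in reports:
        per_host[r.accused_host][reporter_org(r.reporter)] += 1
    flagged = set()
    for host, by_org in per_host.items():
        capped_total = sum(min(n, cap_per_org) for n in by_org.values())
        if capped_total >= threshold and len(by_org) >= min_orgs:
            flagged.add(host)
    return flagged


def build_sample():
    """Constructed report stream with two scenarios:
    - a genuine spam run blamed on relay.spam.example, reported by 5 users
      in each of 600 unrelated organisations (3000 reports);
    - the astroturf case from point 3: 3000 reports about one forged message,
      all from mailboxes in a single organisation, naming B-Corp's gateway."""
    genuine = [Report(f"user{u}@org{o}.example", "relay.spam.example", "sha256:run-1")
               for o in range(600) for u in range(5)]
    astroturf = [Report(f"worker{w}@a-corp.example", "mail.b-corp.example", "sha256:forged")
                 for w in range(3000)]
    return genuine + astroturf


def compare(threshold=3000, cap_per_org=10, min_orgs=50):
    """Run both rules over the constructed sample and return what each flags."""
    reports = build_sample()
    return {
        "raw_count": sorted(flag_by_raw_count(reports, threshold)),
        "independent_orgs": sorted(
            flag_by_independent_orgs(reports, threshold, cap_per_org, min_orgs)),
    }


if __name__ == "__main__":
    for rule, hosts in compare().items():
        print(f"{rule:17s} flags: {hosts}")
```

With the constructed data the raw-count rule flags both gateways, while the capped rule flags only the host behind the genuine run: 3000 reports from one organisation collapse to a contribution of 10. The cap is a crude stand-in for any corroboration requirement; the point it makes is that whoever can generate reporters can also generate reports, so the aggregation step has to weigh where reports come from, not just how many there are.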
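An added illustration of the false positive in point 4 (not code from the post): a toy slow-portscan heuristic that counts distinct destination ports per source, which reports a busy NTP server as a scanner because its replies leave UDP source port 123 towards hundreds of clients' ephemeral ports, beside a version that first checks whether a flow answers a request it already saw. The flow records, addresses (RFC 5737 documentation ranges) and thresholds are constructed; the "solicited reply" check is an assumed improvement, not something the post prescribes.

```python
"""Slow-portscan heuristic with and without awareness of solicited replies.

Added example, not from the mailing-list post. All flows and addresses
below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: int       # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "udp" or "tcp"


def naive_slow_scan(flows, min_ports=20):
    """Count distinct destination ports per source over the capture; any
    source touching at least `min_ports` is reported. This is the kind of
    heuristic that yields 'slow portscan from UDP/123' complaints."""
    ports = defaultdict(set)
    for f in flows:
        ports[f.src].add(f.dport)
    return {src for src, p in ports.items() if len(p) >= min_ports}


def solicited_aware_slow_scan(flows, min_ports=20, reply_window=60):
    """Same threshold, but a flow is ignored when it mirrors a request seen
    from dst -> src (ports swapped) within `reply_window` seconds, i.e. a
    server reply such as NTP answering from port 123 to a client's port."""
    last_seen = {}            # (src, sport, dst, dport, proto) -> last time
    ports = defaultdict(set)
    for f in sorted(flows, key=lambda f: f.t):
        request_key = (f.dst, f.dport, f.src, f.sport, f.proto)
        t_req = last_seen.get(request_key)
        last_seen[(f.src, f.sport, f.dst, f.dport, f.proto)] = f.t
        if t_req is not None and f.t - t_req <= reply_window:
            continue  # solicited reply: not evidence of scanning
        ports[f.src].add(f.dport)
    return {src for src, p in ports.items() if len(p) >= min_ports}


def sample_flows():
    """Constructed capture: 25 NTP clients each query one server and get a
    reply, plus one host probing 25 TCP ports on a victim, two minutes apart."""
    ntp_server = "198.51.100.10"
    flows = []
    for i in range(25):
        client, eph, t = f"192.0.2.{i + 1}", 40000 + i, i * 10
        flows.append(Flow(t, client, eph, ntp_server, 123, "udp"))        # request
        flows.append(Flow(t + 1, ntp_server, 123, client, eph, "udp"))    # reply
    for i in range(25):
        flows.append(Flow(1000 + i * 120, "203.0.113.7", 51000 + i,
                          "192.0.2.50", 1 + i, "tcp"))                     # unsolicited probe
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("naive           :", sorted(naive_slow_scan(flows)))
    print("solicited-aware :", sorted(solicited_aware_slow_scan(flows)))
```

On the constructed capture the naive rule reports both the NTP server and the probing host; the solicited-aware rule reports only the host whose flows were never preceded by a matching request. The check is a rough bidirectional-flow correlation of the sort stateful sensors do; the practical point is that a source-port-123 "scan" from a known time server deserves a look at the other direction of traffic before anyone files a complaint.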
