warfare and the Internet [was: ICANN opens up Pandora's Box of new TLDs]

Sat Jun 28 05:49:27 UTC 2008

I forgot to change the subject line, apologies.

On Sat, 28 Jun 2008, Gadi Evron wrote:

> On Fri, 27 Jun 2008, Tomas L. Byrnes wrote:
>> 
>> I just know who should be held for further processing @ the gate.
>
> This is getting off-topic, so let's continue the discussion for a couple more 
> emails to see if we can bring it back on-topic to network operations, and 
> then stop if not?
>
>> Which is good enough, in this case.
>> 
>> "What is the object of defense? Preservation. It is easier to hold
>> ground than take it. . .  defense is the stronger form of waging war"
>> 
>> Carl Von Clausewitz
>
> Which, while valid in many cases, some of them on the Internet, is in most 
> online cases--false. This is a statement by someone much lesser than 
> Clausewitz--me.
>
> It is however, an educated opinion, and chronologically up to date.
>
> Attack is a much easier form of fighting, online (let's leave war out of it). 
> For the sake of logic I will base this on two discussion points:
>
> In security, all you need to attack is one hole, one vulnerability. As a 
> defender you need to defend against everything, anywhere. This is why risk 
> analysis exists, which brings us to another point from Karl--
>
> Changing the words to fit our needs, Clausewitz also believed wars are won by 
> numbers, if you have more you win (Think the American Civil War). Strategy 
> starts when you have less numbers, by where you choose to apply your 
> forces--where it counts. Tying it with the point above is the basics of risk 
> analysis in military terms.
>
> In security and information warfare, whlle numbers are "nice to have" and 
> make operations larger and more sophisticated--they are not necessary, our 
> rivals may be just a kid the same as they can be a nation-state. The cost of 
> entry is low, anonymity is potentially (under the right conditions) assured.
>
> In my article for the Georgetown Journal of International Affairs on the war 
> in Estonia, I mentioned how Martin van Creveld said decades ago how we will 
> be facing "organizations" rather than just countries. He was laughed at and 
> later obviously vidincated (think terrorism as one example).
>
> Today it's much worse than that, and I state the game can be played by 
> individuals, ad-hoc groups and populations (not necessarily under any flag or 
> leadership, think Estonia).
>
> 	Gadi.
>
>
>> 
>> 
>>> -----Original Message-----
>>> From: Gadi Evron [mailto:ge at linuxbox.org]
>>> Sent: Friday, June 27, 2008 8:33 PM
>>> To: Tomas L. Byrnes
>>> Cc: Christopher Morrow; Roger Marquis; nanog at nanog.org
>>> Subject: RE: ICANN opens up Pandora's Box of new TLDs
>>> 
>>> On Fri, 27 Jun 2008, Tomas L. Byrnes wrote:
>>>> These issues are not separate and distinct, but rather related.
>>>> 
>>>> A graduated level of analysis of membership in any of the sets of:
>>>> 
>>>> 1: Recently registered domain.
>>>> 
>>>> 2: Short TTL
>>>> 
>>>> 3: Appearance in DShield, Shadowserver, Cyber-TA and other
>>> sensor lists.
>>>> 
>>>> 4: Invalid/Non-responsive RP info in Whois
>>>> 
>>>> Create a pretty good profile of someone you probably don't want to
>>>> accept traffic from.
>>>> 
>>>> Conflation is bad, recognizing that each metric has value, and some
>>>> correlation of membership in more than one set has even
>>> more value, as
>>>> indicating a likely criminal node, is good.
>>>> 
>>>> YMMV.
>>>> 
>>>> I guess, if you have perfect malware signatures, code with
>>> no errors,
>>>> and vigilance the Marines on the wire @ gitmo would envy, you can
>>>> accept traffic from everywhere.
>>> 
>>> Not quite, because you still won't know who to send the Marines to
>>> kill.
>>> The Internet is perfect for plausible deniability.
>>> 
>>>  	Gadi.
>>> 
>>>> 
>>>> 
>>>> 
>>>>> -----Original Message-----
>>>>> From: Christopher Morrow [mailto:morrowc.lists at gmail.com]
>>>>> Sent: Friday, June 27, 2008 7:23 PM
>>>>> To: Roger Marquis
>>>>> Cc: nanog at nanog.org
>>>>> Subject: Re: ICANN opens up Pandora's Box of new TLDs
>>>>> 
>>>>> On Fri, Jun 27, 2008 at 4:32 PM, Roger Marquis <marquis at roble.com>
>>>>> wrote:
>>>>>> Phil Regnauld wrote:
>>>>>> apply even cursory tests for domain name validity. Phishers and
>>>>>> spammers will have a field day with the inevitable namespace
>>>>>> collisions. It is, however, unfortunately consistent with ICANN's
>>>>>> inability to address other security issues such as fast
>>> flush DNS,
>>>>>> domain tasting (botnets), and requiring valid domain contacts.
>>>>>> 
>>>>> 
>>>>> Please do not conflate:
>>>>> 
>>>>> 1) Fast flux
>>>>> 2) Botnets
>>>>> 3) Domain tasting
>>>>> 4) valid contact info
>>>>> 
>>>>> These are separate and distinct issues... I'd point out
>>> that FastFlux
>>>>> is actually sort of how Akamai does it's job (inconsistent dns
>>>>> responses), Double-Flux (at least the traditional DF) isn't though
>>>>> certainly Akamai COULD do something similar to Double-Flux (and
>>>>> arguably does with some bits their services. The particular form
>>>>> 'Double-Flux' is certainly troublesome, but arguably
>>> TOS/AUP info at
>>>>> Registrars already deals with most of this because #4 in your list
>>>>> would apply... That or use of the domain for clearly illicit ends.
>>>>> Also, perhaps just not having Registrar's that solely deal in
>>>>> criminal activities would make this harder to accomplish...
>>>>> 
>>>>> Botnets clearly are bad... I'm not sure they are related
>>> to ICANN in
>>>>> any real way though, so that seems like a red herring in the
>>>>> discussion.
>>>>> 
>>>>> Domain tasting has solutions on the table (thanks drc for
>>>>> linkages) but was a side effect of some
>>>>> customer-satisfaction/buyers-remorse
>>>>> loopholes placed in the regs... the fact that someone figured out
>>>>> that computers could be used to take advantage of that
>>> loophole on a
>>>>> massive scale isn't super surprising. In the end though,
>>> it's getting
>>>>> fixed, perhaps slower than we'd all prefer, but still.
>>>>> 
>>>>>> I have to conclude that ICANN has failed, simply failed,
>>>>> and should be
>>>>>> returned to the US government.  Perhaps the DHL would at
>>>>> least solicit
>>>>>> for RFCs from the security community.
>>>>> 
>>>>> I'm not sure a shipping company really is the best place
>>> to solicit...
>>>>> or did you mean DHS? and why on gods green earth would you
>>> want them
>>>>> involved with this?
>>>>> 
>>>>> -chris
>>>>> 
>>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
>