More federal management of key components of the Internet needed

Chrisy Luke chrisy at flix.net
Thu Oct 24 16:34:07 UTC 2002


Etaoin Shrdlu wrote (on Oct 24):
> There is not one single thing that goes on in airport "security" that
> contributes one whit to actual security.

Having, on more than one occasion, been allowed to board an aircraft
in the US whilst accidentally carrying a Leatherman tool (complete
with locking blades), and most recently only 2 or 3 weeks ago,
I somewhat agree. I have friends who have managed to get on with
sewing kits, those credit-card-sized Swiss-army jobbies, and all manner
of other sharp pointy objects.

In contrast, I made the same mistake in London once when on my way to
Madrid, and never saw said tool again after it was confiscated.

The only thing I've ever been stopped for in the US was forgetting
my Palm was in my inside pocket when going through the metal detector.

At the opposite extreme, Madrid airport has a habit of asking me to
remove my belt and pass it through the xray machine, which I found a
little odd at the time.

That said, in my limited experience (and it may entirely be superficial)
countries with Government run airport security tend to be more thorough -
and that means Govt. employed people doing the job, not some 2-bit company
they found down the road that gave the "best value for money" - we don't
want cheap, we want security, without finger-pointing when it screws up.

I don't think this necessarily applies to the problems of attacks (of
the nature that started this discussion - sticking a few kilos of semtex
inside your server case, wiring it to the parallel port and hosting that
at 60 Hudson is very easy, but is a different discussion) on the Internet
however. Prevention probably works only when you stand a reasonable
chance of never letting the attack get near its target. In commercial
air travel, that means the airport, which is the earliest common point
before the aircraft. The Internet has no such common point, unless
you define it to mean "the networks" - and that covers a lot of ground. 

Also in my experience, attacks on the Internet (DoS) tend to scale with
the size of the target. If you happen to have a large unused line lying
around, someone, somewhere, will find a way to fill it for you. An
attack on my employer's network a few nights ago was of a scale enough
to cause UUnet to call C&W, one of our upstreams, because it was of a
scale large enough for them to notice it, even considering the size
of the interconnects between them (and that's somewhat bigger than
what we have from C&W.)

If you spread the target over, say, 100 destinations, then the
attacker with his virus-driven DDoS network need only infect a small
percentage more machines and, given a command, will be able to mount
just as effective an attack on most if not all of those distributed
targets.

Protecting the targets therefore won't help, however big/distributed
you make the target - it may mitigate the effect of the attack, but it
did not prevent people from being affected. Governments should not be
allowed to say that even 1% of the population is an "acceptable loss"
if at the same time what they were trying to protect was considered to
be of importance to national security (or under many other classifications).
Government involvement here would only have marginal, if any, impact
over what we can achieve ourselves. My personal feeling is we can do it
quicker.

So the role left open for Government involvement is tracking and removing
attack sources and tracking and prosecuting the offenders responsible -
which is within their remit already...

The above are only examples that came to mind as I wrote this. If
Government can make these problems go away, I'd love to hear about
the method they would use. Meanwhile, we still have many attacks yet
to come.

Chris.
-- 
== chrisy at flix.net


