Q: What do ISPs really think about security issues?

Gadi Evron ge at linuxbox.org
Fri Jan 11 14:31:44 UTC 2008


On Fri, 11 Jan 2008, Suresh Ramasubramanian wrote:
>
> All of it translates to
>
> 1. X more mailing lists to sign up to (lots and lots more email, great)
> 2. X more conferences to attend (more miles, yay, that's plat for this
> year taken care of)
> 3. A sizeable amount of reinvention of the wheel too
>
> Fun, isn't it?

To begin, I hate my inbox too. I want the same thing. And yes, I know a 
serious part of your inbox problem comes from me and mine--all I can 
offer in reparations is beer. I also dislike the fact many people are 
clueless, but I do like the fact clueless people are starting to get 
clued by, to a level, re-inventing the wheel.

This email is long, I am giving you my take. What I want to see is not 
necessarily your thoughts on my philosophy, but rather what YOU think 
should be done. What would MAKE a difference in the fighting, for you?

Suresh, you *know* I am with you and that there is nothing more important 
to me than information sharing and cooperation. Now let me correct that to 
recent times, that *used* to be the most important consideration, whether 
some of those in need never share back or give feedback only meant we 
only shared some of what we have, rather than all of it--not that we won't 
share.

Getting cooperation inside industries, then between them, then with 
academics, then with law enforcement, then with policy makers. It's been a 
rocky ride.. but well worth it.

The first amendment to this was the understanding that 'diversity is 
good', meaning; not to get upset when others choose to double resources 
and not cooperate. Diversity truly is great:

 	* It lets new blood in
 	* It creates new political presences (not necessarily powers) that
 	  we need to cope with, making us less close-minded
 	* Helps create and foster a community
 	* Proves time and again that what we believe to be evil may have
 	  been bad once, but is actually pretty good in the current
 	  landscape--we got set in our ways and set taboos (sharing virus
 	  samples outside the AV world, sharing C&C information, listening
 	  in on bad guys, etc.)

Letting efforts run free enforces a sort of Darwinian selection as far as 
their methods and people, but more importantly it pushes the successful 
ones up to our sand box.. if only we can protect them from people like us 
long enough.

Naturally, diversity is not *always* good, which is the second amendment 
to the thinking process.

Moving on, these subjects are in fact mainstream, no longer discussed in 
rants by few looney people such as us. This brought some good, and 
naturally some bad.. but when affecting change one has to remember people 
need to decide for themselves and they in turn let us be successful in 
protecting them. Our accomplishments aside we kept what we were working 
on so secret that:

 	* Administrators didn't have the knowledge or tools to cope (and
 	  they could help)
 	* Public awareness was nonexistent (which we are suffering from
 	  now)
 	* Political awareness was nonexistent (which we are suffering
 	  from now)

It is not about a holier-than-thou attitude, it's about understanding 
that the Internet is truly the only functioning anarchy, and that "doing" 
by itself makes a difference. New people who come along and will try their 
own way, and a sort of non-committal Darwinian seclusion or capitalism 
(not necessarily monetary) will determine their success. We can't stop 
them so may as well help them, yes?

As to current existing mail tornados of too many places to be and to 
see... we get less and less over time, but it is what it is, and it is 
about human nature. Human nature, social structures, etc.--nuff said.

Meeting the new crowd is always good, but seeing how they not only 
re-invent the wheel on the how to cope, but rather in their whole thinking 
process, I am slightly concerned. We HAVE information sharing, we HAVE 
cooperations. What the Internet, and we, need, is to move to the next 
level, whatever that may be--of course I have my ideas about that.

That means moving from good-will based relationships to something more 
substantial, as the criminal side has moved on long ago to billions in 
revenue, R&D teams, outsourcing, and kinetic [support] operations (from 
fraud to throat-cutting).

We are of course limited to what we *can* do:

 	* Physical world efforts (law enforcement getting better,
 	  conferences to bring people together)
 	* Intelligence gathering

Non operational:

 	* Political outreach ("there is no cyber-crime problem")
 	* Awareness raising

We may have achieved a LOT on our end, but at the end of the day we 
have made exactly a dent in the criminals' operations, and no more. We 
make that dent once in a while and they move on, evolving. In retrospect 
we haven't made any difference on their side, and they won.

Won what, you may ask. The war? We never really fought, it is a false 
argument that we did, and as one of the many people who are doers out 
there and gave a chunk of their lives to this 'fighting' I can say that 
and not offend myself.

Our fighting has been (mostly) limited to getting slapped, and writing 
analysis about it.

What I'd like to see? Here's three items on a strategic level rather than 
tactical, which I can go on about forever (you know I like to hear my own 
voice, right? :) )

 	* People working to bridge the tech-policy gap between people like
 	  us and policy makers (who following Estonia *are* writing
 	  policy which will affect us)
 	* In a situation where we don't start a war not we, but rather the
 	  Internet can't win--actively fight back
 	* These efforts stopping to be a volunteer-based 'thing' and
 	  moving to people who should be doing it (not people like me)

> Listening is, of course, important. As is coming in with an open mind
> and without a holier than thou attitude .. especially if the attitude
> is combined with the sort of "URGENT!! TAKE THIS PHISHER DOWN NOW!!"
> abrasiveness nobody else really appreciates.
>
> That, by the way, is why I'm glad to see more and more organizations
> holding collocated / joint meetings .. across, to use some igov jargon
> (and for want of a better word) "stakeholder communities" .. banks
> talking to ISPs talking to LE / regulators talking to independent
> researchers etc.

Indeed!
Thing is, most stop at the talking stage, which they get off their chest 
and will do again 6 months from now.

The Internet is not gonna die tomorrow, it is already IPv6 in Asia. :P

Taking a step back from security, from my niche, in which I am extremely 
worried--as long as people can download their pr0n and argue over Captain 
Kirk, I am happy. Thing is, all these millions of incidents every moment 
are nothing but background noise.

WE CAN'T handle them, we can just jump at big ones. As long as things 
remain this way, my holistic-view self will be happy, but as the 
awareness decreases and the background noise increases--we will eventually 
be "only useless" rather than "mostly useless" in bottom line net effect 
on the criminals. That of course unless we understand we need to do 
something drastically different than what failed us so far, even if it did 
help us get organized.

What ISPs can do? They can do a lot more than they do now. That is also a 
false statement as people can always do more. ISPs may be a part of the 
solution, but they are not the solution. We can affect how techies work, 
but the business folks are the ones making the decisions and making 
fighting criminals make business sense is not always the best use of our 
time.

ISPs? Some of the best and smartest people in the world work at ISPs. 
Unfortunately, also some of the stupidest.

> --srs
>


