Avalanche botnet takedown

Ronald F. Guilmette rfg at tristatelogic.com
Thu Dec 1 22:58:16 UTC 2016


In message <20161201124527.9BE453FD at m0087798.ppops.net>, 
surfer at mauigateway.com wrote:

>What is your suggestion to keep the sky from falling?

My full answer, if fully elaborated, would bore you and everybody else
to tears, so I'll try to give you an abbreviated version.

It seems to be that it comes down to three things... acceptance, leadership,
and new thinking.

Acceptance
	We, the people of this planet, including end users, small ISPs,
	big ISPs, Tier-1 providers, ICANN, and all of the dangling tentacles
	that derive their authority and power therefrom, law enforcement
	globally, and judicial systems globally, have to begin by accepting
	the undeniable reality that traditional law enforcement and judicial
	processes have already been utterly overwhelmed by the new phenomenon
	of international cybercrime, *and*, more importantly, that they always
	will be.  If a teenager can hack your bank account in ten minutes,
	but it takes three years to bring him to trial, after which he
	gets a slap on the write and probation... well... any idiot can
	see that this is an ongoing recipie for disaster on a grand scale.
	(And in a way, announcements like the one today about a small
	handful of Internet criminals being busted are actually a bad
	thing, becase they only serve to perpetuate this comforting but
	incredibly incorrect mass delusion that traditional law enforcement
	has the new world of cyberspace well in hand.  They don't, and never
	will.  And in fact they are just falling further and further behind
	with each passing year.)

Leadership
	This has to come from the folks at the top of the food chain, the
	Tier-1 providers, and sadly, they have become like the banks...
	everybody hates them, but we all know that we can't live without
	them, and they are free to make money hand over fist while showing
	no signs of accountability whatsoever.  (And don't kid yourself
	that there is anything even remotely like independence in any of
	the bits and pieces, starting from ICANN on down, that currently
	pass for what is laughingly called "Internet Governance".  All of
	these structures take their cue, and their marching orders, from
	the Internet industry, and the industry, such as it is, can't change
	a damn thing without buy-in from the Tier-1 providers.)

	Unfortunately, in this just-past election, one party's Presidential
	candidate was criticized for being "too close to the banks", in
	particular, Goldman Sachs, and the other one has just selected a
	former Goldman Sachs banker pal of his to run the treasury
	department in the new administration.  This shows that without a
	massive sea change in the level of anger among the general populace,
	nothing will change, ever.  And so it is also with the Internet
	industry.  End users and consumers need to wake up and start actively
	demanding that the industry grow up, grow a pair, and stop just
	sitting idly by while the current ongoing hacking free-for-all
	claims new victims every goddamn day.  When and if that ever happens,
	perhaps one or more CEOs of Tier-1 providers will finally wake up,
	smell the coffee, and understand that over a time horizon longer than
	this coming quarter, they need to start showing some leadership,
	and help guide the whole industry towards a better and safer future.

New Thinking
	Even miltary men have, for some time now, been calling cyberspace
	"a new domain of battle, like air, land, sea, and space".  Why then
	do our law enforcement and judicial systems, worldwide, fail to
	also and likewise accept and begin to deal with this new reality?

	Everywhere on earth, law enforcement, judicial systems, and
	governments are, by and large, still trying to pretend that
	cybercrime is a strictly a local matter.  It isn't, and hasn't
	been, for about 30 years now.

	Internationalized legal structures are hard to assemble, but they
	are not hardly without precedent.  Why should there not be an
	international Internet equivalent of the "Law of the Sea"?

	It is quite common for cybercrimes to cross national borders, and yet
	I personally have so far never heard of a single instance in which
	any cybercriminal has been brought before the International Criminal
	Court in the Hague to stand trial.  Why not?  Russia and China may
	(and indeed do) seem to have more than a little reluctance to allow
	extradition of their cybercriminals to the U.S. to stand trial.  OK
	then.  What will be their excuse if we instead say that such defendants
	should be rendered unto, and be brought before the bar in The Hague?

	Are ISPs, by and large, so absolutely desperate for new clients that
	they absolutely and positively MUST sell connectivity to any homo
	sapien who can successfully fog a mirror?  If I go to my local
	cable TV provider and I ask them to give me new service, but also
	tell them that I *do not* want to first give them a big fat "security
	deposit", they will say "Ok.  No problem.  Just give us a minute
	whil we check your credit rating."  If that comes back green, then
	they give me service... no big deposit required.  On the other hand
	if it comes back orange or red, then I have to pony up a big deposit...
	which, depending on my behavior, I might not ever get back... before
	they will sell me service.

	Contrast this to Internet service.  If you reach out and hack my
	router, and if I am on the ball, I can and will report you to your
	(current) ISP, giving the exact date and time of the incident and your
	IP address.  In the rare circumstance where (a) this is not your
	first offense while on your current ISP and also (b) your ISP is
	below-average greedy and (c) your ISP is below-average incompetent
	and (d) your current ISP is below-average irresponsible, then you
	-may-... I stress -may-... actually lose your current connectivity.
	But even in that very rare case, of course, you can just waltz down
	the street, the same day, to the next convenient ISP and start all
	over again, barely missing a beat.

	So, when is this industry going to grow up, realize that creative
	individuals, given a single DHCP connection, even perhaps one with
	relatively low bandwidth, can get on and cause $tens of millions of
	dollars worth of either theft or damage?  When is the industry going
	to start admitting to itself that individual end-lusers can be
	dangerous, sometimes even to the tune of $tens of millions of dollars?
	In short, when is this industry going to start vetting people, at
	least a little bit, before giving out connectivity to any Tom, Dick,
	or Harry who shows up on the doorstep with five dollars burning a
	hole in his pocket?  Where is the equivalent of the "credit rating"
	for Internet users?  If I'm running a mom-n-pop ISP, where do I go
	if I want to find out whether or not this unsavory-looking individual
	who slept in my doorway last night is or isn't a guy who has already
	been tossed off his prior two ISPs for gross misbehavior?

	Maybe its time for the industry to create a registry of such people.
	(And don't hand me all of that bleeding heart crap about personal
	privacy, government survelliance, etc. etc. etc.  You'll only serve
	to make it evident to all that you're in the same camp with the
	wacko Second Amendment wingnuts and/or the equally wacko Any Rand
	extremist devotees.  Time to grow up and realize that if you want
	to participate in, and obtain benefit from, a civilized society,
	then society has a fair right to ask you to give up a little bit of
	something in return.  That's the bargain.  Take it or leave it.  If
	you don't like it, then get the flock off the Internet and go live
	in a cave someplace.  And don't let the door hit you in the ass on
	your way out.  You will not be missed.  And besides all of that,
	you're probably carrying around five credit cards in your walet as
	we speak.  So it's more than a liitle disingenuous for you to whine
	about personal privacy as you are checking your credit score five
	times a day.)

Believe it or not, -that- is the -short- version of my solution to the
Internet's problem(s).


Regards,
rfg


More information about the NANOG mailing list