Cyber Commander Says It's 'Not Realistic' To Shut Down Internet

An anonymous reader links to a report on Washington Examiner: It simply would not be possible to shut down areas of the Internet that terrorists use to conduct malicious activity, the head of U.S. Cyber Command told a Senate panel on Tuesday. "In a very simplistic way, people ask why can't we shut down that part of the Internet. ... Why are we not able to infiltrate that more?" Sen. Joe Manchin, D-W.Va., asked Cyber Command leader Adm. Mike Rogers during a hearing on the agency's budget for fiscal 2017. Manchin maintained it was a common question from his constituents. "I've had people ask me, can't you just stop it from that area of the world where all the problems are coming, be it Syria or in parts of Iraq or Iran," he said. "I'm not just trying to find an answer, because that question is asked like shut her down, like you do your telephone, but it doesn't work that way," Manchin concluded.

Yes it is

If Kim K can do it!!

Resilient by design

[FrankHaynes]

Knuckleheads. ARPAnet and MilNet were designed to be resilient against centralized attack and outages.

"THE INTERNET IS DOWN!! THE INTERNET IS DOWN!!"

Re:Resilient by design

[Austerity+Empowers]

centralized attack and outages.

On network infrastructure. I'm not sure they envisioned such wildly insecure and widespread endpoints, even within government (and military!) walls. They envisioned bombs taking out data-centers. They clearly didn't envision the low orbit ion cannon.

Re:Resilient by design

[phishybongwaters]

That's not the same thing as denying CountryA from accessing the internet. The internet, because of routing, can continue on just fine, but we totally have the power to block or restrict regions from this network, without destroying the network.

Re:Resilient by design

Simple people always want simple answers to complex problems.

Such people will be left behind.

Re:Resilient by design

[fustakrakich]

"THE INTERNET IS DOWN!! THE INTERNET IS DOWN!!"

Yeah, well, with three strikes, it will be in your house. Service provision is conveniently accomplished through a small number of big corporations that will be more than happy to flip the switch and turn off your internet.

Re:Resilient by design

[guruevi]

No we don't. The Internet considers censoring as damage and routes around it. Each country has telephone lines and satellite communications. If you shut down the "Internet" from routing through it's common carriers (fiber etc) someone can hang a few thousand 56k modems on their phone systems and call in to their neighbors or even through the censoring country and connect all their traffic that way. Same goes for satellite, just bounce it around a few times and it can come from anywhere.

That's how Syrians and Iranians were still able to connect after their countries shut down their internets.

Re:Resilient by design

[Locke2005]

"The Net interprets censorship as damage and routes around it" -- John Gilmore

Re:Resilient by design

[GLMDesigns]

Unless they kill you first. (Not condoning or desiring such an outcome for any of us)

But there are people out there who strap bombs on their bodies and kill non-combatants in order to create a better, more just world. (In their demented minds)

Re: Resilient by design

This, right here. These cyber cops could learn from their real life counterparts. Things like planting evidence(Beiber mp3s) and just DMCA the terrorists offline!

Re:Resilient by design

[Ungrounded+Lightning]

ARPAnet and MilNet were designed to be resilient against centralized attack and outages

During the evolution from those networks to the current, commercialized, information utility, much of that design was abandoned. We have migrated from an everything-is-redundantly-multiconnected, route around failures, survive a nuclear exchange system to a hierarchy, with a distinction between core and edge, where loss of certain boxes can shut down 10,000 to 100,000 end user sites.

(That's why those boxes are designed with internal reduncancy, like a telephone exchange. And I know them intimately, having spent over a decade designing parts of them.)

The core/backbone does retain some of the features of the Internet's cold-war-survival origin (though the transition to fiber and physical ring layouts made that more vulnerable to multipoint failures, as well.) So some of it still has part of the old robustness.

Then there are new services which added new dependencies (and sometimes new surprises when something goes down or goes away and a lot of stuff breaks).

And to top it off, the discussion is not about government actors managing to taking the net down, but identifying and surgically cutting off a designated portion of it.

So arguing from the characteristics of the robust-against-nukes network design we once had - and haven't had for decades - isn't particularly germaine.

Re:Resilient by design

[Ungrounded+Lightning]

... someone can hang a few thousand 56k modems on their phone systems and call in to their neighbors ...Same goes for satellite, just bounce it around a few times and it can come from anywhere.

WiFi is good for a LONG way, and a lot of bandwidth, too, especially if you use an old big-ugly-dish satellite antenna reflector at one or both ends.

(Then there's OpenBTS and the like for bringing up cellphones - and bridging them to VoIP - when the government has spiked that network...)

Re:Resilient by design

[Hognoxious]

The Internet considers censoring as damage and routes around it.

Nice one. Never heard that before.

routing through it's common carriers

One, that should be "its". Two, "common carrier" doesn't mean what you think it does.

Same goes for satellite, just bounce it around a few times and it can come from anywhere.

That's how Syrians and Iranians were still able to connect after their countries shut down their internets.

Right. Personal satellite ownership is almost universal in those countries.

Re:Resilient by design

[Gr8Apes]

On network infrastructure. I'm not sure they envisioned such wildly insecure and widespread endpoints, even within government (and military!) walls.

Considering that the original version of the internet had your computer hooked directly to the backbone or pretty close to it with no security features at all as firewalls etc hadn't been developed yet, I'd say they couldn't have envisioned anything else. LAN/MAN/WAN etc were just descriptions of how degraded your connectivity became (across a LAN it was OK, WAN could be a 12Kbps link)

Re:Resilient by design

[guruevi]

Actually personal satellite dishes and even 2 way transponders for satellites are quite common in the Middle East. That's the primary way that people there get TV and the more rich also get data and phone communication that way. Al Jazeera for example is primarily satellite based broadcasting.

Re:Resilient by design

[guruevi]

The internet you use may be walled gardens. I like my TCP/IP though, perhaps I'm one of the few that still remembers that we still have an Internet without Facebook and Google.

Re:Resilient by design

Except the government doesn't control AT&T, T-Mobile,Sprint, Level3, Akamai, Cogent, Verizon, CenturyLink, Cox, Comcast, TW, and a few hundred other ISPs in the U.S. alone.

You have to shut down a whole lot of them before the Internet as a whole starts to even notice. Look at the big fiber cuts in Seattle and San Francisco. Most people didn't even notice there was a problem much less a big problem.

Killing the Internet in Estonia is much easier than a country the size of the U.S.

Then comes the reasoning for it. What scenario would result in us wanting to kill the Internet? If there was some super virus people would disconnect themselves until those that are better secured tell them how to cope. Unless you're afraid of Skynet there's really not reason to cut the entire country off of the Internet and cripple our way of life.

Re:Resilient by design

[vux984]

No we don't. The Internet considers censoring as damage and routes around it

Not so much anymore.

Even I had a 100Mbp connections and my neighbor across the border had the same, and we decided to connect them, we'd be able to cross browse, but the internet at large would still be pretty much down because we can't advertise the route.

And even if we could, the amount of traffic that might try to come through might overwhelm and render the link so saturated as to be useless for all but the simplest tasks. (e.g. anything that needed a tcp connection would suffer too much packet loss to work... )

The internet's designed to be reslient to damage in the sense that it can route around it if we want to, with dynamic routing, redundant links, route advertising etc etc but the control over that stuff is mostly pretty centralized now. And most sites are little more than endpoints that couldn't link two parts of he network back together even if they wanted to had the physical resources and connections and cables to do it, they still can't advertise the routes etc. My packets will never find that link.

To completely black out the internet would be hard, after all two guys could even pass packets using smoke signals in theory...but how much bandwidth is that? :) But to take it 99.9% down would be relatively trivial.

Re:Resilient by design

[rtb61]

So it simply needs a core change in internet protocols, a design changed from all allowed and only some blocked to all blocked and only some allowed. Pretty much what it needs to be to be considered as suitable as an internet for minors, this versus an internet for adults. Basically with an all blocked and only some allowed network, unless it is verified, checked and audited, it's traffic is blocked by default at routers, this means you can not route around that block because you only can route to other blocks. Without having been allowed prior to access, you simply can not gain access. You are in affect requiring licensing of any individual IP and Mac address, prior to it's use and only those specific ones are allowed through the network and this can also incorporate known initial access points and follow on routes (a defined possible legal trail, to block spoofing with impossible to connect in reality routes, just falsely identified traffic). With current investment in infrastructure, no longer possible except for a new parrallel restricted network, say one suitable for minors.

Re:Resilient by design

I came here to make sure that this was the first comment... and it should be. The the exact purpose was for it to be able to be fault tolerant in the event of a nuclear war, etc.

Re: Resilient by design

You don't understand how tcpip and routing work.

Re:Resilient by design

[lgw]

You can still "turn off the internet" for a country you don't like, but it will require bombs to be thorough. Or for an island nation, there will be few enough cables to cut.

Obviously, TFA was distinguishing between a routing-only solution and military action, but I'm, not sure how legitimate that is. At some point (as dependence on the internet increases) taking a nation off the internet becomes just as much an act of war as sending your navy to blockade trade, at which point you might as well include some military action in your planning. Any country with natural or politically-imposed physical-layer bottlenecks between it and its neighbors is vulnerable.

Re:Resilient by design

where loss of certain boxes can shut down 10,000 to 100,000 end user sites

only if you use npm. *badum-tiss*

thank you, i'll be here all week.

Re: Resilient by design

And you don't understand how power work. Power, backed by big money and legions of men with guns. No technology can resurrect you once you've been shot through the head multiple times. No computer can raise you from the mass grave. Your thoughts do not exist without the flesh, and Power can tear that flesh apart in seconds. Think about it.

Re: Resilient by design

A simple person with an axe can put an end to the life of a nuclear physicist any time. The pieces of the scientists will be left behind.

Re:Resilient by design

[drinkypoo]

You're talking about creating a trusted network, and that will never work. Never, ever, ever. It will never work because all you have to do to compromise it is exploit a trusted host, and that is guaranteed to happen.

Re:Resilient by design

[eam]

I think he was referring to personal satellites.

Re:Resilient by design

[TemporalBeing]

No we don't. The Internet considers censoring as damage and routes around it

Not so much anymore.

Even I had a 100Mbp connections and my neighbor across the border had the same, and we decided to connect them, we'd be able to cross browse, but the internet at large would still be pretty much down because we can't advertise the route.

So Country A blocks Country B; Country B then gets to Country A via Country C, or via C-D-E-F.

The option is basically to block everything outside your borders - in which case the Internet becomes an Intranet - or allow everything because if even one Allowed external entity has a route to someone you don't want to have access then that someone can get access to your network.

And that's not taking into account hopping via Sat-Com or Modems, etc as mentioned in the thread, which is yet another way to dial-in via routing around the problem area.

And yes, this was by design due to Cold War concerns by CIA, NSA, DoD, etc.

Re:Resilient by design

[TemporalBeing]

ARPAnet and MilNet were designed to be resilient against centralized attack and outages

During the evolution from those networks to the current, commercialized, information utility, much of that design was abandoned. We have migrated from an everything-is-redundantly-multiconnected, route around failures, survive a nuclear exchange system to a hierarchy, with a distinction between core and edge, where loss of certain boxes can shut down 10,000 to 100,000 end user sites.

(That's why those boxes are designed with internal reduncancy, like a telephone exchange. And I know them intimately, having spent over a decade designing parts of them.)

The core/backbone does retain some of the features of the Internet's cold-war-survival origin (though the transition to fiber and physical ring layouts made that more vulnerable to multipoint failures, as well.) So some of it still has part of the old robustness.

Then there are new services which added new dependencies (and sometimes new surprises when something goes down or goes away and a lot of stuff breaks).

And to top it off, the discussion is not about government actors managing to taking the net down, but identifying and surgically cutting off a designated portion of it.

So arguing from the characteristics of the robust-against-nukes network design we once had - and haven't had for decades - isn't particularly germaine.

You seem to have missed the resiliency of the Internet on 9/11 and how even though several major core backbone connections running under Twin Towers were completely severed almost no one noticed.

Re:Resilient by design

[vux984]

So Country A blocks Country B; Country B then gets to Country A via Country C, or via C-D-E-F.

You are attacking the wrong problem. Country A doesn't want to block traffic from country B reaching country A. Country A wants to take country B off the internet entirely; and country A is already engaged militarily with B so it has options that include doing stuff IN country B.

So country A physically destroys the big fiber optic bundles at the borders and disables the satellite uplinks of country B by military force.

Country B is now pretty effectively cut off from A, C, D, E, F...

Re:Resilient by design

[TemporalBeing]

So Country A blocks Country B; Country B then gets to Country A via Country C, or via C-D-E-F.

You are attacking the wrong problem. Country A doesn't want to block traffic from country B reaching country A. Country A wants to take country B off the internet entirely; and country A is already engaged militarily with B so it has options that include doing stuff IN country B.

So country A physically destroys the big fiber optic bundles at the borders and disables the satellite uplinks of country B by military force.

Country B is now pretty effectively cut off from A, C, D, E, F...

Except Country A cannot necessarily or even practically prevent Country B from having connections with any other Country (C, D, E, F). Country A can sever connections between Country A and Country B, but that will not prevent connections between Country B and Country C, D, E, or F. Country A can realistically only isolate itself.

A good example of how this really plays out and how difficult it is to really maintain such an enforcement is the Great Firewall of China. Now they're 99% of the example in that they do want some but very censored traffic to come in and go out.

Alternatively, look at the Middle East where Sat-Comm is a norm - all you have to do is have an account with an appropriate Sat Com vendor and there's NOTHING that Country A can do to prevent your traffic from crossing into their borders; or switch from SatCom to Cellular and it's not very different - just means you have someone sitting close to a border with enough cellular modems to make the same kind of service available without having physical links, and it's near impossible to really prevent them or block the RF, etc.

So no, my example is spot on when you look at reality.

Re:Resilient by design

[vux984]

Except Country A cannot necessarily or even practically prevent Country B from having connections with any other Country (C, D, E, F).

We simply aren't talking about the same thing.

You are trying to deny internet access to individuals in country B. And yes, that is extremely difficult to do.

I am talking about denying internet access to the country at large. And that is relatively easy to do. Because those few individuals near the border with satellites that didn't get bombed, or within cellular coverage range (perhaps via custom antenna configurations) they are JUST getting access for themselves and an extremely small local group. They aren't restoring the "internet" to that country. The internet is still down for pretty much everybody. That is the point I am making, that "the internet *can't* route around this damge".

Individuals being able to get themselves connected as consumer endpoints from inside a particular country is simply not even slightly the same thing as creating a new internet link to that country.

The "Great firewall of china" is completely unrelated.

just means you have someone sitting close to a border with enough cellular modems to make the same kind of service available without having physical links, and it's near impossible to really prevent them or block the RF, etc.

Unless that someone is able to establish a connection to the countries internet infrastructure and advertise the route all he's done is given himself and maybe his little local group internet access. And you are right, that's all but impossible to stop, but I'm talking about actually bringing the country back online (actually having internet access) with these "guerrilla" links and that doesn't work. Its just a few endpoints.

So no, my example is spot on when you look at reality.

As I said, we seem to be talking about achieving different goals.

Re:Resilient by design

[TemporalBeing]

Except Country A cannot necessarily or even practically prevent Country B from having connections with any other Country (C, D, E, F).

We simply aren't talking about the same thing.

You are trying to deny internet access to individuals in country B. And yes, that is extremely difficult to do.

I am talking about denying internet access to the country at large. And that is relatively easy to do. Because those few individuals near the border with satellites that didn't get bombed, or within cellular coverage range (perhaps via custom antenna configurations) they are JUST getting access for themselves and an extremely small local group. They aren't restoring the "internet" to that country.

Says who? They could set that up and have a connection running to be a provider for the country at large. Heck, the government could do it and provide internet to everyone. I didn't say a thing about *who* did it, just that it could be done - meaning *anyone* could do it, and thus restore connectivity.

Or take Mesh Networking into account (802.11s), and again it's accessible to anyone within range of the mesh network - hence the country at large, even if the country at large is routing through a couple Mesh Network devices connected to a few Sat Com devices (run from any where in the country) and Cell Modems around the border. Sure, performance is going to be poor but it wouldn't take much to restore *some* level of connectivity.

just means you have someone sitting close to a border with enough cellular modems to make the same kind of service available without having physical links, and it's near impossible to really prevent them or block the RF, etc.

Unless that someone is able to establish a connection to the countries internet infrastructure and advertise the route all he's done is given himself and maybe his little local group internet access. And you are right, that's all but impossible to stop, but I'm talking about actually bringing the country back online (actually having internet access) with these "guerrilla" links and that doesn't work. Its just a few endpoints.

Again, it's just a matter of *who* is doing it. If the Country wanted to provide the service, they'll find a way to provide the service, even if it's just for government use - which is one of the reasons why Country A may want to block Country B from being on the Internet - to prevent Country B's government from nefarious acts against Country A via the Internet. The fact that Country B can put a Sat Com in place to run those attacks over completely negates the issue of cutting the fibre servicing the residents. If they want to do it they'll find a way - even placing people to do so into Country C if necessary.

So no, my example is spot on when you look at reality.

As I said, we seem to be talking about achieving different goals.

No, you're missing the point.

Re: Resilient by design

Then all the traffic has to go through that single machine, so it greatly hinders malicious activity.

Re:Resilient by design

[vux984]

I didn't say a thing about *who* did it, just that it could be done - meaning *anyone* could do it

That's a really weird definition of 'anyone' can do it. Most people CANNOT do it, and the people who can do it all belong to very specific organizations. That is pretty much the opposite of 'anyone'.

Further, even if they've got the ability to advertise new routes locally, good luck being able to get whatever entity they are connected to wirelessly to advertise the route. Best case, the small number of people who might be able to get the domestic internet to route packets along adhoc routes still aren't going to be able to get their foreign counterparts to advertise those ad hoc routs, so no packets are coming back.

Again, it's just a matter of *who* is doing it. If the Country wanted to provide the service, they'll find a way to provide the service, even if it's just for government use

Providing individuals internet service really has nothing to do with the internet's ability to route around damage though.

No, you're missing the point.

I'm definitely not missing the point that I am making.
I see what you are saying, but you are simply talking about something else entirely.

Lets try this another way.

The internet is like a spiderweb. And every node can communicate with every other along various paths. If I then cut a portion off the web off, then I have two separate webs. That can't communicate with eachother.

You on the other hand are making the argument that it's easy for anyone on the cut off half to throw a line over to the first half and get some service for themselves, and/or some others is absolutely correct. But it still doesn't create a bridge between the two webs again. They might have service but the other web is still cut off.

The number of people who have the ability to actually connect them back together is pretty small. Both sides of the connection have to have the ability advertise routes; and that's pretty rarefied these days.

Re:Resilient by design

except that the point isn't really to deny internet to the entire country, but the Radical groups using it as a base of operations. Or a small group of people. Which you have already admitted is almost impossible.

Re:Resilient by design

[Coren22]

How would that effect the sat connections, or even wifi connection that could be setup to route around the damaged undersea cables? I have worked with people doing 25 mile 802.11 hops using a pizza box antenna, it is quite doable. So, unless the country is Australia, I think it won't be an issue getting linkups through your blockade.

Re:Resilient by design

[TemporalBeing]

I didn't say a thing about *who* did it, just that it could be done - meaning *anyone* could do it

That's a really weird definition of 'anyone' can do it. Most people CANNOT do it, and the people who can do it all belong to very specific organizations. That is pretty much the opposite of 'anyone'.

Further, even if they've got the ability to advertise new routes locally, good luck being able to get whatever entity they are connected to wirelessly to advertise the route. Best case, the small number of people who might be able to get the domestic internet to route packets along adhoc routes still aren't going to be able to get their foreign counterparts to advertise those ad hoc routs, so no packets are coming back.

If you want to go there, then you obviously missed the headlines last year that a lot of the Internet infrastructure is open to attack simply because it's extremely trusting that when someone advertises a route they actually own that route. Don't recall if that was fixed or not, but it was actually used to subvert some routes IIRC.

Again, it's just a matter of *who* is doing it. If the Country wanted to provide the service, they'll find a way to provide the service, even if it's just for government use

Providing individuals internet service really has nothing to do with the internet's ability to route around damage though.

Actually it does because the routes that allow one to from A to B to C may be able to be comprised of A->D->C or A->B->D->E->C. The route may not be the most efficient (A->C) but if it can be made it will be made. Which is the entire point of this thread. You can only isolate yourself - if A has no routes out of A then C can never be reached, but once A has a route outside of A (B) then if C is reachable via that route then there is ultimately nothing A can do to prevent users within A to get to C.

No, you're missing the point.

I'm definitely not missing the point that I am making. I see what you are saying, but you are simply talking about something else entirely.

Lets try this another way.

The internet is like a spiderweb. And every node can communicate with every other along various paths. If I then cut a portion off the web off, then I have two separate webs. That can't communicate with eachother.

You on the other hand are making the argument that it's easy for anyone on the cut off half to throw a line over to the first half and get some service for themselves, and/or some others is absolutely correct. But it still doesn't create a bridge between the two webs again. They might have service but the other web is still cut off.

The number of people who have the ability to actually connect them back together is pretty small. Both sides of the connection have to have the ability advertise routes; and that's pretty rarefied these days.

As someone who has done networks, only one side really needs to know about the other. If you don't care about data connecting outside in, then advertising the route on the inside only is quite sufficient - that's typically how NAT works, and the external entity will be able to gain the route back to the source even if it's not entirely advertised both directions.

Unfortunately, you just cut your own argument down. If there is a line that allows two nodes to connect to each other then the only limit is the transmission rate of that line to provide the entire route. That's *how* the Internet works. It may not be efficient, but it does work - and (more importantly) has been *proven* to work.

Re:Resilient by design

[vux984]

Actually it does because the routes that allow one to from A to B to C may be able to be comprised of A->D->C or A->B->D->E->C

I can't tell if I'm not explaining it well, or if you are just being dense. Lets try again, with a specific example.

Lets say your home is on Comcast cable for internet.
Lets say ALL of comcasts perring links get cut. Everyone on comcast loses their internet. You're internet goes down. Your still getting an ip address from comcast, you can ping other comcast users, but you can't reach anything outside the comcast network. With me so far?

Lets say *I* happen to have both comcast cable and verizon wireless internet. So I still have internet.

There is absolutely nothing I can do to share that link back to comcast and give all those comcast users internet. I simply cannot configure my gear to automagically let comcast know that hey I've still got internet, feel free to route some packets through me; so that suddenly you and all comcasts customers have some internet access again.

If comcast has a million customers, and 100,000 of them have random other connections, dialup, sateliite,ceullar, whatever, they all can get internet access, their really is no practical way for them bring *comcast* back 'online' by somehow 'sharing' those links.

As someone who has done networks, only one side really needs to know about the other

Sort of. Yes, I realized myself after posting that you could use NAT to get around the inability to advertise routes on the 'other side', but to ad-hoc a whole major ISP or whole country of ISPs via multiple consumer NAT points is not practical. For starters the NAT tables would be enormous with millions of hosts behind them and you'd need a lot more than regular consumer gear which again limits who can actually build functional links again.

But sure, yes, with the right hardware, and cooperation from carrier engineers something could be done. This doesn't defeat my argument, it demonstrates how centralized it is.

Its not completely centralized, but its obviously not peer to peer either, nor can it easily become peer to peer in the event the big centrallized links got knocked down.

Re:Resilient by design

[TemporalBeing]

Actually it does because the routes that allow one to from A to B to C may be able to be comprised of A->D->C or A->B->D->E->C

I can't tell if I'm not explaining it well, or if you are just being dense. Lets try again, with a specific example.

Lets say your home is on Comcast cable for internet. Lets say ALL of comcasts perring links get cut. Everyone on comcast loses their internet. You're internet goes down. Your still getting an ip address from comcast, you can ping other comcast users, but you can't reach anything outside the comcast network. With me so far?

Lets say *I* happen to have both comcast cable and verizon wireless internet. So I still have internet.

There is absolutely nothing I can do to share that link back to comcast and give all those comcast users internet. I simply cannot configure my gear to automagically let comcast know that hey I've still got internet, feel free to route some packets through me; so that suddenly you and all comcasts customers have some internet access again.

If comcast has a million customers, and 100,000 of them have random other connections, dialup, sateliite,ceullar, whatever, they all can get internet access, their really is no practical way for them bring *comcast* back 'online' by somehow 'sharing' those links.

Well, depends on the policies - namely around whether you have a public IP or and ability to run as a server; most ISPs allow people to run as servers primarily to please gamers. It's actually easier now to get a public IP and server allowance for consumers than it has generally been in the past. And so technically yes you can. That doesn't mean Comcast would be happy about it, but then for your scenario - they'll probably be wanting to talk to improve things because they won't be happy about not being able to get their own direct line to Verizon, etc.

You can advertise your gateway If (a) you advertise back to Comcast (either by issuing the appropriate BGP or calling them up and working out a deal) or (b) you advertise to people directly (via word of mouth) that they can use you as a gateway (slow expansion but it will work), then yes you can become a gateway for people to get Internet access from outside of Comcast to. It's not difficult, though it may require people to do specific setups, it's still not difficult to do.

Now if you're a business with an SLA with Comcast and you do that...Or if you're a government entity...

As someone who has done networks, only one side really needs to know about the other

Sort of. Yes, I realized myself after posting that you could use NAT to get around the inability to advertise routes on the 'other side', but to ad-hoc a whole major ISP or whole country of ISPs via multiple consumer NAT points is not practical. For starters the NAT tables would be enormous with millions of hosts behind them and you'd need a lot more than regular consumer gear which again limits who can actually build functional links again.

But sure, yes, with the right hardware, and cooperation from carrier engineers something could be done. This doesn't defeat my argument, it demonstrates how centralized it is.

Its not completely centralized, but its obviously not peer to peer either, nor can it easily become peer to peer in the event the big centrallized links got knocked down.

So all of that is solvable by how you design your network - how many resources are employed. NAT isn't required - it's just one example. My point was never that the solution would have the best scalability...just that it would work even if providing a very slow connection. And if the Powers That Be (e.g a dictator) really wanted to restore Internet service to the country, then these kinds of solutions could be employed to do so.

What you're arguing is that it's not a *scalable* solution, but scalability doesn't matter - if it's just one individual doing it, y

Crappy headline - forgot "areas of"

[xxxJonBoyxxx]

>> It's 'Not Realistic' To Shut Down Internet
>> not be possible to shut down areas of the Internet that terrorists use

Big difference. Unfortunately, I see these kind of inquiries leading to a "why don't we have a great big 'murican firewall" train of thought in a year or two.

Re:Crappy headline - forgot "areas of"

[SJHillman]

We can have Nigeria pay for it.

Re:Crappy headline - forgot "areas of"

Well the wealthy Nigerian prince can afford it.

Re:Crappy headline - forgot "areas of"

[ganjadude]

not until we help him get his money back. im on my way to western union right now!!!

Re:Crappy headline - forgot "areas of"

[sims+2]

China has one why can't we have one too?

I'm being sarcastic.

Re:Crappy headline - forgot "areas of"

... why can't we have one too?

Most countries already do, it's just far smaller than the Great firewall of China, so their government can ignore it.

Re:Crappy headline - forgot "areas of"

And if it does go down, India will do tech support.

Shut it down?

That's the one thing the Internet was designed to resist the most.

It's a question of politics

Can't you just stop immigration from that area of the world where all the problems are coming, be it Syria or in parts of Iraq or Iran," fix that for the Sen...

Re:It's a question of politics

[GLMDesigns]

Why be an AC?

That is a rational proposition.

Re:It's a question of politics

because some people would view that as racist.

Outsourced hackers

Why would the West shut down Internet to Russia, Turkey, etc? That's where all their outsourced hackers are from. They would lose all plausible deniability.

Cheaper to change foreign policy

Maybe if you stop droning, wholesale bombing, propping up dictators, invasions under false pretence, and unconditional support of Israel--you won't need to shut down the internet or turn your country into a fascist state. Then you also won't have to drink the koolaid that arms and security companies are selling you, companies that have dollar signs in their eyes each time one of these places seeks retribution for said violence. So called extremism does not emerge from a vacuum, rather ongoing injustice. You start there, then you can focus on something else. Imagine if instead of the Iraq invasion of '03 all that money was used on renewable energy. You could tell them to keep their damn oil. Instead, you repeat the mistakes made by the British over a century ago and armies before that. Instead, more of the same.

Cyber Commander, seroiusly

Is there really such a thing?
I mean really, Cyber Commander?
How about, umm umm.. supreme internet commandant
How about supreme leader of that internet thingy?
President of public/private pondering.
How about supreme being of internet awareness..
Escalation point?
President pooper-skooper
sphincterella
Skrew it, lets just pull the plug on the whole darn thingy.. Where is the light switch?
how about sphincter-commander.. sounds like it may have the same weight as Cyber Commander..

Re: Cyber Commander, seroiusly

you must be new here...

here is an article about the air force cyber command recruiting from back in 2008

Re: Cyber Commander, seroiusly

I wonder if his official rank is commodore 64?

Re: Cyber Commander, seroiusly

[Hognoxious]

It's a pretty decent file manager for android. Has a samba plugin that works!

RFC 1149 - alternative physical medium

A Standard for the Transmission of IP Datagrams on Avian Carriers
https://www.ietf.org/rfc/rfc1149.txt

Wait, what?

US military not all powerful? Come again? WAHT?!?1?

YEs, it does work that way

[phishybongwaters]

Yes, you can knock countries and regions off the internet. But you really can't do it without collateral damage. It depends 100% on the infrastructure supporting their access. You want to knock europe off? Cut the link cables. You want to knock Iran off? Take out their links. It will never be 100% effective but you can do it to some extent. the internet isn't some magical fog, it requires hardware, be that radio towers, access points, or plain old cables. That infrastructure can be taken out. The issue is, by design, the internet can survive that. But you totally can remove a country from the internet for the most part.

Re:YEs, it does work that way

[mrbester]

If you cut the link cables to Europe are you cutting off Europe from you or are you really cutting yourself off from Europe?

Re:YEs, it does work that way

"I can easily removed north Korea and China and Iraq from the internet, it will require several thermonuclear devices, but I can assure the esteemed senators that after I am done no one from those countries will be able to access the internet for at least 40 half lives of plutonium." U.S. Cyber Command told a Senate panel on Tuesday.

Re:YEs, it does work that way

Yes

Re:YEs, it does work that way

[Whorhay]

While countries can be largely knocked off the internet by severing their physical connections, that isn't really the question at issue. The panel was asking about eliminating the ability for terrorists to organize and recruit over the internet, especially through the dark web. The reason this goal isn't the same as cutting off a country's access is that extremists aren't neatly limited to national boundaries and they certainly don't mind those borders when establishing websites for recruitment. It's the same basic problem that terrorists always pose, they are generally indistinguishable from the general public until such time as is too late.

Re:YEs, it does work that way

Europe only exists at the US' whim, and they know it. Look how they wrecked their own economies sanctioning Russia on Obama's orders. Look how they grounded diplomatic flights, on Obama's orders. They loved to talk tough once, but once the push comes to shove they will obey the US government's will.

Re:YEs, it does work that way

[techno-vampire]

You want to knock europe off? Cut the link cables.

That's not as easy as it looks. Europe has connections to the US across the Atlantic, to Africa across the Mediterranean and to Asia through Turkey, the Ukraine and Russia. And that's ignoring any satellite links.

Re:YEs, it does work that way

[wyHunter]

If the channel tunnel is closed, it means the Continent is isolated.

Re:YEs, it does work that way

[delt0r]

Err so i lived in Europe for a while. They have this thing called Radio waves that communicate to satellites. Sure it would be reduced bandwidth, but you would not cut us off. Of course most of us would take quite some time to notice since most of the internet Europe uses is also hosted in Europe.

Re:YEs, it does work that way

What was the last big internet innovation or company exclusively from Europe? I can't even think of one non-nerds would recognize.

Re: YEs, it does work that way

National Socialism. Oh, sorry, you meant internet- and tech-rated... Internet National Socialist tech?

Cyber Command?

[gstoddart]

God these self-aggrandizing titles are annoying.

He's not the "Cyber Commander", he's in charge of an entity whose purview is things related to the interwebs.

But let's stop treating him like he's the fucking Field Marshall of the internet.

Re:Cyber Command?

[inhuman_4]

All hail Web Marshall Mike Rogers, defender of the internets!

Re:Cyber Command?

[tnk1]

His title is Commander, US Cyber Command (USCYBERCOM), which is a unified sub-command of the US Military. Calling him "Cyber Commander" is a stupid journalistic oversimplification, it's not his actual title.

Of course, you can always tell government drones when they refer to "cyber" anything, but that is just the way it goes.

Re:Cyber Command?

Shortened to "CYBERCOM" and then misrepresented by the mediots.

Re:Cyber Command?

[jbmartin6]

I want to see him fight the Aquabat Commander

Re:Cyber Command?

[turbidostato]

"Calling him "Cyber Commander" is a stupid journalistic oversimplification"

As if calling him "Commander, USCYBERCOM" didn't sound stupid enough (isn't it something coming from Mattel?).

Those big boys and their expensive toys...

Re:Cyber Command?

[sociocapitalist]

His title is Commander, US Cyber Command (USCYBERCOM), which is a unified sub-command of the US Military. Calling him "Cyber Commander" is a stupid journalistic oversimplification, it's not his actual title.

Of course, you can always tell government drones when they refer to "cyber" anything, but that is just the way it goes.

Nonsense - his complete profile is right here and his title is definitely Cyber Commander: http://yugioh.wikia.com/wiki/C...

Sure you can...

[Etherwalk]

It's not easy, but it's certainly possible to mostly do that. It's just that it hurts more than it helps in most cases, because it hurts the legit stuff going on. You want to change this, you have to actually incentivize the leaders in those countries to crack down in an effective way.

Re:Sure you can...

But countries like Russia are dependent on cyber crime for survival.

Re:Sure you can...

It's possible to turn off stuff, but it's not possible to prevent terrorists from using alternate routes. It's like the streets. You can erect roadblocks, but they are not effective mechanisms for catching robbery suspects.

Re:Sure you can...

[AHuxley]

It also depends on how the US mil would do it in the USA. A legal sounding secret letter and all cell towers in a region of a state, city stop working except for emergency and select secure calls from a pre set list of allowed users.
All the talk of dark optical, dot com built redundancy is often just talk in many parts of the USA. A lot of physical optical might have been built out at some time but only a few active monopolies, cartels, duopolies really control all networks to keep the backhaul working in some regions with the wider national interconnects.
"First map of US fiber infrastructure reveals potential network redundancy issues" ( September 25, 2015,)
"Using multiple service providers to improve redundancy works only if the providers are not sharing fiber optic conduit space. Researchers suggest caution, as infrastructure sharing is common."
http://www.techrepublic.com/ar...
ie US political or mil request to a actual few owners and the local US telco network becomes a sneaker net.
https://en.wikipedia.org/wiki/...
All that would be left working would be any non US/NATO advanced handheld and other sat options with pre paid credit ie voice communications and uploading short vids, images. How many 2way sat providers would honour a request to turn off over the USA?
The only way for the US around that up link that would be mil grade jamming or the hunting down each user with working connected hardware once detected..
Consumer grade internet and telco system is easy for any owner to turn off at a national level. Getting images, video out via a sat uplink would then be a risk.

What are you, my dad?

[wardrich86]

I mean, who else makes threats to "shut down the internet"?

Re:What are you, my dad?

My aged mother called me a few years ago worried about the 2012 election because she'd heard from Glenn Beck or WND or some other equally reputable source that Obama was going to shut down the Internets just before the election and take over the world.

I assured her if he did, I would drive to the office and turn the series of tubes back on. It's a 9 minutes drive, so I promised to have it back in 10.

She's so brainwashed by right wing media that she to this day doesn't believe me, years after the 2012 election.

He's waiting for the 2016 election.

BGP

[Etherwalk]

Not really. The internet was designed to route around damage, not deliberate breakage. It's taken decades to get more secure, and it's still not really there. Any serious network routing guys here want to speculate about how easy deliberate breakage would be? What if you cut all the big pipes and used all the satellite connections to send bad routing updates all the time, for example? I haven't looked at this stuff in years, but vaguely remember stories of small BGP misconfigurations taking most of a country offline.

Re:BGP

[EmperorArthur]

Sure, you can broadcast bad routes. It's happened (on accident) in the past before. Typically backbone providers just filter the network sending those bad routes, and have everything fixed within a day. Worst case scenario is the US ends up being separated from the rest of the internet because nobody trusts us. A much more likely scenario is US free interconnects go away, and we end up having to pay for traffic to take whatever path the other networks deem best when going to the US.

If the US injects bad routing packets through other means, for example by injecting them into foreign satellite providers, then that's straight hacking. Sure the US does hack foreign systems, but this is slap in the face type stuff and would result in political retaliation.

tldr: Sending bad routing updates is not an option. It would backfire spectacularly.

Re:BGP

[Mogster]

One could potentially just NULL route the IPs

ip route a.b.c.d c.i.d.r NULL0

The routes wouldn't propagate to the rest of the Internet, yet traffic would be blocked at the border in both directions. Just convince the the bigger ISPs to add them to their border routers

What

Yes Kim K.

If they say it isn't...

[mschaffer]

If they say it isn't...you can bet they already have a plan that does.
Of course, it may not quite work.

Just shut down...

[RJFerret]

...the atmosphere, that's where the bad weather is.
...the oceans, that's where the garbage patches are.
...bacteria, that's where infections derive.
...brains, that's where ignorance thrives.

Isn't this like an embargo

[Okian+Warrior]

Yes, you can knock countries and regions off the internet. But you really can't do it without collateral damage.

I agree *completely* that doing this would be less effective than letting things stand.

But I have to ask, in a technical sense why *couldn't* we cut off conflict areas from the rest of the internet?

Taking Syria as an example, we could
1) Disable their top level domain.
2) Identify the .com and .edu websites hosted in Syria and route them to nowhere
3) Identify source connections from within Syria and automatically route *them* nowhere

On #3 above, Syria has only a handful of service providers, and the source address can be identified to belong to one of these. By IP address if nothing else.

Now, people can get around these problems in lots of ways, and some would say *easy* ways. Proxy servers and TOR come to mind. ...but these are generally not free, impose a technical barrier to implement that not everyone can handle, and can in general be detected.

Politically, it's like establishing an embargo on a country.

Taking the recent US embargo on Iran as an example, if the US sees a country violating the embargo (acting as a proxy so that Syrians can access outside the internet), then it can take political actions against the helping country. Just like the economic embargo on Iran.

Like an embargo, it won't help.

But even though it wouldn't *help*, I don't see why it couldn't be *done*.

Can anyone explain better, in a technical sense, why these steps can't be done?

Re:Isn't this like an embargo

Taking Syria as an example, we could
1) Disable their top level domain.
2) Identify the .com and .edu websites hosted in Syria and route them to nowhere
3) Identify source connections from within Syria and automatically route *them* nowhere

1 & 2 only works if you don't actually do them.
If you start to mess with the TLD then the root servers will be abandoned in favor of more independent name services, and it will not just be the target (Syria) that starts looking for alternatives.
Look at what happened with GPS. Suddenly everyone realized that they couldn't rely on it and Russia, China and Europe made their own positioning systems.

Geo-blocking doesnt require gr8 firewall-o-murca!!

[tommyatomic]

Route-poison traffic to and from location X. People forget that valid Internet communication is 2way. Sure they might be able to broadcast out but not being able to receive in effectively cuts them off. Their internet will get awfully quiet.

The thing is that "head of U.S. Cyber Command" is not saying is that cutting off the internet also cuts off easy common communication for any intelligence resources the US has in that area.

In this instance a communications blackout works against both parties.

Re: 'murican - you think it's funny, but it's not

Time to lay this one to rest, along with Samurai Repairman and Chevy Chase as Gerald Ford doing pratfalls.

'murican, new-cue-lar. Not funny anymore. Let it go.

*Ironic that the capcha to post this is: 'tiring'. Indeed, capcha, indeed.

Trump Will Find A Way

We'll build a wall and make them pay for it! It'll be the greatest wall ever built! And, he'll be more presidential while he does it!

Trump 2016!!!

Fishing Boats Do It

[njhunter]

How is it the US says it can't but a boat anchor can take down most of the Middle East? (http://abcnews.go.com/Technology/story?id=4267160)

Re:Fishing Boats Do It

[delt0r]

It "disrupts" and soon the damage is routed around, as it did in this case. Most countries have more than one cable as well. Also A whole country doesn't really work since presumably the terrorist are already in your country and well the Internets within the country are working just fine.

Re:Block malicious sources easily

Sell it to CYBERCOM APK!!!

Go you good thing you!!!

typical helpdesk conversation

This is pretty much off topic.

"THE INTERNET IS DOWN!! THE INTERNET IS DOWN!!"

Helpdesk: "Have you tried going to google.com?"

Customer: "Oh, that's coming up fine."

Block malicious sources easily

APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...

Less power/cpu/ram+ IO use vs. local DNS servers + addons w/ less security issues vs. DNS + routers. Less complex vs firewalls (needing layered filtering drivers - hosts don't + firewalls block less used IP addresses, hosts block more used host-domain names) complimenting 'em. Antivirus = reactive. Hosts = FAR more proactive, blocking infection BEFORE you get it. Gets its data from 10 reputable security community sites.

* My program protects hosts vs. corruption in usermode (effectively 'locks' hosts vs. writes) & kernelmode threats (via updates).

APK

P.S. - Hosts get you more speed (hardcodes + adblocks) & faster vs. addons, security (vs. bad sites/dns security issues), reliability (vs. downed/poisoned dns), & anonymity (dns requestlogs/trackers) vs. other "so-called -solutions'" w/ what you natively have. Unlike Adblock/UBlock/Ghostery, hosts != blockable by ClarityRay/BlockIQ... apk

Cyber Commander

Thats the coolest title I have ever heard. I hope he has a robot arm

It's free to everyone... apk

"Traditional" security measures prove defective or penetratable. Hosts shore up & compliment DNS + firewalls (more proactively vs. antivirus & use less resources + moving parts vs. firewalls + blocking more used domain/host names vs. IP addresses (less used in threats by far), antivirus slowing & bloat, & browser addons (which hosts do far more for less than faster) - By far!

When 'detractors' (listed below) can validly technically prove me absolutely wrong? Then, they have a point...

That's NOT ever going to happen (or it would have by now & it hasn't).

All they have is their effete moddowns or illogical off topic ad hominem attacks on me (attack the messenger but NOT his message).

APK

P.S.=> It astounds I get downmodded! I'm on topic too & I know it's inferior competitors (dns, routers, addon/extension makers), webmasters (due to ads I block that are FULL of threats), advertisers especially & malware makers

Re:It's free to everyone... apk

because you're full of shit no matter what the subject

Re:It's free to everyone... apk

You've done better? Prove it instead of projecting your inadequacy in illogical ad hominem attacks on him. He does a good thing. You don't. Do nothing dime a dozen dolts like you do nothing but troll off topic like obvious losers you are that can't prove him wrong validly.

Re:Block malicious sources easily

[TroII]

How is a HOSTS file with hundreds of lines worth of

0.0.0.0 1326154.fls.doubleclick.net
0.0.0.0 1330903.fls.doubleclick.net
0.0.0.0 1359940.fls.doubleclick.net
0.0.0.0 ad.terra.doubleclick.net
0.0.0.0 dp.g.doubleclick.net ...

just to block one ad provider, an improvement in any way over a DNS server with one entry for

zone "doubleclick.net" IN { type master; notify no; file "blackhole.rev"; };

Not only is DNS far more efficient... When DoubleClick adds 10 new ad servers tomorrow, I already have them blocked, whereas you have to find them in the first place and add them to your HOSTS file and then update your HOSTS file across all your machines.

How many lines long is your HOSTS file now, anyway...?

Partial list of DNS security issues

https://slashdot.org/comments.... I have 400++ more in router DNS settings + IP stack settings for DNS by malware & /. restricts my posting all! There's not that many on hosts & exploits you MAY find on hosts won't work vs. my program locking hosts in usermode either (or kernelmode due to updating hosts typically). Hosts = less moving parts complexity + resource use since you omit ALL of DNS' parts (as well as room for breakdown) too. Migrating hosts via a domain admin script = easy too across an entire LAN & my program gets what to block from 10 security community sources for you automatically.

APK

P.S.=> You the user also have DIRECT easy control of your hosts blocklist (most users won't "get that" mishmash you post for rules in DNS locally setup eating more power too as easily as hosts) - try that with remote DNS which hosts are also FAR faster than... apk

no! moneygram!

nt :)

No shit

[softnewsit]

You don't say, cyber-commander!

DNS = gigabytes of RAM, lol... apk

You asked how much hosts eat? About 10-13mb initially using my program & see subject + -> http://www.bing.com/search?q=d...

APK

P.S.=> What I found VERY funny is your name "TROLL", as it fits you! A whole 10 posts to your name too with that NEW 7 digit trolling account too - do you realize how STUPID you look after both my posts by this point? Everyone else reading does, lol... you fail! apk

cheers

I think people in America need to get used to fact that they are not god. In the coming times more than ever. cheers.

Re:cheers

If America doesn't get to play god, then who will? Probably someone even less desirable.

Terrifying

head of U.S. Cyber Command

Their mission statement, with emphasis mine:

"USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries."

This is terrifying. They get to decide who they think their "adversary" is, and then they will attempt to deny them freedom in cyberspace.

Hopefully the Internet is capable of routing around any damage they cause. At least, that was the original goal of the Internet.

Re:Geo-blocking doesnt require gr8 firewall-o-murc

[hey!]

This is a very good point; however by "area" they don't necessarily mean "geographic area". Let's say you cut off Syria and northern Iraq from the Internet; that doesn't stop ISIS operatives in Europe from using the Internet. It doesn't even really stop Syrians from getting data from to those sites using some kind of gateway (e.g. POTS or packet radio). It just means they won't be streaming Netflix.

Of course you can't shut down terrorist

[p51d007]

On the internet. If you did, the global "military industrial complex" wouldn't have anything to do. ;)

Re: Geo-blocking doesnt require gr8 firewall-o-mur

No netflix might be enough on its own to discourage European recruits...

The Govt needs taxes.

[speedlaw]

When the Federal Government MADE ME post my taxes monthly on a website, and said I could no longer go physically to my bank, and pay a teller, I knew that the internet was here to stay. If the internet was "shut down", then most of your small businesses could not pay their withholding taxes, as the Govts have pulled banks back from that job.

LOL! Not Fallin' for it.

[BrendaEM]

Nope, not going to buy into it. Just like there was no domestic spying. The government has no off switch, until the use it.

Other /.'ers disagree outnumbering you

his hosts program is actually pretty good by xenotransplant

his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

I like your host file system by Karmashock

I find your hosts file admirable by vel-ex-tech

APK is kinda right. I've given up on JS based adblocking and gone to blackholing in /etc/hosts, just like it was back in the 90s. The computational load has gotten intolerable for any ad-blocking using JS. I've tried his hosts file generating software. It works by bmo

APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience in this context by chihowa

I find your hosts file admirable by vel-ex-tech

I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

I support APK's stand on the hosts file by Trax3001BBS

Re: 'murican - you think it's funny, but it's not

Merkins it is then.

It's easy

[jaq1an]

just cut one of the tubes ;)