The process of reforming the US Patent Office appears to be fairly straightforward. Unfortunately, it requires political commitment.
The heart of the US Patent problems is both conceptual and economic. But the problems are easy to understand.
First, we have adopted the idea that more patents are better than fewer patents. This idea has been proven false. We believed that US Patents were a license to create. But, this is not true. US Patents are nothing more than a license to hire lawyers and sue a competitor. They don't guarantee creation or progress. They only guarantee legal action. A little legal action is necessary, but a lot destroys economies.
Since we believed that more Patents were better, in the last couple decades we have 'reformed' the US patent process to maximize the creation of patents.
We need to admit we are wrong. Once we have managed to do that, reform is fairly easy. Reform should address:
1) Running the US Patent Office as a cost-recovery operation is a mistake.
Currently most of the revenue of the US Patent Office comes from GRANTING patents. See the USPTO FY 2013 President's Budget page 37: www.uspto.gov/about/stratplan/budget/fy13pbr.pdf "..More than half of all patent fee collections are from issue and maintenance fees, which essentially subsidize examination activities."
This means that, regardless of merit, about 1/3 of all patent applications must be granted in order to fund the US Patent Office. This economy creates unavoidable pressure to grant many patents that should not otherwise be considered. It also creates economic pressure that greatly decreases the time that can be devoted to examination.
Reform could come in many forms, but the simplest and most reliable would be to eliminate and unify the Patent office fees into a single filing fee. This fee would provide no guarantee of receiving a patent, only a guarantee that your patent would be considered. This would free the Patent Office to be able to deny poor patents.
2) Granting too many Patents is a mistake.
Currently, we expand the number of patent examiners based on demand. See the USPTO FY 2013 President's Budget, page 60, Gap Assessment: "Meeting this commitment assumes efficiency improvements brought about by reengineering many USPTO management and operational processes (e.g., the patent examination process) and systems, and hiring about 3,000 patent examiners in the two-year period FY 2012 and FY 2013 (including examiners for Three-Track Examination)."
Again, the assumption is, more patents are better, even if it means decreasing examination, and increasing the number of untrained examiners. Poor quality is an inevitable result of this patent process.
The resulting flood of patents creates patent thickets. These thickets eliminate competition and stagnate markets.
Reform would require somehow limiting the number of granted patents in a field. This could be accomplished several ways. The easiest would be to restrict the number of Patent examiners. If you eliminate the idea of cost recovery, then the natural process of limited congressional funding would probably suffice to limit the examination staff. Patent quotas would also work, but a PTO quota would be subject to regulatory capture. Patent Quotas would work best if they were set by Congressional Act.
3) It is a mistake to grant all patents that meet minimum standards.
A review of recent Patent Law will reveal that the minimum standard for granting a patent has consistently shifted downwards during the past few decades. We must abandon the idea that any patent that meets minimum standards is granted. Over time, the standard always de
The security group at USU documents, blocks and reports attack. It is part of our security response. We feel it is a cost effective part of our security posture. We have been doing it for 5 years.
We detect, document, block and report SSH portscans and SSH password guessing. We also have several SSH honeypots set up to collect lists of attack credentials. We check the honeypots to see if a USU credential has been exposed. A while ago, the FBI came by and asked about 9 IP addresses used in a hostile government sponsored attack. We were able to document that they had been detected and blocked. We were also able to provide the credentials that the attackers used.
When we first started reporting attack, the response was very poor. But now, about 1/3 of the abuse reports (to non-Chinese sources) result in confirmed, remote resolution. Now, almost all ISPs, CERTs, and large organizations are eager to receive a polite, accurate, and detailed abuse report. It is the easiest (and most common) way to learn that you have a compromised system.
As you have noticed, the hardest part is determining the proper point of contact. Most of the time, we can find one by carefully searching the whois and DNS information.
USU IT Security attempts to document all attacking IPs on Singsing. This accomplishes 3 primary goals:
* It creates memory of how USU is attacked. We need to know how we are attacked, so our defenses are anchored in reality.
* It blocks attacking IPs at the USU border. We can specify a duration that is appropriate to the occasion.
* It notifies the owner/ISP of the computer that they are attacking USU. Usually they are also innocent victims.
Lately (March 2012), at least 1/3 of the abuse reports (to non-Chinese sources) appear to result in remote resolution.
In addition, documenting/blocking/reporting has important secondary benefits:
* Once a week, summary reports go out to our peers across the state, and to the FBI.
* It keeps USU IT Security from developing the habit of ignoring attack.
* Blocking attackers gives us a great deal of satisfaction. (Normally, we can't get no.)
* It sends a message to attackers, that USU is not cheap, soft pickings.
* We have demonstrated a couple times that the number of attacks drops off sharply a couple weeks after we begin religiously reporting attacking IPs.
Finally, we are convinced that reporting of compromise/attack is one of the few pathways that can lead to a more secure internet.
* Computer owners/admins must know about their compromise to make sound decisions.
* The current hacking environment is controlled by the economics of hacking. Reporting attack/compromise increases the risk/cost of hacking and decreases the reward.
* If we help others to know they have problems, maybe someday, somebody will have similar mercy on us.
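The detect/document/block/report loop described in the post above, as an added example that is not the author's own tooling: it runs over a constructed sshd log excerpt, groups failed logins by source, picks a block duration appropriate to the occasion (the duration policy is an assumption of this example), and drafts the polite, accurate, detailed abuse report the post recommends.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt (syslog format carries no year; 2012 is assumed below).
SAMPLE_LOG = """\
Mar  5 02:14:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  5 02:14:03 host1 sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 51023 ssh2
Mar  5 02:14:05 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  5 02:14:07 host1 sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Mar  5 02:14:09 host1 sshd[1201]: Failed password for invalid user guest from 203.0.113.7 port 51026 ssh2
Mar  5 02:14:11 host1 sshd[1201]: Failed password for invalid user user from 203.0.113.7 port 51027 ssh2
Mar  5 03:40:12 host2 sshd[1377]: Failed password for mwilson from 198.51.100.9 port 40011 ssh2
Mar  5 03:40:20 host2 sshd[1377]: Accepted password for mwilson from 198.51.100.9 port 40011 ssh2
Mar  5 04:01:00 host1 sshd[1402]: Failed password for root from 192.0.2.33 port 33011 ssh2
Mar  5 04:01:02 host1 sshd[1402]: Failed password for root from 192.0.2.33 port 33012 ssh2
Mar  5 04:01:04 host1 sshd[1402]: Failed password for root from 192.0.2.33 port 33013 ssh2
"""

# Matches OpenSSH "Failed password" lines; accepted logins and unrelated lines are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2012):
    """Yield (timestamp, host, username, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["user"], m["ip"]


def block_duration(count, distinct_users):
    """Assumed local policy: a dictionary run across many usernames, or a very large
    volume, earns a week at the border; a small burst earns a day."""
    if distinct_users >= 5 or count >= 100:
        return 7
    return 1


def detect_guessing(log_text, threshold=3, year=2012):
    """Group failures by source IP and keep the sources at or above `threshold`.
    The returned record per IP is the 'memory' of the attack: what was tried, where,
    and when, plus the block duration chosen for it."""
    by_ip = defaultdict(list)
    for ts, host, user, ip in parse_failures(log_text, year):
        by_ip[ip].append((ts, host, user))
    findings = {}
    for ip, events in by_ip.items():
        if len(events) < threshold:
            continue  # a user mistyping a password twice is not an attack
        users = sorted({u for _, _, u in events})
        hosts = sorted({h for _, h, _ in events})
        times = [t for t, _, _ in events]
        findings[ip] = {
            "count": len(events), "users": users, "hosts": hosts,
            "first": min(times), "last": max(times),
            "block_days": block_duration(len(events), len(users)),
        }
    return findings


def block_entries(findings):
    """Border block list as (ip, expiry) pairs; expiry is counted from the last sighting."""
    return [(ip, f["last"] + timedelta(days=f["block_days"]))
            for ip, f in sorted(findings.items())]


def abuse_report(ip, finding):
    """Plain-text report for the owner/ISP of the attacking address."""
    lines = [
        f"Subject: SSH password guessing from {ip}",
        "",
        f"Between {finding['first']:%Y-%m-%d %H:%M:%S} and "
        f"{finding['last']:%Y-%m-%d %H:%M:%S} (UTC), {ip} made "
        f"{finding['count']} failed SSH login attempts against "
        f"{len(finding['hosts'])} host(s) in our network.",
        f"Usernames tried: {', '.join(finding['users'])}",
        "The source is most likely a compromised machine; please investigate.",
        "Full log excerpts are available on request.",
    ]
    return "\n".join(lines)
```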
Nobody at the US Air Force seems to be thinking strategically.
There are 2 major problems with offensive cyberwar:
The USA has the most to lose. We are the most dependent on the Internet. It doesn't matter who initiates a cyberwar act, the USA will take the most damage. And, any cyberwar act by the US legitimises all other cyberwar activity. The USA has nothing to gain and everything to lose by offensive cyberwar preparation. This is why Schneier is advocating cyberwar treaties: https://www.schneier.com/blog/archives/2012/06/cyberwar_treati.html
US offensive cyberwar preparations make the US internet more vulnerable. The NSA calls this effect the "Equities Issue". In order to create an offensive capability, we have to rob resources from our defence. In order to have an attack surface, we have to weaken our defences to create a vulnerability. For example, in order to have a "0 day" vulnerability, we have to choose to not disclose or fix it.
Granted, we can do some things to improve our defences without destroying ourselves. But, attempts at creating offensive cyberwar capability are careful and meticulous preparations for suicide. Any clear-thinking opponent will swiftly realize that they have everything to gain and nothing to lose.
A good part of the ongoing patent mess is caused by the funding model of the US Patent Office. The problems become fairly obvious if you read the proposed 2013 US Patent and Trademark Office budget proposal at: www.uspto.gov/about/stratplan/budget/fy13pbr.pdf
Here are a few of the problems in the funding model:
Page 37 of the budget: "..More than half of all patent fee collections are from issue and maintenance fees, which essentially subsidize examination activities."
They charge a small, fairly trivial fee to file, and a much larger fee once your patent is granted. The ratio is about 3 to 1.
Because Issue fees subsidise all other aspects of the P.O., they HAVE to approve roughly 1/3 of all patent applications to stay afloat.
Page 12 of the budget: Currently they are backing up patent applications much faster than they clear them. 506924 patents filed last year. 669625 backlogged patents. So, they are currently trying to clear 1,176,549 patents using about 6600 examiners (178 patents per examiner per year.)
Page 60 of the budget: "Gap Assessment: Meeting this commitment assumes efficiency improvements brought about by reengineering many USPTO management and operational processes (e.g., the patent examination process) and systems, and hiring about 3,000 patent examiners in the two-year period FY 2012 and FY 2013 (including examiners for Three-Track Examination)."
So, the plan is to streamline the process even more and hire many more inexperienced patent examiners, and make them work faster.
So, we have a monstrous machine for issuing patents. It has to issue patents to stay alive. It is currently in severe pain because it can't issue patents fast enough. The current plan is to 'fix' the situation by issuing patents faster and cheaper.
If congress really wanted to improve the quality of granted patents, the fixes seem fairly obvious:
CHARGE ALL THE FEES UP FRONT on application.
Don't tolerate modification after submission. This just allows people to game the system.
One nation should never respect another nation's patents. This just lets a bad patent system wage war on everybody's economy.
Incoming patents should be ranked on the quality of the patent application. Grade them on the curve, and only process the top few percent.
Score incoming patents on the clarity of the invention description. Only the most clear should be approved. Unclear descriptions enable patent war.
Score incoming patents on the precision of their claims.
Score incoming patents on their lack of originality. Only the most original should survive.
Total up the scores and quickly reject all but the best applications.
A society should only pay for as many patent examiners as they can afford. More examiners always yields more patents. More patents are not better than fewer, higher quality patents.
Our (that is, the US's) Cyberweapons threaten ourselves more than any other target. We are the most dependent on the internet. We have the most to lose. We wave these weapons of self-mutilation around in the hopes that our intimidated foes will not force us to destroy ourselves.
We just need to be patient, and keep publishing good code.
It takes decades to teach Government new tricks. At this point, it is barely aware that software exists. But, it is learning. It just takes time and lots of informed input.
Judge Alsup (the current judge in Oracle vs Google) is an example for our future. Once Government is seeded with individuals that understand software, we will finally see changes that make sense.
It is inevitable that eventually the Patent Office will acknowledge Free and Open Source Software (FOSS) as a partner. Both have the same general objective: To Advance Art and Science. Patents are an ancient tool. Patents are a poor tool for software. Patents are optimised for the physical world. FOSS is a modern tool that is optimised to properly handle society's need to advance the art and science of Software.
In the field of software, FOSS is a superior solution. FOSS provides all the goals of patents without the enormous costs of patents. FOSS provides: Publication; Implementation; and Motivation. FOSS creates stable and enduring infrastructure. All cheap and self organising. And without a crippling burden on the legal system.
The end-game is certain. Eventually Patents will not constrain FOSS. Probably we will see a statement along the lines of: FOSS has an automatic license to all patents. Therefore FOSS can not be sued for patent infringement. The only bit of uncertainty is the time-frame. It could be decades. It could be centuries.
The future for proprietary software is less simple. Proprietary software appears to be in need of patents. Proprietary software doesn't Publish. Society can't inspect Proprietary implementations. Society can't learn from and extend Proprietary software. And, any Proprietary software infrastructure can vanish in the blink of a vendor's eye. There are good reasons to keep Proprietary Software shackled to the Patent Office.
I'm not super in-favor of our patent system either. I'm just wondering if you realize what you are saying. "A legislative act disabling every patent granted for the last 20 years" is simply throwing out every patent ever granted. More or less. Keep in mind that patents don't last very long.
I'm allowing the immense scope of the problem to intimidate me.
I read the US Patent Office 2013 budget proposal: www.uspto.gov/about/stratplan/budget/fy13pbr.pdf I didn't believe what it said, so then I read the Patent Office fee structure: http://www.gpo.gov/fdsys/pkg/PLAW-112publ29/content-detail.html (see section 11).
The fee structure is all wrong. When you submit a patent application, you pay a small fee and cause the Patent Office to do a very expensive process. The process is documented on page 58 of the Budget Proposal. The Patent Office only collects more money if it approves the patent.
They discuss this problem on page 37: "..More than half of all patent fee collections are from issue and maintenance fees, which essentially subsidize examination activities."
The fee structure demands that REGARDLESS OF MERIT, the patent office has to approve about 1/3 of all patents submitted to it.
The Budget Proposal repeatedly discusses the problem of improving the quality of approved patents, but none of their proposals will cause businesses to submit better patent applications. Instead, they propose streamlining the evaluation process and hiring more patent examiners. See the Gap Assessment on Page 60.
So, we have this immense machine. It is central to our economy. It can only survive by approving patents. It is currently in pain because it can't approve patents fast enough. It is currently creating about 200,000 patents per year. You have to go to court to find out if a patent is valid, and what it covers. It costs about $20,000,000 to go to court. 200,000 * $20,000,000 = $4,000,000,000,000 (4 Trillion dollars) just in court costs. AND that is just this year's patents.
When I think about giving this kind of money and influence to patent lawyers, I'm scared shitless.
That is why I think it would be better to just disable all existing patents and start over.
.. I suspect we can ultimately fix almost all our patent problems by returning the patent office to central funding. Funding the patent office from patent fees has got to be our greatest mistake.
I have spent an instructive afternoon reviewing the nature of US Patent Office Funding:
* www.uspto.gov/about/stratplan/budget/fy13pbr.pdf (United States Patent and Trademark Office FY 2013 President's Budget)
My initial impression that there was a 'greatest funding mistake' is way too optimistic. There is just no bottom to the Patent Office's barrel of broken funding bits. But, let me list just a few:
* Congress loves to steal the Patent office fees to fund other stuff.
* Page 37 of the budget: "..More than half of all patent fee collections are from issue and maintenance fees, which essentially subsidize examination activities." They charge a small fee to file, and a much larger fee once your patent is granted. The ratio is about 3 to 1. Roughly 1/3 of all patent applications are granted. So, inherent in the design is a perverse financial incentive to grant patents regardless of the merits.
* Page 12 of the budget: Currently they are backing up patent applications much faster than they clear them. 506924 patents filed last year. 669625 backlogged patents. So, they are currently trying to clear 1,176,549 patents using about 6600 examiners (178 patents per examiner per year.)
* Page 60 of the budget: "Gap Assessment: Meeting this commitment assumes efficiency improvements brought about by reengineering many USPTO management and operational processes (e.g., the patent examination process) and systems, and hiring about 3,000 patent examiners in the two-year period FY 2012 and FY 2013 (including examiners for Three-Track Examination)." So, the plan is to streamline the process even more and hire many more inexperienced patent examiners. Yea! More crap patents!
So, we have a monstrous machine for issuing patents. It has to issue patents to stay alive. It is currently in severe pain because it can't issue patents fast enough. We need to 'fix' the situation by issuing patents faster.
Seems like the real fix would be:
* Collect most of the money up front.
* Force simpler patent applications.
* Say no a lot more often.
* And slap any silly congresscritter that thinks this should be a money-making operation.
The patent debate has fallen victim to 2 big lies:
1) Patents are good. More patents are more good.
2) Patents belong to the patent holder.
Patents are monopolies. Years ago, they were monopolies of action. Modern software and business method patents are monopolies of action, expression, and speech.
Monopolies are expensive. They damage free markets. They always drive up the cost of goods and services. They are taxes on market places. We have forgotten that patents are monopolies. Somehow the patent lawyers have convinced us that patents are a measure of innovation. This great lie has blinded us to the fact that patents actually measure the decay and destruction of free markets.
The second lie is actually more pernicious, since it blocks our pathway forward. Patents actually belong to society, not the patent holder. Patents are restrictions imposed on EVERYBODY BUT the patent holder. Patents are voluntarily imposed on a society, by that society, for the good of the society. If a patent was the property of the patent holder, it would be worthless, since no patent holder has the ability to enforce a patent. Only society has the ability to enforce a patent.
Since patents belong to society, then they can (and ultimately must) be managed for the good of society.
Once we dispel these 2 grand deceptions, the way forward is fairly clear:
First, we must stop the hemorrhaging. Our society can't tolerate a patent office that produces enormous numbers of crappy patents. The damage to our economy is literally in the trillions of dollars. A limited nuclear exchange on US soil would be less expensive. We must shut down the patent office until we can figure out how to restructure it to produce limited numbers of high quality patents.
Second, we must produce a method to cheaply dispose of all our toxic, crap patents. Litigating them would destroy us. We need a cheaper way to get rid of them. The best would be an executive order (or legislative act) disabling every patent granted (or in process) for the last 20 years.
I suspect we can ultimately fix almost all our patent problems by returning the patent office to central funding. Funding the patent office from patent fees has got to be our greatest mistake.
It's pure paranoia to think that a web (HTTP) crawler is doing something malicious by looking for open HTTP servers. That is like saying that an SMTP crawler looking for open mail relays to add to a blacklist is doing something malicious by scanning networks looking for open SMTP servers.
Well, yah. But:
We have closely monitored our part of the internet for years. No other search engine behaves like this.
A University really, REALLY doesn't want anybody indexing all the things that respond to TCP/80. Again, Yandex is the only one trying.
They pay me good money for that paranoia.
And, yes, we also react to any other form of external vulnerability analysis, including TCP/25 scanning. It's funny. There is an endless number of hackers willing to find our vulnerabilities, but they almost never give us a chance to fix the problems. It's amazing the number of people trying to make a buck out of our misfortune. Here was a fun one: https://it.wiki.usu.edu/20120101_China_Test
I have seen Yandex searching wide ranges of IPs for web servers. See: https://it.wiki.usu.edu/20111007_BeEvil
You may want to give some thought to blocking the Russian Google-wanna-be Yandex.
They may have flipped their 'Evil' bit.
In 2012, you should not find public web servers by scanning for TCP/80 and TCP/443.
If you want to find public web servers, you spider the web. Or ask Google.
If you scan the internet for TCP/80 and TCP/443, you will find private management interfaces. You find printers, routers, switches, control systems, web cams, network attached storage devices, and work-flow services. You will probably find more SCADA devices than actual public web servers. The results of this search are of great interest to the hacking community. It has very limited utility for anybody else.
This is not trustworthy internet behavior.
Thanks for the link to Macaulay on Copyright. It is extremely relevant. His summation was amazingly prescient:
"And you will find that, in attempting to impose unreasonable restraints on the reprinting of the works of the dead, you have, to a great extent, annulled those restraints which now prevent men from pillaging and defrauding the living."
This is the modern copyright wars in a nutshell. Copyright can NOT exist in defiance of common sense. It must be reasonable or it will destroy our respect for the law. If we wish to continue as a lawful nation, we must restore reason to copyright.
Reason would look like:
Copyright should last 20 years.
Things that can't be copied (i.e. works with effective technical copying restrictions) are not subject to copyright.
And, either no punishment for non-commercial copying or the punishment is limited to just the actual cost of buying a copy.
But, when negotiating with a crazy opponent, you can't begin with reason.
Our initial negotiating position must be:
Copyright is only granted to works submitted to the Library of Congress.
Mandatory licensing. Anybody can get a copy from the Library of Congress at any time for $1.
I remember the Michelangelo virus. Let's see...
Yep. I still have a copy. I suppose I ought to throw that old box of floppies away. I've still got: Michelangelo, Stealth, Stoned... I used to use them to test and calibrate virus checkers.
A month before Michelangelo triggered, we did some sampling and determined that it was on hundreds of University computers. So, a couple dozen of us had a hectic month chasing it down and eliminating it. It was everywhere. President's office. Multiple Deans. Tons of Researchers and Faculty. If we ignored it, then the loss would have been immense.
Come March 6th and we only lost 2 computers. We all breathed a big sigh of relief.
Next day, the University paper complained that we had over-rated the threat. I told them I had copies of the virus. I would be glad to put it back on their computers and change the date. Didn't get any takers.
Security is full of no-win situations. Sometimes, the best you can do is keep them alive to complain.
I am also security @ public.edu. Our approach to security and network monitoring is similar to the parent's. At one point, I made a YouTube video on USU's approach to security monitoring: https://www.youtube.com/watch?v=dQc5FU_jqCk
Basically, we feel that you can't have good thinkers, or great researchers if you tighten the screws too tight.
Miles
Given two equal SSH daemons, both fully updated but one on a random high port, the one listening on 22 will log hundreds or thousands of attempts per day, the one on a random port will log *zero*. Which do you think makes log auditing easier to look for truly dangerous threats?
I can second this. For years I have monitored the SSH activity at my university. Today we had 30K+ active devices and hundreds of SSH servers. I use Snort rules to detect SSH negotiation on non-standard ports. We have NEVER had an attack against an SSH server using a properly obscured SSH port. Of course, we don't depend on obscurity. Here is a snippet from our guide to setting up an SSH server: https://it.wiki.usu.edu/ssh_description
We try to use multiple overlapping security layers to protect SSH:
1) Set your firewall to limit the vulnerable scope of SSH to a few trusted hosts.
2) Set your firewall to prevent credential guessing by rate-limiting connections to the SSH port.
3) The SSH Port is treated as a shared secret. Only interesting, targeted attacks find the SSH server.
4) The SSH server should not allow known usernames including root. The attacker must find a username.
5) The admin is trained to create good passwords for his usernames.
6) SSH users are taught to verify the identity of their systems when they first connect.
7) System admins must regularly review the activity of their SSH servers.
8) USU IT Security monitors all SSH connections, including ones on non-standard ports. We follow up on interesting connections.
9) USU has SSH Honeypots that help us respond to SSH attack.
When we reviewed the SSH activity today, we found 2 compromised systems. One had sprouted an SSH server on port 8080 and had a large community of hackers connecting to it. The other had bot C&C running over an SSH connection to the Netherlands. This review is easy when we don't look at all the crap on TCP/22.
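The monitoring step in the post above (SSH negotiation spotted on non-standard ports, then the two kinds of compromise found in the review), as an added example that is not the author's Snort rules or USU code. It works from constructed flow records that carry the first bytes each server sent, keys on the RFC 4253 identification string "SSH-...", and ignores the noise on the registered SSH port so the review stays short; the campus address range, the crowd threshold and the record layout are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Assumed local address space (constructed) and the port where SSH is expected to live.
CAMPUS = ipaddress.ip_network("10.0.0.0/16")
KNOWN_SSH_PORTS = {22}

# Constructed flow records: (client ip, server ip, server port, first bytes the server sent).
# The Snort equivalent of is_ssh_banner() is a content:"SSH-"; depth:4; match on
# server-to-client traffic whose source port is not 22.
FLOWS = [
    ("198.51.100.4", "10.0.5.10", 22, b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n"),
    ("10.0.7.21", "10.0.5.10", 22, b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n"),
    ("10.0.7.21", "10.0.5.11", 8080, b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"),
    ("203.0.113.5", "10.0.9.40", 8080, b"SSH-2.0-dropbear_0.52\r\n"),
    ("203.0.113.6", "10.0.9.40", 8080, b"SSH-2.0-dropbear_0.52\r\n"),
    ("203.0.113.77", "10.0.9.40", 8080, b"SSH-2.0-dropbear_0.52\r\n"),
    ("10.0.3.8", "192.0.2.200", 4443, b"SSH-2.0-OpenSSH_4.3\r\n"),
    ("10.0.3.8", "192.0.2.200", 4443, b"SSH-2.0-OpenSSH_4.3\r\n"),
]


def is_ssh_banner(payload):
    """RFC 4253 identification string: 'SSH-protoversion-softwareversion', CR LF terminated."""
    return payload.startswith(b"SSH-") and b"\r\n" in payload


def ssh_services(flows):
    """Map each (server, port) that answered with an SSH banner to the clients that reached it."""
    seen = defaultdict(set)
    for client, server, port, banner in flows:
        if is_ssh_banner(banner):
            seen[(server, port)].add(client)
    return seen


def review(flows, campus=CAMPUS, known_ports=KNOWN_SSH_PORTS, crowd=3):
    """Findings worth an analyst's time, in server order:
       - a campus host serving SSH on a port nobody registered,
       - a campus SSH server with a crowd of distinct external clients,
       - a campus host holding SSH sessions to an outside server on an odd port.
    Ordinary traffic on the known SSH port produces nothing, which is the point."""
    findings = []
    for (server, port), clients in sorted(ssh_services(flows).items()):
        on_campus = ipaddress.ip_address(server) in campus
        external = {c for c in clients if ipaddress.ip_address(c) not in campus}
        if on_campus and port not in known_ports:
            findings.append({"kind": "ssh-nonstandard-port", "host": server,
                             "port": port, "clients": len(clients)})
        if on_campus and len(external) >= crowd:
            findings.append({"kind": "ssh-external-crowd", "host": server,
                             "port": port, "clients": len(external)})
        if not on_campus and port not in known_ports:
            for client in sorted(clients):
                findings.append({"kind": "ssh-outbound-odd-port", "host": client,
                                 "port": port, "server": server})
    return findings
```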
I need an app that will help me track abusive policemen.
At this point, it seems like there is a much greater need to track abusive policemen than sex offenders. After all, if a sex offender causes problems, you call the police and they get put away. But if you are abused by a policeman, then calling the police just gets you more abuse.
Comprehensive IT Epidemiology could provide us with meaningful ways to compare various approaches to security.
The problem is, nobody wants to share. It's too embarrassing.
Maybe if I start?
I do IT security for USU. From March 2009 to March 2010 some of our Infection rates were:
* Conficker: 15/12677 = .00118, or about 12/10K per year, 1/10K per month.
* Torpig: 20/12677 = .00158, or about 16/10K per year, 1.3/10K per month.
* Mebroot: 5/12677 = .00039, or about 4/10K per year, .33/10K per month.
Now, if only I could get stats from other institutions, and compare their security measures.
It would be heavenly to be able to perform meaningful evaluations on the effectiveness of our various security measures.
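The per-10K rates in the post above, carried one step further as an added example (not the author's code): a rate alone cannot tell two institutions apart, so each count is paired with a 95% Wilson score interval and two observations are only called different when the intervals do not overlap. The 1.96 z-value and the overlap rule are the example's own choices.

```python
from math import sqrt


def rate_per_10k(infections, hosts, months=12):
    """Infections per 10,000 hosts over the period, and the same figure per month."""
    yearly = infections / hosts * 10_000
    return yearly, yearly / months


def wilson_interval(infections, hosts, z=1.96):
    """Wilson score interval for the infection proportion; behaves sensibly for the
    small counts (5, 15, 20 out of ~12K) that campus infection data actually has."""
    n = hosts
    p = infections / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def compare(first, second, z=1.96):
    """Compare two (infections, hosts) observations. Non-overlapping intervals are
    the only case where the lower rate is called lower; anything else is
    'indistinguishable', which is the honest answer for most small samples."""
    lo_a, hi_a = wilson_interval(*first, z=z)
    lo_b, hi_b = wilson_interval(*second, z=z)
    if hi_a < lo_b:
        return "first lower"
    if hi_b < lo_a:
        return "second lower"
    return "indistinguishable"
```

With the post's own numbers, Mebroot (5/12677) is distinguishable from Torpig (20/12677), but Conficker (15/12677) and Torpig are not.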
I just find it a bit hypocritical to say voluntary when they intend to use force.
We have a mess. The right laws may help, but, the wrong ones will make it a lot worse.
Personally, I think the government's best contribution would be to provide central coordination. Here's two examples:
1) They could provide a central clearinghouse for attack information. My institution is attacked hundreds of times a day. Thousands if you count the Confickers. Every day we collect lists of attacking computers. Just by ourselves, we could eliminate much of the internet's attacking bots, if we could get anybody to listen to us. The government could help in several ways. Once we proved ourselves, they could vouch for us. They could provide a central repository for this info so anybody could check to see if they are a bot. They could pass credible info back to the owners.
2) Security NEEDS Metrics: https://it.wiki.usu.edu/SecurityPerformanceMetric Bot Epidemiology can provide us with useful measurements that demonstrate the actual effectiveness of a security regime. But nobody is publishing the info. And, everybody who is currently measuring seems to have their own agendas. We need a cybersecurity CDC. Maybe a CSCBC. A central, accurate source of historical infection rates. Searchable by CIDR.
Interesting definition of voluntary. Once you wade through 22 pages of fluff, you find (in the middle of the page numbered 12):
"These voluntary codes of conduct, developed through multi-stakeholder processes.. Once these codes have been developed to and companies have committed to follow them, relevant law enforcement agencies, such as Federal Trade Commission (FTC) and State Attorneys General, could enforce them,.." [Next page] "The FTC's role in challenging both deceptive and unfair acts or practices in the data security area is vital so that companies' voluntary efforts to implement specific cybersecurity best practices are backed by a legal obligation to implement reasonable and appropriate security."
So, you volunteer to obey whatever laws are implemented. Hmm. That sounds like my dad's description of life in the military.
I think the Commerce department wants more laws regulating the internet. But, they want the appearance of accepting input.
You shouldn't trust my opinion any more than you should trust this guy's opinion. What good is security if you can't make up your own mind?
That's the fundamental problem with secrecy. You can't have security if you can't do meaningful evaluations. Secrecy blinds evaluation. Secrecy isolates security from its community.
Is the US so dependent on secrecy that we must sacrifice security to have secrecy?
HoneyPots can be an important layer. But you need the other layers. We use the following layers to protect SSH (https://it.wiki.usu.edu/ssh_description )
1) The firewall limits the vulnerable scope of SSH to a few trusted hosts.
2) The firewall can also be used to prevent credential guessing by rate-limiting connections to the SSH port.
3) The SSH Port is treated as a shared secret. Only interesting, targeted attacks find the SSH server.
4) The SSH server should not allow known usernames including root. The attacker must find a username.
5) The admin is trained to create good passwords for his usernames.
6) SSH users are taught to verify the identity of their systems when they first connect.
7) System admins must regularly review the activity of their SSH servers.
8) Security monitors all SSH connections, including ones on non-standard ports. We follow up on connections that seem interesting.
9) USU has SSH HoneyPots that help us respond to SSH attack.
SSH HoneyPots give us several benefits:
1) They make it easy to automate blocking SSH attackers, with virtually no chance of false positives. Some patterns of attack are designed to bypass Fail2ban, but the HoneyPots have no problem handling them.
2) We notify remote ISPs (and remote managers) that they have attacking systems. This is surprisingly effective. When we started (6 years ago) less than 1 notify in 8 seemed to have any effect. Now about 1/2 of the notifications seem to have an effect. And remember, virtually every one of those attacking computers belongs to an innocent victim. Notification helps them, and it improves the overall security of the internet. We have also confirmed that notifications drive away some attackers.
3) We collect and analyze guessed credentials.
- If they meet our complexity requirements, they are added to our central black-list.
- Patterns of credentials reveal patterns of attack and patterns of attackers. It's a Heisenberg thing. An attacker both changes the target, and reveals information about himself. Password guessing reveals a lot of information. Virtually every attack has been a unique combination of credentials. You can do cluster analysis against the combinations. You can find relationships between attacks and IPs. You can track how these relationships change over time. You can correlate this information with your other intelligence. The FBI came to us and asked about some attacking IPs. Almost all of them had hit our SSH HoneyPots. We were able to pass all this intelligence back to them.
Our SSH Honeypots (and several other SSH servers) now have the following banner:
--- USU tracks internet abuse. We have SSH honeypots that automate the process of detection, notification, and blocking. These honeypots also collect credentials and analyze them.
If this system is a honeypot, your access will be reported as abuse. Your credentials will be logged. Your IP address will be blocked.
If you believe that your access has been misidentified as abuse, please contact USU IT Security at security@usu.edu or 435-797-1804. ---
I went through a similar process. You will only survive if you work hard.
Start looking at packets now. You must eat, sleep, and breath packets to survive. Use Wireshark and TCPDump. Don't let anybody abstract away any of the layers. You have to understand every network layer from 1 to 4 before you can begin. You have to be able to think like a packet.
Physically touch and diagram every piece of network equipment. You must be able to draw a map of your network from memory. DRAW the map, verify it's accuracy and keep it in a safe place. When something goes wrong, you will forget everything and that map will become very important to you.
You can have reliability or complexity. You can't have both. Educate yourself, then educate your boss. Make sure he understands that any complexity will reduce reliability. If you can't agree on the level of reliability and complexity, find another job.
Don't believe salesmen. Cisco sales are worst. They will destroy you in a minute if it means a sale. Divide all Cisco performance figures by 3 to get YOUR performance. At your size, you should be able to mostly avoid Cisco. Avoid them as much as possible. If your network design is simple, HP and Foundry (now Brocade) switches will consistently outperform Cisco, dollar for dollar.
Don't believe vendor performance figures. Evaluate equipment based on your own measurements.
READ THE BUGFIXES for the current and previous versions of your firmware. There are always more bugs. Future bugs will tend to occur in the same feature sets that gave rise to previous bugs.
Wait till you have a year or two of experience before tackling the following feature sets:
1) Redundancy. Redundancy is Cisco slang for: "I sold unnecessary equipment to a gullible customer." Redundancy is hard. In spite of everything you have heard, redundancy virtually always reduces reliability. Simple network designs, based on simple equipment will almost always be more reliable than redundant ones. Don't experiment with redundancy until you completely understand your network. Then only deploy redundancy after extensive testing.
2) VLANs. VLANs are a simple idea that enable you to create limitless complexity. Once you start, you will not stop until you have created a network that you can not understand or debug.
3) Multicast. You are not a true network person, until you loath and despise multicast. Wait till you fully understand why you hate multicast, before you depend on it.
Surprisingly, you should not hesitate to play with IPv6 (in a non-production environment of course). Nobody else understands all the implications of IPv6. It is one of the few areas where you will not be at a disadvantage:)
We dumped our Cisco gear years ago after attending a presentation on OpenBGP (in which the presenter talked about routing his Internet2 connection with a P4) and we haven't looked back since. And the equivalent Cisco machines for our border routers cost an order of magnitude more.
My institution also dumped Cisco. (It is USU, Utah's land-grant university. We have about 30K students/faculty/staff and about 200 buildings.) Our experience has been very positive.
Years ago, we did a cost analysis and decided that Cisco didn't make financial sense. We could do everything we needed with cheaper, commodity devices.
So, for the next couple years, all upgrades/replacements were to simpler structures. To non-proprietary protocols. And to non-Cisco equipment. We have been Cisco-Free for about 7 years.
Our network is about 1/3 the price of equivalent Cisco provisioned equipment. We have substantially fewer outages than our peers with Cisco equipment. We have a faster, more reliable network than our peers. And security seems to be increased as well.
Of course, a lot of that is due to simpler, more robust network designs. But, I blame that on Cisco as well. Cisco architecture always prefers proprietary complexity over robust simplicity. The Cisco approach to device failure is either replace with a more expensive and complex device, or implement complex redundancy.
The hardest part was beating off the attacks from Cisco Sales. These attacks were vicious. They lied (even more than usual for Cisco sales droids.) They tried their best to discredit us. First they approached the head of IT. Then the VP for Business. Then the president.
Finally, they went to the Board of Regents. They said we were incompetent. They said our actions were endangering the future of our institution. Amazingly, the Regents looked at our documentation and backed us.
It only happened because we carefully documented our actual needs, and upper management was willing to trust us. I get the impression that most management would fold under the pressure we saw.
I wonder if it's time to do the same analysis for Oracle. They are smelling ripe. Oracle appears to believe that they own us. Lately, they have gone from asking what we need, to telling us what we will do. Their current pricing is not based on competition, but on our ability to pay. The more they believe they control us, the more they will charge. Eliminating Oracle will be hard, but not as hard as Cisco was. And, we may have the necessary talent to pull it off.
Prior Chinese attacks against USU governments, corporations and infrastructure have been covered up or downplayed. The US government doesn't want to offend the Chinese. The US Corporations don't want to lose the Chinese markets. There is a little talk now and then, but it is regarded as isolated incidents. Even Google's loud public protests and the later WikiLeaks disclosures keep being downplayed as unimportant past history.
At my institution, the attacks have been unending. A week-long break around the 20th Anniversary of the Student Uprising and then again during the Olympics.
If RSA (with the government's help) determines that China is responsible, then we will probably have to wait for another whistleblower to find out. The likely response in that event will be to cover it up again.
I suspect that the Chinese have a bit of a conundrum. They have created a monster. Thousands of people trained to attack IT infrastructure. Even if they wanted to stop, you can't just lay them off. They need to eat. They have a marketable skill. They are going to attack something. Maybe the Chinese could get away with killing them all. But if the choice is continuing to attack the West or destroying their valuable tool, it's going to take a LOT to want to destroy their attack capability.
I used to worry how we would deal with all the US torturers created during the glory days of Gitmo. But that problem will be a piece of cake compared to the problems we will face if we follow the example of the Chinese. Disposing of nukes will be easy compared to disposing of intelligent, talented, skilled destroyers of IT.
The heart of the US Patent problems are both conceptual and economic. But the problems are easy to understand.
First, we have adopted the idea that more patents are better than fewer patents. This idea has been proven false. We believed that US Patents were a license to create. But, this is not true. US Patents are nothing more than a license to hire lawyers and sue a competitor. They don't guarantee creation or progress. They only guarantee legal action. A little legal action is necessary, but a lot destroys economies.
Since we believed that more Patents were better, in the last couple decades we have 'reformed' the US patent process to maximize the creation of patents.
We need to admit we are wrong. Once we have managed to do that, reform is fairly easy. Reform should address:
Currently most of the revenue of the US Patent Office comes from GRANTING patents. See the USPTO FY 2013 President's Budget page 37: www.uspto.gov/about/stratplan/budget/fy13pbr.pdf "..More than half of all patent fee collections are from issue and maintenance fees, which essentially subsidize examination activities."
Also, if you examine the fee structure in Public Law 112 - 29 - Leahy-Smith America Invents Act, you see that patent application fees are 1/3 or less than the Issue fee. See: http://www.gpo.gov/fdsys/pkg/PLAW-112publ29/content-detail.html
This means that, regardless of merit, about 1/3 of all patent applications must be granted in order to fund the US Patent Office. This economy creates unavoidable pressure to grant many patents that should not otherwise be considered. It also creates economic pressure that greatly decreases the time that can be devoted to examination.
Reform could come in many forms, but the simplest and most reliable would be to eliminate and unify the Patent office fees into a single filing fee. This fee would provide no guarantee of receiving a patent, only a guarantee that your patent would be considered. This would free the Patent Office to be able to deny poor patents.
Currently, we expand the number of patent examiners based on demand. See the USPTO FY 2013 President's Budget, page 60, Gap Assessment: "Meeting this commitment assumes efficiency improvements brought about by reengineering many USPTO management and operational processes (e.g., the patent examination process) and systems, and hiring about 3,000 patent examiners in the two-year period FY 2012 and FY 2013 (including examiners for Three-Track Examination)."
Again, the assumption is, more patents are better, even if it means decreasing examination, and increasing the number of untrained examiners. Poor quality is an inevitable result of this patent process.
The resulting flood of patents creates patent thickets. These thickets eliminate competition and stagnate markets.
Reform would require somehow limiting the number of granted patents in a field. This could be accomplished several ways. The easiest would be to restrict the number of Patent examiners. If you eliminate the idea of cost recovery, then the natural process of limited congressional funding would probably suffice to limit the examination staff. Patent quotas would also work, but a PTO quota would be subject to regulatory capture. Patent Quotas would work best if they were set by Congressional Act.
A review of recent Patent Law will reveal that the minimum standard for granting a patent has consistently shifted downwards during the past few decades. We must abandon the idea that any patent that meets minimum standards is granted. Over time, the standard always de
We provide instructions to our users to help them set up and manage their SSH servers: https://it.wiki.usu.edu/ssh_description
We detect, document, block and report SSH portscans and SSH password guessing. We also have several SSH honeypots set up to collect lists of attack credentials. We check the honeypots to see if a USU credential has been exposed. A while ago, the FBI came by and asked about 9 IP addresses used in a hostile government sponsored attack. We were able to document that they had been detected and blocked. We were also able to provide the credentials that the attackers used.
When we first started reporting attacks, the response was very poor. But now, about 1/3 of the abuse reports (to non-Chinese sources) result in confirmed, remote resolution. Now, almost all ISPs, CERTs, and large organizations are eager to receive a polite, accurate, and detailed abuse report. It is the easiest (and most common) way to learn that you have a compromised system.
As you have noticed, the hardest part is determining the proper point of contact. Most of the time, we can find one by carefully searching the whois and DNS information.
Our rationale for documenting and reporting attacks is given at: https://it.wiki.usu.edu/SingSingRational It includes:
USU IT Security attempts to document all attacking IPs on Singsing. This accomplishes 3 primary goals:
Lately (March 2012), at least 1/3 of the abuse reports (to non-Chinese sources) appear to result in remote resolution.
In addition, documenting/blocking/reporting has important secondary benefits:
Finally, we are convinced that reporting of compromise/attack is one of the few pathways that can lead to a more secure internet.
Miles
Granted, we can do some things to improve our defences without destroying ourselves. But, attempts at creating offensive cyberwar capability are careful and meticulous preparations for suicide. Any clear-thinking opponent will swiftly realize that they have everything to gain and nothing to lose.
Mel Brooks gave a good summary of our current situation: https://www.youtube.com/watch?v=Z_JOGmXpe5I
Miles
Why are there too many patents in the USA?
A good part of the ongoing patent mess is caused by the funding model of the US Patent Office. The problems become fairly obvious if you read the proposed 2013 US Patent and Trademark Office budget proposal at: www.uspto.gov/about/stratplan/budget/fy13pbr.pdf
Here are a few of the problems in the funding model:
So, we have a monstrous machine for issuing patents. It has to issue patents to stay alive. It is currently in severe pain because it can't issue patents fast enough. The current plan is 'fix' the situation by issuing patents faster and cheaper.
If congress really wanted to improve the quality of granted patents, the fixes seem fairly obvious:
Miles
Our (that is, the US's) Cyberweapons threaten ourselves more than any other target. We are the most dependent on the internet. We have the most to lose. We wave these weapons of self-mutilation around in the hopes that our intimidated foes will not force us to destroy ourselves.
What could go wrong?
ALL Praise Irony and His Prophet Mel!
Miles
We just need to be patient, and keep publishing good code.
It takes decades to teach Government new tricks. At this point, it is barely aware that software exists. But, it is learning. It just takes time and lots of informed input.
Judge Alsup (the current judge in Oracle vs Google) is an example for our future. Once Government is seeded with individuals that understand software, we will finally see changes that make sense.
It is inevitable that eventually the Patent Office will acknowledge Free and Open Source Software (FOSS) as a partner. Both have the same general objective: To Advance Art and Science. Patents are an ancient tool. Patents are a poor tool for software. Patents are optimised for the physical world. FOSS is a modern tool that is optimised to properly handle society's need to advance the art and science of Software.
In the field of software, FOSS is a superior solution. FOSS provides all the goals of patents without the enormous costs of patents. FOSS provides: Publication; Implementation; and Motivation. FOSS creates stable and enduring infrastructure. All cheap and self organising. And without a crippling burden on the legal system.
The end-game is certain. Eventually Patents will not constrain FOSS. Probably we will see a statement along the lines of: FOSS has an automatic license to all patents. Therefore FOSS can not be sued for patent infringement. The only bit of uncertainty is the time-frame. It could be decades. It could be centuries.
The future for proprietary software is less simple. Proprietary software appears to be in need of patents. Proprietary software doesn't Publish. Society can't inspect Proprietary implementations. Society can't learn from and extend Proprietary software. And, any Proprietary software infrastructure can vanish in the blink of a vendor's eye. There are good reasons to keep Proprietary Software shackled to the Patent Office.
Miles
I'm not super in-favor of our patent system either. I'm just wondering if you realize what you are saying. "A legislative act disabling every patent granted for the last 20 years" is simply throwing out every patent ever granted. More or less. Keep in mind that patents don't last very long.
I'm allowing the immense scope of the problem to intimidate me.
I read the US Patent Office 2013 budget proposal: www.uspto.gov/about/stratplan/budget/fy13pbr.pdf I didn't believe what it said, so then I read the Patent Office fee structure: http://www.gpo.gov/fdsys/pkg/PLAW-112publ29/content-detail.html (see section 11).
The fee structure is all wrong. When you submit a patent application, you pay a small fee and cause the Patent Office to do a very expensive process. The process is documented on page 58 of the Budget Proposal. The Patent Office only collects more money if it approves the patent.
They discuss this problem on page 37: "..More than half of all patent fee collections are from issue and maintenance fees, which essentially subsidize examination activities."
The fee structure demands that REGARDLESS OF MERIT, the patent office has to approve about 1/3 of all patents submitted to it.
The Budget Proposal repeatedly discusses the problem of improving the quality of approved patents, but none of their proposals will cause businesses to submit better patent applications. Instead, they propose streamlining the evaluation process and hiring more patent examiners. See the Gap Assessment on Page 60.
So, we have this immense machine. It is central to our economy. It can only survive by approving patents. It is currently in pain because it can't approve patents fast enough. It is currently creating about 200,000 patents per year. You have to go to court to find out if a patent is valid, and what it covers. It costs about $20,000,000 to go to court. 200,000 * $20,000,000 = $4,000,000,000,000 (4 Trillion dollars) just in court costs. AND that is just this year's patents.
When I think about giving this kind of money and influence to patent lawyers, I'm scared shitless.
That is why I think it would be better to just disable all existing patents and start over.
Miles
.. I suspect we can ultimately fix almost all our patent problems by returning the patent office to central funding. Funding the patent office from patent fees has got to be our greatest mistake.
I have spent an instructive afternoon reviewing the nature of US Patent Office Funding:
My initial impression that there was a 'greatest funding mistake' is way too optimistic. There is just no bottom to the Patent's office barrel of broken funding bits. But, let me list just a few:
So, we have a monstrous machine for issuing patents. It has to issue patents to stay alive. It is currently in severe pain because it can't issue patents fast enough. We need to 'fix' the situation by issuing patents faster.
Seems like the real fix would be:
Miles
Patents are monopolies. Years ago, they were monopolies of action. Modern software and business method patents are monopolies of action, expression, and speech.
Monopolies are expensive. They damage free markets. They always drive up the cost of goods and services. They are taxes on market places. We have forgotten that patents are monopolies. Somehow the patent lawyers have convinced us that patents are a measure of innovation. This great lie has blinded us to the fact that patents actually measure the decay and destruction of free markets.
The second lie is actually more pernicious, since it blocks our pathway forward. Patents actually belong to society, not the patent holder. Patents are restrictions imposed on EVERYBODY BUT the patent holder. Patents are voluntarily imposed on a society, by that society, for the good of the society. If a patent was the property of the patent holder, it would be worthless, since no patent holder has the ability to enforce a patent. Only society has the ability to enforce a patent.
Since patents belong to society, then they can (and ultimately must) be managed for the good of society.
Once we dispel these 2 grand deceptions, the way forward is fairly clear:
I suspect we can ultimately fix almost all our patent problems by returning the patent office to central funding. Funding the patent office from patent fees has got to be our greatest mistake.
Miles
It's pure paranoia to think that a web (HTTP) crawler is doing something malicious by looking for open HTTP servers. That is like saying that a SMTP crawler looking for open mail relays to add to a blacklist is doing something malicious by scanning networks looking for open SMTP servers.
Well, yah. But:
And, yes, we also react to any other form of external vulnerability analysis, including TCP/25 scanning. It's funny. There is an endless number of hackers willing to find our vulnerabilities, but they almost never give us a chance to fix the problems. It's amazing the number of people trying to make a buck out of our misfortune. Here was a fun one: https://it.wiki.usu.edu/20120101_China_Test
Miles
I have seen Yandex searching wide ranges of IPs for web servers. See: https://it.wiki.usu.edu/20111007_BeEvil You may want to give some thought to blocking the Russian Google-wanna-be Yandex. They may have flipped their 'Evil' bit. In 2012, you should not find public web servers by scanning for TCP/80 and TCP/443. If you want to find public web servers, you spider the web. Or ask Google. If you scan the internet for TCP/80 and TCP/443, you will find private management interfaces. You find printers, routers, switches, control systems, web cams, network attached storage devices, and work-flow services. You will probably find more SCADA devices than actual public web servers. The results of this search are of great interest to the hacking community. It has very limited utility for anybody else. This is not trustworthy internet behavior.
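The distinction drawn above, a crawler following links to known servers versus a scanner walking through address space, is something a defender can check for in connection logs. The following is an added example (not USU's code, and not the Snort rules the poster mentions) that flags any source reaching many distinct destinations on TCP/80 or TCP/443 inside a short window. The log format is constructed and the thresholds are assumptions; the same function works for any set of ports.

```python
"""Detect address sweeps for web servers in connection logs.

Added example; it is not USU's code or the Snort rules mentioned above.
It flags a source that contacts many distinct destination addresses on
TCP/80 or TCP/443 inside a short time window, the pattern of a scanner
walking through address space, as opposed to a crawler that re-fetches
a handful of servers it already knows. The log format is constructed:
"epoch_seconds src_ip dst_ip dst_port", one connection per line.
"""
from collections import Counter, defaultdict

WEB_PORTS = {80, 443}

# Constructed sample: one source sweeps 10.0.0.1-10.0.0.30 on TCP/80 one host
# per second, a crawler re-fetches a single server on TCP/443, and a third
# host talks to a few machines on TCP/22 (not a web port, so ignored here).
SAMPLE_LOG = (
    [f"{1000 + i} 203.0.113.7 10.0.0.{i + 1} 80" for i in range(30)]
    + [f"{1000 + i} 198.51.100.9 10.0.0.5 443" for i in range(30)]
    + [f"{1000 + i} 192.0.2.3 10.0.0.{(i % 3) + 1} 22" for i in range(30)]
)


def parse_connections(lines):
    """Turn log lines into (timestamp, src, dst, dport) tuples, skipping junk."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        records.append((int(ts), src, dst, int(dport)))
    return records


def find_sweepers(records, ports=WEB_PORTS, window=60, min_hosts=20):
    """Return {src_ip: peak_distinct_destinations} for every source that
    reached at least `min_hosts` distinct destinations on `ports` within
    any `window`-second span.  Distinct destinations, not connection
    count, is what separates a sweep from a busy but legitimate client."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport in ports:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # destination -> hits inside the sliding window
        lo = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the window's left edge forward until it spans <= `window` s
            while ts - events[lo][0] > window:
                old_dst = events[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, hosts in find_sweepers(parse_connections(SAMPLE_LOG)).items():
        print(f"{src}: {hosts} distinct web hosts inside one window -> report as scan")
```

On the constructed sample only the sweeping source is reported; the crawler hitting one server thirty times never exceeds one distinct destination, which is the property that keeps false positives down when the output feeds an abuse report.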
"And you will find that, in attempting to impose unreasonable restraints on the reprinting of the works of the dead, you have, to a great extent, annulled those restraints which now prevent men from pillaging and defrauding the living."
This is the modern copyright wars in a nutshell. Copyright can NOT exist in defiance of common sense. It must be reasonable or it will destroy our respect for the law. If we wish to continue as a lawful nation, we must restore reason to copyright.
Reason would look like:
But, when negotiating with a crazy opponent, you can't begin with reason.
Our initial negotiating position must be:
Miles
I remember the Michaelangelo virus. Let's see.. Yep. I still have a copy. I suppose I ought to throw that old box of floppies away. I've still got: Michaelangelo, Stealth, Stoned.. I used to use them to test and calibrate virus checkers. A month before Michaelangelo triggered, we did some sampling and determined that it was on hundreds of University computers. So, a couple dozen of us had a hectic month chasing it down and eliminating it. It was everywhere. President's office. Multiple Deans. Tons of Researchers and Faculty. If we ignored it, then the loss would have been immense. Come March 6th and we only lost 2 computers. We all breathed a big sigh of relief. Next day, the University paper complained that we had over-rated the threat. I told them I had copies of the virus. I would be glad to put it back on their computers and change the date. Didn't get any takers. Security is full of no-win situations. Sometimes, the best you can do is keep them alive to complain.
I am also security @ public .edu. Our approach to security and network monitoring is similar to the parent's. At one point, I made a YouTube video on USU's approach to security monitoring: https://www.youtube.com/watch?v=dQc5FU_jqCk
Basically, we feel that you can't have good thinkers, or great researchers if you tighten the screws too tight.
Miles
Given two equal SSH daemons, both fully updated but one on a random high port, the one listening on 22 will log hundreds or thousands of attempts per day, the one on a random port will log *zero*. Which do you think makes log auditing easier to look for truly dangerous threats?
I can second this. For years I have monitored the SSH activity at my university. Today we had 30K+ active devices and hundreds of SSH servers. I use Snort rules to detect SSH negotiation on non-standard ports. We have NEVER had an attack against a SSH server using a properly obscured SSH port. Of course, we don't depend on obscurity. Here is a snippet from our guide to setting up a SSH server: https://it.wiki.usu.edu/ssh_description
We try to use multiple overlapping security layers to protect SSH:
When we reviewed the SSH activity today, we found 2 compromised systems. One had sprouted an SSH server on port 8080 and had a large community of hackers connecting to it. The other had bot C&C running over an SSH connection to the Netherlands. This review is easy when we don't look at all the crap on TCP/22.
Miles
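The detection described in that post, SSH negotiation on ports other than the expected one, rests on the fact that both ends of an SSH connection send an identification string ("SSH-2.0-...") as their first payload. The following is an added example, not USU's Snort rules, that applies the same check in Python over constructed packet records; the expected-port allow list and the record format are assumptions.

```python
"""Flag SSH version exchanges on ports where SSH is not expected.

Added example; it is not USU's Snort rule set.  It applies the same
idea in plain Python: the SSH identification string (RFC 4253 section
4.2, "SSH-protoversion-softwareversion ...") appears in the first
payload of both sides of a connection, so matching it on any port that
is not in the allow list reveals servers that "sprouted" on 8080 or
clients talking to SSH on 443. Packet records are constructed
tuples: (src_ip, src_port, dst_ip, dst_port, first_payload_bytes).
"""
import re

# Protocol version, then software version up to the first space/CR/LF.
SSH_BANNER = re.compile(rb"^SSH-(2\.0|1\.99|1\.5)-([^ \r\n]{1,250})")

# Ports where this site expects SSH (assumed policy; adjust to yours).
EXPECTED_SSH_PORTS = {22}

# Constructed sample traffic.
SAMPLE_PACKETS = [
    # normal server banner answering on 22: expected, not flagged
    ("10.1.2.9", 22, "10.1.1.5", 51514, b"SSH-2.0-OpenSSH_6.0p1 Debian-4\r\n"),
    # an SSH server that appeared on 8080, banner going back to its client
    ("10.1.2.40", 8080, "172.16.0.2", 40221, b"SSH-2.0-dropbear_0.52\r\n"),
    # an internal host sending an SSH client banner to an outside 443
    ("10.1.3.7", 39211, "198.51.100.20", 443, b"SSH-2.0-OpenSSH_5.3\r\n"),
    # ordinary HTTP on 8080: no banner, not flagged
    ("10.1.4.4", 50000, "10.1.2.40", 8080, b"GET / HTTP/1.1\r\nHost: x\r\n"),
]


def parse_ssh_banner(payload):
    """Return (protoversion, softwareversion) if payload starts with an SSH
    identification string, else None."""
    m = SSH_BANNER.match(payload)
    if not m:
        return None
    return m.group(1).decode("ascii"), m.group(2).decode("ascii", "replace")


def find_unexpected_ssh(packets, allowed_ports=EXPECTED_SSH_PORTS):
    """Return one tuple per packet carrying an SSH banner where neither
    endpoint port is in allowed_ports: (src, sport, dst, dport, proto, software).
    Either end may send the banner, so both ports are checked."""
    hits = []
    for src, sport, dst, dport, payload in packets:
        banner = parse_ssh_banner(payload)
        if banner is None:
            continue
        if sport in allowed_ports or dport in allowed_ports:
            continue
        proto, software = banner
        hits.append((src, sport, dst, dport, proto, software))
    return hits


if __name__ == "__main__":
    for src, sport, dst, dport, proto, sw in find_unexpected_ssh(SAMPLE_PACKETS):
        print(f"SSH-{proto} ({sw}) {src}:{sport} -> {dst}:{dport}: review this connection")
```

The software version captured from the banner is what makes the follow-up cheap: a dropbear banner on a host that should be running OpenSSH, or any SSH banner leaving the campus towards port 443, is worth a look regardless of which side sent it.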
I need an app that will help me track abusive policemen.
At this point, it seems like there is a much greater need to track abusive policemen than sex offenders. After all, if a sex offender causes problems, you call the police and they get put away. But if you are abused by a policeman, then calling the police just gets you more abuse.
I have a much greater need to track Tony Boloney http://www.addictinginfo.org/2011/10/19/tony-bologna-with-a-side-of-pepper-spray-docked-10-vacation-days-videos/ than some random kink.
Abusive police we have with us always. We can't get rid of them. Our only defense is to track them and keep our distance.
Miles
Security DESPERATELY needs meaningful metrics. Infection rates would be a good start.
I did some thinking on this a year ago: https://it.wiki.usu.edu/SecurityPerformanceMetric
Comprehensive IT Epidemiology could provide us with meaningful ways to compare various approaches to security.
The problem is, nobody wants to share. It's too embarrassing.
Maybe if I start?
I do IT security for USU. From March 2009 to March 2010 some of our Infection rates were:
* Conficker: 15/12677 = .00118 or about 12/10K per year. 1/10K per month.
* Torpig: 20/12677 = .00158 or about 16/10K per year. 1.3/10K per month.
* Mebroot: 5/12677 = .00039 or about 4/10K per year. .33/10K per month.
Now, if only I could get stats from other institutions, and compare their security measures.
It would be heavenly to be able to perform meaningful evaluations on the effectiveness of our various security measures.
Miles
What about MY Pride? MY Respect?
I thought Utah had a great year. Our wacky legislature tried their best, but not one of our efforts made the cut: http://www.dumblaws.com/laws/united-states
Well, I guess all we can do is cut educational funding some more and wait till next year.
Miles
I just find it a bit hypocritical to say voluntary when they intend to use force.
We have a mess. The right laws may help, but, the wrong ones will make it a lot worse.
Personally, I think the government's best contribution would be to provide central coordination. Here's two examples:
1) They could provide a central clearinghouse for attack information. My institution is attacked hundreds of times a day. Thousands if you count the Confickers. Every day we collect lists of attacking computers. Just by ourselves, we could eliminate much of the internet's attacking bots, if we could get anybody to listen to us. The government could help in several ways. Once we proved ourselves, they could vouch for us. They could provide a central repository for this info so anybody could check to see if they are a bot. They could pass credible info back to the owners.
2) Security NEEDS Metrics: https://it.wiki.usu.edu/SecurityPerformanceMetric Bot Epidemiology can provide us with useful measurements that demonstrate the actual effectiveness of a security regime. But nobody is publishing the info. And, everybody who is currently measuring seems to have their own agendas. We need a cybersecurity CDC. Maybe a CSCBC. A central, accurate source of historical infection rates. Searchable by CIDR.
Miles
Interesting definition of voluntary. Once you wade through 22 pages of fluff, you find (in the middle of the page numbered 12):
"These voluntary codes of conduct, developed through multi-stakeholder processes.. Once these codes have been developed to and companies have committed to follow them, relevant law enforcement agencies, such as Federal Trade Commission (FTC) and State Attorneys General, could enforce them, .."
[Next page]
"The FTC's role in challenging both deceptive and unfair acts or practices in the data security area is vital so that companies' voluntary efforts to implement specific cybersecurity best practices are backed by a legal obligation to implement reasonable and appropriate security."
So, you volunteer to obey whatever laws are implemented. Hmm. That sounds like my dad's description of life in the military.
I think the Commerce department wants more laws regulating the internet. But, they want the appearance of accepting input.
Miles
I do security for a mid-sized university.
You shouldn't trust my opinion any more than you should trust this guy's opinion. What good is security if you can't make up your own mind?
That's the fundamental problem with secrecy. You can't have security if you can't do meaningful evaluations. Secrecy blinds evaluation. Secrecy isolates security from its community.
Is the US so dependent on secrecy that we must sacrifice security to have secrecy?
Miles
HoneyPots can be an important layer. But you need the other layers. We use the following layers to protect SSH (https://it.wiki.usu.edu/ssh_description )
1.) The firewall limits the vulnerable scope of SSH to a few trusted hosts.
2.) The firewall can also be used to prevent credential guessing by rate-limiting connections to the SSH port.
3.) The SSH Port is treated as a shared secret. Only interesting, targeted attacks find the SSH server.
4.) The SSH server should not allow known usernames including root. The attacker must find a username.
5.) The admin is trained to create good passwords for his usernames.
6.) SSH users are taught to verify the identity of their systems when they first connect.
7.) System admins must regularly review the activity of their SSH servers.
8) Security monitors all SSH connections, including ones on non-standard ports. We follow up on connections that seem interesting.
9.) USU has SSH HoneyPots that help us respond to SSH attack.
SSH HoneyPots give us several benefits:
1) They make it easy to automate blocking SSH attackers, with virtually no chance of false positives. Some patterns of attack are designed to bypass Fail2ban, but the HoneyPots have no problem handling them.
2) We notify remote ISPs (and remote managers) that they have attacking systems. This is surprisingly effective. When we started (6 years ago) less than 1 notify in 8 seemed to have any effect. Now about 1/2 of the notifications seem to have an effect. And remember, virtually every one of those attacking computers belongs to an innocent victim. Notification helps them, and it improves the overall security of the internet. We have also confirmed that notifications drive away some attackers.
3) We collect and analyze guessed credentials.
- If they meet our complexity requirements, they are added to our central black-list.
- Patterns of credentials reveal patterns of attack and patterns of attackers. It's a Heisenberg thing. An attacker both changes the target, and reveals information about himself. Password guessing reveals a lot of information. Virtually every attack has been a unique combination of credentials. You can do cluster analysis against the combinations. You can find relationships between attacks and IPs. You can track how these relationships change over time. You can correlate this information with your other intelligence. The FBI came to us and asked about some attacking IPs. Almost all of them had hit our SSH HoneyPots. We were able to pass all this intelligence back to them.
Our SSH Honeypots (and several other SSH servers) now have the following banner:
---
USU tracks internet abuse. We have SSH honeypots that automate
the process of detection, notification, and blocking. These
honeypots also collect credentials and analyze them.
If this system is a honeypot, your access will be reported as abuse.
Your credentials will be logged. Your IP address will be blocked.
If you believe that your access has been misidentified as abuse,
please contact USU IT Security at security@usu.edu or 435-797-1804.
---
Miles
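The credential handling and cluster analysis described in the post above, as an added example that is not USU's code: it assumes a constructed "ip user password" log format, a hypothetical complexity policy (8 characters, three of four character classes), and groups source IPs by the overlap of their guessed credential combinations.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample honeypot auth attempts, one "src_ip user password" per
# line (assumed format; the post does not give USU's log layout).
SAMPLE_LOG = """\
203.0.113.5 root 123456
203.0.113.5 root password
203.0.113.5 admin Admin!2012
198.51.100.7 root 123456
198.51.100.7 root password
198.51.100.7 admin Admin!2012
192.0.2.9 oracle Or4cle$DB
192.0.2.9 postgres postgres
"""

def parse_attempts(text):
    """Return (ip, user, password) tuples from well-formed lines only."""
    return [tuple(l.split(" ")) for l in text.splitlines() if l.count(" ") == 2]

def meets_complexity(pw, min_len=8):
    """Assumed policy: at least 8 chars and three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    hits = sum(1 for c in classes if re.search(c, pw))
    return len(pw) >= min_len and hits >= 3

def blacklist_candidates(attempts):
    """Guessed passwords that pass policy are the ones worth adding to a black-list."""
    return sorted({pw for _, _, pw in attempts if meets_complexity(pw)})

def cluster_ips(attempts, threshold=0.5):
    """Union IPs whose guessed credential sets overlap (Jaccard >= threshold)."""
    sets = defaultdict(set)
    for ip, user, pw in attempts:
        sets[ip].add((user, pw))
    parent = {ip: ip for ip in sets}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(sets, 2):
        jaccard = len(sets[a] & sets[b]) / len(sets[a] | sets[b])
        if jaccard >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for ip in sets:
        groups[find(ip)].add(ip)
    return sorted(sorted(g) for g in groups.values())
```

Two sources that guess the same credential combination end up in one cluster, which is the relationship between attacks and IPs the post describes tracking over time.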
I went through a similar process. You will only survive if you work hard.
Start looking at packets now. You must eat, sleep, and breathe packets to survive. Use Wireshark and TCPDump. Don't let anybody abstract away any of the layers. You have to understand every network layer from 1 to 4 before you can begin. You have to be able to think like a packet.
Physically touch and diagram every piece of network equipment. You must be able to draw a map of your network from memory. DRAW the map, verify its accuracy and keep it in a safe place. When something goes wrong, you will forget everything and that map will become very important to you.
You can have reliability or complexity. You can't have both. Educate yourself, then educate your boss. Make sure he understands that any complexity will reduce reliability. If you can't agree on the level of reliability and complexity, find another job.
Don't believe salesmen. Cisco sales are the worst. They will destroy you in a minute if it means a sale. Divide all Cisco performance figures by 3 to get YOUR performance. At your size, you should be able to mostly avoid Cisco. Avoid them as much as possible. If your network design is simple, HP and Foundry (now Brocade) switches will consistently outperform Cisco, dollar for dollar.
Don't believe vendor performance figures. Evaluate equipment based on your own measurements.
READ THE BUGFIXES for the current and previous versions of your firmware. There are always more bugs. Future bugs will tend to occur in the same feature sets that gave rise to previous bugs.
Wait till you have a year or two of experience before tackling the following feature sets:
1) Redundancy. Redundancy is Cisco slang for: "I sold unnecessary equipment to a gullible customer." Redundancy is hard. In spite of everything you have heard, redundancy virtually always reduces reliability. Simple network designs, based on simple equipment will almost always be more reliable than redundant ones. Don't experiment with redundancy until you completely understand your network. Then only deploy redundancy after extensive testing.
2) VLANs. VLANs are a simple idea that enable you to create limitless complexity. Once you start, you will not stop until you have created a network that you can not understand or debug.
3) Multicast. You are not a true network person until you loathe and despise multicast. Wait till you fully understand why you hate multicast before you depend on it.
Surprisingly, you should not hesitate to play with IPv6 (in a non-production environment of course). Nobody else understands all the implications of IPv6. It is one of the few areas where you will not be at a disadvantage :)
Miles
We dumped our Cisco gear years ago after attending a presentation on OpenBGP (in which the presenter talked about routing his Internet2 connection with a P4) and we haven't looked back since. And the equivalent Cisco machines for our border routers cost an order of magnitude more.
My institution also dumped Cisco. It is USU - Utah's land-grant university. (We have about 30K students/faculty/staff and about 200 buildings.) Our experience has been very positive.
Years ago, we did a cost analysis and decided that Cisco didn't make financial sense. We could do everything we needed with cheaper, commodity devices.
So, for the next couple years, all upgrades/replacements were to simpler structures. To non-proprietary protocols. And to non-Cisco equipment. We have been Cisco-Free for about 7 years.
Our network is about 1/3 the price of equivalent Cisco provisioned equipment. We have substantially fewer outages than our peers with Cisco equipment. We have a faster, more reliable network than our peers. And security seems to be increased as well.
Of course, a lot of that is due to simpler, more robust network designs. But, I blame that on Cisco as well. Cisco architecture always prefers proprietary complexity over robust simplicity. The Cisco approach to device failure is either replace with a more expensive and complex device, or implement complex redundancy.
The hardest part was beating off the attacks from Cisco Sales. These attacks were vicious. They lied (even more than usual for Cisco sales droids.) They tried their best to discredit us. First they approached the head of IT. Then the VP for Business. Then the president.
Finally, they went to the Board of Regents. They said we were incompetent. They said our actions were endangering the future of our institution. Amazingly, the Regents looked at our documentation and backed us.
It only happened because we carefully documented our actual needs, and upper management was willing to trust us. I get the impression that most management would fold under the pressure we saw.
I wonder if it's time to do the same analysis for Oracle. They are smelling ripe. Oracle appears to believe that they own us. Lately, they have gone from asking what we need, to telling us what we will do. Their current pricing is not based on competition, but on our ability to pay. The more they believe they control us, the more they will charge. Eliminating Oracle will be hard, but not as hard as Cisco was. And, we may have the necessary talent to pull it off.
Miles
China is behind this one too.
Prior Chinese attacks against US governments, corporations and infrastructure have been covered up or downplayed. The US government doesn't want to offend the Chinese. The US Corporations don't want to lose the Chinese markets. There is a little talk now and then, but it is regarded as isolated incidents. Even Google's loud public protests and the later WikiLeaks disclosures keep being downplayed as unimportant past history.
At my institution, the attacks have been unending. A week-long break around the 20th Anniversary of the Student Uprising and then again during the Olympics.
If RSA (with the government's help) determines that China is responsible, then we will probably have to wait for another whistleblower to find out. The likely response in that event will be to cover it up again.
I suspect that the Chinese have a bit of a conundrum. They have created a monster. Thousands of people trained to attack IT infrastructure. Even if they wanted to stop, you can't just lay them off. They need to eat. They have a marketable skill. They are going to attack something. Maybe the Chinese could get away with killing them all. But if the choice is continuing to attack the West or destroying their valuable tool, it's going to take a LOT to want to destroy their attack capability.
I used to worry how we would deal with all the US torturers created during the glory days of Gitmo. But that problem will be a piece of cake compared to the problems we will face if we follow the example of the Chinese. Disposing of nukes will be easy compared to disposing of intelligent, talented, skilled destroyers of IT.
Miles