In practice, we haven't seen a ballot initiative in years. In the last decade, we have seen a constant stream of state legislation tightening the restrictions on ballot initiatives.
I believe that the Utah legislature is attempting to avoid a repeat of the 2000 Civil Forfeiture Initiative. In 2000, Utah voters voted overwhelmingly for an initiative that placed common-sense limits on Civil Forfeiture. The most important reform required that income from seized assets be delivered to the School funds. It took the Legislature 4 years to repeal it and return Utah to the business of Policing for Profit: http://www.instituteforjustice.org/index.php?option=com_content&task=view&id=3289&Itemid=165
In recent years, attempts to achieve ethics reform by Utah ballot initiative have been blocked by the many hurdles imposed by current law. They include:
1) You have to get more signatures than 10% of the vote cast for Governor IN 26 of the 29 counties. Miss that total in one county, and you are blocked.
2) You have 1 year to collect signatures. If your 10% in 26 counties is not certified by the end of the year, you have to start over.
3) You are blocked if the Lieutenant Governor thinks your initiative is patently unconstitutional; nonsensical; or if he determines that the Initiative contains more than one subject.
So, years since we have seen a ballot initiative. Don't expect to see another one in my lifetime.
My crystal ball, my Magic 8-ball, and my Steve Jackson Tarot deck all agree that the USA has deliberately shackled innovation for the last 10 years. I don't know why. But the signs are unmistakable, even for those who can't sense the aether.
There was no question what would happen when the US Patent Office was changed to fee based financing. The flood of junk patents, and their suppressing effects on innovation are a surprise to no-one. In the intervening years, there has been ample opportunity to revert.
Similarly, for years we have encouraged monopolies and cartels that we know will suppress innovation.
The demotivating effect of the H1B Visa program can't be a surprise to anybody. Chaining the technological elite into lives of indentured servitude has always suppressed innovation.
So, the current course of technological stagnation is a deliberate choice.
The US won't change pathways until we unmake this choice.
That sounds like a great idea, with one exception: risk of false positives.
We have been doing this for years. The process is fairly mature. So, of course there is more to it than I mentioned in the first message. We have gotten pretty good at telling the difference between compromise and false positives. But, we still get false positives. We had some last week.
We have a process for dealing with false positives. When they happen, we immediately re-instate access. If we have collected a fee, we immediately refund the fee. We contact the owner and apologize. We invite them over to our offices to inspect our processes and offer advice on how we can do better. We share the details of the false positive among the security group. We make sure that this form of false positive doesn't happen again.
Is there an appeal process, or similar?
We have an appeal process. We recognize that activities that look like compromise may be perfectly legit if you are testing your own equipment. We encourage researchers to run honey-pots, they just need to tell us about it. When the compromise is interesting, we offer to waive the fee, if the owner will let us do forensics on the system. We don't charge the fee if the owner can offer a scrap of proof that they had taken effective steps to mitigate the problem prior to our intervention.
We also have an escalated form of incident response for when the system is particularly important or sensitive. Most people prefer to just pay the $25 and not have to do the forensics, analysis, and meetings that are required by the elevated incident response.
Alternatively, do you let people know even slightly prior to disconnecting them? Disconnect first and ask questions (or rather, charge money) later might be a good approach in some situations, but I can't imagine the typical university infection event is one of those.
Once we have determined compromise, we immediately start incident response. That includes suspending the network access. Frequently, their first indication of a problem is when we call/email them and tell them that we have suspended their network access.
Compromise always gets worse, the longer it lasts. Malware aggregates. More info gets exposed. It is always best to act quickly.
The hardest part of this whole process was ensuring that every computer has a listed owner with up-to-date contact info.
For that matter, how do you disconnect people?
We have a variety of tools available. We use the ones that are appropriate for the situation:
If the compromise is idle and the computer is doing DHCP, we alter the DHCP response so all web browsing results in a "You are compromised! Call the ServiceDesk!" response. If the computer is hard-coding an IP, or attacking external IPs, we also null-route its IP. If it's an autonomous bot that is attacking locally, we also turn off wall-jacks and suspend its wireless access.
All of these administrative actions can be overcome, but getting around them is a pain. Some people take a couple weeks, but they always realize that it is easier to resolve the compromise than to try to get around the blocks.
The net effect has been positive for the university community. They complain about the reconnect fee, but they are glad to be treated as IT equals. They understand that they are responsible for making sure that their systems are secure. We feel we have better security from our entire community as a result.
My university does a lot of space research. We have put up a fair number of shuttle payloads. WISE (http://www.sdl.usu.edu/news/press/2009/dec14-wise-launch ) was one of ours. We also do a bunch of biotech research. We draw a LOT of attention from the Chinese. Lately we have also drawn a fair amount of attention from take-the-money-and-run hackers. So far, we have survived. We think having an engaged community really helps.
Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug.
IN A TIMELY MANNER.
You forgot the bit that's at the core of the disclosure debate. Virtually everybody in the security industry agrees on the principles of disclosure. All the flames are over the timing.
In one corner, we have Microsoft. They appear to believe in full disclosure, once the disclosure will have no adverse effects on stock price or profitability.
In another corner, we have a tiny handful of scum sucking, mercenary security researchers who believe that disclosure will happen just as soon as they get paid. And the terms of that disclosure will be whatever the purchaser wants.
In the other corners, and carpeting the entire floor, are all the rest of the security community. They believe that full disclosure must happen in a time-frame that minimizes damage to the user community. They just can't agree on when that might be.
This lack of a consensus has made it easy for Microsoft to define the current terms of disclosure. The result has been suppression of disclosure for longer and longer periods. The inevitable consequence is more and more '0' day exploits.
"World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years."
To demonstrate this issue they enumerated the history of MS08-031:
For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches of auditing and finding the same vulnerability.
What goes unstated is while 3 'responsible' researchers disclosed to Microsoft and waited and waited, unknown numbers of hackers also discovered the vulnerabilities and exploited them.
Just this week, a dozen well managed, fully patched, WinXP (with .NET installed) computers at my institution were compromised by clicking on a major news site (http://www.ksl.com/index.php?nid=148&sid=9814436).
Microsoft would have us believe that this is acceptable. But really, would immediate, full disclosure be any worse?
Maybe the route some universities have taken of fines and downtime for those caught spreading malware or spam, knowingly or not, is what we need.
I do IT security for one of those universities. Our IT is extremely decentralized. There are some central services. The network is managed centrally. But the majority of the computers are managed by individuals, departments, and colleges in whatever way they see best.
We charge a reconnect fee as part of our standard network security incident response. When we determine that a system is compromised, we disconnect it, and notify the owner. We reconnect it as soon as the owner pays the reconnect fee. The fee is $25 for the first reconnect and $50 for each reconnect after the first time. The fee is not kept by Security. It is transferred to the university Service desk.
It may sound silly, but we can demonstrate that the reconnect fee is our single, most effective security measure. We have detailed data on detected compromise for years before and after the beginning of the reconnect fee. When we started imposing the reconnect fee, our rate of detected compromise dropped to 1/10th the prior level. We believe that prior to the reconnect fee, people really felt that there was no reason to worry about compromise.
In the years that we have been doing this, it has always amazed me that such a small irritation can lead to so much behavioral change.
Charging the entire university for each compromise would not have the same effect. By charging the university entity that owns the compromised computer, we change that entity's behavior. Even when we are effectively moving money from 1 pocket to another. The reconnect fee is always an unanticipated expense. The reconnect fee is always an irritant. In effect, we have created an institutional pain response to compromise. We can tell it is still working, because the university's community is still complaining about it. Once they stop complaining, we may have to up the fee.
I imagine most of us are saying: "Not a problem. I don't have anything China wants."
I wish. This is what hacking looks like now. If you haven't noticed, you haven't been paying attention.
We asked ourselves, which 10 computers would cause us the greatest loss if they were compromised. When we took a hard look at their network traffic, we found an otherwise undetectable compromise. It appears to have been in place for at least 3 months. Just patiently listening and waiting.
You may want to try the same exercise.
Organized crime has demonstrated (http://www.ren-isac.net/alerts/banking-attacks_technical_201001.html) that patient, disciplined attacks yield great monetary rewards.
The Chinese have demonstrated that patient, disciplined attacks are virtually unstoppable.
What more could any hacker want?
The most fragile secret is a successful economic model. Once it gets out, EVERYBODY copies it.
Learn how to defend yourself if you want to survive.
Bottom line is, the attacker doesn't need to get back to the passwords by cracking the hashes. The attacker can just directly use the hashes.
Being targeted by these guys is like standing in the middle of a crowd of pick-pockets. No matter what you do, they are going to get stuff. You are lucky to get out with your teeth.
I wish I could attribute the saying, but here is how I've heard it said: If your law requires a police state to enforce, then your law is a bad law.
The very fact that these meetings were held in secret was a dead giveaway that nothing in our interests is going on in there.
Whoever is doing this is focused on an immediate benefit. This is short-sighted thinking at its finest. Open processes and democracy work because it directly benefits the law makers. When there is a bad/unpopular law, the guilt and blame gets spread around. It is pointless to kill the lawmakers, because they are everybody.
But, closed processes and secret lawmaking have an entirely different economy. It is obvious who to blame. Just get the list of people participating in the secret process. It is also obvious how to rectify that situation. And, in one or two quick steps we are back to the politics of the great merchant houses. The lawmakers end up being so unpopular that they can't go out or taste untested food. They lose almost as much freedom as the people they are enslaving.
It's not hard to see the big picture. It's obvious the end result is bad for everybody. What kind of short-term payoff could be so tempting?
That brief was a fun read. And very accessible. Everybody should have a look.
I have to wonder though, if it is good strategy to call the judge an idiot in such clear and ringing tones. What is the end goal? Are they trying to get the judge to do something stupid, so it will be easier to overturn later?
Don't laugh, I swear Microsoft used this tactic during their big antitrust case.
I do IT Security for a university. One of my projects is to do some rudimentary traffic analysis of our SSH sessions.
I look for the negotiation between SSH server and client and log connections. Since the negotiation is port independent, I can log the start of SSH sessions, no matter what port they are on. This allows me to:
1) Notice if important systems have sprung a new SSH backdoor.
2) Notice if important systems are SSH'ing out to weird places.
3) Check with local sys-admins and say things like: 'Looks like the Chinese have found your supersecret SSH port. Again. You have proved that TCP/222 and TCP/2222 are not good choices. Maybe this time you want to borrow my HexDice?'
Anywho, my rudimentary traffic analysis can be defeated if you change the SSH negotiation. It can be hindered if you just leave the connections running for days at a time.
So, if you want to annoy people like me, you may want to leave the connections up.
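The port-independent SSH logging described above, as an added example rather than the commenter's own tool. It assumes connection records that already carry the first bytes sent in each direction (the record layout, the local network, the "important hosts" and the allowed destinations are all constructed), and it keys on the RFC 4253 identification string, which is exactly why a changed negotiation defeats it.

```python
"""Log SSH sessions on any port by recognising the SSH identification string.

Added example; not the commenter's tooling. Flow records are assumed to carry
the first payload bytes from each side (as a capture tool could export them).
"""
import ipaddress
import re
from collections import namedtuple

# RFC 4253 section 4.2: each side opens with "SSH-protoversion-softwareversion".
# softwareversion is printable ASCII with no whitespace and no '-'.
SSH_ID = re.compile(rb"^SSH-(?:2\.0|1\.99|1\.[0-9])-[\x21-\x2c\x2e-\x7e]+")

Flow = namedtuple("Flow", "ts src sport dst dport client_bytes server_bytes")

# Constructed site description (assumptions, not real addresses).
LOCAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]
IMPORTANT_HOSTS = {"10.1.2.10", "10.1.2.11"}
KNOWN_LISTENERS = {("10.1.2.10", 22), ("10.1.2.11", 22)}
ALLOWED_OUTBOUND = {"192.0.2.50"}  # e.g. an off-site backup target we expect

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("08:00:01", "10.1.2.3", 51000, "10.1.2.10", 22,
         b"SSH-2.0-OpenSSH_5.3\r\n", b"SSH-2.0-OpenSSH_5.3\r\n"),
    # Inbound SSH to a "secret" port on an important host nobody told us about.
    Flow("08:02:17", "203.0.113.7", 40001, "10.1.2.10", 2222,
         b"SSH-2.0-libssh-0.1\r\n", b"SSH-2.0-OpenSSH_5.3\r\n"),
    # Important host opening SSH to an outside box on TCP/443.
    Flow("08:05:40", "10.1.2.11", 45000, "198.51.100.9", 443,
         b"SSH-2.0-PuTTY_Release_0.60\r\n", b"SSH-2.0-dropbear_0.52\r\n"),
    Flow("08:06:02", "10.1.2.11", 45001, "192.0.2.50", 22,
         b"SSH-2.0-OpenSSH_5.3\r\n", b"SSH-2.0-OpenSSH_5.3\r\n"),
    # Plain HTTP, must not be logged as SSH.
    Flow("08:07:30", "10.1.2.3", 51001, "10.1.2.10", 8080,
         b"GET / HTTP/1.1\r\nHost: 10.1.2.10\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    # SSH client pointed at a web server: only one side speaks SSH, ignored.
    Flow("08:08:00", "10.1.2.3", 51002, "10.1.2.10", 22,
         b"SSH-2.0-OpenSSH_5.3\r\n", b"HTTP/1.1 400 Bad Request\r\n"),
]


def is_ssh(flow):
    """True when BOTH ends begin with an SSH identification string, on any port."""
    return bool(SSH_ID.match(flow.client_bytes)) and bool(SSH_ID.match(flow.server_bytes))


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def ssh_sessions(flows):
    return [f for f in flows if is_ssh(f)]


def new_listeners(sessions):
    """(host, port) pairs where an important host accepted SSH on an unrecorded port."""
    found = {(f.dst, f.dport) for f in sessions
             if f.dst in IMPORTANT_HOSTS and (f.dst, f.dport) not in KNOWN_LISTENERS}
    return sorted(found)


def odd_outbound(sessions):
    """Important hosts opening SSH to off-campus destinations we did not expect."""
    found = {(f.src, f.dst, f.dport) for f in sessions
             if f.src in IMPORTANT_HOSTS and not is_local(f.dst)
             and f.dst not in ALLOWED_OUTBOUND}
    return sorted(found)


def report(flows):
    """Session log lines followed by the two alert classes."""
    sessions = ssh_sessions(flows)
    lines = [f"{f.ts} SSH {f.src}:{f.sport} -> {f.dst}:{f.dport}" for f in sessions]
    lines += [f"ALERT new SSH listener {h}:{p}" for h, p in new_listeners(sessions)]
    lines += [f"ALERT unexpected outbound SSH {a} -> {b}:{p}"
              for a, b, p in odd_outbound(sessions)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FLOWS)))
```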
Then, I would say somebody with a large botnet is doing reconnaissance on you.
I'm sure you have incoming port 137 blocked. So that traffic is outgoing. I expect that will be your Windows hosts responding to their probes.
They are probably attempting to find your end-hosts and your switching infrastructure.
Your clients shouldn't respond to the probes. If they are, make them stop. Your servers probably have to respond. If you have not already, you should make very sure that your switching infrastructure can't bleed packets to the outside world. Yah, I know, people tell you to send out 'fragmentation needed' but, you might have to choose between big packets and survival. Be nice if you only need to bleed 'Fragmentation needed' to a few specific external hosts and could discard it (and everything else from your switching infrastructure.)
One way you can mess with their heads (assuming they care about your switching infrastructure) is to modify your border to discard any packet with a low hop-count. The apparent radius of the internet is currently a little over 16 hops. Nothing legit (except traceroute) generates packets with less than a 32 TTL. So, you can arbitrarily discard any packet at your border with a TTL of 8 to 12.
It messes up your ability to trouble-shoot your network from the outside using traceroute but if the choice is that or survival...
I've never been mapped by anything that big. We would see it in our darknet (non-allocated IP) sensors. Lucky you. Brace for impact.
I expect they will get to my institution eventually.
We've seen an explosion in hacker activity in the last week. All kinds of crap. The most unsettling is a series of compromises that carefully scan a locally attached /24 for 139, 445, 3389, 5900, 8080, 40080. C&C appears to be innocuous accesses to local Akamai hosts. Almost impossible to spot.
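A way to surface the quiet local /24 sweep described above from flow logs, added here as an example and not the commenter's own code. The log line format, the addresses and the fan-out threshold are constructed assumptions; the watched ports are the ones named in the comment.

```python
"""Spot a host quietly sweeping its own /24 on a handful of service ports.

Added example; not the commenter's tooling. Reads constructed flow-log lines of
the form "<date> <time> <src>:<sport> -> <dst>:<dport> <tcpflag>"; a real
deployment would feed it NetFlow/sFlow or firewall connection logs instead.
"""
import ipaddress
import re
from collections import defaultdict

# The service ports the commenter saw being swept inside the local /24.
WATCHED_PORTS = {139, 445, 3389, 5900, 8080, 40080}
# Assumption: an ordinary client rarely opens these ports to this many neighbours.
MIN_DISTINCT_HOSTS = 8

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "flags": m["flags"]}


def same_slash24(a, b):
    """True when two IPv4 addresses share the same /24."""
    return (ipaddress.ip_network(f"{a}/24", strict=False)
            == ipaddress.ip_network(f"{b}/24", strict=False))


def find_local_scanners(lines, min_hosts=MIN_DISTINCT_HOSTS):
    """Map each suspicious source to how many neighbours and which ports it probed.

    Only SYNs count: the probes are connection attempts, and counting replies or
    established traffic would make a busy file server look like a scanner.
    The sweep is slow, so aggregate over hours or days, not minutes.
    """
    probes = defaultdict(lambda: {"hosts": set(), "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["flags"] != "SYN":
            continue
        if rec["dport"] in WATCHED_PORTS and same_slash24(rec["src"], rec["dst"]):
            probes[rec["src"]]["hosts"].add(rec["dst"])
            probes[rec["src"]]["ports"].add(rec["dport"])
    return {src: {"hosts": len(p["hosts"]), "ports": sorted(p["ports"])}
            for src, p in probes.items() if len(p["hosts"]) >= min_hosts}


def build_sample_log():
    """Constructed log: one slow sweep buried in ordinary department traffic."""
    log = []
    # Ordinary users: one file server, one proxy, many repeats to the same host.
    for i in range(30):
        log.append(f"2010-03-03 09:{i:02d}:10 10.1.2.5:5{i:04d} -> 10.1.2.10:445 SYN")
        log.append(f"2010-03-03 09:{i:02d}:12 10.1.2.7:5{i:04d} -> 10.1.2.20:8080 SYN")
    # Admin RDP into another subnet: different /24, so not a local sweep.
    log.append("2010-03-03 09:31:00 10.1.2.9:51000 -> 10.1.3.40:3389 SYN")
    # A reply from the file server is not a connection attempt.
    log.append("2010-03-03 09:31:01 10.1.2.10:445 -> 10.1.2.5:50001 ACK")
    # The sweep: one host touching 20 neighbours on 445 and 3389 over the day.
    for i in range(20):
        log.append(f"2010-03-03 1{i % 10}:{i:02d}:00 10.1.2.66:4{i:04d} -> 10.1.2.{100 + i}:445 SYN")
        log.append(f"2010-03-03 1{i % 10}:{i:02d}:30 10.1.2.66:4{i:04d} -> 10.1.2.{100 + i}:3389 SYN")
    log.append("garbage line the parser must skip")
    return log


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, info in find_local_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {info['hosts']} neighbours on ports {info['ports']}")
```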
Nice visualization. Wonder if there is some way to do it in real time.
I've done networking and security for a university for the last 10 years. I can guess what this kind of activity would be if it was at my institution. Basically, there are several reasons why every country in the world will suddenly talk to us. They include P2P/Gnutella's, P2P/Swarmcasting, Bittorrent, Skype, P2P-poisoning, P2P-misdirection, and hacker/bot activity.
When we have pulses like you are observing, it is usually BitTorrent.
The Gnutella P2P variants don't usually have that many peers. And, they tend to last for several hours or days.
The various Swarmcasting P2P variants look very similar to BitTorrent, but again, the users tend to leave them running for hours or days.
A popular Torrent makes connections to hundreds of locations at once, and usually the local user shuts down in minutes (or an hour) when they get their file.
Skype won't be narrow bands. It will be every country in the world talking to you all the time. We have had computers promote themselves up the Skype infrastructure until they are constantly talking to over 600K peers. Of course, it is more normal to see a Skype node talking to 10K to 20K peers, but still Skype won't be bands. Skype raises the floor for the entire graph.
P2P-poisoning would closely match your bands. For several years we observed pulses where every member of a large P2P cloud would attempt to talk to a non-existing IP at our institution. Eventually, we realized that somebody was attempting to render the P2P cloud non-functional by poisoning the P2P community with info on non-existing peers. Of course, since this is a Denial of Service (DoS) attack, this is technically illegal, but we saw it happening for years. But, it appeared to stop a couple years ago (about the time Obama replaced Bush) and we haven't seen any evidence of it lately.
P2P-misdirection is where a cloud will attempt to confuse traffic analysis by throwing out random connections/packets to random IPs. Typically, this misdirection happens all the time, and not in bursts/bands.
Bot attack activity doesn't match your patterns either. We observe several types. None would look like your bands:
- The spoofed attacks will look like every one of your IPs getting acks from a few remote IPs.
- The mapping activity will look like a representative sample of your IPs getting traffic from a few dozen IPs.
- An incoming DoS would have a few of your IPs get (spoofed) traffic from everywhere, but it would be sustained.
- Portscans will only involve a handful of remote IPs.
- The Tag-team SSH password guessing is close. During the last week, we observed about 3000 sources located all over. But, it happens all the time (in the aggregate), not in bursts. And the sources this week are concentrated in Italy, Poland, Eastern Europe, Colombia, and Brazil. They aren't really all over the world.
So, I'm guessing it is BitTorrent. But, your situation may be way different from mine.
Your perspective is too short term. If some office of the government is attempting to control the limits of action of the MPAA, the MPAA's next step is to achieve control of that office. It's called Bureaucratic Capture ( http://www.chiark.greenend.org.uk/pipermail/ukcrypto/1998-March/040535.html ) and it's the best possible outcome from the point of view of the MPAA.
Continually asking for the same thing is one of the first steps. Eventually the MPAA will get everything they want and much more. The process is slow, but almost inevitable.
Many groups fault civil libertarians for being inflexible. But, in these conflicts and on long timescales, you have to be inflexible on defense and relentless on offense. It's like fighting with a one-way ratchet. Once you go on defense, you always lose ground. You have to refuse to yield until you can get back on offense.
> I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs.
There is probably more than 1 thing going on here.
The machines are probably hacked. If they are, they will have some kind of a control channel. However, C&C is frequently subtle and hard to spot.
The behavior you describe is typical of a number of P2P VOIP applications. Skype is the most likely alternative.
If it is Skype, your chance of compromise is actually increased. I have observed attackers gathering lists of Skype peers (and BitTorrent peers as well.) They appear to believe that these lists provide a fruitful source of vulnerability for further attack.
The RIAA is only incidentally a criminal organization. The law is just an inconvenient encumbrance.
The real purpose of the RIAA is to make money. Lots of money. To do this, they have become an evangelical organization. They are trying to create and perpetuate a repressive belief system.
In action, they closely resemble an inquisition.
They are trying to create and enforce a belief system. Any tactic is justified if it will maintain their orthodox beliefs. These beliefs don't have to make sense. They just have to be valued.
* Copyright infringement equals piracy.
* Copying music is the same as theft of tangible property.
* Unapproved distribution of an idea requires infinite punishment.
These are not rational thoughts. They are elements of a repressive belief system.
I didn't know the patent office observed the April's Fool tradition. This explains EVERYTHING. Their calendars probably say "April Fools!" instead of "Wednesday".
It must be a joke. There is no way a business method patent on outsourcing can survive post Bilski.
Look around. Have you TRIED to buy a PC game lately? We are standing in the middle of a charred wasteland. There is nothing to see but the bodies of the dead PC game development studios. There are thousands of PC games. Virtually all of them are unsupported. Almost all of the PC Game developers have left the industry. 4 years ago, there were lots of new games. Now there are a tiny handful.
Blizzard has several unsupported games. Microsoft has lots. Stardock's GalCiv for OS2 is unsupported. Stardock is winding down support for GalCiv 1. Stardock is phasing out support for Stardock Central (not a game, but it runs ok under Wine, while Impulse doesn't.)
All the evidence of the last 10 years says that any given game will be unsupported in a year or two.
I like computer games. I have been buying games for years. I spent over $1000 for my Atari800 games. I spent over $1500 for my Amiga games. I spent that much for just MSDOS games. I have spent at least $2000 for Windows games. I have purchased many of the commercial games available for Linux.
I want to play my computer games. I still go back to games that I purchased years ago. Most of the time, I can use emulation/virtualization to enjoy a good game as long as I like.
At this point I have hundreds of data-points that show that the normal state of a game is unsupported. The normal state of a game developer is shutdown.
As far as I can tell, any game that requires on-line activation might as well be a rental. Just as soon as I start to like it, it will become unsupported. I would like to play Spore, but there appears to be no point. As soon as I start to enjoy it, it will be gone. The same thing goes for most of the current crop of 'activation required' games.
Fortunately, I already own a LOT of really good games that I can play however I want, anytime I want. The last week, I have been playing Starships Unlimited 3. Plays great in Wine! If you like turn-based strategy, you should pick up a copy from: http://apezone.com/starshipsunlimited.php before they go out of business.
Yep. That's the Cisco I know and loathe. If you can't convince the literate, just move up the org chart.
Years ago, at my institution (150+ buildings, about 15K active IP addresses,) we did a cost analysis of our Cisco addiction and decided that it was unnecessary. We could do everything we needed with cheaper, commodity devices.
So, for the next couple years, all upgrades/replacements were to simpler structures. To non-proprietary protocols. And to non-Cisco equipment. We have been Cisco-Free for about 4 years.
The hardest part was beating off the attacks from Cisco Sales. These attacks were vicious. They lied (even more than usual for Cisco sales droids.) They tried their best to discredit us. First they approached the head of IT. Then the VP for Business. Then the president.
Finally, they went to the Board of Regents. They said we were incompetent. They said our actions were endangering the future of our institution. Fortunately, the Regents decided to let us try it.
It has worked out great for us. Our capability is up. Our reliability is way up. Our security is up. Our costs are down (about 1/2 the price of equivalent Cisco.)
But, it only happened because upper management was willing to trust us. I get the impression that most management would fold under the pressure we saw.
I have been collecting computer games for a long time. I spent over $1000 for games for my Atari 800. I spent over $1500 for games for my Amiga. I spent over $1500 for just MSDOS games. I have spent over $2000 for Windows games.
I play most of my games in some kind of emulated or virtual environment. Not because I want to. It is because I HAVE to.
The normal state of a game is to be for an unsupported OS. At this point, Microsoft has made a powerful argument (via DirectX10) that they consider only Vista to be a supported gaming OS.
The normal state of a game developer is to be out of business.
It is pointless for me to purchase a game with functioning DRM. It will only be playable for a blink of an eye. If I hear that a game has DRM, or a copy-protection scheme that is tied to the existence of a company, I will not buy it. Nor will I miss it. I have a LOT of good games. Games that I can play whenever and however I want.
Now, excuse me, I have a game of Master of Magic to get back to.
I am at a medium sized university (~24K students.) I have worked here for over 25 years.
You have to understand that a university is not a business. Ultimately, they are not steered or directed like a business. If you wish to help your institution, you need to understand it.
Universities exist for 3 grand goals:
1) Self preservation. A university exists, to continue to exist.
2) Illumination. A university exists to light the world. To make the world a better place.
3) Education. A university exists to create thinking, critical minds.
A university must balance all three of these objectives. It may choose to favor 1 over the others in the short term, but in the long term, all three must balance.
All universities have a core of leadership. This core has the greatest influence at a university. These are the people who are giving their lives to the university. If you pay attention, you can learn who they are. If you want to be one of them, you have to tell your bosses: "I will work here even if you don't pay me." And you have to mean it. Then you have to back it up with a decade or so of valuable service.
So, if you wish to change things at your institution, you need to rephrase your discussion. It can't be, FOSS is cheap, easy and secure. It must be: We can use FOSS to make a better university. Be prepared to talk about it. A lot. Be prepared to demonstrate over and over.
I have been trying to steer my university towards FOSS for the last 10 years. So far, my greatest success has been that I have influenced many of the next generation of staff to use FOSS tools.
Now, people at my institution have learned that when you ask a proprietary problem solver to solve a new problem, you end up purchasing a new tool. When you ask a FOSS problem solver to solve a new problem, you get a month or so of activity, followed by a solution to the problem. You also get a more capable FOSS tool user.
Universities REALLY value capable minds. Having a process that creates more capable minds is a powerful long term strategy for increasing FOSS adoption.
Finally, it is impossible to overvalue the benefit of an active, motivated FOSS user group. Everyplace is different, but your greatest bang-per-buck might be to make sure that there are cookies and pop at every FOSS user group meeting.
This campaign is looking more and more like an inquisition. It is the effort of a group to enforce their belief system. Any tactic is justified if it will maintain their orthodox beliefs.
These beliefs don't have to make sense. They just have to be valued. Copyright infringement equals piracy. Copying music is the same as theft of tangible property. Unapproved distribution of an idea requires infinite punishment. These are not rational thoughts. They are elements of a repressive belief system.
We should just expect that the enforcement of this belief system would behave like an inquisition. It always has in the past.
Inquisitions tend to accumulate incredible power. This needs to be stopped fast.
I thought that my legislators were 'World Class' crazy (Utah).
It looks like we aren't even playing in the big leagues.
This level of crazy is a delicate balancing act. You have to be dumb enough to think that this is a good idea, but somehow manage to keep from drowning in the shower.
Is there any way to tell if the responsible parties have indoor plumbing? How do they avoid rain?
I think you are letting possible threats discourage you from handling present threats.
I think that the most important part of my university's security response is that we analyse and document each attack. This helps us to respond to reality instead of perception.
Our response to these bulk attacks is a little more than a simple block.
- We analyse and document the attack.
- We share our analysis with our local security peers.
- We have a good working relationship with the local FBI office. We share our analysis with them.
- We block at our border, but we block with a time-out that is appropriate for the nature of the attack.
- We do our best to notify and warn the owner of the attacking box.
- We provide credible, timely log info to ISP's. We include functional contact info. We followup any inquiries. This informs ISPs of attack/compromise within their responsibility. It also improves our working relationship with ISPs.
This response has increased my university's ability to respond to attack. It has also greatly reduced the amount and effectiveness of observed attack.
Border blocks are not an effective response for all kinds of attacks. But they are part of an effective strategy for many kinds of attacks.
In this attack, an IP is a functional identifier that binds directly to an attacking computer. Response is reasonable, possible, and frequently successful.
Remember, the attacker is trying to get enough reward to justify 3 kinds of risk:
1) The risk of losing the effectiveness of a pwned computer.
2) The risk of losing a pwned computer and its associated resources.
3) The risk that a pwned computer might lead somebody back to the hacker. Remember, hackers have lots of enemies. Many of a hacker's enemies are very smart and well motivated.
Ultimately, we just need to have enough success on our responses to make an attack unprofitable. Attacking hackers exist in a very fragile ecological niche. There aren't that many of them.
And, if I can help a grandma recover from her computer's compromise, that is also a good thing.
In theory, the citizens of Utah could repeal this bad law via ballot initiative. Here is a good summary of the current law concerning Utah Ballot initiatives: http://ballotpedia.org/wiki/index.php/Laws_governing_the_initiative_process_in_Utah
In practice, we haven't seen a ballot initiative in years. In the last decade, we have seen a constant stream of state legislation tightening the restrictions on ballot initiatives.
I believe that the Utah legislature is attempting to avoid a repeat of the 2000 Civil Forfeiture Initiative. In 2000, Utah voters voted overwhelmingly for an initiative that placed common-sense limits on Civil Forfeiture. The most important reform required that income from seized assets be delivered to the School funds. It took the Legislature 4 years to repeal it and return Utah to the business of Policing for Profit: http://www.instituteforjustice.org/index.php?option=com_content&task=view&id=3289&Itemid=165
In recent years, attempts to achieve ethics reform by Utah ballot initiative have been blocked by the many hurdles imposed by current law. They include:
1) You have to get more signatures than 10% of the vote cast for Governor IN 26 of the 29 counties. Miss that total in one county, and you are blocked.
2) You have 1 year to collect signatures. If your 10% in 26 counties is not certified by the end of the year, you have to start over.
3) You are blocked if the Lieutenant Governor thinks your initiative is patently unconstitutional; nonsensical; or if he determines that the Initiative contains more than one subject.
So, it has been years since we have seen a ballot initiative. Don't expect to see another one in my lifetime.
Miles
My crystal ball, my Magic 8-ball, and my Steve Jackson Tarot deck all agree that the USA has deliberately shackled innovation for the last 10 years. I don't know why. But the signs are unmistakable, even for those who can't sense the aether.
There was no question what would happen when the US Patent Office was changed to fee based financing. The flood of junk patents, and their suppressing effects on innovation are a surprise to no-one. In the intervening years, there has been ample opportunity to revert.
Similarly, for years we have encouraged monopolies and cartels that we know will suppress innovation.
The demotivating effect of the H1B Visa program can't be a surprise to anybody. Chaining the technological elite into lives of indentured servitude has always suppressed innovation.
So, the current course of technological stagnation is a deliberate choice.
The US won't change pathways until we unmake this choice.
Miles
> but still believing that plants obtain most of their mass from the soil rather than from the atmosphere..
I may be a hick from a cow college, but most of the mass of my plants is water. Water that is sucked up from the soil via a root-system.
Granted, the atmosphere moves the water around, but the plant gets its water (and thus most of its mass) from the soil.
Miles
That sounds like a great idea, with one exception: risk of false positives.
We have been doing this for years. The process is fairly mature. So, of course there is more to it than I mentioned in the first message. We have gotten pretty good at telling the difference between compromise and false positives. But, we still get false positives. We had some last week.
We have a process for dealing with false positives. When they happen, we immediately re-instate access. If we have collected a fee, we immediately refund the fee. We contact the owner and apologize. We invite them over to our offices to inspect our processes and offer advice on how we can do better. We share the details of the false positive among the security group. We make sure that this form of false positive doesn't happen again.
Is there an appeal process, or similar?
We have an appeal process. We recognize that activities that look like compromise may be perfectly legit if you are testing your own equipment. We encourage researchers to run honey-pots, they just need to tell us about it. When the compromise is interesting, we offer to waive the fee, if the owner will let us do forensics on the system. We don't charge the fee if the owner can offer a scrap of proof that they had taken effective steps to mitigate the problem prior to our intervention.
We also have an escalated form of incident response for when the system is particularly important or sensitive. Most people prefer to just pay the $25 and not have to do the forensics, analysis, and meetings that are required by the elevated incident response.
Alternatively, do you let people know even slightly prior to disconnecting them? Disconnect first and ask questions (or rather, charge money) later might be a good approach in some situations, but I can't imagine the typical university infection event is one of those.
Once we have determined compromise, we immediately start incident response. That includes suspending the network access. Frequently, their first indication of a problem is when we call/email them and tell them that we have suspended their network access.
Compromise always gets worse, the longer it lasts. Malware aggregates. More info gets exposed. It is always best to act quickly.
The hardest part of this whole process was ensuring that every computer has a listed owner with up-to-date contact info.
For that matter, how do you disconnect people?
We have a variety of tools available. We use the ones that are appropriate for the situation:
If the compromise is idle and the computer is doing DHCP, we alter the DHCP response so all web browsing results in a "You are compromised! Call the ServiceDesk!" response.
If the computer is hard-coding an IP, or attacking external IPs, we also null-route its IP.
If it's an autonomous bot that is attacking locally, we also turn off wall-jacks and suspend its wireless access.
All of these administrative actions can be overcome, but getting around them is a pain. Some people take a couple weeks, but they always realize that it is easier to resolve the compromise than to try to get around the blocks.
The net effect has been positive for the university community. They complain about the reconnect fee, but they are glad to be treated as IT equals. They understand that they are responsible for making sure that their systems are secure. We feel we have better security from our entire community as a result.
My university does a lot of space research. We have put up a fair number of shuttle payloads. WISE (http://www.sdl.usu.edu/news/press/2009/dec14-wise-launch ) was one of ours. We also do a bunch of biotech research. We draw a LOT of attention from the Chinese. Lately we have also drawn a fair amount of attention from take-the-money-and-run hackers. So far, we have survived. We think having an engaged community really helps.
Miles
Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug.
IN A TIMELY MANNER.
You forgot the bit that's at the core of the disclosure debate. Virtually everybody in the security industry agrees on the principles of disclosure. All the flames are over the timing.
In one corner, we have Microsoft. They appear to believe in full disclosure, once the disclosure will have no adverse effects on stock price or profitability.
In another corner, we have a tiny handful of scum sucking, mercenary security researchers who believe that disclosure will happen just as soon as they get paid. And the terms of that disclosure will be whatever the purchaser wants.
In the other corners, and carpeting the entire floor, are all the rest of the security community. They believe that full disclosure must happen in a time-frame that minimizes damage to the user community. They just can't agree on when that might be.
This lack of a consensus has made it easy for Microsoft to define the current terms of disclosure. The result has been suppression of disclosure for longer and longer periods. The inevitable consequence is more and more '0' day exploits.
In September 2009, SANS released an excellent State-of-the-Internet on the top cyber security threats: http://www.sans.org/top-cyber-security-risks/ One of their points was:
"World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years."
To demonstrate this issue they enumerated the history of MS08-031:
For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches of auditing and finding the same vulnerability.
What goes unstated is that while 3 'responsible' researchers disclosed to Microsoft and waited and waited, unknown numbers of hackers also discovered the vulnerabilities and exploited them.
Just this week, a dozen well managed, fully patched, WinXP (with .NET installed) computers at my institution were compromised by clicking on a major news site (http://www.ksl.com/index.php?nid=148&sid=9814436).
Microsoft would have us believe that this is acceptable. But really, would immediate, full disclosure be any worse?
Miles
Maybe the route some universities have taken of fines and downtime for those caught spreading malware or spam, knowingly or not, is what we need.
I do IT security for one of those universities. Our IT is extremely decentralized. There are some central services. The network is managed centrally. But the majority of the computers are managed by individuals, departments, and colleges in whatever way they see best.
We charge a reconnect fee as part of our standard network security incident response. When we determine that a system is compromised, we disconnect it, and notify the owner. We reconnect it as soon as the owner pays the reconnect fee. The fee is $25 for the first reconnect and $50 for each reconnect after the first time. The fee is not kept by Security. It is transferred to the university Service desk.
It may sound silly, but we can demonstrate that the reconnect fee is our single, most effective security measure. We have detailed data on detected compromise for years before and after the beginning of the reconnect fee. When we started imposing the reconnect fee, our rate of detected compromise dropped to 1/10th the prior level. We believe that prior to the reconnect fee, people really felt that there was no reason to worry about compromise.
In the years that we have been doing this, it has always amazed me that such a small irritation can lead to so much behavioral change.
Charging the entire university for each compromise would not have the same effect. By charging the university entity that owns the compromised computer, we change that entity's behavior. Even when we are effectively moving money from 1 pocket to another. The reconnect fee is always an unanticipated expense. The reconnect fee is always an irritant. In effect, we have created an institutional pain response to compromise. We can tell it is still working, because the university's community is still complaining about it. Once they stop complaining, we may have to up the fee.
Miles
I imagine most of us are saying: "Not a problem. I don't have anything China wants."
I wish. This is what hacking looks like now. If you haven't noticed, you haven't been paying attention.
We asked ourselves which 10 computers would cause us the greatest loss if they were compromised. When we took a hard look at their network traffic, we found an otherwise undetectable compromise. It appears to have been in place for at least 3 months. Just patiently listening and waiting.
You may want to try the same exercise.
Organized crime has demonstrated (http://www.ren-isac.net/alerts/banking-attacks_technical_201001.html) that patient, disciplined attacks yield great monetary rewards.
The Chinese have demonstrated that patient, disciplined attacks are virtually unstoppable.
What more could any hacker want?
The most fragile secret is a successful economic model. Once it gets out, EVERYBODY copies it.
Learn how to defend yourself if you want to survive.
Miles
.. Root the box, and you might be able to recover the cached passwords from it.
Almost. The iSec paper mentioned, but didn't explain 'Pass The Hash' attacks. See the excellent SANS paper at: http://www.sans.org/reading_room/last.php
Bottom line is, the attacker doesn't need to get back to the passwords by cracking the hashes. The attacker can just directly use the hashes.
Being targeted by these guys is like standing in the middle of a crowd of pick-pockets. No matter what you do, they are going to get stuff. You are lucky to get out with your teeth.
Miles
I wish I could attribute the saying, but here is how I've heard it said: If your law requires a police state to enforce, then your law is a bad law.
The very fact that these meetings were held in secret was a dead giveaway that nothing in our interests is going on in there.
Whoever is doing this is focused on an immediate benefit. This is short-sighted thinking at its finest. Open processes and democracy work because it directly benefits the law makers. When there is a bad/unpopular law, the guilt and blame gets spread around. It is pointless to kill the lawmakers, because they are everybody.
But, closed processes and secret lawmaking have an entirely different economy. It is obvious who to blame. Just get the list of people participating in the secret process. It is also obvious how to rectify that situation. And, in one or two quick steps we are back to the politics of the great merchant houses. The lawmakers end up being so unpopular that they can't go out or taste untested food. They lose almost as much freedom as the people they are enslaving.
It's not hard to see the big picture. It's obvious the end result is bad for everybody. What kind of short-term payoff could be so tempting?
Miles
That brief was a fun read. And very accessible. Everybody should have a look.
I have to wonder though, if it is good strategy to call the judge an idiot in such clear and ringing tones. What is the end goal? Are they trying to get the judge to do something stupid, so it will be easier to overturn later?
Don't laugh, I swear Microsoft used this tactic during their big antitrust case.
Miles
I do IT Security for a university. One of my projects is to do some rudimentary traffic analysis of our SSH sessions.
I look for the negotiation between SSH server and client and log connections. Since the negotiation is port independent, I can log the start of SSH sessions, no matter what port they are on. This allows me to:
1) Notice if important systems have sprung a new SSH backdoor.
2) Notice if important systems are SSH'ing out to weird places.
3) Check with local sys-admins and say things like: 'Looks like the Chinese have found your supersecret SSH port. Again. You have proved that TCP/222 and TCP/2222 are not good choices. Maybe this time you want to borrow my HexDice?'
Anywho, my rudimentary traffic analysis can be defeated if you change the SSH negotiation. It can be hindered if you just leave the connections running for days at a time.
So, if you want to annoy people like me, you may want to leave the connections up.
Miles
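An added example of the port-independent SSH logging described above (this is not the monitor from the comment, and the hosts, networks and baseline in it are assumptions). It works on a handful of constructed TCP segments rather than a pcap, matches the RFC 4253 identification string that every SSH endpoint sends in the clear whatever the port, uses the SYN to tell client from server, and raises the two alerts the comment lists: an important host sprouting a listener on a new port, and an important host opening SSH to somewhere it shouldn't.

```python
"""Port-independent SSH session logging from raw TCP segments.

Constructed segments stand in for a pcap. IMPORTANT_HOSTS and
ALLOWED_OUTBOUND are assumed site knowledge for the example.
"""
import ipaddress
import re
from collections import namedtuple

Segment = namedtuple("Segment", "ts src sport dst dport flags payload")

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
SSH_ID = re.compile(rb"^SSH-(\d\.\d+)-(\S+)")

IMPORTANT_HOSTS = {"10.1.1.10": {22}}          # host -> expected SSH listener ports
ALLOWED_OUTBOUND = [ipaddress.ip_network("10.0.0.0/8")]


def ssh_banner(payload: bytes):
    """(protoversion, softwareversion) if the payload starts an SSH session, else None."""
    m = SSH_ID.match(payload)
    return (m.group(1).decode(), m.group(2).decode()) if m else None


def analyze(segments):
    """Return (sessions, alerts). A session is logged at the first server banner."""
    initiator = {}                   # (client, cport, server, sport) -> SYN time
    sessions, alerts = [], []
    for s in segments:
        if s.flags == "S":
            initiator[(s.src, s.sport, s.dst, s.dport)] = s.ts
            continue
        banner = ssh_banner(s.payload)
        if not banner:
            continue
        # A server banner flows server -> client, so the reverse tuple is the SYN.
        key = (s.dst, s.dport, s.src, s.sport)
        if key not in initiator:
            continue                 # client-side banner, or a flow whose SYN we missed
        client, cport, server, sport = key
        sessions.append({"ts": s.ts, "client": client, "server": server,
                         "port": sport, "software": banner[1]})
        if server in IMPORTANT_HOSTS and sport not in IMPORTANT_HOSTS[server]:
            alerts.append(f"new SSH listener on {server}:{sport} ({banner[1]})")
        if client in IMPORTANT_HOSTS and not any(
                ipaddress.ip_address(server) in net for net in ALLOWED_OUTBOUND):
            alerts.append(f"{client} opened SSH to unexpected host {server}:{sport}")
    return sessions, alerts


# Constructed traffic: one normal session, one surprise listener on 2222,
# one outbound session hidden on 443, and one HTTP flow that must not match.
SAMPLE = [
    Segment(1.0, "10.1.1.10", 50001, "10.1.1.20", 22, "S", b""),
    Segment(1.1, "10.1.1.20", 22, "10.1.1.10", 50001, "PA", b"SSH-2.0-OpenSSH_5.3\r\n"),
    Segment(2.0, "203.0.113.9", 40123, "10.1.1.10", 2222, "S", b""),
    Segment(2.1, "10.1.1.10", 2222, "203.0.113.9", 40123, "PA", b"SSH-2.0-dropbear_0.52\r\n"),
    Segment(3.0, "10.1.1.10", 50002, "198.51.100.7", 443, "S", b""),
    Segment(3.1, "10.1.1.10", 50002, "198.51.100.7", 443, "PA", b"SSH-2.0-OpenSSH_5.3\r\n"),
    Segment(3.2, "198.51.100.7", 443, "10.1.1.10", 50002, "PA", b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"),
    Segment(4.0, "10.1.1.30", 50003, "10.1.1.20", 80, "S", b""),
    Segment(4.1, "10.1.1.20", 80, "10.1.1.30", 50003, "PA", b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    found, warnings = analyze(SAMPLE)
    for sess in found:
        print(f"{sess['ts']:.1f} {sess['client']} -> {sess['server']}:{sess['port']} {sess['software']}")
    for w in warnings:
        print("ALERT:", w)
```

As the comment notes, this only sees the banner, so a patched sshd that changes its identification string, or a long-lived connection started before the sensor was watching, slips past it. The flip side is that the banner is the same on TCP/22, TCP/2222 or TCP/443, which is why hiding sshd on an odd port buys nothing.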
Then, I would say somebody with a large botnet is doing reconnaissance on you.
I'm sure you have incoming port 137 blocked. So that traffic is outgoing. I expect that will be your Windows hosts responding to their probes.
They are probably attempting to find your end-hosts and your switching infrastructure.
Your clients shouldn't respond to the probes. If they are, make them stop. Your servers probably have to respond. If you have not already, you should make very sure that your switching infrastructure can't bleed packets to the outside world. Yah, I know, people tell you to send out 'fragmentation needed' but, you might have to choose between big packets and survival. It would be nice if you only need to bleed 'Fragmentation needed' to a few specific external hosts and could discard it (and everything else from your switching infrastructure.)
One way you can mess with their heads (assuming they care about your switching infrastructure) is to modify your border to discard any packet with a low hop-count. The apparent radius of the internet is currently a little over 16 hops. Nothing legit (except traceroute) generates packets with less than a 32 TTL. So, you can arbitrarily discard any packet at your border with a TTL of 8 to 12.
It messes up your ability to trouble-shoot your network from the outside using traceroute but if the choice is that or survival...
I've never been mapped by anything that big. We would see it in our darknet (non-allocated IP) sensors. Lucky you. Brace for impact..
I expect they will get to my institution eventually.
We've seen an explosion in hacker activity in the last week. All kinds of crap. The most unsettling is a series of compromises that carefully scan a locally attached /24 for 139, 445, 3389, 5900, 8080, 40080. C&C appears to be innocuous accesses to local Akamai hosts. Almost impossible to spot.
Thanks for the heads-up.
Miles
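The slow local /24 sweep described in that comment is easy to miss in a border view because it never leaves the subnet. Here is an added detector (not the university's tooling) that runs over a few constructed flow records of the kind a NetFlow export or firewall log gives you, and flags a source that touches many hosts in its own /24 on the ports listed above. The port list is the one from the comment; the record format and the target threshold are assumptions.

```python
"""Spotting a compromised host that quietly sweeps its own /24.

Input lines are constructed flow records in an assumed "ts src dst dport proto"
format. SWEEP_PORTS comes from the comment; MIN_TARGETS is an assumed threshold.
"""
import ipaddress
from collections import defaultdict

SWEEP_PORTS = {139, 445, 3389, 5900, 8080, 40080}
MIN_TARGETS = 8          # distinct hosts in one /24 before we call it a sweep


def parse_flow(line: str):
    ts, src, dst, dport, proto = line.split()
    return float(ts), src, dst, int(dport), proto


def find_sweeps(lines, min_targets=MIN_TARGETS):
    """Group by (source, its /24); report sources that touch >= min_targets hosts."""
    seen = defaultdict(lambda: defaultdict(set))   # key -> {dport: {dst, ...}}
    first, last = {}, {}
    for line in lines:
        ts, src, dst, dport, proto = parse_flow(line)
        if proto != "tcp" or dport not in SWEEP_PORTS:
            continue
        src_net = ipaddress.ip_network(f"{src}/24", strict=False)
        if ipaddress.ip_address(dst) not in src_net:
            continue                                # only the locally attached /24 here
        key = (src, str(src_net))
        seen[key][dport].add(dst)
        first[key] = min(first.get(key, ts), ts)
        last[key] = max(last.get(key, ts), ts)
    findings = []
    for key, by_port in seen.items():
        targets = set().union(*by_port.values())
        if len(targets) >= min_targets:
            findings.append({"src": key[0], "net": key[1], "hosts": len(targets),
                             "ports": sorted(by_port),
                             "duration_s": last[key] - first[key]})
    return findings


# Constructed flows: 10.20.30.5 walks its /24 on 445 and 3389 one host at a
# time over twenty minutes; 10.20.30.7 hammers one file server (not a sweep).
SAMPLE_FLOWS = (
    [f"{100 * i} 10.20.30.5 10.20.30.{i} 445 tcp" for i in range(1, 14) if i != 5]
    + [f"{100 * i + 5} 10.20.30.5 10.20.30.{i} 3389 tcp" for i in range(2, 14, 2)]
    + [f"{50 * i} 10.20.30.7 10.20.30.1 445 tcp" for i in range(1, 30)]
    + [f"{60 * i} 10.20.30.7 10.20.30.2 80 tcp" for i in range(1, 10)]
    + ["700 10.20.30.5 10.30.40.1 445 tcp"]          # off-subnet, ignored here
)

if __name__ == "__main__":
    for f in find_sweeps(SAMPLE_FLOWS):
        print(f"{f['src']} swept {f['hosts']} hosts in {f['net']} on ports "
              f"{f['ports']} over {f['duration_s']:.0f}s")
```

Counting distinct destinations per source, rather than packets per second, is what catches the patient variant: one probe every hundred seconds never trips a rate limit, but twelve different neighbours on 445 and 3389 is not what a workstation does.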
Nice visualization. Wonder if there is some way to do it in real time.
I've done networking and security for a university for the last 10 years. I can guess what this kind of activity would be if it was at my institution. Basically, there are several reasons why every country in the world will suddenly talk to us. They include P2P/Gnutella's, P2P/Swarmcasting, Bittorrent, Skype, P2P-poisoning, P2P-misdirection, and hacker/bot activity.
When we have pulses like you are observing, it is usually BitTorrent.
The Gnutella P2P variants don't usually have that many peers. And, they tend to last for several hours or days.
The various Swarmcasting P2P variants look very similar to BitTorrent, but again, the users tend to leave them running for hours or days.
A popular Torrent makes connections to hundreds of locations at once, and usually the local user shuts down in minutes (or an hour) when they get their file.
Skype won't be narrow bands. It will be every country in the world talking to you all the time. We have had computers promote themselves up the Skype infrastructure until they are constantly talking to over 600K peers. Of course, it is more normal to see a Skype node talking to 10K to 20K peers, but still Skype won't be bands. Skype raises the floor for the entire graph.
P2P-poisoning would closely match your bands. For several years we observed pulses where every member of a large P2P cloud would attempt to talk to a non-existing IP at our institution. Eventually, we realized that somebody was attempting to render the P2P cloud non-functional by poisoning the P2P community with info on non-existing peers. Of course, since this is a Denial of Service (DoS) attack, this is technically illegal, but we saw it happening for years. But, it appeared to stop a couple years ago (about the time Obama replaced Bush) and we haven't seen any evidence of it lately.
P2P-misdirection is where a cloud will attempt to confuse traffic analysis by throwing out random connections/packets to random IPs. Typically, this misdirection happens all the time, and not in bursts/bands.
Bot attack activity doesn't match your patterns either. We observe several types. None would look like your bands:
- The spoofed attacks will look like every one of your IPs getting acks from a few remote IPs.
- The mapping activity will look like a representative sample of your IPs getting traffic from a few dozen IPs.
- An incoming DoS would have a few of your IPs get (spoofed) traffic from everywhere, but it would be sustained.
- Portscans will only involve a handful of remote IPs.
- The Tag-team SSH password guessing is close. During the last week, we observed about 3000 sources located all over. But, it happens all the time (in the aggregate), not in bursts. And the sources this week are concentrated in Italy, Poland, Eastern Europe, Colombia, and Brazil. They aren't really all over the world.
So, I'm guessing it is BitTorrent. But, your situation may be way different from mine.
Miles
Your perspective is too short term. If some office of the government is attempting to control the limits of action of the MPAA, the MPAA's next step is to achieve control of that office. It's called Bureaucratic Capture ( http://www.chiark.greenend.org.uk/pipermail/ukcrypto/1998-March/040535.html ) and it's the best possible outcome from the point of view of the MPAA.
Continually asking for the same thing is one of the first steps. Eventually the MPAA will get everything they want and much more. The process is slow, but almost inevitable.
Many groups fault civil libertarians for being inflexible. But, in these conflicts and on long timescales, you have to be inflexible on defense and relentless on offense. It's like fighting with a one-way ratchet. Once you go on defense, you always lose ground. You have to refuse to yield until you can get back on offense.
Miles
> I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs.
There is probably more than 1 thing going on here.
The machines are probably hacked. If they are, they will have some kind of a control channel. However, C&C is frequently subtle and hard to spot.
The behavior you describe is typical of a number of P2P VOIP applications. Skype is the most likely alternative.
If it is Skype, your chance of compromise is actually increased. I have observed attackers gathering lists of Skype peers (and BitTorrent peers as well.) They appear to believe that these lists provide a fruitful source of vulnerability for further attack.
Miles
The RIAA is only incidentally a criminal organization. The law is just an inconvenient encumbrance.
The real purpose of the RIAA is to make money. Lots of money. To do this, they have become an evangelical organization. They are trying to create and perpetuate a repressive belief system.
In action, they closely resemble an inquisition.
They are trying to create and enforce a belief system. Any tactic is justified if it will maintain their orthodox beliefs. These beliefs don't have to make sense. They just have to be valued.
* Copyright infringement equals piracy.
* Copying music is the same as theft of tangible property.
* Unapproved distribution of an idea requires infinite punishment.
These are not rational thoughts. They are elements of a repressive belief system.
Miles
I didn't know the patent office observed the April's Fool tradition. This explains EVERYTHING. Their calendars probably say "April Fools!" instead of "Wednesday".
It must be a joke. There is no way a business method patent on outsourcing can survive post Bilski.
http://en.wikipedia.org/wiki/In_re_Bilski
Miles
You have GOT to be kidding.
Look around. Have you TRIED to buy a PC game lately? We are standing in the middle of a charred wasteland. There is nothing to see but the bodies of the dead PC game development studios. There are thousands of PC games. Virtually all of them are unsupported. Almost all of the PC Game developers have left the industry. 4 years ago, there were lots of new games. Now there are a tiny handful.
Blizzard has several unsupported games. Microsoft has lots. Stardock's GalCiv for OS2 is unsupported. Stardock is winding down support for GalCiv 1. Stardock is phasing out support for Stardock Central (not a game, but it runs ok under Wine, while Impulse doesn't.)
All the evidence of the last 10 years says that any given game will be unsupported in a year or two.
Miles
This is Bad News for me.
I like computer games. I have been buying games for years. I spent over $1000 for my Atari800 games. I spent over $1500 for my Amiga games. I spent that much for just MSDOS games. I have spent at least $2000 for Windows games. I have purchased many of the commercial games available for Linux.
I want to play my computer games. I still go back to games that I purchased years ago. Most of the time, I can use emulation/virtualization to enjoy a good game as long as I like.
At this point I have hundreds of data-points that show that the normal state of a game is unsupported. The normal state of a game developer is shutdown.
As far as I can tell, any game that requires on-line activation might as well be a rental. Just as soon as I start to like it, it will become unsupported. I would like to play Spore, but there appears to be no point. As soon as I start to enjoy it, it will be gone. The same thing goes for most of the current crop of 'activation required' games.
Fortunately, I already own a LOT of really good games that I can play however I want, anytime I want. The last week, I have been playing Starships Unlimited 3. Plays great in Wine! if you like turn-based strategy, you should pick up a copy from:
http://apezone.com/starshipsunlimited.php
before they go out of business.
Miles
Yep. That's the Cisco I know and loathe. If you can't convince the literate, just move up the org chart.
Years ago, at my institution (150+ buildings, about 15K active IP addresses,) we did a cost analysis of our Cisco addition and decided that it was unnecessary. We could do everything we needed with cheaper, commodity devices.
So, for the next couple years, all upgrades/replacements were to simpler structures. To non-proprietary protocols. And to non-Cisco equipment. We have been Cisco-Free for about 4 years.
The hardest part was beating off the attacks from Cisco Sales. These attacks were vicious. They lied (even more than usual for Cisco sales droids.) They tried their best to discredit us. First they approached the head of IT. Then the VP for Business. Then the president.
Finally, they went to the Board of Regents. They said we were incompetent. They said our actions were endangering the future of our institution. Fortunately, the Regents decided to let us try it.
It has worked out great for us. Our capability is up. Our reliability is way up. Our security is up. Our costs are down (about 1/2 the price of equivalent Cisco.)
But, it only happened because upper management was willing to trust us. I get the impression that most management would fold under the pressure we saw.
Miles
I have been collecting computer games for a long time. I spent over $1000 for games for my Atari 800. I spent over $1500 for games for my Amiga. I spent over $1500 for just MSDOS games. I have spent over $2000 for Windows games.
I play most of my games in some kind of emulated or virtual environment. Not because I want to. It is because I HAVE to.
The normal state of a game is to be for an unsupported OS. At this point, Microsoft has made a powerful argument (via DirectX10) that they consider only Vista to be a supported gaming OS.
The normal state of a game developer is to be out of business.
It is pointless for me to purchase a game with functioning DRM. It will only be playable for a blink of an eye. If I hear that a game has DRM, or a copy-protection scheme that is tied to the existence of a company, I will not buy it. Nor will I miss it. I have a LOT of good games. Games that I can play whenever and however I want.
Now, excuse me, I have a game of Master of Magic to get back to.
Miles
I am at a medium sized university (~24K students.) I have worked here for over 25 years.
You have to understand that a university is not a business. Ultimately, they are not steered or directed like a business. If you wish to help your institution, you need to understand it.
Universities exist for 3 grand goals:
1) Self preservation. A university exists, to continue to exist.
2) Illumination. A university exists to light the world. To make the world a better place.
3) Education. A university exists to create thinking, critical minds.
A university must balance all three of these objectives. It may choose to favor 1 over the others in the short term, but in the long term, all three must balance.
All universities have a core of leadership. This core has the greatest influence at a university. These are the people who are giving their lives to the university. If you pay attention, you can learn who they are. If you want to be one of them, you have to tell your bosses: "I will work here even if you don't pay me." And you have to mean it. Then you have to back it up with a decade or so of valuable service.
So, if you wish to change things at your institution, you need to rephrase your discussion. It can't be, FOSS is cheap, easy and secure. It must be: We can use FOSS to make a better university. Be prepared to talk about it. A lot. Be prepared to demonstrate over and over.
I have been trying to steer my university towards FOSS for the last 10 years. So far, my greatest success has been that I have influenced many of the next generation of staff to use FOSS tools.
Now, people at my institution have learned that when you ask a proprietary problem solver to solve a new problem, you end up purchasing a new tool. When you ask a FOSS problem solver to solve a new problem, you get a month or so of activity, followed by a solution to the problem. You also get a more capable FOSS tool user.
Universities REALLY value capable minds. Having a process that creates more capable minds is a powerful long term strategy for increasing FOSS adoption.
Finally, it is impossible to overvalue the benefit of an active, motivated FOSS user group. Everyplace is different, but your greatest bang-per-buck might be to make sure that there are cookies and pop at every FOSS user group meeting.
Miles
This campaign is looking more and more like an inquisition. It is the effort of a group to enforce their belief system. Any tactic is justified if it will maintain their orthodox beliefs.
These beliefs don't have to make sense. They just have to be valued. Copyright infringement equals piracy. Copying music is the same as theft of tangible property. Unapproved distribution of an idea requires infinite punishment. These are not rational thoughts. They are elements of a repressive belief system.
We should just expect that the enforcement of this belief system would behave like an inquisition. It always has in the past.
Inquisitions tend to accumulate incredible power. This needs to be stopped fast.
Miles
I thought that my legislators were 'World Class' crazy (Utah).
It looks like we aren't even playing in the big leagues.
This level of crazy is a delicate balancing act. You have to be dumb enough to think that this is a good idea, but somehow manage to keep from drowning in the shower.
Is there any way to tell if the responsible parties have indoor plumbing? How do they avoid rain?
Miles
I think you are letting possible threats discourage you from handling present threats.
I think that the most important part of my university's security response is that we analyse and document each attack. This helps us to respond to reality instead of perception.
Our response to these bulk attacks is a little more than a simple block.
- We analyse and document the attack.
- We share our analysis with our local security peers.
- We have a good working relationship with the local FBI office. We share our analysis with them.
- We block at our border, but we block with a time-out that is appropriate for the nature of the attack.
- We do our best to notify and warn the owner of the attacking box.
- We provide credible, timely log info to ISP's. We include functional contact info. We followup any inquiries. This informs ISPs of attack/compromise within their responsibility. It also improves our working relationship with ISPs.
This response has increased my university's ability to respond to attack. It has also greatly reduced the amount and effectiveness of observed attack.
Border blocks are not an effective response for all kinds of attacks. But they are part of an effective strategy for many kinds of attacks.
In this attack, an IP is a functional identifier that binds directly to an attacking computer. Response is reasonable, possible, and frequently successful.
Remember, the attacker is trying to get enough reward to justify 3 kinds of risk:
1) The risk of losing the effectiveness of a pwned computer.
2) The risk of losing a pwned computer and its associated resources.
3) The risk that a pwned computer might lead somebody back to the hacker. Remember, hackers have lots of enemies. Many of a hacker's enemies are very smart and well motivated.
Ultimately, we just need to have enough success on our responses to make an attack unprofitable. Attacking hackers exist in a very fragile ecological niche. There aren't that many of them.
And, if I can help a grandma recover from her computer's compromise, that is also a good thing.
Miles