Slashdot Mirror


User: NTBugtraq

NTBugtraq's activity in the archive.

Stories: 0
Comments: 16

Comments · 16

  1. Re:Dshield and myNetwatchman on WormRadar Node Volunteers Help Graph Attacks · · Score: 1

    Actually, no, they don't do the same thing at all. They report activity, and if you provide complete network dumps someone may, at some time, get around to trying to figure out what you saw.

    WormRadar specifically looks for attacks, not just plain old traffic. When something known comes along, it logs it...that part is the same as DShield or myNetwatchman. But when something entirely new comes along, it packages it up and sends it off to Rog. He correlates reports of new things from the instant any one WormRadar node sees it. So, if 10 minutes later another node in a different region sees the same new thing, it gets logged and isn't reported as a new thing.

    With a copy of the worm in his hands, Rog is capable (more than capable) of dissecting it and figuring out what it does, how it works, what we might expect from it, etc...

    Finally, because of his AV contacts, he's able to get anything new into all of the right hands so everyone can get definitions to detect it.

  2. Re:Guess who MY first target would be... on Russ Cooper's Internet Penalties Plan · · Score: 1

    So, you can spoof my networks to my ISP? How? I mean, as part of Point #7 in the proposal I stated that the ISPs would have to be able to provide sufficiently detailed logs to customers to prove they emitted attack traffic. Don't you think I'm going to want to see the logs from the router my router connects to? Now how exactly are you going to spoof traffic from my network on that router's interface to me?

    Granted, if I have a root'd system in my network, that could certainly be used to cause me to incur fines with my ISP. But I'd really like to see people stop talking about spoofing.

  3. Re:So this bill would give a financial reward... on Russ Cooper's Internet Penalties Plan · · Score: 1

    Sigh, read Point #7 in the detailed section, it specifically covers the fact that customers are going to require verifiable information from their ISP to prove they've transgressed.

    Besides, don't you think an ISP that had such a habit would quickly lose its customers, or be widely discussed?

    If you just want to disagree with the whole plan, you don't have to come up with reasons, just say you think it stinks...;-]

  4. Re:My letter to Russ... on Russ Cooper's Internet Penalties Plan · · Score: 1

    I only removed liability from ISPs for dropping identified attack traffic, not for disconnecting alleged attackers incorrectly or levying fines against someone who is not guilty. Those liabilities would continue to exist for the ISP, and they would be responsible for determining how they will deal with their customers on such matters. These issues would all become part of the contract you have with your ISP, so you'd be able to decide against an ISP who does not provide you a way to refute their claims, should one exist in your area. Otherwise, the terms would be similar to the Acceptable Use Policies ISPs already have, and enforce.

    No matter what the agreement with you, ISPs would be mandated to drop any attack traffic entering their networks. They may choose not to enforce fining of individuals at all, but instead make the service charge for connecting slightly higher (or no higher at all.) Since the fines are imposed by the ISPs on their own customers only, it's a matter for them to work out with you.

    False positives are an issue, and I explained in Point #7 of the plan that this has to be detailed sufficiently so consumers are able to verify claims made by their ISP against them.

    While your vacation scenario is possible, it misses the point. Yes, someone may well be fined while they are away on their vacation. But let's imagine that those same people left their electric space heater on, with a towel over it, just before leaving. The house burns down, causes other homes to burn, and then they return from vacation. Are they not responsible?

    Bottom line, you want to avoid the scenario you propose, simply turn your computer off while you're away. Otherwise, assuming what you suggested actually happened, slap yourself upside the head for not turning the computer off.

    Finally, I must point out again, there is no law governing user compliance or fines. The only law I propose is that ISPs must drop attack traffic. Everything to do with the ISP customers is a contractual arrangement between you and them, and is therefore refutable in civil court. It would be handled no differently than any violation of an AUP would be handled, IMO.

  5. Re:Just block the attacks on Russ Cooper's Internet Penalties Plan · · Score: 1

    Seems you didn't read the entire article. The whole idea is that ISPs would block the attacks, period, once they've been identified. Problem is, just blocking attacks isn't enough, we want to stop the attacks from emanating continually.

    So they block the attack attempt by Computer X, and then fine the owner of Computer X for having to block it. That owner will then clean Computer X so it no longer attacks. Attack eventually stops.

    As for ISPs deciding what they do and don't like, they already have that right in their Acceptable Use Policies. If they want to add in there that they will not permit file sharing, that's their right. You can then choose whether or not to continue being with an ISP who has that in their AUP or not.

    My proposal only has to do with an independent body's determination of what an "attack" is. It's not intended to become a censorship protocol.

  6. Re:Time to eat some crow ... on Russ Cooper's Internet Penalties Plan · · Score: 1

    Ahem.

    • Should we ban attachments in email?
    • Should we make OS' which don't allow users to invoke a program of their choosing?

    If not, how do IT Professionals prevent some home user from double-clicking on the "document_all.pif" attachment in a SoBig.F message? After all, it's just an application, for all we know the user may have a valid reason to use email this way.

    And if someone does double-click on a SoBig.F attachment, can you honestly call them "innocent"? What were they thinking it was?

    I've had a "Safe Email Practices" web page FAQ up for years. The only failure is that I haven't had it widely published such that consumers are aware of the few points it makes.

    Our "failure" is that we have been unable to get consumers to pay attention before they are exploited.

    Most people don't have to do anything to avoid fines. They simply need to continue practicing the safe networking principles they already practice. They don't need to update, patch, use AV, or any other product in order to avoid fines. They only need to prevent unauthorized access to NICs and think before they double-click on anything. A free personal firewall in its default configuration does the trick just fine.

    As far as the revenue, I don't know where you got the impression it would go into tax coffers. If you believe that, I have a bridge to sell you. Try reading the proposal again.

  7. Re:Sounds Good to Me on Russ Cooper's Internet Penalties Plan · · Score: 1

    Finally, someone who gets it!

    You ask about your rejection responses being used as part of a DDoS attack and whether that would make you liable to fines.

    Quite simply, no. Firstly, the attack causing your rejection responses shouldn't reach you if it's been "identified", the ISP would be dropping it before it ever got close to your network. Secondly, unless the response packets were "identified" as an attack, they wouldn't be subjected to fines. Valid responses to packets would not likely ever be "identified" as an attack.

  8. Re:What tha ... on Russ Cooper's Internet Penalties Plan · · Score: 1

    There are already existing laws to deal with the miscreants who create malware. If you have any decent suggestions as to how that can be done better than it already is, I for one would love to hear them.

    Here's one possible side-effect of the penalties, however. If ISPs log all attack traffic, it may become more possible to trace attacks back to their original source.

  9. Re:Impossible to avoid on Russ Cooper's Internet Penalties Plan · · Score: 1

    You missed the point of the idea completely. Yes, today, if you put a new computer on the network then it may well quickly be infected with something, be it Blaster, Code Red, Slammer.

    The reason that happens is because nobody is stopping the on-going, yet very old, attacks from continuing.

    If ISPs were mandated to drop identified attack traffic, the likelihood of you being attacked quickly when placing a new PC on the network is near nil. That's the whole idea.

    From that point forward you enable automatic updates and learn how not to open virus attachments.

  10. Re:So this bill would give a financial reward... on Russ Cooper's Internet Penalties Plan · · Score: 1

    The monies don't go to the Government, they go to ISPs, so that ISPs can finance the job of stopping attacks from spreading. Where'd you get the impression the money would go to the Government?

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

  11. Re:Stupid idea on Russ Cooper's Internet Penalties Plan · · Score: 1

    The idea didn't originate in Government, nor is it in any way being sponsored by anyone in Government...at this point. It is my personal proposal to deal with the current situation.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

  12. Re:Russ posted this to NTBugTraq: on Russ Cooper's Internet Penalties Plan · · Score: 1

    Lol, only when you can get it, not all rural locations like mine have such luxuries. I'd be happier to get water, sewage, and natural gas before they bring cable here.

    Cheers,
    Russ

  13. Be Responsible on Disclosure of Major Software Exploits by Students? · · Score: 1

    Since you are concerned with how they will react to you, I suggest you allow someone else to approach them. Hushmail is one way, but another is to disclose the details to me. As the NTBugtraq Editor, I frequently approach Vendors with exploits that are, at the time, unpublished. I phone them, find the appropriate person to speak with (usually within their Management, not tech support) and apprise them of the issue. With the right person's email in hand, I forward the issue to them (from my address, with your information completely removed). I expect, and get, a reaction within 2 business days, and then move on to the resolution phase. I get them to explain how long it will take to fix, and why, and keep after them monitoring the progress of the fix. When a fix is ready, I get a copy before they go public to test.

    Of course throughout this process I send you a copy of all communication with the Vendor. In your case, I'd ask them how they would react to the person who discovered the issue, so you'd be able to see what their reaction would be. You're free to jump in the communication any time you want.

    I seek no credit in the affair, and any publication of the issue would bear your name (or nym, whatever you prefer).

    Once the fix is done, you can write up any explanation you deem appropriate. I encourage people to do this responsibly, and not disclose sample exploit code and/or complete details on how to exploit the issue. It should be easy to describe the issue sufficiently to provide an accurate indication of the threat without such details, but it's your call. Again, you can use your own address to send the write up, or I can do it for you.

    You can read my short disclosure policy at http://www.ntbugtraq.com/policy.asp

    Cheers,
    Russ - NTBugtraq Editor
    Russ.Cooper@rc.on.ca

  14. Re:In case of slashdotting, on NTBUGTRAQ Bashes Windows Update · · Score: 2

    Throwing a tantrum?? Come on, how many times must one be diplomatic before you can get fed up? How many messages must I receive from subscribers indicating their unhappiness over the problems before I speak out on their, and my, behalf?

    I've spoken with many people at Microsoft about Windows Update for over 5 years now, none of that has worked. Wait until Longhorn is released and Windows Update Next Generation gets released. You'll see it addresses many of the problems I've outlined. My complaint is that in the meantime we suffer with what they've given us. Instead of building something for the next OS, deliver the solutions to our problems with this version.

    Of course we know Microsoft doesn't do that, which is why the Trustworthy Computing Initiative is failing, IMNSHO.

    Cheers,
    Russ - NTBugtraq Editor

  15. Re:In case of slashdotting, on NTBUGTRAQ Bashes Windows Update · · Score: 1

    Yup, you're right, that wasn't in the original. The line should read; "See for yourself, have a look at my previous musings and then tell me what's been fixed or improved." Shame someone at Slashdot can't correct it for accuracy, no doubt someone's going to eventually tell me I said what was posted here...;-[

    Cheers,
    Russ - NTBugtraq Editor

  16. Re:In case of slashdotting, on NTBUGTRAQ Bashes Windows Update · · Score: 5, Informative

    Actually, I have made suggestions as to how Windows Update could be better. The second link in my post pointed to an article I wrote last year to NTBugtraq with suggestions. That message was discussed widely within Microsoft according to people there I have spoken with, yet despite that, WU continues to suck.

    Almost everything I said in this recent message is a suggestion. They need to be more informative about the activities of the application. What's the point of doing a scan and saying you need no patches if it failed in the process and recorded a message in an obscure log on your machine? The suggestion is it shouldn't do that, it should say on the web page that the scan failed, and, provide something more of an explanation than an 8-digit error message.

    Read my message again with that mindset and I think you'll see many suggestions.

    Cheers,
    Russ - NTBugtraq Editor