Slashdot Mirror


User: billstewart

billstewart's activity in the archive.

Stories: 0
Comments: 7,948

Comments · 7,948

  1. Bot impersonates victim, ISP Denies Service? on Ask Slashdot: What Should We Do About the DDoS Problem? · Score: 1

    So you Issue a Decree (you're king today, right?) that says ISPs have to immediately disconnect any botnets and terminate their service.

    And Evil Botnet Dude modifies his botnet to spoof $TARGET1 attacking $TARGET2. And $TARGET1's ISP immediately takes them offline.

    PROFIT!!

    Tracing botnets is hard - it's a moving target, and the bad guys have access to as much crypto and security technology as the good guys do, and so much of the internet technology wasn't made to deal with clever malicious attackers, and much of it was designed to allow really private, relatively anonymous communications.

  2. Applications are weaker than OS's. on Ask Slashdot: What Should We Do About the DDoS Problem? · Score: 1

    Sure, Windows is a wretched hive of scum and villainy, but a lot of that's not just the OS, it's Word and Excel and Powerpoint (which think every document should be a Turing-complete programming language that autoexecutes) and Outlook (which makes it so easy to click on HTML links, opens images by default, and can be tricked into running things) and Internet Exploder.

    But then there's Mozilla, which defaults to executing Javascript and which is almost always set to run Flash as well.

    And then there are the more popular operating systems, like Android and iOS, which have applications that are written by all sorts of people, and which deliberately do all kinds of things nobody in their right mind would want them doing (like Angry Birds reporting your location), much less the things they do by accident or can be maliciously tricked into doing.

  3. SOHO defaults sort of do BCP38 via NAT on Ask Slashdot: What Should We Do About the DDoS Problem? · Score: 1

    The default setting on just about any SOHO router out there is that it does NAT from the LAN side (192.168.x.x) to the WAN (which gets one IP address from the ISP, either by DHCP or configured.) And of course, lots of people have more than one layer of NAT involved, because there's an ISP router (wired) and their own wireless one. But the defaults on SOHO routers generally also support UPnP, so it's easy to reset them.

  4. BGP filtering goes along with BCP38 on Ask Slashdot: What Should We Do About the DDoS Problem? · Score: 1

    The kinds of ISPs that are going to lie about it are either small enough that you can check their information (e.g. do good filtering on their BGP announcements, which you were going to do anyway just for reliability reasons), or big enough you can't do much about it (e.g. China's big providers.)

  5. Blocking spoofing stops much more than that on Ask Slashdot: What Should We Do About the DDoS Problem? · Score: 1

    Individual addresses don't matter much at this level, except for communications that weren't going to be spoofed anyway (such as bot-to-controller traffic, which mostly hides behind moving DNS addresses.) And I don't know which router you're thinking about the botnets hijacking - BCP38 gets implemented by the ISP's edge routers, not the end customer's cheap vulnerable home hardware, and if somebody's hacking ISPs' routers (which I'm sure they are), there are lots more serious problems.

    BCP38 spoof-dropping stops forged UDP connections, which blocks a lot of kinds of attacks from infected PCs, such as queries to DNS or NTP servers that send back bigger responses. It also stops some more subtle TCP attacks, like SYN floods or forged resets.

    Dropping spoofed traffic also reduces some more interesting attacks (such as overwhelming the target's firewall or IDS with CPU-burning alarms - no need to break their web server if you can make their firewall crash by sending it too many obviously malicious packets that break its management connection.)

    And sure, some of these attacks are old-school and boring, but they're still out there.

  6. Laws, yeah, right on Ask Slashdot: What Should We Do About the DDoS Problem? · Score: 1, Insightful

    Too many lawmakers are doing well to understand that the Internet is a Series of Tubes with cat pictures and pirated music on it, and too many of the ones who have some technical clue understand it deeply enough to make meaningful, implementable laws. Remember the CAN-SPAM law a few years ago, that was going to save us from spam? We can't even get the NSA to find Rachel from Cardholder Services.

    Nobody in the comments you're replying to was defending the people launching DDOS attacks from their PC. A DDOS attack is a Distributed Denial of Service; typically it has thousands or millions of infected machines each doing a bit of the attack, and you're not going to detect them all without doing Deep Packet Inspection on all the traffic, which isn't economically or technically feasible and would cause huge political controversy if it were.

  7. Oh, please!! It's just a Simple Matter of Policy!! on Ask Slashdot: What Should We Do About the DDoS Problem? · Score: 1

    Sure, it's that simple, just tell your customers not to do Bad Things! And tell all those cable modem users not to click on the attachments in their email that might infect their machines, that'll keep them all from doing it, just like it keeps them from buying spamvertised products, and like telling corporate users who have seriously funded IT departments not to be a victim of phishing attacks. Just because your customers are using third-party webmail instead of ISP mail services, that doesn't mean you can't protect them, does it?

    This stuff is REALLY ####ING HARD. 3-4 years ago, a big DDOS attack might be 1 Gbps, and ISP backbones were mostly 10 Gbps circuits, so an ISP running a bit cleaner box from Arbor or whoever had enough bandwidth to address the attack. Now we're looking at attacks at multiples of 100 Gbps, and if you want to clean that stuff you basically need those expensive boxes at every peering point, and you need to worry a lot more about false positives when you do.

    If you're an eyeball-handling ISP, you can detect some problems, and you'd certainly better be running BCP38. But how do you tell if your customers who are all sending https queries to the same site at the same time are an infected botnet, vs. just all trying to download some popular web page they read about on Slashdot?

    If you're a cloud provider, it's even tougher, because the technology and market are changing so fast that nobody knows what "normal" really looks like, and it's possible for somebody to spin up a botnet using a bunch of stolen-but-not-yet-blocked credit cards, attack, and run away before you've hit the $50 limit on each of them.

    And remember how much abuse Carrier X got when they got into a peering fight with Carrier Y? Think what happens when they do it suddenly because Carrier Y seems to be hosting a lot of botnets. And then think about what happens if Carrier Y is Amazon (see previous paragraph) or $CABLE-COMPANY or China.

  8. Re:Labrea Tarpit doesn't help volumetric attacks on Ask Slashdot: What Should We Do About the DDoS Problem? · Score: 1

    Sure, that'll stop some kinds of attacks. But the bots may not be sending TCP at all - they may be sending UDP, or faking UDP source addresses on DNS or NTP queries that generate big responses. Or they may not be doing full TCP, just sending the packets and ignoring the responses.

  9. That kind of spoofing is actually ok on Ask Slashdot: What Should We Do About the DDoS Problem? · Score: 1

    First of all, you can't trust CPE, because an evil user might have their own, and an innocent user's CPE might have been cracked; you have to actually detect at the carrier's end of the access line. Having the CPE try to also implement it is nice, because it sometimes protects against compromised computers, which are more common.

    But it's actually semi-ok if the Bad Guy spoofs a nearby address, just not a distant one. I'm going to change your numbers here, but if your home address is 1.1.1.1, and you send out a lot of spoofed traffic pretending to be from 1.1.1.3, you might annoy somebody on your block, but your bandwidth and theirs are probably similar, and your upstream is probably a lot smaller than their downstream.

    The problem is that if you're faking UDP traffic from your target or another large site, so you start pretending to be from 8.8.8.8 (trying to swamp victim.com's DNS queries with fake ones), or start sending queries from v.v.v.v to 8.8.8.8, especially if Google still allows any UDP DNS traffic that has bigger responses than queries. And it's a much worse problem when you're a Bad Guy getting a whole lot of infected home computers to do that, so they all gang up on v.v.v.v.
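A small simulation of the two BCP38 placements this comment contrasts, added here as an illustration (not code from the comment or from Slashdot): a strict per-access-line check at the carrier edge, and a looser per-aggregate check that lets a customer spoof a neighbour in the same block but not a distant address. The access-line names, the 1.1.1.x assignments and the sample packets are constructed; 203.0.113.10 and 198.51.100.7 stand in for the target and for v.v.v.v.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology: each access line at the carrier edge has one
# assigned address, and all lines aggregate into the ISP's own /24.
ACCESS_LINES = {
    "line-A": ipaddress.ip_network("1.1.1.1/32"),
    "line-B": ipaddress.ip_network("1.1.1.3/32"),
}
ISP_AGGREGATE = ipaddress.ip_network("1.1.1.0/24")


@dataclass(frozen=True)
class Packet:
    line: str   # access line the packet arrived on (the trustworthy fact)
    src: str    # claimed source address (what a spoofer controls)
    dst: str
    proto: str


def strict_filter(pkt: Packet) -> bool:
    """BCP38 at the access line: source must be the address assigned to that line."""
    return ipaddress.ip_address(pkt.src) in ACCESS_LINES[pkt.line]


def aggregate_filter(pkt: Packet) -> bool:
    """Looser BCP38 at the aggregation router: source only has to be inside
    the ISP's own block, so a nearby spoof passes but a distant one is dropped."""
    return ipaddress.ip_address(pkt.src) in ISP_AGGREGATE


# Constructed sample traffic, all arriving from customer lines.
SAMPLE = [
    Packet("line-A", "1.1.1.1", "203.0.113.10", "udp"),       # legitimate
    Packet("line-A", "1.1.1.3", "203.0.113.10", "udp"),       # spoofing the neighbour
    Packet("line-A", "8.8.8.8", "203.0.113.10", "udp"),       # claiming to be a distant resolver
    Packet("line-B", "198.51.100.7", "8.8.8.8", "udp"),       # reflection: victim's address toward a resolver
]


def classify(packets, policy):
    """Return (src, verdict) per packet under the given ingress policy."""
    return [(p.src, "forward" if policy(p) else "drop") for p in packets]


if __name__ == "__main__":
    for name, policy in (("strict", strict_filter), ("aggregate", aggregate_filter)):
        print(name, classify(SAMPLE, policy))
```

Both placements drop the two distant spoofs, including the reflection packet that would otherwise make a resolver answer toward the victim; only the strict check also catches the neighbour spoof the comment calls semi-ok.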

  10. Re: ponytail-wearing on US Army Could Waive Combat Training For Hackers · Score: 1

    Yeah, I was having trouble figuring that out. I think of "ponytail-wearing hackers" as those members of my (Boomer) generation who still have enough hair to tie up. And sorry, the Army tried to draft me once (my birthday made its saving throw successfully), taxed me for decades to pay for the Vietnam and Cold and Anti-Muslim Wars, and they're not going to get another chance.

  11. Facepalmingly incompetent ban, too on India Blocks Code Sharing Websites On Anti-Terror Advisory · Score: 1

    If the ISPs want to ignore the ban, they've got good ammunition. The ban lists a bunch of "URLs", including things like "http://vimeo.com/" and "https://archive.org". Does it ban URLs like "http://vimeo.com/some-movie-here" or "https://archive.org/whatever"? Nope, just the front pages of the websites :-). Then there's also the problem that most ISPs don't serve URLs, they transmit IP packets and maybe also serve domain names and email mailboxes, so technically the ISP is just connecting you to 107.162.132.45 port 80, not to http://vimeo.com./

    Does this incompetence mean that the government of India can't hassle ISPs that don't do what the censors wanted them to do, rather than what they asked them to? Sadly, probably not.

  12. Agreed, single-use numbers and Paypal FTW on Ask Slashdot: Dealing With Companies With Poor SSL Practices? · Score: 1

    That also reduces the ability of the company to coordinate your purchasing information (though your name and address are probably relatively unique, unless you also use single-use versions of those, like random apartment numbers for your house.)

    Somebody else also recommended using PayPal for sites that you don't want to trust on a regular basis. Any place that you don't trust, or that you think might be lax about security, or that you're not planning to use repeatedly can get by with that.

  13. Sizes of Constellations on What Northern Hemisphere Astronomers Are Missing From the Southern Hemisphere · Score: 4, Insightful

    The phrase "smallest of all 88 constellations" really irks me. Constellations aren't real things, they're imaginative descriptions of patterns people see to make it easier to remember which stars are which. There's at least one constellation "The Triangle*" which is smaller, or if you allow two-star constellations, "those two faint dots over there" is even smaller.

    (*Yes, I stole that The Triangle from Terry Pratchett; it's the name of a Discworld constellation.)

  14. Quantum vs. Relativity on Twitter Bug Locks Out Many Users · Score: 4, Funny

    Quantum mechanics does let you slightly violate relativity, sending very short messages back from the future.

  15. Chimps (and humans) are Apes, not Monkeys on N. Korea Blames US For Internet Outage, Compares Obama to "a Monkey" · Score: 1

    Ooook! Don't say the M-word near the Librarian!

    You're thinking of the "Bush or Chimp" website. We're not monkeys!

    And as the other poster said, at least in America, calling black people "monkeys" is specifically racist; calling white people that is just a non-racial insult.

  16. Why Kozmo sort of succeeded on Startups: the Crazy Ones, the Misfits, the Rebels ... the Dumb · Score: 1

    Ok, the company as a whole tanked rapidly, as one might expect, but according to friends who lived in its territory at the time, one reason the service was so popular was that one of the things it delivered was weed. The company itself didn't sell it, but the drivers did that themselves, so they were happy and the customers were happy, and there were an awful lot of deliveries that had only one random item on the books (plus weed.)

  17. Skype Call Setup and Media Path Protocols on Ars Reviews Skype Translator · Score: 1

    Skype used a server-based system to set up calls, going through supernodes if possible (so it was semi-P2P), which handled subscriber lookup functions and also NAT transparency (which was the big thing that Skype did better than standard VoIP protocols such as H.323 and SIP.)

    For the actual media path, if it could go directly, it would, but otherwise it would carry the call through supernodes (again, the NAT traversal problem.)

    These days it seems to be mostly central servers, partly as a result of Microsoft buying them and partly because there was a lot of corporate pushback against supernodes using your corporation's bandwidth to complete somebody else's call.

  18. Fixing the message on Docker Image Insecurity · Score: 1

    It would be ok if the message said "Manifest file contains correctly formatted checksum - still need to verify."

    That might also give you the hint that, if no message about "checksum verified correctly" appears later, probably no verification has been done.

  19. Peter Jackson's Next Movies on Ars: Final Hobbit Movie Is 'Soulless End' To 'Flawed' Trilogy · Score: 1

    I'm holding out for the 4-movie 16-hour extended-trilogy version of Farmer Giles of Ham and the first part of Leaf by Niggle: An Unwanted Journey.

    That, or if I do watch Hobbit 3, I'll need some good pipeweed first.

  20. How they'll afford new phones on Cuba Says the Internet Now a Priority · Score: 1

    They'll buy them cheap from China, just like we do. Maybe they won't buy the fanciest ones, or the ones hottest off the cutting edge of performance, but if you're making a device for internet access rather than mobility, it doesn't have to be as small or power-efficient.

  21. Original implementations for obvious things are ok on Uber Pushing For Patent On Surge Pricing · Score: 2

    If you believe in a patent system at all (which is a separate argument), an original implementation for a relatively obvious concept can still be patentable. Most patents I've seen start out by claiming something fairly obvious (a wheel) and have several progressively less obvious claims before getting to the core invention (a specific axle mounting design, etc.) and then maybe some variations. Most articles about patent abuse focus on the more obvious claims being obvious; that's separate from whether the more abusive actual cases are somebody getting a patent for the less obvious parts and then suing people for violating the much more obvious claims.

    Since Uber's lost about 10 previous attempts, they may very well be trying to patent something obvious (charging more when it's busy), or may be trying to patent more specific things about their implementation (but maybe still obvious to the patent examiners, who've actually taken taxis before, even if they haven't written compilers or optimized databases.)

  22. Cable to Cuba on Cuba Says the Internet Now a Priority · Score: 2

    The politics that mattered weren't the ones with Chavez, it was the US pressure on anybody else. Cuba's a really convenient place to run cable, and there's some cable there, but the amount of actual service that it was carrying was very tightly restricted because of the US embargoes. The telcos would have been happy to run a lot more of it, but weren't allowed to.

  23. Modern Cellular is the way to go on Cuba Says the Internet Now a Priority · Score: 2

    It's not completely wireless; to get any reasonable bandwidth out to the users, you need fiber to the towers, not just T1 or radio uplinks, but that's not too hard to do. (As another poster says, the telco's run by the government, so they shouldn't have a problem getting permits, just the usual issues with new construction in old cities.)

    No reason to use old phones - the newer standards are much more efficient at spectrum usage.

    And there's been fiber to the island for a long time; the problem has been that the US embargoes on trade with Cuba severely limited the services the telcos could provide. To the extent that that was caused by Treasury regulations (which Obama can change for two years) rather than law (which requires the Republicans in Congress to cooperate), they can get some of that service running quickly.

  24. Agreed: Transactional Currency, not Investment on Will Ripple Eclipse Bitcoin? · Score: 1

    Sure, some people will invest in Bitcoins, and other people will invest in racehorses. (I avoid the problem by mining Dogecoins, which are almost totally worthless.) That's missing the point of Bitcoin, which is that it's intended to be a currency for relatively-private transactions.

    Unfortunately, the markets that most wanted a currency for relatively-private transactions didn't do as good a job as they should have about being relatively-private on their own end (i.e. Silk Road got busted), but there is still a market for legitimate transactions, as you've pointed out.

  25. Good Voice-only Interface for Phone on Ask Slashdot: What Can I Really Do With a Smart Watch? · Score: 4, Informative

    What you need is a good voice-only interface for your phone, and if possible in your clean-room environment, some kind of Bluetooth headset. Phone rings, you tell it "answer". If you want to do something, tell Siri or equivalent, and get voice feedback. Not being an iPhone user, I don't know if Siri's good enough. (The Android stuff I've used so far hasn't been, but my car's phone-dialing interface is at least a start.)