Category Archives: Reputation Systems

Community Flow-spec Project

A lightning talk at NANOG 48, Austin, Texas, 22 Feb 2010, by John Kristoff, Team Cymru. See RFC 5575.

Update: PDF of presentation slides here.

+--------+--------------------+--------------------------+
| type   | extended community | encoding                 |
+--------+--------------------+--------------------------+
| 0x8006 | traffic-rate       | 2-byte as#, 4-byte float |
| 0x8007 | traffic-action     | bitmask                  |
| 0x8008 | redirect           | 6-byte Route Target      |
| 0x8009 | traffic-marking    | DSCP value               |
+--------+--------------------+--------------------------+
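As an added example (not part of the talk or of the Team Cymru prototype), here is a Python encoder/decoder for the four extended-community types in the table, so a receiving router or feed consumer can inspect exactly what a flow route would do before installing it. The bit positions for traffic-action and the placement of the DSCP value follow RFC 5575; the AS numbers and route target values used in tests are constructed.

```python
import struct

# Extended-community type codes from the table above (RFC 5575).
TRAFFIC_RATE, TRAFFIC_ACTION, REDIRECT, TRAFFIC_MARKING = 0x8006, 0x8007, 0x8008, 0x8009


def encode_traffic_rate(asn: int, bytes_per_sec: float) -> bytes:
    """2-byte AS number + 4-byte IEEE-754 float in bytes/s; 0.0 means discard."""
    return struct.pack("!HHf", TRAFFIC_RATE, asn, bytes_per_sec)


def encode_traffic_action(terminal: bool, sample: bool) -> bytes:
    # RFC 5575 bitmask: bit 47 (least significant) = terminal action, bit 46 = sample.
    bits = (1 if terminal else 0) | (2 if sample else 0)
    return struct.pack("!H", TRAFFIC_ACTION) + bits.to_bytes(6, "big")


def encode_redirect(asn: int, assigned: int) -> bytes:
    """Route Target in the 2-byte AS : 4-byte assigned-number form."""
    return struct.pack("!HHI", REDIRECT, asn, assigned)


def encode_traffic_marking(dscp: int) -> bytes:
    """Five zero bytes, then the DSCP value in the low 6 bits of the last byte."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP must fit in 6 bits")
    return struct.pack("!H", TRAFFIC_MARKING) + bytes(5) + bytes([dscp])


def decode(ec: bytes) -> dict:
    """Decode one 8-byte flow-spec extended community into its action fields,
    so the receiver can check a flow route before installing it."""
    if len(ec) != 8:
        raise ValueError("extended community must be exactly 8 bytes")
    typ = struct.unpack("!H", ec[:2])[0]
    val = ec[2:]
    if typ == TRAFFIC_RATE:
        asn, rate = struct.unpack("!Hf", val)
        return {"action": "traffic-rate", "asn": asn, "bytes_per_sec": rate, "discard": rate == 0.0}
    if typ == TRAFFIC_ACTION:
        bits = int.from_bytes(val, "big")
        return {"action": "traffic-action", "terminal": bool(bits & 1), "sample": bool(bits & 2)}
    if typ == REDIRECT:
        asn, assigned = struct.unpack("!HI", val)
        return {"action": "redirect", "route_target": f"{asn}:{assigned}"}
    if typ == TRAFFIC_MARKING:
        return {"action": "traffic-marking", "dscp": val[5] & 0x3F}
    raise ValueError(f"unknown flow-spec extended community type 0x{typ:04x}")
```

A rate of 0.0 is the "discard" case the bogon-feed idea relies on, while a redirect to an unexpected route target is exactly the kind of thing a feed consumer should reject before it trusts a victim-defined route.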

A few selected points:

  • Dissemination of Flow Specification Rules
  • Think of filters (ACLs) distributed via BGP
  • BGP possibly not the right mechanism
  • Multi-hop real-time black hole on steroids
  • Abuse Handler + Peering Coordinator
    = Abeering Coordinator?
  • Traditional bogon feed as source prefix flow routes
  • A la carte feeds (troublesome IP multicast groups, etc.)
  • AS path prepend++
  • Feed-specific community + no-export

He showed some examples of specs for flows (I can’t type fast enough to transcribe those).

Trust issues for routes defined by victim networks.

Research prototype is set up. For questions, comments, setup, contact: http://www.cymru.com/jtk/

I like it as an example of collective action against the bad guys. How to deal with the trust issues seems the biggest item to me.

Hm, at least to the participating community, this is a reputation system.

Solving for the Commons

So simple!

BN > BE + C

Aldo Cortesi channels Elinor Ostrom and summarizes what we need to fix Internet security by enticing the providers and users of the Internet to manage it as a commons. But first, some background.

Since at least 1997 (“Is the Internet a Commons?” Matrix News, November 1997) I’ve been going on about how Garrett Hardin’s idea of the tragedy of the commons doesn’t have to apply to the Internet, because:

Chinese Honeynet Project: Botnets Are Sneaky and Evolving; Need Adaptive Distributed Counter

The subject is my interpretation of a sixteen page paper by a joint Chinese-German project to examine botnets in China.

Botnets have become the first-choice attack platform for network-based attacks during the last few years. These networks pose a severe threat to normal operations of the public Internet and affect many Internet users. With the help of a distributed and fully-automated botnet measurement system, we were able to discover and track 3,290 botnets during a period of almost twelve months.

Characterizing the IRC-based Botnet Phenomenon, Jianwei Zhuge, Thorsten Holz, Xinhui Han, Jinpeng Guo, and Wei Zou; Peking University Institute of Computer Science and Technology, Beijing, China, and University of Mannheim Laboratory for Dependable Distributed Systems, Mannheim, Germany; Reihe Informatik TR-2007-010

The paper provides many interesting statistics, such as that only a small percentage of botnets are detected by the usual Internet security companies. But the main point is exactly that a distributed and adaptive honeypot botnet detection network was able to detect and observe botnets in action and to gather the data for all those statistics. Trying to deal with an international, adaptive botnet threat via static software or occasional centralized patches isn’t going to work.

Some readers conclude that this paper shows that reputation services don’t work, because they don’t show most botnets. I conclude that current reputation services don’t work because they aren’t using an adaptive distributed honeypot network to get their information, and because their published reputation information isn’t tied to economic incentives for the affected ISPs and software vendors, such as higher insurance rates.

-jsq

Egerstad Arrested: Uses Tor to Snoop Snoopers; Is This a Crime?

So this fellow was just arrested and some of his computers confiscated:

Dan Egerstad, a security consultant, intercepted data carried over a global communications network used by embassies around the world in August and gained access to 1000 sensitive email accounts. They contained confidential diplomatic memos and other sensitive government emails.

After informing the governments involved of their security failings and receiving no response, Egerstad published 100 of the email accounts, including login details and passwords, on his website for anyone curious enough to have a look. The site, derangedsecurity.com, has since been taken offline.

Swedish Police Swoop on Dan Egerstad – UPDATE by Fergie, Fergie’s Tech Blog, 14 Nov 2007

He got this information by installing Tor, which people use to hide their IP addresses, and looking to see what passed over it. He believes that what he saw was other people who had already broken into embassy accounts and were using them illicitly. He tried to inform governments, who (except for Iran) were uninterested. Then he posted his information online, thus probably stopping the snoopers.

So Egerstad gets arrested, yet this man, who says “Privacy no longer can mean anonymity” walks around free.

-jsq

RIAA Blowback

Sometimes suing your customers produces blowback:

Former RIAA target Tanya Andersen has sued several major record labels, the parent company of RIAA investigative arm MediaSentry, and the RIAA’s Settlement Support Center for malicious prosecution, a development first reported by P2P litigation attorney Ray Beckerman of Vandenberg & Feliu. Earlier this month, Andersen and the RIAA agreed to dismiss the case against her with prejudice, making her the prevailing party and eligible for attorneys fees.

The lawsuit was filed in the US District Court for the District of Oregon late last week and accuses the RIAA of a number of misdeeds, including invasion of privacy, libel and slander, and deceptive business practices.

Exonerated defendant sues RIAA for malicious prosecution By Eric Bangeman, Ars Technica, June 25, 2007 – 04:40PM CT

Does it help a company or an industry’s reputation when its customers sue back? Is this good risk management?

-jsq

Breach Discovery

If people know about security breaches, maybe there’s incentive for the companies whose customers they are or the governments whose constituents they are to do something about them, so this is good news:

New Hampshire, one of a handful of U.S. states that require breaches involving personal information to be reported to the state as well as to affected individuals, has made at least some breach notices it has received available on the net.

New Hampshire gets it, Chris Walsh, Emergent Chaos, 13 June 2007

Or at least if we know what’s really going on, maybe unfounded scare


Reputation Management

In the previous post I mentioned reputation systems. The flip side of that is reputation management, so that companies can react to reputation systems and proactively manage their own reputations. It turns out that Harold Burson, “the century’s most influential PR figure”, and Jon Harmon are thinking along similar lines:

The key is in reputation management. When company leaders come to understand that reputation is the company’s most valuable asset, they will increasingly value those who can actively and successfully manage reputation.

Reputational momentum defines the art of the possible of nearly every other goal of the business or organization – sales, profits, retention, recruitment or fund-raising. If your reputation is on the rise, achieving your other goals is so much easier. Conversely, a poorly managed crisis leading to a significant drop in reputation can capsize even the company’s most valiant efforts to achieve its other goals.

An Open Letter to Harold Burson: Reputation Management Fulfills PR’s Highest Calling, John Harmon, Force for Good, 15 March 2007

Harmon’s specific suggestion has to do with a chief-level PR officer, with potential for being on CEO track. On the one hand, every profession seems to want this. On the other hand, after the big reputation botches at Intel and HP it’s hard to argue that corporations could use reputation advice at the highest levels, preferably before they shoot themselves in the foot. So a PR consigliere sounds good to me.

-jsq

Flickr Flickers

Flickr’s recent outage is aptly described by Abel Eble in The Quiet Earth:

Folks, this is one of the best pieces of crisis management I have ever seen! It states the problem; it states the solution; it takes the blame where necessary and it gives a promise to the future. Now, if we could set this as mandatory teaching for all companies worldwide I would feel so much better.

Leveling with the customers; what a concept!

-jsq

It Can’t Happen Here

Lately I’ve seen a lot of ink and bits spilled about whether to move New Orleans.  NOLA is unique, because it is mostly below sea level. It is also part of an industrial corridor sometimes called the American Ruhr.  And it is the port for a third of the U.S.  And the whole levee system is an artificial attempt to contain a river that naturally changes course every so often.  All those points are worth separate discussion.

But here I’d like to address the underlying assumption of many people who suggest moving New Orleans: that it can’t happen here, here being wherever the writer is.

Let me pick on Boston.  Everyone knows that Boston never gets serious hurricanes, right? Yet downtown Boston is surrounded on three sides by water and has a typical elevation of about 20 feet.  Boston’s Back Bay is built on landfill about that high above the Charles River, and might subside if flooded. Then there’s the Big Dig, which undermines numerous buildings; what would it do if completely flooded? Plus Bostonians aren’t used to preparing for hurricanes.

The Great Colonial Hurricane

Yet it can happen here.  It has, in August 1636, with a 20 foot ocean surge.
