Reviewing Bruce Schneier’s 2004 book Secrets and Lies,
much of which was written in 2000, reminds us of something really basic.
You can’t just fix security.
Security is a process, most of which is about knowing what’s going on.
Detection is more important than prevention.
To which I add that for detection we need comparable Internet-wide metrics
on security performance so every organization can see
what’s going on and will have incentive to do something about it
because its customers and competitors can see, too.
SpamRankings.net is about.
2. “Detection is much more important than prevention”
Schneier keeps coming back to this point. He had this epiphany in
1999 that “it is fundamentally impossible to prevent
attacks” and “preventative countermeasures fail all the
time.” Security is “about risk management, that the
process of security was paramount, that detection and response was
the real way to improve security.” (emphasis mine)
I had formerly thought of security as largely being about
prevention. A year ago, if you had asked me about
“InfoSec” I might have prattled on about firewalls,
injection attacks, encryption and good passwords. That’s still
important, but now I know that there’s a lot more to it.
Zack says he thinks Schneier was like Nostradamus for having such
NSA PRISM and even before Facebook.
Sure, Bruce has always been ahead of his time.
But that basic insight was not unique to him, and
John S. Quarterman, long time Internet denizen, wrote one of the
seminal books about networking prior to the commercialization of the
Internet. He co-founded the first Internet consulting firm in Texas
(TIC) in 1986, and co-founded one of the first ISPs in Austin
(Zilker Internet Park, since sold to Jump Point). He was a founder
of TISPA, the Texas ISP Association.
Quarterman was born and raised
in Lowndes County, where he married his wife Gretchen. They live on
the same land where he grew up, and
participate in local community
WWALS is an advocacy organization working for watershed conservation
of the Willacoochee, Withlacoochee, Alapaha, and Little River
Systems watershed in south Georgia and north Florida through
awareness, environmental monitoring, and citizen advocacy.
Microsoft, world leader in Internet security, will doubtless clean up its spamming act when it sees its AS 8075 is #1 for outbound spam in the U.S. for April 2012 in rankings from PSBL data, pushing the U.S. to #1 worldwide.
Other rankings don’t show Microsoft high, but does MSFT really want to show up in any of these rankings?
[Figure: Percent of top 10]
The rankings that show Microsoft high are derived by SpamRankings.net from PSBL blocklist data. The April 2012 SpamRankings.net rankings from CBL blocklist data do not show Microsoft in the top 10. Apparently PSBL’s spam traps happened to be in the line of spam from Microsoft, while CBL’s were not.
And of course Microsoft probably doesn’t mean to be sending any of that spam. More likely botnets exploited a MSFT security vulnerability. Here’s hoping they clean it up soon!
What is to be done when botnet takedowns don’t produce lasting benefits?
At the Telecommunications Policy and Research Conference in Arlington, VA
in September, I gave a paper about
Rustock Botnet and ASNs.
Most of the paper is about effects of a specific takedown (March 2011)
and a specific slowdown (December 2010) on specific botnets
(Rustock, Lethic, Maazben, etc.) and specific ASNs (Korea Telecom’s AS 4766,
India’s National Internet Backbone’s AS 9829, and many others).
The detailed drilldowns also motivate a higher level policy discussion.
Knock one down, two more pop up: Whack-a-mole is fun, but not a
solution. Need many more takedowns, or many more organizations
playing. How do we get orgs to do that? …
RIPE-NCC is the oldest of the Regional Internet Registries (RIRs),
and RIPE is the deliberately unorganized association of interested parties
that meets twice a year and holds discussions online in between.
It’s a mix of operations, research,
Topics range from obscure details of deploying IPv6 to organizational
proposals such as what I was talking about.
430 people attended the meeting in Rome, which was quite a few more
than the dozen or two of the first RIPE meeting I went to many years ago.
Interesting questions were asked.
I may blog some of them.
Paul Graham points out that big-company checks on purchasing
usually have costs: for example, purchasing checks increase the cost of
purchased items because the vendors have to factor in their costs
of passing the checks.
Such things happen constantly to the biggest organizations of all,
governments. But checks instituted by governments can cause much worse
problems than merely overpaying. Checks instituted by governments can
cripple a country’s whole economy. Up till about 1400, China was richer
and more technologically advanced than Europe. One reason Europe pulled
ahead was that the Chinese government restricted long trading voyages. So
it was left to the Europeans to explore and eventually to dominate the
rest of the world, including China.
I would say western governments (especially the U.S.) subsidizing
petroleum production and not renewable energy is one of the biggest
sources of current world economic, political, and military problems.
Of course, lack of checks can also have adverse effects as we’ve
just seen with the fancy derivatives the shadow banking system
sold in a pyramid scheme throughout the world.
It’s like there should be a balance on checks.
Which I suppose is Graham’s point: without taking into account
the costs of checks (and I would argue also the risks of not
having checks), how can you strike such a balance?