North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Hi, we're from the government and we're here to help

  • From: Patrick Greenwell
  • Date: Sat Mar 11 00:42:51 2000

On Fri, 10 Mar 2000, Kelly J. Cooper wrote:

> People who coordinate these kinds of consortia do so on a 
> practically full-time basis if they want to get anything
> done.

Having sat on the board of such an organization, I know this full well. 
I've also come to realize that this is because many such organizations
attempt to do far too many things. 

> If a specific ISP sponsors the group, what's to stop the
> rest of the world from accusing that ISP of bias?  

I wasn't suggesting any one ISP sponsor such an entity by itself.

> Same issue with a vendor.  The problems of anti-trust are very
> serious in this arena.

That is entirely dependent on the scope of the organization, how
it is formed, and how it behaves in operation. 

> If you have an elected board doing volunteer work and 
> meeting on a periodic basis to discuss security, you suffer
> from the same problem of resources without someone more
> dedicated to sheparding the process along.

What I've suggested is a much narrower focus initially: creating 
workable communication/procedures protocols for NOC<->NOC event handling.

That's it. 

Effective communication and event handling is what is needed most IMO, and
that which is completely lacking among providers. Having these things
would have served to both greatly decrease the length and severity of the
recent round of attacks, and more importantly may have significantly aided
attempts to track down the perpetrator.

People are going to continue to run insecure boxes/networks. People are
going to continue to author insecure code. It's a fact of life. It's not a
problem that is going to be solved in the short or mid-term by
anyone. That is why I feel so strongly that working on a problem where
there is a reasonable chance of solving it(communication) is of much
greater benefit to the community at large. It certainly is a better
expenditure of my time which is a rare commodity and not something I am
eager to waste.

> All the groups suffer from the same problems - they slack 
> off, lose funding, re-invent themselves, start some new 
> subgroup, try to drum up interest, etc.  Because sustained 
> volunteer work is HARD.  If you don't think it's hard, then 
> you don't have enough to do.

Again, like you, I've been there. I know all too well the difficulties
surrounding volunteer labor in this arena.

However as I stated above, I believe this is due to a scoping
issue. Trying to be the "all-singing all-dancing organization" is what 
leads to these failures.

As an example of a relatively successful community-based effort take a
look at the RBL. It has maintained a fairly narrow focus, and succeded
on that basis. It should serve as evidence that carefully scoped
organizations *can* succeed. 

> This cycle is old.  I know I'm bored with it.
> So now what?

That's up to you. 

> How do you propose to cull the wheat from the chaff? 

By doing what I've already done: ask that those among us who are willing
to put their money where their mouths are do so. It is seemingly damn near
the quickest way of shutting up the uncommitted.

> Because if it was just as easy as kicking in a few bucks to 
> yet another consortium, I'd do it in a heartbeat.

That of course isn't enough. The only way that these things are going to
get fixed is if people care enough to do so. 

I'm not holding my breath....

                               Patrick Greenwell                          
                       Earth is a single point of failure.