North American Network Operators Group


Re: Q: What do ISPs really think about security issues?

  • From: Gadi Evron
  • Date: Fri Jan 11 09:39:21 2008


On Fri, 11 Jan 2008, Suresh Ramasubramanian wrote:

All of it translates to


1. X more mailing lists to sign up to (lots and lots more email, great)
2. X more conferences to attend (more miles, yay, that's plat for this
year taken care of)
3. A sizeable amount of reinvention of the wheel too

Fun, isn't it?

To begin, I hate my inbox too. I want the same thing. And yes, I know a serious part of your inbox problem comes from me and mine--all I can offer in reparations is beer. I also dislike the fact many people are clueless, but I do like the fact clueless people are starting to get clued by, to a level, re-inventing the wheel.


This email is long, I am giving you my take. What I want to see is not necessarily your thoughts on my philosophy, but rather what YOU think should be done. What would MAKE a difference in the fighting, for you?

Suresh, you *know* I am with you and that there is nothing more important to me than information sharing and cooperation. Now let me correct that to recent times, that *used* to be the most important consideration, whether some of those in need never share back or give feedback only meant we only shared some of what we have, rather than all of it--not that we won't share.

Getting cooperation inside industries, then between them, then with academics, then with law enforcement, then with policy makers. It's been a rocky ride.. but well worth it.

The first amendment to this was the understanding that 'diversity is good', meaning; not to get upset when others choose to double resources and not cooperate. Diversity truly is great:

	* It lets new blood in
	* It creates new political presences (not necessarily powers) that
	  we need to cope with, making us less close-minded
	* Helps create and foster a community
	* Proves time and again that what we believe to be evil may have
	  been bad once, but is actually pretty good in the current
	  landscape--we got set in our ways and set taboos (sharing virus
	  samples outside the AV world, sharing C&C information, listening
	  in on bad guys, etc.)

Letting efforts run free enforces a sort of Darwinian selection as far as their methods and people, but more importantly it pushes the successful ones up to our sand box.. if only we can protect them from people like us long enough.

Naturally, diversity is not *always* good, which is the second amendment to the thinking process.

Moving on, these subjects are in fact mainstream, no longer discussed in rants by few looney people such as us. This brought some good, and naturally some bad.. but when affecting change one has to remember people need to decide for themselves and they in turn let us be successful in protecting them. Our accomplishments aside we kept what we were working on so secret that:

	* Administrators didn't have the knowledge or tools to cope (and
	  they could help)
	* Public awareness was non existent (which we are suffering from
	  now)
	* Political awareness was non existent (which we are suffering
	  from now)

It is not about a holier than thou attitude, it's about understanding that the Internet is truly the only functioning anarchy, and that "doing" by itself makes a difference. New people who come along and will try their own way, and a sort of non-committal Darwinian seclusion or capitalism (not necessarily monetary) will determine their success. We can't stop them so may as well help them, yes?

As to current existing mail tornados of too many places to be and to see... we get less and less over time, but it is what it is, and it is about human nature. Human nature, social structures, etc.--nuff said.

Meeting the new crowd is always good, but seeing how they not only re-invent the wheel on the how to cope, but rather in their whole thinking process, I am slightly concerned. We HAVE information sharing, we HAVE cooperations. What the Internet, and we, need, is to move to the next level, whatever that may be--of course I have my ideas about that.

That means moving from good-will based relationships to something more substantial, as the criminal side has moved on long ago to billions in revenue, R&D teams, outsourcing, and kinetic [support] operations (from fraud to throat-cutting).

We are of course limited to what we *can* do:

	* Physical world efforts (law enforcement getting better,
	  conferences to bring people together)
	* Intelligence gathering

Non operational:

	* Political outreach ("there is no cyber-crime problem")
	* Awareness raising

We may have achieved a LOT on our end, but at the end of the day we have made exactly a dent in the criminals' operations, and no more. We make that dent once in a while and they move on, evolving. In retrospect we haven't made any difference on their side, and they won.

Won what, you may ask. The war? We never really fought, it is a false argument that we did, and as one of the many people who are doers out there and gave a chunk of their lives to this 'fighting' I can say that and not offend myself.

Our fighting has been (mostly) limited to getting slapped, and writing analysis about it.

What I'd like to see? Here's three items on a strategic level rather than tactical, which I can go on about forever (you know I like to hear my own voice, right? :) )

	* People working to bridge the tech-policy gap between people like
	  us and policy makers (who following Estonia *are* writing
	  policy which will affect us)
	* In a situation where we don't start a war not we, but rather the
	  Internet can't win--actively fight back
	* These efforts stopping to be a volunteer-based 'thing' and
	  moving to people who should be doing it (not people like me)

Listening is, of course, important. As is coming in with an open mind
and without a holier than thou attitude .. especially if the attitude
is combined with the sort of "URGENT!! TAKE THIS PHISHER DOWN NOW!!"
abrasiveness nobody else really appreciates.

That, by the way, is why I'm glad to see more and more organizations
holding collocated / joint meetings .. across, to use some igov jargon
(and for want of a better word) "stakeholder communities" .. banks
talking to ISPs talking to LE / regulators talking to independent
researchers etc.

Indeed!
Thing is, most stop at the talking stage, which they get off their chest and will do again 6 months from now.


The Internet is not gonna die tomorrow, it is already IPv6 in Asia. :P

Taking a step back from security, from my niche, in which I am extremely worried--as long as people can download their pr0n and argue over Captain Kirk, I am happy. Thing is, all these millions of incidents every moment are nothing but background noise.

WE CAN'T handle them, we can just jump at big ones. As long as things remain this way, my holistic-view self will be happy, but as the awareness decreases and the background noise increases--we will eventually be "only useless" rather than "mostly useless" in bottom line net effect on the criminals. That of course unless we understand we need to do something drastically different than what failed us so far, even if it did help us get organized.

What ISPs can do? They can do a lot more than they do now. That is also a false statement as people can always do more. ISPs may be a part of the solution, but they are not the solution. We can affect how techies work, but the business folks are the ones making the decisions and making fighting criminals make business sense is not always the best use of our time.

ISPs? Some of the best and smartest people in the world work at ISPs. Unfortunately, also some of the stupidest.

--srs