Re: RFC 3271 and Internet abuse

On Tue, 30 Apr 2002 15:49:46 PDT, james woodyatt <jhw@wetware.com>  said:
> >    with care and consideration.  For those who choose to abuse these
> >    privileges, let us dedicate ourselves to developing the necessary
> >    tools to combat the abuse and punish the abuser.
> 
> I'd like to see a more thoughtful statement about what kind of tools the 
> Internet Society favors for countering Internet abuse.  The final 
> sentence in the paragraph above seems under-clear to me.

It's under-clear because those of us who do network security and similar
don't have a better idea of how to phrase it.  There's no clear-cut
and obvious way to phrase it for the legal profession, and we're still
working on how to make the network itself abuse-proof.
 
> As a personal statement of conviction, I would say that I favor tools 
> that empower individuals cooperating in large numbers to make the 
> decisions about who should be punished and to what extent.  When such 
> tools are efficacious, I think the Internet Society should favor them.  
> It's much better when abusers are driven from the network because they 
> can't attract buyers for their services, than when the cops have to run 
> them off as a menace to the whole Internet.

Now, although this may *sound* like a good idea, and has shown some
limited areas of success (tools like MAPS and ORBS, or Vipul's Razor,
for instance), there's some *very* tricky issues lurking here:

1) Remember that MAPS and ORBS do *NOT* reject spam mail.  They merely
maintain a database for you to consult and make your *OWN* decisions
regarding whether *YOU* wish to reject a given piece of mail.  This
is a very important legal distinction, and necessary in most countries
so that the people running the database don't end up in legal trouble,
both civil and criminal, for conspiracy and restraint-of-trade.

2) Take a good close look at the last piece of spam you received, and
ask yourself who to "punish" - keeping in mind that it could be
a "joe job" (disguised to look like somebody else did it), or possibly
even the result of a Klez/SirCam style worm.  Also, remember that any
given user may only get 2 or 3 copies *at most* to work with, so you
need a way to aggregate stuff (see Vipul's Razor or any of the
IDS systems that have a 'network management' interface).  This brings
us to point 3:

3) Let's say that we decide that 3,000 reports of a given spam is enough
to "flag" a site as an offender (remember that even if only 1% of the
users *report* it, that's over a quarter million spams...).  This leads to
an interesting Denial of Service attack:  Large Corporation A sends 10,000
workers home with forged spam for them to "report", causing B-Corp Ltd's
main e-mail gateway to get flagged as a spamhaus.  If you don't think this
*WILL* happen, note that the corporation responsible for 'astroturfing' in
the Jargon File was caught trying to stack an online poll recently...

4) Although there are corners of the world that have corrupt judges
and police, or a concept of "justice" that may be greatly at odds with
your own, most parts of the world have a workable definition of "due
process".  Although a grass-roots "we don't want it" campaign *might*
be good enough to stop spammers, it certainly won't cut it in the
cybercrime arena (and I speak here as somebody who at least once a week
was accused of doing slow portscans of people.  Oddly enough, the UDP
source port was always 123, and the machine was the A record that the
CNAME ntp-2.vt.edu pointed at.  Go figure ;) )  This is certainly *not* the
sort of thing you want IWF (Idiot With Firewall) users doing; there
need to be some clued and trained investigators, due process, and all
that stuff.

5) Instead of finding a way to punish the bad guys, consider rewarding
the good guys instead.  (Warning: shameless plug - see disclosure below)  
See if your organization can specify "must be hardened against the SANS/FBI
Top 20 list", or "scores at least a 7 on the appropriate Center for Internet
Security benchmark *out of the box*", or similar. Make it a lot harder for
the bad guys.  If you have a reason to not like the SANS or CIS lists,
feel free to use some other criterion and demand safer systems from vendors.

6) Patch and secure the systems you've got - no sense in being a target. ;)

				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

Disclosure: I was heavily involved in producing the SANS/FBI Top 20 list,
and have been involved in the CIS benchmark process as well.  I don't
get any financial benefit from it, only the knowledge that every time
a system gets tightened down, the net gets a bit safer....
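A worked illustration of point 3 above (the forged-report denial of service), added here as an example and not part of the message above: a toy report aggregator that counts every report at face value, beside one that caps the votes any single reporting network can cast. The report format, the 3,000-report threshold, the /16 grouping and the per-network cap of five are all assumptions made for the demo, and every report in it is constructed data.

```python
"""Toy spam-report aggregator: naive counting beside a per-network cap.

Added example, not code from the original post. Report format, threshold,
/16 grouping and the per-network cap are assumptions; all report data is
constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

THRESHOLD = 3000        # reports needed to flag a gateway (the figure used in point 3)
MAX_PER_NETWORK = 5     # assumed cap: votes one reporting /16 may contribute per gateway


@dataclass(frozen=True)
class Report:
    reporter_ip: str        # address the report was submitted from
    accused_gateway: str    # mail gateway the reporter blames


def naive_count(reports):
    """Flag any gateway named in at least THRESHOLD reports, trusting every report."""
    counts = defaultdict(int)
    for r in reports:
        counts[r.accused_gateway] += 1
    return {gw for gw, n in counts.items() if n >= THRESHOLD}


def reporter_network(ip):
    """Group reporters by /16 so one organisation cannot cast unlimited votes."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def diverse_count(reports):
    """Like naive_count, but each /16 contributes at most MAX_PER_NETWORK distinct reporters."""
    per_gateway = defaultdict(lambda: defaultdict(set))
    for r in reports:
        per_gateway[r.accused_gateway][reporter_network(r.reporter_ip)].add(r.reporter_ip)
    votes = {gw: sum(min(len(reporters), MAX_PER_NETWORK) for reporters in nets.values())
             for gw, nets in per_gateway.items()}
    return {gw for gw, n in votes.items() if n >= THRESHOLD}


def build_scenario():
    """Constructed data for the two cases in point 3."""
    reports = []
    # Large Corporation A: 10,000 workers, all inside 10.1.0.0/16, 'report' forged spam
    # that names B-Corp's gateway as the source.
    for i in range(10_000):
        reports.append(Report(f"10.1.{i // 256}.{i % 256}", "mail.b-corp.example"))
    # A genuine spam run, reported by 3,200 unrelated users spread over 3,200 different /16s.
    for i in range(3200):
        reports.append(Report(f"{130 + i % 100}.{i // 100}.1.7", "spamhaus.example"))
    return reports


def run():
    """Return (gateways flagged naively, gateways flagged with the per-network cap)."""
    reports = build_scenario()
    return naive_count(reports), diverse_count(reports)


if __name__ == "__main__":
    naive, diverse = run()
    print("naive  :", sorted(naive))     # both gateways flagged
    print("diverse:", sorted(diverse))   # only the real spam source
```

naive_count() flags both mail.b-corp.example (10,000 reports, all from one /16) and spamhaus.example; diverse_count() keeps only spamhaus.example, because the 10,000 corporate reports collapse to five votes. The cap is not a fix on its own: a worm-infected population of the Klez/SirCam kind mentioned in point 2 gives an attacker reporters in thousands of networks, and the joe-job problem remains if the aggregator keys on the forgeable From: header rather than on the relaying host recorded in a trusted Received: header.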

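The NTP anecdote in point 4 (an "Idiot With Firewall" reporting UDP source port 123 as a slow portscan) as a detection example, added here and not part of the message above: a naive detector that counts distinct inside ports touched by each outside host, beside one that first discards inbound packets that reverse a flow an inside host initiated. The log line format, the addresses, the client count and the threshold of eight ports are all assumptions made for the demo, and the log lines are constructed.

```python
"""Naive vs stateful 'portscan' detection over a constructed firewall log.

Added example, not code from the original post. Log format, addresses and
threshold are assumptions made for illustration.
"""
from collections import defaultdict

SCAN_THRESHOLD = 8       # distinct inside ports touched by one outside host before flagging (assumed)
LAN_PREFIX = "10.0.0."   # constructed: our inside network


def constructed_log():
    """Sample lines in the form 'ACTION PROTO src:sport -> dst:dport' (format is an assumption)."""
    lines = []
    ntp = "198.51.100.10"     # constructed stand-in for a public NTP server such as ntp-2.vt.edu
    for i in range(10):       # ten inside clients each query from a fresh ephemeral port
        client, eph = f"10.0.0.{5 + i}", 32800 + i
        lines.append(f"ALLOW UDP {client}:{eph} -> {ntp}:123")
        lines.append(f"ALLOW UDP {ntp}:123 -> {client}:{eph}")   # reply: source port is always 123
    scanner = "192.0.2.99"    # constructed: a real scanner walking one host's service ports
    for port in (21, 22, 23, 25, 53, 80, 110, 111, 139, 143, 443, 8080):
        lines.append(f"DROP TCP {scanner}:{40000 + port} -> 10.0.0.5:{port}")
    return lines


def parse(line):
    """Split one log line into (proto, src_ip, src_port, dst_ip, dst_port)."""
    _action, proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto, sip, int(sport), dip, int(dport)


def naive_scanners(lines):
    """IWF logic: an outside host that hits many of our ports must be scanning us."""
    ports = defaultdict(set)
    for line in lines:
        _proto, sip, _sport, dip, dport = parse(line)
        if not sip.startswith(LAN_PREFIX) and dip.startswith(LAN_PREFIX):
            ports[sip].add(dport)
    return {ip for ip, hit in ports.items() if len(hit) >= SCAN_THRESHOLD}


def stateful_scanners(lines):
    """Count only unsolicited inbound packets: a packet that reverses an earlier
    outbound 5-tuple is a reply, whatever its source port happens to be."""
    outbound = set()
    ports = defaultdict(set)
    for line in lines:
        proto, sip, sport, dip, dport = parse(line)
        if sip.startswith(LAN_PREFIX):
            outbound.add((proto, sip, sport, dip, dport))
        elif dip.startswith(LAN_PREFIX):
            if (proto, dip, dport, sip, sport) in outbound:
                continue              # answer to something we sent; not a probe
            ports[sip].add(dport)
    return {ip for ip, hit in ports.items() if len(hit) >= SCAN_THRESHOLD}


if __name__ == "__main__":
    log = constructed_log()
    print("naive   :", sorted(naive_scanners(log)))      # NTP server wrongly accused
    print("stateful:", sorted(stateful_scanners(log)))   # only the real scanner
```

naive_scanners() accuses the NTP server, whose replies land on ten different ephemeral ports, along with the real scanner; stateful_scanners() keeps only the scanner. The check matches the whole reversed 5-tuple rather than exempting "source port 123": a scanner can set its source port to 123 (or 53, or 20) precisely to slip past port-based exemptions, and it is still caught here because no inside host ever sent it anything. Replies that arrive after a firewall has expired its state entry are the usual way a time server ends up in somebody's portscan complaint.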
