[133456] in North American Network Operators' Group

Re: [Operational] Internet Police

daemon@ATHENA.MIT.EDU (Fred Baker)
Thu Dec 9 14:22:36 2010

From: Fred Baker <fred@cisco.com>
In-Reply-To: <AANLkTimrbfuv+sOy1dH0rCP0Txr+C9h59mRfZbJmdyso@mail.gmail.com>
Date: Thu, 9 Dec 2010 11:22:31 -0800
To: Michael Smith <tifoso.michael@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Dec 9, 2010, at 10:19 AM, Michael Smith wrote:
> My question is what architectural recommendations will you make to
> your employer if/when the US Govt compels our employers to accept our
> role as the "front lines of this "cyberwar"?
>
> I figure once someone with a relevant degree of influence in the govts
> realizes that the "cyberwar" is between content/service controllers and
> eyeballs. With involuntary and voluntary botnets as the weapons of "the
> eyeballs", relying exclusively on a line of defense near to the content
> (services) leaves a great expanse of "battlefield". I would expect the
> content/service controllers to look for means to move the battleline as
> close to the eyeballs as possible (this community) So... if/when our
> employers are unable to resist the US Govt's demand that we "join in the
> national defense", wouldn't this community be the ones asked to guard
> the border?
>
> Assuming the govt won't send federal agents into each of our NOCs,
> won't our employers ask us "what can we do?"
>
> If inspecting and correlating every single packet/flow for attack
> signatures is not feasible (on scale), are there name/address
> registration/resolution measures that could effectively lock-down the
> edge? ...will we look toward China/Saudi Arabia/etc for lessons learned
> in their 'great firewalls' to develop a distributed version where
> central control pushes policy out to the edge (into the private networks
> that currently provide the dreaded "low barrier for entry")?
>
> Obviously the environment is created by layers 8/9, but I'm interested
> in the layer 1-7 solutions that the community would consider/recommend.
>
> -Michael

In my ever-so-humble opinion, this is not primarily about copyrighted
material; it is primarily about content control. Go to any country in
the world; they have something they wish wasn't available on the net. It
might be child pornography, pornography in general by some definition of
that term or lack thereof, journalist reports regarding their country or
certain events in their country, paparazzi photos of their leaders or
their consorts, or comments or comics featuring important religious
figures or violating local social norms (did you know that DSLRs are
illegal in Kuwait unless one is a registered journalist?). The UN Al
Qua'da Task Force would like to block all files that originate from Al
Qua'da. During the US 2004 presidential elections, one of the candidates
suggested using CleanFeed to suppress information about dog racing. It
might be COICA, HADOPI, or some municipal court judge who has no idea
what he is asking but makes a decree that <something> should go away.
They are all, at the end of the day, talking about the same thing: "we
don't care what other countries or other people think; in our country,
<something> should not be available on the Internet."

Which is to say that they think that they should be in control of some
bit of content. Content control, which they might well decry when others
do it and respond very poorly when you point out their own actions.

I would note that in many cases similar laws already exist in the
various countries' legal systems. For some reason, rather than enforcing
the existing law of the land, they feel compelled to make a new law that
is specific to the Internet. I asked a lawyer advocating yet another
such law about this once, trying to find out why she thought that was
necessary. Her response was that the existing law of the land had been
found in court after court and jurisdiction over jurisdiction to be
unimplementable and unenforceable; a certain famous statement about the
definition of obscenity comes to mind, and very appropriately. "If I
have the law, it gives me one more chance to argue the case in court". A
case she freely admitted that she would very likely lose.

If your boss comes to you and asks you to be part of it, my suggestion
(I am not a lawyer, and this is not legal advice) would be to first ask
him whether he has a court order. If you are obligated to comply, you
are obligated to comply. But in any event, I would suggest that he read
http://www.washingtonpost.com/wp-dyn/content/article/2010/12/08/AR2010120804038.html.
I suspect we will be reading similar articles about some 70
sites that have been taken down recently, and in some cases they may
take whoever-did-it to court and win a judgement. The Internet routes
around failure, and people who think they can control content are
notorious for failing.

That's not a political viewpoint; some of those things that folks would
like to go away probably should. From a very pragmatic and practical
perspective, any technical mechanism that has been proposed is trivially
defeated. The first implementers of DKIM were the spammers. What does
CleanFeed do with https or encrypted BitTorrent? DNS Blocking is very
interesting in a DNSSEC world, and is trivially overcome by purchasing a
name in another TLD - or a thousand of them. Null routes block access to
specific addresses; move the content, and the null route is a waste of
bits. Look at how successful we have been in erasing botnets from our
memory, or viruses, or spam.

The way to address these things is not to childishly wish there was a
magic silver bullet that would make the problem go away. If it's against
the law, and in most cases the content that folks want to control is, go
arrest the guy.

That's not to say that you couldn't use technologies like CleanFeed or
Lawful Intercept, if you use them lawfully, to gather forensic evidence.
But that's a far cry from pretending to make the content go away.

