[187054] in North American Network Operators' Group
Re: de-peering for security sake
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sat Jan 16 14:10:44 2016
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <0BA33EDB-D8F8-405B-8987-CC8DA1BE5D03@ianai.net>
Date: Sat, 16 Jan 2016 11:09:27 -0800
To: "Patrick W. Gilmore" <patrick@ianai.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On Jan 16, 2016, at 07:15, Patrick W. Gilmore <patrick@ianai.net> wrote:
>
> On Jan 16, 2016, at 9:53 AM, Rich Kulawiec <rsk@gsp.org> wrote:
>> On Sat, Jan 16, 2016 at 05:43:56AM -0800, Ca By wrote:
>
>>> I see a great deal of folks on nanog clamoring to buy ddos gear. Packets
>>> are starting to become like spam email, where 90% are pure rubbish, and
>>> us good guys have to spend a lot of money and time sorting signal from
>>> noise.
>>
>> I've said this many times: abuse does not magically fall out of the sky.
>> It comes from hosts, on networks, run by people. It is time -- well
>> past time -- to hold those people *personally* accountable.
>>
>> Not doing so leaves us where we are today: millions -- heck, hundreds
>> of millions -- of dollars are being spent on defenses THAT WOULD NOT
>> BE NECESSARY if those people performed their jobs at a mere baseline
>> level of competence and diligence.
>
> Shared fate systems suck in some ways. But I disagree that “a mere baseline level of competence and diligence” is even close to what is required.
>
> Making the owner of the host responsible for an attack -personally- responsible would require every grandma & 6 year old to have insurance before buying a laptop or Xbox. And would bankrupt your favorite startup no matter how smart & competent the first time a zero-day caught them by surprise.
Agreed… I think, instead, that the commercial purveyors of vulnerable software should be held liable.
> Of course, forcing Uncle Bob to call his insurance carrier before buying a smartphone, and having Sand Hill Road take even greater risks when investing, and giving lawyers yet another vector for frivolous lawsuits, wouldn’t have the slightest effect on the global economy.
>
> On the other hand, that 100s of millions of dollars is a rounding error in the wealth & public good created by that same shared fate system.
>
> Overall, I think we’re doing well.
While I agree with you (scary, huh) about most of this, I do think that there is legitimate liability to be had by commercial software vendors that have so far held themselves immune to prosecution.
We have already seen that vulnerabilities in open source software tend to get corrected much faster than in closed commercial software. We’ve also seen that opening up source code to inspection by the community tends to make the vulnerabilities known faster (which is a double-edged sword to be certain).
I’m not saying we should eliminate closed commercial software, but I do think giving it a free pass on the liability for the damage it inflicts is something that should no longer be tolerated.
> Before anyone pounces on me, I hate spam, dos, etc. as much as anyone else. (You know how much personal, unpaid time I’ve put into fighting both, Rich.) If we can find the originators of these things, we should hang them by their thumbs and beat them senseless. We should do everything we can to make ISPs implement BCP38, get software vendors to QA better, and educate users to be less, well, idiotic.
+1
> But I am also pragmatic. Life sucks, it is not fair. But the idea of making either grandma or the network engineer at an ISP or even the CEO of a hosting company personally responsible for things like zero-days or minor errors which can be exploited to the tune of greater than their personal wealth or even their corporate market cap is a recipe for bringing everything to a screeching halt.
Agreed. Perhaps liability with some sort of safe harbor provision for corrections released within 30 days of notification of vulnerability would be a better choice than outright complete liability.
However, if you want to sell software without giving users the ability to plug the holes you created, whether by design or by accident, that should come with a responsibility to plug them on a timely basis.
> I kinda like the ride we’re on, bumps and all. Let’s not bring it to a screeching halt.
Meh… If we did, a new ride would soon take its place.
Owen