[Dshield] The internet -- testing platform, or production environment?

keithtarrant@spamcop.net keithtarrant at spamcop.net
Wed Oct 30 21:13:54 GMT 2002

----- Original Message -----
From: "Lauro, John" <jlauro at umflint.edu>
To: <list at dshield.org>
Sent: Tuesday, October 29, 2002 10:43 PM
Subject: RE: [Dshield] The internet -- testing platform, or production

> > 2.  Is it an academic right to do what you want on the roads?
> >
> > Is it academic freedom to be able to test theoretical or test-built
> > automobile braking systems on freeways?
> >
> > I think you'll find most engineers, unless they want to argue the
> > semantics of the wording, will agree that public safety comes first.
> >
> > Well, in my opinion, the internet is like the public roads.
> It is the individual that uses or abuses the car on the road.  It is
> not the job of the site where you leave from or arrive at to police
> the behavior on the roads to get from one location to another.

General Motors is not an individual it is a company.

Generally the provider of the roads (the government) polices the roads.

The provider of the site where you leave is usually the individual.  As we
depart from our own homes, our data departs from our own computers.

> What
> is needed is better router<-->router policing on the backbone sites
> (which academia is improving and researching with various distributed
> flow modeling for DDOS auto detection and tracking, IPv6, etc)...

> > Few addresses are firewalled compared with what should be.  Also,
> I'm
> > including egress filtering in this.  IMO it should be mandatory that
> > egress filtering be applied that retail customers connections be
> subject
> > to egress filters that at least ensure their source IPs in their
> packets
> > are from somewhere on their ISP.
> I agree 100% that egress filters should be law...  I suspect that this
> is a larger problem from ISPs and small companies, and that most
> academic institutions of a reasonable size at least do egress filters
> already even if not a firewall.

That's good then!
> > You run unit tests and system using the real internet?
> >
> > This is why we need rules-of-the-road with the force of law.  If it
> isn't
> > illegal it is okay in the minds of many people.
> >
> Besides for the RFCs already concerning IP/TCP/UDP/etc, and egress
> filters, what *rules* would you suggest be enforced?

Quality requirements for operating systems and software in mass use.  Laws
on scanning and when it can be done.  Laws making the distribution of viri
and trojans illegal (those laws don't exist everywhere).  And of course
laws requireing egress filtering.

> > I can see using the internet to run user acceptance tests, and beta
> tests
> > obviously, but not unit, integration, and system tests.
> >
> > We get new skid-proof steering systems from auto-makers.  The auto
> > companies do not develop them by doing their initial and development
> > testing on our freeways.
> Unless things have changed in the last 10 years, the auto companies do
> test prototypes on our freeways.

A braking system has to be pretty far along before they let it out on the
public roads.

Prototype sheet metal designs are something else.  I have no objection to
testing "skins" on internet connected software.

> I still don't see what your opposition to initial testing on the
> internet is, if the application obeys all the rules?  The testing of
> applications have no bearing on security, besides how open/closed
> firewalls (if any) are configured.

If it isn't tested you don't know if it does obey the rules.

> > In production, you need a safe environment for the sites connecting
> to
> > you. I have to rely on their service suppliers to do what our
> highway
> > departments do in the physical world -- attempt to make the service
> they
> > provide as safe as possible.
> >
> > Would your campus physical facilities department let the engineers
> build
> > test pot holes in the road?
> Good idea.  There could be good reasons for that, especially for
> testing for the auto industry.  You would not build it on the freeway,
> but on a road that is somehow connected to the freeway.  If you could
> not get to the test road, what good would it be?

You test on a closed track.  You get the vehicle there on a trailer.
(i.e. you FTP it over and then remove the connection from the internet to
the intranet before beginning the test)
> > > If your real goal is to get junk packets and hackers off the net,
> then
> > > firewalls might not be your best bet anyways.  Your time might be
> > > better spent recommending passive IDS.  It may not instantly block
> the
> > > abusers, but it also does not go so sharply against academic
> freedom.
> >
> > It wouldn't stop intrusions but it might be better because it
> wouldn't go
> > against so-called academic freedom.  ;)
> Assuming that systems are kept current, they shouldn't be able to
> intrude...  and the IDS will log the attempts, so you can take
> appropriate actions toward the individual.  If serious enough
> penalties are given to those attempting to intrude, it will be a
> deterrent to others.

Except we don't have those penalites, the interest of law enforcement, and
outside the UK (where they have some pretty draconian requirements), the
evidence of who has which IP address disappears pretty quickly if it ever
> > Huh?  Not if it is a good firewall.  In fact a lot of times they
> don't
> > even know their is a network behind it.  It all depends on how the
> > firewall is configured.
> I was referring to a firewall protecting the world from your users,
> assuming you don't block the entire internet from your users which is
> not acceptable for many.
> > > Here is one option...  assuming you know he is in...
> > > Unplug the network cable....  :)
> >
> > So I want to be safe on the public highways, and you say I should
> keep my
> > car in the driveway?
> If a hacker is in your system (and you know it), then you know the
> system is not working correctly.  So, yes if you have a flat, or
> engine trouble, or you car is smoking, then leave it in the driveway
> until you get it fixed!

But what if the hacker is in my customer's system with a keyboard logger.

My security is only as good as the security of the internet because I deal
with customers.


More information about the list mailing list