[Dshield] An Abuse-Free internet organization
peteoutside at yahoo.com
Wed Jan 21 17:18:50 GMT 2004
Gentlemen & Ladies,
If I may offer my $0.02,
What Erwin is suggesting is a lot easier to implement in a corporate setting.
The users at your average company do not own the machines they use at work.
The company does.
They are there for a very specific purpose--in effect, they are appliances to be used for word processing, document access, communications, etc.
In this setting, you (the sysadmin/security pro) can be as restrictive as you want with your access controls--i.e., it makes perfect sense that employees demonstrate a need for access to something (documents, internet, etc.) before you give it to them.
When there is access you know who is getting what and why. Therefore you can always spot "weird" behavior because you have defined what is allowed or good; anything else, by default, is disallowed, bad, etc. and you can come down hard on it.
With home users this gets opened up considerably.
On the face of it, you might say that a private user can't be restricted from doing just about anything they want--that it's not the ISP's role to enforce the law (excepting cases where some governmental organization forces them to). They take a typically "hands off" attitude towards what the private user wants to use his access for, barring rules that they must enforce to maintain bandwidth, etc. (for this reason many ISPs don't let you run any kind of server).
But let's think about this.
Any ISP should still be able to tell what their users should and should not be allowed to do. They can do this because internet access is a privilege for which users pay, not a right in any sense of the word. There is no legitimate reason for a user to be conducting large-scale port reconnaissance, or attempting to access what they have no business accessing, etc.
Up until now the law has been treating personal access controls (e.g. over the content of your e-mails) as sacrosanct. Maybe it's time to re-think this. What you're using their networks for--whether you have paid for access or not--is very much their business, even if the content you're transmitting is not. Traffic analysis at the ISP level ought to reveal abuse or illegitimate use if we keep track of legitimate applications and so forth. This would be difficult but let's just be aware that the list of applications is finite; therefore, it's possible. If an ISP conformed to this policy yet was sluggish in "accepting" new technologies then their users could simply "vote with their feet" and migrate to a more responsive ISP. Any ISP which failed to conform to this policy (and thus, allowed abuse) could be blacklisted according to methods already discussed.
There is a tendency to treat the internet as if it's public space--but it's not.
I'm not saying any of this is remotely likely, but I think it's at least POSSIBLE.
Erwin Van de Velde <erwin.vandevelde at ua.ac.be> wrote:
On Tuesday 20 January 2004 17:49, Brad Spencer wrote:
> At 05:28 PM 1/20/2004 +0100, you wrote:
> >You could block some IP addresses (I'm even writing my master thesis about
> > a system that could do that :-) )
> Blocking is so old hat. If you're doing a master's thesis why not move
> If your thesis is about quickly and reliably identifying IPs to block and
> then quickly unblocking when the need has disappeared it might be a very
> good thesis - but somehow I doubt that's what it covers. If I'm wrong I'd
> be delighted to be shown in error.
That's just what it is about: not only trying to identify attackers using
known attacks, but also trying to block new viruses, inventive attackers, ...
using a broader range of security tools. This includes also the question
about who should be blocked how long, and if other actions can be
appropriate. It will include some recovery actions too, like automatically
recovering deleted or modified data.
I hope to get as far as possible with the time that is given to me. It's quite
difficult as our curriculum does not include courses about security, security
is only mentioned now and then.
As always, good ideas are welcome, and you could win a line in my thank word
Erwin Van de Velde
Student of University of Antwerp