Wednesday, December 31, 2008

More doom?

a) 1974 http://web.mit.edu/Saltzer/www/publications/protection/

and

b) SecurityMetrics mailing list going round in circles.....

including

c) "It'll be just as insecure as it possibly can, while still continuing to function."
http://www.ranum.com/security/computer_security/editorials/point-counterpoint/homeusers.htm

One does worry.

Until we can elicit a value to shared and dedicated nodes/messages + the organisational superorganism as a whole, risk and the quantification thereof is a joke.... unfortunately shared infrastructure and services such as routing/DNS/SNMP/NTP/logging *are* business critical e.g. data and control planes including management control planes. http://twitter.com/irldexter/status/1087480944

Here's to 2009! And some standardisaiton of code development and testing including liability etc as per David Rice's arguments in Geekonomics. http://my.safaribooksonline.com/9780321477897

Peace.

Security Absurdity from Ranum

Saturday, December 27, 2008

Aussie Filtering Meme

Gridlock 09': what do you think happens when every car is searched on the information superhighway?

Note: potentialy breath testing on the freeway, what do you think will happen?
NoteII: can use trucks, cars, buses and motorbikes to refer to packets/QOS etc.
NoteIII: easily accessible meme... 87% speed limit reduction on motorways for everyone..
NoteIIII: Australia, going nowhere fast.
NoteIIIII: Australia = Auto-BAN!

Sunday, December 21, 2008

Cavity searches and Internet Filtering

Proxying and tunnels will always get around filters. Full stop. I do not support censorship. Full stop. I do not support child pornography. Full stop. If child pornography was served from static webservers it would be easy to pull down. Full stop. There are 65,535 usable tcp ports. There are 65,535 usable udp ports. There are ~4 billion usable IP addresses spread around different regions on the planet and advertised by different Autonomous Systems.

However some thoughts.

a) From a Cisco perspective on a CRS/SSG/SCE, a thousand+ line ACL and Policy Map that routes requests for certain IP addresses to 'null 0' or sets the next hop for traffic to a logging/404 host would be feasible at peering edges. Feasible. As would a live feed akin to the Team Cymru dynamic bogon and martian feed. Feasible but very dangerous to centralise such dynamic control. One could also insert better prefixed /32 routes on the fly, akin to 'clean pipes' solutions that sinkhole and try to scrub distributed denial of service attacks.

The above points in (a) are equally achievable with Juniper high end gear also... and probably others too.

b) Any appliance/blade based content filtering or 'inline/OOB' IDS(Intrusion Detection System) will result in an epic fail; as opponents could shunt bad packets and malformed/obfuscated http gets at the device from multiple shifting sources all day and night to bring it to its knees! (Unless it only runs a DST IP block list...) There would also be massive issues with scaling and redundancy for most ISPs, let alone power and space constraints.

Both of the above techniques with the exception perhaps of the Null routing option for option(a) would allow one to reverse engineer the list with web spidering and/or large scale scanning.

c) AHTCC(Australian High Tech Crime Centre) and AFP(Australian Federal Police); if they are aware of known IP source addresses of 'kiddie porn', should already be looking for these traffic flows via a form of (a) that only provides them logging e.g. fully honors the traffic request and then subsequently investigate which Australian devices have sent said illegal requests via standard process. Unfortunately there can be issues with malware and establishment of identity/intent, however subsequent forensic investigations on offending hard-disks *should* confirm innocence or guilt (though costly to pursue as most good investigations are). If the list of DST IP addresses was leaked, miscreants could play havoc with the authorities through spoofing requests from local ISP IP addresses e.g. valid local SRC ranges(which an ISP cannot filter), and/or use botnets on Australian networks to achieve denial of service. Devices would have to fail open.

If logging was bidirectional then both inbound requests to Australian hosted content and requests to external countries would be enumerated. Unfortunately one could only effectively begin with IP's reported to authorities as any form of deeper content inspection would facilitate issues and abuses mentioned in (b).

Essentially, as with real world crime, one issue encountered is sometimes to balance the benefit of blocking or pre-empting an ongoing 'crime', with the possible information garnered by passively monitoring and going for the 'crimebosses' or actual perpetrators. This is a tough topic. No one is suggesting child pornography is a victimless crime, however are we going after paedophiles or trying to block what kids *might* see?

I do not support censorship. I am across LI(Legal Interception) in mobile/PSTN and data networks somehwhat and one should have warrants to actively tap citizens communications based upon probable cause. If one can prove that an IP address serves or accesses child pornography individuals should be prosecuted as per the judicial system. Unfortunately filtering *all* flows is a slippery slope, especially for those that control the blacklist(s).

d) How does one vet content and keep the IP addresses in (a) up-to-date and based upon what criteria? This can be especially difficult when recent research found that 69.8% of the websites for .com, .org and .net domains shared an IP address with 50 or more other websites. Such that a device served illegal content from a fixed IP, the content would be brought down very quickly by the authorities in the hosting country once that country had laws governing hosting of said content.

e) DNS poisoning = epic fail. Go direct to IP. Do not pass go. Do not collect $200.

I do not support child pornography. I do not support censorship. I do not support wasting millions of tax payers hard earned money on a fallacy.

I support law enforcement that works. I support the AHTCC and AFP. I support democracy. I do not support strip searching everyone that enters and leaves the country. I do not support all phone calls being tapped for illegal seditious conversations. I do not support our mail service opening every one of our letters. What are we doing about child pornography being physically mailed around in hardcopy or encrypted on USB thumb drives in the regular mail, or is that too hard?

And yes I am having seditious thoughts.

Cyberlaw, cybercops and cyber-democracy are required for cyberspace. Not cyber kid gloves and cyber sledge hammers.

Saturday, December 06, 2008

Some light relief?

I might get in trouble for this with the natives but I love this guy. Protect the kids from predators but that's about it. Industrial schooling, FUCK YOU SOCIETY!

Read Summerhill and grow. Link to website here: http://www.summerhillschool.co.uk/

Build more tubes for Australian Censorship!

Wordle.net tres-cool-super-sexy


"Wordle is a toy for generating “word clouds” from text that you provide. The clouds give greater prominence to words that appear more frequently in the source text."

This is my wordle of this blog.