RE: Legislative proposal sent to my Congressman

2016-10-05 Thread Harry Crowder
The term you are referencing is unicast reverse path verify strict/hard mode.
It enforces that the packet's source can be reached via the interface receiving
the traffic.
If this were generally applied at all provider edge routers and DSL/dialup/VPC
POPs, it would solve the spoofing issue as a whole.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Larry Sheldon
Sent: Monday, October 3, 2016 5:36 PM
To: Stephen Satchell <l...@satchell.net>; nanog@nanog.org; ietf-act...@ietf.org
Cc: s...@us-cert.gov; act...@eff.org
Subject: Re: Legislative proposal sent to my Congressman



On 10/3/2016 13:58, Stephen Satchell wrote:
> In thinking over the last DDoS involving IoT devices, I think we don't 
> have a good technical solution to the problem.  Cutting off people 
> with defective devices that they don't understand, and have little 
> control over, is an action that makes sense, but hurts the innocent.  
> "Hey, Grandma, did you know your TV set is hurting the Internet?"
>
> It's the people who foist bad stuff on the people who need to take the 
> responsibility.  Indeed, with enough moxie, we could avoid the net 
> saturation problem in the first place.
>
> My proposal, as I sent it to my US House Representative:
>

[much snipping]


> Why not nip the IoT problem in the bud?

Why not, indeed?  (Full disclosure:  I am not and have not for some years been 
active in management of any networks, and I AM woefully behind the state of the 
arts.)

Having said that, it occurs to me that Mr. Satchell's proposal (and most of the 
others I have read about here and elsewhere lately) is doomed to the same 
failure as Chicago's plan for reducing illegal deaths by firearm, and for much 
the same reason (discussion of which here I will spare you).

Back in the day, I was fighting a problem that I summarized (then and
now) as trying to stop the use and abuse of the University's (that employed me) 
56kb Frame Relay link to the Internet.  Then as now I defined "abuse" as the 
use of our facilities for purposes that no stretch of imagination or definition 
could be said to be to the University's benefit.

Through some experimentation I concluded that there were several clearly 
identifiable sources of abuse.  I disremember the ordering by severity but they 
included:

Outright attacks on the University and others.
Myriad "scans" for a variety of reasons.

The first of these two I remember as being the worst (in terms of item-count 
AND in terms of packet-size).  I also recall it being the easiest to fix, if 
anybody wanted to fix it.  (The dominant reasons given were that it would cost 
money without a revenue stream, and it would reduce traffic that WAS in the 
revenue stream.)  The fix I proposed: 
Require (by law) that every service provider and every origination customer of 
a service provider would, under penalty of law, block the transmission of a 
packet whose source address could not be reached via the link upon which it was 
found.

The Myriad scans problem was a little harder (for among other reasons--the 
argument that they were good for us, even though they accounted for something 
like 60% of the traffic on that link).  The solution I tried but ran out of 
dollars on was to detect somebody scanning and route them to the Loopback 
interface of the boundary router.
--
"Everybody is a genius.  But if you judge a fish by its ability to climb a 
tree, it will live its whole life believing that it is stupid."

--Albert Einstein

 From Larry's Cox account.



Re: Legislative proposal sent to my Congressman

2016-10-05 Thread Stephen Satchell
On 10/05/2016 09:46 AM, jim deleskie wrote:
> Can we please not get the government ( who's gov ) involved. I fully agree
> that it will not only not help, but will make some things worse.  This is
> why we can't have nice things.

I would be in favor of your plea if you would accompany it with your
proposal for eliminating exploitable devices from accessing the Internet
and being the source of damaging traffic.

This IS the NANOG mailing list.  So far, the "solutions" I've seen put
forward are like requiring government ID at polling places.


Re: Legislative proposal sent to my Congressman

2016-10-05 Thread jim deleskie
Can we please not get the government ( who's gov ) involved. I fully agree
that it will not only not help, but will make some things worse.  This is
why we can't have nice things.


On Tuesday, October 4, 2016, Anne Mitchell  wrote:

> (Interesting and inarguably well-intentioned, and possibly even sound,
> idea snipped, but noted.)
>
> There are a handful of reasons that this will never happen (well, I'm 98%
> certain it will never happen; nothing is ever 100% sure when it comes to
> the law, and legislation)... among them the manufacturer's lobby is much
> more well-girded than is the   'home internet security' lobby;  the
> cyber-security concerns of the Federal government are focussed on other
> things (whether they should be or not, they are);  and for the most part
> legislators are still fairly unsavvy about tech in general, and these
> things make their eyes glaze over.
>
> That said, there are already tort (negligence, etc.) laws and precedents
> under which such manufacturers can be sued, along with things like breach
> of contract between the manufacturer and consumer, and breach of implied
> warranty of fitness for a particular purpose and breach of implied warranty
> of merchantability.
>
> A couple of winning lawsuits against manufacturers under these laws and
> theories - which judges *already understand* - is, I think, not only a more
> likely, but a much faster, route to industry reform.
>
> All that said, much of this faces the same issues that spam lawsuits faced
> - the people who care the most about it are not the ones who can afford to
> finance such lawsuits.
>
> Anne
>
> Anne P. Mitchell,
> Attorney at Law
> Legislative Consultant
> CEO/President, Institute for Social Internet Public Policy
> Member, Cal. Bar Cyberspace Law Committee
> Member, Colorado Cyber Committee
> Member, Asilomar Microcomputer Workshop Committee
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> Ret. Professor of Law, Lincoln Law School of San Jose
> Ret. Chair, Asilomar Microcomputer Workshop


Re: Legislative proposal sent to my Congressman

2016-10-04 Thread Anne Mitchell
(Interesting and inarguably well-intentioned, and possibly even sound, idea 
snipped, but noted.)

There are a handful of reasons that this will never happen (well, I'm 98% 
certain it will never happen; nothing is ever 100% sure when it comes to the 
law, and legislation)... among them the manufacturer's lobby is much more 
well-girded than is the   'home internet security' lobby;  the cyber-security 
concerns of the Federal government are focussed on other things (whether they 
should be or not, they are);  and for the most part legislators are still 
fairly unsavvy about tech in general, and these things make their eyes glaze 
over.

That said, there are already tort (negligence, etc.) laws and precedents under 
which such manufacturers can be sued, along with things like breach of contract 
between the manufacturer and consumer, and breach of implied warranty of 
fitness for a particular purpose and breach of implied warranty of 
merchantability.

A couple of winning lawsuits against manufacturers under these laws and 
theories - which judges *already understand* - is, I think, not only a more 
likely, but a much faster, route to industry reform.

All that said, much of this faces the same issues that spam lawsuits faced - 
the people who care the most about it are not the ones who can afford to 
finance such lawsuits.

Anne

Anne P. Mitchell, 
Attorney at Law
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Asilomar Microcomputer Workshop Committee
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop

Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Valdis . Kletnieks
On Mon, 03 Oct 2016 18:33:38 -0700, Matthew Petach said:

> If you hold the executives of the hardware manufacturer
> responsible for the software running on their devices,
> then the next generation of hardware from every
> manufacturer is going to be hardware locked to
> ONLY run their software.  No OpenWRT, no Tomato,
> no third party software that could be compromised
> and leave them holding the liability bag.

Turn it on its ear.

Liability only attaches if the product is closed-source.

Sure, that leaves us with lots of open-source light bulbs
that are basically abandonware 5 years later, but at least
at that point it's more possible to fix any remaining issues...





Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Lyndon Nerenberg

> On Oct 3, 2016, at 6:52 PM, Lyndon Nerenberg  wrote:
> 
> It's the closed software that is fscking everything up right now.  A little 
> sunshine on the code base will go a long way towards those people not losing 
> their Ferraris after all.

Or coming from a more legalistic view, if they lock things down that hard, they 
cannot possibly blame anyone else for having "rooted" the gear, therefore no 
passing the buck.  They would have to admit that it was their - and only their 
- code that was responsible for inflicting the damages.

I've been in the tech biz for 30+ years, and have worked for a wide range of 
organizations over that time.  The only common denominator across them all 
(small, large, and everything between - commercial and not) is that rapid 
response high level organizational change ONLY happens when the executives see 
the possibility of an imminent, significant, personal loss.  That might be 
monetary loss, or loss of reputation.  But it must be personally hurtful.  When 
the reaper appears on the horizon, it's amazing how quickly they see the path 
to redemption.


The sooner we all admit this is not a *technical* problem, the sooner we will 
eradicate it.

--lyndon



Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Lyndon Nerenberg

> On Oct 3, 2016, at 6:33 PM, Matthew Petach  wrote:
> 
> If you hold the executives of the hardware manufacturer
> responsible for the software running on their devices,
> then the next generation of hardware from every
> manufacturer is going to be hardware locked to
> ONLY run their software.  No OpenWRT, no Tomato,
> no third party software that could be compromised
> and leave them holding the liability bag.

It's the closed software that is fscking everything up right now.  A little 
sunshine on the code base will go a long way towards those people not losing 
their Ferraris after all.

Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Matthew Petach
On Mon, Oct 3, 2016 at 6:15 PM, Lyndon Nerenberg  wrote:
>
[...]
>
> The only way to stop this sort of thing once and for all is to make it 
> punitively costly to the humans at the helm of the corporations selling this 
> crap in the first place.  Under corporate law, this almost always means the 
> directors.  Only when they start losing their homes/yachts/Jaguars, or start 
> spending some quality time in jail, will this problem go away.
>
> Of course, this does require governments to grow some balls :-P
>
> --lyndon


Please, no.

This will put a sword through the heart of open source.

If you hold the executives of the hardware manufacturer
responsible for the software running on their devices,
then the next generation of hardware from every
manufacturer is going to be hardware locked to
ONLY run their software.  No OpenWRT, no Tomato,
no third party software that could be compromised
and leave them holding the liability bag.

If you want a world in which only a handful of companies
make the hardware and software, with commensurately
higher prices, and no freedom to select what software
you'd like to load on it, I suspect this is a good path
towards it.

I think there's got to be solutions that don't drive
us into a closed-software world.  Before we start
asking the government and the lawyers to solve
this in ways we'll come to hate down the road,
let's give it a few more tries ourselves, shall we?

Thanks!

Matt


Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Valdis . Kletnieks
On Mon, 03 Oct 2016 11:58:10 -0700, Stephen Satchell said:

> > THEREFORE the Consumer Product Safety Commission shall require that
> > the manufacturer provide a security update to the device within 30 days
> > of first notice; or failing that, to issue a complete recall of the
> > defective devices.

What percent of recalled devices are actually replaced/repaired?

It's not too hard to (in principle) track down all owners of 2014 Ford Escapes.
But how do you track down all purchasers of a light bulb?  That's been
sold in multiple continents with differing legal environments?




Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Lyndon Nerenberg

> On Oct 3, 2016, at 5:39 PM, Jay R. Ashworth  wrote:
> 
> You're not familiar with CPSC mandatory recalls, are you?

I'm not sure how you could make the case that a compromised DVR, e.g., directly 
creates a risk of physical injury to a person.  Without that, I don't see how 
the CPSA would apply.

But even if a mandatory recall was made under some law, how many of those 
devices do you think would be returned/exchanged, realistically.  And what 
percentage of those devices would fall under the jurisdiction of any one 
country's laws?

The only way to stop this sort of thing once and for all is to make it 
punitively costly to the humans at the helm of the corporations selling this 
crap in the first place.  Under corporate law, this almost always means the 
directors.  Only when they start losing their homes/yachts/Jaguars, or start 
spending some quality time in jail, will this problem go away.

Of course, this does require governments to grow some balls :-P

--lyndon



Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Peter Beckman

On Mon, 3 Oct 2016, Lyndon Nerenberg wrote:

> The only cure to this will be changing the law so that the directors of the 
> companies that ship massively insecure devices like these are personally 
> liable for all the financial loss attributed to their products. Bankrupt a 
> few companies' board of directors and you'll start seeing things change in a 
> hurry.


 Manufacturers are global, and their distribution is global. Local,
 technical laws are difficult at best to get enacted, much less
 consistently and by 190+ countries. And even when technically-minded laws
 are implemented (see US Federal and State Do Not Call Lists) they are
 problematic and difficult to enforce when abuse may be coming from outside
 the US. And the tech usually is far ahead of the legislation.

 The common device through which all of these smart devices will pass is
 the router. Router manufacturers often build and sell larger big iron
 routers to ISPs, or ISPs are buying end-user routers from manufacturers
 and reselling to their customers. ISPs are motivated financially to avoid
 unwanted and "bad" traffic on their networks.

 The global ISP community is in the best position here to pressure their
 vendors to implement a standard on end-user routers which protects their
 networks from rogue and unsecured devices. The IoT manufacturers will need
 to follow standards that the router manufacturers implement to limit the
 negative impact of IoT devices if they want their devices on the
 network/Internet.

 When the standards are available to help protect the ISP networks at the
 end of the last mile from unwanted and fraudulently created traffic, and
 the ISPs pressure/demand the router manufacturers to implement the
 protections, IoT and other device manufacturers will fall in line.

Beckman
---
Peter Beckman  Internet Guy
beck...@angryox.com http://www.angryox.com/
---


Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Jay R. Ashworth
- Original Message -
> From: "Lyndon Nerenberg" 

>> But that does not remove those devices from the network.
> 
> That ship has sailed.

You're not familiar with CPSC mandatory recalls, are you?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Larry Sheldon



On 10/3/2016 13:58, Stephen Satchell wrote:

> In thinking over the last DDoS involving IoT devices, I think we don't
> have a good technical solution to the problem.  Cutting off people with
> defective devices that they don't understand, and have little control
> over, is an action that makes sense, but hurts the innocent.  "Hey,
> Grandma, did you know your TV set is hurting the Internet?"
>
> It's the people who foist bad stuff on the people who need to take the
> responsibility.  Indeed, with enough moxie, we could avoid the net
> saturation problem in the first place.
>
> My proposal, as I sent it to my US House Representative:

[much snipping]

> Why not nip the IoT problem in the bud?


Why not, indeed?  (Full disclosure:  I am not and have not for some 
years been active in management of any networks, and I AM woefully 
behind the state of the arts.)


Having said that, it occurs to me that Mr. Satchell's proposal (and most 
of the others I have read about here and elsewhere lately) is doomed to 
the same failure as Chicago's plan for reducing illegal deaths by 
firearm, and for much the same reason (discussion of which here I will 
spare you).


Back in the day, I was fighting a problem that I summarized (then and 
now) as trying to stop the use and abuse of the University's (that 
employed me) 56kb Frame Relay link to the Internet.  Then as now I 
defined "abuse" as the use of our facilities for purposes that no 
stretch of imagination or definition could be said to be to the 
University's benefit.


Through some experimentation I concluded that there were several clearly 
identifiable sources of abuse.  I disremember the ordering by severity 
but they included:


Outright attacks on the University and others.
Myriad "scans" for a variety of reasons.

The first of these two I remember as being the worst (in terms of 
item-count AND in terms of packet-size).  I also recall it being the 
easiest to fix, if anybody wanted to fix it.  (The dominant reasons given 
were that it would cost money without a revenue stream, and it would 
reduce traffic that WAS in the revenue stream.)  The fix I proposed: 
Require (by law) that every service provider and every origination 
customer of a service provider would, under penalty of law, block the 
transmission of a packet whose source address could not be reached via 
the link upon which it was found.


The Myriad scans problem was a little harder (for among other 
reasons--the argument that they were good for us, even though they 
accounted for something like 60% of the traffic on that link).  The 
solution I tried but ran out of dollars on was to detect somebody 
scanning and route them to the Loopback interface of the boundary router.

--
"Everybody is a genius.  But if you judge a fish by
its ability to climb a tree, it will live its whole
life believing that it is stupid."

--Albert Einstein

From Larry's Cox account.
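The source-address rule Larry proposes above (drop any packet whose source could not be reached via the link it arrived on), which Harry Crowder names higher in the thread as unicast RPF strict mode, simulated in Python over a small static routing table. This is an added example, not code from the thread or from any router vendor; the routing table, interface names and traffic are constructed, and addresses are taken from the RFC 5737 documentation ranges.

```python
"""Unicast RPF (BCP 38 style) source-address check over a static routing table.
Added example: the table, interface names and sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


class EdgeRouter:
    """Holds the FIB and answers 'could this source be reached via this link?'"""

    def __init__(self, routes: List[Route]):
        # Longest-prefix match: the most specific route is consulted first.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def best_route(self, src: str) -> Optional[Route]:
        ip = ipaddress.ip_address(src)
        for route in self.routes:
            if ip in route.prefix:
                return route
        return None

    def urpf_strict(self, src: str, ingress: str, allow_default: bool = False) -> bool:
        """Strict mode: accept only if the best route back to src points at the
        interface the packet arrived on.  A default route does not count unless
        allow_default is set: a default route "reaches" every address, so
        counting it would accept nearly any spoofed source."""
        route = self.best_route(src)
        if route is None:
            return False
        if route.prefix.prefixlen == 0 and not allow_default:
            return False
        return route.interface == ingress

    def urpf_loose(self, src: str, allow_default: bool = False) -> bool:
        """Loose mode: accept if any (non-default) route to src exists at all.
        Stops unrouted/bogon sources, but not spoofing of routed addresses."""
        route = self.best_route(src)
        if route is None:
            return False
        if route.prefix.prefixlen == 0 and not allow_default:
            return False
        return True


def constructed_router() -> EdgeRouter:
    """Two single-homed customer ports plus an upstream default route (constructed)."""
    return EdgeRouter([
        Route(ipaddress.ip_network("192.0.2.0/24"), "cust-a"),
        Route(ipaddress.ip_network("198.51.100.0/24"), "cust-b"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    ])


def filter_ingress(router: EdgeRouter, packets: List[Tuple[str, str]],
                   mode: str = "strict") -> dict:
    """Return {(src, ingress): accepted} for a batch of (src, ingress) pairs."""
    decisions = {}
    for src, ingress in packets:
        if mode == "strict":
            ok = router.urpf_strict(src, ingress)
        else:
            ok = router.urpf_loose(src)
        decisions[(src, ingress)] = ok
    return decisions


# Constructed sample traffic: genuine, neighbour-spoofed and random-source packets.
SAMPLE_PACKETS = [
    ("192.0.2.10", "cust-a"),      # genuine customer A source
    ("198.51.100.7", "cust-a"),    # customer A spoofing customer B's range
    ("203.0.113.9", "cust-a"),     # customer A spoofing an unrelated address
    ("198.51.100.7", "cust-b"),    # genuine customer B source
]

if __name__ == "__main__":
    r = constructed_router()
    for (src, ingress), ok in filter_ingress(r, SAMPLE_PACKETS).items():
        print(f"{src:>14} via {ingress:<8} {'accept' if ok else 'DROP'}")
```

Strict mode belongs on single-homed access ports (the DSL, dialup and POP edges Harry lists), where the only legitimate sources are the prefixes routed to that port. On a multihomed customer or a transit link, asymmetric routing means the best route back to a genuine source may point at a different interface, so strict mode there drops real traffic; loose mode, or nothing, is what operators run on those.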


Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Ca By
On Monday, October 3, 2016, Lyndon Nerenberg  wrote:

>> In thinking over the last DDoS involving IoT devices, I think we don't
>> have a good technical solution to the problem.  Cutting off people with
>> defective devices that they don't understand, and have little control over,
>> is an action that makes sense, but hurts the innocent.  "Hey, Grandma, did
>> you know your TV set is hurting the Internet?"
>
>
> The way this will get solved is for a couple of large ISPs and DDoS
> targets to sue a few of these IoT device manufacturers into oblivion.
>
> --lyndon
>
>
FTC has a hand in this area


https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-insecure-home-routers-cloud-services-put


Re: Legislative proposal sent to my Congressman

2016-10-03 Thread John R. Levine

>> This is where device profiles could help.  If enough devices register
>> profiles with the local router, at some point the router's default
>> could be closed, so devices with no profile can't talk to the outside.
>
> That would be nice, but a manufacturer who can't be bothered to take even the 
> most basic security precautions certainly isn't going to implement this, 
> either.

They will if the routers start rejecting their traffic.

> The only cure to this will be changing the law so that the directors of the 
> companies that ship massively insecure devices like these are personally 
> liable for all the financial loss attributed to their products. Bankrupt a 
> few companies' board of directors and you'll start seeing things change in a 
> hurry.

Good luck with that.

R's,
John



Re: Legislative proposal sent to my Congressman

2016-10-03 Thread John R. Levine

>> This is where device profiles could help.  If enough devices register
>> profiles with the local router, at some point the router's default
>> could be closed, so devices with no profile can't talk to the outside.
>
> Are you thinking of MUD (
> https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/) here, when you say
> "register profiles"?


Yes.  Eliot Lear said they're working actively on it.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Lyndon Nerenberg

> This is where device profiles could help.  If enough devices register
> profiles with the local router, at some point the router's default
> could be closed, so devices with no profile can't talk to the outside.


That would be nice, but a manufacturer who can't be bothered to take even 
the most basic security precautions certainly isn't going to implement 
this, either.


The only cure to this will be changing the law so that the directors of 
the companies that ship massively insecure devices like these are 
personally liable for all the financial loss attributed to their products. 
Bankrupt a few companies' board of directors and you'll start seeing 
things change in a hurry.


--lyndon



Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Ted Hardie
On Mon, Oct 3, 2016 at 1:39 PM, John Levine  wrote:

> In article  you write:
> >> But that does not remove those devices from the network.
> >
> >That ship has sailed.
>
> This is where device profiles could help.  If enough devices register
> profiles with the local router, at some point the router's default
> could be closed, so devices with no profile can't talk to the outside.
>
>
Hi John,

Are you thinking of MUD (
https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/) here, when you say
"register profiles"?

regards,

Ted


> For a lot of devices like lightbulbs, that would probably make no
> difference at all.  It would mean you couldn't remotely monitor your
> five year old CCTV camera unless you take in the camera for an upgrade
> or replace it, but I can't get too upset about that.
>
> R's,
> John


Re: Legislative proposal sent to my Congressman

2016-10-03 Thread John Levine
In article  you write:
>> But that does not remove those devices from the network.
>
>That ship has sailed.

This is where device profiles could help.  If enough devices register
profiles with the local router, at some point the router's default
could be closed, so devices with no profile can't talk to the outside.

For a lot of devices like lightbulbs, that would probably make no
difference at all.  It would mean you couldn't remotely monitor your
five year old CCTV camera unless you take in the camera for an upgrade
or replace it, but I can't get too upset about that.

R's,
John
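John's default-closed router with per-device profiles, and the MUD draft Ted Hardie points to as the IETF work in that direction, sketched in Python as an added example. This is not the MUD file format (which is YANG-modelled JSON defined by the draft) and not code from the thread or from any router; the profile structure, MAC addresses, hostnames and the compromised-camera scenario are constructed, and the "flag devices that keep leaving their profile" step is an assumption about what an operator would do with the denials.

```python
"""Default-closed home router with per-device outbound profiles.
Added example: profiles, device addresses and traffic are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# One permitted outbound flow: (destination host, protocol, destination port).
# Exact-match tuples; real MUD rules are richer (assumption kept deliberately small).
Rule = Tuple[str, str, int]


@dataclass
class ProfileRouter:
    profiles: Dict[str, FrozenSet[Rule]]     # device MAC -> flows its vendor declared
    default_closed: bool = True              # unprofiled device -> no Internet at all
    denials: Counter = field(default_factory=Counter)

    def allow_egress(self, mac: str, dst: str, proto: str, dport: int) -> bool:
        """Decide one outbound flow.  Unprofiled devices follow the router default;
        profiled devices may only reach what their profile lists."""
        rules = self.profiles.get(mac)
        if rules is None:
            ok = not self.default_closed
        else:
            ok = (dst, proto, dport) in rules
        if not ok:
            self.denials[mac] += 1
        return ok

    def suspected_compromised(self, threshold: int = 10) -> List[str]:
        """Profiled devices repeatedly trying flows outside their profile: a camera
        that suddenly wants hundreds of new hosts is the signal worth alerting on."""
        return sorted(mac for mac, n in self.denials.items()
                      if mac in self.profiles and n >= threshold)


CAMERA = "02:00:00:00:00:01"   # constructed MAC; vendor shipped a profile
BULB = "02:00:00:00:00:02"     # constructed MAC; vendor shipped no profile


def constructed_profiles() -> Dict[str, FrozenSet[Rule]]:
    return {
        CAMERA: frozenset({
            ("cloud.camera.example", "tcp", 443),   # its own cloud service
            ("ntp.example", "udp", 123),            # time sync
        }),
    }


def run_scenario(default_closed: bool = True) -> dict:
    """Normal use, an unprofiled device, then the camera joining a flood."""
    router = ProfileRouter(profiles=constructed_profiles(), default_closed=default_closed)
    result = {
        "camera_cloud": router.allow_egress(CAMERA, "cloud.camera.example", "tcp", 443),
        "bulb_internet": router.allow_egress(BULB, "203.0.113.10", "tcp", 443),
    }
    # Camera gets compromised and starts hammering an unrelated victim.
    victim = "203.0.113.50"
    result["camera_flood_denied"] = sum(
        not router.allow_egress(CAMERA, victim, "tcp", 80) for _ in range(50))
    result["flagged"] = router.suspected_compromised()
    return result


if __name__ == "__main__":
    for closed in (True, False):
        print(f"default_closed={closed}: {run_scenario(closed)}")
```

Two things the scenario shows that the paragraph does not: a profile protects the outside world even when the router default stays open (the flood is dropped either way, because the camera's profile never listed the victim), and the denial counter turns the router into a detector for the compromise, which is the part an ISP can act on without anyone suing anyone. It only works if the router is the device's sole path out, and only for devices whose vendor published a profile, which is exactly the gap Lyndon points at.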





Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Lyndon Nerenberg

> But that does not remove those devices from the network.


That ship has sailed.


Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Florian Weimer
* Lyndon Nerenberg:

>> In thinking over the last DDoS involving IoT devices, I think we
>> don't have a good technical solution to the problem.  Cutting off
>> people with defective devices that they don't understand, and have
>> little control over, is an action that makes sense, but hurts the
>> innocent.  "Hey, Grandma, did you know your TV set is hurting the
>> Internet?"
>
> The way this will get solved is for a couple of large ISPs and DDoS
> targets to sue a few of these IoT device manufacturers into oblivion.

But that does not remove those devices from the network.


Re: Legislative proposal sent to my Congressman

2016-10-03 Thread Lyndon Nerenberg
> In thinking over the last DDoS involving IoT devices, I think we don't have a 
> good technical solution to the problem.  Cutting off people with defective 
> devices that they don't understand, and have little control over, is an 
> action that makes sense, but hurts the innocent.  "Hey, Grandma, did you know 
> your TV set is hurting the Internet?"


The way this will get solved is for a couple of large ISPs and DDoS 
targets to sue a few of these IoT device manufacturers into oblivion.


--lyndon