Re: Scanning the Internet for Vulnerabilities Re: 202207240927.AYC
On 7/24/22 07:20, Abraham Y. Chen wrote:

> Hi, John:
>
> 1) "... dynamically assigned IP address space can still be tracked back to a given system ... ": I fully agree with this statement. However,
>
> A. You overlooked the critical consideration of the response time. If this cannot be done in real time for law enforcement purposes, it is meaningless.

The same is true for statically assigned addresses, unless you're proposing that ISPs be forced to preemptively divulge all customer data to law enforcement and keep that data updated in real time. At least in the US, this would almost certainly be ruled an unconstitutional search. It also fails to address the CGNAT scenarios often required to provide IPv4 Internet access at all.

> B. Also, the goal is to spot the specific perpetrator, not the "system" which is too general to be meaningful. In fact, this would penalize the innocent users who happen to be on the same implied "system".

"System" isn't implied. It would be the AS and assigned CIDR block from the RIR.

> C. In addition, for your “whack-a-mole” metaphor, the party in charge is the mole, not the party with the mallet. It is a losing game for the mallet right from the beginning.

The party in charge (ISP) is the programmer of the game that also holds the records of where the mole has been historically. With the proper warrant, law enforcement can get those records. It matters not whether the IP is static, dynamic, or part of a CGNAT pool.

> So, the current Internet practices put us way behind the starting line even before the game. Overall, this environment is favored by multi-national businesses with perpetrators riding along in the background. When security is breached, there are more than enough excuses to point the finger at.

Overall, this environment is favored by most users of the Internet that don't want law enforcement to be handed yet another virtual wiretap by their ISP. It's also required in many cases to provide IPv4 Internet access at all, as there aren't enough static addresses to go around.

> No wonder the outcome has always been disappointing for the general public.

I disagree that the general public is disappointed. No one I know wants yet more agencies tracking them on the Internet, particularly agencies employing people with guns and the ability to throw them in jail.

-- 
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV
Re: Scanning the Internet for Vulnerabilities Re: 202207240927.AYC
On 24 Jul 2022, at 10:20 AM, Abraham Y. Chen wrote:

> Hi, John:
>
> 1) "... dynamically assigned IP address space can still be tracked back to a given system ... ": I fully agree with this statement. However,
>
> A. You overlooked the critical consideration of the response time. If this cannot be done in real time for law enforcement purposes, it is meaningless.

Abe -

That’s correct - but that does not require having static addresses to accomplish (as you postulated earlier); rather, it just requires having appropriately functioning logging apparatus.

> B. Also, the goal is to spot the specific perpetrator, not the "system" which is too general to be meaningful. In fact, this would penalize the innocent users who happen to be on the same implied "system".

Yes, it is quite obvious that a degree of care is necessary.

> C. In addition, for your “whack-a-mole” metaphor, the party in charge is the mole, not the party with the mallet. It is a losing game for the mallet right from the beginning.

As with all enforcement, it is a question of changing the breakeven-point calculation on incentives & risks for the would-be perpetrators, and presently there’s almost no risk involved.

> So, the current Internet practices put us way behind the starting line even before the game. Overall, this environment is favored by multi-national businesses with perpetrators riding along in the background. When security is breached, there are more than enough excuses to point the finger at. No wonder the outcome has always been disappointing for the general public.

Indeed.

> 2) What we need to do is to reverse the roles in every one of the above situations, if we hope for any meaningful result at all. The starting point is to review the root differences between the Internet and the traditional communication systems. With near half a century of Internet experience, we should be ready to study each issue from its source, not by perpetuating its misleading manifestations.

That’s one possible approach, although before becoming too enamored with it, it is probably worth remembering that the “traditional communication systems” have also suffered from similar exploits on occasion (they’ve been fewer in number, but then again, the number of connected devices was also several orders of magnitude smaller.)

Thanks,
/John

Disclaimer: my views alone – use caution - contents may be hot!

> ...
>
> On 2022-07-24 07:27, John Curran wrote:
>> Abe -
>>
>> Static versus dynamic address assignment isn’t the problem - dynamically assigned IP address space can still be tracked back to a given system (reference: RFC6302/BCP162 & RFC6269 for discussion of the requirements and various related issues.)
>>
>> Tracking back to a particular server doesn’t really matter if all that happens is that the service is terminated (as the culprit will simply appear elsewhere in the Internet with a new connection/server and start over.)
>>
>> Alas, the situation doesn’t change unless/until there’s a willingness to engage law enforcement and pursue the attackers to prevent recurrence. This is non-trivial, both because of the skills necessary, the volume of attacks, the various jurisdictions involved, etc. – but the greatest obstacle is simply the attitude of “Why bother, that’s just the way it is…”
>>
>> With zero effective back pressure, we shouldn’t be surprised as frequency of attempts grows without bound.
>>
>> Thanks,
>> /John
>>
>> Disclaimers: my views alone – no one else would claim them. Feel free to use/reuse/discard as you see fit.
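The “appropriately functioning logging apparatus” John refers to is concretely what RFC 6302 (BCP 162) asks of Internet-facing servers: log the source port and an accurate timestamp alongside the source address, because behind CGNAT one public address is shared by many subscribers at the same time. The Python below is an added illustration, not code from this thread or from either RFC; it correlates a constructed access-log line (its format is an assumption) with a constructed CGNAT session log to find the subscriber, and also shows that with the address alone the lookup returns only a set of candidates.

```python
# Correlate a server-log hit with CGNAT session records (constructed sample data).
# Under CGNAT many subscribers share one public IPv4 address, so a server log that
# records only the source address cannot single out a subscriber. With the source
# port and a UTC timestamp as well (what RFC 6302 / BCP 162 recommends servers log),
# the ISP can match the hit against its NAT session log. Addresses and times below
# are constructed for illustration; the access-log line format is an assumption.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class NatSession:
    internal_ip: str   # subscriber's private (CGN-side) address
    public_ip: str     # shared public address
    public_port: int   # port allocated to this subscriber
    start: datetime    # session start (UTC)
    end: datetime      # session end (UTC)

def _utc(hour, minute):
    return datetime(2022, 7, 24, hour, minute, tzinfo=timezone.utc)

# Constructed CGNAT translation log: two subscribers behind 203.0.113.7, and
# port 40001 is handed to the second subscriber after the first releases it.
NAT_LOG = [
    NatSession("100.64.1.10", "203.0.113.7", 40001, _utc(11, 0), _utc(11, 30)),
    NatSession("100.64.2.25", "203.0.113.7", 40001, _utc(11, 31), _utc(12, 0)),
    NatSession("100.64.2.25", "203.0.113.7", 40002, _utc(11, 5), _utc(11, 45)),
]

def parse_server_hit(line):
    """Parse an access-log line 'ISO8601-UTC public_ip:port request' into (ts, ip, port)."""
    ts_text, endpoint, _request = line.split(" ", 2)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    ip, port = endpoint.rsplit(":", 1)   # the last colon separates the port
    return ts, ip, int(port)

def attribute(line, sessions=NAT_LOG):
    """Internal address that held the hit's public ip:port at its timestamp, or None."""
    when, ip, port = parse_server_hit(line)
    for s in sessions:
        if (s.public_ip, s.public_port) == (ip, port) and s.start <= when <= s.end:
            return s.internal_ip
    return None   # no session record: unlogged period, clock skew, or wrong address

def candidates_without_port(line, sessions=NAT_LOG):
    """The same lookup with only address and time: every subscriber sharing it then."""
    when, ip, _port = parse_server_hit(line)
    return sorted({s.internal_ip for s in sessions
                   if s.public_ip == ip and s.start <= when <= s.end})
```

Port 40001 is reused by a second subscriber a minute after the first session ends, so a timestamp that is off by a few minutes (or missing its timezone) attributes the hit to the wrong customer; that is why the RFC insists on accurate, UTC-referenced clocks as well as the port.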
Re: Scanning the Internet for Vulnerabilities Re: 202207240927.AYC
Hi, John:

1) "... dynamically assigned IP address space can still be tracked back to a given system ... ": I fully agree with this statement. However,

A. You overlooked the critical consideration of the response time. If this cannot be done in real time for law enforcement purposes, it is meaningless.

B. Also, the goal is to spot the specific perpetrator, not the "system" which is too general to be meaningful. In fact, this would penalize the innocent users who happen to be on the same implied "system".

C. In addition, for your “whack-a-mole” metaphor, the party in charge is the mole, not the party with the mallet. It is a losing game for the mallet right from the beginning.

So, the current Internet practices put us way behind the starting line even before the game. Overall, this environment is favored by multi-national businesses with perpetrators riding along in the background. When security is breached, there are more than enough excuses to point the finger at. No wonder the outcome has always been disappointing for the general public.

2) What we need to do is to reverse the roles in every one of the above situations, if we hope for any meaningful result at all. The starting point is to review the root differences between the Internet and the traditional communication systems. With near half a century of Internet experience, we should be ready to study each issue from its source, not by perpetuating its misleading manifestations.

Regards,

Abe (2022-07-24 10:19 EDT)

On 2022-07-24 07:27, John Curran wrote:
> Abe -
>
> Static versus dynamic address assignment isn’t the problem - dynamically assigned IP address space can still be tracked back to a given system (reference: RFC6302/BCP162 & RFC6269 for discussion of the requirements and various related issues.)
>
> Tracking back to a particular server doesn’t really matter if all that happens is that the service is terminated (as the culprit will simply appear elsewhere in the Internet with a new connection/server and start over.)
>
> Alas, the situation doesn’t change unless/until there’s a willingness to engage law enforcement and pursue the attackers to prevent recurrence. This is non-trivial, both because of the skills necessary, the volume of attacks, the various jurisdictions involved, etc. – but the greatest obstacle is simply the attitude of “Why bother, that’s just the way it is…”
>
> With zero effective back pressure, we shouldn’t be surprised as frequency of attempts grows without bound.
>
> Thanks,
> /John
>
> Disclaimers: my views alone – no one else would claim them. Feel free to use/reuse/discard as you see fit.
>
> On 23 Jul 2022, at 10:28 PM, Abraham Y. Chen wrote:
>> Hi, John:
>>
>> 1) "... i.e. we’re instead going to engage in the world’s longest running game of “whack-a-mole” by just blocking their last known website/mail server/botnet and then wishing for the best… ": Perhaps it is time for us to consider the "Back to the Future" strategy, i.e., the Internet should practice static IP addresses like all traditional communication systems did?
>>
>> Regards,
>>
>> Abe (2022-07-23 22:27 EDT)
>>
>> On 2022-06-22 10:35, John Curran wrote:
>>> Barry -
>>>
>>> There is indeed a metaphor to your “rattling doorknobs”, but it’s not pretty when it comes to the Internet…
>>>
>>> If you call the police because someone is creeping around your property checking doors and windows for possible entry, then they will indeed come out and attempt to arrest the perpetrator (I am most certainly not a lawyer, but as I understand it even the act of opening an unlocked window or door is sufficient in many jurisdictions to satisfy the “breaking the seal of the property” premise and warrant charging under breaking and entering statutes.)
>>>
>>> Now welcome to the Internet… paint all your windows black, remove all lighting save for one small bulb over your front entry. Sit back and enjoy the continuous sounds of rattling doorknobs and scratching at the windows. If/when you find a digital culprit creeping around inside the home, your best option is to burn down the place and start anew with the copies you keep offsite in storage elsewhere. Similarly, if you find a “trap” (e.g., a phishing email) placed on your patio or amongst your mail… discard such cautiously and hope your kids use equal care.
>>>
>>> “Best practice” for handling these situations on the Internet is effectively to cope as best you can despite being inundated with attempts – i.e. most Internet security professionals and law enforcement will tell you that the idea of actually trying to identify and stop any of the culprits involved is considered rather quaint at best – i.e. we’re instead going to engage in the world’s longest running game of “whack-a-mole” by just blocking their last known website/mail server/botnet and then wishing for the best…
>>>
>>> Enjoy your Internet!
>>> /John
>>>
>>> Disclaimers: My views alone - use, reuse, or discard as desired. This message made of 100% recycled electrons.
>>>
>>> On 22 Jun 2022, at 12:04