To: Markus Stumpf <maex-lists-dns-ietf-dnsop@Space.Net>, dnsop@cafax.se
From: Edward Lewis <edlewis@arin.net>
Date: Thu, 17 Oct 2002 18:23:49 -0400
In-Reply-To: <20021015181721.U51431@Space.Net>
Sender: owner-dnsop@cafax.se
Subject: Re: Interim signing of the root zone.

At 18:17 +0200 10/15/02, Markus Stumpf wrote:
>Do you know if they don't do it every month with "small unimportant"
>incidents that no reporter finds worth writing an article? That we
>don't know about it doesn't mean that there is none. Maybe nobody
>is trying it hard enough/at all, currently.

There's no point in debating this.  In the context of an engineering 
discussion, we can only make progress against evident, tangible 
problems.  Getting caught up in what "might" be happening, or what we 
"believe" might be happening, will just lead us into rat holes.

>>  (The more times the attacker fails, the more chance the attacker has
>>  at getting caught before perfecting the attack.)
>
>Naaaa ... come on, it's not the late 80's. I am sure we all know and we

My above generalization doesn't just apply to the Internet.  The 
above principle is behind the reason nearly all serial murders are 
solved and bank robbing bands never get really rich.  This even 
applies to sports - offenses may change tactics, but eventually 
defenses adjust.

Security always starts from a position of weakness.  Security is 
initially reactionary until the pattern of attack is determined. 
Only then can security go on the offensive.  This is why a good 
security plan will not set out to prevent attacks, but rather manage 
the damage they initially cause.

Because attackers follow tendencies, security responses become more 
effective, and eventually the attacker is overwhelmed.  In many 
cases, first time attackers follow an already known pattern, so 
security responds correctly the first time.  Often times, getting 
caught once is enough to make an attacker less bold.

If that isn't convincing enough, there's the experience factor.  In 
any competitive situation, having more experience often outweighs 
luck and skill.  Attackers are rarely successful, hence don't gain 
much "good" experience.  Defenders often get to repel attack after 
attack - and do gain "good experience."  Not only that, the defenders 
see more angles of attack, which helps them anticipate new approaches.

>What we have seen so far are kids playing around. What do you think will
>happen, if someone/a group with a plan, enough theoretical/practical
>background and enough money /really/ wants to cause harm? And: I mean
>harm just for the purpose of causing harm.

What will happen?  Bad things, of course, given the conditions you 
describe.  But putting all those pieces together is awfully hard.  In 
that situation, prolonging your life is most effectively done by 
surrendering.  ('Course, "prolonging" may not be your choice of goal, 
especially if the captured are made slaves and have to build large 
pyramids.)  But remember that historically, no one has succeeded in 
"ruling the world."  It's just too hard, logistics will get you every 
time.  And, generally those with sanity and enough resources will not 
see the need to risk losing it all in an attack.

>>  There are no network police, but there are existing legal
>>  jurisdictions.
>
>Where? Think global. There are many countries around the world and they all
>have different laws. Some even don't have laws for computer fraud at all.
>And: if someone writes such a worm and injects it via public internet
>access points (e.g. internet cafes) how do you think you will ever be
>able to trace her/him back? Make a holiday trip to Bangkok, there's
>public internet at every corner. The PC are usually well equipped, CD
>drives and all. Spend some bucks and have fun.

I've been to Bangkok.  They have laws.  They do have jails.  Police 
officers are present all over the city.  The Department of 
Corrections building along the river has its name spelled out in 
English - I assume to at least make sure visitors know it exists.

I am thinking global.  There are pockets in the world that are 
(perceived to be) light on law enforcement.  They are pressured 
politically to comply, if the lawlessness is rampant enough.  They 
are also economically sanctioned and sometimes even invaded.

>>  My point here is - if
>>  the attacker is thrown in jail, the attack will stop by then.
>
>Wrong again. Think CodeRed, think Nimda.
>Do you think the attacks will stop, just because the originator of the
>virus is thrown to jail (if at all possible with local jurisdiction)?

"Just because" - no, of course not.  But each time the originator is 
caught and punished, the appeal of attacking lessens.

I'm not sure if my answer is at all helpful.  The reason I am 
bothering is that I sense a misunderstanding of what "security" is all 
about, and how signing the root zone helps us.  Signing the root 
won't stop someone from doing bad things, but it will make it that 
much harder to accomplish an attack and get away with it.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                          +1-703-227-9854
ARIN Research Engineer
