Coffeehouse Thread

19 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

A compartmentalized Internet?

Back to Forum: Coffeehouse
  • User profile image
    davewill

    With state sponsored offensive Internet attacks almost reaching a point where it isn't even covert anymore, will the Internet have to be compartmentalized for business to succeed?

    Will anyone operating in RIPE have to block APNIC, arin, and vice-versa? Will those entities have to be reshuffled so their boundaries fit the state conflict boundaries?  Will the central authority of those entities be usurped by state or multi-state centralized authority (in the name of being best for its citizens, of course)?

    We all want our businesses to succeed. Today it seems business is increasingly caught in the middle of this Internet naughtiness, whether they be direct targets or more likely indirect pawns.

    It seems the desire for businesses to use the Internet for scale and financial savings is coming at a time when governments around the world are increasing their ability to be offensive on the very same network that business relies upon.  As a result, business is increasingly caught in the middle of this Internet naughtiness, whether they be direct targets or more likely indirect pawns.

    I see an impending virtual set of walls appearing on the Internet map, a compartmentalized Internet.  A set of black markets will appear as underground conduits between state (more likely multi-state) compartments.

    Does anyone else see this same impending conflict?  Does anyone else see another outcome?

  • User profile image
    figuerres

    well the orignal model / design for the "internet" was one of multiple networks that peer with each other so that one network going dark would not stop the other networks from continuing to operate.

    the trends i have seen over the last 20 years have been to try and make a more centeralized and hirearchical network.  IMHO that makes for problems as you limit routes to other networks.

    *IF* we want back to a more decenteralized netowrk it would better allow each network to act on it's own.

    while not without problems if you have many routes to use you can select the ones that give less ptoblems.  you can let traffic get dropped when the source is attacking your network.

    if multiple networks that connect to a netowork sending out attack traffic stop routing it then it is blocked from the glabal netwwork.

  • User profile image
    W3bbo

    ,davewill wrote

    With state sponsored offensive Internet attacks almost reaching a point where it isn't even covert anymore, will the Internet have to be compartmentalized for business to succeed?

    What "attacks" on the Internet? The worst I've seen are moralist politicians seeking to impose content filtering for users, and Hollywood looking to ban BitTorrent. These are all groups concerned with what the Internet is used for, rather than the Internet itself.

    Will anyone operating in RIPE have to block APNIC, arin, and vice-versa? Will those entities have to be reshuffled so their boundaries fit the state conflict boundaries?  Will the central authority of those entities be usurped by state or multi-state centralized authority (in the name of being best for its citizens, of course)?

    I can't say. As for RIPE, I don't manage that, my account manager at my colocation provider handles all that for me. RIPE is just an entity that assigns blocks of IP addresses to customers. RIPE, APNIC, etc all exist to co-ordinate things, they're not King-makers. AS operators are free to completely disregard them and attempt to peer with other ASes. The Internet only needs co-operation to work, it doesn't require authoritative rule.

    We all want our businesses to succeed. Today it seems business is increasingly caught in the middle of this Internet naughtiness, whether they be direct targets or more likely indirect pawns.

    If you're referring to DDoS attacks, those are simply an occupational hazard; they're easy to avoid: don't be a target, and if you are a target then you probably have the resources to handle the situation.

    It seems the desire for businesses to use the Internet for scale and financial savings is coming at a time when governments around the world are increasing their ability to be offensive on the very same network that business relies upon.  As a result, business is increasingly caught in the middle of this Internet naughtiness, whether they be direct targets or more likely indirect pawns.

    I don't understand. How are governments being "offensive" on the Internet in such a way that it impacts e-business?

    I see an impending virtual set of walls appearing on the Internet map, a compartmentalized Internet.  A set of black markets will appear as underground conduits between state (more likely multi-state) compartments.

    Does anyone else see this same impending conflict?  Does anyone else see another outcome?

    If you're supposing a grander version of the "walled garden" approach of the mid-1990s (AOL, Compuserve, etc) will make a come-back, you'll be disappointed. Free markets, etc.

  • User profile image
    blowdart

    ,W3bbo wrote

    I don't understand. How are governments being "offensive" on the Internet in such a way that it impacts e-business?

    US: Domain name seizures for businesses operating outside their country

    China, UAE, Australia, UK : The filtering/great firewalls.

    Media businesses : 3 strikes laws being pushed with the help of the US on other governments

    The attacks on the pseudo anonymity by putting onerous logging  into place. The stupidity of the likes of France which now mandates passwords should be handed over (so no more hashed passwords for you)

    And of course state sponsored hacking, DNS highjacks, rerouting through government owned facilities (all AT&T traffic rerouted facebook through Chinaa few months back) and so on.

  • User profile image
    evildictait​or

    ,blowdart wrote

    ...UK... : The filtering/great firewalls.

    Generic Forum Image

    I don't remember my internet being filtered or blocked, at least not last time I checked.

    Looks to me like there might be some really wild extrapolations on this post.

  • User profile image
    blowdart

    ,evildictait​or wrote

    I don't remember my internet being filtered or blocked, at least not last time I checked.

    Looks to me like there might be some really wild extrapolations on this post.

    Actually it is. The Internet Watch Foundation is a non-governmental block list which blocks potentially illegal content. It's supposed to be blocking child porn through major ISP connections, but there's no oversight at all, which is why they ended up blocking wikipedia at one point.

  • User profile image
    W3bbo

    ,blowdart wrote

    *snip*

    Actually it is. The Internet Watch Foundation is a non-governmental block list which blocks potentially illegal content. It's supposed to be blocking child porn through major ISP connections, but there's no oversight at all, which is why they ended up blocking wikipedia at one point.

    Er...not quite.

    Backstory: someone uploaded the album art of "Virgin Killer" to Wikipedia, it features a naked prepubescent girl in a provoactive posing, but with a lens-crack effect where her genitalia are.

    Someone reported this to the IWF, so they added the path to the image to their blacklist. The IWF only provides the list, actual implementation is up to the ISPs, though most use the "Cleanfeed" system, where every outgoing IP packet is inspected for its destination header:

    If the IP address matches the IP address of a known "bad server" (e.g. "en.wikipedia.org" = 208.80.152.2) then the request is routed through a proxy server which then does the DPI of the HTTP information.

    If the HTTP resource path matches "/images/virginkiller.jpg" then the proxy server returns a response to the end-user "omg ur a paedo", otherwise the proxy server forwards the request to Wikipedia.

    Virgin Internet (and a few other ISPs) used this system, which accounts for millions of users, so Wikipedia noticed that suddenly all these users and edits were suddenly all coming from a small number of IP addresses (the Virgin Cleanfeed proxy servers) and Wikipedia had to block all anonymous edits originating from these IP addresses because it was impossible to identify individual users to a reasonable degree.

    --------------------------------

    Anyway, only the larger ISPs actually implement any kind of content filter, legislation only "requires" it for residential connections (business ISPs are exempt) and smaller ISPs get by without any filtering.

  • User profile image
    blowdart

    ,W3bbo wrote

    *snip*

    Er...not quite.

    Anyway, only the larger ISPs actually implement any kind of content filter, legislation only "requires" it for residential connections (business ISPs are exempt) and smaller ISPs get by without any filtering.

    It did manage to block all of the Internet Wayback machine. I don't believe there's a legislative requirement for use, but there certainly is a moral pressure, and that doesn't get away from the lack of oversight or redress. Then there's it's somewhat dubious charity status.

  • User profile image
    davewill

    ,W3bbo wrote

    *snip*

    What "attacks" on the Internet? The worst I've seen are moralist politicians seeking to impose content filtering for users, and Hollywood looking to ban BitTorrent. These are all groups concerned with what the Internet is used for, rather than the Internet itself.

    I'm not privi to details of nation-state attacks (nor do I want to be as I don't have the resources to play in that sandbox).  My general sense lately has been that nation-state sponsored attack activity is on the rise.

    I don't understand. How are governments being "offensive" on the Internet in such a way that it impacts e-business?

    The impact isn't limited to just e-business.  I'm sure Siemens wasn't thrilled to be associated with the stuxnet story.  I've heard chatter of 2 or 3 post stuxnet naughty-naughties (again nothing specific just chatter).

    I ran across a term new to me and found it interesting for this discussion ... splinternet (http://en.wikipedia.org/wiki/Splinternet ).

     

    As a business owner my number one concern is my customers.  If that means the other 99% of the world is blocked out of the network to keep the customers happy and productive then it won't take long to make that decision.  If increasing numbers of businesses become affected then it seems a tipping point will be reached and a desire will be raised to just block communication altogether at levels above the single business level.

  • User profile image
    evildictait​or

    ,blowdart wrote

    The Internet Watch Foundation isa non-governmental block list ....

    So the government is, in fact, not blocking your content. If you choose to get your internet from an ISP which chooses to block access to en.wikipedia.org then it sucks to be you, take that up with your ISP. The government didn't tell them to (the IWP block list isn't legally enforced) and in fact, didn't even ask them to (the IWP isn't even the government) and the government didn't implement the block (your ISP did - not MI6 blocking your internets like the great firewall of China).

    So I stand by my original assertion that:

    I don't remember my internet being filtered or blocked, at least not last time I checked.

    Looks to me like there might be some really wild extrapolations on this post.

     

     

     

  • User profile image
    blowdart

    ,evildictait​or wrote

    *snip*

    So the government is, in fact, not blocking your content

    Not exactly. They are funded by the government, and staffed by the usual quango brigade. The government set the damned thing up. It's an arm of government no matter how much it wants to try to distance itself.

    Oh and then there's the pulling of internet connections for movie/music pirates too.

  • User profile image
    W3bbo

    ,blowdart wrote

    Oh and then there's the pulling of internet connections for movie/music pirates too.

    They aren't going to do that.

  • User profile image
    evildictait​or

    ,blowdart wrote

    Not exactly. They are funded by the government, and staffed by the usual quango brigade. The government set the damned thing up. It's an arm of government no matter how much it wants to try to distance itself.

    Lots of things are funded by the government, and of the large amounts of money spent by government I think money spent on defeating child pornography and child traffiking is amongst some of the government's better choices for spending money in recent years.

    The non-governmental body whose head is not appointed by the government, doesn't report to the government, doesn't have a minister in charge of it etc. also has no legislative power to enforce anything on anyone. It is literally a charity that maintains a list of bad websites.

    If your ISP chooses to block access to child pornography, well that's for them to decide how to do. Having a freely available list of bad sites is an easy way to do that, but they don't have to use it. They could either make their own list or not block anything at all - that's the ISP's decision, not the government's.

    This all boils down to the fact that unlike Iran, Syria, China, Pakistan, Saudi Arabia and so on, your government doesn't restrict your lawful access to the Internet in any way, shape or form (and it doesn't stop your unlawful access either - although it will put you in jail for it later), and by saying that it does, you are trivialising the oppressive regimes that don't have the many freedoms that we still have in the west.

  • User profile image
    Maddus Mattus

    @evildictaitor:

    Actually, in France you have the three strikes your off the net law.

    That's even worse then the regimes you mentioned.

  • User profile image
    davewill

    KrebsOnSecurity released the attack list connected with the RSA security breach 12 months ago.

    http://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/

    Take a gander at the command and control chart at the bottom.  Machines located in China by far are the commanders.

    On a network by network level it seems rational to (without exception) block all APNIC ip addresses.  http://www.apnic.net/publications/research-and-insights/ip-address-trends/apnic-resource-range .  Sorry Australia.

    Arg.  It is like living in a high crime neighborhood.  Put bars on the doors and windows while we try and turn the neighborhood around.

  • User profile image
    evildictait​or

    You're making some pretty bold assumptions that having an IP address in China means that it's China doing the attack there. It's super easy to get hosting in any given country (including the UK and the US) - and you can proxy attacks through that hosting.

    If you block your server from talking to China and someone in China wants to hack you, they'll just get hosting in Seattle and proxy the traffic from there. To you it'll look like the US is attacking you.

  • User profile image
    davewill

    @evildictaitor: Agreed.  Tracked a New Jersey server today.  I don't know the answer thus the discussion.  But at this point the alternative is to block everything and open up to trusted partners and customers on a case by case basis.  Even with that who can really be trusted.  If big corporations with mega security budgets can't protect themselves how can anyone really be trusted?  This blows holes in just about any idea I've had.

  • User profile image
    evildictait​or

    If big corporations with mega security budgets can't protect themselves how can anyone really be trusted?  This blows holes in just about any idea I've had.

    DSD (the Australian equivilent of the NSA) recently published a list of guidelines (http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm) which were wholeheartedly endorsed by SANS (https://www.sans.org/press/australian-defence-signals-directorate-national-cybersecurity-award.php).

    Basically the gist of it is

    a) There are a few super-good hackers out there, and you can't practically defend against those.
    b) Most high-cost/high-damage hacks that take place on the Internet are not done by those few super-good hackers. They are done by idiots who downloaded metasploit, typed in the address of the company they want info from and press "go".
    c) Companies that don't keep up to date with software updates, windows updates and windows major versions can and do get hacked. If you run fully up-to-date IE/Firefox/Flash/Windows/Office with full patching enabled and don't download free smileys, porn or pirated games you're pretty unlikely to get hacked.

Conversation locked

This conversation has been locked by the site admins. No new comments can be made.