[LINK] internet chapter of secret ACTA draft leaked
James Collins
nospam at ggcs.net.au
Tue Feb 23 23:24:14 AEDT 2010
Thanks for your reply Kim! It's going to take me a little while to answer
all those questions! Can you ask them one at a time next time!!! :)
>> We talked about the problems associated with the Copyright decision
>> ...
>> the function of the Australian Protected Network proposal which I
> I went to your website or should I say web page. It is a rather wide
> page that doesn't really say anything or go anywhere.
Sad isn't it. There's very little I can do as a lone voice in the
wilderness. But as the APN site says, a safer, more secure network, is just
waiting for us. Collaboration requires more than one voice, and while many
like the idea of the result of this project, few are prepared to stand up
and say, "OK. Let's look into this!". I'll try and put something more
descriptive up there, but there is just so much to do every day!
> I read your submission pdf.
Which submission PDF? You mean to the Cybercrime committee?
> Not a lot of technical detail really.
Technical details are not what they want in those submissions, they made it
very clear that Politicians had to understand it! Tricky! :) I had to dumb
it down an awful lot of times to make it acceptable.
> Perhaps you could explain what it is you're trying to do?
Provide a first level of defence on the Internet. A little like Social
Networking, but instead, working together to provide "Protective
Networking". We constantly get bombarded with information that we could use
to protect ourselves on a large scale. If those "Logical" attacks were
physical, we would at the very least protect ourselves. Since it's an
international issue, we'd probably get the UN involved!
> Give people a firewall? A firewall they control?
Yes. And not that simple. As far as the ISP end of the equation goes, it
could be anything that is able to function as a proxy and able to block IPs
and Ports selectively. As far as the user is concerned, they'd join
communities of protection that reflect their needs. Different access levels
are given to people who want to Monitor or Moderate the network. Only a
small percentage of the population are likely to want to get involved, but
it will be possible for them to.
> Ordinary users? Can opt in or out of whatever they want?
Yes, ordinary internet users have access to the Protected Network as their
Internet connection. They're able to select what protection levels they
want.
> And this is different from when grandma gets asked a weird question by
> ZoneAlarm that even an IT professional might not be able to answer, how?
Bingo! You've got one of the biggest problems with the current protection
systems right there. People don't know how to use them because they are
complex and difficult to use. I can't fix that. The final line of defence is
up to the providers of Virus and Firewall software. But we can protect
Internet connected devices against things that we know exist, when we know
where they are coming from.
> A firewall which is connected to your servers and database?
> And some kind of privileged communication between users' firewalls and
> your servers?
The reason why the ISPs have to be brought onside is because that is where
the firewalling function needs to occur. Before the connection enters the
network. Hence the name Protected Network. We know an awful lot about the
origins of scams, viruses and materials that we basically don't want on our
computers (Unless we are a researcher into these things of course! Or
perhaps you're "into" that sort of thing!?). Even if you don't consider that
I might just have something with my Knowledge Engine computer which is
constantly searching for these things, there are a lot of sources of
information which can assist us in locating what needs to be blocked to
protect us.
http://www.computerworld.com.au/article/334162/experts_us_gov_t_needs_prepare_cyberwar/
> And finally from slashdot:
> Your post advocates a
> (X) technical
It's Technical, and it's social. We get together, and we protect ourselves.
It's only logical and sensible.
> (X) It is defenseless against brute force attacks
It's not you know :)... The router entry between the Protected Network and
the rest of the Internet isn't likely to be a squiddly little thing which is
easily overcome. Besides, on the other side of the connection, there's
peace. If you're going to Denial of Service something, you'll be DOSing the
Internet Service Provider's router. They don't tend to take kindly to that
sort of thing. Of course "Brute Force" could mean a lot of things, but in
this context, I assume that's what you mean?
> (X) Users of the internet will not put up with it
> (X) Users of the internet will not understand it
That's actually the current position of internet users. They are frustrated
and confused. They don't know what's wrong with their computers, they don't
know how to protect themselves, and they certainly don't know what buttons
to press on the existing range of PC based protection products. Let's put a
first line of defence up that detects the problems, isolates the problems,
and informs the users what they can do.
> (X) The police will not put up with it
> (X) The government will not put up with it
Police are going to love this. Criminals are going to hate it! And they ARE
going to try everything in the book to stop it happening. They're currently
searching for a needle in a haystack and coming up against all manner of
obstacles in their search. Let's take that haystack and turn it into... a
Hay Bale. Remove Ma and Pa kettle from the equation.
> (X) Requires immediate total cooperation from everybody at once
> (X) Many internet users cannot afford to lose business or alienate
> potential employers
Not everyone will take an active role on the Protected Network. There will
need to be a hierarchy of people who are responsible for maintaining the
network. The computer system I've designed will control this. As for
alienation and loss of business. That's what we have at this moment.
> ( ) Spammers don't care about invalid addresses in their lists
And Gee that's a handy little fact, amongst a million other handy little
facts when it comes to spam, but then that's another story.
> (X) Evil packets don't always have the evil packet bit set.
RFC 3514 Would deny that. At least in certain instances.
> (X) Lack of centrally controlling authority for the internet
Yes there is. That's one of its strengths, and the reason why I need the
government to get involved. I said 8 years ago that they would eventually
get involved, and everyone told me to go stick my head in a pig. Well now
they are getting involved, let's do something useful and right. Not
something hasty and haphazard. I've not just dreamt this up overnight.
> (X) Asshats
This is an unfortunate fact of life. Fortunately, I've considered that. To
make an impact on the network, they would have to plan it for ages, slowly
building themselves up as a good guy. Pretending to be one thing, when they
are actually another. Eventually reaching the position of Moderator before
showing their true colours in one blinding flash of attack on the network,
telling it outright lies and basically ruining everything. Of course the
very technology that decided their access level in the first place would
detect this affront on the system and not only cut them down, but rectify
their attempt. What a sad thing.... NOT.
> (X) Jurisdictional problems
There would be such problems if we were to force them to use the network. If
we were to mandate that they MUST do this or that they MUST do that, then
indeed, there would be innumerable problems. Fortunately, the very "Spirit"
of the Australian Protected Network is that of friendly cooperation. If you
don't want to use it, you don't have to. Your loss.
> (X) Susceptibility of protocols other than HTTP and SMTP to attack
This is harking back more to the Spam orientation of the original form, but
is worth answering. There are some things which affect us and are
transported via the HTTP protocol, or at least via the Proxy server system.
Others use more sophisticated means of attack. I could certainly craft an IP
Packet which passes seamlessly through a firewall, if I had enough knowledge
of how that firewall worked. Perhaps I could spoof origin addresses and
route packets in ways that would make it more difficult to locate me. But is
that any reason to not block an IP Address which only has one purpose, and
that is to do me harm? And you know that there are lots out there that fall
into that category, so we've got some good we can do straight away!
> (X) Armies of worm riddled broadband-connected Windows boxes
This is where our problems are right now. 1/3 of the eastern seaboard of
Australia is infected. That's shocking. And we're just sitting here arguing
the point about whether it's worth doing something. No offence intended!
Those people, with those machines that are infected, are real people. They
are trying to use their machines, and do their banking, and run their web
searches. Let's identify their problem, where we can!, protect the rest of
the Net from them and them from themselves. Let's point them towards the
help that they need to correct their problem. They expect people like us, to
do what we can to help them. We aren't doing enough. There is so much we CAN
do.
> (X) Eternal arms race involved in all filtering approaches
You better believe it. And we don't want to have the Kim Holburns of this
world on the wrong side. We, the people of Australia, want you working with
us. It's going to be a constant battle between the system and hackers, as
the system discovers new vectors of attack and blocks them.
> (X) Extreme profitability of spam
That's about the only thing that keeps the botnets from doing something more
destructive. As long as Spam is profitable, they'll keep using them for that
purpose. Not entirely safe, but not as dangerous as some of the things they
could be using them for. At the moment, they are staying as quiet and as far
below the radar as possible.
> (X) Extreme profitability of malware
See above.
> (X) Technically illiterate politicians
Ah. Now you've got me on that one. But Politicians are advised by advisors.
Unfortunately, they appear to be worse. They know just enough to be
dangerous, but not enough to make a responsible technical decision. Someone,
for instance, correctly advised Senator Conroy about what the capacity of
HTTP filtering was. Unfortunately, they also missed a whole stack of other
stuff out. Not least of which is just how counter-productive the current
approach is!
> (X) Extreme stupidity on the part of people who do business with
> spammers and malware
That's why we need a simple push button first line of defence. Yes, we will
still need more complicated Anti-Virus programs to protect as a final line
of defence, but let's give them a first line.
> (X) Dishonesty on the part of spammers and malware controllers
> themselves
Don't know where this one comes in the form really. I mean, by definition
that's a fact.
> and the following philosophical objections may also apply:
> (X) Ideas similar to yours are easy to come up with,
> yet none have ever been shown practical
Yes and no. Like I said, there's a heck of a lot more to this system than a
simple blocking list. The matrix which drives this is quite unique in its
approach to making decisions, while the philosophy behind people getting
together for protection dates back to the stone age!
> ( ) Any scheme based on opt-out is unacceptable
> (X) Any scheme based on opt-in is unacceptable
I ah, won't bother commenting on that one, since it's obviously part of the
form which is specifically designed to not be answered :) Mind you, the
entire form is an attempt to prevent answering. So perhaps I should? I
wonder if you put the X in the wrong box? To some people, any "Scheme" would
be unacceptable, simply because it doesn't maintain the status quo.
Unfortunately, in this arena, there is no status quo. It's accelerating. In
the wrong direction...
> (X) Blacklists suck
> (X) Whitelists suck
Heck yes. If this were nothing more than a bunch of static lists, it would
be next to useless, but you partially guessed how this system works earlier.
Before you entered into "Form" mode, you suggested the possibility of a
database connected to a firewall. This is what it essentially becomes.
Something which is able to respond to threats as they occur.
> (X) Why should we have to trust you and your servers?
Because it'll be Your database, and Jan's database, and everyone's database.
More than that, it will be the sum of our values. It will get information
from sources on the network which already provide this information, and that
vendors are already using.
> (X) Feel-good measures do nothing to solve the problem
How true. But sometimes, sometimes miracles do happen. Sometimes "Schemes"
can be made to make our lives better. If the people behind them are true to
their convictions. I'm not saying that implementing this network would
happen overnight, and I've certainly learned to live with detractors to the
system. But if we worked together, instead of against each other, we could
actually protect people. After all, wasn't that what the Internet was first
built to do? To share information and cooperate with each other?
> Furthermore, this is what I think about you:
> (X) Sorry dude, but I don't think it would work.
> ( ) This is a stupid idea, and you're a stupid person for suggesting it.
> ( ) Nice try, assh0le! I'm going to find out where you live
> and burn your house down!
Well I must say that, given the choices that the form made available to you,
I appreciate your answer to that particular block! :). But to answer
this particular comment, I realise that there is a great deal of trepidation
surrounding this suggestion. How will it communicate with the boxes at the
ISPs? How will you provide the security it needs to provide reliable data?
There's a million and one questions. I know, I've been asked them enough
over the years. And that's why I've spent so much time designing all this.
Yes, the APN website, which I only put up in the past few weeks, doesn't
explain how it works. And the plain and simple reason for that is that there
is just TOO much to put up there, and too little time to manage the network
by myself. And quite frankly, there are probably a lot of things that I
shouldn't put up there for security reasons. But if you are half the man I
think you are, I think you'll be able to tell that I have worked on this
concept for an awfully long time. I've made the basic tenets to all my work
in Web Management towards this issue. To protect people, intuitively, with
interactive technologies that work for good, and not evil.
I thank you for your time, and apologise to the "Link" for the verbose
reply!
-- James :) Collins - Head Office * +61-7-3823-5150 *
,-_|\ Web Management InterActive Technologies
/ * Sydney Office - +61-2-8011-3237
\_,-._/ Canberra Office - +61-2-6100-7721
v Fax Number - +61-7-3823-5152
www.wmit.net - P.O. Box 1073, Capalaba, Qld, 4157