[LINK] Fixing the internet (I didn't know it was broken? Clogged maybe?) (was Re: internet chapter of secret ACTA draft leaked

James Collins nospam at ggcs.net.au
Wed Feb 24 11:07:26 AEDT 2010


> Not to be discouraging but there is a general law (of economics?)  
> whose name I forget that says: If it were easy to do, somebody would  
> already be doing it.

I didn't say that it was going to be easy to do. I said it can be done.
Actual implementation and operation is a straight forward enough concept,
but getting everyone to understand A) The need for it and B) The
practicality of it; now that's not been easy. (A) has become more and more
obvious as the years have rolled by, and (B) has followed close behind.
Rising threats which even major software protection providers and the US
government are admitting to are making sure of that. With the threat of a
mandatory version of this with no User input, no give and take, no actual
protection, and no real advantages, this system has to be looked at in a
different light, surely?

> Even if I create a small safe, protected part of the network for  
> myself why should I trust someone else's safe part?

You're possibly getting a little ahead of the game here, and that's fine,
but you're missing some of the preceding parts. Try and bear with me Kim, I
know this is a little tricky to follow since it's different. But different
locations on the net are classified as dangerous because of Phishing
activities, Hacker dens, known locations from which botnets run, etc. You
select those areas which you want to block, and include them as part of your
protection. Heck you might be allergic to gambling for instance! If you even
hear a Roulette wheel your heart rate increases. So you include that.

> Creating a safe network is not simply adding border protection.
> It would at the very least involve testing all the internal parts of the
> network and all the edge devices.  Not a simple process.

Which is why discovery and notification of compromised computers is so vital
to this operation. The talk at the moment, without the introduction of the
APN is that people who have compromised computers may simply be denied
access on the Australian Internet. ISPs would be required to identify and
deactivate their connections until they get their computers fixed. Now call
me naive if you like, but I think an APN style system which got them the
help they needed while protecting others from their ... infection ... would be
a lot more useful. Why remove their access to help, when with a system like
the APN we can do something positive?  

> There are people who say that if there are windows desktops in there then
> ...
> systems on hard disks then it's not going to be safe, all systems must
> boot off CDs.

I will admit that in a _standard_ "static firewall" based system, where all
machines in a DMZ are able to freely talk to each other, that this is the
case. However, this isn't what we're talking about. It's much more than
that, as I hope you can see. We have data sources that tell us there are
threats. We have security experts who are able to detect compromises. We
have good, powerful network tools that are able to protect networks. Put it
all together.

> It's the areas of a network with desktops that are the most difficult  
> to protect and to protect from.  They are the problem!

Once again on this point, we aren't talking about a normal situation with a
DMZ and a link to the internet. We're talking about an interactive system
which protects people from themselves as well as from external inputs.

> The more smarts you put at borders the slower and messier your network  
> gets.

Ah now this is an important part. You can't have smarts at the edge of the
network. When it comes to the processing of those packets through a network
device, you don't want any more analysis and shredding than is absolutely
necessary. We already have enough work for the routers to do detecting
spoofed packets and diverting terabytes of data around every day. When it
comes to the edge, it needs to simply know do I allow this packet? Or not. 

> There are also severe privacy concerns with proxies and  application
> gateways and DPI.

Extremely. And I've already privately emailed people like Roger a long time
ago saying that one day, I hope I'll need their advice on the best way to
handle these issues. But here's the real kicker. All those other "Filtering"
and "Monitoring" systems out there that process our internet usage, they
really do monitor all traffic passing through our internet connections.
Already Telstra has implemented a system to try and catch failed DNS queries
and use them to their advantage, bypassing the 404 system. Companies which
run server based internet filtering routinely monitor access and report
findings to foreign based servers in the UK, Japan and US. The APN design
does none of this. None. Zero. Zip. The simple proxy system for the HTTP
side of the equation doesn't need to keep the logs for more than the
maintenance of the system. And I think someone was talking about that
recently. Doesn't matter to the APN anyway, they can be deleted daily?

> The internet works because it's a dumb network.
> The smarts are at the edges, where the people are.
> That's not going to change.  

Unfortunately, judging by the rapid rise of compromised machines, that
theory is not working. The number of compromised systems is accelerating at
a great rate of knots. I understand the reasoning, but it just hasn't proven
itself over time. It's certainly "Part" of the solution. It's just not the
whole solution. The APN isn't the whole solution. It's just the "First line
of defence".

> We have to fix the edges, if we can.

Precisely. But before we can even start to work on that, we have to make a
leap of faith somewhere. The man who did the first open heart surgery, I
can't remember his name, before he did that operation, no one else had.
There's got to be a first time, somewhere on this planet, where we get
together and work this one out.

>> Yes, ordinary internet users have access to the Protected Network as  

> So they have to have some special hardware to opt in?  Then it's not  
> simple.  If they can choose what protection levels then how are they  
> safe, how can the others trust them?

No special hardware required. Let's face it, the basic level of protection
on the network would have to provide protection from compromised machines.
That's 101. 

>> Internet connected devices against things that we know exist, when  

> And how does the ordinary user know what level of protection to ask for?

I should think using simple terminology should suffice. Do you want
protection from: etc.

>> do what we can to help them. We aren't doing enough. There is so  
>> much we CAN do.

> How?  and who's going to pay for it?

In a few words, two very good questions. How? See above. Who's going to pay
for it? First question in answer to that is "Who is paying for the lack of
it at the moment?" We all are! Do you think the banks print that money they
refund from when people get scammed on the internet? Not trying to be
offensive or too cheeky here, but seriously, this is a big cost in our
modern, Internet connected society. Initial roll out and implementation of
the APN has already been budgeted for. It's currently a mandatory filter,
but this would be much cheaper to implement and operate in the first year
alone. As to the longer term, well I have a few ideas, but I'd have to have
the APN functioning properly and people interested in cooperating first. But
I believe it could be a lot cheaper than we think...

Thank you again for your reply Kim. I really believe we can make something
positive out of all these goings on, and we can make a difference here,
today. A trip of a thousand miles starts with the first step. Or in my case,
another worn out keyboard!


-- James :) Collins - Head Office * +61-7-3823-5150 *
   ,-_|\    Web Management InterActive Technologies
  /      *  Sydney Office      - +61-2-8011-3237
  \_,-._/   Canberra Office    - +61-2-6100-7721
        v   Fax Number         - +61-7-3823-5152
www.wmit.net - P.O. Box 1073, Capalaba, Qld, 4157
