[LINK] internet chapter of secret ACTA draft leaked

James Collins nospam at ggcs.net.au
Wed Feb 24 16:49:33 AEDT 2010


> OK, I'm going to give your idea a moment of my time.

Thank you Glen, I appreciate that.

> 1) It won't help ISPs overcome their issues with ACTA.  The
> ...
> APN firewalls, seeing that as a useful lever too.

Well I'm not a lawyer, that's why I asked one who has a special
interest in this area. Regarding the operation of the APN, we could provide
them with input to a type, but it would need to be voluntary for people to
use it, or it would cause problems. A "lever" would be putting it mildly.
But as far as Graham could see, it would safely take the ISP out of the
equation.

> ISPs don't want to be involved in a fight between the
> ..
> customers at the behest of a party totally unconnected with you.

No fight involved. As I understand it, if the ISP makes the protection
available, and the user doesn't take it up, then the ISP is safe, and the
User is the only one who has chosen not to be protected.

> ...
> "Deep packet inspection" is CPU intensive.
> ...

Yes it is, but we're not talking fancy CPU intensive DPI here, we're talking
routing only. That's as far as the IP Address layer is concerned.

> Technically, you need federated configuration of the firewalls on
> 
> idea whose time has come and I'd encourage you to pursue it.

Federated installs would certainly take a load off ISP routers, but would to
a certain degree deny some of the function of the Protected Network, I
suspect. Certainly something that's worth pursuing. I've worked to make it
as painless as possible for the ISPs.

> 3) Blocking is problematic.

Straight out forced blocking of web sites is certainly problematic. Surgical
blocking of dangerous sites on a voluntary basis is advantageous to the user
who could otherwise fall foul. There's a lot more to this than just blocking
though. We need to find compromised locations and advise them of their
problem, blocking them until it is fixed, and then releasing the blocks. NB:
They are going to do some other silly thing if we don't become proactive in
this and put forward a more sensible alternative. 

> 3a) Evil traffic runs on real ports between real IP addresses.
> For example, HTTP to a real but subverted web server.

Yeah, so for instance, the Conficker worm: we knew web sites which purported
to remove the worm, or protect users from the worm, and did just the
opposite. We could block them. We knew websites that the worm was trying to
connect to and download instructions from. We could protect them from those
things. In fact, we could protect users from any website which we knew was a
phishing site, within minutes of its discovery. Isn't that worth a little
hard work?

> 3b) You don't know what you are blocking. It could be a machine,
> ...

Phishing sites aren't usually hospitals. But in this case, we would
certainly have to be surgical in our approach.

> For example, imagine a parliament with its web site being DDoSed.
> ....
> a political website can continue to serve its pamphlets.

We could certainly stop them before they reached the Protected Network, and
allow Australian Citizens on the Protected Network access to their
Government's resources.


-- James :) Collins - Head Office * +61-7-3823-5150 *
   ,-_|\    Web Management InterActive Technologies
  /      *  Sydney Office      - +61-2-8011-3237
  \_,-._/   Canberra Office    - +61-2-6100-7721
        v   Fax Number         - +61-7-3823-5152
www.wmit.net - P.O. Box 1073, Capalaba, Qld, 4157


> So blocking is effective on a small scale, but fails at a large
> scale.

-- 
  Glen Turner   <http://www.gdt.id.au/~gdt/>



