Re: Calcuating Loss

["'Alexander Schreiber'" <als () thangorodrim de>]

On Wed, May 12, 2004 at 08:56:25AM -0700, Schmidt, Michael R. wrote:
> Well one of the biggest issues that allows people to remain anonymous
> is DHCP. 

No. Even Dialup (modem/ISDN), Cable or DSL users who get a new IP
address on every reconnect or every $X hours can be traced back easily
by their appropriate provider who can identifiy them by phone number of
their line or by MAC. Although you do _not_ _identify_ _persons_ this way,
only _equipment_ - which supposedly is linked to a person (think stolen
cell phone - which is getting a more interesting target with UMTS due to
the higher bandwith there (yes, I know a cell phones location can be
pinpointed to within a few hundred meters or less)).

> If everyone on the internet was required to get a static IP
> address, or to log which IP they were using - using a secure technology
> then everyone could be tracked, sure a few "super" hackers could still
> manage to escape detection I am sure,

No need for super hackers. All you need is one of the usual worms and
the usual windows box. Or even better, a normal (read: unsecured)
WaveLAN. Instant free net access or at least proxy.

> but there is nothing that is the equivalent of a drivers license on the
> internet.
>
> Sure there would still be criminals using stolen credentials, but IPs
> are handed out based on location or where you dialed in from. Dialing
> in can be traced using caller ID, wireless by IP and base station
> proximity, so just like today, people would have a alibi for the time
> and place the criminal used their identity.

And if Joe Fool was at home while Jack Badguy drove within range of his
WaveLAN (which was wide open because Joe Fool didn't know how to
properly secure it) and used it to commit some nasty crime? Bang, Joe
Fool is presumed guilty and ends up in prison? Well, that approach
_would_ cut down on unsecured WaveLANs, if only by jailing most of the
fools.

> What we need is something that you have to log into (securely) or your
> DHCP is revoked immediately.  And of course static IPs are well, static
> and since they are routed, routes can be logged and therefore trackable.

Well, this kind of control over the populace might work in The Land of
The Free (aka USA), but good luck trying to enforce it in some less free
places - like Nigeria, for instance.

> So again it is anonymity that causes most of the grief.  If all code had
> to be signed, then you'd know who wrote it, and running unsigned code
> would be your own stupid fault.

And trying to run code which the vendor of your code signing checker
(for most this would be Microsoft, I'm afraid) does not approve for
whatever shady reasons won't work either. Of course, criminals will
still be able to turn out perfectly signed malware executables, there
are more than enough ways to do this.

> If you replace a part on some new cars with a non-manufacturers part, 
> you void the warranty.  But when you run unsigned downloaded for free
> or sent through email code on your dell, who do you call and expect to
> fix it when it stops working?  The end user is the moron, we require no
> test to get on the internet and yet we let more people anonymously sign
> on the net everyday.

Wrong. You have to really work to get an anonymous link to the net.
Basically: As long as you are paying for your internet connection, it is
virtually guaranteed that it is _not_ anonymous. Your provider can track
you down and thereby also the police. It is just a bit of work to
identify the user. And if the police calls up an Internet provider and
ask for the customer who used dialinpool711.provider.com 6 months ago,
well, those logs are almost _certainly_ gone already.

Your best bet at anonymous internet access is to still it without anybody
noticing (open WaveLANs are probably best, public terminals can be a bad 
choice (think cameras)).

Regards,
       Alex.
> -----Original Message-----
> From: Alexander Schreiber [mailto:als () thangorodrim de]
> Sent: Tuesday, May 11, 2004 10:34 PM
> To: Schmidt, Michael R.
> Cc: 'Frank Knobbe'; Valdis.Kletnieks () vt edu; Full-Disclosure
> Subject: Re: [Full-disclosure] Calcuating Loss
>
> On Tue, May 11, 2004 at 03:02:30PM -0700, Schmidt, Michael R. wrote:
> > I think that part of the evolution is to lock people who create these
> > things up for a *very* long time.  It will deter the script kittens
> > when they start to find that their computers are confiscated and their
> > parents homes are sold to pay for the "loss" incurred by there
> > stupidity.  The real black hats will be deterred when 20 FBI/CIA whoever
> > agents drag them from their homes at gunpoint with the handcuffs tight
> > around there wrists.
>
> Dead wrong. All this will accomplish is the any malware author will just
> be one hell of a lot more careful to avoid getting caught. It might even
> accelerate another trend: malware by script kiddies who goes down,
> malware by real criminals (who use/sell the infected machines as spam
> relays, DDoS zombies (nice extortion tool, already used), ...) will go
> up. Net result: you ruined the live of a few foolish kids and their
> entire family, but you still don't get the (much more dangerous)
> professional criminals. Achievement for network security: NIL.
>
> > The consequences need to be severe enough.  In order to accomplish that
> > our infrastructure has got to support the basic ability to find people
> > who cause problems.  Anonymity is not an option.
>
> Ever heard of identity theft? In the same way that the less stupid
> criminals don't use their own private cars but stolen ones for
> committing crimes, criminal malware authors will just use
> computers/accounts whose access credentials were stolen. You end up
> investigating a fool who got his access credentials stolen, but probably
> didn't do anything else. And you still have to find the real guy ...
>
> We really should take a lesson from the real world here: valuable
> property (like big bags full of money) are not usually left out on the
> kitchen table and only protected by strong penalties for anyone
> wandering in and grabbing a few - if you tried to rely on this, police and
> insurance would laugh you out of town. Instead, valueable physical
> property is protected by serious physical means of protection (like
> putting your bags full of cash into a big, heavy, unmovable safe) _and_
> legislation to punish the few serious criminals who still manage to
> steal some.
>
> The way to protect digital infrastructure from the destructive effects
> of malware is to harden the infrastructure itself. Don't use insecure
> operating systems and hope that the 'patch of the day' will keep the
> malware out - because it won't. Don't use sloppily coded, insecure
> software on hope nothing bad will happen because nobody will find out
> how to exploit the flaws - because somebody will find out and exploits
> will happen. Don't build insecure networks and hope nobody will abuse
> them because nobody knows what a mess it is - because somebody will
> abuse them.
>
> In short: Don't build a house of cards and then try to outlaw the wind,
> build a house of stone and enjoy the fresh air.
>
> Yes, there are things that are very hard or practically impossible to
> guard against (DoS comes to mind), but practically all malware problems
> are due to avoidable failures: insecure configurations (like executing
> untrusted code from unknown sources by default), coding errors that
> could be avoided by using proper tools (like buffer overflows) and so
> on. Close the existing easy attack paths and then we can deal with the
> remaining few attackers with the law and a lot of attention.
>
>
> Regards,
>       Alex.
> --
> "Opportunity is missed by most people because it is dressed in overalls and
>  looks like work."                                      -- Thomas A. Edison
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
"Opportunity is missed by most people because it is dressed in overalls and
 looks like work."                                      -- Thomas A. Edison

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html