ISOC Perspectives on Domain Name System (DNS) Filtering

The Internet Society (ISOC) posted its views on DNS filtering. They are summed up excellently by the ISOC itself in a single phrase:

The real solution is international cooperation.

The reality, though, is that DNS filtering is here to stay, and it is here to stay because its initial deployment is far easier than attacking the problem at its source through international cooperation.

So until DNS filtering (and, mainly, supporting the users affected by it) starts costing service providers so much that international cooperation, bureaucracy included, becomes the cheaper option, it is a fact of everyday life that we have to get used to. Just imagine debugging why a single site is unreachable while, at the same time, every antivirus vendor runs its own private resolver that may only be queried by machines running its products (a “value added service”).

Sad but true.

Bob Metcalfe’s advice on public speaking

Amazing advice from Bob Metcalfe on public speaking. I shamelessly copy it here:

  • Speak on what you know.
  • Prepare by collecting and organizing your thoughts in writing, say on 3X5 cards for small groups, 5X7 index cards for larger audiences (that’s humor), or Powerpoint.
  • Start preparation by asking who your audience is and why they will be listening to you.
  • Show respect by over-dressing your audience. Smile and say thank you.
  • Summarize what you are going to say, say it, then summarize what you said.
  • Speak slowly and clearly, pausing now and then at carefully chosen places, to let people process what you’ve said.
  • If at all possible, take questions from the start and continuously through your talk.
  • After promising at the start to end on time, end on time. End on time. Early is better.
  • Keep in mind that generally your audience wants you to succeed — they are rooting for you.
  • Bless their hearts, but audiences generally do not realize that you can see them, so for impact make some eye contact and smile.
  • Be funny, especially if the topic isn’t.
  • Look at your audience when speaking to them — pick out friendly faces in the audience here and there, move your eyes from one to the other.
  • If people start to tune out, notice, stop talking and ask if they are still interested or have questions, you do not want to waste their time.
  • When you make lists, three items is best. Start a list with your second strongest item, end with your strongest.
  • When someone seems to want to ask a question, stop talking immediately, invite them, and reward them by listening carefully to their question, asking for clarification if needed.
  • If someone asks a question you cannot answer, say the words “I don’t know” and make a big show of writing it down and promising to get back on that.
  • If an audience member misbehaves, walk toward them and that usually quiets them down.
  • Be sure to have fun speaking; audiences can smell fear.
  • Get good at it by practicing — get gigs regularly.
  • If someone makes a video of your talk, watch it twice and take notes on how to improve.
  • Speaking is the most fun you can have standing up.

[via]

Ela re George, eimai kala

I remember I was at the Ministry of Transport, upgrading two FreeBSD machines. A guard came running in and told the director:

– A plane crashed into a skyscraper in New York!
– Strange, he said.

A little later the guard came back, about the second tower.

– Well, that looks like a terrorist act.

I remembered CNN's advertisement, years earlier, for an interview with Bin Laden: America's public enemy number one.

– I think I'll head home.
– Go.

On the bus there were two kinds of people: those who knew what had happened and the others. You could tell them apart immediately. On the radio I heard about the remaining planes, with confused reports putting their number at ten. And somewhere around then came the realization that one of my best friends might have been there. The mail arrived the next day:

– Ela re George, eimai kala (“Hey George, I'm fine”)

Strategic Cyber Security

“Strategic Cyber Security” (which is available for download) is a book that states from the very beginning that computer security has evolved from a technical discipline into a strategic concept. To this end the author examines four strategic choices: IPv6, Sun Tzu's “Art of War”, cyber attack deterrence and cyber arms control. The book is written for people who read executive summaries. As such it can be seen as a long (very long) executive summary that often repeats itself. I cannot count the times Eligible Receiver is mentioned in the book, but it is now imprinted on my brain.

There is no technical coverage of IPv6 in the book. As such, the discussion of IPv6 is limited to the vast address space it offers, which would make it possible to eliminate NAT and thus attribute unauthorized connections more reliably. It also places great faith in IPsec deployment as a means of stopping cyber attacks. Concerns about privacy invasion with the deployment of IPv6 are also mentioned, but not in any specific way; in fact most such concerns can easily be debunked by now. As a purely technical solution, I feel that IPv6 does not mix well with the three other choices examined in the book, given the fact (which the author also notes) that IPv4 will be with us for a long (very long) time.

I had thought of drawing parallels between the “Art of War” and cyber security a number of times, the last being when von Clausewitz was mentioned on Daily Dave. Ten specific points are discussed, and they do not fit the cyber domain.

Thanks to the book I got to learn a few things about deterrence theory. Deterrence rests on two axes: denial and punishment. Denial means that those who control the strategic technology will deny you access to it, while punishment means that should you develop said strategic advantage, the other strategic players will enforce countermeasures against you.

The final choice discussed in the book is whether a cyber arms treaty can have positive results (it so happens that there is a WikiLeaks document relevant to the matter; if others exist, a more systematic treatment of them should take place). To examine the possible success or failure of such an agreement, the highly successful Chemical Weapons Convention is used as the point of comparison. From that comparison there seems to be little room for success in limiting the development and use of “cyber arms”.

I found chapter 10 of the book the most interesting. It uses the Decision Making Trial and Evaluation Laboratory (DEMATEL) method to compare and rank the four strategic choices. Unfortunately it is not very easy to locate online material about the original DEMATEL method; there is, however, lots of literature (much of it from China) on DEMATEL variations used in health, agriculture and other areas.
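Since the method itself is hard to find described online, here is the DEMATEL calculation written out in Python. This is an added illustration, not code from the book: the four factors are the book's strategic choices, but the direct-influence scores in DIRECT are constructed for the example and are not the author's numbers. The procedure is the standard one: normalize the direct-relation matrix, compute the total-relation matrix T = N (I - N)^-1 (direct plus all indirect influence), and read off each factor's prominence (row sum plus column sum of T) and relation (row sum minus column sum).

```python
"""DEMATEL worked example (added illustration, not code from the book).

DEMATEL turns a matrix of pairwise direct influences between factors into a
total-relation matrix that also accounts for indirect influence, then ranks
the factors by how central (prominence) and how causal (relation) they are.
"""
from typing import List

Matrix = List[List[float]]

# The book's four strategic choices. The influence scores below are
# CONSTRUCTED for this example (0 = no influence ... 4 = very high) and are
# not the book's or the author's numbers. Entry [i][j] reads
# "row factor i influences column factor j"; the diagonal is 0 by convention.
CHOICES = ["IPv6", "Art of War", "Cyber Deterrence", "Cyber Arms Control"]
DIRECT: Matrix = [
    [0, 1, 3, 2],
    [1, 0, 3, 1],
    [1, 2, 0, 3],
    [2, 1, 3, 0],
]


def identity(n: int) -> Matrix:
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]


def mat_sub(a: Matrix, b: Matrix) -> Matrix:
    return [[x - y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def mat_mul(a: Matrix, b: Matrix) -> Matrix:
    n, m, p = len(a), len(b), len(b[0])
    return [[sum(a[i][k] * b[k][j] for k in range(m)) for j in range(p)] for i in range(n)]


def invert(a: Matrix) -> Matrix:
    """Gauss-Jordan inversion with partial pivoting (pure Python, no numpy)."""
    n = len(a)
    aug = [[float(x) for x in row] + identity(n)[i] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("matrix is singular; DEMATEL needs I - N to be invertible")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0.0:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def normalize(direct: Matrix) -> Matrix:
    """Divide by the largest row or column sum so that N + N^2 + N^3 + ... converges."""
    n = len(direct)
    s = max(max(sum(r) for r in direct),
            max(sum(direct[i][j] for i in range(n)) for j in range(n)))
    return [[x / s for x in r] for r in direct]


def total_relation(direct: Matrix) -> Matrix:
    """T = N (I - N)^-1, the closed form of N + N^2 + N^3 + ... (direct plus
    every chain of indirect influence)."""
    n = normalize(direct)
    return mat_mul(n, invert(mat_sub(identity(len(n)), n)))


def dematel(direct: Matrix, names: List[str]) -> List[dict]:
    t = total_relation(direct)
    n = len(t)
    given = [sum(t[i]) for i in range(n)]                          # row sums: influence dispatched
    received = [sum(t[i][j] for i in range(n)) for j in range(n)]  # column sums: influence received
    return [
        {"name": names[k],
         "prominence": given[k] + received[k],   # how central the factor is overall
         "relation": given[k] - received[k]}     # > 0: cause group, < 0: effect group
        for k in range(n)
    ]


def rank_by_prominence(results: List[dict]) -> List[str]:
    return [r["name"] for r in sorted(results, key=lambda r: r["prominence"], reverse=True)]


if __name__ == "__main__":
    results = dematel(DIRECT, CHOICES)
    for r in results:
        print(f"{r['name']:<20} prominence={r['prominence']:.3f} relation={r['relation']:+.3f}")
    print("ranking by prominence:", rank_by_prominence(results))
```

The relation values always sum to zero (row sums and column sums of T total the same number), so the sign of each one tells you whether a factor mostly drives the others or is mostly driven by them; the prominence ranking is what chapter 10 uses to order the four choices. Change the scores in DIRECT to your own judgement and the ranking follows.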

To me, learning about DEMATEL was the one thing I got from the book. The rest of it, while interesting, was not equally appealing.

Breaches and the five stages of grief

I recently observed, while discussing a harmless incident involving someone I know, that the way breaches are dealt with may be viewed through the five-stages-of-grief model.

I was planning on writing more of my thoughts on this, but it seems that Jeremiah Grossman beat me to it back in 2007. My version would be slightly different:

The five stages of grief for incident handling:

  • Denial: “We never got hacked.”
  • Anger: “How the heck did this get so bad?!?!?”
  • Bargaining: “Is it possible that it is not a hack?”
  • Depression: “We do not have time to rebuild; keep it running as it is.”
  • Acceptance: “We got hacked.”, spoken in public.

in-house

I copy from “Cyberwar: a Whole New Quagmire” written by Markus J. Ranum (emphasis mine):

“The best defense against something like Stuxnet could not possibly be a strong offense – how can you pre-empt something unknown that was released without attribution? Stuxnet was exactly adequate for its job. How do you prevent such a thing from working on you? You do exactly the opposite of what we’re doing everyplace: you in-house security, in-house IT, and begin to build your infrastructure so that there are unpredictable and unknown barriers within it, including critical sections that are air-gapped and closely monitored. Yes, that is expensive and inconvenient. The question is whether the alternative is even more expensive and inconvenient.”

And that is why outsourced government clouds will not work; we only have to wait until the first major event to see it. The lean behaviour is to build up your own people so that you control your own infrastructure. Short-term cost cutting is for bonus hunters who will be long gone (disclaiming any responsibility) when disaster strikes.

Won’t “free market” advocates love this, I wonder.