nanog mailing list archives

Re: Tier1 blackholing policy?


From: Jared Mauch <jared () puck nether net>
Date: Wed, 1 May 2013 07:53:06 -0400


On May 1, 2013, at 7:44 AM, Rich Kulawiec <rsk () gsp org> wrote:

> On Tue, Apr 30, 2013 at 12:47:40PM -0400, Jared Mauch wrote:
>> If the phishing attack is against an enterprise that is also an ISP,
>> surely you can imagine a case where they might block traffic to prevent
>> folks from being phished.
>
> This is not an effective anti-phishing tactic, any more than "user education"
> is an effective anti-phishing tactic.  (Let me quote Marcus Ranum on
> the latter: "if it was going to work, it would have worked by now."
> And let me observe: it's never worked; it's not working; it's never
> going to work.)

We're talking about denying access to what is typically a compromised end-host
which is in violation of an AUP.  Speaking about my employer, we typically don't
see something null0'ed for more than a few hours until we have confirmed the
host is offline being repaired.

I don't know about other networks' practices, which is what started the thread.

>> I think it's great that someone is blocking folks from being infected with
>> either malware or giving up their private details improperly.

> One person's "malware" is merely an interesting collection of inert
> bits to someone else, just as "email virus" has no operational meaning
> to anyone clueful enough to run a sensible mail client on a sensible
> operating system.
>
> Thus one undesirable effect of such blocking is that it denies access to
> researchers who are at nearly zero risk of negative consequences *and*
> who might be the very people in a position to understand the threat
> (phishing, malware, etc.) and figure out how to mitigate it.  Another is
> that it presents a false sense of security to the ignorant, the lazy,
> and the careless.  While in the short term that may seem benevolent and
> useful, I think in the long term it has a deleterious effect on security
> as a whole.  And if we've arrived at a point in time where people are
> actually considering making routing decisions based on longstanding design
> and implementation defects in consumer operating systems and applications,
> then I think "long term" equates to "right now".

I think many people understand these risks and tradeoffs.  We could stop mitigating
DDoS attacks or responding to security complaints as well with this line of
reasoning as it could be interfering with law-enforcement actions, or a researcher.

Just because the house has been broken into, doesn't mean as the provider of the
roads that we're going to let everyone visit it until the owner has a chance to secure
it properly.  I don't like that role, but it becomes necessary at times.  What you are
suggesting is a slippery slope to no mitigation of any badness which will lead to
a lack of trust and confidence in the market.  That to me is a plain and simple reason
to do the right thing, even if it causes a problem for a few hours or a day or two.

- Jared
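
The operational point in this message is that a null-route on a compromised end-host is temporary ("a few hours"), scoped to the one host, and tied to an abuse case. Below is an added example of how an abuse desk could keep that discipline in code; it is not Jared's, NTT's, or any other poster's code. It assumes Cisco IOS-style static null routes (`ip route ... Null0`, `ipv6 route ... Null0`) as the rendering target, a four-hour default maximum lifetime, and constructed addresses from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32) with placeholder ticket ids.

```python
"""Time-bounded null-route registry (added example; constructed data).

Every entry must be a single host route, must carry an abuse-ticket
reference, and must expire, so a blackhole cannot quietly outlive the
incident it was created for.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass
class BlackholeEntry:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    reason: str        # free-text justification for the audit trail
    ticket: str        # abuse-desk ticket id (placeholder values below)
    added: datetime
    expires: datetime


class BlackholeRegistry:
    """Holds null-route entries, each with a mandatory expiry and ticket."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=4)):
        # Assumed policy: nothing stays blackholed longer than max_ttl
        # without being re-added (and therefore re-reviewed).
        self.max_ttl = max_ttl
        self._entries: dict[str, BlackholeEntry] = {}

    def add(self, prefix: str, reason: str, ticket: str,
            ttl: timedelta | None = None,
            now: datetime | None = None) -> BlackholeEntry:
        now = now or datetime.now(timezone.utc)
        net = ipaddress.ip_network(prefix, strict=True)
        # Only host routes: the target is one compromised end-host,
        # never a whole customer block.
        if net.prefixlen != net.max_prefixlen:
            raise ValueError(f"refusing non-host prefix {net}")
        if not ticket:
            raise ValueError("a ticket reference is required")
        # Cap the requested lifetime at the policy maximum.
        ttl = min(ttl or self.max_ttl, self.max_ttl)
        entry = BlackholeEntry(net, reason, ticket, now, now + ttl)
        self._entries[str(net)] = entry
        return entry

    def expire(self, now: datetime | None = None) -> list[BlackholeEntry]:
        """Drop and return every entry whose lifetime has run out."""
        now = now or datetime.now(timezone.utc)
        gone = [e for e in self._entries.values() if e.expires <= now]
        for e in gone:
            del self._entries[str(e.network)]
        return gone

    def active(self) -> list[BlackholeEntry]:
        return list(self._entries.values())

    def render_static_routes(self) -> list[str]:
        """Emit IOS-style static null routes (assumed target syntax)."""
        lines = []
        for e in sorted(self._entries.values(), key=lambda e: str(e.network)):
            if e.network.version == 4:
                lines.append(
                    f"ip route {e.network.network_address} 255.255.255.255 Null0")
            else:
                lines.append(f"ipv6 route {e.network} Null0")
        return lines


def demo() -> dict:
    """Walk a fixed timeline with constructed hosts and return what happened."""
    t0 = datetime(2013, 5, 1, 12, 0, tzinfo=timezone.utc)
    reg = BlackholeRegistry(max_ttl=timedelta(hours=4))
    reg.add("192.0.2.10/32", "confirmed phishing landing page", "ABUSE-0001", now=t0)
    reg.add("2001:db8::1/128", "customer host confirmed compromised",
            "ABUSE-0002", ttl=timedelta(hours=1), now=t0)
    capped = reg.add("203.0.113.7/32", "spam relay on customer host",
                     "ABUSE-0004", ttl=timedelta(days=1), now=t0)
    try:  # a /24 is a customer block, not a host: must be refused
        reg.add("198.51.100.0/24", "too broad", "ABUSE-0003", now=t0)
        rejected = False
    except ValueError:
        rejected = True
    routes_t0 = reg.render_static_routes()
    expired_2h = [str(e.network) for e in reg.expire(now=t0 + timedelta(hours=2))]
    expired_5h = [str(e.network) for e in reg.expire(now=t0 + timedelta(hours=5))]
    return {
        "rejected_block": rejected,
        "capped_to_max_ttl": capped.expires - capped.added == timedelta(hours=4),
        "routes_t0": routes_t0,
        "expired_after_2h": expired_2h,
        "expired_after_5h": expired_5h,
        "remaining": len(reg.active()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The registry deliberately refuses anything wider than a /32 or /128 and refuses entries without a ticket, because the two ways a temporary blackhole becomes the long-term harm described above are scope creep (a whole block instead of one host) and forgetting it exists. Running `expire()` from a scheduled job is what turns "a few hours" from a habit into a guarantee.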
