Re: Scanning the Internet for Vulnerabilities Re: 202207240927.AYC

[John Curran <jcurran () istaff org>]

> On 24 Jul 2022, at 10:20 AM, Abraham Y. Chen <aychen () avinta com> wrote:
>
> Hi, John:
>
> 1) "...  dynamically assigned IP address space can still be tracked back to a given system ... ": I fully agree with 
> this statement. However,
>    A. You overlooked the critical consideration of the response time. If this can not be done in real time for law 
> enforcement purposes, it is meaningless.

Abe - 

That’s correct - but that does not require having static addresses to accomplish (as you postulated earlier), 
rather it just requires having appropriately functioning logging apparatus. 

>    B. Also, the goal is to spot the specific perpetrator, not the "system" which is too general to be meaningful. In 
> fact, this would penalize the innocent users who happen to be on the same implied "system".

Yes, it is quite obvious that a degree of care is necessary.

>    C. In addition, for your “whack-a-mole” metaphor, the party in charge is the mole, not the party with the mallet. 
> It is a losing game for the mallet right from the beginning.

As with all enforcement, it is a question on changing to breakeven point calculation on incentives & risks
for the would be perpetrators, and presently there’s almost nearly no risk involved. 

>    So, the current Internet practices put us way behind the starting line even before the game. Overall, this 
> environment is favored by multi-national businesses with perpetrators riding along in the background. When security 
> is breached, there are more than enough excuses to point the finger to. No wonder the outcome has always been 
> disappointing for the general public.

Indeed.

> 2) What we need to do is to reverse the roles in every one of the above situations, if we hope for any meaningful 
> result, at all. The starting point is to review the root differences between the Internet and the traditional 
> communication systems. With near half a century of the Internet experience, we should be ready to study each issue 
> from its source, not by perpetuating its misleading manifestations.

That’s one possible approach, although before becoming too enamored with it, it is probably worth remembering] 
that the “traditional communication systems” have also suffered from similar exploits occasion (they’ve been fewer
in number, but then again, the number of connected devices was also several orders of magnitude smaller.)

Thanks,
/John

Disclaimer:  my views alone – use caution - contents may be hot!

> ...
>
> On 2022-07-24 07:27, John Curran wrote:
> > Abe -
> >
> > Static versus dynamic address assignment isn’t the problem - dynamically assigned IP address space can
> > still be tracked back to a given system (reference: RFC6302/BCP162 & RFC6269 for discussion of the
> > requirements and various related issues.)
> >
> > Tracking back to a particular server doesn’t really matter if all that happens is that the service is terminated
> > (as the culprit will simply appear elsewhere in the Internet with a new connection/server and start over.)
> >
> > Alas, the situation doesn’t change unless/until there’s a willingness to engage law enforcement and pursue
> > the attackers to prevent recurrence.  This is non-trivial, both because of the skills necessary, the volume of
> > attacks, the various jurisdictions involved, etc. – but the greatest obstacle is simply the attitude of “Why bother,
> > that’s just the way it is…”
> >
> > With zero effective back pressure, we shouldn’t be surprised as frequency of attempts grows without bound.
> >
> > Thanks,
> > /John
> >
> > Disclaimers: my views alone – no one else would claim them.  Feel free to use/reuse/discard as you see fit.