From ge at linuxbox.org Wed Nov 18 17:02:04 2009 From: ge at linuxbox.org (Gadi Evron) Date: Wed, 18 Nov 2009 19:02:04 +0200 Subject: [CII] Announcement: Critical Internet Infrastructure WG is now open to public participation Message-ID: <4B04288C.1090907@linuxbox.org> Folks, feel free to share this announcement with people you believe can contribute here. ISOTF Critical Internet Infrastructure WG is now open to public participation. The group holds top experts on internet technology, critical infrastructure, and internet governance, from around the globe. Together, we discuss definitions, problems, challenges and solutions in securing and assuring the reliability of the global internet infrastructure, which is critical infrastructure for a growing number of nations, corporations and indeed, individuals -- world wide. The group started as a closed and private forum, to discuss technical and operational risks, as other venues limited discussion of critical internet resources to politically charged subjects such ascontrol of ICANN and ARIN, thus overshadowing other important aspects. As of November 18th 2009, the list is open for public access, to advance public awareness of the issues, and bring new talent on board. The group is hosted by the ISOTF, but is governed by members. Note: SCADA, network operations, and other related issues should be discussed in the appropriate forums, elsewhere. This group deals with the internet. To subscribe: http://isotf.org/mailman/listinfo/cii Gadi Evron for ISOTF-CII-WG. From ge at linuxbox.org Wed Nov 18 17:13:41 2009 From: ge at linuxbox.org (Gadi Evron) Date: Wed, 18 Nov 2009 19:13:41 +0200 Subject: [CII] list archives have been deleted Message-ID: <4B042B45.8050004@linuxbox.org> The list archives from the time of this list being private have been deleted, and are no longer accessible from the Internet. They are backed-up. Gadi. -- Gadi Evron, ge at linuxbox.org. Blog: http://gevron.livejournal.com/ From marcus.sachs at verizon.com Thu Nov 19 02:17:34 2009 From: marcus.sachs at verizon.com (Sachs, Marcus Hans (Marc)) Date: Wed, 18 Nov 2009 21:17:34 -0500 Subject: [CII] Hello open list Message-ID: <81D582C724CA1046A279A7EE1299638B026A0488@FHDP1LUMXCV24.us.one.verizon.com> So now we are an open list. Hello World. Marc -- Marcus H. Sachs, P.E. Executive Director, National Security and Cyber Policy Office of Federal Government Relations Verizon, 1300 I (eye) St. NW Suite 400 W Washington, D.C. 20005 USA tel +1 202 515 2463 fax +1 202 336 7921 From ge at linuxbox.org Wed Nov 25 21:35:24 2009 From: ge at linuxbox.org (Gadi Evron) Date: Wed, 25 Nov 2009 23:35:24 +0200 Subject: [CII] welcome to the public CII Message-ID: <4B0DA31C.1090501@linuxbox.org> Hello all, This list is now officially open for discussion. The list is not moderated, although any new subscriber is auto-moderated until we are sure they are not a spam bot. I'd like to start with a clean slate, and at least for a little while, with no set agenda. Many of us discussed what critical infrastructure on the internet is, how to define it, and how to protect it, many times before. We all have varying ideas, so let's try and be patient until we find our feet and what our specific goals are. Before we put forth any sort of charter or specific issues, I'd like to hear from you what you think is lacking in current discussion on the subject matter, and what you would like to see happen in the next few years. People on the list are all very busy individuals, so while we encourage discussion, please try and conduct yourselves properly. CII is co-admin'd by Barry Greene and myself, while some more spots may open up as necessary, as we settle into a routine in the coming months. Gadi. -- Gadi Evron, ge at linuxbox.org. Blog: http://gevron.livejournal.com/ From Michael.Hamilton at seattle.gov Wed Nov 25 21:50:40 2009 From: Michael.Hamilton at seattle.gov (Hamilton, Michael) Date: Wed, 25 Nov 2009 13:50:40 -0800 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: Hello all as well. I am not a spam bot. For what are probably obvious reasons, I'd like to discuss a couple things related to local government that are missing from the discussion: - The amount of CI that is under the purview of local government, and the general inadequacy of applied controls; - Methods for incentivizing local government to apply those controls, conduct adequate monitoring, etc; and - Cross-organizational information sharing on a local scale, preferably in near-realtime and automated In the next few years I'd like to see the federal government come up with some incentives and disincentives to herd the locals into addressing this issue. For example, the average fraction of IT budget that is spent on security is something like 3-5%. OK, if the federal government supplies grant funding for a technology project, 4% must be spent on security controls. How easy was that? Lastly, I'd like to see the non-word "cyber" purged from our lexicon. Thank you. - mkh --- Michael K. Hamilton Chief Information Security Officer, City of Seattle michael.hamilton at seattle.gov 206.684.7971 (D) / 206.255.6243 (M) -----Original Message----- From: cii-bounces at isotf.org [mailto:cii-bounces at isotf.org] On Behalf Of Gadi Evron Sent: Wednesday, November 25, 2009 1:35 PM To: cii at isotf.org; Hamilton, Michael Subject: [CII] welcome to the public CII Hello all, This list is now officially open for discussion. The list is not moderated, although any new subscriber is auto-moderated until we are sure they are not a spam bot. I'd like to start with a clean slate, and at least for a little while, with no set agenda. Many of us discussed what critical infrastructure on the internet is, how to define it, and how to protect it, many times before. We all have varying ideas, so let's try and be patient until we find our feet and what our specific goals are. Before we put forth any sort of charter or specific issues, I'd like to hear from you what you think is lacking in current discussion on the subject matter, and what you would like to see happen in the next few years. People on the list are all very busy individuals, so while we encourage discussion, please try and conduct yourselves properly. CII is co-admin'd by Barry Greene and myself, while some more spots may open up as necessary, as we settle into a routine in the coming months. Gadi. -- Gadi Evron, ge at linuxbox.org. Blog: http://gevron.livejournal.com/ _______________________________________________ CII mailing list CII at isotf.org http://isotf.org/mailman/listinfo/cii From charles at thewybles.com Wed Nov 25 22:28:32 2009 From: charles at thewybles.com (Charles N Wyble) Date: Wed, 25 Nov 2009 14:28:32 -0800 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <4B0DAF90.3080006@thewybles.com> Glad to see the list is open. :) I'll be participating from an operations perspective (I'm a systems and network engineer). Gadi Evron wrote: > Hello all, > > This list is now officially open for discussion. The list is not > moderated, although any new subscriber is auto-moderated until we are > sure they are not a spam bot. > > I'd like to start with a clean slate, and at least for a little while, > with no set agenda. Many of us discussed what critical infrastructure > on the internet is, how to define it, and how to protect it, many > times before. We all have varying ideas, so let's try and be patient > until we find our feet and what our specific goals are. > > Before we put forth any sort of charter or specific issues, I'd like > to hear from you what you think is lacking in current discussion on > the subject matter, and what you would like to see happen in the next > few years. > > People on the list are all very busy individuals, so while we > encourage discussion, please try and conduct yourselves properly. > > CII is co-admin'd by Barry Greene and myself, while some more spots > may open up as necessary, as we settle into a routine in the coming > months. > > Gadi. > > From m.mlotek at gmail.com Wed Nov 25 23:06:49 2009 From: m.mlotek at gmail.com (Michal) Date: Thu, 26 Nov 2009 00:06:49 +0100 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <24bc783c0911251506x3e71f051wab53d32f752e24f8@mail.gmail.com> Hello to all on the list. As for the beginning I would go the path that Gadi indicated: "What ic CI". >From my personal experience I know, that critical infrastructure is differently defined not only in every country (for the national critical infrastructure) but sometimes even in every branch of the same corp. In my opinion we have to quickly develop a common dictionary just to be sure we that the meaning is the same for all. I hope that I'll be of any help. Michal Mlotek -- **"I'm from the government and I'm here to help." -------------- next part -------------- An HTML attachment was scrubbed... URL: From jarenangerbauer at gmail.com Wed Nov 25 22:19:45 2009 From: jarenangerbauer at gmail.com (Jaren Angerbauer) Date: Wed, 25 Nov 2009 15:19:45 -0700 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <4c6b8c910911251419y622f8b10xa0f5ba5288afb562@mail.gmail.com> Hi All, I'm probably one of a few (if not the only?) individual from the email "sender" side of the industry on this list. I'm excited to expand my understanding and learn more in this area, and look forward to some productive discussion. While I probably won't have the depth of knowledge and experience on the topics discussed here, my hope is that I'll be able to provide some visibility and/or perspective from a [legitimate] email sender's point of view that might otherwise be missed. Please feel free to reach out to me on/offlist if I can help out in any way. Thanks, Jaren Jaren Angerbauer Email Deliverability Consultant DeliveryVision O: 801-206-9035 M: 801-230-1687 From jmamodio at gmail.com Wed Nov 25 23:28:25 2009 From: jmamodio at gmail.com (Jorge Amodio) Date: Wed, 25 Nov 2009 17:28:25 -0600 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <202705b0911251528y59865d52m94a54dc1478a7a2d@mail.gmail.com> Hi there, I'm not a bot, even when my wife insists I'm some kind of nerdus-apparatus. Cheers Jorge From dedelman at iname.com Thu Nov 26 01:12:02 2009 From: dedelman at iname.com (Dave Edelman) Date: Wed, 25 Nov 2009 20:12:02 -0500 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <00af01ca6e35$75defaf0$619cf0d0$@com> For sure I'm not a spam bot because someone at least has control over those :) I have strong background in network operations and incident response. To me the question that rarely is asked and never is accurately answered is: "Just how much do you rely on the availability and integrity of the Internet?" --Dave -----Original Message----- From: cii-bounces at isotf.org [mailto:cii-bounces at isotf.org] On Behalf Of Gadi Evron Sent: Wednesday, November 25, 2009 4:35 PM To: cii at isotf.org Subject: [CII] welcome to the public CII Hello all, This list is now officially open for discussion. The list is not moderated, although any new subscriber is auto-moderated until we are sure they are not a spam bot. I'd like to start with a clean slate, and at least for a little while, with no set agenda. Many of us discussed what critical infrastructure on the internet is, how to define it, and how to protect it, many times before. We all have varying ideas, so let's try and be patient until we find our feet and what our specific goals are. Before we put forth any sort of charter or specific issues, I'd like to hear from you what you think is lacking in current discussion on the subject matter, and what you would like to see happen in the next few years. People on the list are all very busy individuals, so while we encourage discussion, please try and conduct yourselves properly. CII is co-admin'd by Barry Greene and myself, while some more spots may open up as necessary, as we settle into a routine in the coming months. Gadi. -- Gadi Evron, ge at linuxbox.org. Blog: http://gevron.livejournal.com/ _______________________________________________ CII mailing list CII at isotf.org http://isotf.org/mailman/listinfo/cii From hillar.aarelaid at cert.ee Thu Nov 26 07:23:46 2009 From: hillar.aarelaid at cert.ee (Hillar Aarelaid) Date: Thu, 26 Nov 2009 09:23:46 +0200 Subject: [CII] welcome to the public CII In-Reply-To: <24bc783c0911251506x3e71f051wab53d32f752e24f8@mail.gmail.com> References: <4B0DA31C.1090501@linuxbox.org> <24bc783c0911251506x3e71f051wab53d32f752e24f8@mail.gmail.com> Message-ID: On Nov 26, 2009, at 1:06 AM, Michal wrote: > critical infrastructure is differently defined we have no CI, we have '''_vital_services_''' if garbage is not taken care off, but let in the street, then rats will ++++ and deceases will ++++ and people will ---- => garbage collection == vital service here is EE official version: ? 34. Vital services, continuous operation thereof and organiser of continuous operation (1) The continuous operation of vital services is the capability of consistent functioning of vital services and the ability to restore the consistent functioning of vital services after a disruption. (2) The Ministry of Economic Affairs and Communication shall organise the continuous operation of the following vital services: 1) functioning of electricity supply; 2) functioning of gas supply; 3) functioning of liquid fuel supply; 4) functioning of airports; 5) functioning of air navigation services; 6) functioning of the management of public railway; 7) functioning of railway transport services, incl. public passenger transport; 8) functioning of ice-breaking operations; 9) functioning of ports; 10) functioning of the system for organising shipping traffic; 11) functioning of the maintenance of main and basic roads in the country; 12) functioning of the telephone network; 13) functioning of the mobile telephone network; 14) functioning of the data communication network; 15) functioning of marine radio communication; 16) functioning of the cablecasting network; 17) functioning of the broadcasting network; 18) functioning of the postal network. (3) The Ministry of the Interior shall organise the continuous operation of the following vital services: 1) functioning of the maintenance of public order; 2) functioning of rescue work; 3) functioning of the processing of emergency aid messages; 4) functioning of air and sea rescue; 5) functioning of marine pollution monitoring and control; 6) functioning of the operative radio communication network; 7) ensuring the functioning of the work of the Riigikogu, the Government of the Republic and the President of the Republic. (4) The Ministry of Social Affairs shall organise the continuous operation of the following vital services: 1) functioning of stationary special medical care; 2) functioning of emergency medical care; 3) functioning of drinking water safety control; 4) functioning of blood donor service. (5) The Ministry of the Environment shall organise the continuous operation of the following vital services: 1) functioning of air monitoring and early warning; 2) functioning of hydrological and meteorological monitoring and early warning; 3) functioning of the risk of radiation early warning system. (6) The Ministry of Agriculture shall organise the continuous operation of the functioning of the control of food safety as a vital service. (7) The Ministry of Finance shall organise the continuous operation of the functioning of payments and settlements, including the collection of state taxes, as a vital service. (8) The Bank of Estonia shall organise the continuous operation of the following vital services: 1) functioning of payments and settlements, including securities payments; 2) availability of cash. (9) Local government units shall organise the continuous operation of the following vital services in their administrative territory: 1) functioning of the district heating system and network; 2) functioning of the maintenance of rural municipality roads and city streets; 3) functioning of water supply and sewerage, including waste water treatment plants; 4) functioning of waste management; 5) functioning of public transport in the rural municipality or city. Hillar /source http://www.riigiteataja.ee/ert/act.jsp?id=13201475 /translation http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.riigiteataja.ee%2Fert%2Fact.jsp%3Fid%3D13201475&sl=et&tl=en /sorry no official translation in web yet From andrea at digitalpolicy.it Thu Nov 26 08:58:20 2009 From: andrea at digitalpolicy.it (Andrea Glorioso) Date: Thu, 26 Nov 2009 09:58:20 +0100 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> (Gadi Evron's message of "Wed, 25 Nov 2009 23:35:24 +0200") References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <87638xacib.fsf@digitalpolicy.it> Hello Gadi, hello all, >>>>> "gadi" == Gadi Evron writes: > Hello all, This list is now officially open for discussion. The > list is not moderated, although any new subscriber is > auto-moderated until we are sure they are not a spam bot. > I'd like to start with a clean slate, and at least for a little > while, with no set agenda. Many of us discussed what critical > infrastructure on the internet is, how to define it, and how to > protect it, many times before. We all have varying ideas, so > let's try and be patient until we find our feet and what our > specific goals are. > Before we put forth any sort of charter or specific issues, I'd > like to hear from you what you think is lacking in current > discussion on the subject matter, and what you would like to see > happen in the next few years. > People on the list are all very busy individuals, so while we > encourage discussion, please try and conduct yourselves > properly. > CII is co-admin'd by Barry Greene and myself, while some more > spots may open up as necessary, as we settle into a routine in > the coming months. I'm not a bot, but a male human being (Andrea is a male name in Italy, where I come from). I am currently working as a `policy officer' at the European Commission, in the Directorate-General for Information Society and Media, in the unit which deals with policies on Internet Governance and Network and Information Security, including the EU policy on Critical Information Infrastructure Protection. In March 2009 the Commission launched an action plan on CIIP, which includes a series of activities aimed at identifying principles and guidelines for the resilience and stability of the Internet. Furthermore, as people engaged in Internet Governance issues will know, the topic of "Critical Internet Resources" is rather central in the policy space of today. I hope I will be able to provide some insights on the Commission's approach to these matters but, especially, that I will be able to learn from the participants. In terms of "what is missing", I think policy-makers have still a long way to go before they understand what the Internet actually is and how it is operationally managed. One consequence of this is that in some cases they still try to apply crisis management approaches that will not work. On the other hand, the private sector must stop pretending (at least with us) that we are still in the '80s and that the Internet infrastructures they operate are not vital for society. Please note that, notwithstanding my affiliation, everything I will write here is my personal opinion, unless otherwise noted. Best, -- Andrea Glorioso || http://people.digitalpolicy.it/sama/cv/ M: +32-488-409-055 F: +39-051-930-31-133 * Le opinioni espresse in questa mail sono del tutto personali * * The opinions expressed here are absolutely personal * "Constitutions represent the deliberate judgment of the people as to the provisions and restraints which [...] will secure to each citizen the greatest liberty and utmost protection. They are rules proscribed by Philip sober to control Philip drunk." David J. Brewer (1893) An Independent Judiciary as the Salvation of the Nation -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available URL: From bmanning at vacation.karoshi.com Thu Nov 26 12:58:30 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Thu, 26 Nov 2009 12:58:30 +0000 Subject: [CII] welcome to the public CII In-Reply-To: <87638xacib.fsf@digitalpolicy.it> References: <4B0DA31C.1090501@linuxbox.org> <87638xacib.fsf@digitalpolicy.it> Message-ID: <20091126125830.GB1185@vacation.karoshi.com.> I occasionally get confused. Is there a common understanding of the term "Critical Internet Infrastructure"? Or are we all talking past each other? --bill From webdawg.security at gmail.com Thu Nov 26 04:51:31 2009 From: webdawg.security at gmail.com (Security Account (WebDawg)) Date: Wed, 25 Nov 2009 23:51:31 -0500 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: Nice. I was just watching something about this on CSPAN. Some people from the NSA, CIA, and another country were there. They where talking about international standards and the internet. "Rules" for the internet and communication between countries to stop wrong doers.... I cannot wait to participate... WebDawg -------------- next part -------------- An HTML attachment was scrubbed... URL: From tropology at gmail.com Thu Nov 26 13:11:12 2009 From: tropology at gmail.com (Michael Maranda) Date: Thu, 26 Nov 2009 07:11:12 -0600 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <3feff8d60911260511i6d2111d0o761ed07d5c39a6c7@mail.gmail.com> > > If I were a bot, I'd be a multiplicity of bots.... Writing from Chicago I can say that seeing CI on the header of the mail wont help me on any given day -- having interests in Community Informatics, Civic Intelligence, Cyber and Critical Infrastructure, among others... I have been active in Community Networking, and am one of the proponents of the language of digital excellence in Chicago (now heavily co-opted and diluted). One of the prior messages articulated an aversion to Cyber as non-word. Please say more? For now I'll take it as similar to my aversion to prefixing everything with e-; i; and "digital" regards, MM -------------- next part -------------- An HTML attachment was scrubbed... URL: From Mark.Brunner at CIBC.com Thu Nov 26 14:19:22 2009 From: Mark.Brunner at CIBC.com (Brunner, Mark) Date: Thu, 26 Nov 2009 09:19:22 -0500 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: Greetings like minded, non-spam-bots, I'm generally a lurker in most of my mailing lists, but it would be interesting to start a discussion regarding what is and what is not Critical Infrastructure, and who is charged with protecting which segment. Start herding the cats towards the fences before the charter is issued. Honestly, until recently, I did not consider much of the online banking environment to be "critical infrastructure" beyond its ability to generate revenue for the organization and provide convenience to the customer. My vision has been historically narrow due to my propellor-headed view of world. Having worked in my current position for a number of years, I see that there is a considerable amount of reliance upon networks that are beyond our ability to control, let alone to protect, and delays in trade communications in the millisecond range can cause losses of an almost unimaginable scale with cascading effects throughout multiple industries. I would also be very interested in learning more about the actual SCADA networks that are in place, how connectivity policies are enforced on them, what controls are in place to restrict connectivity between networks and the Internet or other networks, and how these policies and controls are audited against over the next few years. Of course so would the bad guys, so I expect a lot of off-line discussion? Thanks to the mods for their commitment, and setting this up. Cheers, Mark Brunner, CISSP Senior Security Incident Response Specialist CIBC Information Security Risk Management Tel: 416-980-6622 e-mail: mark.brunner at cibc.com -----Original Message----- From: cii-bounces at isotf.org [mailto:cii-bounces at isotf.org] On Behalf Of Gadi Evron Sent: Wednesday, November 25, 2009 4:35 PM To: cii at isotf.org Subject: [CII] welcome to the public CII Hello all, This list is now officially open for discussion. The list is not moderated, although any new subscriber is auto-moderated until we are sure they are not a spam bot. I'd like to start with a clean slate, and at least for a little while, with no set agenda. Many of us discussed what critical infrastructure on the internet is, how to define it, and how to protect it, many times before. We all have varying ideas, so let's try and be patient until we find our feet and what our specific goals are. Before we put forth any sort of charter or specific issues, I'd like to hear from you what you think is lacking in current discussion on the subject matter, and what you would like to see happen in the next few years. People on the list are all very busy individuals, so while we encourage discussion, please try and conduct yourselves properly. CII is co-admin'd by Barry Greene and myself, while some more spots may open up as necessary, as we settle into a routine in the coming months. Gadi. -- Gadi Evron, ge at linuxbox.org. Blog: http://gevron.livejournal.com/ _______________________________________________ CII mailing list CII at isotf.org http://isotf.org/mailman/listinfo/cii From hespinoza at interior.gov.cl Thu Nov 26 17:10:05 2009 From: hespinoza at interior.gov.cl (Hernan Espinoza) Date: Thu, 26 Nov 2009 14:10:05 -0300 Subject: [CII] welcome to the public CII In-Reply-To: <24bc783c0911251506x3e71f051wab53d32f752e24f8@mail.gmail.com> References: <4B0DA31C.1090501@linuxbox.org> <24bc783c0911251506x3e71f051wab53d32f752e24f8@mail.gmail.com> Message-ID: <4B0EB66D.2050907@interior.gov.cl> Hi, I think a good starting point could be the next link: http://www.dhs.gov/xlibrary/assets/CII_Act.pdf Hernan. Michal wrote: > Hello to all on the list. > > As for the beginning I would go the path that Gadi indicated: "What ic > CI". > > From my personal experience I know, that critical infrastructure is > differently defined not only in every country (for the national > critical infrastructure) but sometimes even in every branch of the > same corp. > > In my opinion we have to quickly develop a common dictionary just to > be sure we that the meaning is the same for all. > > I hope that I'll be of any help. > > Michal Mlotek > -- > //"I'm from the government and I'm here to help." > ------------------------------------------------------------------------ > > _______________________________________________ > CII mailing list > CII at isotf.org > http://isotf.org/mailman/listinfo/cii > -------------- next part -------------- An HTML attachment was scrubbed... URL: From josmon at rigozsaurus.com Thu Nov 26 17:21:02 2009 From: josmon at rigozsaurus.com (John Osmon) Date: Thu, 26 Nov 2009 10:21:02 -0700 Subject: [CII] welcome to the public CII In-Reply-To: <20091126125830.GB1185@vacation.karoshi.com.> References: <4B0DA31C.1090501@linuxbox.org> <87638xacib.fsf@digitalpolicy.it> <20091126125830.GB1185@vacation.karoshi.com.> Message-ID: <20091126172102.GB9694@jeeves.rigozsaurus.com> On Thu, Nov 26, 2009 at 12:58:30PM +0000, bmanning at vacation.karoshi.com wrote: > > I occasionally get confused. Is there a common understanding > of the term "Critical Internet Infrastructure"? We all get confused at times. :-) CI *ought* to be pretty obvious, huh? > Or are we all talking past each other? I think there will be lots of talking past each other at one level or another. The layering of modern communications services makes it inherent in the conversation. Consider a situation where: - Big Telco sells service to smaller provider. - Smaller provider sells service to local goverment. - Local government considers end service "critical." Assuming we can all agree that the end service is critical, what pieces or layers of underlying infrastructure get to have have that designation as well? All of the smaller provider? Or just the individual services sold by the Big Telco? If the end service is packet based and the smaller provider is multi-homed do we have to consider all Big Telco links used for backhaul critical? Some "critical infrastructure" is obvious -- others not so much. Talking past each other will occur. The value of this mailing list will be defined by the number of people served by their view. One man's network layrer is another man's application layer... From pschmehl_lists at tx.rr.com Thu Nov 26 18:16:45 2009 From: pschmehl_lists at tx.rr.com (Paul Schmehl) Date: Thu, 26 Nov 2009 12:16:45 -0600 Subject: [CII] welcome to the public CII In-Reply-To: <87638xacib.fsf@digitalpolicy.it> References: <4B0DA31C.1090501@linuxbox.org> <87638xacib.fsf@digitalpolicy.it> Message-ID: <177f01ca6ec4$9d57e8f0$d807bad0$@rr.com> The first thing governments must understand is that they cannot control the internet. Therefore they must learn how to develop policies that will result in resilience of CI (whatever that is defined to be) rather than attempting to stop "bad stuff" from happening. If you listen to politicians in the US, you quickly realize that they think of the internet as a contiguous "thing" that can be controlled somehow. The internet is more like air. You cannot hope to control air. You can merely try to keep it as clean as possible while acknowledging that one hurricane, tornado or volcanic eruption can undo years of hard work. -----Original Message----- From: cii-bounces at isotf.org [mailto:cii-bounces at isotf.org] On Behalf Of Andrea Glorioso Sent: Thursday, November 26, 2009 2:58 AM To: cii at isotf.org Subject: Re: [CII] welcome to the public CII In terms of "what is missing", I think policy-makers have still a long way to go before they understand what the Internet actually is and how it is operationally managed. One consequence of this is that in some cases they still try to apply crisis management approaches that will not work. On the other hand, the private sector must stop pretending (at least with us) that we are still in the '80s and that the Internet infrastructures they operate are not vital for society. From joe at oregon.uoregon.edu Thu Nov 26 15:30:51 2009 From: joe at oregon.uoregon.edu (Joe St Sauver) Date: Thu, 26 Nov 2009 08:30:51 -0700 (PDT) Subject: [CII] welcome to the public CII Message-ID: <09112609305166_1F92D@oregon.uoregon.edu> Mark mentioned: #I would also be very interested in learning more about the #actual SCADA networks that are in place, how connectivity #policies are enforced on them, what controls are in place #to restrict connectivity between networks and the Internet #or other networks, and how these policies and controls are #audited against over the next few years. If you're interested, feel free to see my December 2004 talk: "SCADA Security and Critical Infrastructure," http://www.uoregon.edu/~joe/scadaig/infraguard-scada.pdf (or .ppt) Unfortunately, what I said five years ago continues to be all too applicable even today. :-( If you have a particular ongoing interest in SCADA/process control security, you may also want to check out Bob Radvanovsky's SCADA Security mailing list (see http://scadasec.infracritical.com/ ) Depending on the failure/attack modes you're interested in, I've got some other talks you may also want to see: "Electromagnetic Pulse," http://www.uoregon.edu/~joe/infragard-2009/infragard-eugene-2009.pdf (or .ppt) and "Cyber War, Cyber Terrorism and Cyber Espionage," http://www.uoregon.edu/~joe/cyberwar/cyberwar.pdf (or .ppt) Despite the unquestionably serious nature of these topics, I hope that everyone's having a nice Thanksgiving (including those of you outside the United States). I think we *all* have much to be thankful for, for one thing, and I heartily encourage everyone to "adopt" any/all holidays that provide an excuse for getting together for food, drink and good times with families and friends, whether those holidays happen to be foreign or domestic. (I *will* say that you're "excused" from the traditional "obligation" to watch American football, however, unless you want to, much as I sometimes watch cricket or that "other football" :-) just for a change of pace. Go Ducks! (#8 in the BCS national rankings, 9 and 2 overall) :-) Regards, Joe St Sauver (joe at oregon.uoregon.edu) http:/www.uoregon.edu/~joe/ Disclaimer: all opinions strictly my own From manny.fuentes at yahoo.com Thu Nov 26 16:30:16 2009 From: manny.fuentes at yahoo.com (manny fuentes) Date: Thu, 26 Nov 2009 08:30:16 -0800 (PST) Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <220766.48562.qm@web58508.mail.re3.yahoo.com> Hello All, Looking forward to spamming, err participating in these discussions :-) Coming from the utilities sector, I have first hand knowledge regarding CI - scada, ems, bulk electric system, etc. Looking forward to it. Regards, Manuel Fuentes CISSP, GIAC, MBA ________________________________ From: Gadi Evron To: "cii at isotf.org" Sent: Wed, November 25, 2009 1:35:24 PM Subject: [CII] welcome to the public CII Hello all, This list is now officially open for discussion. The list is not moderated, although any new subscriber is auto-moderated until we are sure they are not a spam bot. I'd like to start with a clean slate, and at least for a little while, with no set agenda. Many of us discussed what critical infrastructure on the internet is, how to define it, and how to protect it, many times before. We all have varying ideas, so let's try and be patient until we find our feet and what our specific goals are. Before we put forth any sort of charter or specific issues, I'd like to hear from you what you think is lacking in current discussion on the subject matter, and what you would like to see happen in the next few years. People on the list are all very busy individuals, so while we encourage discussion, please try and conduct yourselves properly. CII is co-admin'd by Barry Greene and myself, while some more spots may open up as necessary, as we settle into a routine in the coming months. ??? Gadi. -- Gadi Evron, ge at linuxbox.org. Blog: http://gevron.livejournal.com/ _______________________________________________ CII mailing list CII at isotf.org http://isotf.org/mailman/listinfo/cii -------------- next part -------------- An HTML attachment was scrubbed... URL: From angela.cataldo at gmail.com Thu Nov 26 21:23:44 2009 From: angela.cataldo at gmail.com (Angela Cataldo) Date: Thu, 26 Nov 2009 22:23:44 +0100 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <4d9107cf0911261323x6e0bf35agd6987108edfd916b@mail.gmail.com> Hi Gadi, hi all, I'm not a bot, I'm from Italy, I work as System Administrator and Engineer and something else. I'm here as listener: hope to help, but first hope to understand the discussion context. Regards AC -- Ing. Angela Cataldo System Engineering, Integration, Administration, Design and Planning -------------- next part -------------- An HTML attachment was scrubbed... URL: From jjohnstone at diamondtech.ca Thu Nov 26 21:39:21 2009 From: jjohnstone at diamondtech.ca (Jeff Johnstone) Date: Thu, 26 Nov 2009 13:39:21 -0800 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <558b776c0911261339v216cca6fueb9da9513a56e56d@mail.gmail.com> Hello World Looking forward to mostly lurking here as I do on many other lists. Semi retired now and mostly acting as advisory to local governments and a few long term corporate clients. cheers Jeff Johnstone On Wed, Nov 25, 2009 at 1:35 PM, Gadi Evron wrote: > Hello all, > > This list is now officially open for discussion. The list is not moderated, > although any new subscriber is auto-moderated until we are sure they are not > a spam bot. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ahmad.taha at usa.net Fri Nov 27 05:17:57 2009 From: ahmad.taha at usa.net (Ahmad Taha Zaki) Date: Fri, 27 Nov 2009 07:17:57 +0200 Subject: [CII] welcome to the public CII Message-ID: <4B0F6105.3010807@usa.net> Hello everyone, I'm not a bot either although my former employer thinks I am, anyway I'm glad to see this issue brought to light. Regards, Ahmad Taha Zaki CISSP, GCIH, OSCP From marc at marcd.org Fri Nov 27 07:06:52 2009 From: marc at marcd.org (Marc) Date: Fri, 27 Nov 2009 02:06:52 -0500 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <013501ca6f30$3329a100$997ce300$@org> > -----Original Message----- > From: cii-bounces at isotf.org [mailto:cii-bounces at isotf.org] On Behalf Of > Gadi Evron > Sent: Wednesday, November 25, 2009 16:35 > To: cii at isotf.org > Subject: [CII] welcome to the public CII > > Hello all, > > ..... > Hi, I too, am looking forward to the discussion. I especially liked the comment about relying on networks over which we have no control and limited visibility. Even backup systems, such as dial in modems, rely on these networks. In a true emergency, the backup management system of last resort (physical access) may not be available due to other infrastructure (roads, fuel, transportation, buildings, etc.) not being available, so this may become a huge subject area. As far as being a bot, I don't believe I am a bot - unless I've been root-kitted, then I wouldn't know - in which case, the only real solution is a wipe and re-image. Crap - there goes my weekend - I hope I have a good image of myself. Marc D'Aloisio, CISSP From sys at aniota.com Fri Nov 27 10:04:39 2009 From: sys at aniota.com (The Mighty Phlabaud) Date: Fri, 27 Nov 2009 02:04:39 -0800 (PST) Subject: [CII] howdy ... Message-ID: ... ciao: i tend to think technology will ultimately solve the 'availability' aspect 'critical infrastructure'. that an optimistic view of standards implementation, bounds checking, and advances in hardware deployment. however, what happens, when "google aware" routers, start making decisoins for the network's users. ignoring legal issues, the flap over bit-torent, and voip, suggests 'commercial' factors that might come into focus ... From andre.engel at fhe3.com Fri Nov 27 10:12:30 2009 From: andre.engel at fhe3.com (Andre Engel) Date: Fri, 27 Nov 2009 11:12:30 +0100 Subject: [CII] welcome to the public CII Message-ID: <20091127101231.B49121C07C49@smtp.enterprisemail.de> Hello , Good to see the list is open . So Im not a fluffy spam bot , maybe my wife, she believes in that Im a sweet honeypot . I'll be participating from an operative perspective ,too . Cheers Andre -- Andre Engel Consulting Program Director, Email and Cyber Intelligence Services "..no ghost just a shell" FHE3 GmbH P: +49 721 869 5907 Scheffelstr. 17a M: +49 160 962 44476 76135 Karlsruhe andre.engel at fhe3.com http://www.fhe3.com/ Amtsgericht Mannheim, HRB 702495 Umsatzsteuer-Ident: DE254677931 Gesch?ftsf?hrer: Peter Eisenhauer, Michael Feger, Dimitrij Hilt This message (including any attachments) is the property of FHE3 and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. From isen at isen.com Fri Nov 27 14:05:23 2009 From: isen at isen.com (David S. Isenberg (isen)) Date: Fri, 27 Nov 2009 09:05:23 -0500 Subject: [CII] Cost per mile of . . . ? Message-ID: Anybody here have some insight into the costs of roads? For example: A rule of thumb cost per mile for building a simple paved 2 lane road? Cost per mile to operate, maintain and repair existing simple 2-lane? Specific examples to illustrate or bound the above? How about 4-lane, limited-access divided highway? Cost per mile to build? Annual cost per mile to operate, maintain, repair? David I ------------------ 203-661-4798 (main number, follows me everywhere) 888-isen.com (toll free) 508-548-5924 (Woods Hole) AIM, Skype, Y!IM: david_isenberg http://isen.com/blog http://freedom-to-connect.net ------------------ From avri at acm.org Fri Nov 27 15:37:11 2009 From: avri at acm.org (Avri Doria) Date: Fri, 27 Nov 2009 10:37:11 -0500 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: Hi, I had thought to lurk not to reply to the first welcome message. But having seen you all reply figured i better before someone decided that I was bot. I don't think I am, but if you all decided I was I might get confused, so figured I would put a non-bot stake in the ground. BTW, is this a new variant on the Turing Test? In any case, on the substantive side of what this list may be about. I also, am not sure I know exactly what CII covers. There are the logical entities people point to, e.g. the names and addresses, and there are the physical resources that one points to, e.g. backbones and last meters. In my research work, I work on networks for communications challenged areas and try to assume a network where none of the things that people normally assume are critical are available. Now this obviously involves communications gear and software of some sort, but i look to minimize what is necessary from the well known set of things. This is an extreme, but I think it corresponds to the original goal of the Internet - a network of networks that continues to work even if some part of it is missing. I.e I think the original concept of the Internet intended for there to be little if anything that was truly critical - i.e. without which the network would not work. the questions becomes if nothing is in itself critical, is there a set of things of which some must be there, but no individual member of the set is necessary. Or are thee things that are really critical in all places at all times. In my avocation, I work with those who have elevated the one naming architecture and the bifurcated addressing structure into global imperatives, i.e. things without which the Internet would fail and hence could be designated as CII. And in a part time contract, I work in a political environment where anything anyone wants to control is called CII. I tend to exist somewhere among these points of view, trying to come up with technology that minimizes the need for any infrastructure that is critical in that it can't be worked around yet accepting that there are working assumptions that make something critical at some place in some time frame. So, I look forward to this conversation, but am not sure I have a lot to offer other then my questions and existential angst about things. a. From rMslade at shaw.ca Fri Nov 27 19:31:45 2009 From: rMslade at shaw.ca (Rob, grandpa of Ryan, Trevor, Devon & Hannah) Date: Fri, 27 Nov 2009 11:31:45 -0800 Subject: [CII] welcome to the public CII In-Reply-To: <013501ca6f30$3329a100$997ce300$@org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <4B0FB8A1.18628.A8376F4@localhost> Date sent: Fri, 27 Nov 2009 02:06:52 -0500 From: Marc > As far as being a bot, I don't believe I am a bot - unless I've been > root-kitted, then I wouldn't know - in which case, the only real solution is a > wipe and re-image. Crap - there goes my weekend - I hope I have a good image of > myself. Well, if you're seriously rootkitted, then all forms of verifying the image are inoperative. So, why worry? My bio has, for years, admitted the possiblity that I'm a bot. I'm also a glossary guy, so I'm interested in the suggestion that we nail down some of the terms used ... ====================== (quote inserted randomly by Pegasus Mailer) rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org Common sense isn't. victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/NoticeBored http://twitter.com/rslade From rMslade at shaw.ca Fri Nov 27 19:48:31 2009 From: rMslade at shaw.ca (Rob, grandpa of Ryan, Trevor, Devon & Hannah) Date: Fri, 27 Nov 2009 11:48:31 -0800 Subject: [CII] Cost per mile of . . . ? In-Reply-To: Message-ID: <4B0FBC8F.7200.A92D0E2@localhost> Date sent: Fri, 27 Nov 2009 09:05:23 -0500 From: "David S. Isenberg (isen)" > Anybody here have some insight into the costs of roads? Too many variables. I live in BC: we have to build roads around and through mountains. Costs a bomb. Next door, in Alberta, road construction costs are dirt cheap. If you're willing to build dirt roads. (On the other hand, if you want to get all fancy and have the road last a while, they always complain because they haven't got any gravel. We just blow up part of a mountain ...) ====================== (quote inserted randomly by Pegasus Mailer) rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org Just because I have a short attention span doesn't mean I victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/NoticeBored http://twitter.com/rslade From marc at marcd.org Fri Nov 27 21:02:08 2009 From: marc at marcd.org (Marc) Date: Fri, 27 Nov 2009 16:02:08 -0500 Subject: [CII] Cost per mile of . . . ? In-Reply-To: <4B0FBC8F.7200.A92D0E2@localhost> References: <4B0FBC8F.7200.A92D0E2@localhost> Message-ID: <009f01ca6fa4$e37c6320$aa752960$@org> > Date sent: Fri, 27 Nov 2009 09:05:23 -0500 > From: "David S. Isenberg (isen)" > > > Anybody here have some insight into the costs of roads? > The Minnesota LRRB put together a report with some of the info for their State others may be available via Google. I know records of build and maintenance costs are kept by all States and Municipalities: http://www.lrrb.org/pdf/200509.pdf From pmm at igtc.com Fri Nov 27 19:49:14 2009 From: pmm at igtc.com (Paul M Moriarty) Date: Fri, 27 Nov 2009 11:49:14 -0800 Subject: [CII] welcome to the public CII In-Reply-To: <4B0FB8A1.18628.A8376F4@localhost> References: <4B0DA31C.1090501@linuxbox.org> <4B0FB8A1.18628.A8376F4@localhost> Message-ID: I'm not a bot, but I play one on certain honeypots. From bmanning at vacation.karoshi.com Fri Nov 27 22:24:46 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Fri, 27 Nov 2009 22:24:46 +0000 Subject: [CII] terms and conditions In-Reply-To: References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <20091127222446.GA18408@vacation.karoshi.com.> well, well... Taking each word in turn: Critical:: adj (2) a : relating to or being a state in which or a measurement or point at which some quality, property, or phenomenon suffers a definite change b : crucial, decisive c : indispensable, vital d : being in or approaching a state of crisis Internet:: noun an electronic communications network that connects computer networks and organizational computer facilities around the world Infrastructure:: noun 1 : the underlying foundation or basic framework (as of a system or organization) 2 : the permanent installations required for military purposes 3 : the system of public works of a country, state, or region; also : the resources (as personnel, buildings, or equipment) required for an activity Critical has other definitions, but #2 seemed the best fit, for me, I think 2c is what many folks would think of. Yet i could argue that 2a is happening, with the emergence of things like IGF, ITU, and more direct governmental oversight as opposed to strictly sound technical and engineering judgement. One small group would argue the 2d is or should be the focus as the transition period when two IP address families will be used. All three, 2a, 2c, and 2d could be correct. Internet - I think this definition is flawed since the Internet is a concatination of many networks, some of whom agree to exchange traffic and some do not - the baseline seems to be that they all use IP and -could- if needed communicate with each other if so desired - conversely, they can continue to operate even in the absense of connectivity with other networks. Infrastructure depends on whom is talking - although from a strictly engineering standpoint, I'd have to limit discussion to the first definition. Some public policy folks have intimated that they see Infrastructure in the CII context as more along the lines of the third definition - the Infrastructure is a system of public works. Some governmental types seem to favor the second, intimating that since the Internet is required for military purposes, that fits there best. Perhaps all are true to a degree, but I think it would help if we were to settle on one or at least be clear when we are talking, just which things we talk about. What do you all think? --bill From dotzero at gmail.com Fri Nov 27 22:55:06 2009 From: dotzero at gmail.com (Dotzero) Date: Fri, 27 Nov 2009 17:55:06 -0500 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <7ae58c220911271455s667f857u969fed9174ca29b6@mail.gmail.com> On Wed, Nov 25, 2009 at 4:35 PM, Gadi Evron wrote: > Hello all, > > This list is now officially open for discussion. The list is not moderated, > although any new subscriber is auto-moderated until we are sure they are not > a spam bot. > I am not a spam bot. In Gadi We Trust. (Do spam bots have a sense of humor?) > I'd like to start with a clean slate, and at least for a little while, with > no set agenda. Many of us discussed what critical infrastructure on the > internet is, how to define it, and how to protect it, many times before. We > all have varying ideas, so let's try and be patient until we find our feet > and what our specific goals are. > I would be interested in a stalking horse definition for CI as a starting point. Critical to whom? In what way? Is Critical a generic or are there differentiators for criticality? Do we consider macro, micro or both? Do we consider protection or do we consider survivability to use the vernacular of the Software Engineering Institute? How about geography or political boundaries in terms of CI? How useful might "Islands of Survivability/functionality" as a concept be? How much might realistically be protected in a target rich environment? > Before we put forth any sort of charter or specific issues, I'd like to hear > from you what you think is lacking in current discussion on the subject > matter, and what you would like to see happen in the next few years. > Most of the attacks that I am aware of (Palestinian/Israeli, Estonia, Georgia, etc) are what I would call tactical rather than strategic in terms of concept and execution. Much of the focus appears to be on the mechanics. What exactly do we think we are ultimately defending CI against? What is the difference between criminal acts and acts of war? What about the combination of physical and remote/network based attacks? Just a few thoughts. From josmon at rigozsaurus.com Sat Nov 28 05:36:55 2009 From: josmon at rigozsaurus.com (John Osmon) Date: Fri, 27 Nov 2009 22:36:55 -0700 Subject: [CII] terms and conditions In-Reply-To: <20091127222446.GA18408@vacation.karoshi.com.> References: <4B0DA31C.1090501@linuxbox.org> <20091127222446.GA18408@vacation.karoshi.com.> Message-ID: <20091128053655.GA24114@jeeves.rigozsaurus.com> On Fri, Nov 27, 2009 at 10:24:46PM +0000, bmanning at vacation.karoshi.com wrote: > > well, well... > > > Taking each word in turn: [...definitions elided...] > Perhaps all are true to a degree, but I think it would help if we were > to settle on one or at least be clear when we are talking, > just which things we talk about. > > What do you all think? Wit all respect for Justice Stewart: I don't know what the Internet is, but I know when I see something crtical. :-) So far, people have been happy to point out that they aren't bots, and they they would like to use this list to learn what others think is critical. me? I want to see IP networks beome so ubiquitious and so nimble that they can be used for any critical necessity. This means that any given network will need to have flexible policies -- at different times, different traffic will become critical. I don't think the typical view of "critical" is able to deal with what I think networks should be able to handle. We still live in a world where too many people tie the end application to the network link. Technology moves forward faster than regulation can keep up... "My network, my rules." But I'll always prempt traffic on my net for health/safety. Kinda seems like my duty to the society that I live within... We can argure tighter semantics once other people start talking about what they consider "critical." From rMslade at shaw.ca Sat Nov 28 21:34:43 2009 From: rMslade at shaw.ca (Rob, grandpa of Ryan, Trevor, Devon & Hannah) Date: Sat, 28 Nov 2009 13:34:43 -0800 Subject: [CII] welcome to the public CII In-Reply-To: <7ae58c220911271455s667f857u969fed9174ca29b6@mail.gmail.com> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <4B1126F3.884.101A6734@localhost> Date sent: Fri, 27 Nov 2009 17:55:06 -0500 From: Dotzero > (Do spam bots have a sense of humor?) Depends on which Markov chain you use ... ====================== (quote inserted randomly by Pegasus Mailer) rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org Pay no attention to the critics. Don't even ignore them. - Samuel Goldwin victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/NoticeBored http://twitter.com/rslade From chiewv at shaw.ca Sat Nov 28 08:30:09 2009 From: chiewv at shaw.ca (VINCENT CHIEW) Date: Sat, 28 Nov 2009 01:30:09 -0700 Subject: [CII] Welcome to the "CII" mailing list In-Reply-To: Message-ID: <00b901ca7004$ff922b70$6601a8c0@home4> Hello World, No Bots Testing. Regards, Vincent From markscherling at shaw.ca Sat Nov 28 15:35:17 2009 From: markscherling at shaw.ca (Mark Scherling) Date: Sat, 28 Nov 2009 07:35:17 -0800 Subject: [CII] CII Digest, Vol 12, Issue 3 In-Reply-To: References: Message-ID: <3118392CBD134780A93E99FD09CF32D2@M3P> Hi, I'm new to the list and saw the issue about the Internet and the analogy of it being like the air we breathe. Not sure if any of you have seen the video on Ted from Kevin Kelly on the web , link below but his thoughts about "the machine" and the Internet never going down is very interesting. Parts have been broken but the whole thing has not failed. It starts to make things very interesting. I've been looking at information risk management for a few years now, expanding from information security into taking a more holistic approach to information management and service delivery. I was very excited that Dan invited me to participate in this forum and from my initial reads there are a lot of folks out there who are struggling with all the new technologies, risks, services. Another presentation that I really liked was "Shift Happens" on Youtube. I will sign off for now. Kevin Kelly on the next 5,000 days of the web | Video on TED.com * At the 2007 EG conference, Kevin Kelly shares a fun stat: The World Wide Web, as we know it, is only 5,000 days old. Now, Kelly asks, how ... * http://www.ted.com/talks/lang/eng/kevin_kelly_on_the_next_5_000_days_of_the_ web.html -----Original Message----- From: cii-bounces at isotf.org [mailto:cii-bounces at isotf.org] On Behalf Of cii-request at isotf.org Sent: November 27, 2009 5:09 AM To: cii at isotf.org Subject: CII Digest, Vol 12, Issue 3 Send CII mailing list submissions to cii at isotf.org To subscribe or unsubscribe via the World Wide Web, visit http://isotf.org/mailman/listinfo/cii or, via email, send a message with subject or body 'help' to cii-request at isotf.org You can reach the person managing the list at cii-owner at isotf.org When replying, please edit your Subject line so it is more specific than "Re: Contents of CII digest..." Today's Topics: 1. Re: welcome to the public CII (John Osmon) 2. Re: welcome to the public CII (Paul Schmehl) 3. Re: welcome to the public CII (Joe St Sauver) 4. Re: welcome to the public CII (manny fuentes) 5. Re: welcome to the public CII (Angela Cataldo) 6. Re: welcome to the public CII (Jeff Johnstone) 7. Re: welcome to the public CII (Ahmad Taha Zaki) 8. Re: welcome to the public CII (Marc) 9. howdy ... (The Mighty Phlabaud) ---------------------------------------------------------------------- Message: 1 Date: Thu, 26 Nov 2009 10:21:02 -0700 From: John Osmon Subject: Re: [CII] welcome to the public CII To: bmanning at vacation.karoshi.com Cc: "cii at isotf.org" Message-ID: <20091126172102.GB9694 at jeeves.rigozsaurus.com> Content-Type: text/plain; charset=us-ascii On Thu, Nov 26, 2009 at 12:58:30PM +0000, bmanning at vacation.karoshi.com wrote: > > I occasionally get confused. Is there a common understanding > of the term "Critical Internet Infrastructure"? We all get confused at times. :-) CI *ought* to be pretty obvious, huh? > Or are we all talking past each other? I think there will be lots of talking past each other at one level or another. The layering of modern communications services makes it inherent in the conversation. Consider a situation where: - Big Telco sells service to smaller provider. - Smaller provider sells service to local goverment. - Local government considers end service "critical." Assuming we can all agree that the end service is critical, what pieces or layers of underlying infrastructure get to have have that designation as well? All of the smaller provider? Or just the individual services sold by the Big Telco? If the end service is packet based and the smaller provider is multi-homed do we have to consider all Big Telco links used for backhaul critical? Some "critical infrastructure" is obvious -- others not so much. Talking past each other will occur. The value of this mailing list will be defined by the number of people served by their view. One man's network layrer is another man's application layer... ------------------------------ Message: 2 Date: Thu, 26 Nov 2009 12:16:45 -0600 From: "Paul Schmehl" Subject: Re: [CII] welcome to the public CII To: "'Andrea Glorioso'" , Message-ID: <177f01ca6ec4$9d57e8f0$d807bad0$@rr.com> Content-Type: text/plain; charset="us-ascii" The first thing governments must understand is that they cannot control the internet. Therefore they must learn how to develop policies that will result in resilience of CI (whatever that is defined to be) rather than attempting to stop "bad stuff" from happening. If you listen to politicians in the US, you quickly realize that they think of the internet as a contiguous "thing" that can be controlled somehow. The internet is more like air. You cannot hope to control air. You can merely try to keep it as clean as possible while acknowledging that one hurricane, tornado or volcanic eruption can undo years of hard work. -----Original Message----- From: cii-bounces at isotf.org [mailto:cii-bounces at isotf.org] On Behalf Of Andrea Glorioso Sent: Thursday, November 26, 2009 2:58 AM To: cii at isotf.org Subject: Re: [CII] welcome to the public CII In terms of "what is missing", I think policy-makers have still a long way to go before they understand what the Internet actually is and how it is operationally managed. One consequence of this is that in some cases they still try to apply crisis management approaches that will not work. On the other hand, the private sector must stop pretending (at least with us) that we are still in the '80s and that the Internet infrastructures they operate are not vital for society. ------------------------------ Message: 3 Date: Thu, 26 Nov 2009 08:30:51 -0700 (PDT) From: "Joe St Sauver" Subject: Re: [CII] welcome to the public CII To: Mark.Brunner at cibc.com Cc: cii at isotf.org Message-ID: <09112609305166_1F92D at oregon.uoregon.edu> Mark mentioned: #I would also be very interested in learning more about the #actual SCADA networks that are in place, how connectivity #policies are enforced on them, what controls are in place #to restrict connectivity between networks and the Internet #or other networks, and how these policies and controls are #audited against over the next few years. If you're interested, feel free to see my December 2004 talk: "SCADA Security and Critical Infrastructure," http://www.uoregon.edu/~joe/scadaig/infraguard-scada.pdf (or .ppt) Unfortunately, what I said five years ago continues to be all too applicable even today. :-( If you have a particular ongoing interest in SCADA/process control security, you may also want to check out Bob Radvanovsky's SCADA Security mailing list (see http://scadasec.infracritical.com/ ) Depending on the failure/attack modes you're interested in, I've got some other talks you may also want to see: "Electromagnetic Pulse," http://www.uoregon.edu/~joe/infragard-2009/infragard-eugene-2009.pdf (or .ppt) and "Cyber War, Cyber Terrorism and Cyber Espionage," http://www.uoregon.edu/~joe/cyberwar/cyberwar.pdf (or .ppt) Despite the unquestionably serious nature of these topics, I hope that everyone's having a nice Thanksgiving (including those of you outside the United States). I think we *all* have much to be thankful for, for one thing, and I heartily encourage everyone to "adopt" any/all holidays that provide an excuse for getting together for food, drink and good times with families and friends, whether those holidays happen to be foreign or domestic. (I *will* say that you're "excused" from the traditional "obligation" to watch American football, however, unless you want to, much as I sometimes watch cricket or that "other football" :-) just for a change of pace. Go Ducks! (#8 in the BCS national rankings, 9 and 2 overall) :-) Regards, Joe St Sauver (joe at oregon.uoregon.edu) http:/www.uoregon.edu/~joe/ Disclaimer: all opinions strictly my own ------------------------------ Message: 4 Date: Thu, 26 Nov 2009 08:30:16 -0800 (PST) From: manny fuentes Subject: Re: [CII] welcome to the public CII To: Gadi Evron , "cii at isotf.org" Message-ID: <220766.48562.qm at web58508.mail.re3.yahoo.com> Content-Type: text/plain; charset="iso-8859-1" Hello All, Looking forward to spamming, err participating in these discussions :-) Coming from the utilities sector, I have first hand knowledge regarding CI - scada, ems, bulk electric system, etc. Looking forward to it. Regards, Manuel Fuentes CISSP, GIAC, MBA ________________________________ From: Gadi Evron To: "cii at isotf.org" Sent: Wed, November 25, 2009 1:35:24 PM Subject: [CII] welcome to the public CII Hello all, This list is now officially open for discussion. The list is not moderated, although any new subscriber is auto-moderated until we are sure they are not a spam bot. I'd like to start with a clean slate, and at least for a little while, with no set agenda. Many of us discussed what critical infrastructure on the internet is, how to define it, and how to protect it, many times before. We all have varying ideas, so let's try and be patient until we find our feet and what our specific goals are. Before we put forth any sort of charter or specific issues, I'd like to hear from you what you think is lacking in current discussion on the subject matter, and what you would like to see happen in the next few years. People on the list are all very busy individuals, so while we encourage discussion, please try and conduct yourselves properly. CII is co-admin'd by Barry Greene and myself, while some more spots may open up as necessary, as we settle into a routine in the coming months. ??? Gadi. -- Gadi Evron, ge at linuxbox.org. Blog: http://gevron.livejournal.com/ _______________________________________________ CII mailing list CII at isotf.org http://isotf.org/mailman/listinfo/cii -------------- next part -------------- An HTML attachment was scrubbed... URL: ------------------------------ Message: 5 Date: Thu, 26 Nov 2009 22:23:44 +0100 From: Angela Cataldo Subject: Re: [CII] welcome to the public CII To: Gadi Evron , cii at isotf.org Message-ID: <4d9107cf0911261323x6e0bf35agd6987108edfd916b at mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1" Hi Gadi, hi all, I'm not a bot, I'm from Italy, I work as System Administrator and Engineer and something else. I'm here as listener: hope to help, but first hope to understand the discussion context. Regards AC -- Ing. Angela Cataldo System Engineering, Integration, Administration, Design and Planning -------------- next part -------------- An HTML attachment was scrubbed... URL: ------------------------------ Message: 6 Date: Thu, 26 Nov 2009 13:39:21 -0800 From: Jeff Johnstone Subject: Re: [CII] welcome to the public CII To: Gadi Evron Cc: "cii at isotf.org" Message-ID: <558b776c0911261339v216cca6fueb9da9513a56e56d at mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1" Hello World Looking forward to mostly lurking here as I do on many other lists. Semi retired now and mostly acting as advisory to local governments and a few long term corporate clients. cheers Jeff Johnstone On Wed, Nov 25, 2009 at 1:35 PM, Gadi Evron wrote: > Hello all, > > This list is now officially open for discussion. The list is not > moderated, although any new subscriber is auto-moderated until we are > sure they are not a spam bot. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: ------------------------------ Message: 7 Date: Fri, 27 Nov 2009 07:17:57 +0200 From: Ahmad Taha Zaki Subject: Re: [CII] welcome to the public CII To: "cii at isotf.org" Message-ID: <4B0F6105.3010807 at usa.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Hello everyone, I'm not a bot either although my former employer thinks I am, anyway I'm glad to see this issue brought to light. Regards, Ahmad Taha Zaki CISSP, GCIH, OSCP ------------------------------ Message: 8 Date: Fri, 27 Nov 2009 02:06:52 -0500 From: "Marc" Subject: Re: [CII] welcome to the public CII To: Message-ID: <013501ca6f30$3329a100$997ce300$@org> Content-Type: text/plain; charset="us-ascii" > -----Original Message----- > From: cii-bounces at isotf.org [mailto:cii-bounces at isotf.org] On Behalf Of > Gadi Evron > Sent: Wednesday, November 25, 2009 16:35 > To: cii at isotf.org > Subject: [CII] welcome to the public CII > > Hello all, > > ..... > Hi, I too, am looking forward to the discussion. I especially liked the comment about relying on networks over which we have no control and limited visibility. Even backup systems, such as dial in modems, rely on these networks. In a true emergency, the backup management system of last resort (physical access) may not be available due to other infrastructure (roads, fuel, transportation, buildings, etc.) not being available, so this may become a huge subject area. As far as being a bot, I don't believe I am a bot - unless I've been root-kitted, then I wouldn't know - in which case, the only real solution is a wipe and re-image. Crap - there goes my weekend - I hope I have a good image of myself. Marc D'Aloisio, CISSP ------------------------------ Message: 9 Date: Fri, 27 Nov 2009 02:04:39 -0800 (PST) From: The Mighty Phlabaud Subject: [CII] howdy ... To: "cii at isotf.org" Message-ID: Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed ... ciao: i tend to think technology will ultimately solve the 'availability' aspect 'critical infrastructure'. that an optimistic view of standards implementation, bounds checking, and advances in hardware deployment. however, what happens, when "google aware" routers, start making decisoins for the network's users. ignoring legal issues, the flap over bit-torent, and voip, suggests 'commercial' factors that might come into focus ... ------------------------------ _______________________________________________ CII mailing list CII at isotf.org http://isotf.org/mailman/listinfo/cii End of CII Digest, Vol 12, Issue 3 ********************************** From ChrisSavage at dwt.com Sat Nov 28 17:14:18 2009 From: ChrisSavage at dwt.com (Savage, Christopher) Date: Sat, 28 Nov 2009 12:14:18 -0500 Subject: [CII] terms and conditions In-Reply-To: <20091128053655.GA24114@jeeves.rigozsaurus.com> References: <4B0DA31C.1090501@linuxbox.org><20091127222446.GA18408@vacation.karoshi.com.> <20091128053655.GA24114@jeeves.rigozsaurus.com> Message-ID: <51263FC817FFE0498378E15A05922CFD016819A0@WDCEX01.DWT.COM> Actually, I would encourage people to think about what they mean by "infrastructure." On other lists on related topics, the big debate seems to be around the "business model" that applies to the construction/operation of networks. I'd appreciate the thoughts of this group on the question of whether a network that does "critical" things can have a "business model" or whether, like roads, bridges, etc., what is really going on is a slow realization that maybe this isn't a "business" proposition at all. Chris S. -----Original Message----- From: cii-bounces at isotf.org [mailto:cii-bounces at isotf.org] On Behalf Of John Osmon Sent: Saturday, November 28, 2009 12:37 AM To: bmanning at vacation.karoshi.com Cc: cii at isotf.org Subject: Re: [CII] terms and conditions I don't think the typical view of "critical" is able to deal with what I think networks should be able to handle. We still live in a world where too many people tie the end application to the network link. Technology moves forward faster than regulation can keep up... "My network, my rules." But I'll always prempt traffic on my net for health/safety. Kinda seems like my duty to the society that I live within... We can argure tighter semantics once other people start talking about what they consider "critical." _______________________________________________ CII mailing list CII at isotf.org http://isotf.org/mailman/listinfo/cii From bmanning at vacation.karoshi.com Sat Nov 28 23:41:48 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Sat, 28 Nov 2009 23:41:48 +0000 Subject: [CII] terms and conditions In-Reply-To: <20091128053655.GA24114@jeeves.rigozsaurus.com> References: <4B0DA31C.1090501@linuxbox.org> <20091127222446.GA18408@vacation.karoshi.com.> <20091128053655.GA24114@jeeves.rigozsaurus.com> Message-ID: <20091128234148.GA27687@vacation.karoshi.com.> On Fri, Nov 27, 2009 at 10:36:55PM -0700, John Osmon wrote: > On Fri, Nov 27, 2009 at 10:24:46PM +0000, bmanning at vacation.karoshi.com wrote: > > > > well, well... > > > > > > Taking each word in turn: > > [...definitions elided...] > > > Perhaps all are true to a degree, but I think it would help if we were > > to settle on one or at least be clear when we are talking, > > just which things we talk about. > > > > What do you all think? > > Wit all respect for Justice Stewart: > I don't know what the Internet is, but I know when I see something > crtical. :-) > > So far, people have been happy to point out that they aren't bots, > and they they would like to use this list to learn what others think > is critical. > > me? I want to see IP networks beome so ubiquitious and so nimble > that they can be used for any critical necessity. This means that > any given network will need to have flexible policies -- at different > times, different traffic will become critical. > > I don't think the typical view of "critical" is able to deal with > what I think networks should be able to handle. We still live in > a world where too many people tie the end application to the network > link. Technology moves forward faster than regulation can keep up... > > "My network, my rules." But I'll always prempt traffic on my net > for health/safety. Kinda seems like my duty to the society that I live > within... > > We can argure tighter semantics once other people start talking > about what they consider "critical." one of the often misunderstood attributes of an IP network is the basic attribute of the End2End principle. e.g. the network can and perhaps should be decomposed on a periodic basis... there is nothing sacrosanct about any given IP network or set of interconnects between any set of IP networks. this is not much more than normal network continuity/disaster testing - I mean we periodically test out backup power, hotsite testing, etc... why don't we test out backup peering paths? BGP is pairwise, so it works well. as to tying applications to the network... we are kind of stuck with the DNS and the one unique root... Now this could be fixed - without much change in the namespace or even the authoritative servers. (send me a note if you want to know more ...) --bill From bmanning at vacation.karoshi.com Sat Nov 28 23:45:40 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Sat, 28 Nov 2009 23:45:40 +0000 Subject: [CII] [bmanning@vacation.karoshi.com: Re: terms and conditions] Message-ID: <20091128234540.GA27757@vacation.karoshi.com.> On Fri, Nov 27, 2009 at 10:36:55PM -0700, John Osmon wrote: > > "My network, my rules." But I'll always prempt traffic on my net > for health/safety. Kinda seems like my duty to the society that I live > within... > a good catch... are there normal or standarized concepts for network triage? what gets cut when? what gets restored first and why? --bill From rMslade at shaw.ca Sun Nov 29 06:34:02 2009 From: rMslade at shaw.ca (Rob, grandpa of Ryan, Trevor, Devon & Hannah) Date: Sat, 28 Nov 2009 22:34:02 -0800 Subject: [CII] terms and conditions In-Reply-To: <51263FC817FFE0498378E15A05922CFD016819A0@WDCEX01.DWT.COM> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> Message-ID: <4B11A55A.30671.120829BB@localhost> Date sent: Sat, 28 Nov 2009 12:14:18 -0500 From: "Savage, Christopher" > Actually, I would encourage people to think about what they mean by > "infrastructure." Oh, oh! I *know* this one! Since I've had to explain to people what the "I" in PKI is, over the years. It's "everything you need to make this work." (For various values of "this.") I guess "critical infrastructure" therefore become redundant ... ====================== (quote inserted randomly by Pegasus Mailer) rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org Dictionary of Info Sec www.amazon.com/exec/obidos/ASIN/1597491152 victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/NoticeBored http://twitter.com/rslade From dotzero at gmail.com Sun Nov 29 01:17:09 2009 From: dotzero at gmail.com (Dotzero) Date: Sat, 28 Nov 2009 20:17:09 -0500 Subject: [CII] [bmanning@vacation.karoshi.com: Re: terms and conditions] In-Reply-To: <20091128234540.GA27757@vacation.karoshi.com.> References: <20091128234540.GA27757@vacation.karoshi.com.> Message-ID: <7ae58c220911281717v3fe3a2cp61bfc6ce0011a2d0@mail.gmail.com> On Sat, Nov 28, 2009 at 6:45 PM, wrote: > On Fri, Nov 27, 2009 at 10:36:55PM -0700, John Osmon wrote: >> >> "My network, my rules." ?But I'll always prempt traffic on my net >> for health/safety. ?Kinda seems like my duty to the society that I live >> within... >> > > ? ? ? ?a good catch... ?are there normal or standarized concepts > ? ? ? ?for network triage? > > ? ? ? ?what gets cut when? > > ? ? ? ?what gets restored first and why? > > --bill What do you mean by "preempt". Are you carrying traffic from other networks and destined for other networks or are you talking about preventing traffic from your network going to 3rd party networks? What is the general nature of traffic on your net? I deal with corporate networks and ecommerce sites. Our triage would be to cut traffic when we are putting others at potential risk or if there is significant potential risk to the integrity of our systems and networks. While we have a lot of horsepower we would not be considered CII by most people. From goretsky at gmail.com Sun Nov 29 09:41:20 2009 From: goretsky at gmail.com (Aryeh Goretsky (home)) Date: Sun, 29 Nov 2009 01:41:20 -0800 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <4b1242ce.e402be0a.566b.79b8@mx.google.com> Greetings, It is probably a good idea to introduce myself, even if I plan on lurking most of the time. My name is Aryeh Goretsky and I am a researcher at ESET, LLC, which makes anti-malware software. Aside from the interests that a computer security software company has in Critical Internet Infrastructure, I have a past background in instant messaging and VoIP technologies and am interested in how (and if!) those would be preserved in the event of a CII issue. Okay, back to lurking. :) Regards, Aryeh Goretsky At 01:35 PM 11/25/2009, Gadi Evron wrote: >Hello all, > >This list is now officially open for discussion. The list is not >moderated, although any new subscriber is auto-moderated until we >are sure they are not a spam bot. > >I'd like to start with a clean slate, and at least for a little >while, with no set agenda. Many of us discussed what critical >infrastructure on the internet is, how to define it, and how to >protect it, many times before. We all have varying ideas, so let's >try and be patient until we find our feet and what our specific goals are. > >Before we put forth any sort of charter or specific issues, I'd like >to hear from you what you think is lacking in current discussion on >the subject matter, and what you would like to see happen in the >next few years. > >People on the list are all very busy individuals, so while we >encourage discussion, please try and conduct yourselves properly. > >CII is co-admin'd by Barry Greene and myself, while some more spots >may open up as necessary, as we settle into a routine in the coming months. > > Gadi. > > >-- >Gadi Evron, >ge at linuxbox.org. > >Blog: http://gevron.livejournal.com/ >_______________________________________________ >CII mailing list >CII at isotf.org >http://isotf.org/mailman/listinfo/cii From david.a.harley at gmail.com Sun Nov 29 10:28:36 2009 From: david.a.harley at gmail.com (David Harley) Date: Sun, 29 Nov 2009 10:28:36 -0000 Subject: [CII] welcome to the public CII In-Reply-To: <4b1242ce.e402be0a.566b.79b8@mx.google.com> References: <4B0DA31C.1090501@linuxbox.org> <4b1242ce.e402be0a.566b.79b8@mx.google.com> Message-ID: <758D070DFDF241A99A2C7CEB91DFE0DA@DAVID> Greetings, humans and fellow bots. Like Aryeh, I currently work for ESET, but in a past life I had a particular interest in the UK's CNI, working for the National Health Service, so I guess I come from a somewhat similar perspective to Hillar's. I'm interested to see how far it's possible to extend what we've learned (or failed to learn) in national security contexts to a rational global infrastructure. -- David Harley CISSP FBCS CITP Small Blue-Green World From Jon.Crowcroft at cl.cam.ac.uk Sun Nov 29 11:32:54 2009 From: Jon.Crowcroft at cl.cam.ac.uk (Jon Crowcroft) Date: Sun, 29 Nov 2009 11:32:54 +0000 Subject: [CII] welcome to the public CII In-Reply-To: <4B0DA31C.1090501@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> Message-ID: I'm here http://www.cl.cam.ac.uk/~jac22/ and am notabot. I have been critical of the infrastructure on the net recently and wrote this draft paper:- http://www.cl.cam.ac.uk/~jac22/out/bcs.pdf which I'd welcome (technical) comments on (probably offlist). I'm also quite interested in the relationship between different networks (social nets in real life and online power grids and communication networks, transport and power and communication social, real life, transport, online, power, etc etc - you get the picture) jon From bmanning at vacation.karoshi.com Sun Nov 29 12:17:06 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Sun, 29 Nov 2009 12:17:06 +0000 Subject: [CII] terms and conditions In-Reply-To: <4B11A55A.30671.120829BB@localhost> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> Message-ID: <20091129121706.GA7158@vacation.karoshi.com.> On Sat, Nov 28, 2009 at 10:34:02PM -0800, Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote: > Date sent: Sat, 28 Nov 2009 12:14:18 -0500 > From: "Savage, Christopher" > > > Actually, I would encourage people to think about what they mean by > > "infrastructure." > > Oh, oh! I *know* this one! > > Since I've had to explain to people what the "I" in PKI is, over the years. It's > "everything you need to make this work." > > (For various values of "this.") > > I guess "critical infrastructure" therefore become redundant ... > thank you for stepping out on to the slippery slope. lets presume I am based in Kamatura Japan. I have work associates in Oxford England, Palo Alto & Santa Cruz California, Family in West Virginia, and teaching assignments in Korea, China and Mynmar. Is there any reason why - given the rigid nature of peering and cross connects that I should care about fiber cuts that take out most of Sau Paulo and all of Norway? I have "everything you need to make this work". I have no need of Brazilian or Norwegian infrastructure. They are not critical to me. --bill From ge at linuxbox.org Sun Nov 29 12:22:40 2009 From: ge at linuxbox.org (Gadi Evron) Date: Sun, 29 Nov 2009 14:22:40 +0200 Subject: [CII] terms and conditions In-Reply-To: <20091129121706.GA7158@vacation.karoshi.com.> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com.> Message-ID: <4B126790.3040308@linuxbox.org> bmanning at vacation.karoshi.com wrote: > I have "everything you need to make this work". I have no need of Brazilian > or Norwegian infrastructure. They are not critical to me. What would happen to your connectivity if the Brazilian and Norwegian localized internet infrastructures were to stop working? From ge at linuxbox.org Sun Nov 29 12:26:16 2009 From: ge at linuxbox.org (Gadi Evron) Date: Sun, 29 Nov 2009 14:26:16 +0200 Subject: [CII] welcome to the public CII In-Reply-To: References: <4B0DA31C.1090501@linuxbox.org> <24bc783c0911251506x3e71f051wab53d32f752e24f8@mail.gmail.com> Message-ID: <4B126868.9030905@linuxbox.org> Hillar Aarelaid wrote: > On Nov 26, 2009, at 1:06 AM, Michal wrote: > >> critical infrastructure is differently defined > > we have no CI, we have '''_vital_services_''' > if garbage is not taken care off, but let in the street, then rats will ++++ and deceases will ++++ and people will ---- => garbage collection == vital service > If I am to understand the below.. chart.. you basically listed virtal resources, and gave them parents who are without contest responsible for taking care of them? Gadi. -- Gadi Evron, ge at linuxbox.org. Blog: http://gevron.livejournal.com/ From ge at linuxbox.org Sun Nov 29 12:28:48 2009 From: ge at linuxbox.org (Gadi Evron) Date: Sun, 29 Nov 2009 14:28:48 +0200 Subject: [CII] welcome to the public CII In-Reply-To: <24bc783c0911251506x3e71f051wab53d32f752e24f8@mail.gmail.com> References: <4B0DA31C.1090501@linuxbox.org> <24bc783c0911251506x3e71f051wab53d32f752e24f8@mail.gmail.com> Message-ID: <4B126900.8070302@linuxbox.org> Michal wrote: > Hello to all on the list. > > As for the beginning I would go the path that Gadi indicated: "What ic CI". > > From my personal experience I know, that critical infrastructure is > differently defined not only in every country (for the national critical > infrastructure) but sometimes even in every branch of the same corp. > > In my opinion we have to quickly develop a common dictionary just to be > sure we that the meaning is the same for all. > > I hope that I'll be of any help. Michael, I am happy to see folks from Europe participating in this forum. Your experience in Poland, Hillar's experience in Estonia, etc. are all invaluable. Bill Manning and Rob Slade are making your wishes happen, and I wonder what your take is on how they are defining the terminology in this thread. Gadi. -- Gadi Evron, ge at linuxbox.org. Blog: http://gevron.livejournal.com/ From ge at linuxbox.org Sun Nov 29 12:31:02 2009 From: ge at linuxbox.org (Gadi Evron) Date: Sun, 29 Nov 2009 14:31:02 +0200 Subject: [CII] welcome to the public CII In-Reply-To: <87638xacib.fsf@digitalpolicy.it> References: <4B0DA31C.1090501@linuxbox.org> <87638xacib.fsf@digitalpolicy.it> Message-ID: <4B126986.9090503@linuxbox.org> Andrea Glorioso wrote: > In terms of "what is missing", I think policy-makers have still a long > way to go before they understand what the Internet actually is and how > it is operationally managed. One consequence of this is that in some > cases they still try to apply crisis management approaches that will > not work. On the other hand, the private sector must stop pretending > (at least with us) that we are still in the '80s and that the Internet > infrastructures they operate are not vital for society. Andrea, with your experience at the European Commission, do you think you can advise us on how to turn the results of our conversations here into products that policy makers can understand? For example, the advancing discussion on terminology. Gadi. > Please note that, notwithstanding my affiliation, everything I will > write here is my personal opinion, unless otherwise noted. > > Best, > > -- > Andrea Glorioso || http://people.digitalpolicy.it/sama/cv/ > M: +32-488-409-055 F: +39-051-930-31-133 > * Le opinioni espresse in questa mail sono del tutto personali * > * The opinions expressed here are absolutely personal * > > "Constitutions represent the deliberate judgment of the > people as to the provisions and restraints which [...] will > secure to each citizen the greatest liberty and utmost > protection. They are rules proscribed by > Philip sober to control Philip drunk." > David J. Brewer (1893) > An Independent Judiciary as the Salvation of the Nation > > > ------------------------------------------------------------------------ > > _______________________________________________ > CII mailing list > CII at isotf.org > http://isotf.org/mailman/listinfo/cii -- Gadi Evron, ge at linuxbox.org. Blog: http://gevron.livejournal.com/ From ge at linuxbox.org Sun Nov 29 12:32:24 2009 From: ge at linuxbox.org (Gadi Evron) Date: Sun, 29 Nov 2009 14:32:24 +0200 Subject: [CII] welcome to the public CII In-Reply-To: <3feff8d60911260511i6d2111d0o761ed07d5c39a6c7@mail.gmail.com> References: <4B0DA31C.1090501@linuxbox.org> <3feff8d60911260511i6d2111d0o761ed07d5c39a6c7@mail.gmail.com> Message-ID: <4B1269D8.3090103@linuxbox.org> Michael Maranda wrote: > One of the prior messages articulated an aversion to Cyber as non-word. > Please say more? For now I'll take it as similar to my aversion to > prefixing everything with e-; i; and "digital" You got it. Just that most of us gave up and use it until the trend is over. It's difficult to explain to people why most "cyber-war" stories are nonsense when they don't understand other terminology. From bmanning at vacation.karoshi.com Sun Nov 29 12:54:07 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Sun, 29 Nov 2009 12:54:07 +0000 Subject: [CII] terms and conditions In-Reply-To: <4B126790.3040308@linuxbox.org> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com.> <4B126790.3040308@linuxbox.org> Message-ID: <20091129125407.GB7158@vacation.karoshi.com.> On Sun, Nov 29, 2009 at 02:22:40PM +0200, Gadi Evron wrote: > bmanning at vacation.karoshi.com wrote: > > I have "everything you need to make this work". I have no need of > > Brazilian or Norwegian infrastructure. They are not critical to me. > > What would happen to your connectivity if the Brazilian and Norwegian > localized internet infrastructures were to stop working? nothing. zero. nada. zilch. not critical to me. the point being, critical has a reference, usually an end user. and any given end user is either completely expendable or is the focus of connectivity. presume three endusers... Aaron, a homeless 47 year old man living on the streets of Detroit, Barak, the president of the United States, and Marline, project manager fo the Direct Marketing Assoc. Are they equally entitled to access to Critical Internet Infrastructure? Do they perceive the reach/scope of Critical Internet Infrastructure in the same way? What are the results of them not having access? John Ozman raised the (very germane) point of triage. Who gets cut off when and who gets restored first and why? Critical implies weakness. A single point of failure, a locus of control. Where those things emerge, there is a strong, almost overpowering drive to capture and monitize that locus or to use it to exploit the infrastrucuture to impose a given policy framework. From a strictly engineering POV, the "right" thing to do, to ensure resilience and robustness is to work at reducing/minimizing/defusing critical points. IMHO of course :) --bill From tvest at eyeconomics.com Sun Nov 29 13:00:57 2009 From: tvest at eyeconomics.com (tvest at eyeconomics.com) Date: Sun, 29 Nov 2009 08:00:57 -0500 Subject: [CII] "critical infrastructure" Message-ID: On Nov 26, 2009, at 7:58 AM, bmanning at vacation.karoshi.com wrote: > > I occasionally get confused. Is there a common understanding > of the term "Critical Internet Infrastructure"? > > Or are we all talking past each other? > --bill Hello all, In practice, "critical infrastructure" (CI) is not defined based primarily on intrinsic features, but rather almost exclusively on extrinsic/contextual considerations. CI is the union of (a) the set of things that contemporary (enterprise/local/national) emergency and security planners are paid to harden and/or make redundant in the event that bad things happen, and (b) the cumulative set of things that were in-sourced, nationalized and/or militarized in response to past bad events. Implicitly, (a) makes CI highly contingent on the scope of individual/ professional interests and responsibilities, and (b) makes the set of current CI -- what's included, what's excluded -- somewhat arbitrary. It might be interesting to try to identify common features and/or transitive dependencies across the superset of CI, e.g., as a possible method for rank ordering levels of criticality, but I suspect that achieving consensus on such a ranked list would be a bit tricky. That said, even a non-converging conversation about broad CI issues involving lots of different CI stakeholders might help to illuminate cross-cutting issues and inform local relative priorities. Bottom line: the goal of collectively developing a baseline, "clean slate" definition of critical infrastructure could be quite useful, but the value is unlikely to come from success in that narrow goal, but rather in the discussion itself. Tom Vest P.S. A day may come when I am a bot, but it is not this day. From ge at linuxbox.org Sun Nov 29 13:24:56 2009 From: ge at linuxbox.org (Gadi Evron) Date: Sun, 29 Nov 2009 15:24:56 +0200 Subject: [CII] terms and conditions In-Reply-To: <20091129125407.GB7158@vacation.karoshi.com.> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com.> <4B126790.3040308@linuxbox.org> <20091129125407.GB7158@vacation.karoshi.com.> Message-ID: <4B127628.7080807@linuxbox.org> bmanning at vacation.karoshi.com wrote: > On Sun, Nov 29, 2009 at 02:22:40PM +0200, Gadi Evron wrote: >> bmanning at vacation.karoshi.com wrote: >>> I have "everything you need to make this work". I have no need of >>> Brazilian or Norwegian infrastructure. They are not critical to me. >> What would happen to your connectivity if the Brazilian and Norwegian >> localized internet infrastructures were to stop working? > > nothing. zero. nada. zilch. > > not critical to me. the point being, critical has a reference, > usually an end user. > > and any given end user is either completely expendable or is the > focus of connectivity. presume three endusers... Aaron, a homeless > 47 year old man living on the streets of Detroit, Barak, the > president of the United States, and Marline, project manager fo the > Direct Marketing Assoc. Are they equally entitled to access to > Critical Internet Infrastructure? Do they perceive the reach/scope > of Critical Internet Infrastructure in the same way? What are the > results of them not having access? > > > John Ozman raised the (very germane) point of triage. Who gets > cut off when and who gets restored first and why? > > Critical implies weakness. A single point of failure, a locus of > control. Where those things emerge, there is a strong, almost overpowering > drive to capture and monitize that locus or to use it to exploit > the infrastrucuture to impose a given policy framework. > > From a strictly engineering POV, the "right" thing to do, to ensure > resilience and robustness is to work at reducing/minimizing/defusing > critical points. IMHO of course :) That makes sense. Designing better is always a good idea. But I also disagree on you not feeling any impact. If the Internet in Norway and Brazil goes down, that would mean at the very least a very very slow internet in north/central Europe and South America (in shockwave outwards from these spots, starting from no net at all and tricking down). This due to central hubs of communication going down. This will naturally also result in... The net fixing itself by rerouting around these areas, which can be an issue for the entire infrastructure when other areas are over-extended. Which is one of the reasons why I proselytize that the Internet is in fact Global Critical Infrastructure. Gadi. > --bill > > -- Gadi Evron, ge at linuxbox.org. Blog: http://gevron.livejournal.com/ From bmanning at vacation.karoshi.com Sun Nov 29 14:56:42 2009 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Sun, 29 Nov 2009 14:56:42 +0000 Subject: [CII] path selection In-Reply-To: <4B127628.7080807@linuxbox.org> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com.> <4B126790.3040308@linuxbox.org> <20091129125407.GB7158@vacation.karoshi.com.> <4B127628.7080807@linuxbox.org> Message-ID: <20091129145642.GA8343@vacation.karoshi.com.> On Sun, Nov 29, 2009 at 03:24:56PM +0200, Gadi Evron wrote: > bmanning at vacation.karoshi.com wrote: > >On Sun, Nov 29, 2009 at 02:22:40PM +0200, Gadi Evron wrote: > >>bmanning at vacation.karoshi.com wrote: > >>> I have "everything you need to make this work". I have no need of > >>> Brazilian or Norwegian infrastructure. They are not critical to me. > >>What would happen to your connectivity if the Brazilian and Norwegian > >>localized internet infrastructures were to stop working? > > > > nothing. zero. nada. zilch. > > > > But I also disagree on you not feeling any impact. > > If the Internet in Norway and Brazil goes down, that would mean at the > very least a very very slow internet in north/central Europe and South > America (in shockwave outwards from these spots, starting from no net at > all and tricking down). This due to central hubs of communication going > down. you are presuming facts not in evidence. if i have ensured my communications paths do not traverse any shared infrastructure in northern/central EU or latin/south america then on what basis can you assert shockwave/ripple effects that will effect me? > > This will naturally also result in... > The net fixing itself by rerouting around these areas, which can be an > issue for the entire infrastructure when other areas are over-extended. there is no -net- to fix... folks with busted bilateral relationships will correct them or not depending on the perceived value in doing so. my bilaterals should not affect yours. > Which is one of the reasons why I proselytize that the Internet is in > fact Global Critical Infrastructure. then we have to go back to what the Internet really is then don't we? :) > > Gadi. > > > >--bill > > > > > > > -- > Gadi Evron, > ge at linuxbox.org. > > Blog: http://gevron.livejournal.com/ From rmslade at shaw.ca Sun Nov 29 15:37:28 2009 From: rmslade at shaw.ca (Robert Slade) Date: Sun, 29 Nov 2009 07:37:28 -0800 Subject: [CII] terms and conditions In-Reply-To: <20091129121706.GA7158@vacation.karoshi.com> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> Message-ID: From: bmanning at vacation.karoshi.com Date: Sunday, November 29, 2009 4:17 am > lets presume I am based in Kamatura Japan.? I have work > associates in > Oxford England, Palo Alto & Santa Cruz California, Family in > West Virginia, > and teaching assignments in Korea, China and Mynmar.? > > Is there any reason why - given the rigid nature of peering and > cross connects > that I should care about fiber cuts that take out most of Sau > Paulo and > all of Norway? So that's your definition of "this." As you say, you have no need of something that my sister in Stavanger or colleagues in Angre dos Reos desperately need. At the moment I am in the Vancouver airport. It is one of the few that provides free Wifi. (Works great, too.) I'm fine. Except for the fact that US Airways are clueless, their "checkin" function doesn't work, and even their "Contact US" (isn't that just too *cute*!) link is broken. Right now, that is part of my critical infrastructure, even though the vast majority of the world (including, apparently, their own staff) doesn't particularly care. ====================== rslade at computercrime.org? slade at victoria.tc.ca? rslade at vcn.bc.ca "If you do buy a computer, don't turn it on."???? - Richards' 2nd Law ============= for back issues: [Base URL] site http://victoria.tc.ca/techrev/ CISSP refs:???? [Base URL]mnbksccd.htm Security Dict.: [Base URL]secgloss.htm Book reviews:?? [Base URL]mnbk.htm ??????????????? [Base URL]review.htm Partial/recent: http://groups.yahoo.com/group/techbooks/ Review mailing list: send mail to techbooks-subscribe at egroups.com http://blogs.securiteam.com/index.php/archives/author/p1/ http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade From rmslade at shaw.ca Sun Nov 29 16:09:00 2009 From: rmslade at shaw.ca (Robert Slade) Date: Sun, 29 Nov 2009 08:09:00 -0800 Subject: [CII] terms and conditions In-Reply-To: References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> Message-ID: From: Robert Slade Date: Sunday, November 29, 2009 7:37 am > At the moment I am in the Vancouver airport.? It is one of > the few that provides free Wifi.? (Works great, too.)? OK, lemme qualify that. Works OK as long as you keep going. Seems to have a timeout of about five minutes, and, if you haven't done anything in that time, you need to agree to the terms and conditions again. So, part of my current critical infrastructure is a need to have an additional browser window open, in order to do another acceptance of the terms and conditions before I send any message that took me more than five minutes to type. (I'm using a Web interface, protected by SSL. It's good to see that Firefox and SSL won't just accept any non-SSL traffic in the middle of my session, but it does mean the separate window is necessary. On the other hand, it's nice to see that Firefox is acceptable to the YVR system: so many hotels demand that you have an IE window open in order to sign on or accept their terms.) ====================== rslade at computercrime.org? slade at victoria.tc.ca? rslade at vcn.bc.ca "If you do buy a computer, don't turn it on."???? - Richards' 2nd Law ============= for back issues: [Base URL] site http://victoria.tc.ca/techrev/ CISSP refs:???? [Base URL]mnbksccd.htm Security Dict.: [Base URL]secgloss.htm Book reviews:?? [Base URL]mnbk.htm ??????????????? [Base URL]review.htm Partial/recent: http://groups.yahoo.com/group/techbooks/ Review mailing list: send mail to techbooks-subscribe at egroups.com http://blogs.securiteam.com/index.php/archives/author/p1/ http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade From josmon at rigozsaurus.com Sun Nov 29 16:34:37 2009 From: josmon at rigozsaurus.com (John Osmon) Date: Sun, 29 Nov 2009 09:34:37 -0700 Subject: [CII] terms and conditions In-Reply-To: References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> Message-ID: <20091129163437.GC24114@jeeves.rigozsaurus.com> On Sun, Nov 29, 2009 at 07:37:28AM -0800, Robert Slade wrote: > From: bmanning at vacation.karoshi.com > Date: Sunday, November 29, 2009 4:17 am > > > Is there any reason why - given the rigid nature of peering and > > cross connects that I should care about fiber cuts that take out [...place not germane to direct commmunication...] > So that's your definition of "this." As you say, you have no need of > something that my sister in Stavanger or colleagues in Angre dos Reos > desperately need. The end application is going to drive the definition of what is critical. The means of providing that application becomes the infrastructure. If all I care about is a jabber session, I can get by with 9.6k. If I need to move pictures and video, my needs are not as modest. This thinking implies that every set of circumstances could require a unique set of critical infrastructure in a worst case scenario. So -- how do you christen any piece more "critical" than the other? From avri at acm.org Sun Nov 29 16:32:25 2009 From: avri at acm.org (Avri Doria) Date: Sun, 29 Nov 2009 11:32:25 -0500 Subject: [CII] terms and conditions In-Reply-To: References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> Message-ID: <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> On 29 Nov 2009, at 11:09, Robert Slade wrote: > From: Robert Slade > Date: Sunday, November 29, 2009 7:37 am > >> At the moment I am in the Vancouver airport. It is one of >> the few that provides free Wifi. (Works great, too.) > > > OK, lemme qualify that. Works OK as long as you keep going. Seems to have a timeout of about five minutes, and, if you haven't done anything in that time, you need to agree to the terms and conditions again. So, part of my current critical infrastructure is a need to have an additional browser window open, in order to do another acceptance of the terms and conditions before I send any message that took me more than five minutes to type. (I'm using a Web interface, protected by SSL. It's good to see that Firefox and SSL won't just accept any non-SSL traffic in the middle of my session, but it does mean the separate window is necessary. On the other hand, it's nice to see that Firefox is acceptable to the YVR system: so many hotels demand that you have an IE window open in order to sign on or accept their terms.) > But doesn't this start to equate 'Critical' with 'convenient to have'. I guess i tend to want to push the meaning of 'Critical' to the edge of 'something without which there is no Internet' The question then becomes for me one of the locality and temporality of that statement. Critical for the Internet at large, or Criticial for Internet at some place in time. 'Internet At large' works fine if by our definition being an Internet means reaches all people. But few people mean that, I think. a. From lukasz at bromirski.net Sun Nov 29 16:20:39 2009 From: lukasz at bromirski.net (=?ISO-8859-2?Q?=A3ukasz_Bromirski?=) Date: Sun, 29 Nov 2009 17:20:39 +0100 Subject: [CII] terms and conditions In-Reply-To: <20091129125407.GB7158@vacation.karoshi.com.> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com.> <4B126790.3040308@linuxbox.org> <20091129125407.GB7158@vacation.karoshi.com.> Message-ID: <4B129F57.1030703@bromirski.net> On 2009-11-29 13:54, bmanning at vacation.karoshi.com wrote: > On Sun, Nov 29, 2009 at 02:22:40PM +0200, Gadi Evron wrote: >> bmanning at vacation.karoshi.com wrote: >>> I have "everything you need to make this work". I have no need of >>> Brazilian or Norwegian infrastructure. They are not critical to me. >> >> What would happen to your connectivity if the Brazilian and Norwegian >> localized internet infrastructures were to stop working? > > nothing. zero. nada. zilch. > > not critical to me. the point being, critical has a reference, > usually an end user. Somebody already called for defining the 'critical infrastructure', as we can easily go into many discussions without actually definining why we disagree :) So, even if You're not living in the Brazil or Norway, they infrastructure may be critical for you. Think about shared hubs for banks, C&C systems for ATM machines and the card readers in shops, gas stations, etc. It doesn't have to be a bunch of DNS root servers, it may be a GSM IP network that is connecting you via a dialin to the internet, or a AAA server somewhere around the world (we're already in the era of cloud computing, please remember that), that just breaks. And in terms of daily life, you're reduced to what you have in your house. Shops won't sell you anything, they won't take orders, your cell phone won't connect you anywhere, nor paid phone. If you have cash, the TAXI may get you somewhere (if they still have fuel), but the train system may not be able - precisely because of the fact, that some set of IP networks used by a just a couple of companies in your country just became unreachable. And that's a fact that some of the networks in just three countries are very important to most of the international companies operating around the world. Without them, we're going to 'backup' plan, and sometimes the backup plan really doesn't exist, or was tested 'well, three years ago'. When you have a chance to work for couple of companies dealing with internet connectivity on a "it's a something on our checklist to have our project complete" or a "it always did work!" basis, you may change your idea about being always safe very fast. I wonder if Raoul Chiesa is on the list to share his experience. And I expect we all have our own and sometimes it's really scary to become aware during auditing, discussing architecture or redesigning a network that just a simple error in ONE place may render whole set of 'entities' disconnected. And to show some real example: two years ago in Poland, we've had a rather small DDoS. The DDoS was aimed at one of the international bank. As the bot C&C apparently missed the fact, that the bank had only something like /24 allocated, he brought down entire /19. Along it went away two other banks (one national), a big newspaper and independent company doing ATM 'services', and part of the network of a gas station company. People at the edge of Christmas Eve were unable to withdraw money from ATMs, and pay by credit cards in shops. They were unable to pay at gas stations, not to mention other 'difficulties' I can't actually discuss in public. If the /19 would be further extended to say /16, I see other countries would begin to see the 'problem'. That's how it works - it's interconnected. Everything with everything else. So, that's my hello to the list :) -- "Everything will be okay in the end. | ?ukasz Bromirski If it's not okay, it's not the end. | http://lukasz.bromirski.net From ocl at gih.com Sun Nov 29 18:47:57 2009 From: ocl at gih.com (Olivier MJ Crepin-Leblond) Date: Sun, 29 Nov 2009 19:47:57 +0100 Subject: [CII] welcome to the public CII References: <4B0DA31C.1090501@linuxbox.org> <87638xacib.fsf@digitalpolicy.it> <20091126125830.GB1185@vacation.karoshi.com.> Message-ID: Bill Manning wrote: > > I occasionally get confused. Is there a common understanding > of the term "Critical Internet Infrastructure"? When in doubt, I always believe that some good folks at Congress have paid some people lots of US taxpayer's money to find out for me (and for anyone else who's interested) http://www.fas.org/sgp/crs/RL32631.pdf Warm regards, Olivier -- Olivier MJ Cr?pin-Leblond, PhD http://www.gih.com/ocl.html From rmslade at shaw.ca Sun Nov 29 18:53:14 2009 From: rmslade at shaw.ca (Robert Slade) Date: Sun, 29 Nov 2009 10:53:14 -0800 Subject: [CII] terms and conditions In-Reply-To: <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> <4721F65B-5696-455A-90A7-CE76D53EC261@acm.org> Message-ID: From: Avri Doria Date: Sunday, November 29, 2009 8:38 am > But doesn't this start to equate 'Critical' with 'convenient to have'. > > I guess i tend to want to push the meaning of? 'Critical' > to the edge of 'something without which there is no Internet' I would say that, even with your definition of critical, an extra browser window (and, if in a hotel, IE) become critical. In YVR, without the extra browser window, I can't get the connection restarted, and therefore cannot send email. (If I even take too long reading your email message, I'm stuck.) Well, OK, I suppose I could do some workaround that involves signing on, reading one message, creating a reply in a Notepad window, and then restarting the session and signing on to email again in order to send it. So, yes, at that point we are talking about convenience rather than criticality. However, in the hotel case, IE is critical. (As long as I'm reviewing airport free Wifi, I'm now in Seattle. They have free Wifi, too. Odd, though. On first looking for the network, it tells you it is security enabled, and asks for the key. Then it says it is security enabled, but provides you the key. Then it says it is unsecured.) (Slow as molasses in January, too ...) ====================== rslade at computercrime.org? slade at victoria.tc.ca? rslade at vcn.bc.ca "If you do buy a computer, don't turn it on."???? - Richards' 2nd Law ============= for back issues: [Base URL] site http://victoria.tc.ca/techrev/ CISSP refs:???? [Base URL]mnbksccd.htm Security Dict.: [Base URL]secgloss.htm Book reviews:?? [Base URL]mnbk.htm ??????????????? [Base URL]review.htm Partial/recent: http://groups.yahoo.com/group/techbooks/ Review mailing list: send mail to techbooks-subscribe at egroups.com http://blogs.securiteam.com/index.php/archives/author/p1/ http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade From josmon at rigozsaurus.com Sun Nov 29 19:03:29 2009 From: josmon at rigozsaurus.com (John Osmon) Date: Sun, 29 Nov 2009 12:03:29 -0700 Subject: [CII] welcome to the public CII In-Reply-To: References: <4B0DA31C.1090501@linuxbox.org> <87638xacib.fsf@digitalpolicy.it> <20091126125830.GB1185@vacation.karoshi.com.> Message-ID: <20091129190329.GD24114@jeeves.rigozsaurus.com> On Sun, Nov 29, 2009 at 07:47:57PM +0100, Olivier MJ Crepin-Leblond wrote: > Bill Manning wrote: > > > > > >I occasionally get confused. Is there a common understanding > >of the term "Critical Internet Infrastructure"? > > When in doubt, I always believe that some good folks at Congress have paid > some people lots of US taxpayer's money to find out for me (and for anyone > else who's interested) > > http://www.fas.org/sgp/crs/RL32631.pdf First reaction: Cool. So we can get all of our non-USA readers to buy into this definition as well. Right? Second blush: Cool. Useful info. Thanks for pointing it out. From pauls at utdallas.edu Sun Nov 29 20:06:28 2009 From: pauls at utdallas.edu (Paul Schmehl) Date: Sun, 29 Nov 2009 14:06:28 -0600 Subject: [CII] terms and conditions In-Reply-To: References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com> Message-ID: --On November 29, 2009 9:37:28 AM -0600 Robert Slade wrote: > > So that's your definition of "this." As you say, you have no need of > something that my sister in Stavanger or colleagues in Angre dos Reos > desperately need. > > At the moment I am in the Vancouver airport. It is one of the few that > provides free Wifi. (Works great, too.) I'm fine. Except for the fact > that US Airways are clueless, their "checkin" function doesn't work, and > even their "Contact US" (isn't that just too *cute*!) link is broken. > Right now, that is part of my critical infrastructure, even though the > vast majority of the world (including, apparently, their own staff) > doesn't particularly care. > This begs the question when does I become CI? I submit that one of the necessary elements is the importance of the person(s) or the function(s) that is/are affected by the loss of service. It would also appear that the number of people or functions affected would have an affect on when something transitions from I to CI as well. So some of the elements in the definition of CI would be the number of people affected and the amount of functionality affected, it would seem, as well as the importance of the person(s) and/or function(s). Paul Schmehl (pauls at utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ From mysidia at gmail.com Mon Nov 30 00:24:36 2009 From: mysidia at gmail.com (James Hess) Date: Sun, 29 Nov 2009 18:24:36 -0600 Subject: [CII] terms and conditions In-Reply-To: <4B127628.7080807@linuxbox.org> References: <20091128053655.GA24114@jeeves.rigozsaurus.com> <4B11A55A.30671.120829BB@localhost> <20091129121706.GA7158@vacation.karoshi.com.> <4B126790.3040308@linuxbox.org> <20091129125407.GB7158@vacation.karoshi.com.> <4B127628.7080807@linuxbox.org> Message-ID: <6eb799ab0911291624s693031fbj14154c4d1719ad57@mail.gmail.com> On Sun, Nov 29, 2009 at 7:24 AM, Gadi Evron wrote: > bmanning at vacation.karoshi.com wrote: [snip] >> ? ? ? ?resilience and robustness is to work at reducing/minimizing/defusing >> ? ? ? ?critical points. ?IMHO of course :) > That makes sense. Designing better is always a good idea. > But I also disagree on you not feeling any impact. > If the Internet in Norway and Brazil goes down, that would mean at the very > least a very very slow internet in north/central Europe and South America > (in shockwave outwards from these spots, starting from no net at all and > tricking down). This due to central hubs of communication going down. I think the words "critical infrastructure" may be understood to be slightly more strict than just the combination of the two words' possible dicdefs. Otherwise, the word "critical" might be redundant here. Can you think of anything that would meet the definition of "Infrastructure" that wouldn't be critical: is there such a thing as non-critical infrastructure? As I see... use of "critical" is meant to emphasize the very most important infrastructure required for civilized society to survive, function, and be secure, to the exclusion of infrastructure meant to provide convenience. It would seem there might be multiple "layers" of criticality involved. "Critical Infrastructure" on the internet could suggest at least 3 distinct things, that could have different criteria for being "critical on the internet"... (a) Critical Infrastructure, as in, machines that perform important functions for the public, that happened to be connected to the internet or normally utilize the internet for convenience, as a backup, or 'just for management', where in fact: they don't require the internet to perform the critical function. (b) Critical Infrastructure that depends on the internet to function, and is disrupted or cannot possibly work without some form of proper Internet connectivity being available between components. Including systems that _could_ have been designed to use private telecommunications circuits, but for one reason or another, the technology was designed to use the Internet instead. (c) Infrastructure that is required in some manner for the Internet itself to function, either to provide for (b), or that the Internet itself is critical. -- -J From pschmehl_lists at tx.rr.com Fri Nov 27 20:09:16 2009 From: pschmehl_lists at tx.rr.com (Paul Schmehl) Date: Fri, 27 Nov 2009 14:09:16 -0600 Subject: [CII] welcome to the public CII In-Reply-To: References: <4B0DA31C.1090501@linuxbox.org> Message-ID: <77C6B69B00BC1347245BB21D@Macintosh-2.local> Interesting. Your comments suggest some questions. At what point does something become CII and for whom? If a power company is attacked and goes down, so that a large segment of a population is without power, one would presume that the issue is critical to that group of people. But is it to the global community? I guess that depends on your POV. In the final analysis perhaps no one thing really is critical if all others can function without it. Often politicians seems to think of the internet in binary terms, as if it were possible to "turn it off" if it were "under attack" (China comes to mind), but can you really turn the internet off? And if you can't, what part(s) of it, if any, are truly CII? I can see this being a difficult topic to enclose within any logical terminology to which all might agree. --On November 27, 2009 10:37:11 AM -0500 Avri Doria wrote: > > Hi, > > I had thought to lurk not to reply to the first welcome message. But > having seen you all reply figured i better before someone decided that I > was bot. I don't think I am, but if you all decided I was I might get > confused, so figured I would put a non-bot stake in the ground. BTW, is > this a new variant on the Turing Test? > > In any case, on the substantive side of what this list may be about. I > also, am not sure I know exactly what CII covers. There are the logical > entities people point to, e.g. the names and addresses, and there are > the physical resources that one points to, e.g. backbones and last > meters. > > In my research work, I work on networks for communications challenged > areas and try to assume a network where none of the things that people > normally assume are critical are available. Now this obviously involves > communications gear and software of some sort, but i look to minimize > what is necessary from the well known set of things. This is an > extreme, but I think it corresponds to the original goal of the Internet > - a network of networks that continues to work even if some part of it > is missing. I.e I think the original concept of the Internet intended > for there to be little if anything that was truly critical - i.e. > without which the network would not work. the questions becomes if > nothing is in itself critical, is there a set of things of which some > must be there, but no individual member of the set is necessary. Or are > thee things that are really critical in all places at all times. > > In my avocation, I work with those who have elevated the one naming > architecture and the bifurcated addressing structure into global > imperatives, i.e. things without which the Internet would fail and hence > could be designated as CII. > > And in a part time contract, I work in a political environment where > anything anyone wants to control is called CII. > > I tend to exist somewhere among these points of view, trying to come up > with technology that minimizes the need for any infrastructure that is > critical in that it can't be worked around yet accepting that there are > working assumptions that make something critical at some place in some > time frame. > > So, I look forward to this conversation, but am not sure I have a lot to > offer other then my questions and existential angst about things. > > a. > > > > > _______________________________________________ > CII mailing list > CII at isotf.org > http://isotf.org/mailman/listinfo/cii > Paul Schmehl, If it isn't already obvious, my opinions are my own and not those of my employer. ****************************************** WARNING: Check the headers before replying From bgreene at senki.org Sun Nov 29 23:12:24 2009 From: bgreene at senki.org (Barry Raveendran Greene) Date: Sun, 29 Nov 2009 15:12:24 -0800 Subject: [CII] End2End (was) terms and conditions In-Reply-To: <20091128234148.GA27687@vacation.karoshi.com.> Message-ID: > one of the often misunderstood attributes of an IP network > is the basic attribute of the End2End principle. e.g. > the network can and perhaps should be decomposed on a periodic > basis... there is nothing sacrosanct about any given IP network > or set of interconnects between any set of IP networks. Given that this comment was lost, I think it is worth bringing up and highlighting. My personal experience working "CII" with Government Policy Makers in US and Asia exposed to me just how too few people understand the End2End principle. Q. Do you, when you work with "CII" activities, weave the End2End principle into your work? I know this was a major shift to my architectural practices for high-resilient systems. I'm wondering if is the same for anyone else. From dan at doxpara.com Mon Nov 30 02:40:27 2009 From: dan at doxpara.com (Dan Kaminsky) Date: Sun, 29 Nov 2009 18:40:27 -0800 Subject: [CII] End2End (was) terms and conditions In-Reply-To: References: <20091128234148.GA27687@vacation.karoshi.com.> Message-ID: Since it's not often understood, the reason you go end to end is then you have only two endpoints to fix, both of which are motivated to fix the problem, rather than a million endpoints to fix, most of which you can't even identify. On Sun, Nov 29, 2009 at 3:12 PM, Barry Raveendran Greene wrote: > > >> one of the often misunderstood attributes of an IP network >> is the basic attribute of the End2End principle. ?e.g. >> the network can and perhaps should be decomposed on a periodic >> basis... ?there is nothing sacrosanct about any given IP network >> or set of interconnects between any set of IP networks. > > Given that this comment was lost, I think it is worth bringing up and > highlighting. My personal experience working "CII" with Government Policy > Makers in US and Asia exposed to me just how too few people understand the > End2End principle. > > Q. Do you, when you work with "CII" activities, weave the End2End principle > into your work? > > I know this was a major shift to my architectural practices for > high-resilient systems. I'm wondering if is the same for anyone else. > > > > _______________________________________________ > CII mailing list > CII at isotf.org > http://isotf.org/mailman/listinfo/cii > From josmon at rigozsaurus.com Mon Nov 30 03:06:32 2009 From: josmon at rigozsaurus.com (John Osmon) Date: Sun, 29 Nov 2009 20:06:32 -0700 Subject: [CII] End2End (was) terms and conditions In-Reply-To: References: <20091128234148.GA27687@vacation.karoshi.com.> Message-ID: <20091130030632.GA8247@jeeves.rigozsaurus.com> On Sun, Nov 29, 2009 at 03:12:24PM -0800, Barry Raveendran Greene wrote: > > > > one of the often misunderstood attributes of an IP network > > is the basic attribute of the End2End principle. e.g. > > the network can and perhaps should be decomposed on a periodic > > basis... there is nothing sacrosanct about any given IP network > > or set of interconnects between any set of IP networks. > > Given that this comment was lost, I think it is worth bringing up and > highlighting. My personal experience working "CII" with Government Policy > Makers in US and Asia exposed to me just how too few people understand the > End2End principle. I'm glad you brought it back to the forefront -- it's important. Enough so, that I felt it imperative the above is kept in context. People involved in this area need to see it often... > Q. Do you, when you work with "CII" activities, weave the End2End principle > into your work? > > I know this was a major shift to my architectural practices for > high-resilient systems. I'm wondering if is the same for anyone else. Can you restate that? I wasn't sure if it meant you had started to weave things in, or if you'd been asked to do so. I suspect the former. From tvest at eyeconomics.com Mon Nov 30 04:54:51 2009 From: tvest at eyeconomics.com (tvest at eyeconomics.com) Date: Sun, 29 Nov 2009 23:54:51 -0500 Subject: [CII] End2End (was) terms and conditions In-Reply-To: References: Message-ID: <27FC0337-AF77-48B3-9B1E-5ECF44DD974F@eyeconomics.com> On Nov 29, 2009, at 6:12 PM, Barry Raveendran Greene wrote: >> one of the often misunderstood attributes of an IP network >> is the basic attribute of the End2End principle. e.g. >> the network can and perhaps should be decomposed on a periodic >> basis... there is nothing sacrosanct about any given IP network >> or set of interconnects between any set of IP networks. > > Given that this comment was lost, I think it is worth bringing up and > highlighting. My personal experience working "CII" with Government > Policy > Makers in US and Asia exposed to me just how too few people > understand the > End2End principle. > > Q. Do you, when you work with "CII" activities, weave the End2End > principle > into your work? > > I know this was a major shift to my architectural practices for > high-resilient systems. I'm wondering if is the same for anyone else. Hi Barry, Actually, I would slightly restate and say that e2e is the primary factor that makes the Internet a candidate for "critical infrastructure" status. When attempting to convey this distinction to policy makers and other non-operators, I would suggest using the following illustrative parallel(s): The failure of any single, enterprise-specific payment mechanism (e.g., a department store credit card), or even of a single bank can be a major problem for the its current customers/users, employees, and investors. But thanks to the flexibility and basic inter-institutional neutrality of the monetary economy, customers can move their deposits elsewhere and find other ways to send and receive payments, workers can find other places or means to earn money, and investors can find other opportunities where their capital resources can yield more stable returns. So long as that capacity for dynamic readjustment is preserved, no single element or arrangement of elements within the monetary economy is sacrosanct, and no single atomic or aggregate- level element within the system would necessarily qualify as a "critical infrastructure." Given that flexibility, the overall pattern of system elements can (and perhaps should) be decomposed thoroughly from time to time. That said, the one undeniably "critical" feature within a monetary economy is precisely that capacity to support locally initiated dynamic readjustments, at almost any level (e.g., individual, institutional, jurisdictional, etc.), whenever a change is required, or recommended, or merely preferred over the status quo. This element is responsible not only for the system's resilience to constant localized (and occasional system-wide) shocks, but also for the system's tendency to spawn surprising new developments, some of which regularly turn out to be beneficial/profitable/adaptive, i.e., "innovations." In a well functioning monetary economy, the capacity for and frequency of such innovations is limited only by the extent of the system itself (ala Adam Smith). Although there's no good, widely used term for this feature of the monetary system (some monetary economists describe it as an aspect of money's role as a "medium of exchange"), in the Internet it's usually invoked by reference to its enabling technical conditions, the shorthand name for which is e2e. Although this can come across as a tough sell for some career network engineers, it seems to work fairly well with some other audiences, esp. economic policy makers and financial industry types. Regards, TV From josmon at rigozsaurus.com Mon Nov 30 07:41:00 2009 From: josmon at rigozsaurus.com (John Osmon) Date: Mon, 30 Nov 2009 00:41:00 -0700 Subject: [CII] End2End (was) terms and conditions In-Reply-To: <27FC0337-AF77-48B3-9B1E-5ECF44DD974F@eyeconomics.com> References: <27FC0337-AF77-48B3-9B1E-5ECF44DD974F@eyeconomics.com> Message-ID: <20091130074100.GB8247@jeeves.rigozsaurus.com> On Sun, Nov 29, 2009 at 11:54:51PM -0500, tvest at eyeconomics.com wrote: > [...] > The failure of any single, enterprise-specific payment mechanism > (e.g., a department store credit card), or even of a single bank can > be a major problem for the its current customers/users, employees, and > investors. But thanks to the flexibility and basic inter-institutional > neutrality of the monetary economy, customers can move their deposits > elsewhere and find other ways to send and receive payments, workers > can find other places or means to earn money, and investors can find > other opportunities where their capital resources can yield more > stable returns. So long as that capacity for dynamic readjustment is > preserved, no single element or arrangement of elements within the > monetary economy is sacrosanct, and no single atomic or aggregate- > level element within the system would necessarily qualify as a > "critical infrastructure." Given that flexibility, the overall pattern > of system elements can (and perhaps should) be decomposed thoroughly > from time to time. I like the gist of the above. I read it as: "Critical economic infrastructure is intact if individual institutions can communicate." Bill Manning points out that "pairwise" BGP relationships allow for periodic tests of connectivity. Is it sufficient to say that economic/banking crictial infrastructure is intact if the majority of those institutions can continue to "talk" during a crisis? If so, we need to increase the "splay" of networking between the various economic/banking entities that appear to be critical. If we can keep enough pairwise connections up, "dynamic readjustment" is prserved. If the above is true, can we generalize this approach to other critical functions? From josmon at rigozsaurus.com Mon Nov 30 07:52:25 2009 From: josmon at rigozsaurus.com (John Osmon) Date: Mon, 30 Nov 2009 00:52:25 -0700 Subject: [CII] [bmanning@vacation.karoshi.com: Re: terms and conditions] In-Reply-To: <7ae58c220911281717v3fe3a2cp61bfc6ce0011a2d0@mail.gmail.com> References: <20091128234540.GA27757@vacation.karoshi.com.> <7ae58c220911281717v3fe3a2cp61bfc6ce0011a2d0@mail.gmail.com> Message-ID: <20091130075225.GA10226@jeeves.rigozsaurus.com> On Sat, Nov 28, 2009 at 08:17:09PM -0500, Dotzero wrote: > > On Fri, Nov 27, 2009 at 10:36:55PM -0700, John Osmon wrote: > >> > >> "My network, my rules." ?But I'll always prempt traffic on my net > >> for health/safety. ?Kinda seems like my duty to the society that I live > >> within... > > What do you mean by "preempt". Are you carrying traffic from other > networks and destined for other networks or are you talking about > preventing traffic from your network going to 3rd party networks? What > is the general nature of traffic on your net? I'm not operating a network at the momment, but I have during other stages of my career. Mostly, I've dealt with rurual areas, and have relied on other carriers for backhaul. However, if, at any time, someone would have shown me that some form of health/safety were in need, I would have setup QOS to ensure that health/safety traffic had absolute priority over other traffic. > I deal with corporate networks and ecommerce sites. Our triage would > be to cut traffic when we are putting others at potential risk or if > there is significant potential risk to the integrity of our systems > and networks. While we have a lot of horsepower we would not be > considered CII by most people. I can see the logic of your reasoning. Let's consider a situation where you have a BGP connection to a local ISP in a region. If that ISP had "critical" traffic that needed to get somewhere, and you had the ability to deliver it -- would you be willing to give that "critical" traffic priroity on your network if it caused congestion for you "normal" traffic? If you were to answer "yes," I would include you as CII for that region. Hopefully, you'd have a different physical path from the ISP that had "critical" traffic. However, even if you don't have path diversity, your equipment diversity might be enough to handle the "critical" information. From angela.cataldo at gmail.com Mon Nov 30 09:57:40 2009 From: angela.cataldo at gmail.com (Angela Cataldo) Date: Mon, 30 Nov 2009 10:57:40 +0100 Subject: [CII] welcome to the public CII In-Reply-To: <4B126986.9090503@linuxbox.org> References: <4B0DA31C.1090501@linuxbox.org> <87638xacib.fsf@digitalpolicy.it> <4B126986.9090503@linuxbox.org> Message-ID: <4d9107cf0911300157n6eab82a2jae9fade2235e7c4c@mail.gmail.com> Gadi, Andrea, before making policy-makers completely aware of deep dependance from (and criticities of) internet infrastructure, can we think of a way of double controlling CII? I mean: we cannot have an ideal opinion of policy-makers as people employed for the benefit of community. As citizen, I would like to have (or third party to have) a way to control their operations, and have knowledge enough to understand what happens and what will happen in near and far future, if possible. As technician, I would be sure not to be completely dependent only on policy-makers, which might be non honest persons. In this context, CII is not made only of sotware and hardware, but of persons able to control them in some way, too. Regards AC On Sun, Nov 29, 2009 at 1:31 PM, Gadi Evron wrote: > Andrea Glorioso wrote: > >> In terms of "what is missing", I think policy-makers have still a long >> way to go before they understand what the Internet actually is and how >> it is operationally managed. One consequence of this is that in some >> cases they still try to apply crisis management approaches that will >> not work. On the other hand, the private sector must stop pretending >> (at least with us) that we are still in the '80s and that the Internet >> infrastructures they operate are not vital for society. >> > > Andrea, with your experience at the European Commission, do you think you > can advise us on how to turn the results of our conversations here into > products that policy makers can understand? > > For example, the advancing discussion on terminology. > > Gadi. > > > Please note that, notwithstanding my affiliation, everything I will >> write here is my personal opinion, unless otherwise noted. >> >> Best, >> >> -- >> Andrea Glorioso || http://people.digitalpolicy.it/sama/cv/ >> M: +32-488-409-055 F: +39-051-930-31-133 >> * Le opinioni espresse in questa mail sono del tutto personali * >> * The opinions expressed here are absolutely personal * >> >> "Constitutions represent the deliberate judgment of the >> people as to the provisions and restraints which [...] will >> secure to each citizen the greatest liberty and utmost >> protection. They are rules proscribed by >> Philip sober to control Philip drunk." >> David J. Brewer (1893) >> An Independent Judiciary as the Salvation of the Nation >> >> >> ------------------------------------------------------------------------ >> >> >> _______________________________________________ >> CII mailing list >> CII at isotf.org >> http://isotf.org/mailman/listinfo/cii >> > > > -- > Gadi Evron, > > ge at linuxbox.org. > > Blog: http://gevron.livejournal.com/ > _______________________________________________ > CII mailing list > CII at isotf.org > http://isotf.org/mailman/listinfo/cii > -- Ing. Angela Cataldo System Engineering, Integration, Administration, Design and Planning -------------- next part -------------- An HTML attachment was scrubbed... URL: From tvest at eyeconomics.com Mon Nov 30 16:50:18 2009 From: tvest at eyeconomics.com (tvest at eyeconomics.com) Date: Mon, 30 Nov 2009 11:50:18 -0500 Subject: [CII] End2End (was) terms and conditions In-Reply-To: <20091130074100.GB8247@jeeves.rigozsaurus.com> References: <27FC0337-AF77-48B3-9B1E-5ECF44DD974F@eyeconomics.com> <20091130074100.GB8247@jeeves.rigozsaurus.com> Message-ID: <6A98C986-FBB5-4C18-964B-92454E0B8B79@eyeconomics.com> On Nov 30, 2009, at 2:41 AM, John Osmon wrote: > On Sun, Nov 29, 2009 at 11:54:51PM -0500, tvest at eyeconomics.com wrote: >> > [...] >> The failure of any single, enterprise-specific payment mechanism >> (e.g., a department store credit card), or even of a single bank can >> be a major problem for the its current customers/users, employees, >> and >> investors. But thanks to the flexibility and basic inter- >> institutional >> neutrality of the monetary economy, customers can move their deposits >> elsewhere and find other ways to send and receive payments, workers >> can find other places or means to earn money, and investors can find >> other opportunities where their capital resources can yield more >> stable returns. So long as that capacity for dynamic readjustment is >> preserved, no single element or arrangement of elements within the >> monetary economy is sacrosanct, and no single atomic or aggregate- >> level element within the system would necessarily qualify as a >> "critical infrastructure." Given that flexibility, the overall >> pattern >> of system elements can (and perhaps should) be decomposed thoroughly >> from time to time. > > I like the gist of the above. I read it as: "Critical economic > infrastructure is intact if individual institutions can communicate." > > Bill Manning points out that "pairwise" BGP relationships allow for > periodic tests of connectivity. Is it sufficient to say that > economic/banking crictial infrastructure is intact if the majority > of those institutions can continue to "talk" during a crisis? Hi John, Thanks for the response. Although I wouldn't say that it's erroneous, I don't think that I would embrace this particular summary reformulation myself. Perhaps it works best as a description of the perspective from any single atomic or aggregate-level system element (i.e., an individual, an enterprise, a jurisdiction, et al.), but even then to me the characterization "intact" seems excessively static and binary. IMO, e2e is important because it recommends a distinctive form of inter- process signaling/interaction that critically affects both communications within the system as it exists at any point in time, and also the responsiveness of the system to the addition (or subtraction) of individual components over time. While a system might be perceived as "intact" by individual participants so long as it supports their own (bilateral) interactions, if the system's e2e characteristics are degraded in ways that would impact interactions that they (or others) might wish to have in the future -- including with functions that might not even have been incorporated into the system yet -- then in fact the system is no longer "intact," even if some (or even most/all) participants have not yet recognized that fact. In this sense, e2e is a description of a dynamic system with an open frontier, or an unbounded future. It seems like your reformulation would be consistent with that kind of system, but would also work in systems that are robust to failure although not necessarily open to more elements, including completely novel elements. > If so, we need to increase the "splay" of networking between the > various economic/banking entities that appear to be critical. If we > can keep enough pairwise connections up, "dynamic readjustment" is > preserved. In my own formulation, the idea of "splay" as a feature that individual system elements (including aggregate-level elements like institutions) may possess or not possess is obviated by the more fundamental flexibility/adaptability that is an inherent feature of an e2e-defined systems. By definition, an e2e-defined system permits such "dynamic readjustments" whenever and wherever they are required/ preferred -- but that does not necessarily guarantee that such adjustments will always happen. Thus, whenever some specific aggregate- level system participant is unable or unwilling to make a necessary adjustment, the aggregate may cease to exist, but its constituent elements (e.g., the customers, employers, and investors in my previous example) can remain integrated into the broader system (albeit in different roles or capacities), and the system itself endures. Granted, this may not be especially comforting to enterprises with CI concerns, but I imagine it might at least suggest some potentially useful forward-looking strategies. Perhaps something along the lies of "enhanced awareness of splay opportunities that are inherent in the system"... In fact, that sounds like the sort of thing that Barry might have had in mind when he raised the e2e question... (?). > If the above is true, can we generalize this approach to other > critical functions? Actually, even if the above is not true, I would say that the generality of this framework is already quite explicit, at least in my own work. Perhaps I can make that point clearer by clarifying the relationship between the above and the canonical e2e arguments. Consider: If fate sharing is the core idea behind e2e, and the system to which we would seek to apply e2e is understood to encompass multiple parallel, intersecting, and overlapping functional elements, then fate-sharing necessarily implies four distinct kinds of potential problems: a functional component's degree or level of effect that is either (a) excessive or (b) inadequate, and the scope of those effects with respect to (1) the function's intended target scope, and/or to (2) other, unrelated, out-of-scope system components. On this view, e2e is a particular strategy for system design in which functional features are modularized, scoped, and arrayed (in some cases as a result of evolution/trial-and-error as much as by conscious design) in such a way that, in the aggregate, the system delivers a mix of rank-ordered benefits (or solves a mix of rank-ordered problems), in which the ordering of goals/problems roughly corresponds to the placement of functions along some notional spatial and/or temporal axis ("notional" b/c of the system's more complicated dimensionality). In the specific case of the system of TCP/IP-based addressing and routing, the function that enjoys highest priority is that of (mere) attachment, including re-attachment -- a.k.a. resilience, adaptability -- as well as new, first-time attachment -- a.k.a. system openness, including to completely novel, "unprecedented' elements. By design, that goal trumps the legitimate but subordinate goal of (reliable, "quality") attachment, et al. This combination of adaptability and openness, which distinguishes the Internet from both its constituent inputs and from its predecessor technologies, exactly parallels the features that distinguish a "monetary" economy (i.e., a heterogenous, decentralized exchange system in which diverse bilateral transactions are dramatically simplified by the use of a common mediating technology called "money") from the sort of ad hoc, barter-based economic systems that predated the discovery of the advantages of technologically-mediated exchange. Put more succinctly, the system of monetary instruments and financial flows and the system of TCP/IP addressing and routing are at root just different implementations of the same critical function: they're both what monetary economists (esp. those that specialize in the subfield of monetary "search and matching") would call "liquidity mechanisms." In fact, if you take into consideration the two systems' basic moving parts, and all of their various bilateral relationships, flows, motivations, and then consider the primary existential risks to which both systems are vulnerable, and even the most common risk mitigation strategies that have been adopted in both systems, you find that the two systems are almost perfectly isomorphic. Hard to believe at first blush, I know, but the supporting evidence is extensive and growing, with no confounding observations in evidence to date despite close to three years of skeptical scrutiny, including by quite a few of the most experienced protocol designers and operators around. I'm working on an introductory article on this now... can provide more information in the interim if you're interested. Regards, TV