* https://arstechnica.com/tech-policy/2024/06/fcc-pushes-isps-...
* https://www.techspot.com/news/104590-white-house-declares-bg...
* https://www.securityweek.com/white-house-outlines-plan-for-a...
WH PR (linked to by Reuters):
> While there is no single solution to address all internet routing vulnerabilities, the roadmap advocates for the adoption of Resource Public Key Infrastructure (RPKI) as a mature, ready-to-implement approach to mitigate BGP’s vulnerabilities. RPKI consists of two primary components: Route Origin Authorizations (ROA) and Route Origin Validation (ROV). A ROA is a digitally-signed certificate that a network is authorized to announce a specific block of internet space (i.e., IP addresses). ROV is the process by which BGP routers use ROA data to filter BGP announcements flagged as invalid. Importantly, ROV can help protect an organization’s internet address resources only if that organization has created ROAs.
* https://www.whitehouse.gov/oncd/briefing-room/2024/09/03/fac...
Roadmap/whitepaper (PDF):
* https://www.whitehouse.gov/wp-content/uploads/2024/09/Roadma...
But what impacts does this have on performance? Great, we solved the hijacking issue. But this other ASN, which used to be a preferred route, doesn't use ROA/ROV (yet, or refuses).
Now traffic reroutes to a less efficient path?
No performance impact: a routing table is a very (ahaha) binary thing, it takes a destination address and does a longest prefix match search in a table to find the next hop interface, to which it routes the packet.
Route validity is considered (alongside a bunch of other routing policy inputs) when constructing the table, not when a packet arrives.
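To make the point above concrete (and the ROA/ROV description in the White House excerpt), here is an added example that is not from the thread: RFC 6811 origin validation is run once while the table is built, and the lookup that a packet triggers is a plain longest-prefix match that never consults validity. All ROAs, prefixes (documentation ranges) and ASNs are constructed sample data.

```python
# Added example (not from the thread): RFC 6811 Route Origin Validation run when
# the table is built, then plain longest-prefix match at lookup. Sample data is constructed.
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # signed address block, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the origin may announce
    origin_asn: int  # authorised origin AS (0 means nobody may originate it)

class Announcement(NamedTuple):
    prefix: str
    origin_asn: int
    next_hop: str    # neighbour/interface the route would be installed with

def validate(ann: Announcement, roas) -> str:
    """Return 'valid', 'invalid' or 'unknown' (RFC 6811 NotFound)."""
    p = ipaddress.ip_network(ann.prefix)
    covering = [r for r in roas if p.version == ipaddress.ip_network(r.prefix).version
                and p.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "unknown"   # no ROA covers this space: ROV cannot help here
    for r in covering:     # AS0 ROAs never match: no real route has origin AS 0
        if r.origin_asn == ann.origin_asn != 0 and p.prefixlen <= r.max_length:
            return "valid"
    return "invalid"

def build_table(anns, roas, drop_invalid=True):
    """Apply ROV while constructing the table: drop invalids, keep valid and
    unknown so networks that have not created ROAs are still reachable."""
    table = {}
    for a in anns:
        state = validate(a, roas)
        if not (drop_invalid and state == "invalid"):
            table[ipaddress.ip_network(a.prefix)] = (a.next_hop, state)
    return table

def lookup(table, dst: str):
    """Longest-prefix match on the installed table; validity is not consulted."""
    d = ipaddress.ip_address(dst)
    hits = [net for net in table if d in net]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None

ROAS = [ROA("192.0.2.0/24", 24, 64500),   # only AS64500, only the exact /24
        ROA("198.51.100.0/24", 24, 0)]    # AS0 ROA: this block must not be routed
ANNS = [Announcement("192.0.2.0/24", 64500, "if-legit"),
        Announcement("192.0.2.128/25", 64666, "if-hijack"),  # more-specific, wrong origin
        Announcement("203.0.113.0/24", 64501, "if-noroa"),   # no ROA at all
        Announcement("198.51.100.0/24", 64502, "if-as0")]
TABLE = build_table(ANNS, ROAS)
```

With `drop_invalid=False` the more-specific hijack wins the longest-prefix match for 192.0.2.130; with ROV applied at table-construction time it is never installed, and the lookup itself costs the same either way.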
In RIPE, each as-num should list out a policy of which other ASNs can import/export routes from that ASN. I think there should also be a route/route6 object.
Do vultr not check/enforce this? (Other providers do).
Government agencies regularly game regulations that apply to them in the same way as corporations. See e.g. FOIA, Fourth Amendment, qualified immunity, civil asset forfeiture.
People like to dump on government but they can move the acceptable window/best practice to a place that corps would not have gotten to by themselves. Crypto is one, OWASP springs to mind, etc. But the government is not a homogeneous monolithic entity and it necessarily has to have some conflict built into it. You could have a bulletproof secure system for identity, for example, come out of NIST, say... but the CIA would immediately need a workaround so that agents could assume new IDs in the field.
> we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords—adding an extra layer of security like a fingerprint or codes sent to your cellphone
Amongst other things.
I guess it probably does raise the baseline, but at the cost of those who have good security practices.
Edit: SOX, HIPAA, NIST CSF.
Government is not always bad.
HIPAA is extraordinarily expensive, meanwhile healthcare providers continue to have abominable security because compliance is offloaded to a "compliance team" who comes around once in a while to check boxes without really understanding the system, which is managed by other people who don't really understand HIPAA. This is one of the reasons security in large organizations is hard. Bureaucracies gravitate toward bureaucratic solutions, but then the left hand doesn't know what the right hand is doing, which is a direct mechanism for security to get messed up.
SOX isn't really about "security", it's about auditing and so on, but it suffers from a disadvantageous trade off. Large companies are less likely to have accounting problems than smaller ones. The law was passed in response to major outliers like Enron, but basing rules on rare outliers generally results in bad rules. Meanwhile the smaller companies have disproportionately higher compliance costs, to the point that there have been proposals to exempt smaller companies. But that implies it probably isn't worth it for large companies because the rate of fraud is so low and it probably isn't worth it for small companies because the compliance costs are so high, and then there's nothing left.
Whereas NIST CSF is a different kind of thing because it's voluntary. This is where government publications can really do some good, because if they publish rubbish then nobody has to pay any attention to it and the cost is limited to the money they spent creating it, but if it's good then it's valuable to anyone who uses it. The government should definitely lean towards this method, but it's hard to call this one "regulations" -- and the criticism you're responding to was that corporations would end up "just gaming the regulations".
Isn't that funny, when the White House has been exposed secretly tapping every single non-American (Chinese included) and American online activity, phone calls, mails, etc.
I'm not saying the Chinese should be able to do what the USA is already doing to the world, but it's like seeing a thief getting robbed by another criminal. Somehow it's funny.
Trusting US/Five eyes controlled companies with your data is a bad move. No matter if private or enterprise.
It is like people being perplexed about people complaining about some company or product. 'So choose another one?' Yeah, well, others might wanna know about it too...
A security issue is a security issue; the justification is mostly just puffery. Even the White House statement is vague as hell, with things some adversary might be able to do, grasping at something to relate what is an industry-specific esoteric issue to some hypothetical tangible real-world consequence.
It's like how Net Neutrality had that fake Comcast ad where you had to pay for tiers of internet, to try to make sense of what really was a B2B market intervention to stop ISPs from rent-seeking tech companies. It made it relatable even if it wasn't at all what would have happened (and didn't happen, I suppose).
Russia (and before them the Soviets), the Chinese, the French, the Brits, and many others have been doing it for decades.
This isn’t a response from China to US revelations, it’s a continuation and escalation of a practice they’ve been doing all along.
What would be the most convincing arguments to email my ISP with?
And official release: https://www.whitehouse.gov/oncd/briefing-room/2024/09/03/pre...