by diminoten 4842 days ago
I am never more reminded of how smart people can succumb to groupthink than I am when I read HN posts about CISPA. There are a lot of misconceptions about the law, including what kind of data gets shared (only relevant threat data, this isn't your bank account info, and the RIAA can't sue you if shared data reveals you to be torrenting movies - can elaborate more on this if there's interest), who does the sharing (orgs share to the government voluntarily), who has access to the sharing (government and people the government decide to share the data with), etc.

I saw an infographic a little while back that I thought made a pretty good representation of what the bill actually proposes, I wonder if anyone has a link available to it.

1 comments

It's not necessarily the letter of the law that people are worried about, it's the overreach that would result once it's on the books.
The USG is actively prevented by current regulations from setting up a clearinghouse that would collect netflow signatures, botnet identification, and traffic captures of exploit code and then sharing that information with companies like Google and Facebook.

Private companies can and do share (heavily scrubbed) electronic signature information, but must go through contortions to do so, and incur huge legal costs to do it. As a result, only the largest companies participate in these efforts.

Because the USG is more or less enjoined from participating in clearinghouses with private companies, information sharing networks are handshake affairs that are often unknown to anyone outside tier-3 network engineering. Other private IT security product companies run de facto clearinghouses, but only for their customers.

As a result, when your startup gets DDoS'd and you call your ISP for help, they generally can't do shit to help you. It may annoy you to know that if your connectivity provider is large, there is a group in there that could offramp your traffic to internal "scrubbing centers" to peel off DDoS traffic. But because high-end DDoS protection at ISPs is done sub rosa, startups have a very hard time finding these people.

There is an actual problem with online security attacks right now, and hysteria over any USG intervention with the Internet at all is helping perpetuate it. And all it appears to take to fuel that hysteria is statements like "think of the overreach that will happen once a law hits the books".

How do your last two paragraphs follow from the first three? How does having large companies share threat data help your small startup mitigate a DDoS?

There is an actual problem with online security attacks right now, and hysteria over any USG intervention with the Internet at all is helping perpetuate it.

This sounds an awful lot like, "We must do something. This is something, therefore we must do this."

ISPs propagate flow-based snapshots of attacks to populate filters and redirect traffic to scrubbing centers, but they do so discreetly in part because of concerns about how well their data --- which is used exclusively to generate filters --- has been anonymized.

What "regulations" are those that weren't addressed by the president's executive order last month? Can you provide a cite to an actual federal law that says this?

Are you suggesting that the President's EO gave the federal government a blanket authority to publish threat information to the private sector?

No, what I'm asking you for is an actual citation to federal law or the U.S. Code of Federal Regulations that backs up your claim ("USG is actively prevented by current regulations from setting up...")

That you failed to provide any, even though I think my request was fairly clear, provides strong evidence that you're unable to do so and your pro-CISPA argument was hand-waving, not based on facts or the law.

Or that you asked at 1:00AM.

Two responses, briefly:

1. FISMA spells out in positive terms that incident data collected by agencies is to be reported out to LEOs and the national security services unless otherwise designated by the President, and

2. much of the data we're discussing is classified, so, 18 U.S.C. § 798 is a starting point.

Do you dispute that, say, botnet identification data collected by DoD is classified? Do you have a source to suggest otherwise? I did network security product work at the Pentagon with Arbor Networks and they were bananas about classification, operating an entire clone of their enterprise network to account for classification.

I find it interesting that you can publish an article that suggests CISPA is a backdoor attempt at warrantless wiretapping but accuse other people of handwaving.

Having read the criticism the EFF's been pointing at CISPA, I fail to see how they're interpreting the bill to mean that such overreaching is even possible. I want to see what sort of changes the EFF would make to the current bill which would satisfy the privacy concerns they're claiming exist.

I think everyone agrees that companies should be able to describe to the cops what the guy who robbed them looked like, and those companies should be able to tell their customers they've been robbed without getting sued by their shareholders because the ensuing PR fallout tanks the stocks.