Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
The Internet Networking Privacy Security The Military IT

Ex-NSA Chief Supports Separate Secure Internet 214

Hugh Pickens writes "Nextgove reports that Michael Hayden, former director of both the NSA and the CIA, says the United States may seriously want to consider creating a new Internet infrastructure to reduce the threat of cyberattacks and several current federal officials, including U.S. Cyber Command chief Gen. Keith Alexander, also have floated the concept of a '.secure' network for critical services such as financial institutions, sensitive infrastructure, government contractors, and the government itself that would be walled off from the public web. Unlike .com, .xxx and other new domains now proliferating the Internet, .secure would require visitors to use certified credentials for entry and would do away with users' Fourth Amendment rights to privacy. 'I think what Keith is trying to suggest is that we need a more hardened enterprise structure for some activities and we need to go build it,' says Hayden. 'All those people who want to violate their privacy on Facebook — let them continue to play.' Clay Dillow writes that on the existing internet everyone does everything online anonymously, and while that's great for liberties, it's also dangerous when cyber criminals/foreign hackers are roaming the cyber countryside. Under the proposed .secure internet 'you may not be able to go to certain neighborhoods of the Web without showing your papers at a checkpoint — and perhaps subjecting yourself to one of those humiliating electronic pat-downs as well,' writes Dillow. 'Those who want to remain anonymous on the Web can still frolic about in the world of dot-com, but in the dot-secure realm you would have to prove you are you.'"
This discussion has been archived. No new comments can be posted.

Ex-NSA Chief Supports Separate Secure Internet

Comments Filter:
  • 'All those people who want to violate their privacy on Facebook — let them continue to play.'

    All those people who want to violate their privacy on Facebook — let them continue to play — we'll violate their privacy everywhere else.

  • I think they also need a .kids so that there is a separate internet for kids. This way they don't have to use children as the excuse to censor the entire internet. Anyone who wants to access .kids should either be under 18 or be a licensed adult. Sex offenders of course would not receive a license.

  • by rbrander ( 73222 ) on Saturday July 09, 2011 @11:51AM (#36705398) Homepage

    It's funny how hard it is to let go of past models. The heart of the Internet model is, as the saying goes "a sphere", where every node has equal access to every other node. No clients, no servers, just equal connectors. Society as a whole (when weighted by money rather than head-count) keeps trying to reject that in favour of it being a fancy way to broadcast: a few large hosts running Wal-Mart-sized data centres, many clients on as dumb a terminal as possible. Efforts to democratize information flow are opposed as either unserious utopianism or outright crime. (They can't seem to find a statute forbidding Wikileaks that doesn't forbid the Times, but from the rhetoric, you'd never guess.)

    When Hayden says that "users" 4th-amendment rights would be abrogated, he isn't thinking of all the users, not the big ones. Just the little ones. Which I think just models how Hayden sees society itself. Little folks don't have rights, just privileges.

    • Re: (Score:2, Insightful)

      by c6gunner ( 950153 )

      The heart of the Internet model is, as the saying goes "a sphere", where every node has equal access to every other node

      No, it's not, nor has it ever been. Such a network would be completely impractical, both from a technological/economic perspective, and from a security perspective.

      Society as a whole (when weighted by money rather than head-count) keeps trying to reject that in favour of it being a fancy way to broadcast: a few large hosts running Wal-Mart-sized data centres, many clients on as dumb a terminal as possible.

      Right - people want functionality. They don't want every person to write their own version of facebook - they want a large service which everyone can access. Money has nothing to do with it - it's about usefulness.

      Efforts to democratize information flow are opposed as either unserious utopianism or outright crime. (They can't seem to find a statute forbidding Wikileaks that doesn't forbid the Times, but from the rhetoric, you'd never guess.)

      Complete nonsense, of course, supported by nothing other than your personal ideological biases.

      When Hayden says that "users" 4th-amendment rights would be abrogated, he isn't thinking of all the users, not the big ones.

      He's speaking about anonymity, dumba

      • Re: (Score:2, Insightful)

        by spire3661 ( 1038968 )
        You do a lot of name calling and tongue lashing, but not a whole lot of analysis or rebuttal. Most of your post is simple trolling and selective reading. How about you provide a reasoned argument.
    • I am amused in particular that he wants you to "prove" who you are on the internet - because, you know, it's totally impossible for someone else to use my computer, or steal (or emulate) my little key fob which has my unique identifier, or whatever. There is simply no way to guarantee with 100% certainty that anyone is who they claim to be when using an electronic medium. A "secure internet" is doomed to fail because people will make too many assumptions about just how secure it is.

      • There is simply no way to guarantee with 100% certainty that anyone is who they claim to be when using an electronic medium.

        To be fair, you could drop the last five words from that sentence and it would still be true. At a certain point, we have to either assume that the various means we have to verify our identity, whether in person or not, are sufficient for the task at hand; or come up with better ways to accomplish that goal.

    • sometimes slashdot should go above +5, when it's for important matters.

    • "Stop right where you are! You know the score, pal. You're not cop, you're little people!"
  • by king neckbeard ( 1801738 ) on Saturday July 09, 2011 @11:56AM (#36705442)
    "Core elements of our electric grid, of our financial, transportation and communications infrastructure would be obvious candidates. But we simply cannot leave that core infrastructure on which the life and death of Americans depends without better security."
    Here's an idea, if a service being infiltrated can result in deaths, DON'T CONNECT IT TO THE FUCKING INTERNET
    • by YrWrstNtmr ( 564987 ) on Saturday July 09, 2011 @12:12PM (#36705564)
      Here's an idea, if a service being infiltrated can result in deaths, DON'T CONNECT IT TO THE FUCKING INTERNET

      Given that some of these systems have to communicate, that is exactly what this guy is proposing!
      Don't connect them to the regular 'Net, but some other communication setup.
      • It sounds more like he wants to use the same cables, and try and wall it off via hardcore authentication. My solution is completely separate wires if communication is needed for a system, and no wires if direct communication isn't needed
      • by MimeticLie ( 1866406 ) on Saturday July 09, 2011 @12:51PM (#36705914)
        No, what he is proposing is "levels" within the existing internet that would require varying amounts of identification. From TFA:

        Mulvenon, an executive at Defense Group Inc., a government contractor that provides agencies with intelligence analysis, has in mind a three-level network. "If you want to do banking, there's no anonymity," and users would need to enter true names and digital credentials to operate in the space, he said. The middle level, perhaps applicable to the .edu domain, would require fewer personal details from visitors.

        "At the bottom, you can run around like a hobbit," he said. "How can you have a multilevel system that allows you to play up here and down there and doesn't compromise your ability to play?" is the challenge.

        The article doesn't have any quotes from Alexander or Hayden, but it has some from others talking about the same plan. Despite the FUD that the proponents of this plan are spreading, this isn't about securing crucial industrial infrastructure. It's about creating a special ".secure" TLD that would somehow be outside the protections the Fourth Amendment grants on search and seizure with the stated goal of eliminating anonymity. So it's clearly not about "cyberattacks" either, as requiring credentials has nothing to do with DDOS.

        So then what is this (not) new network? Given that it's being pushed by Michael "warrantless wiretaps" Hayden, the whole Fourth Amendment link starts to make sense. It's not about eliminating anonymity from secure transactions (it's not like credentials aren't already required for all this stuff. Hell, even World of Warcraft had 2 factor identification available), it's about bypassing your right to privacy. The government (and defense contractors like, oh I don't know, Defense Group Inc.) would be able to datamine all that juicy stuff they currently aren't allowed to touch because of those pesky "constitutional protections". China is the model here:

        Nations with fewer civil liberty protections, including China, use "deep packet inspection" to search all Internet traffic for viruses -- as well as anti-government content, noted James Mulvenon, a China and cybersecurity specialist. Due to privacy laws, the United States cannot monitor private network traffic using this approach. Mulvenon questioned whether such restrictions give other nation states the upper hand in cyber defense.

        • by EdIII ( 1114411 )

          The whole thing sounds good on the surface.

          I have two problems with it:

          1) There needs to be a law that says a citizen cannot be forced to use services on the "secure" net and
          2) Why does the 4th Amendment even apply here?

          If the goal is to secure infrastructure...... Hello!? They already do this with the government now with the intelligence agencies and military. Citizens do not need to have access or be on this network at all. The whole reason why it sounds good is that it protects our fundamental infrast

        • by cgenman ( 325138 )

          If it has a physical connection to the internet, you're just as open to hackers. There isn't any sort of additional layer of authentication that you can put in place that isn't just-one-more layer of authentication to crack. Or rather, the idea that nobody thought of authenticating against hackers on the existing internet is deeply insulting.

          If you need a network to be secure and private, run some dedicated T1 lines. Anything less (and even that, if you're not sure how your provider is handling the backe

    • Re: (Score:3, Funny)

      Here's an idea, if a service being infiltrated can result in deaths, DON'T CONNECT IT TO THE FUCKING INTERNET

      Your idea won't work. How can people employed at power plants, banks, etc. use bitcoins (the only secure currency of the future) if their network isn't connected to the Internet?

    • So you agree. The need to interconnect between these agencies has forced them to use the Internet, as no other metal does this. So, like he, you suggest a separate Internet for these agencies. Sounds quite sound to me.

      Small FYI, you don't need to shout an agreement.
      • I don't think I agree. He seems to want to use the same internet separated by software, while I want a physically separate network if there has to be any direct intercommunication, and in cases where there doesn't have to be, there shouldn't by any connection at all.
    • they very well know that. its just the regular trojan horse to control the internet.
      it's like saying "its because of child porn", except its "to secure life critical infrastructure".

      There's not many nuclear power plants which controls have a shared internet access as you might imagine, lol.

      No, what they want is an internet where you are not free and equal, using any argument they can, and they will never stop trying.

      • I suspect that is the case as well. That's why I feel we should call them on their bullshit. If the problem really is what they say it is, there's a much better solution, so this isn't a valid justification.
  • The west, not just America, needs MULTIPLE networks. In particular, there should be one for DOD, another for utilities such as Power, water, etc, and other for general commerce. The DOD and utilities should NOT be connected in any fashion with the general internet. In addition, the DOD one should be limited to friends, only.
    • To take this further, the equipment on it should be done in the west ONLY. We need to know that it will not be taken down by China when they finally decide to attack.
    • Re:Actually (Score:4, Interesting)

      by FreelanceWizard ( 889712 ) on Saturday July 09, 2011 @12:40PM (#36705810) Homepage

      What's funny about this is that we *already* have this setup. SIPRnet, JWICS, and other networks running on the Defense Information Systems Network (DISN) are already segregated from the public Internet by an air gap. This is actually required for any classified data. Information can sometimes enter a classified network from the outside world, but the mechanisms for doing so are extremely circumscribed and a massive amount of analysis has to go into making such systems "provably secure." In practice, NIPRnet and SIPRnet require different physical terminals. That's why we have things like the presidential Blackberry, which is essentially two Blackberries in the same case with a physical switch to swap between the unclassified and classified systems.

      As for utilities and the like, sure, you have two options. One is to airgap the communications network, which is what I'd advise given the shoddy quality and poor security record of SCADA systems. The other is to use secure communications from the transport layer up and using defense in depth principles. Of course, that requires building security into the system from the ground up, and very few companies and people are willing to do that. In light of that, an airgapped network makes sense. If a truly independent network isn't needed, every backbone provider is more than happy to provide MPLS virtual networks for the right price.

      In the end, though, I think the problem is that utilities don't want to spend the money on what they feel has no deterministic ROI (cf. trying to get a company to buy a disaster recovery system). This is rational self-interest, especially when you consider the explicit guarantee of insurance and the implicit guarantee of the government for critical infrastructure. The solutions are simple: enforce proper controls through regulation or nationalize the infrastructure so rational self-interest is removed.

      • Actually, it is not. All of that runs in virtual lans, going over the same physical cables as the net inside of ATT, Verizon, Qworst, etc. Worse, many of the VLANS are using Chinese made equipment which makes it all prone to cracking. Simply put, we need MULTIPLE PHYSICAL infrastructures. We have loads of dark cables. Does not matter where that is made. However, the electronics absolutely needs to be western made.
  • by MacTO ( 1161105 ) on Saturday July 09, 2011 @12:03PM (#36705488)

    Ignore the privacy bit for a moment, because that seems to garner knee-jerk reactions around these parts, and look at the security bit.

    There are a lot of transactions that need to be secure, yet would not qualify for the .secure network. For example: you could cram bank systems into the new network, but are you really going to allow every business that uses these financial systems on it (e.g. credit card transactions or trades on the stock market)? Even if you did, you would still end up with 'insecure' connections between the customer and the business. Or are you going to give every citizen a security token too? In that case, the ability to verify the identity of the user drops to nil since identify theft becomes an issue. Or people lending their identity to friends. Or people using loopholes in the system to create new identities.

    Even a network which tightly restricts who could access it would face hurdles. Research labs attract all sort of riff-raff scientists and technicians. Some of those people will create bridges between the .secure network and everything else. Even if it is unintentional, because they are using the same systems to access secure databases as they use to access journals (and their goof-off resources). I'm not saying that it is impossible to stop that sort of thing, but it will be awfully difficult given the population involved.

    • This is just the camel's nose in the tent to do away with all that awful, yucky anonymity on teh Internets. Monitored, controlled, non-anonymous citizens don't file-share, among other things. Think of the children!!
    • This, I think, is the crux of the problem. Inevitably, someone will want WiFi access from their smart-phone and will finagle a way to do it. There are secure - and separate - networks in NSA and CIA which rely on clearances and job security and even they have problems with people abusing the system; how do you suppose Berkeley is going to do?

      And who pays for this?

    • by durdur ( 252098 )

      US military and diplomats already use secure networks [wikipedia.org] so it's not completely infeasible.

      But for commercial transactions there are some issues. It is hard to require a separate machine for secure access so privilege escalation (insecure->secure) is an issue. Plus if you store the credentials you need to access the secure internet on the machine that is doing the access, then all you know for sure is that the machine initiated a transaction, not that a specific individual did. In particular, a hacked box a

  • Conceptually this sounds good as it would allow separate networks for stuff that should be secure from stuff that doesn't. I fear that the implementation will not work out that way as business now don't want to spend the money to separate things as it requires more hardware. You will also run into the why can't I access Google/Facebook/internet thing from this machine that is only connected to the scads system. In general companies are too cheap and their employees are too stupid to have real security.

    Add

  • by kpainter ( 901021 ) on Saturday July 09, 2011 @12:06PM (#36705512)
    They would be separate for about an hour. Right away, somebody would figure out a way to connect them together thus defeating the purpose.
  • by Nkwe ( 604125 ) on Saturday July 09, 2011 @12:16PM (#36705590)
    So is the article talking about a separate physical network that is firewalled off from what we now call the Internet or is it just talking about a new top level domain that by policy requires domain owners to demand some sort of verifiable credentials for access to services on hosts that are pointed to by DNS entries within the new domain?

    Unless it is a separate physical network with firewalls or other edge devices that require authentication and there is a mechanism to securely forward the credentials from the edge device to the internal host, you haven't crated any more real security.

    Creating a new TLD on an existing "insecure" network that doesn't require authentication to access the physical network doesn't add any security. In this scenario anyone can still access the machines and it is up the owners of the machines to implement their own security. If the government (and others) can't manage security on their machines now, crating a new naming system for those machines isn't going to help.
    • by tsotha ( 720379 )

      Creating a new TLD on an existing "insecure" network that doesn't require authentication to access the physical network doesn't add any security. In this scenario anyone can still access the machines and it is up the owners of the machines to implement their own security.

      According to TFA part of the reason is legal. To get on you'd have to agree to deep packet inspection, something they can't do in the .com TLD because of 4th amendment concerns.

      The article quotes a couple different people, but I suspect t

  • by GrantRobertson ( 973370 ) on Saturday July 09, 2011 @12:18PM (#36705610) Homepage Journal
    This proposal is not for a separate "Internet" as the headline states. It is merely for a separate top-level-domain. And all the servers on this domain would supposedly have super secure firewalls that are impenetrable and unhackable? Riiiiight.

    If this separate-but-not-really-SEPARATE "internet" is connected to the same wires as the regular internet then the hackers will still get in. Hell, all the servers that were hacked recently were supposedly super secure. Not a lot of good that did them.

    If they want a truly secure, truly separate network then it shouldn't even be an "Internet" at all. It should have a completely separate set of wires. The equipment connected to these wires should be able to detect if the wires have been tapped into or if other unauthorized equipment is attached. It should have all new protocols, designed from the ground up for security and authentication rather than anonymity. In fact, every layer in the the entire IP stack should be completely thrown out and replaced with a secure system which, by law, can only be used on this new system. It will only be licensed for very specific purposes and no one else will be allowed to own this equipment or even have software that uses these protocols. Then, when you catch someone with this equipment or software, you know they are up to no good. The only way into the network will be by tapping in, which will be physically traceable, or by gaining physical access to a licensed terminal, which would be partially traceable but far more difficult to do.

    Anything less than this is mere theater. Any claims that a .secure TLD will be any more secure than existing firewalls are just wishful thinking.
    • by mlts ( 1038732 ) * on Saturday July 09, 2011 @12:35PM (#36705762)

      A .secure domain on the same physical net is one thing. However, what we really need are separate backbones designed from the ground up to carry traffic.

      The US has NIPRNet and SIPRNet. Ideally, it would be nice to see banks and credit card processing places have a "BIPRNet" just so that machines from bank "A" can contact bank "B" via a secure link, preferably a separate physical wire than what the traffic from the outside runs on. This way, a blackhat would have to find a machine that sits on both networks, and go from there. If the network backbone is set up to allow communications only between machines that have a business need to see/connect to each other, it would make that backbone quite secure. Add an IDS/IPS system will make compromise even more difficult.

      Same with SCADA stuff. It needs its own backbone, then hardened computers that relay the diagnostic info from the embedded controllers to where it needs to be. I've even used two machines that were connected to each other via a one way serial port (slow link, but it worked getting the small datasets across, and one tx/rx pair was disabled so data could only move from the inner network to the outer) to ensure that the inner embedded network would require physical access to be compromised.

      Good internet security is not a matter of "can't". It is a matter of "won't".

      • Good internet security is not a matter of "can't". It is a matter of "won't".

        I totally agree. I once read an article by the creator of SendMail that said it is impossible to create an e-mail system that is any more secure than the current one. I wrote him a message saying essentially: "Not with your program we can't." Can you imagine the audacity of the guy. Because the program he wrote decades ago isn't secure, it is impossible to be secure. Again: Riiiiiiiight.

      • Same with SCADA stuff. It needs its own backbone, then hardened computers that relay the diagnostic info from the embedded controllers to where it needs to be.

        Why not just harden the SCADA equipment? Powerful microcontrollers are cheap; stick TLS and certificates on them.
  • by TheGratefulNet ( 143330 ) on Saturday July 09, 2011 @12:20PM (#36705632)

    I thought about this a bit. this is MY proposal (from some random internet guy; but one who's been around, online, for quite a few decades).

    what we need is true end-to-end encryption and that will get us all the 'secure' we need. it would not be a bad idea to insist that all non-encrypted protocols be aged out and replaced with SSL carried user-protocols (mail, file transfer, remote console, DNS, all the basics).

    oh, there's one other tiny little detail. NO one can spy on the end-to-end connections. no MitM, no wiretaps, no opto-sniffing, no none of that [sic]. promise and ensure that all world citizens have protected (as in 'their rights, as human beings') end-to-end private communications. tapless and secure. to me, THIS means secure.

    what they want is exactly the opposite. no encryption and nothing BUT tapping us (DPI, etc). they will know the identity of each networked station but this will not add to privacy OR security for anyone.

    recognize this, people. do not give them this 'divided internet'! really bad idea. lets, instead, change the debate BACK to private communications and the right to not be listened to, monitored and surveiled.

    • encryption is nice, but its not the answer to everything. the major issue is in fact, bugs. and you can't easily prevent bugs.
      there are operating systems and security measure which are VERY good compared to what 99.9% use today, but they're not applied because there is no commercial gain yet.

      anyhow, the point of their push for a 2nd internet is not security. it's control. Don't get that wrong. it has little to see with life critical stuff.

    • I decline your offer because you have no idea what you are talking about.

      what we need is true end-to-end encryption and that will get us all the 'secure' we need.

      First off, I don't mean to be an ass, you just seem to be ignorant. There is something called DNSSEC [dnssec.net] that not only exists, but is part of IPv6. Considering that you do not mention DNSSEC, and that both it and our current TLS implementations include "tapless and secure" "end-to-end" encryption facilities supports my first sentence...

      DNSSEC i

  • the concept of a '.secure' network for critical services such as financial institutions, sensitive infrastructure, government contractors, and the government itself that would be walled off from the public web

    ohh you mean a VPN right? yeah we've had them for a while now
  • it will grow with time and then the same problems will exist again.

    What we need is the idea that managing access to networks is important.

    Use your own CA, use big (maybe even one time pad) keysizes, make firewalls restrictive, make it mandatory that all systems are are managed by an experienced administrator, use TCPI, make encryption mandatory, and educate all employees to do it the right way or ask for help. Educated everybody in controlling the access to documents correctly (no: oh, lets just make it rea

  • Were these guys asleep in the last couple months? Seems to me that we have all been publicly reminded that computer networks aren't secure, and that some are very not secure because their owners are asleep at the wheel. So what to do about that? Of course! Pretend the problem is people pretending to be whom they are not, and carry on pretending that you can secure a network against that. Give a load of taxpayers money to some buddies to build a new 'secure' network, instead of legislating and regulating
  • I thought they already had a secured network -- SIPRNET?

    Or do they just want a spam-free network?

    Oh, maybe they mean NIPRNET -- why not let the banks and such on that?

    Or maybe it's just that these bozos don't like sharing the ball OR the sandbox with anybody else and they want their own for just them and their good friends.
  • Morons everywhere (Score:4, Interesting)

    by WaffleMonster ( 969671 ) on Saturday July 09, 2011 @12:50PM (#36705904)

    This is what happens when politicians who know nothing about security or network infustructure make high level design decisions.

    Securing the wire always has and always will be a lost cause. Just click the little require secure connections only button in all of your operating system (IPSec) and you have yourself your secure private network.

    There is no reason to segment traffic. On a large network you can expect someone on the network will eventually be compromised by an insider or determined advasary. Given this reality physically separate network must not be relied on to convey any security at any time.

    All it means is you don't see a bunch of botnets launching blind attacks 24x7. It means important infustructure on a "secure" network becomes as complacent and vulnerable as the machines behind corporate firewalls. It is human nature. Without constant pressure it will happen. If you are tired of the random hits use IPv6.

    Never trust the wire.. Just don't do it. It is always stupid and you will always be burned by it.

    A few other points needing to be made:

    If the content of your communication can not be private good luck with your "secure" network.

    Federated authentication systems tend to induce weaknesses in server authentication. Imagine everyone on earth was using openid or had the same password file. You could login to any computer you wanted with your credentials.

    This means:

    The material which authenticates you as a person can not also be used to authenticate the service you are consuming as everyone has access to the authentication system. Even if your credentials are never exposed your authentication provides you with no assurances with regards the service you are consuming beyond an unbound trust anchor.

  • Saying that a network which requires credentials linked to your identity "would do away with users' Fourth Amendment rights to privacy" is ridiculous. The only thing that the Fourth Amendment says about privacy is that the feds can't search your stuff without a warrant. What the devil does that have to do with when you choose to visit a site which won't work with you unless you reveal your true identity?

    Extra, Extra! Read all about it! Gub'ment proposes new security technology for shops and inns, called "re

  • by Animats ( 122034 ) on Saturday July 09, 2011 @01:22PM (#36706238) Homepage

    Anonymous individuals aren't the problem. Anonymous businesses are the problem. Most of the troubles we have on the Internet come from web sites which purport to be from some legitimate business, but aren't. Malware, spam, etc. all eventually involve some online business.

    This is a consequence of ICANN's squishy-soft regulation of registrars and weak enforcement of WHOIS data quality rules. More recently, corrupt CAs have become a problem. The companies that collect money registering the identify of web sites are failing in their responsibilities.

    All we need on the client side is good ISP ingress filtering, so that corrupted clients can't use an IP address other than their own. (All you can do with a fake IP address is send junk, since you don't get any of the replies.) Then, DDoS attacks can be tracked and blocked.

  • by MarkH ( 8415 )

    Internet last time I checked was just a commonly recogised way of routing ip packets.

    I think they security is whatever protocol you choose to use on top of that.

    I hear that ssl Is a popular choice these days. Does suffer from being 'open source' rather than a nice secure private protocol you can buy but seems to be quite popular.

  • A completely separate (air gap, and no wireless, no shared programs or data) device from your "insecure" Internet computer. I see very little chance of this happening. The first unwitting member of a botnet who signs in to the "secure" Internet with their magical "secure" credentials will immediately un-secure it for everyone else.
  • Why not create your own "LAN" on top of the internet using VPN connections? Why would this need a separate network? Are we that worried about DoS attacks on VPN connections? And why go with a single network, whilst you may have different roles to different institutions?

    The idea of a non-anonymous sub-network is certainly an interesting one, and you could argue that it does have many benefits over providing credentials to each and every site (for each and every protocol). Proof of citizenship (e.g. with a di

  • Instead of this backward approach to government security being firewalls and this and that, lay out a different network, complete with its own fiber and connections. Think of it like re-creating the old Arpanet, where the public does NOT have access, and the only connections come from places with real reasons to be connected. The places with real need for security would not have ANY connections to the normal Internet, no gateways, no dial-up, NOTHING that others could use to access it remotely. The C

  • It just seems to me if you're going to talk tcp/ip, use the same pipe, adhear to current rfc's, your network will be no more secure then it is today. The wheel already works (securely if you want), its the hamsters powering it that are broken.
      That said, if you need to secure a private network use a private pipe. Secure the "human" access via physical protection, and train your hamsters.

By working faithfully eight hours a day, you may eventually get to be boss and work twelve. -- Robert Frost

Working...