NetworkSoftSecurity

How would you apply SoftSecurity to networks instead of to web pages? CommunityNetworks like PersonalTelco would be a perfect place to experiment with this. Currently I'm exploring implementations of captive portals [1], but really all they do is use a browser as an authentication method; they don't use SoftSecurity. -- AdamShand

In order to use SoftSecurity, you need human judgement. Somebody has to do something, you need to observe it, judge it, and react to it. Therefore, you need to involve the participants of the network in monitoring other nodes, you need to agree on some rules of judgement (a value system), and you need the possibility to react. There's no sense in talking about it if you can't do anything about it. I think these are the basic requisites for a working SoftSecurity for networks. The derived requisites boil down to a good user interface. It must be easy to observe, rules must be easy to find and read, it must be easy to take appropriate action. Maybe finding an analogy would be appropriate: newsfeed and mail access, for example. How do you block spam? Where do you poll for news? Better to take advantage of existing experience rather than to reinvent the wheel. -- AlexSchroeder

Is this necessarily true? Isn't anything which minimizes potential damage while not obstructing usage SoftSecurity? For example, some wikis implement rate limiting of changes (SurgeProtector) as a way to minimise damage from automated attacks. If SoftSecurity requires human intervention I fear it will not be applicable.

A CommunityNetwork is essentially a service provider, and as such it has both legal and ethical responsibilities (i.e. facilitating drive-by spamming would be a bad thing) [2]. So as the administrator I feel compelled to control it so that it can survive TheTragedyOfTheCommons. There are two basic types of threats: ones which threaten the network directly, primarily bandwidth abuse, and ones which threaten indirectly, mostly through legal or other retaliation (hacking, spam, or any other illegal activity). -- AdamShand

Another option is to allow the network to dynamically reconfigure to disconnect troublesome nodes. The JabberProject open source server uses a SurgeProtector not only on end users but in between servers to limit spam from all quarters. FreeNet does similar things. Similarly, with TINSEL (as described on DailyMe), based on users' fickle habits, the network automatically reconfigures to eliminate junk sources as you can't force data upstream. -- SunirShah

Right, but all of these have a notion of an authenticated user. You can't use a Jabber client without a Jabber/AIM/ICQ/etc. account. Once you require authentication most of the problems go away. What I am interested in is providing open access to the internet without requiring a login. -- AdamShand

Well, I just got back from a trip to Vegas which involved spending a lot of time in airports without a whole lot to do. During this process I had a couple of interesting thoughts (to me at least :-). A captive portal is the wrong way to go about it; as I stated above, all captive portals do is leverage the browser as an authentication tool. While this is very powerful, it's not really what a community network wants. As I see it there are two basic types of threats; let's solve them as separate problems:

Using an OpenSource network IDS (Intrusion Detection System) like Snort, we should be able to write some fairly simple rules to detect undesirable activity. We can set thresholds to detect spam, hacking etc. and triggers to take effect on detection of the activity. Combine this with the bandwidth shaping abilities of recent free unix kernels and we should have a fairly simple solution which allows completely open access.

The legal threat can be solved by using a service like Freedom (by Zero Knowledge Systems) which makes your internet connection physically untraceable back to you. The network IDS will minimise the amount of undesirable behavior taking place on the community network and Freedom will remove anyone's ability to prosecute you for anything that doesn't get immediately caught.

While this does solve the legal threats it does not solve the ethical ones, e.g. "how do you feel about being a method that people can use to trade kiddie porn?" I offer two thoughts: the first is that this may be the price we all pay for freedom, the bad with the good. Second, hopefully using the same techniques we used to defeat the resource hogs we can make the other people look elsewhere for a more friendly network to hack from.

I hereby dub this system the ActivePortal. -- AdamShand
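
The threshold-then-shape idea in the comment above, sketched as an added example (not part of the original discussion, and not Snort rules): per-node sliding-window counters mark an unauthenticated node for shaping when it exceeds a limit and release it once it behaves again. The window, the limits, the node identifiers and the flow records are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 60                 # seconds of history kept per node (assumed)
SMTP_LIMIT = 20             # outbound port-25 connections per window (assumed)
BYTES_LIMIT = 50_000_000    # bytes per window before shaping (assumed)

def sample_flows():
    """Constructed flow records: (timestamp, node id, dest port, bytes)."""
    flows = [(t, "aa:aa", 25, 2_000) for t in range(0, 50, 2)]          # mail burst
    flows += [(t, "bb:bb", 443, 10_000_000) for t in range(0, 60, 10)]  # bandwidth hog
    flows += [(t, "cc:cc", 443, 200_000) for t in range(0, 60, 5)]      # ordinary user
    flows += [(3, "cc:cc", 25, 5_000), (40, "cc:cc", 25, 5_000)]        # two mails
    flows += [(200, "aa:aa", 443, 1_000)]                               # calm again
    return sorted(flows)

class ActivePortalMonitor:
    def __init__(self):
        self.events = defaultdict(deque)  # node -> recent (ts, port, bytes)
        self.shaped = set()               # nodes currently rate-limited

    def observe(self, ts, node, port, nbytes):
        """Record one flow; return a transition tuple or None."""
        q = self.events[node]
        q.append((ts, port, nbytes))
        while q and q[0][0] <= ts - WINDOW:   # drop events older than the window
            q.popleft()
        reasons = []
        if sum(1 for _, p, _ in q if p == 25) > SMTP_LIMIT:
            reasons.append("smtp-burst")
        if sum(b for _, _, b in q) > BYTES_LIMIT:
            reasons.append("bandwidth")
        if reasons and node not in self.shaped:
            self.shaped.add(node)             # hand off to the traffic shaper here
            return (ts, node, "shape", tuple(reasons))
        if not reasons and node in self.shaped:
            self.shaped.discard(node)         # soft response: reversible, no ban
            return (ts, node, "release", ())
        return None

def run(flows):
    """Feed flows in time order and collect every state transition."""
    mon = ActivePortalMonitor()
    return [t for f in flows if (t := mon.observe(*f)) is not None]

if __name__ == "__main__":
    for transition in run(sample_flows()):
        print(transition)
```

The ordinary node never crosses a threshold, and the shaped node is released on its own once its window empties, so no login or administrator decision is needed for either outcome.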

Perhaps it's not necessary to provide full internet access, just as we do not have a RawHtmlWiki. Even on MeatballWiki where the users increasingly gain more direct power as time goes by, we only provide access to what we know how to control. Over time, much if not all of the site may be given over to the users, but the point is to not provide everything right away. The guerilla wireless networks may want to start with something simple, like e-mail, and then work towards providing more and more access over time. -- SunirShah


Discussion
