[NCAP-Discuss] why enhanced controlled interruption - not legal

Jeff Schmidt jschmidt at jasadvisors.com
Fri Feb 25 23:28:31 UTC 2022


>> Your comments above don’t appear to align with Verisign’s public
>> comment submission Additional Comments on “Mitigating the Risk of
>> DNS Namespace Collisions” Phase One Report [1], which reads:
>> 
>>> Verisign maintains its position that directing requesters to an
>>> internal address during the controlled interruption period is
>>> preferable to an external honeypot, because as previously stated, it
>>> avoids “controlled exfiltration” where sensitive traffic from an
>>> installed system – without the advance consent of the user or
>>> system administrator – may be drawn outside the local network.
>> 
>> Am I not understanding something?
>
> You should review the full comments, which also state:
>
> "Although an installed system may well send traffic over unsecured 
> networks all the time, it shouldn’t be “controlled” into doing so 
> without its consent, especially without demonstrable evidence that no 
> lower-risk mitigation measure is available."
>
> That last bit is the operative part, I've seen no demonstrable evidence 
> that suggests that CI is effective.

Agree, the last part is the operative part. Verisign of 2014 and Danny of 20* :-) correctly recognize that a successor to CI must be "lower-risk." It doesn't say "generate more data"; it says "lower-risk." There is no world in which any honeypot approach is "lower risk" than CI.

Jeff





