Is an "Internet Kill Switch" Technically Feasible in the US?  - privacyguru
http://www.securityweek.com/internet-kill-switch-technically-feasible-us

======
bitskits
Wouldn't it just be a law requiring ISPs to kill peering upon the
government's request? Am I missing something here? If it isn't feasible, I
would think that's because it isn't legal, not because of a technical hurdle.

~~~
roc
If the "Kill Switch" bill passes, the legal question will be answered. As no
one's optimistic the bill will fail [1], commentary has moved on to: can it
_actually_ be implemented?

Personally, I don't see that being a very interesting question either. Once
it's law, "Kill Switch" compliance will get built into the big switches and
routers. It would only be a technical challenge to implement in the near term.
And I don't think you can be paranoid enough to think the government plans on
hitting this switch in the near term, yet be rational enough to believe the
government would wait for _legal authority_ to do so.

So whether it's feasible in the next 5 years is pretty academic.

[1] If people aren't going to take issue with standing constitution-free zones
covering 80% of the population, the growing surveillance state, increasingly
intrusive security theatre at the airport and greenlit assassinations of
_suspected_ terrorist US citizens, an argument about internet access during
hypothetical 'states of emergency' has a snowball's chance in hell.

~~~
wmf
I think you're right on. People complained that CALEA was technically
infeasible, but those people just didn't understand it; ISPs are obligated to
_make_ CALEA work and they complied even if it meant redesigning their
networks. If ISPs have to update their OSS systems to support the "kill
switch", they will do it.

~~~
bitskits
That's actually the example [CALEA] I had in mind as well.

I don't see a huge technical hurdle here, other than maybe a script to disable
all peering interfaces for every ISP in the US. This could be done by hand
just as easily should Uncle Sam come knocking.

The real issue, to me, is the why behind this. The only real motivator is to
prevent people from organizing to overtake a government they perceive as
corrupt. Is it really worth exploring crippling our economy and stifling free
speech at the same time? Forget the technical hurdle, what about the
constitutional one?

Interesting that we also claim to have a way to "force" internet on a country
who kills it, but at the same time are looking for a legal basis to kill it
ourselves.

~~~
roc
> _"Forget the technical hurdle, what about the constitutional one?"_

We haven't had much luck with that one lately.

I don't think the "Why" is quite so transparently dystopian. They don't want
to turn off the entire internet. It's just another attempted end-run around
the judicial process, to make it easier to further political and economic
goals. e.g. filtering WikiLeaks or BitTorrent.

The idea that they would need this to disconnect critical infrastructure to
protect it from cyberattack is laughable. Any critical infrastructure that
could still operate independent from the internet should not _have_ a
connection to the internet, and if it _did_ should certainly have its own
disconnect capability.

The only reason to put disconnect capability on the ISP or backbone carrier is
to do it _against the will of the target facility_. If they wanted to protect
things like the Hoover Dam [1] they'd just issue/enforce some government regs.
[2]

[1] The Dam Authority has already taken issue with being a talking point in
this debate, pointing out that, no, they are not foolish enough to have dam
controls connected to the internet.

[2] I'm pretty sure these already exist, as regards air-gaps for critical
infrastructure and security requirements for networks that _do_ have a
connection to the public internet. There may not be a unified national service
to flip connection-kill-switches, but that would be resolved with a government
network project, not a new law. The government already has legal authority
over infrastructure.

------
blauwbilgorgel
Instead of a Kill Switch, I think it would be possible to make a Flood Switch.
When enough shit would hit the fan, to make the president issue the Kill
order, all bets would be off.

Let's say Americans are using Twitter or a foreign website to organize riots
in a civil war. Once the order is given and such a bill is in place, I don't
think the government has to ask nicely and force compliance. It will put
all government computers and some very big tubes into DDOS'ing whoever is
publishing something they don't want published at that very moment.

~~~
chc
If I were these hypothetical guerrillas, I wouldn't have one site, I'd have
hundreds. Good luck DDOSing 600 independent sites at once, even if you're the
government. I'm pretty sure killing the ISPs is simple by comparison.

------
ZachPruckowski
From a brute-force PoV, I imagine you can have armed FBI agents in the offices
of major ISPs in an hour or so. If they block their customers and they also
block their resellers, then really you can handle most of the Internet with
probably a dozen 2-man teams. It's not really that critical if it's deemed too
hard to block two guys on the same local ISP from chatting.

Not to mention that even rudimentary steps - knocking out DNS or even just
Google, Yahoo, and Bing - would put 95% of Americans effectively offline.

Metcalfe's Law works both ways - if you cut off even 3/4 of the internet, it's
now only a square-root of a square-root as valuable as it used to be.

------
oigftrgtyh
Isn't it as simple as changing the router tables so everything goes to fox
news?

------
cosmicray
You could certainly bust the internet into a lot of small unconnected subnets,
simply by telling all the backbone providers to disconnect peering. I would
expect that .mil and continuity of government circuits would be tagged as
exempt, and would continue to work.

I dunno what happens if your provider happens to be someone like Hughes or
DirectPC. That's one heck of a large subnet.
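The partition cosmicray describes (cutting backbone peering and leaving "small unconnected subnets") and ZachPruckowski's Metcalfe's-law point about lost value can both be checked on a toy model. This is an added resilience-analysis example, not code from the thread or from any ISP; the AS-level topology, the "peer"/"transit" link kinds and all node names are constructed placeholders, not real network data.

```python
from collections import defaultdict, deque

# Constructed toy AS-level topology, not real data: (a, b, kind) where
# kind is "peer" for backbone-to-backbone peering and "transit" for a
# provider-to-customer link. All names are placeholders.
TOY_LINKS = [
    ("bb1", "bb2", "peer"), ("bb2", "bb3", "peer"), ("bb1", "bb3", "peer"),
    ("bb1", "isp_a", "transit"), ("bb1", "isp_b", "transit"),
    ("bb2", "isp_c", "transit"), ("bb3", "isp_d", "transit"),
    ("bb3", "isp_e", "transit"), ("isp_a", "home1", "transit"),
    ("isp_a", "home2", "transit"), ("isp_c", "home3", "transit"),
    ("isp_d", "home4", "transit"), ("isp_e", "home5", "transit"),
    ("isp_b", "office1", "transit"),
]

def build_graph(links, drop_kinds=()):
    """Undirected adjacency list; links whose kind is in drop_kinds are cut."""
    adj = defaultdict(set)
    for a, b, kind in links:
        adj[a]
        adj[b]  # register both endpoints even when the link itself is cut
        if kind not in drop_kinds:
            adj[a].add(b)
            adj[b].add(a)
    return adj

def components(adj):
    """Connected components (the surviving 'islands') via breadth-first search."""
    seen, islands = set(), []
    for start in adj:
        if start in seen:
            continue
        island, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node in seen:
                continue
            seen.add(node)
            island.add(node)
            queue.extend(adj[node] - seen)
        islands.append(frozenset(island))
    return islands

def partition_report(links, drop_kinds=()):
    """Return (island count, fraction of node pairs that can still reach each other)."""
    islands = components(build_graph(links, drop_kinds))
    n = sum(len(i) for i in islands)
    reachable = sum(len(i) * (len(i) - 1) // 2 for i in islands)
    return len(islands), reachable / (n * (n - 1) // 2)

if __name__ == "__main__":
    for cut in ((), ("peer",), ("peer", "transit")):
        print(cut or "nothing cut", partition_report(TOY_LINKS, cut))
```

The reachable-pair fraction is the Metcalfe-style measure: cutting only the three peering links here leaves every host with connectivity, yet fewer than a third of host pairs can still talk.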

------
quellhorst
If the kill switch is built into routers, expect that to be used by hackers.
You'll have to use open source router code like dd-wrt to avoid it.

This is a bad idea and is trying to change how the Internet works. The
Internet was designed to stay on even if there was a nuke attack. ISPs have
been handling DOS attacks for years successfully without a kill switch.

------
gojomo
And note, if a 'kill switch' is ever required, the agency that will enforce
its adoption by ISPs? Just as with wiretap requirements and broadcast
language/content censorship, the FCC.

Remember that before cheering on the FCC to have authority over which ISPs are
sufficiently 'neutral'. (And don't be surprised when 'neutral' gets redefined
over time into 'compliant with the FCC's political biases'.)

