You're completely ignoring the potential monetary damages. Plenty of financial systems use the internet. I've also heard of a couple of other businesses utilizing the internet.
"Shit happens" would've been applicable if this was solved in 5 minutes. Accidents like this are trivial to prevent with proper policies.
You're completely ignoring the potential monetary damages. Plenty of financial systems use the internet. I've also heard of a couple of other businesses utilizing the internet.
So what you're telling me is that these financial systems' risk analyses didn't result in them mitigating this risk (1), but because things went pear-shaped now the government needs to step in?
I was going to be unsympathetic to them, because in my field we have to analyze and then mitigate certain levels of risk. But I guess if your business is financial, bellyaching after the fact to the government is your mitigation.
(1) different design, SLAs, making sure service providers already have those policies, acceptable and expected levels of downtime, whatever...
There are "financial systems" who actually care enough about their comms network to build it themselves (Google for "High Frequency Trading in my backyard" for some great stories).
Any "financial system" who uses "the internet" without acknowledging and accepting the risk of this sort of downtime should probably be considered incompetent. (Of course, there are probably many such institutions where the techs are currently saying "We warned you! But you refused to authorise the budget to mitigate this!" - who are now baying for blood from people who never signed up to provide 100% reliable networking for some cheapskate financial firm...)
I see you're very much concerned about liability and financial compensation here. I'm no lawyer so I don't know whether it could be a criminal offence to export prefixes like this either intentionally or by accident. However, we don't know what SLA agreements the financial institutions you speak of had with their providers. If said institution has paid for a 100% reachability guarantee then I would presume they are entitled to financial compensation. Everyone else, not so much.
I'm really not focusing on financial compensation here (I'm more interested in discouraging people from breaking the internet), with the amount of people affected that's a topic you could write books on.
I am focusing on liability though, I very much believe Telekom Malaysia should face criminal charges for this (I do not know if they should be sentenced though, as I am not aware of all the facts. That's up for the court to figure out.)
In most countries (I do not know if this applies to Malaysia too, but I believe it should) denial of service attacks are a criminal offence, I'd say exporting prefixes like this would constitute one.
I agree that denial of service attacks are at best unlawful. However, an attack? I think not. For it to be an attack I would presume there must be some evidence of malice and intent. I have seen no such evidence of this.
I don't actually think it's an "attack" either. But guilty or not is binary, the actual sentence tends to be affected by details such as malice and intent.
You're completely ignoring the potential monetary damages.
If there's a car accident that closes the road, it's frustrating for everyone involved. But if someone's crash means I'm late for a vital sales meeting and I lose a multi-million-dollar contract, I wouldn't blame them for my consequential losses.
But even if they do, they won't (and shouldn't) be held liable for any subsequent things that happen in your life because you were delayed in traffic, consequent to that accident.
You should do that though: it would allow us to know the complete cost of the accident so we can allocate the correct number of resources to preventing it.
Should the complete cost of the accident include monetary losses from people who had no plans for dealing with unexpected delays?
Or to put it another way: let's say you're driving across a bridge with your laptop in your car and you get hit, causing you to drive through the rail and into the ocean. Should the 'complete cost of the accident' change based on whether or not you were smart enough to make backups?
If they can't take something like this, they should not depend on public packet-switched networks. In many ways, "the internet" is a victim of its own success - it works so well most of the time that people come to expect too much of it.
"Shit happens" would've been applicable if this was solved in 5 minutes. Accidents like this are trivial to prevent with proper policies.