Posts by Innismir.

More Malware DNS Cache Scraping

There has been some impressive hoopla over the ZeuS DNS scraper I posted last week. There’s been even more chatter then I expected. I’ve received nothing but good feedback and have even gotten tweeted by Mikko Hyppönen and Lenny Zeltser, two people I have immense respect for. Anyway, I have continued messing around with the script, found and squashed a few bugs, and added a few features. So, now, I am releasing:

All of the old flags should continue to work, and most of the changes are under the hood. There is, however, one major bug that was squashed: apparently the old version would never update the local copy of the ZeuS domain block list, even when it was supposed to. So, I would highly recommend everyone use this newer version. The big feature that has been added in this script is the ability to limit the rate of queries being fed to the DNS server. When I was running v0.3, I would occasionally run into problems where the script would stall for a bit, presumably when the DNS server didn’t respond fast enough. Worried that the sheer amount of queries may be overwhelming the server and also trying to make this as low-impact as possible for folks to run, I added he –rate flag in which you can specify how many queries per second the script should send.

So, if you wanted to run it at 30 queries per second:

perl --server --server --rate 30

If no rate is specified, the script currently defaults at 25 queries per second, which (I assume) most normal DNS servers should be able to easily handle without breaking a sweat.

Also, this might probably the last version of this tool in it current form. I currently have a new and improved version baking in the oven that expands the capabilities and dataset of the tool. I hope to have this out and released within the next week or so.

A Tale of Two Skiddies…

… or, how selective prosecution of computer crimes is causing more problems then it’s solving.

Allow me to introduce you to two script kiddies: David Kernell and Michael Mooney. One of which is currently on trial for accessing computers in an unauthorized manner, the other is currently scott free for doing the same. Why is one being prosecuted for his crimes while the other is not? I think it’s a symptom of a larger problem in the legal system in the United States.

First off, a little background: In 2008, David Kernell aka “rubico” correctly guessed then Alaskan Governor Sarah Palin’s password reset question on her Yahoo mail account using public information sources such as Wikipedia. Kernell then proceeded to post the screenshots and other bits of information found in the account in a public forum on the Internet. A few months later, Michael Mooney aka “Mikeyy” found a security hole in the Twitter service which allowed a user to post Javascript in their “Bio” section. Mooney then decided that instead of doing the responsible thing and reporting this to Twitter, he should instead use the hole to hijack people’s Twitter account to at first promote a site he ran, then to sing his praises. You may remember me writing an article about what unfolded next, but that’s another discussion entirely.

Now, today, Kernell is currently awaiting trial for his crimes in a Federal court in Knoxville. Mooney would have long faded into obscurity in my mind, but he decided to do some Google vanity searches on himself, came across my article, and decided to convince himself that I was somehow jealous of his… hmm… nope, not sure on that one, but anyway… After telling him in no uncertain terms about what I thought of him, we got in a classic Internet argument.

After dealing with his inane ramblings and him trying trying to convince me that despite him admitting what he did broke the law what he did wasn’t illegal (Obviously, Mooney retained Erwin Schrödinger as counsel), I got to wondering why is Mooney free to drink Martinis, watch the sun rise, and fancy himself as some kind of security consultant, while Kernell is currently staring down a sentence in FPMITA prison? I understand that the Feds don’t have the time and inclination to investigate every little event, but the facts that Mooney admitted to doing it, his information is publicly available (Heck! Check his Twitter stream or his website and find his mobile number!), and that he’s admitted to breaking the law, the Feds are saying that while it’s not OK to break into a Vice Presidential candidate’s e-mail, you can hijack thousands of user’s computers to promote your website and get away with it, provided you don’t  do anything really nasty.

Something that has always concerned me is the selective prosecution of one computer crime and not of another. As someone who deals with the endless streams of attacks and scans coming down the SuperInfoBahn, “getting the bad guys” is a all too infrequent event. When incidents like the Mikeyy worm go un-prosecuted I feel that we are continuing to send the message to people that compromising a computer, website, or whatever, is fine provided that, you know, don’t do anything really bad, whatever that means. I think we’re essentially already looking at the Fixing Broken Windows theory at work: we’re not going after the crimes when their small, and thus, we’re continuing to see problems escalate. While I’m not suggesting that if we go after the small crimes we’ll see ZeuS drop off the face of the planet next week, it might start to take a bite out of younger people trying to compromise each other via Rouge Neopets Paintbrush Generators.

I don’t know how it’s come to be that Kernell is being prosecuted while Mooney is not, I’m sure going after such a high profile target under USSS protection definitely made it hard for Kernell to slide back into obscurity. I’m not suggesting that Kernell be let off  the hook for his crimes, but, I don’t think anyone can disagree that it’s fair that Mooney isn’t being held responsible for his crimes, while Kernell is.

Finding Malware on your network via cached DNS entries

UPDATE: There’s a new version, with 25% less bugs! Use this instead.

As some of you may know, I wear an Incident Response hat within my organization. As I like to be proactive and actively search for issues rather then just be an IDS alert monkey, I love pages like the Malware Domain List, the ZeuS Tracker, and While these are great resources, it is a bit difficult attempting to take the lists and apply them to the environment; most of their usefulness comes from when you have a questionable URL and need to see if someone else has reported it as a bad site. A great service, but not proactive.

While staring at the ZeuS Tracker Domain Block list and trying my usual method of snipe hunting manually entering domains to query the firewalls, a moment of inspiration hit: I don’t care about all the domains, just the domains that people visit. Who knows what domains people visit? The DNS servers! Now it was just a question of trying to coax the information out of the DNS servers. Thankfully, PaulDotCom Security Weekly came to the rescue: They have been talking about getting information out of DNS servers during penetration tests and a simple non-recursive DNS lookup on the local DNS server can tell you if someone queried for the host recently. A couple of quick experiments to verify this fact on my work’s main DNS servers confirmed this fact, and I set to work.

My first attempt was a simple script to take a pre-chewed version of the ZeuS Domain list, feed it through dig and pipe the output through grep. It worked, but I wanted something a touch more automated. Over the next couple of nights on the train, I whipped up a tool to automate the process a little more. The resulting tool is the ZeuS DNS Scraper. It’s a simple script written in Perl and should work straight out of the box with the default modules included in a Perl distribution.

Running the Script

Running the tool is fairly simple, there are only 4 options: –server, specifying which server(s) to query, –file, specifying where to put the downloaded ZeuS Tracker block list (defaulting to /tmp/ztbl.txt) , –download/–nodownload which specifies whether or not the script should attempt to download the block list, and –debug, which specifies the verbosity of the script.

A typical command line would be:

perl --server --server

Which would download the block list, and then proceed to query and for each entry in the block list. You can specify as many as many servers as you like, however, the block list often hovers around a thousand entries, so each additional server adds another thousand or so queries.

Alternatively, once the list is downloaded, the script will download the block list only if the local copy is older then 60 minutes, (don’t worry it doesn’t update that frequently). You can also specify that the script doesn’t download the list again with the –nodownload option:

perl --server --server --nodownload

You can also turn on debugging with the debug option, which will display every step in the process:

perl --server --server --debug

Interpreting Results

When the script is run in default mode, a ‘.’ will appear after each query, while in debug mode it will display the result of the query and whether or not it found an entry.

What You Want To See

NNNN queries made, 0 entries found! Hooray!

In this example, NNNN would be the number of queries sent, remember this increases which each additional server you need to query, and it has found 0 entries, indicating that the DNS servers queried have no cached entries for any of the domains. Congratulations, pat yourself on the back and grab yourself a nice frosty beverage from the refrigerator.

What You Do Not Want To See

NNNN queries made, 4 entries found. Uh Oh.
W.X.Y.Z has an entry in it's cache for
W.X.Y.Z has an entry in it's cache for
W.X.Y.Z has an entry in it's cache for
W.X.Y.Z has an entry in it's cache for

Well, crap. This time the beverage you need is probably kept in your flask. NNNN is the number of queries the script made and the “4” in this example is number of results found. In this example, “” was cached with two separate addresses, while “” and “” both have one apiece. The W.X.Y.Z in the above example is the DNS server that responded, and the 10.X.X.X addresses are the IP addresses that the DNS server responded with. These IP addresses are what you are interested in.

My DNS Servers Have Cached Entries! Now What?

This is where some good old detective work comes in. The presence of the cached entries on your DNS server only means that one of the clients on your network asked for the entry in question. Normally, it’s time to start plugging IP addresses in your firewall logs to see who’s been visiting them. Then it’s time to start cleaning.


Now, obviously, this sends a boat load of queries in a very rapid fashion to DNS servers. Make sure that your DNS server and your connection can handle the load and don’t run it against DNS servers that you do not have permission to do so. Also, some of the DNS entries have small enough TTLs that they may expire quickly, meaning that even if the script comes back clean, there could still be infected hosts.


I’d just like to say a big thanks to the folks over at for hosting the ZeuS Tracker. It’s a handy tool and it’s invaluable if you’re running even a moderately sized network.

ZeuS DNS Scraper

LMSD just a sign of things to come?

Over the past few weeks, the Lower Merion School District has been in the news due to their use of school issued laptops to photograph, monitor, and otherwise invade the privacy of students that used them. The information security community I follow on Twitter, Martin Mckeay in general, are up in arms regarding the school’s behavior, and rightly so. But, with the way things are blowing, at least in Massachusetts, are the things that LMSD did just a sign of things to come?

In Massachusetts, there have been a couple high profile suicides over the past year by students that were the result of being “bullyed” at school. While each death is a tragedy, the Massachusetts Legislature, backed by the public’s outrage, is trying to pass “anti-bullying” legislation in order to somehow fix the problem. The legislation covers the usual bases, making it illegal to harass students at school, but the bill also covers…

…bullying through, without limitation, electronic mails, cellular phones, instant messages, text messages or websites…

…and that each school district must prohibit…

…bullying through the use of the district computer system while on or off campus…

Of course, the legislation is, like any law, vague in how the school is to accomplish such things.

With schools keen to embrace the “computers and broadband for everyone” mantra, and with the possibility of it becoming illegal for students to harass one another online, are we going to see more mandatory school issued computers for students tightly locked down with monitoring software and all activities logged? With the recent groundswell of support by parents of stiffer penalties I worry about whether or not there would be similar outrage if such an incident like the one in LMSD occurs again. Will the general public be aghast or pleased at the fact that a school district monitors such behavior in a few years time? Even more concerning, as pointed out in ComputerWorld, schools get to slide sometimes as they have a sort of quasi-guardianship of students. It scares me that  if such legislation is passed and such an incident occurs again, the school may be able to legally hide behind such legislation saying that they’re trying to protect the general student populace as required by law.

Now, I am no fan of bullies, as I’m sure any computer geek that went to public schools can attest. However, despite the fact that everyone can agree that students harassing other students is bad, the schools should not have the right to monitor and investigate any behavior that happens physically off school grounds. Such areas are the parent’s and, if necessary, law enforcement’s domain. Also, as we start going even further down this slippery slope, are we going to see schools wanting to gain more access into student’s personal accounts if they access them from a school district computer? Wow! Check it out! This slope is slippery!

Any such legislation that mandates the protection of students must also mandate due process and protect the privacy of students, both the harassed and harassers. Otherwise we may start to see incidents like the one at LMSD stop being the exception and start being the rule.

Even More Mobile Operation Madness and being a good Lobbyist

So, I’ve had questions regarding the safety of using one’s amateur radio while operating for a while; but, over the last week, in the words of my sister “this shit just got real.” The Massachusetts House passed an anti-mobile phone bill that, while not banning mobile amateur radio operation outright, is sufficiently vague that such operation may be banned. While I often wonder about how safe mobile amateur radio operation is, I bit the bullet and wrote to my state senator asking for an exemption to federally licensed radio operators.

Now… This bill has caused a bit of a hoopla on the local amateur radio discussion lists I follow. After the house passed the bill, there was some questions and people were concerned regarding how it applied to Amateur Radio. Then, after the ARRL Eastern MA State Government Liason posted his analysis (Very timely! 2-3 days after the bill passed the House! Thanks for keeping us ahead of things!) people started posting e-mails that they were sending to their senator. The e-mails all consisted, more or less, of the message suggested by the SGL, which while a nice skeleton, left much to be desired. That, combined with the fact that everyone is sending e-mail, made me cringe. So, let me stand on my soapbox for a moment…

Ben’s Guide to Harrassing Lobbying Your Elected Official

For some reason, I like to put my two cents in when a topic that matters to me comes up on a state or federal level. I blame my Dad for being so active in elections when I was a kid. Since I seem to do it on a semi-regular basis, I seem to have developed a knack for it. So, let me attempt to offer some tips on lobbying (that’s right, you’re your own personal lobbyist) your elected official.

For the love of God, don’t e-mail if you have another way of making contact –  e-Mail is great. It’s quick, easy, and simple to send. This makes it a horrible medium for lobbying. Since so many folks do it, your message will likely be lost within the noise of all the other messages. The best way to contact your elected official is good old snail mail, it’s harder to ignore. When I brought this up on one of my mailing lists one of the curmudgeons replied “nah, they go through the shredder just fine…” While he is 100% correct, what’s easier to ignore? 100 e-mails in your Inbox or 100 letters being delivered by USPS?

Now, this is my personal opinion, but I feel the next best way to contact your elected official is via Fax. Fax edges out a phone call ever so slightly because there is a physical object delivered. While I’m sure that no receptionist would ever not write down your message, I think that a piece of paper showing up is just a bit more “real”

Be Informed – K3HI hit on this in his message. You’re speaking for all of us fighting to change the bill. If you look dumb, we all look dumb and you hurt our cause. Don’t berate, yell, or annoy. You’re not helping anyone.You attract more flies with honey then vinegar.

Be Brief – Don’t write a 20 page dissertation on the subject. Keep it to one page maximum. Say who you are and why you’re writing, list any credentials you may have on the subject, go into detail on your position, and close with what you would like your elected official to do.

Let me toot my own horn and show off my letter.

First off, I started with my name and address, and my senator’s name and address. This is a formal letter, so follow all those rules you learned in 7th grade English class (Mrs. McGuinness would be so proud of me!). Also, including your address will give the official a chance to respond.

Dear Senator Montigny:

Hello. As a constituent, I am writing you to ask you to oppose House 4475 in its current state. The definitions in this bill are vague enough that it could unfairly include amateur radio operators in its ban.

I started off with the fact that I’m a constituent. People write other people’s elected officials all the time because of the fact that they’re on some committee or just want to spam the entire legislative branch with their lobbying. By stating that I vote for him, I give myself a little more attention. I also state why I’m writing.

Now, I go into detail as to what I’m writing about. Lay it on thick. Tell a fun story. Why should your official see it your way? While this is 100% anecdotal evidence, but it is also 100% fact:

I am a FCC licensed Amateur (“Ham”) Radio operator. I have been since 1995. In order to reach my current license level (“Extra”), I’ve had to pass three separate exams. In these exams, safe operation radio operation is covered. I know that operating a radio while driving needs to be done with the utmost care, and shouldn’t be done in certain situations. Because of this, I also know that the same applies to mobile telephones. My wife often pokes fun at me because I don’t answer my mobile phone if I don’t feel the situation is safe enough. Amateur Radio operators have been operating in their cars for years, and we have never had issues with legislative action trying to ban us from operating. We only seem to be caught up in vaguely worded cell phone bans.

As much as I wonder how useful such services are, I decided to toe the party line and wave the bloody shirt of public service too…

Amateur Radio provides a valuable public service for the community at large. This past Wednesday during the snow storm, SKYWARN, an amateur radio weather observation group, passed information to the National Weather Service and MEMA regarding storm and road conditions. If this ban takes effect, this information will be limited to amateurs operating in fixed locations, which will limit the timeliness and accuracy of information.

I now wrap up by restating what I would like him to do. Note that I didn’t specifically ask for an exemption of Amateur Radio. I asked for an exemption of any FCC licensed radio operator. No sense in splitting hairs.

I am asking you to please oppose House 4475 in its current state. Alternatively, if you would like to support it, please amend the bill to include a exemption for federally licensed radio operators like myself operating radio equipment.

Finally, I always close with my contact information, on the off chance the official wants to talk further. I will be shocked if this ever happens, but I feel that it shows that I don’t mind having a dialogue. I also thank the official for his or her time. Always be polite!

If you would like to discuss this further, please do not hesitate to call me at <my telephone-o-rono>, or e-mail me at <my e-mail address>.

Thank you for your time.

There you have it. This fit onto one page with 11 point font and it was put in the mail today. I hope it will arrive on Beacon Hill by Tuesday and that it will start a revolution regarding exemptions for two-way radios in any future cell phone bill.

Hope this might have given you some good ideas about writing and may have inspired you to start lobbying yourself. It’s hard to complain about the system when you don’t participate.

A man’s got to know his limitations. Dirty Harry, th3j35t3r, ethics, and InfoSec

There has been a minor murmur in the TwitterSphere recently regarding th3j35t3r, a person who is launching Denial of Service attacks against websites that sympathize with or actively promote Islamic terrorism. The questions being asked are not new: Do two wrongs make a right? Is it ethical to attack “the bad guys” with a taste of their own medicine? Should we be condemning, condoning, or congratulating such behavior?

Neal Stephenson put it best in Snow Crash that “Until a man is twenty-five, he still thinks, every so often, that under the right circumstances he could be the baddest mother&^%#er in the world.” I think that deep down in every InfoSec professional’s heart, we want to be that mother&^%#er. We think, every so often, that we could go rogue, drop off the radar, and launch a one man war against the script kiddies, mafia types, and general ne’er-do-wells that inhabit the Internet. I think that’s why some of us are having a tough time reconciling th3j3st3r’s actions within their own moral code of being one of the “good guys”. I think everyone agrees that the sites being attacked are “bad” in the incredible sliding scale of morality. The question that comes up is: Does leveraging methods such as DoS attacks against “bad” sites result in a “bad” or “good” outcome?

I think that this question can be answered by one of Hollywood’s legendary bad mother&^%#ers, Harry Callahan. In the 2nd film of the “Dirty Harry” series, Magnum Force, the plot revolves around a group of cops that have “gone rogue” and are taking out criminals in San Francisco. Now, anyone who has watched the “Dirty Harry” series (You have, haven’t you? If not, go order it on NetFlix and watch it. Go Ahead. I’ll wait… Back? Good, huh?) know that Callahan is a cop who gladly tosses out the rulebook when it gets in his way of getting the bad guy. While trying to reconcile the rogue cops methods against his own playbook, there is an important quote by Callahan: “I hate the goddamned system, but until someone comes along with changes that make sense, I’ll stick with it.” This should be the mantra of every information security professional who deals with the scum of the Internet day in and day out. There is a system that we use, such as takedowns and working with ISPs to get bad material removed, and while it fails on a regular basis, it’s what we have to work with. I know how difficult it can be, as I have been on the front lines desperately trying to work with ISPs to take down a phish or a piece of malware from their servers and running into stone wall after stone wall. I’ve often wished for some kind of more effective system. While I don’t think anyone can debate the effectiveness of th3j35t3r’s tactics, I feel they cross a line that should not be crossed. While I feel that the removal of such sites is a good thing, the methods in which it is accomplished is not.

The question of morality aside, no one knows exactly “how” th3j35t3r is DoSing these sites, th3j35t3r says it’s “like a DDOS attack, except without the first ‘D’. There is nothing ‘distributed’ about this. It is possible with very low bandwidth and a single low-spec linux machine.” While judging from his description I have an idea of what his tool of choice may be, we likely won’t know due to the sites he’s choosing since they aren’t the ones who are likely going to run to the authorities. The ones that are talking are making their own assumptions and are mostly conjecture. So, it’s likely we won’t know any time soon exactly what he, or she, is doing. Does it affect other sites on the same network? Could it be disrupting critical services hosted on the same netblock? Are the attacks being pivoted across systems that did not give permission to be involved? Is there any collateral damage? Until we know exactly what’s going on, we can only guess.

There’s another quote from Magnum Force that I want to toss out here. The quote is “A man’s got to know his limitations” and I feel sums up the debate correctly. I think that, at least in my case, I know my limitations, and I think that DoSing sites, no matter how bad they may be, is beyond my limitations ethically.

UPDATE: Shouts to @Shpantzer for pointing out my ability to make “people operating outside normal or desirable controls” into “red or pink cosmetics for coloring the cheeks or lips” with a single typo.

I’m on the D-List!

Andrew Hay has been doing a series of interviews with the various unsung heroes of the security industry calling it the “Security D-List”. I’m pleased to say that if anyone asks, I can now say where I rate.

I was bored during lunch. Can you tell?

Bored at lunch and sketched this out…

“Son, we live in a world that has firewalls, and those firewalls have to be administered by people with a clue. Who’s gonna do it? You? I have a greater responsibility than you could possibly fathom. You weep for your Internet access, and you curse the security admins. You have that luxury. You have the luxury of not knowing what I know. That the firewall rule set, while convoluted and not perfect, probably saved data. And my existence, while grotesque and incomprehensible to you, saves data. You don’t want the truth because deep down in places you don’t talk about at parties, you want me on that firewall, you need me on that firewall. We use words like “high availability”, “cloud”, “ISO 27001 compliance.” We use these words as the backbone of a life spent defending something. You use them as marketing fodder. I have neither the time nor the inclination to explain myself to a man who surfs and e-mails under the blanket of the very security that I provide, and then questions the manner in which I provide it. I would rather you just said thank you, and went on your way, Otherwise, I suggest you install an IDS console, and stand a post. Either way, I don’t give a damn what you think you are entitled to.”

“Did you block Facebook access from the company?”

“I did the job I…”

Did you block Facebook access from the company?

You’re Goddamned right I did!

Not up to the same level of Hoff’s creativity, but I found it amusing…

Some speaking-related stuff…

So, a quick post about two things:

1st, I did a presentation to the Boston Chapter of the Association of Government Accountants for their monthly meeting as part of my day job. I’d like to think I did fairly well and there certainly was a fair amount of discussion afterward. In case any of them find their way here in an attempt to find my slide decks, I am happy to oblige:

  • Information Security and You PPT (1.4MB)
  • Information Security and You PDF (1.8MB)

2nd, I have been selected to speak at QuaghogCon in Providence, RI the weekend of April 24th and 25th. I’ll be departing from my usual “Information Security” speaking groove and instead will be evangelizing Amateur Radio. Sadly, this means I’ll be missing out on B-Sides Boston, but that’s the way the cookie crumbles. Registration is open now and I’ve heard rumors that attendance will be capped at 150, so even if you don’t want to hear me speak, buy a ticket; there are going to be some awesome presentations.

Threats to Amateur Spectrum, winnable battle or game over?

Mark, K6HX recently asked what people are thinking regarding the “looming spectrum crisis” and the various “spectrum inventory” acts that are currently winding their way through Congress. Mark and I seem to be more or less in agreement regarding what may be around the corner:

When we say that our “ham radio political leaders” should remain vigilant against possible spectrum reallocation, I think that we are shifting the responsibility (and in the future, likely the blame) to them, when the responsibility really lies with us. We as radio amateurs are simply not doing enough to justify our use of UHF+ spectrum. When we rely on political action committees to justify our use of this valuable public resource, we should be working hard to provide them with every possible justification that they can use. It isn’t Congress who is placing these frequencies in peril: it is our own inactivity which does so. If we lose 1.2GHz, or 220Mhz, or any of our other allocations, it will be because we frankly aren’t using them enough. If I thought that these frequencies could be effectively used to give Internet broadband to millions of underserved Americans, I’d have to say “take those frequencies, we will miss them, but we had our chance with them”.

Mark hits the nail right on the head with this statement. If we lose any bands it’s our own fault for lack of activity on them. While I don’t think 70cm (think PAVE PAWS) and below are in danger, everything else is fair game, and this includes my beloved 33cm. I am very much a “life begins at 50MHz” kind of amateur and I wish we would see more use of the GHz bands, especially 12cm (2.4GHz) but I realize that most Hams hardly venture above 148MHz, and 95% of the experimentation in the community is below 30MHz. What does this mean when the Feds come knocking on the ARRL’s door asking for spectrum?

Game Over Man! Game Over!

Game Over Man! Game Over!

Amateur Radio, in its current state, cannot justify the spectrum it’s given. Period. Full Stop. No amount of wharrgarbling about public service or what kind of value we provide is going to change that. Go ahead and read the ARRL’s Frequency Allocation page and ask yourself how many bands you’ve used in the past week, month, or year. Heck, even go back five years. I bet that most of you have never gone above 2M. Anthony, K3NG, takes an even more dower view in the comments section which I have a hard time disagreeing with:

Even if we would start using these bands more, I’m not sure that would be enough to keep them from being reallocated, even if we could get 50% of our active amateurs on them. If we calculate how many bits/hertz are currently being used in our spectrum versus what would be used if reallocated, and perhaps even take it a step further to model the geographical aspects and frequency reuse, it’s hard to objectively argue against mobile wireless use of these bands. Unfortunately we’re not going to be able to depend on the classic defense based on emcomm use or experimentation; the potential public benefit is just too great…

So, the question is, what can we do? I think we have two options, both of which, if they happen, will cause lamentations the like we have never seen across QRZ and eHam.

#1 Roll over – This is obvious. We lose, they win their spectrum, and we’re further sidelined into obscurity. While I don’t think this will happen and I’m sure that many of you agree, there is a distinct chance that the FCC will make a power grab for the “greater good” and legislate some of our bands out of existence without giving us a second look. Why? Because the amount of people served by expanded wireless service is pretty much a “no brainer” kind of decision. Since everyone on the federal level is hopping on the “broadband for everyone” bandwagon, passing off this kind of action will easily pass the “public approval” sniff test.

#2 Play lets make a deal – We play the cards we’ve been given and we proactively start making plans to give up bands and if we see the writing on the wall, we proactively approach the FCC with options. While, yes, you are correct, this approach did not work out well for Neville Chamberlain (Please note, I am *not* comparing the FCC to Hitler) we might be able to salvage concessions that guarantee the future of the hobby and bands. Give up 1.25M, 23cm, and 3300-3500 MHz for a law or something to guarantee the rest of our spectrum? I’d be OK with that.

These are not going to be easy decisions that are forthcoming if the Feds start scrounging for spectrum. I am pretty sure we’re going to lose any battle that comes to it. I think we as a hobby need to start figuring out what we are going to do now rather then run around like chickens with our heads cut off when the tax man cometh.

The other obvious part to this is that we should also start pushing the use of more of our spectrum. Why am I not seeing the ARRL start pushing for simple 2.4GHz data projects? With the demise of packet radio beyond APRS and the HUGE FREAKING SWATH OF IPv4 ADDRESS SPACE we have why don’t we see a organized effort for creating low cost homebrew builds? Instead, the ARRL is focusing on 40M while the HSMM page is so old it has dust on it. Way to go ARRL.