Points on your Internet driver's license (was RE: Even you can be

Paul Vixie vixie at vix.com
Sat Jun 12 05:48:32 UTC 2004


sean at donelan.com (Sean Donelan) writes:

> ...
> 
> Why do so many people ignore their ISP when told about problems with
> their computer?  My computer can't be infected, I have a firewall.

in any other industry, you (the isp) would do a simple risk analysis
and start treating the cause rather than the symptom.  for example you
might offer inbound filtering, cleanup tools and services, and you would
put their computer in cyberjail when it was known to be "infected", and
you would certainly not offer your services without a clear idea of how
to reach the customer and assist them in getting out of cyberjail --
even if it meant rolling a technician.

but then you'd have to charge for all that.  and in the isp business,
you'd have competitors who wouldn't offer it and wouldn't charge for it,
and you'd lose business or maybe even go out of business.

with the unhappy result being that you just let it happen, which is bad
for your customers, and bad for the rest of us on the internet, but not
nearly as bad for you (the isp).  for you (the isp), every possible cure
is worse than the disease.  but you don't seem to mind that the rest of
us, and your customers, catch various diseases, as long as *you're* ok.

feh.

> Paul Vixie proposed that people should be required to use personal Co-Lo
                                  ^^^^^^^^^^^^^^^^^^(1)
> so the co-lo provider has collateral to seize when the customer fails to
                            ^^^^^^^^^^^^^^^^^^^(2)
> keep the computer secure.

well, no.  i (1) said that people who had personal co-lo boxes in better
internet neighborhoods and who could just use their cable or dsl line
for web browsing and for access to their personal co-lo box would have
less of their e-mail rejected at the far end.  and as for (2), i think
that anyone who co-lo's a personal box is likely to first learn how to
pay enough attention to it that it will not become a malagency for third
parties, and that a co-lo operator who only had such customers would be
able to charge enough to pay for some monitoring and cleanup and so on;
the possibility of seizure is more for the case of deliberate abuse (like
ddos'ing an irc server, or sending spam, or hosting spamvertized www)
than third party abuse.

see <http://www.vix.com/personalcolo/> for more information about all that.
and note that i'm broadening it to include smtp-auth/webdav/ftp providers
who want to serve basically the same market but without dedicated iron.  so
if you offer that and havn't told me, then please tell me now.

> Would customers complain if ISPs started seizing their computers instead
> of sending them large bills?

that's so unsequitur that i don't even know how to read it let alone answer.

> Should ISP's charge customers cleanup fees to encourage them to keep
> their computers secure?

yes.

> $10 or $100 or $1,000 per incident?

no.  there should be a forfeitable deposit, plus an per-incident fee which is
mostly to pay for the cost of monitoring and the cost of auditing the host
to ensure that it complies with the isp's security policy before it can be
reattached.  the deposit can be refunded after N years of incident-free
behaviour, and should be doubled after each verified incident.

> Should it be like points on your Internet driver's license?  For the
> first incident you have to attend 8-hour traffic school, for the second
> incident in 12 months you have points put on your record and your
> insurance rates go up.  Too many points, and your Internet privileges are
> revoked.

alas.  on the internet, nobody knows you're a dog.
-- 
Paul Vixie



More information about the NANOG mailing list