Points on your Internet driver's license (was RE: Even you can be

Sean Donelan sean at donelan.com
Sat Jun 12 07:25:11 UTC 2004


On Sat, 12 Jun 2004, Paul Vixie wrote:
> in any other industry, you (the isp) would do a simple risk analysis
> and start treating the cause rather than the symptom.

What other industry do you know where you are expected to fix products
you didn't sell and didn't cause for free?  Should we revoke Carterphone?
You can't connect a TiVo or unauthorized device to your ISP connection,
and the ISP would remotely control all the devices on your home network to
ensure they are patched and secure.

Send me your root passwords.  Trust me.


> for example you
> might offer inbound filtering,

Done. Effectiveness?

> cleanup tools and services,

Done. Effectiveness?

> and you would put their computer in cyberjail when it was known to be
> "infected",

Done. Effectiveness?

> and you would certainly not offer your services without a clear idea of how
> to reach the customer and assist them in getting out of cyberjail --

Done. Effectiveness?

> even if it meant rolling a technician.

Done. Effectiveness?


Been there, done that.  Got any new ideas?


> no.  there should be a forfeitable deposit, plus an per-incident fee which is
> mostly to pay for the cost of monitoring and the cost of auditing the host
> to ensure that it complies with the isp's security policy before it can be
> reattached.  the deposit can be refunded after N years of incident-free
> behaviour, and should be doubled after each verified incident.

How much are you willing to pay?

The bank industry makes billions from late payments, overdrafts, charge
backs.  It makes banks a lot of money, and puts people in bankruptcy, but
doesn't seem to be very good at teaching people to handle credit wisely.

People already think ISPs make money from infected computers and spammers.
What incentive would there be for people to fix things instead of just paying
them off?  Is it OK to spam, as long as you pay a lot?  Is it OK to leave
an infected computer on the network, as long as you pay a lot?  Haven't
you just described what "bullet-proof" web hosting companies do?

How do we create incentives for people to want to buy more secure
products?  Why do people continue to buy Windows instead of Macs?
Cars have a gas guzzler tax to encourage fuel efficiency; should Windows
computers have a security guzzler tax to encourage security?


> > Should it be like points on your Internet driver's license?  For the
> > first incident you have to attend 8-hour traffic school, for the second
> > incident in 12 months you have points put on your record and your
> > insurance rates go up.  Too many points, and your Internet privileges are
> > revoked.
>
> alas.  on the internet, nobody knows you're a dog.

Regulations could fix that.

The US Postal Service has the Postal Inspection Service.  They have
jurisdiction anywhere the mail goes.  The post office didn't create
the Anthrax, they delivered the envelopes as addressed.

Most railroads have railroad police with jurisdiction anywhere the
railroad tracks go.  Some railroad police departments have trans-national
jurisdiction in multiple countries.

Do we need an Internet Police with jurisdiction anywhere the Internet
goes?  Instead of waiting for the FBI to make a case, the ISP police
could arrest people.

Should ISPs be required to forward all their customer information
and logs to the Department of Homeland Security (or other national
equivalent) so they always know who is doing what?  Would that solve
the no one knows you're a dog problem?
