Points on your Internet driver's license (was RE: Even you can

Paul Vixie vixie at vix.com
Sat Jun 12 16:15:09 UTC 2004


sean at donelan.com (Sean Donelan) writes:

> > in any other industry, you (the isp) would do a simple risk analysis
> > and start treating the cause rather than the symptom.
> 
> What other industry do you know where you are expected to fix products
> you didn't sell and didn't cause for free?

risk management doesn't mean fixing other people's problems for free, it
means building your business with knowledge of those problems, and making
sure your business copes with them.

> You can't connect a Tivo or unauthorized device to your ISP connection,
> and ISP would remotely control all the devices on your home network to
> ensure they are patched and secure.
> 
> Send me your root passwords.  Trust me.

you should offer this service.  most of us would urge our parents'
generation to sign up for it.  (i hope you weren't joking.)

> > for example you
> > might offer inbound filtering,
> 
> Done. Effectiveness?
> 
> > cleanup tools and services,
> 
> Done. Effectiveness?
> 
> > and you would put their computer in cyberjail when it was known to be
> > "infected",
> 
> Done. Effectiveness?
> 
> > and you would certainly not offer your services without a clear idea of
> > how to reach the customer and assist them in getting out of cyberjail
> 
> Done. Effectiveness?
> 
> > even if it meant rolling a technician.
> 
> Done. Effectiveness?
> 
> Been there, done that.  Got any new ideas?

with all due respect, which is in fact waning due to your sarcastic attitude,
none of those things have been done.  oh, sure, various isp's have waved at
those problems, and some have paid some lip service to them, but it has not
been seriously tried, because there's no way to insist on them and still
make money.  if you or any other isp seriously "Done."'d those things, then
the few customers you'd have left would be very happy, and the rest of us who
are not your customers would also be very happy with the lack of swill coming
from your network.

> People already think ISPs make money from infected computers and spammers.

only because i've been an insider at a couple of places where it was arguable.

> What incentive would there be for people to fix things instead of just paying
> them off?

i believe i mentioned doubling the forfeitable deposit on each verified
incident.

> Is it Ok to spam, as long as you pay a lot?  Is it Ok to leave an
> infected computer on the network, as long as you pay a lot?  Haven't you
> just described what "bullet-proof" web hosting companies do?

i don't accept e-mail from rackspace.com or any of their customers, because
this appears to be their business model.  on http://www.vix.com/personalcolo/
i present what i call a "good internet neighborhood" model.  a "bullet proof
hosting" company wouldn't qualify, no matter what deposit they collected or
how much customer equipment they had on-site.

> > alas.  on the internet, nobody knows you're a dog.
> 
> Regulations could fix that.

no, really, they couldn't.  bad guys can cons up a new identity every week
if that's what it takes to avoid driving with a bad internet driver's license.

> Most railroads have railroad police with jurisdiction anywhere the
> railroad tracks go.  Some railroad police departments have trans-national
> jurisdiction in multiple countries.

several times i've suggested that only by upgrading this problem to the level
of inter-national treaty, as has been done with other offenses like drugs and
fraud and violence, will we begin to see the beginnings of "containment."

you, sean, were party to at least one of those threads.  perhaps you can do
some homework and answer now what you didn't bother to answer then.

> Do we need an Internet Police with jurisdiction anywhere the Internet
> goes?  Instead of waiting for the FBI to make a case, the ISP police
> could arrest people.
> 
> Should ISPs be required to forward all their customer information and
> logs to the Department of Homeland Security (or other national
> equivalent) so they always know who is doing what.  Would that solve the
> no one knows you're a dog problem?

no, it wouldn't.  until the cost of creating new identities can be driven up,
then nothing adhering to identity, such as reputation, will be of any real
value in stopping repeat abusers.

a dsl or cable provider is in a unique position in this regard.  you know who
your customers are and you know where they live.  as a favour to the rest of
us, it would be a fine thing if you would take advantage of this position to
cause a general increase in the reputation-level of your customers' IP addrs.
whether you do that with deposits, truck rolls, filtering, cyberjails, weekly
training seminars, and/or lawsuits against microsoft and apple, is your
problem not ours, since you make the profit from these customers.  how you
remain profitable and competitive while managing these risks is also your
problem, again since you make the profit from these customers.

google for "chemical polluter business model" if you want more background.
-- 
Paul Vixie


