Points on your Internet driver's license (was RE: Even you can
Scott A Crosby
scrosby at cs.rice.edu
Sun Jun 13 11:33:35 UTC 2004
On Sun, 13 Jun 2004 00:10:56 -0400 (EDT), Sean Donelan <sean at donelan.com> writes:
> Should ISPs charge for security like the Universial Service Fund fee
> on your telephone bill, everyone (not just grandmothers) has to pay
> it. The FCC (or your national equivalent) would sets the rate every
> quarter, and it appears on everyone's ISP bill. You have to pay it,
> even if you already have other security.
Not that this solves the problem, but I'll argue that the party
responsible for the bill should be the same as the party responsible
for the security. Anything else would be a subsidy and perhaps even
discourage secure behavior.
If users are assumed to have ultimate responsibility, then why would
users be proactively secure when they'll be forced to subsidize
insecure users.
If vendor X builds notoriously insecure software, and vendor Y
doesn't, then a scheme that allows vendor X to push the costs onto
their non-customers is also a subsidy. In particular, the USF doesn't
seem to incentivize the creation or installing of more secure software
because neither vendor X nor its users are directly responsible for
the aftermarket maintainance and patching costs.
The costs should be born by whomever is deemed responsible for the
problem. I think that this ultimately comes down to users. They choose
what and how their computers are secure and they choose what software
to install.
I don't think breaking end-to-end by NAT, firwall, or proxy proposals
for ordinary users is an acceptable solution. It'll make it much
harder to deploy new protocols, and it'll encourage universal
tunneling over port 80.
Scott
More information about the NANOG
mailing list