"Default" Internet Service

Sun Jun 13 11:59:53 UTC 2004

Sean Donelan wrote:
> Selling people barn doors and barn door audits is easier than figuring
> out how the rustlers are getting the horses. The problem is the horses
> aren't being rustled(?) through the barn doors.  If they were, you would
> expect to see a difference between barns with doors and barns without
> doors.  But in practice, we see people with and without firewalls with
> infected computers.  Network level controls aren't as effective as
> some people hope at stopping many things.  ISPs should stop porn, ISPs
> should stop music sharing, ISPs should stop viruses, ISPs should
> stop <insert here>.  Yet somehow users manage to find a way around
> all of them.
> So what makes some users more likely or less likely to have infected
> computers?  How do they become infected, but other users don't?  What's
> different between the two groups?
Skill, Desire and Luck - not always in that order.

I usually set out my stall on this one by making a the following 
assumptions -

1) any protective measure that relies on users having common sense will 
inevitably lead to astonishment at how uncommon common sense is (core rule)

2)Warning messages are now so common users don't read them, and web 
popup boxes even more so. By simple extension therefore, no warning 
message is of any value - users will read just enough to discover how to 
make it go away, and if the obvious way of doing so works, won't trouble 
themselves further. (case in point - "how did that porn dialler get 
there? I only visited a website or two. Yeah, there was some sort of 
popup box but I closed it")

3) not all machines will be vulnerable - either by skill, initial 
design, patching dilligence or obsolescence, some machines will be 
inherently protected against any given outbreak. Downside there is - 
said users will invariably decide they don't *need* to take protective 
measures because this one attack couldn't affect them (case in point - 
most linux users do not have AV software of any type, despite at least 
one being free and open source)

4) any scheme that relies on blocking users from what they want to do 
will be bypassed by at least some of those users; once some of the users 
know how to do it, the blackhats won't be far behind teaching their 
creations how to do it too, and the greyhats in writing little pretty 
gui tools to do it automagically - relying that users knowing how to 
bypass lockdowns being skilled enough to look after their own security 
therefore violates rule 1

5) anything that relies on convincing the users (or better yet their 
machine) that the action *is* what they want to do is onto a winner; see 
rule 3 and indeed rule 1 for details.

so back to your list.

 > ISPs should stop porn,
not going to work - prohibition just makes it harder to regulate stuff, 
even leaving aside the moral issues of trying to block online what can 
be bought in most newsagents.

 > ISPs should stop music sharing,
why? users obviously want to do it, and in many places it is not a 
criminal act (copyright violations being civil not criminal in most 
countries)
ISPs should of course co-operate with any lawful warrant or court order, 
and (for practical purposes) try to limit their own expenses in having 
to deal with copyright violations on websites and so forth but in the UK 
(Not sure about elsewhere) the real problem is commercial pirates 
selling dodgy copies from stalls or car boots, and that predates the web 
(and indeed the CD)

 > ISPs should stop viruses,
Sure. I don't think that should be free though - plenty of services out 
there offer filtered, reactive web access to remove all those nasty 
worms, email viruses and so forth as fast as is possible. Doing that 
work *costs* and has little or nothing to do with the business of 
pushing bits down wires. Yey the free market....

 > ISPs should stop <insert here>.
damn right. <insert here> has always bugged me :)