"Default" Internet Service

Smith, Donald Donald.Smith at qwest.com
Mon Jun 14 14:54:55 UTC 2004


First, are the consumers willing to pay for a "safer" internet
DSL/dial/isdn?
I believe if they were, there would be a safer service available. I have
seen several "secure" ISPs fail in the last
few years. If you have any data that shows that there is a market for a
more secure dialup/DSL/isdn... please share it.

2nd, blaming infected machines on the internet is similar to blaming your
postal carrier for bringing you junk mail and bills. About 1/2 of all of
the large "infection" events on the internet are the result of people
running unpatched, unsecured applications on their machines. The other
half of the infections I see are due to an end user opening an email and
running an attachment. Even with a secure OS this simple method of
infection will continue to work.

How and when did it become the responsibility of the ISP to protect the
end users' machines?
Do ISPs get paid to protect end user machines?
If you want to blame someone, maybe the company that provided the
insecure OS that requires monthly patches to fix portions of the broken
code they sold. Or you could blame the end users who open unknown
attachments.

I would like a real solution to the problem. Simply blocking ports is
not successful. 
So I recommend 2 steps. 

First, buy OSes that are more secure out of the box.

2nd, teach users NOT to click on everything they see.

Donald.Smith at qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
Brian Kernighan jokingly named it the Uniplexed Information and
Computing System (UNICS) as a pun on MULTICS.

> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of Matthew Sullivan
> Sent: Sunday, June 13, 2004 5:02 PM
> To: nanog
> Subject: Re: "Default" Internet Service
>
> Christopher L. Morrow wrote:
> 
> >On Sat, 12 Jun 2004, John Curran wrote:
> >
> >>The real challenge here is that the "default" Internet service is
> >>wide-open Internet Protocol, w/o any safeties or controls.   This
> >>made a lot of sense when the Internet was a few hundred sites, but is
> >>showing real scaling problems today (spam, major viruses,
> >>etc.)
> >>
> >>One could imagine changing the paradigm (never easy) so that the
> >>normal Internet service was proxied for common applications and NAT'ed
> >>for everything else...  This wouldn't eliminate all the problems, but
> >>would dramatically cut down the incident rate.
> >
> >This sounds like a fantastic idea, for instance: How much direct IP
> >does joe-average Internet user really require? Do they require anything
> >more than imap(s)/pop(s)/smtp(+tls) and dns/http/https ? I suppose they
> >also need:
> >1) internet gaming
> >2) voip
> >3) kazaa/p2p-app(s)-of-choice
> >4) IM
> >
> >Actually I'm sure there are quite a few things they need, things which
> >require either very smart NAT/Proxy devices or open access. The
> >filtering of IP on the broad scale will hamper creativity and
> >innovation. I'm fairly certain this was not what we want in the long
> >term, is it?
>
> I actually suggested something like this at the recent AusCERT 2004
> conference...  It's not such a bad idea....
>
> The real question being "why are we giving mums and dads who sign up
> to the internet, and know nothing about either the Internet or
> computers, full unrestricted incoming and outgoing access...?"  ...
> answer because the more bandwidth they use the more the ISP earns... so
> the ISPs don't care (in some cases) if the mums and dads get trojaned,
> because it's all money.
>
> My suggestion to the AusCERT delegates was to introduce a new default
> service which has very limited access, and if people ask for more, give
> them the access after they have read through various 'educational'
> pages....  Perhaps a simple online quiz at the end - just 3-5 questions
> with the answers being very clearly explained in the previous pages -
> just to show the people have actually read the pages, rather than
> skipped to the end and hit 'I accept'.
>
> I also suggested that if ISPs have the technology perhaps a simple IP
> pools method of allocating the user's IP, where they could turn on and
> turn off access to certain protocols - eg: have a pool for P2P users, a
> pool for VOIP etc...
> 
> / Mat