"Default" Internet Service

Matthew Sullivan matthew at sorbs.net
Tue Jun 15 04:14:45 UTC 2004


Owen DeLong wrote:

>
>
> --On Tuesday, June 15, 2004 7:26 +1000 Matthew Sullivan 
> <matthew at sorbs.net> wrote:
>
>>
>> Smith, Donald wrote:
>>
>>> First are the consumers willing to pay for a "safer" internet
>>> DSL/dial/isdn?
>>>
>> Why should they have to?
>>
> Because providing it costs more.
>
>>> I believe if they were there would be a safer service available. I have
>>> seen several "secure" isp's fail in the last
>>> few years. If you have any data that shows that there is a market for a
>>> more secure dialup/DSL/isdn... please share it.
>>
>> No, but it won't be long before you will find half a dozen reasons why as
>> an ISP you will want to do it - but then it may be too late.
>
> Such as? 

That I am bound not to say unfortunately, however all will become clear 
soon (it'll be in the press).

>>> 2nd blaming infected machines on the internet is similar to blaming your
>>> postal carrier for bringing you junk mail and bills.
>>
>> Crap
>
> It's not crap.  Infected machines are no more the fault of the internet than
> junkmail in your mailbox is the fault of the post office.  There's literally
> no difference to the model.  The post office delivers mail that is addressed
> to you.  They don't care if it's junk mail or not.  They deliver it. 

If you're a water company, and you deliver rusty water through your 
pipes - you are responsible

> Actually, I suspect it's a much larger fraction, more along the lines
> of 80 to 90%, possibly more. 

Agreed

>>> Even with a secure OS this simple method of infection will continue to
>>> work.
>>
>> Correct
>
> And how is an ISP supposed to do anything about this? 

Education... and how to educate - well if they don't want to do it for 
their own personal gain, force them.... How to force them... don't give 
them access until they have learnt the basics...  Hitting them 
financially when they get it wrong will force most to learn rather than 
get caught again, but it would be nice to stop them in the first 
place.... further what are you going to do with those who you try to 
'fine' and they just go to another ISP...? (I do have some experience 
with this don't forget - much to the annoyance of some) ... Anyhow 
remember this:

Prevention is better than a cure...

>> However you are ignoring the fact that once the machine is infected, the
>> machine can be used by hundreds of people (skript kiddies) to damage
>> other parts of the internet, further they can (and are) being used by
>> organised crime to extort money out of large financial institutions and
>> companies, and that's not to mention DDoS's on the smaller people who are
>> just in the way.
>
> Right... So, you should be working really hard to get people not to allow
> their machines to be infected, and, to get ISPs to disconnect infected
> sites from the network.  I support both of those moves.  The rest is just
> a way to tax the clueful for the ignorance of the masses with little 
> benefit. 

We're already being taxed... In Australia we are forced to pay for 
incoming and outgoing traffic - so DDoSes and Spam cost the recipient.

>>> How and when did it become the responsibility of the ISP to protect the
>>> end users machines?
>>
>> It hasn't, however the data coming from an ISPs network has always been
>> the responsibility of the ISP.... and I would suggest if you cannot stop
>> the endusers getting infected, then you should look at stopping those
>> machines from abusing other machines on the internet....  If you will not
>> do that you should not be peered.
>
> Sorry... The data ORIGINATING from the ISPs network is the responsibility
> of the ISP.

I did say 'data coming from an ISP'...

>   The data transiting the ISPs network is just that.  The ISP
> has no obligation, indeed, no right to look into the data beyond what is
> necessary for delivery and operation of the service (ECPA). 

Now that is debatable - and probably not best discussed here or in this 
thread.... AFAIAC the traffic coming from an ISP is the responsibility 
of that ISP - if it's transiting they are still responsible...  It's the 
'car accident' principle..  3 cars (A, B & C) pull up at a stop sign, B 
stops behind A, C runs into B and pushes B into A...  A doesn't sue 
C.... A sues B for A's damage, and B sues C for B's damage, A's damage 
and costs.

> I agree that ISPs should shut off sites that are demonstrably spewing
> abuse and notify those sites of the problem.  I've repeatedly supported
> several models for doing just that.  However, this is different from making
> the ISP responsible for breaking the users connectivity prior to such
> an event in the name of preventing the user from shooting themselves in the
> foot.  I further like the idea of de-peering ISPs who don't do this, and,
> if you can get a critical mass of the major ISPs to do that, life will
> start to get better.  If you can't, it won't. 

...and in the current economic environment, and the size of the 'worst' 
ISPs, is going to stop that from happening.

>>> Do ISP's get paid to protect end user machines?
>>
>> No, they get paid for traffic, which is the reason some ISPs out there
>> don't care if their customers are DDoSing another's network.
>
> No, they get paid for delivering packets.  They don't get paid (currently)
> for handling abuse complaints.  Paul Vixie has proposed, and, I have
> supported a model which ISPs could adopt which would change this fact.

I'd be interested to see that... I don't have a problem with most ideas 
like that.

> Most residential ISPs get paid the same whether the customer spews
> abuse or not.  Their costs go up some when they get abuse complaints
> and when abuse starts using more bandwidth, so, for the most part, most
> residential ISPs have no incentive to support abuse, but, not enough
> incentive to pay to staff an abuse department sufficiently to be truly
> responsive.  Further, most abuse departments don't get enough support
> from management when the sales and marketing departments come whining
> about how much revenue that abusing customer produces each month.
> This is one of the unfortunate realities of a free-market economy.  It
> doesn't always tie profit to doing the right thing, and, it favors
> short-term thinking over long-term planning. 

Agreed

>>> If you want to blame someone maybe the company that provided the
>>> insecure os that requires monthly patches to fix portions of the broken
>>> code they sold. Or you could blame the end users who open unknown
>>> attachments.
>>>
>> Yup, we've been doing that for years, and they have been fixing things as
>> fast as possible (not always, and not until more recently) however they
>> are making steps in the right direction, so I feel it's about time ISP's
>> started taking some of the responsibility for traffic on their network.
>> As far as the attachments go, education is the only way - and if they
>> cannot be educated they shouldn't be on the Internet.
>>
> They continue to develop new and more exploitable services and features.
> They continue to improve upon techniques for bypassing corporate firewalls.
> They are not fixing things as fast as possible, they are fixing things as
> they become widely known and public.  They are also showing no commitment
> to implementing new features in a secure way, nor, indeed, any willingness
> to give up features in order to preserve security.  They have convinced
> themselves (and apparently the corporate world) that they are untouchable,
> and they continue to rake in profits while having no accountability to
> the parties that are injured by their actions. 

Agreed, however they have publicly acknowledged the problem, which for 
me is a major milestone.

>>> I would like a real solution to the problem. Simply blocking ports is
>>> not successful.
>>> So I recommend 2 steps.
>>>
>>> First buy OS's that are more secure out of the box.
>>>
>> That's not going to happen anytime soon, even with Microsoft starting to
>> follow the 'right' road.
>>
> I haven't seen any indication that Micr0$0ft is following the right road, just
> that they are bending to some public pressure to pay some level of lip-service
> to security.  Yes, they have fixed the 100 most gaping security holes in their
> code this week.  No, they haven't shown that new code is being written with
> security as an important consideration. 

Hey, I am a Miro$oft hater, but I concede that the 'default the firewall 
to on' feature of the next service pack is a good thing - the only issue 
is the part about not installing on pirated OS's and that they are 
taking way too long to release it.... but it is a start - we've been 
trying to get M$ to even start for how many years now?

>>> 2nd Teach users NOT to click on every thing they see.
>>
>> ...and how are you going to do that?  If you give a user a $10 account
>> where they have full internet access they click on everything, then they
>> get infected, their machine is controlled by someone else across the
>> world and is used for DDoS attacks or spam (or..hacking, or...?) .. what
>> are you going to do to educate them in the middle....?  What is the ISP
>> going to do to make sure that the enduser has been educated?   What are
>> you the ISP going to do to ensure the machine that was infected has now
>> been disinfected...?
>
> So, let me see if I have this straight...
>
> The gas company is now expected to somehow stop me from feeding gas
> into the water heater they don't know I've installed, or refuse to sell
> me gas, until I can prove that I know how to install gas appliances,
> because, if they sell me gas without disabling my ability to connect
> it to other appliances, I might. 

Actually this is what happens in the UK by law....  If you have a gas 
heater installed by a non-approved technician, the gas supply will not 
be connected until it is checked and approved by an approved installer 
or gas technician.  Similarly if the heater doesn't meet certain 
standards it will never be connected to the gas supply in the UK....  Of 
course this doesn't stop people getting the gas connected and then doing 
a DIY gas installation, but people can go to jail for that.

> Right... That's going to happen.  ISPs are like utilities.  They deliver
> a service.  The service is the acceptance and delivery of properly formed
> IP datagrams.  If you want something different, that's a separate value-
> added service and you should pay more for it.
>
>> I don't expect you the ISP to solve all these problems, nor do I expect
>> you the ISP to stop your users from getting infected.... However you the
>> ISP are responsible for traffic coming from and going to your users, and
>> most of us don't care if you want to allow your users to get infected,
>> however we do care if you allow your customers to attack us....  Whether
>> it be an attack in the form of spam, DDoS or trojan/virus spreading.
>>
> This makes sense.  I've supported this.  That's not what Adi and others
> have been saying, and, it's not what some of your statements above say. 

It is what I mean to say - I have never been good at communicating by 
written word - probably something to do with the fact I am dyslexic.

/ Mat

>
>
> Owen
>
