Broadband routers and botnets - being proactive

Gadi Evron ge at
Sun May 13 19:21:12 UTC 2007

On Sun, 13 May 2007, Sean Donelan wrote:
> On Sun, 13 May 2007, Florian Weimer wrote:
> > Fortunately, there is a simple solution to this kind of problem: ISPs
> > are very likely liable if they fail to alert customers about security
> > problems, and do not provide updates in a timely manner.  After a few
> > painful incidents, the ISPs will learn, and either ship better
> > software (unlikely) or implement some kind of patch management.  With
> > a bit of luck, the latter does not just shift back liability back to
> > the customer, but also helps to parly solve the problem (in the sense
> > that CPE attacks are less attractive).
> It won't solve the problem.  ISPs will simply stop distributing CPE, and
> tell customers to buy CPE from their nearest electronics store (Best Buy, 
> Radio Shack, or the equivilent in other countries).  If you thought it
> was hard getting ISPs to patch CPE, try getting electronics stores to
> patch the CPE.  Look at the ancient bugs in D-Link, Linksys, Netgear boxes
> that consumers haven't figured out how to patch for years.
> You really need to identify the sources and fix it there.

"Passing the buck! Buck passer!" (see below - skip to Dilbert link)

Not saying that you are wrong but... Ahh, these are out of our
control, nor will they do anything if we don't. Might as well tell users
not to patch their Windows systems as it's the responsibility of the store
who sold them the computer. Yes, it could help if the stores did

There is little to no financial incentive for ISPs to do something about
this problem right now, even if it is currently under their direct
control. Later on, when it is a problem - it will cost more.

Today? Some will do someting, others won't. It surprises me how many do
invest in this.

Almost everything we do in Internet security operations has nothing to do
with identifying the problem and fixing it. It's usually just about
identifying the sympthoms and getting rid of them. It's like I sometimes
tell law enforcement: "we can't afford to wait, we need to maintain
our networks". We wait anyway and end up eating a sock.

As to your suggestion here (quoting a /. user who wrote it down):

Dilbert is in the Boss's office.
Dilbert: I discovered a hole in our internet security.
Boss: What?!!
Boss: Good grief, man! How could you put a hole in our internet?
Dilbert, angry: I didn't PUT it there, I FOUND it.. and it's not...
Boss: It's your job to fix that hole. I want you to work 24-7!
Dilbert: Actually, that's NOT my job. But I'll inform our network
management group.
Dilbert: Forget it! There's no hole! It got better!
Boss: That's more like it.
Last panel, the boss is sitting alone smiling.
Boss thinks: I fixed the internet.

I found it on Google images:

More information about the NANOG mailing list