Nato warns of strike against cyber attackers
owen at delong.com
Wed Jun 9 00:18:09 CDT 2010
On Jun 8, 2010, at 8:01 PM, Jorge Amodio wrote:
> Sent from my iToilet
> why you will penalize with fees the end customer that may not know
> that her system has been compromised because what she pays to Joe
> Antivirus/Security/Firewall/Crapware is not effective against Billy
> the nerd insecure code programmer ?
So? If said end customer is operating a network-connected system without
sufficient knowledge to properly maintain it and prevent it from doing mischief
to the rest of the network, why should the rest of us subsidize her negligence?
I don't see where making her pay is a bad thing.
> No doubt ISPs can do something, but without additional regulation and
> safeguards that they won't be sued for sniffing or filtering traffic
> nothing will ever happen. Do we want more/any regulation ? who will
> oversee it ?
Those safeguards are already in place. There are specific exemptions in the
law for data collection related to maintaining the service and you'd be very
hard pressed to claim that identifying and correcting malicious activity is not
part of maintaining the service.
> On the other hand think as the Internet being a vast ocean where the
> bad guys keep dumping garbage, you can't control or filter the
> currents that are constantly changing and you neither can inspect
> every water molecule, then what do you do to find and penalize the
> ones that drop or permit their systems to drop garbage on the ocean ?
Your initial premise is flawed, so the conclusion is equally flawed.
The internet may be a vast ocean where bad guys keep dumping garbage,
but, if software vendors stopped building highly exploitable code and ISPs
started disconnecting abusing systems rapidly, it would have a major effect
on the constantly changing currents. If abuse departments were fully funded
by cleanup fees charged to negligent users who failed to secure their systems
properly, it would both incentivize users to do proper security _AND_ provide
for more responsive abuse departments as issues are reduced and their
budget scales linearly with the amount of abuse being conducted.
> My .02
>> I'm fond of getting the issues addressed by getting the ISPs to be involved
>> with the problem. If that means users get charged "clean up" fees instead
>> of a "security" fee, that's fine.
>> ISPs remain in the unique position of being able to identify the customer,
>> the machine, and to verify the traffic. It can be done.