ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]

J. Oquendo sil at infiltrated.net
Wed Jun 9 13:35:04 CDT 2010


Jorge Amodio wrote:
> Unfortunately in the software industry you get (when you do, not
> always) the alert and the patch after the fact, ie the exploit has
> been already out there and your machine may probably have been already
> compromised.
>
> I never seen any operating system coming with a sign saying "Use at
> your own risk", why when I buy a piece of software I have to assume it
> to be insecure, and why I have to spend extra money on a recurring
> basis to make it less insecure, when there is no guarantee whatsoever
> that after maintenance, upgrades, patches and extra money my system
> will not get compromised because a moron forgot to include a term
> inside an if before compiling.
>
> Insecurity and exploitable software is a huge business. I don't expect
> software to be 100% safe or correct, but some of the holes and issues
> are derived form bad quality stuff and as car manufacturers the
> software producers should have a recall/replacement program at their
> own cost.
>
> My .02
> Jorge
>   

Again, apples and oranges to a degree. Car owners don't receive a "use
at your own risk" disclaimer either. Yet some Toyota owners faced
horrifying instances of "subpar" prechecks. GM recalled a million or so
cars and the list will always go on and on. Mistakes happen period and
when mistakes DON'T happen Murphy's Law does. I can speak for any
software vendor but I can speak about insecurity and exploitability of
software. That too is what it is from any standpoint be it anywhere in
Redmond to any other location. Look at Sun's horrible misstep with telnet:

<humor>


      Highlights

The Solaris 10 Operating System, the most secure OS on the planet,
provides security features previously only found in Sun's military-grade
Trusted Solaris OS.

</humor>

Really?
http://blogs.securiteam.com/index.php/archives/814

9 Vulnerabilities for Microsoft *ANYTHING* of the first 60 published.
But again, this is irrelevant. I don't care for any operating system
anymore. I care for the one that accomplishes what I need to do at any
given time. Be it Linux, Windows, BSD, Solaris heck get me plan9 with
Rio, I could care less. However, myself as an end user, I'm the one
responsible for my machine as I am the one running it. If I find it to
be insecure or "virus/trojan/malware/exploitability" prone, there is no
one shoving it down my throat. Even if I didn't know any better. So for
those who are unaware of what's going on, how difficult would it be to
create a function within an ISP tasked with keeping a network structured
to avoid allowing OUTBOUND malicious traffic.

We could argue about: "But that would be snooping" where I could always
point at that a NAC could be set up prior to allowing a client to
connect. Can anyone honestly tell me that one of their clients would be
upset slash disturbed slash alarmed about an ISP protecting them (the
customer) as well as other "neighbors" (customers)? That's like saying:
"Oh they set up a neighborhood watch association... and they're watching
over my house when I'm not home or capable of watching all sides of my
house... HOW DARE THEY!" Sorry I can't picture that happening. What I
picture is fear and people dragging their feet.

I can tell you what though, for the first company to pick up on that
framework, I can guarantee you the turnover rate wouldn't be as high as
say being on a network where now the business connection is lagged
because of spam, botnets and other oddities that could have been prevented.


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E





More information about the NANOG mailing list