Tier1 blackholing policy?

Wed May 1 11:44:35 UTC 2013

On Tue, Apr 30, 2013 at 12:47:40PM -0400, Jared Mauch wrote:
> If the phishing attack is against an enterprise that is also an ISP,
> surely you can imagine a case where they might block traffic to prevent
> folks from being phished.

This is not an effective anti-phishing tactic, any more than "user education"
is an effective anti-phishing tactic.  (Let me quote Marcus Ranum on
the latter: "if it was going to work, it would have worked by now."
And let me observe: it's never worked; it's not working; it's never
going to work.)

> i think it's great that someone is blocking folks from being infected with either malware or giving up their private details improperly.

One person's "malware" is merely an interesting collection of inert
bits to someone else, just as "email virus" has no operational meaning
to anyone clueful enough to run a sensible mail client on a sensible
operating system.

Thus one undesirable effect of such blocking is that it denies access to
researchers who are at nearly zero risk of negative consequences *and*
who might be the very people in a position to understand the threat
(phishing, malware, etc.) and figure out how to mitigate it.  Another is
that it presents a false sense of security to the ignorant, the lazy,
and the careless.  While in the short term that may seem benevolent and
useful, I think in the long term it has a deleterious effect on security
as a whole.  And if we've arrived at a point in time where people are
actually considering making routing decisions based on longstanding design
and implementation defects in consumer operating systems and applications,
then I think "long term" equates to "right now".

---rsk