“Where did I get the bad tacos from if not the cab driver?” You are being willfully ignorant now. Have a good day. -mel via cell On Jan 17, 2026, at 9:09 AM, Mike Simpson <mikie.simpson@gmail.com> wrote:  So where are they getting the malware from if not from their ISP? Should we hold the consumers responsible for their lack of tech knowhow when corporations with actual ITSEC departments get owned all the time or is that a total abrogation of responsibility from the people who are taking the money to provide the service or hardware? I think the “we aren’t responsible for anything that comes down the pipe to the end users because doing otherwise will cost $$$ and impact our revenue” is a stance that shouldn’t hold true anymore. I wonder how clearly you advertise the fact in your sales literature that a user needs to have more technical security knowhow or needs to care more than fortinet to safely connect to your network. That combined with all the reasons why having your users being infested is bad for you should make you want to do more about it. Being a diseased network spewing infection is surely seen as bad practice and “it’s the fault of the users and there is nothing we are willing to do to change that” shouldn’t be adequate. On 17 Jan 2026, at 16:26, Tom Beecher <beecher@beecher.cc> wrote:  If you didn’t want your customers being infected then don’t serve them malware and then blame them for getting owned and it impacting on your network or your upstreams. ISPs aren't 'serving customers malware'. Come on. There is a shared responsibility here. ISPs need to take reasonable precautions to block bad, while also ensuring that users can use the access they provide in the ways they chose to do so. End users need to have a basic level of understanding that the 'naked' internet is a nasty place, and many network enabled devices are poorly designed, so having some level of network security is important. On Sat, Jan 17, 2026 at 9:23 AM Mike Simpson via NANOG <nanog@lists.nanog.org<mailto:nanog@lists.nanog.org>> wrote: Again tho. What does it matter to the customer. It’s not impacting on their bottom line. They are used to fairly rubbish service for a huge multitude of reasons so their bandwidth being a bit slashdotted doesn’t matter to them. That’s why it’s a ddos. The only reason they got infected wasn’t their fault. It’s the fault of every company that believes that a eula is the end of their liability. If you didn’t want your customers being infected then don’t serve them malware and then blame them for getting owned and it impacting on your network or your upstreams. This is something that should have been sorted out after nimda but that wouldn’t have boosted shareholder value apparently. Your users aren’t aware that it’s not safe to plug stuff into the network you provide in the same way that they would expect a firewall not to get them owned or that a VPN device would be safe to use. -this is our fault, our failing, and we need to stop our knee jerk victim shaming and do better.

On 17 Jan 2026, at 12:49, Mel Beckman <mel@beckman.org<mailto:mel@beckman.org>> wrote:

Mike,

I agree with you where ISPs choose insecure CPE and force their customers to use it. But in the case of AISURU, It’s not the CPE causing the problem, it’s the customer’s buggy android-based IoT.

-mel

...

On Jan 17, 2026, at 4:16 AM, Mike Simpson <mikie.simpson@gmail.com<mailto:mikie.simpson@gmail.com>> wrote:

“immediately recognize any they own, which will drive home the point that this is their problem”

That’s some grade A victim blaming bs there.

“The rubbish CPE that we forced you to have is now owned and it’s upsetting our eyeballs only peering arrangements so you need to sort it out”

ISPs are only not accountable legally for the content of the packets they transport. That doesn’t mean they are not responsible for the terrible routers they give out.

Your customers in the main don’t care as they are used to flaky internet service. It’s the problem of the ISP as it only really impacts on them in an aggregated form so as that’s where the pain is, that’s who is “it” for solving it.

-don’t hand out cheap pos un-updatable CPE or do (shareholder value/ enshittification) and accept the consequences with good grace.

...

...

On 17 Jan 2026, at 02:10, Mel Beckman via NANOG <nanog@lists.nanog.org<mailto:nanog@lists.nanog.org>> wrote:

immediately recognize any they own, which will drive home the point that this is their problem

NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/SAEZI4VP...