On Wed, 16 May 2007, Ross Hosman wrote:
Gadi,
I appreciate your well thought out email but I sit here and wonder what exactly you are trying to accomplish with it? Are you just trying to shame the two ISPs listed publicly or are you trying to spark a discussion about something that many people here can't fix?
Many businesses today are focused on driving revenue, and fixing old CPE equipment doesn't generate revenue; it only ties up money and resources that can be used elsewhere to drive revenue. If I were you, I would try to spin this problem in a way where you can show large ISPs that by fixing CPEs it will free up network resources and staff which can be used elsewhere.
The people that can fix these problems are usually unaware of them so try to educate those people. Write CEOs/CTOs/CSOs educating them and push the security teams for these companies to escalate these issues to their upper management (on that note I would say this type of discussion would be better suited for a security mailing list for the reason I stated before, many people here can't fix these problems).
Simply stating that there is a problem and shunning ISPs with this problem isn't a fix for the problem, it just makes them ignore you and the problem.
-Ross

You are quite right. Thank you. I found some ways of showing several issues to be revenue-tied, such as blocking port 25, etc. This issue is something I am at a stage of exploring, and like it or not.. network operators are the ones who deal with this (on whatever level they do). I am unsure of where else to go with this, and if some ISPs do something for now, that is a step in the right direction until a better way shows itself. Whichever way we discover, for now, raising awareness is all I can think of. On a sarcastic evil tone, we may just plan to release a "fix" worm to harden all these devices world-wide. Right! Because that worked so well for us before. :>
Gadi.