On Sun, 13 May 2007, Florian Weimer wrote:
Fortunately, there is a simple solution to this kind of problem: ISPs are very likely liable if they fail to alert customers about security problems, and do not provide updates in a timely manner. After a few painful incidents, the ISPs will learn, and either ship better software (unlikely) or implement some kind of patch management. With a bit of luck, the latter does not just shift liability back to the customer, but also helps to partly solve the problem (in the sense that CPE attacks are less attractive).
It won't solve the problem. ISPs will simply stop distributing CPE, and tell customers to buy CPE from their nearest electronics store (Best Buy, Radio Shack, or the equivalent in other countries). If you thought it was hard getting ISPs to patch CPE, try getting electronics stores to patch the CPE. Look at the ancient bugs in D-Link, Linksys, Netgear boxes that consumers haven't figured out how to patch for years. You really need to identify the sources and fix it there.