On Sat, 12 Jun 2004, Paul Vixie wrote:
in any other industry, you (the isp) would do a simple risk analysis and start treating the cause rather than the symptom.
What other industry do you know where you are expected to fix products you didn't sell and didn't cause for free? Should we revoke Carterfone? You can't connect a Tivo or unauthorized device to your ISP connection, and the ISP would remotely control all the devices on your home network to ensure they are patched and secure. Send me your root passwords. Trust me.
for example you might offer inbound filtering,
Done. Effectiveness?
cleanup tools and services,
Done. Effectiveness?
and you would put their computer in cyberjail when it was known to be "infected",
Done. Effectiveness?
and you would certainly not offer your services without a clear idea of how to reach the customer and assist them in getting out of cyberjail --
Done. Effectiveness?
even if it meant rolling a technician.
Done. Effectiveness? Been there, done that. Got any new ideas?
no. there should be a forfeitable deposit, plus a per-incident fee which is mostly to pay for the cost of monitoring and the cost of auditing the host to ensure that it complies with the isp's security policy before it can be reattached. the deposit can be refunded after N years of incident-free behaviour, and should be doubled after each verified incident.
How much are you willing to pay? The banking industry makes billions from late payments, overdrafts, chargebacks. It makes banks a lot of money, and puts people in bankruptcy, but doesn't seem to be very good at teaching people to handle credit wisely. People already think ISPs make money from infected computers and spammers. What incentive would there be for people to fix things instead of just paying them off? Is it OK to spam, as long as you pay a lot? Is it OK to leave an infected computer on the network, as long as you pay a lot? Haven't you just described what "bullet-proof" web hosting companies do? How do we create incentives for people to want to buy more secure products? Why do people continue to buy Windows instead of Macs? Cars have a gas guzzler tax to encourage fuel efficiency; should Windows computers have a security guzzler tax to encourage security?
Should it be like points on your Internet driver's license? For the first incident you have to attend 8-hour traffic school, for the second incident in 12 months you have points put on your record and your insurance rates go up. Too many points, and your Internet privileges are revoked.
alas. on the internet, nobody knows you're a dog.
Regulations could fix that. The US Postal Service has the Postal Inspection Service. They have jurisdiction anywhere the mail goes. The post office didn't create the Anthrax; they delivered the envelopes as addressed. Most railroads have railroad police with jurisdiction anywhere the railroad tracks go. Some railroad police departments have trans-national jurisdiction in multiple countries. Do we need an Internet Police with jurisdiction anywhere the Internet goes? Instead of waiting for the FBI to make a case, the ISP police could arrest people. Should ISPs be required to forward all their customer information and logs to the Department of Homeland Security (or other national equivalent) so they always know who is doing what? Would that solve the "nobody knows you're a dog" problem?