On Sun, 13 May 2007, Sean Donelan wrote:
> On Sun, 13 May 2007, Florian Weimer wrote:
>> Fortunately, there is a simple solution to this kind of problem: ISPs are very likely liable if they fail to alert customers about security problems, and do not provide updates in a timely manner. After a few painful incidents, the ISPs will learn, and either ship better software (unlikely) or implement some kind of patch management. With a bit of luck, the latter does not just shift liability back to the customer, but also helps to partly solve the problem (in the sense that CPE attacks are less attractive).
>
> It won't solve the problem. ISPs will simply stop distributing CPE, and tell customers to buy CPE from their nearest electronics store (Best Buy, Radio Shack, or the equivalent in other countries). If you thought it was hard getting ISPs to patch CPE, try getting electronics stores to patch the CPE. Look at the ancient bugs in D-Link, Linksys, Netgear boxes that consumers haven't figured out how to patch for years.
>
> You really need to identify the sources and fix it there.
"Passing the buck! Buck passer!" (see below - skip to Dilbert link)

Not saying that you are wrong but... Ahh, these are out of our control, nor will they do anything if we don't. Might as well tell users not to patch their Windows systems as it's the responsibility of the store who sold them the computer. Yes, it could help if the stores did something.

There is little to no financial incentive for ISPs to do something about this problem right now, even if it is currently under their direct control. Later on, when it is a problem - it will cost more. Today? Some will do something, others won't. It surprises me how many do invest in this.

Almost everything we do in Internet security operations has nothing to do with identifying the problem and fixing it. It's usually just about identifying the symptoms and getting rid of them. It's like I sometimes tell law enforcement: "we can't afford to wait, we need to maintain our networks". We wait anyway and end up eating a sock.

As to your suggestion here (quoting a /. user who wrote it down):

Dilbert is in the Boss's office.
Dilbert: I discovered a hole in our internet security.
Boss: What?!!
Boss: Good grief, man! How could you put a hole in our internet?
Dilbert, angry: I didn't PUT it there, I FOUND it.. and it's not...
Boss: It's your job to fix that hole. I want you to work 24-7!
Dilbert: Actually, that's NOT my job. But I'll inform our network management group.
Boss, yelling: PASSING THE BUCK!!! YOU'RE A BUCK PASSER!!!
Dilbert: Forget it! There's no hole! It got better!
Boss: That's more like it.
Last panel, the boss is sitting alone smiling. Boss thinks: I fixed the internet.

I found it on Google images: http://stderr.de/funstuff/dilbert_fixed_the_internet.jpg