sean@donelan.com (Sean Donelan) writes:
in any other industry, you (the isp) would do a simple risk analysis and start treating the cause rather than the symptom.
What other industry do you know where you are expected to fix products you didn't sell and didn't cause for free?
risk management doesn't mean fixing other people's problems for free, it means building your business with knowledge of those problems, and making sure your business copes with them.
You can't connect a Tivo or unauthorized device to your ISP connection, and the ISP would remotely control all the devices on your home network to ensure they are patched and secure.
Send me your root passwords. Trust me.
you should offer this service. most of us would urge our parents' generation to sign up for it. (i hope you weren't joking.)
for example you might offer inbound filtering,
Done. Effectiveness?
cleanup tools and services,
Done. Effectiveness?
and you would put their computer in cyberjail when it was known to be "infected",
Done. Effectiveness?
and you would certainly not offer your services without a clear idea of how to reach the customer and assist them in getting out of cyberjail
Done. Effectiveness?
even if it meant rolling a technician.
Done. Effectiveness?
Been there, done that. Got any new ideas?
with all due respect, which is in fact waning due to your sarcastic attitude, none of those things have been done. oh, sure, various isp's have waved at those problems, and some have paid some lip service to them, but it has not been seriously tried, because there's no way to insist on them and still make money. if you or any other isp seriously "Done."'d those things, then the few customers you'd have left would be very happy, and the rest of us who are not your customers would also be very happy with the lack of swill coming from your network.
People already think ISPs make money from infected computers and spammers.
only because i've been an insider at a couple of places where it was arguable.
What incentive would there be for people to fix things instead of just paying them off?
i believe i mentioned doubling the forfeitable deposit on each verified incident.
Is it Ok to spam, as long as you pay a lot? Is it Ok to leave an infected computer on the network, as long as you pay a lot? Haven't you just described what "bullet-proof" web hosting companies do?
i don't accept e-mail from rackspace.com or any of their customers, because this appears to be their business model. on http://www.vix.com/personalcolo/ i present what i call a "good internet neighborhood" model. a "bullet proof hosting" company wouldn't qualify, no matter what deposit they collected or how much customer equipment they had on-site.
alas. on the internet, nobody knows you're a dog.
Regulations could fix that.
no, really, they couldn't. bad guys can cons up a new identity every week if that's what it takes to avoid driving with a bad internet driver's license.
Most railroads have railroad police with jurisdiction anywhere the railroad tracks go. Some railroad police departments have trans-national jurisdiction in multiple countries.
several times i've suggested that only by upgrading this problem to the level of inter-national treaty, as has been done with other offenses like drugs and fraud and violence, will we begin to see the beginnings of "containment." you, sean, were party to at least one of those threads. perhaps you can do some homework and answer now what you didn't bother to answer then.
Do we need an Internet Police with jurisdiction anywhere the Internet goes? Instead of waiting for the FBI to make a case, the ISP police could arrest people.
Should ISPs be required to forward all their customer information and logs to the Department of Homeland Security (or other national equivalent) so they always know who is doing what? Would that solve the no one knows you're a dog problem?
no, it wouldn't. until the cost of creating new identities can be driven up, then nothing adhering to identity, such as reputation, will be of any real value in stopping repeat abusers. a dsl or cable provider is in a unique position in this regard. you know who your customers are and you know where they live. as a favour to the rest of us, it would be a fine thing if you would take advantage of this position to cause a general increase in the reputation-level of your customers' IP addrs. whether you do that with deposits, truck rolls, filtering, cyberjails, weekly training seminars, and/or lawsuits against microsoft and apple, is your problem not ours, since you make the profit from these customers. how you remain profitable and competitive while managing these risks is also your problem, again since you make the profit from these customers. google for "chemical polluter business model" if you want more background.
-- Paul Vixie