Sean Donelan wrote:
On Sun, 13 May 2007, Florian Weimer wrote:
Fortunately, there is a simple solution to this kind of problem: ISPs are very likely liable if they fail to alert customers about security problems, and do not provide updates in a timely manner. After a few painful incidents, the ISPs will learn, and either ship better software (unlikely) or implement some kind of patch management. With a bit of luck, the latter does not just shift liability back to the customer, but also helps to partly solve the problem (in the sense that CPE attacks are less attractive).
It won't solve the problem. ISPs will simply stop distributing CPE, and tell customers to buy CPE from their nearest electronics store (Best Buy, Radio Shack, or the equivalent in other countries). If you thought it was hard getting ISPs to patch CPE, try getting electronics stores to patch the CPE. Look at the ancient bugs in D-Link, Linksys, Netgear boxes that consumers haven't figured out how to patch for years.
You really need to identify the sources and fix it there.
When your cpe costs $50 (to the consumer) it's not worth anyone's time (consumer, isp, manufacturer, store that sold it etc) to patch/upgrade the thing. If it's broken enough they'll eventually buy another one, or they'll buy another one because they decide they need some wazoo new feature (802.11n, gigabit ethernet, p2p support, hard disk etc)... The trick is ensuring that when they do buy another one it's tangibly better than the old one. Even if your cpe costs more (cisco 8xx) it's still not worth patching it if that is going to require external support (first time you call the tac you blow the profit on a cisco 800). Just remember, very few of these cpe devices existed 5 years ago; the probability that the same ones will be in use in 5 years seems pretty low. Deliver a compelling new technology platform and the users will upgrade en masse (50mbit vdsl, ftth, docsis 3 cable modems, fixed wimax, etc). It's my opinion that access isp's need to get out of the business of selling/delivering cpe because frankly the consumer will probably spend more on features and so forth than the isp will when they lease you some crappy actiontec dsl router for 3 bucks a month. The isp's shoot themselves in the foot by shoveling the cheapest cpe they can out the door when the consumer would probably go out and pay for it if they felt like they weren't getting jacked.