On Sun, 13 Jun 2004, John Curran wrote:
I'll argue that we don't have effective methods of dealing with this today, and it's not the lack of abuse desk people as much as the philosophy of closing barn doors after the fact. The idea that we can leave everything wide open for automated exploit tools, and then clean up afterwards manually with labor-intensive efforts is fundamentally flawed.
Selling people barn doors and barn door audits is easier than figuring out how the rustlers are getting the horses. The problem is the horses aren't being rustled(?) through the barn doors. If they were, you would expect to see a difference between barns with doors and barns without doors. But in practice, we see people with and without firewalls with infected computers. Network level controls aren't as effective as some people hope at stopping many things.

ISPs should stop porn, ISPs should stop music sharing, ISPs should stop viruses, ISPs should stop <insert here>. Yet somehow users manage to find a way around all of them.

What are good predictors? There aren't any great ones, but there are some. Can we use them effectively? So what makes some users more likely or less likely to have infected computers? How do they become infected, but other users don't? What's different between the two groups?