Re: Schneier: ISPs should bear security burden
On 27 Apr 2005, at 17:51, Pakojo Samm wrote:
Give me a *clear* unobstructed line (that stays up) at the cheapest price please.
Your attitude is very much the norm, however your requirements on connectivity are more stringent. All customers want unobstructed access and we, as an ISP, want to provide it. Obstructions to service, regardless of fault or utility, generate call volume. The vast majority of subscribers, measured in millions, are not obstructed by filtered internet services. Subscribers do not understand the benefits of complete end-to-end connectivity nor do they perceive filtered connections as less valuable than other services. For those subscribers who do notice these obstructions, we offer more robust connections at a different price point. The reasoning is simple: in order to provide the best connectivity possible, measured by least obstructions perceived by the user at the lowest price point, at the highest margin possible we need to relocate the operating cost to the appropriate party. Providing all users with unfiltered transit increases our operating expense without providing the customer with any added benefit. Providing a subset of users with unfiltered transit when necessary pushes that expense onto the users requesting additional service. As you said, customers desire the cheapest stable connection they can locate. Value added services aid in retention when cheaper rates are offered by competitors and we are not willing to match that price point. Subscribers are willing to pay more for connectivity instead of incurring the cost of replacing their email address, their ISP associated software, etc.
On 28 Apr 2005, at 00:55, Owen DeLong wrote:
Who are you to decide that there is no damage to blocking residential customers?
The customer makes the decision when they subscribe to a service whether or not filtered service will meet their needs. Who are you to decide that unfiltered service is required to meet the needs of all customers?
Why should an ISP decide what a residential customer can or can't do with their internet connection?
The service provider should be able to decide what services they wish to offer. If a provider of any service chooses to differentiate services based on utility and the customer is made aware of these characteristics, how is this in any way unfair? If your objection is that, in single provider markets, it may not be financially viable to obtain your desired service level, i.e. the local cable provider does not offer unfiltered connectivity and there are no other residential high bandwidth options available, then I suggest you encourage diversity in the market place. You are not entitled to unfiltered internet connectivity. If you want to be entitled to unfiltered internet connectivity then petition your local government to make transit a privatized utility with all the government oversight and bureaucracy that entails.
---
James Baldwin
hkp://pgp.mit.edu/jbaldwin@antinode.net
"Syntactic sugar causes cancer of the semicolon."
On Thu, 28 Apr 2005 10:47:50 EDT, James Baldwin said:
in order to provide the best connectivity possible, measured by least obstructions perceived by the user at the lowest price point, at the highest margin possible we need to relocate the operating cost to the appropriate party. Providing all users with unfiltered transit increases our operating expense without providing the customer with any added benefit. Providing a subset of users with unfiltered transit when necessary pushes that expense onto the users requesting additional service.
It would seem that relocating the costs of doing extra (filtering, etc) *should* be passed on to the people who necessitated the extra handling by running software that needs extra protection. As it stands, you're charging the people who (in general) aren't the problem more for you *not* to do something... Car insurance companies figured this out long ago: They charge extra premiums to those customers who incur them more cost - that's why male teenagers pay more than middle-aged people, and why people with multiple tickets pay more. Would any car insurance company be able to stay in business long-term if they raised the premium for middle-aged men driving boring Toyota sedans because somebody else's teenager wrapped their Camaro around a tree? Why is it perceived as reasonable in this industry?
On 28 Apr 2005, at 11:51, Valdis.Kletnieks@vt.edu wrote:
It would seem that relocating the costs of doing extra (filtering, etc) *should* be passed on to the people who necessitated the extra handling by running software that needs extra protection. As it stands, you're charging the people who (in general) aren't the problem more for you *not* to do something...
"Extra" in the sense of this statement is incorrect. If filtered connectivity is the norm in our environment, then I would be charging people who require unfiltered access more to make an exception for them and allow them more flexible connectivity. Exceptions, even in the form of removing restrictions, are something.
Car insurance companies figured this out long ago: They charge extra premiums to those customers who incur them more cost - that's why male teenagers pay more than middle-aged people, and why people with multiple tickets pay more.
This is a poor analogy, which is why I have avoided them thus far. It is easier to assess blame in automobile incidents. It is, more often than not, the fault of a driver of one of the involved automobiles, not some nebulous third party. Insurance companies maintain records of traffic offenses on customers and check traffic records for prospective customers; there is no comparison within network abuse. It is difficult to assess responsibility in network abuse. Increasing the price point, or penalizing the customer, for network traffic generated by malware is an excellent way to promote churn and reduce revenue. It is more profitable to restrict customers from generating unfriendly network traffic in the first place than penalize them after the fact.
Would any car insurance company be able to stay in business long-term if they raised the premium for middle-aged men driving boring Toyota sedans because somebody else's teenager wrapped their Camaro around a tree? Why is it perceived as reasonable in this industry?
Again, this is a poor analogy. I am not penalizing customers who act responsibly. There is no direct correlation between users who are responsible and users who require unfiltered internet access. There are millions of subscribers who are responsible using filtered internet connectivity and they are not penalized for it. In fact, they are rewarded as they are paying a lower price point for this adequate and restricted service. Please, stop making the assumption that all responsible users require unfiltered internet access.
---
James Baldwin
hkp://pgp.mit.edu/jbaldwin@antinode.net
"Syntactic sugar causes cancer of the semicolon."
James Baldwin wrote:
Again, this is a poor analogy. I am not penalizing customers who act responsibly. There is no direct correlation between users who are responsible and users who require unfiltered internet access. There are millions of subscribers who are responsible using filtered internet connectivity and they are not penalized for it. In fact, they are rewarded as they are paying a lower price point for this adequate and restricted service.
Please, stop making the assumption that all responsible users require unfiltered internet access.
---
James Baldwin
hkp://pgp.mit.edu/jbaldwin@antinode.net
"Syntactic sugar causes cancer of the semicolon."
Well said. I also want to point out that I believe several people discussing this thread are confusing ISPs who just provide Internet Services direct to end users, with transit providers who are solely providing transit to other ISPs. In my own opinion, I would not expect a transit provider to filter anything other than my BGP announcements. However, I would expect my ISP to filter a possible worm infection port(s), as it would completely saturate my lowly-end-user datapipe if they did not, making network access worthless, even if my host was secure. Of course, I would also not expect to pay a higher fee for this filtering. Additionally, I am curious why any time a technical issue comes up on NANOG (or any other operator list), people resort to terrible analogies that have little to do with the actual content of the discussion?
--- Andy
In my own opinion, I would not expect a transit provider to filter anything other than my BGP announcements. However, I would expect my ISP to filter a possible worm infection port(s), as it would completely saturate my lowly-end-user datapipe if they did not, making network access worthless, even if my host was secure. Of course, I would also not expect to pay a higher fee for this filtering.
I'm probably one of the ones you think is confused. However, I am not, I simply don't think that they need different policies about what packets flow. If the customer doesn't ask for something to be blocked, it shouldn't be blocked. The most probable worm infection port is 80 or 443. Do you really want those filtered by your ISP? I don't... It would wreak havoc with my web servers.
Additionally, I am curious why any time a technical issue comes up on NANOG (or any other operator list), people resort to terrible analogies that have little to do with the actual content of the discussion?
Personally, I think the analogy was a pretty good one. Just because it doesn't support your point of view doesn't make it a bad analogy. No matter how much you and the person you quoted would like to obscure the fact, default filtration is bad policy for a number of reasons:
+ It inflicts an unfair cost burden on responsible users who want full internet connectivity.
+ It inflicts an unfair cost burden on responsible users who don't need full internet connectivity, but, don't need ISP-side filtration, either.
+ It taxes responsible users in order to reduce the costs of irresponsible users.
+ It is a transit solution to an end-host problem, thus creating a number of undesirable side-effects, not the least of which is the cost of a continuing arms race between the filters and the malware.
Owen
--- Andy
-- If it wasn't crypto-signed, it probably didn't come from me.
--On Thursday, April 28, 2005 12:18 PM -0400 James Baldwin <jbaldwin@antinode.net> wrote:
On 28 Apr 2005, at 11:51, Valdis.Kletnieks@vt.edu wrote:
It would seem that relocating the costs of doing extra (filtering, etc) *should* be passed on to the people who necessitated the extra handling by running software that needs extra protection. As it stands, you're charging the people who (in general) aren't the problem more for you *not* to do something...
"Extra" in the sense of this statement is incorrect. If filtered connectivity is the norm in our environment, then I would be charging people who require unfiltered access more to make an exception for them and allow them more flexible connectivity. Exceptions, even in the form of removing restrictions, are something.
No, it isn't. The fact that filtered is becoming the norm is what many of us are taking exception to. I shouldn't have to pay extra for unfiltered internet just because the majority of your customers are too ignorant to correctly deal with it. Fortunately for me, as long as there are ISPs that don't see the world your way, I won't have to be your customer, so, have fun.
Car insurance companies figured this out long ago: They charge extra premiums to those customers who incur them more cost - that's why male teenagers pay more than middle-aged people, and why people with multiple tickets pay more.
This is a poor analogy, which is why I have avoided them thus far. It is easier to assess blame in automobile incidents. It is, more often than not, the fault of a driver of one of the involved automobiles, not some nebulous third party. Insurance companies maintain records of traffic offenses on customers and check traffic records for prospective customers; there is no comparison within network abuse. It is difficult to assess responsibility in network abuse.
Actually, it's an excellent analogy. If your system is a source of abuse, you are responsible, one way or another. Either you chose to run exploitable software and failed to patch it, or, you chose to run the exploit. Either way, you have responsibility for abuse originating from your machine. Sure, there's a contributing factor in a lot of internet abuse from a nebulous third party, but, people running exploitable systems should be held responsible for the abuse those systems generate.
Increasing the price point, or penalizing the customer, for network traffic generated by malware is an excellent way to promote churn and reduce revenue. It is more profitable to restrict customers from generating unfriendly network traffic in the first place than penalize them after the fact.
While I believe we don't currently have a better process than capitalism available, this is an example of how capitalism does not necessarily lead to the correct conclusions in a market. Destroying existing and future valid capabilities of the network to avoid solving the real problem because solving the real problem might eat into revenues is exactly why I think we need to modify our thinking on this.
Would any car insurance company be able to stay in business long-term if they raised the premium for middle-aged men driving boring Toyota sedans because somebody else's teenager wrapped their Camaro around a tree? Why is it perceived as reasonable in this industry?
Again, this is a poor analogy. I am not penalizing customers who act responsibly. There is no direct correlation between users who are responsible and users who require unfiltered internet access. There are millions of subscribers who are responsible using filtered internet connectivity and they are not penalized for it. In fact, they are rewarded as they are paying a lower price point for this adequate and restricted service.
Yes you are. You are penalizing users who act responsibly and want to use the full capability of the network instead of some subset in order to subsidize the costs of your other users who don't know and don't care. It is an excellent analogy, it just doesn't support your point of view. Your statement that their price point is lower is absurd. It costs money to put filters in place. It doesn't cost money to not filter, except to the extent that irresponsible actions which filtration would prevent are not blocked. Therefore, any increased costs in unfiltered connections are the direct result of irresponsible use. Absent irresponsible use, unfiltered connections will, by definition, cost less.
Please, stop making the assumption that all responsible users require unfiltered internet access.
That isn't the assumption. The assertion is that unfiltered use costs less than filtered use unless there is abuse or irresponsible use to be filtered. The further assertion is that ISPs should not be the ones determining what level of access end users require. ISPs should filter what end users ask them to filter. End users should not be charged extra for access to the whole internet.
Owen
-- If it wasn't crypto-signed, it probably didn't come from me.
On Thu, Apr 28, 2005 at 03:13:06PM -0700, Owen DeLong wrote:
Your statement that their price point is lower is absurd. It costs money to put filters in place. It doesn't cost money to not filter, except to the extent that irresponsible actions which filtration would prevent are not blocked. Therefore, any increased costs in unfiltered connections are the direct result of irresponsible use. Absent irresponsible use, unfiltered connections will, by definition, cost less.
In this context, Owen, why isn't that a circular argument?
Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com Designer Baylink RFC 2100 Ashworth & Associates The Things I Think '87 e24 St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274
If you can read this... thank a system administrator. Or two. --me
On 28 Apr 2005, at 00:55, Owen DeLong wrote:
Who are you to decide that there is no damage to blocking residential customers?
The customer makes the decision when they subscribe to a service whether or not filtered service will meet their needs. Who are you to decide that unfiltered service is required to meet the needs of all customers?
I never said they did. I simply said ISPs shouldn't decide this for their customers, as some do.
Why should an ISP decide what a residential customer can or can't do with their internet connection?
The service provider should be able to decide what services they wish to offer. If a provider of any service chooses to differentiate services based on utility and the customer is made aware of these characteristics, how is this in any way unfair? If your objection is that, in single provider markets, it may not be financially viable to obtain your desired service level, i.e. the local cable provider does not offer unfiltered connectivity and there are no other residential high bandwidth options available, then I suggest you encourage diversity in the market place.
I do encourage diversity in the market place. However, that doesn't necessarily change the current reality.
You are not entitled to unfiltered internet connectivity. If you want to be entitled to unfiltered internet connectivity then petition your local government to make transit a privatized utility with all the government oversight and bureaucracy that entails.
In some locations, that is becoming the case. I'm not sure that's necessarily such a bad idea. I'd rather encourage providers to do the right thing without the extra overhead, however.
Owen
---
James Baldwin
hkp://pgp.mit.edu/jbaldwin@antinode.net
"Syntactic sugar causes cancer of the semicolon."
-- If it wasn't crypto-signed, it probably didn't come from me.
Participants (5):
- Andy Johnson
- James Baldwin
- Jay R. Ashworth
- Owen DeLong
- Valdis.Kletnieks@vt.edu