Re: Schneier: ISPs should bear security burden
Owen DeLong <owen@delong.com> writes:
So much for any sort of journalistic ethic, fact checking, or, unbiased reporting.
Oh, please. If you think that the Internet should remain an "every man for himself", wild wild west, OK Corral, situation (not my words, mind you), then you better get with the powers that will steam-roll all of us if we let it -- money and marketing. This ain't no science project anymore. Bruce is right -- right as rain -- I don't give two damns whether you think it is an issue of marketing, or protective self-advertising. The issue is that the _consumers_ want it, that's what they'll pay for, and it is the ISP's prerogative to either honor that wish, or lose the business. We owe it to our customers, and we owe it to ourselves, so let's just stop finding excuses to side-step the issue. Sound about right? - ferg
-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg@netzero.net or fergdawg@sbcglobal.net ferg's tech blog: http://fergdawg.blogspot.com/
Sound about right?
No, not at all. I'm not advocating a wild west every man for himself, but, I think that solving end-node oriented problems at the transport layer is equally absurd. It's like expecting to be able to throw crude oil into a tanker at one end and demanding that the trucker deliver gasoline at the other. ISPs transport packets. That's what they do. That's what most consumers pay them to do. I haven't actually seen a lot of consumers asking for protected internet. I've seen lots of marketing hype pushing it, but, very little actual consumer demand. Sure, the hype will probably generate eventual demand, but, so far, it hasn't really. Do you really want an internet where everything has to run over ports 80 and 443 because those are all that's left that ISPs don't filter? That's where a lot of this crap is headed. Heck, Micr0$0ft is ready for that... They already tunnel almost all of the viruses through those two ports in order to facilitate them penetrating corporate firewalls and such. How much functionality are we going to destroy before we realize that you can't fix end-node problems in the transit network? Owen
I'm not advocating a wild west every man for himself, but, I think that solving end-node oriented problems at the transport layer is equally absurd.
That's not what was being suggested. The article suggested that ISPs, the providers of the transport layer service, should consider branching out and offering other value added services in addition to the transport layer, because customers want to buy value-added services and not just the raw, unfiltered transport layer. It's up to the ISP as to how they configure and manage those services. The company that I work for decided to build a separate global IP network in 20 countries to connect about 150 providers of application and data services to their customers, currently just under 11,000 of them. This IP network provides vastly higher levels of security than the public Internet and that is part of our contracts and SLAs. There is no technical reason why other ISPs could not offer similar value-add services other than a failure of the imagination. And we all know what "failure of the imagination" buys you. In the telecom industry it led to the rise of the ISP and the Internet because the incumbents could not imagine what we have today. In the U.S. political arena it led to 9/11 because the people charged with protecting the country could not imagine that a small group of people based in one of the most backward countries on earth could pose a threat to American soil. The report of the 911 commission makes interesting reading if one is able to see the abstract lessons that it draws. Many of those lessons relate to failure of imagination and failure to move on and change with the changing times.
ISPs transport packets. That's what they do.
You're wrong there. ISPs provide Internet services. That's what they have always done. In the early days they ran mail servers and web servers and news servers and terminal servers and many other things. We have gone through a period of specialization where ISPs have been differentiated into providing a subset of all possible Internet services. Some do indeed specialise in pure packet transport, but that is rare and they are usually part of a larger company that provides other services. In any case, it's time to move on and change some more, perhaps by adding new value-added services on that last mile connection.
I haven't actually seen a lot of consumers asking for protected internet.
That's because you don't work for Yahoo email or for AOL.
Do you really want an internet where everything has to run over ports 80 and 443 because those are all that's left that ISPs don't filter?
No. But I want an Internet in which different ISPs are free to offer different services rather than have a regulated environment that says that ISPs MUST offer a specific service in a specific way. I want choices. --Michael Dillon
On 27 Apr 2005, at 06:07, Owen DeLong wrote:
ISPs transport packets. That's what they do. That's what most consumers pay them to do. I haven't actually seen a lot of consumers asking for protected internet. I've seen lots of marketing hype pushing it, but, very little actual consumer demand. Sure, the hype will probably generate eventual demand, but, so far, it hasn't really.
I'm not sure I agree with this statement. Our customers are retained based on our value added services, including protected internet initiatives, more than for the Internet service we provide. Internet service is becoming commoditized to the end user, with multiple choices at competitive pricing in many markets. Consumers within single provider markets might expect ISPs to only "transport" packets, however in multi vendor markets the ISPs are being chosen for offerings above and beyond network access. This is becoming especially true for companies like AOL, which are attempting to move their value added services independently of their Internet access in anticipation of dropping profit margins on network access as well as an attempt to break into new single vendor markets. Moving packets is no longer enough for ISPs. If customer retention is based on value added services then consumers are making market decisions based on more than network transit. I expect NSPs to transport packets. I expect ISPs to provide Internet services, including security services.
On 27 Apr 2005, at 06:43, Owen DeLong wrote:
I'm sorry, but, I simply do not share your belief that the educated should be forced to subsidize the ignorant. This belief is at the heart of a number of today's sociological problems, and, I, for one, would rather not expand its influence.
It is becoming more expensive for ISPs to cater to the educated than to restrict the ignorant. It appears you would prefer the ignorant bear the burden for the educated. Unfortunately, there are many more ignorant who are willing to purchase restricted internet than educated who require unfettered access, moreover the educated understand the value of unrestricted internet access. As it has a value above and beyond restricted access, in the sense of unrestricted traffic transport, it should be billed at a higher rate accordingly.
On 27 Apr 2005, at 16:33, Owen DeLong wrote:
However, eliminating end-node abuse at the transit just adds more cost and is, in the long run, an ineffective solution at best, usually with unintended side consequences.
For many problems, eliminating the issue at the transit level increases cost to the transit provider but reduces cost to the consumer. This cost reduction can be recouped through effective marketing and having the customer realize those cost savings. If you reduce customer rollover you can tolerate or encourage core infrastructure cost increases as your bottom line can remain the same or increase.
--- James Baldwin hkp://pgp.mit.edu/jbaldwin@antinode.net "Syntactic sugar causes cancer of the semicolon."
--On Wednesday, April 27, 2005 5:09 PM -0400 James Baldwin <jbaldwin@antinode.net> wrote:
On 27 Apr 2005, at 06:07, Owen DeLong wrote:
ISPs transport packets. That's what they do. That's what most consumers pay them to do. I haven't actually seen a lot of consumers asking for protected internet. I've seen lots of marketing hype pushing it, but, very little actual consumer demand. Sure, the hype will probably generate eventual demand, but, so far, it hasn't really.
I'm not sure I agree with this statement. Our customers are retained based on our value added services, including protected internet initiatives, more than for the Internet service we provide. Internet service is becoming commoditized to the end user, with multiple choices at competitive pricing in many markets. Consumers within single provider markets might expect ISPs to only "transport" packets, however in multi vendor markets the ISPs are being chosen for offerings above and beyond network access.
Hey, if you've got customers willing to shell out for that, then more power to you. However, I'm not (and won't be) one of those customers. I'm willing to take responsibility for protecting my systems and choosing what traffic I do and don't want. I don't want someone else doing it for me. I certainly don't want someone telling my ISP that they have to take that choice away from me, and, finally, I _REALLY_ don't want to have to pay more for internet service because other users are too stupid to properly configure a firewall.
This is becoming especially true for companies like AOL, which are attempting to move their value added services independently of their Internet access in anticipation of dropping profit margins on network access as well as an attempt to break into new single vendor markets. Moving packets is no longer enough for ISPs.
Yep... That's fine... I am not opposed to a market for such services, so long as I can still buy actual internet connectivity and not some censored watered-down garbage. Further, I still think that such "value added" services are short-sighted. It creates an arms race between the value adds and the malware providers, destroying more and more functionality in the name of better and better protection from worse and worse malware. Eventually, you end up with things like the TSA and the war on drugs. Problems don't get solved because you continue to attack the symptoms instead of the causes.
If customer retention is based on value added services then consumers are making market decisions based on more than network transit. I expect NSPs to transport packets. I expect ISPs to provide Internet services, including security services.
OK... Whatever... I guess I'm an NSP customer, then. I don't draw a distinction between NSPs and ISPs on the lines you do, and, telling ISPs that they should all filter their end users connections still doesn't sit well with me. ISPs that want to offer that as an optional value added service for a fee, I have no problem. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
Hey, if you've got customers willing to shell out for that, then more power to you. However, I'm not (and won't be) one of those customers. I'm willing to take responsibility for protecting my systems and choosing what traffic I do and don't want. I don't want someone else doing it for me.
Hmmm... when you're driving on a public street there is certain safety equipment you are required to have and use. You're paying more for your vehicle because of seatbelts, airbags and all the other things that are supposed to lessen the impact of an accident. Even if you're an expert driver, you don't have the privilege of not paying for these features. Adi
On 28-apr-2005, at 15:53, Adi Linden wrote:
Hey, if you've got customers willing to shell out for that, then more power to you. However, I'm not (and won't be) one of those customers. I'm willing to take responsibility for protecting my systems and choosing what traffic I do and don't want. I don't want someone else doing it for me.
Hmmm... when you're driving on a public street there is certain safety equipment you are required to have and use. You're paying more for your vehicle because of seatbelts, airbags and all the other things that are supposed to lessen the impact of an accident. Even if you're an expert driver, you don't have the privilege of not paying for these features.
And how exactly does that translate to the online world? Despite the safety and environmental regulations and the fact that you have to have a driver's license and insurance (at least here in NL), there is no requirement that your locks are industrial strength. Or that your car can be locked at all, for that matter. The fact that a compromised computer doesn't really hurt you all that much in the real world is exactly the reason why so many users don't care about security. When driving a car they at least have to be drunk to reach that level of carelessness.
And how exactly does that translate to the online world?
It doesn't. There is little or no punishment for lawlessness and misbehaviour in the online world.
Despite the safety and environmental regulations and the fact that you have to have a driver's license and insurance (at least here in NL), there is no requirement that your locks are industrial strength. Or that your car can be locked at all, for that matter.
There is a clear understanding of right and wrong in the general population. There is law enforcement and meaningful punishment for crooks and thieves. In the online world I have no recourse against anyone compromising my computer.
The fact that a compromised computer doesn't really hurt you all that much in the real world is exactly the reason why so many users don't care about security. When driving a car they at least have to be drunk to reach that level of carelessness.
The fact is that in the online world the abuser is laughing while the abused is left to clean up the damage. Because a compromised computer doesn't really hurt, most do not even know that they are a victim. Adi
Hmmm... when you're driving on a public street there is certain safety equipment you are required to have and use. You're paying more for your vehicle because of seatbelts, airbags and all the other things that are supposed to lessen the impact of an accident. Even if you're an expert driver, you don't have the privilege of not paying for these features.
This simply isn't true. You can purchase a vehicle without any of those devices. Sure, it restricts you to older vehicles, but, they are still available. Additionally, if you so choose, you can build your own vehicle without those devices. There are exemptions in most of the laws for vehicles manufactured without them. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
At 04:17 PM 4/28/2005, you wrote:
Hmmm... when you're driving on a public street there is certain safety equipment you are required to have and use. You're paying more for your vehicle because of seatbelts, airbags and all the other things that are supposed to lessen the impact of an accident. Even if you're an expert driver, you don't have the privilege of not paying for these features.
This simply isn't true. You can purchase a vehicle without any of those devices. Sure, it restricts you to older vehicles, but, they are still available. Additionally, if you so choose, you can build your own vehicle without those devices. There are exemptions in most of the laws for vehicles manufactured without them.
Owen
If one is going to use the car analogy, then the ISP is the street, not the car. The car is the user's computer or customer premise equipment. Streets do not have airbags. (Though that is an interesting concept.) At best, streets have features that influence safety & traffic such as stop signs and guard rails, but even a well designed street does not actually prevent car accidents or dictate what kind of person is riding in a car. But this analogy breaks down on so many levels, so I recommend not using it. The street system is a government controlled monopoly and... well, let's not use this analogy. John
On Thu, 28 Apr 2005, John Dupuy wrote:
But this analogy breaks down on so many levels, so I recommend not using it. The street system is a government controlled monopoly and... well, let's not use this analogy.
If you really want some analogy for the Internet independent of the telecom sector or government infrastructure, the best is to compare the Internet & ISPs to retail product distribution. In both cases you have producers (content or manufacturers) with many different kinds of products and brands consumers want, and complex distribution channels to get from the producers to the stores (ISPs) where end-users actually buy it. But for the majority of retail products, the origin product cannot be contaminated or dangerous to end-users; if you compare groceries (a subset) then it's a lot more interesting: the product can easily get spoiled or otherwise be dangerous, a lot more regulations exist to make sure what consumers get is good, and supermarkets also routinely check the quality of products they receive themselves (especially for produce and dairy). -- William Leibzon Elan Networks william@elan.net
On Thu, Apr 28, 2005 at 05:01:42PM -0500, John Dupuy wrote:
If one is going to use the car analogy, then the ISP is the street, not the car. The car is the user's computer or customer premise equipment. Streets do not have airbags. (Though that is an interesting concept.) At best, streets have features that influence safety & traffic such as stop signs and guard rails, but even a well designed street does not actually prevent car accidents or dictate what kind of person is riding in a car.
I disagree. The street is the transit providers. Road Runner is the car. (Well, *bus*, actually :-). If I put my kid on the bus, yes, I expect it to protect him. Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Designer Baylink RFC 2100 Ashworth & Associates The Things I Think '87 e24 St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274 If you can read this... thank a system administrator. Or two. --me
On Sun, 01 May 2005 12:23:43 EDT, "Jay R. Ashworth" said:
The street is the transit providers.
Road Runner is the car. (Well, *bus*, actually :-).
If I put my kid on the bus, yes, I expect it to protect him.
Small but important correction here: We expect the bus company to protect the passengers *while on the bus*. I don't think *anybody* seriously expects the bus company to deny passage to people who happen to be burglars using public transportation to get to their next work site....
On Wed, Apr 27, 2005 at 03:07:47AM -0700, Owen DeLong wrote:
Sound about right? No, not at all.
I'm not advocating a wild west every man for himself, but, I think that solving end-node oriented problems at the transport layer is equally absurd.
It's like expecting to be able to throw crude oil into a tanker at one end and demanding that the trucker deliver gasoline at the other.
Owen, I may be wrong... but it sounds to me like half the people in this conversation are talking about things *the retail gas station ought to do*, assuming that the people on the other side realize this, and the other side is reacting as if the first group is advocating that *refineries and pipeline operators* ought to be doing those things. Certainly backbone ops shouldn't be doing this sort of filtering, and if you're big enough and willing to pay enough, you ought to be able to get a hose free of such filters. But *what you're paying for* there is the right to pollute the commons, and no, people paying $1/MB's for their Verizon FTTH connection probably ought not to expect a raw unfiltered connection. It's not *just* about bandwidth... Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Designer Baylink RFC 2100 Ashworth & Associates The Things I Think '87 e24 St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274 If you can read this... thank a system administrator. Or two. --me
It's not a buck a meg.
15/2 service is about $45/month: over $3/Mbps downstream, over $22/Mbps for the upstream.
30/5 service is almost $200/month: over $6/Mbps downstream, about $40/Mbps for the upstream.
There should be a little money in their model to provide guidance and/or software to the consumer. Hopefully enough to fund an aggressive abuse department.
At 05:34 PM 4/30/2005, you wrote:
On Wed, Apr 27, 2005 at 03:07:47AM -0700, Owen DeLong wrote:
Sound about right? No, not at all.
I'm not advocating a wild west every man for himself, but, I think that solving end-node oriented problems at the transport layer is equally absurd.
It's like expecting to be able to throw crude oil into a tanker at one end and demanding that the trucker deliver gasoline at the other.
Owen, I may be wrong... but it sounds to me like half the people in this conversation are talking about things *the retail gas station ought to do*, assuming that the people on the other side realize this, and the other side is reacting as if the first group is advocating that *refineries and pipeline operators* ought to be doing those things.
Certainly backbone ops shouldn't be doing this sort of filtering, and if you're big enough and willing to pay enough, you ought to be able to get a hose free of such filters.
But *what you're paying for* there is the right to pollute the commons, and no, people paying $1/MB's for their Verizon FTTH connection probably ought not to expect a raw unfiltered connection.
It's not *just* about bandwidth...
Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Designer Baylink RFC 2100 Ashworth & Associates The Things I Think '87 e24 St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274
If you can read this... thank a system administrator. Or two. --me
On 5/1/05, Robert M. Enger <enger@comcast.net> wrote:
It's not a buck a meg.
There should be a little money in their model to provide guidance and/or software to the consumer. Hopefully enough to fund an aggressive abuse department.
Both things that any provider who hands fat pipes to customers must do. There won't be any money at all in their model if they hand a raw, unfiltered feed to customers .. and I seriously doubt if the customers will want or need one (the vast majority I mean, the people who know enough to switch on their PC / laptop and let their wifi network card pick up a connection, or maybe know a little more like "the blue cable goes from the back of my PC to that bright blue colored box the verizon tech dropped off at my place"). There are some providers who think there is money in charging premium rates to give unfiltered feeds to clued users (speakeasy for example, though it resells dsl from providers who wouldn't give you the same sort of feed or service if you bought directly from them). There are others who see more money in providing filtered feeds to a mass market that only wants to get on the internet, check their email and then spend time streaming music / movies / gaming etc. -- Suresh Ramasubramanian (ops.lists@gmail.com)
On Wed, 27 Apr 2005, Fergie (Paul Ferguson) wrote:
Oh, please.
If you think that the Internet should remain an "every man for himself", wild wild west, OK Corral, situation (not my words, mind you), then you better get with the powers that will steam-roll all of us if we let it -- money and marketing.
This ain't no science project anymore.
Bruce is right -- right as rain -- I don't give two damns whether you think it is an issue of marketing, or protective self-advertising. The issue is that the _consumers_ want it, that's what they'll pay for, and it is the ISP's prerogative to either honor that wish, or lose the business.
We owe it to our customers, and we owe it to ourselves, so let's just stop finding excuses to side-step the issue.
Sound about right?
No. Not at all. I agree that if customers are willing to pay for managed security services that ISPs should provide them. However, an ISP that does not provide them is not lazy and irresponsible, as characterized in the article. As for security, intelligent ISPs will be monitoring their network and will have sensors in place (NetFlow, Snort, SNMP traps, log watchers) to alert them to abnormal traffic patterns and take action, but that does NOT extend to enforcing a security policy on the public without their consent. If the public agrees to it, and requests it, that is one thing. Universally filtering packets because it makes our lives easier is another. No one said this business would be easy. -- Vice President of N2Net, a New Age Consulting Service, Inc. Company http://www.n2net.net Where everything clicks into place! KP-216-121-ST
Fergie (Paul Ferguson) wrote:
We owe it to our customers, and we owe it to ourselves, so let's just stop finding excuses to side-step the issue.
So are you saying that managed security services are not available for paying consumers in the USA? Pete
On Wed, 27 Apr 2005, Petri Helenius wrote:
We owe it to our customers, and we owe it to ourselves, so let's just stop finding excuses to side-step the issue.
So are you saying that managed security services are not available for paying consumers in the USA?
I think the debate is whether the default should be managed or unmanaged. And some here are concerned that if the default becomes managed throughout the industry, they'd never be able to get unmanaged from anyone. -- William Leibzon Elan Networks william@elan.net