At 7:07 PM -0700 2004-06-10, David Schwartz wrote:
Most of the people on this list see things from the ISP's perspective. However, step back a bit and see it from the user's perspective. Do you expect to pay for phone calls you didn't make or do you expect the person whose deliberate conscious action caused those calls to be made? Do you expect to be responsible for patrolling your electric lines to make sure someone hasn't plugged into your outside outlets?
If you had a PBX in your home that was misconfigured and allowed people to dial-in and then dial back out and get free long distance, and your telephone company warned you about this weakness, forgives your first month overages due to your being hacked, and yet you still refused to fix the system, then you're toast.
Under those circumstances, if someone makes $10M worth of long distance calls via your PBX, then you're going to have to pay up.
Of course, except in this case, the phone company can't easily tell the legitimate calls from the illegitimate ones and block only the illegitimate ones. Every analogy will break down, so don't expect to be able to convince people with analogies that seem so obviously right to you. Nothing is exactly accurate except the actual situation itself. And, again, almost every contract has some insurance elements to it. There will be unusual cases where it's actually possible for the utility to lose money if something unusual happens. My main point is that the understanding that seems so obviously right to you may not seem so obviously right to your customers.

As for all the people who talk about turning off their DSL access when they're away from home, they're missing the point. Obviously a person could do that. We could shut off our electricity when we leave home. We could have our telephone service temporarily disabled when we go on vacation too. A person could do all of these things. My point is that it's also perfectly reasonable for a person not to do these things. Because in general an ISP has more ability to control these things and it makes very little sense for a home user to insure an ISP, it makes more sense for the ISP to insure the user.

In any unfortunate situation, you can find a hundred things that anyone could have done differently that would have avoided the situation. But that is not how you establish responsibility, financial or moral. You look at people who failed to use reasonable prudence. And, of course, the ISP always (or very nearly always) insures the user against the costs of inbound attack traffic that exceeds his line rate. The more demands you make of your customers, the more you decrease the value of your very own product. Frankly, if I ruled the world, obtaining Internet access would require a serious cluefulness test and you'd take a lot more responsibility for generated traffic.
I know a lot of people on this list wish things were the same way and sometimes want it so much that they're able to convince themselves that this is the way things actually are in the real world today. But they're not, and you may find that outside your group of friends, your views are found to be very odd by the majority of 'normal' (but, admittedly, inferior) people. The arguments that seem so obviously right to you may be greeted by amusement and the analogies you think work will be found unconvincing. This is because this argument is largely about other people's expectations. DS
This thread is quite amusing and interesting at the same time. If I read the original post right, Mr. Mike Bierstock was informed that he was generating an unusual amount of traffic, traffic he would have to pay for. He got the bill and had to deal with the consequences. What is wrong with that? Does it matter how this traffic was generated? Adi
the bottom line

o if you want the internet to continue to innovate, then the end-to-end model is critical. it means that it takes only X colluding end-points to deploy a new application which might be the next killer app which drives your business. remember, email was not part of the original spec; http was not; jabber was not; ... this is in opposition to the telco model, where billions need to be spent upgrading a smart middle to do anything new. and guess who gets the profits, if any, considering what the deployment did to capex and opex.

o this means that the network will also transport bad things; kinda like the phone network will carry obscene calls. damned shame, but that's the price you pay for liberty. or you can ask john poindexter (aka vigilante isps) to defend liberty for you and find all sorts of very unlovely and long term consequences.

o this moves the burden for security to the edges, to the site boundaries, which may not care if their users can be early adopters of the next wannabe killer app, and to the end-points, the hosts themselves.

o but there are jillions of end-points; well yes, there are jillions of telephones too. and it's gonna be hell to clean up after the fact that they were designed without security, some have 80 jillion lines of code sitting on the laptops of naive users, blah blah. you want to support a free society, then the populace has to be educated. ain't no magic pixie dust here. they know how to recognize and maybe even report a 'breather' when they pick up the phone. well, they gotta recognize a bad attachment when they get the email. and the software vendors have to clean up the jillions of lines of cr^h^hsoftware they have on the end users' desktops. and they are, half out of clue and half out of the smell of liability. but it will take a while. there ain't no free lunch.

randy, who is clearly thinking of lunch, or maybe just out to lunch
In message <16586.8612.782504.433628@ran.psg.com>, Randy Bush writes:
the bottom line
o if you want the internet to continue to innovate, then the end-to-end model is critical.
What Randy said. (And all the rest of the post that I deleted to save a bit of bandwidth.) --Steve Bellovin, http://www.research.att.com/~smb
--On 11 June 2004 14:18 -0700 Randy Bush <randy@psg.com> wrote:
the bottom line
o if you want the internet to continue to innovate, then the end-to-end model is critical. it means that it
If there is a lesson here, seems to me it's that those innovative protocols should be designed such that it is relatively easy to prevent or at least discourage "bad traffic". Because that's in the long run easier (read cheaper for those of you of a free market bent) than educating users in an ever changing environment. It would be a bit rich to criticize SMTP (for instance) as misdesigned for not bearing this in mind given the difficulty of anticipating its success at the time, but there is a lesson here for other protocols. I can think of one rather obvious one which would seem to allow delivery of junk in many similar ways to SMTP; hadn't thought of this before but we should be learning from our mistakes^Wprevious valuable experience. Alex
I can agree with that, and Randy pointed out that when these ideas were created and written, security was not part of the overall plan because there were trusted parties on either end of the spectrum. I think that my intent was noble and I am glad I started a controversy, because this is an issue that needs to be addressed as we move forward with internet development and secure application development. Working for a telecomm/datacomm company gives me some insight into the problem; I am looking into it deeper from a hardware perspective, of designing a solution that goes on a board, among other systems issues... Yeah, I brainstorm too, and also being an end user client I think about the end result of no solution and people overwhelmed with issues that lead to no solution, to people so overwhelmed they think legislating law can fix broken code. It does help when the architects give me insight into the issue and how immense it is and what to look at when I am determining the end result of any of my efforts. -henry --- Alex Bligh <alex@alex.org.uk> wrote:
yes, we're gonna hack desperately for a decade to make up for asecure (innocent of, as contrasted with devoid of, security) application protocols and implementations. it'll take half that time for the ivtf and the vendors to realize how deeply complexity is our enemy. and until then we'll hack everywhere in our desperation. but in the long run, i don't think we can win with an active middle. the problem is that the difference between good traffic and bad traffic is intent. did the sender intend to send / reveal those data? did the recipient wish to receive them? and, i don't think we can stand in the middle and judge. and there's the rub. the cute example is, as i said to you privately, that i have customers who wish to receive what is sent by what i think of as malicious folk. the recipients are security folk and net-sociometricians. so who am i to judge? some people even eat at macdonalds. randy, who enjoyed his lunch of seared ahi and asparagus
Well, it depends upon the contract between the customer and the ISP. It matters if the traffic was actually delivered. For example, if the traffic was attack traffic that hit the ISP's filter, is it fair to charge the customer for the traffic because it came over their line? If the ISP had an obligation to stop attack traffic from their customers from getting onto the Internet, yes, it matters if the costs are due to the ISP failing in that obligation.

As I understood this example, this was traffic that the ISP knew was generated by a worm. The ISP had an obligation to stop this traffic with filters or customer disconnection. They may or may not have complied with their obligation. Either way, it's hard to see why the customer should pay for traffic the ISP did not or should not have delivered. The customer could justifiably be billed for the extra costs he imposed upon his ISP in dealing with his attack traffic, but not for the traffic itself once it was identified. As I said, at that point the ISP should not have delivered it. Doing so creates more victims, and the ISP has a greater responsibility than the customer because they have greater knowledge and control. It doesn't matter much what the contract says if the ISP wrote it and the customer didn't understand it.

Ask yourself a single yes or no question -- does an ISP have a responsibility to stop worm traffic generated by their customers from getting onto the Internet once they have identified it? And if so, does it matter whether or not the customer cooperates? DS
On Fri, 11 Jun 2004, David Schwartz wrote:
generated by a worm. The ISP had an obligation to stop this traffic with filters or customer disconnection. They may or may not have complied with their obligation. Either way, it's hard to see why the customer should pay for traffic the ISP did not or should not have delivered.
ISPs deliver properly addressed packets to their destination (the return address sometimes isn't checked). Do ISPs have an obligation to stop certain packets, based on what? What does your contract say? Did you pay the ISP to provide filters? Did you include a phrase that said the ISP had to give you 30 days notice and reasonable time to cure the breach before the ISP could terminate your service? Did the contract say the ISP would block traffic generated by worms?

As people regularly point out, the Internet is a dangerous place. Is it as dangerous as going to a baseball game?

BOSTON, Massachusetts (AP) -- A woman who was seriously injured by a foul ball at Fenway Park has no grounds to sue because she assumed a risk by attending the baseball game, a state appeals court ruled. The Red Sox "had no duty to warn the plaintiff of the obvious danger of a foul ball being hit into the stands," the court said Wednesday in blocking Jane Costa's personal injury lawsuit from going to trial.

It would be much easier if evil doers followed RFC3514. Determining "intent" from the bits is difficult. If you call a customer up and ask "Did you know your computer is generating a lot of network traffic and your bill will be very large?" and the customer says "Ok", what should you do? Assume the customer is an idiot, and even though they said Ok, you should cut off their Internet connection anyway?

If your child borrows your credit card, and makes lots of unauthorized charges, you may not have to pay more than $50; but the bank can go after your son or daughter for the money. Most parents end up paying, even if they didn't authorize their children to use the credit card. If the bank sends you an ATM or debit card statement, and you fail to report unauthorized transfers on the statement after 60 days, you may be responsible for unlimited loss. You can lose a lot of money if you think it's other people's responsibility to protect you.
You are responsible for reviewing the statement and informing the bank of unauthorized activity; not the bank. Why do so many people ignore their ISP when told about problems with their computer? My computer can't be infected, I have a firewall. Paul Vixie proposed that people should be required to use personal Co-Lo so the co-lo provider has collateral to seize when the customer fails to keep the computer secure. Would customers complain if ISPs started seizing their computers instead of sending them large bills? Should ISP's charge customers cleanup fees to encourage them to keep their computers secure? $10 or $100 or $1,000 per incident? Should it be like points on your Internet driver's license? For the first incident you have to attend 8-hour traffic school, for the second incident in 12 months you have points put on your record and your insurance rates go up. Too many points, and your Internet privileges are revoked.
we americans do not readily accept responsibility for our [in]actions. we sue for being hit by a baseball while attending a game. we sue for spilling hot coffee on ourselves. we sue when we walk into open trenches and manholes. and we self-righteously torture, commit war crimes, and murder, at a digital distance, and expect immunity in the world opinion and courts. it's a small planet, but our culture still has the vision of the infinite resources of the frontier. so, if i can't get what i want, or if i get what i don't want, surely someone else is at fault. randy, who clearly has pontificated enough for the day
attending a game. we sue for spilling hot coffee on ourselves.
http://lawandhelp.com/q298-2.htm Interesting reading on that whole "woman sues for spilling hot coffee on herself" story. Sometimes there's a LOT more to the tale. :)
while i am no fan of macdonalds, and a good case is made for their negligence, perhaps you should follow the advice at the bottom of that web page The most important message this case has for you, the consumer, is to be aware of the potential danger posed by your early morning pick-me-up. randy
Or, go see the movie "Super Size Me" - you might just give up McDonald's entirely, reducing your risk of burns from their overheated coffee. :)
Haven't been in one in over 2 years - and not through any great principle, I just stopped. Odd how our tastes change with age ;-) Peter
----- Original Message ----- From: "Randy Bush" <randy@psg.com> To: "Jonathan Nichols" <jnichols@pbp.net> Cc: <nanog@nanog.org> Sent: Friday, June 11, 2004 3:32 PM Subject: Re: Points on your Internet driver's license (was RE: Even you can be hacked)
Yep...and after 65 years (assuming she started drinking coffee at 16), "reasonable expectation" of the temperature comes to mind. I don't go to these kinds of places...has the temperature been climbing up in order to let you have a drinkable cup after (whatever you do) an hour? --Michael
If your child borrows your credit card, and makes lots of unathorized charges, you may not have to pay more than $50; but the bank can go after your son or daughter for the money. Most parents end up paying, even if they didn't authorize their children to use the credit card.
So the credit card company calls you and asks about a bunch of suspicious charges being placed on your card. Ok, just keep on charging. Now who's to blame for these charges by your sons and daughters and the Russian mafia?

I sell a client a metered product (gas, water, electricity, telephone, internet data, etc). I notice unusually high consumption. I inform the client that the bill is accumulating rather quickly and I suspect a problem. I have done my job. The client either tells me to stop delivery until the problem is diagnosed and resolved or tells me to continue service. Either way, the ball is in the client's court. If the client chooses continuation of service despite high consumption and a subsequent huge bill he has an obligation to pay, no matter WHY the usage was too high.

Our society has a screwed up sense of responsibility. Everyone else is supposed to look out for me and take care of me. If something happens to me because I do something stupid or foolish, someone failed to warn me, didn't make the sign big enough, didn't sound the horn loud enough, didn't lock me up so I couldn't hurt myself. This isn't true for everybody but way too many.... Adi
Scalable bandwidth is not new and is charged for; what is the issue about that? If the network is compromised and it is on the client end, that is what business insurance is for, so that everyone gets theirs (payments); otherwise other types of arrangements need to be made, according to the doctrine of the reasonable man.... -henry R Linneweh --- Adi Linden <adil@adis.on.ca> wrote:
sean@donelan.com (Sean Donelan) writes:
...
Why do so many people ignore their ISP when told about problems with their computer? My computer can't be infected, I have a firewall.
in any other industry, you (the isp) would do a simple risk analysis and start treating the cause rather than the symptom. for example you might offer inbound filtering, cleanup tools and services, and you would put their computer in cyberjail when it was known to be "infected", and you would certainly not offer your services without a clear idea of how to reach the customer and assist them in getting out of cyberjail -- even if it meant rolling a technician. but then you'd have to charge for all that. and in the isp business, you'd have competitors who wouldn't offer it and wouldn't charge for it, and you'd lose business or maybe even go out of business. with the unhappy result being that you just let it happen, which is bad for your customers, and bad for the rest of us on the internet, but not nearly as bad for you (the isp). for you (the isp), every possible cure is worse than the disease. but you don't seem to mind that the rest of us, and your customers, catch various diseases, as long as *you're* ok. feh.
Paul Vixie proposed that people should be required to use personal Co-Lo (1) so the co-lo provider has collateral to seize (2) when the customer fails to keep the computer secure.
well, no. i (1) said that people who had personal co-lo boxes in better internet neighborhoods and who could just use their cable or dsl line for web browsing and for access to their personal co-lo box would have less of their e-mail rejected at the far end. and as for (2), i think that anyone who co-lo's a personal box is likely to first learn how to pay enough attention to it that it will not become a malagency for third parties, and that a co-lo operator who only had such customers would be able to charge enough to pay for some monitoring and cleanup and so on; the possibility of seizure is more for the case of deliberate abuse (like ddos'ing an irc server, or sending spam, or hosting spamvertized www) than third party abuse. see <http://www.vix.com/personalcolo/> for more information about all that. and note that i'm broadening it to include smtp-auth/webdav/ftp providers who want to serve basically the same market but without dedicated iron. so if you offer that and haven't told me, then please tell me now.
Would customers complain if ISPs started seizing their computers instead of sending them large bills?
that's so unsequitur that i don't even know how to read it let alone answer.
Should ISP's charge customers cleanup fees to encourage them to keep their computers secure?
yes.
$10 or $100 or $1,000 per incident?
no. there should be a forfeitable deposit, plus a per-incident fee which is mostly to pay for the cost of monitoring and the cost of auditing the host to ensure that it complies with the isp's security policy before it can be reattached. the deposit can be refunded after N years of incident-free behaviour, and should be doubled after each verified incident.
Should it be like points on your Internet driver's license? For the first incident you have to attend 8-hour traffic school, for the second incident in 12 months you have points put on your record and your insurance rates go up. Too many points, and your Internet privileges are revoked.
alas. on the internet, nobody knows you're a dog. -- Paul Vixie
alas. on the internet, nobody knows you're a dog.
http://www.nettime.org/Lists-Archives/nettime-l-0405/msg00057.html
On Sat, 12 Jun 2004, Paul Vixie wrote:
in any other industry, you (the isp) would do a simple risk analysis and start treating the cause rather than the symptom.
What other industry do you know where you are expected to fix products you didn't sell and didn't cause for free? Should we revoke Carterphone? You can't connect a Tivo or unauthorized device to your ISP connection, and ISP would remotely control all the devices on your home network to ensure they are patched and secure. Send me your root passwords. Trust me.
for example you might offer inbound filtering,
Done. Effectiveness?
cleanup tools and services,
Done. Effectiveness?
and you would put their computer in cyberjail when it was known to be "infected",
Done. Effectiveness?
and you would certainly not offer your services without a clear idea of how to reach the customer and assist them in getting out of cyberjail --
Done. Effectiveness?
even if it meant rolling a technician.
Done. Effectiveness? Been there, done that. Got any new ideas?
no. there should be a forfeitable deposit, plus an per-incident fee which is mostly to pay for the cost of monitoring and the cost of auditing the host to ensure that it complies with the isp's security policy before it can be reattached. the deposit can be refunded after N years of incident-free behaviour, and should be doubled after each verified incident.
How much are you willing to pay? The bank industry makes billions from late payments, overdrafts, charge backs. It makes banks a lot of money, and puts people in bankruptcy, but doesn't seem to be very good at teaching people to handle credit wisely. People already think ISPs make money from infected computers and spammers. What incentive would there be for people to fix things instead of just paying them off? Is it Ok to spam, as long as you pay a lot? Is it Ok to leave an infected computer on the network, as long as you pay a lot? Haven't you just described what "bullet-proof" web hosting companies do?

How do we create incentives for people to want to buy more secure products? Why do people continue to buy Windows instead of Macs? Cars have a gas guzzler tax to encourage fuel efficiency; should Windows computers have a security guzzler tax to encourage security?
Should it be like points on your Internet driver's license? For the first incident you have to attend 8-hour traffic school, for the second incident in 12 months you have points put on your record and your insurance rates go up. Too many points, and your Internet privileges are revoked.
alas. on the internet, nobody knows you're a dog.
Regulations could fix that. The US Postal Service has the Postal Inspection Service. They have jurisdiction anywhere the mail goes. The post office didn't create the Anthrax, they delivered the envelopes as addressed. Most railroads have railroad police with jurisdiction anywhere the railroad tracks go. Some railroad police departments have trans-national jurisdiction in multiple countries. Do we need an Internet Police with jurisdiction anywhere the Internet goes? Instead of waiting for the FBI to make a case, the ISP police could arrest people. Should ISPs be required to forward all their customer information and logs to the Department of Homeland Security (or other national equivalent) so they always know who is doing what? Would that solve the "no one knows you're a dog" problem?
Sean Donelan wrote:
and you would certainly not offer your services without a clear idea of how to reach the customer and assist them in getting out of cyberjail --
Done. Effectiveness?
If you do this and keep them there until they are fixed, your network should qualify as a good neighborhood and the influx of email into your abuse@ addresses should be minimal. Eventually they'd either clean up or move elsewhere. If the places to move to would be small enough in numbers, they could be filtered from the rest of the Internet. Pete
Been there, done that. Got any new ideas?
Provide a safe network connection. I believe an ISP should provide a safe environment to play, assuming the customer is innocent granny. Your average DSL network connection should be safe by default, so a default Win98 (or any other OS) can be connected without fear of compromise. I really don't agree with the "Internet driver's license" concept as presented. It really is not an "Internet driver's license" but a "Microsoft Safe Operating License". A one fits all type arrangement. Who sets the standard? The plug that connects to the internet world needs to scale with the level of expertise of the user. This needs to include a beginners level for the clueless with safe email and safe browsing. Adi
On Saturday 12 June 2004 14:53, Adi Linden wrote:
The problem with this is one of who pays for it. You are talking about an environment where the newcomers and non-experts require significantly more intervention in how things are done and what they can do than the more experienced hands. Do you charge the newbies more to cover this level of protection, or do you spread the charges across your entire userbase to avoid impacting one segment? If you raise the prices for newbies then you will automatically have newcomers going for the cheaper, more "raw", service and negating any advantages you have to a tiered product set with protection at the bottom. If you spread the charges then the users who require less handholding are going to get upset when their prices are hiked to cover functionality they will never use.

The only real way to enforce product stratification on this scale, where people are introduced safely and then educated and given more freedom, is to enforce some kind of metric on what is a permissible clue level to move to the next stratum of service with less handholding. This means ISPs effectively having to vet all of their customers when they try to upsell. The alternative to this is a multilateral "driving license" whereby simply having the piece of paper gets you the cheaper, rawer service.

If handholding was for everyone then AOL would be the only service provider and the rest of us wouldn't exist. None of the suits who run the companies represented here are going to do anything to impact their bottom line, so refusing to take customers on a skill basis isn't going to happen. I don't really see that it's the ISP's job to make the net less frightening for the customers. It should be down to the OS vendors of whatever shape and the application vendors to ensure that their products are as secure as they can reasonably be, which is not currently the case.
What you are proposing with the "protect granny at all costs" approach is giving software vendors an excuse to code crappy product because there won't be any impact. Do you fancy subsidising Microsoft in the long term? P.
The problem with this is one of who pays for it.
The customer.
You are talking about an environment where the newcomers and non-experts require significantly more intervention in how things are done and what they can do than the more experienced hands.
I am talking about an environment that applies significant filtering before packets are delivered to the customer. NAT, firewall, proxy.... I don't think it is all that difficult to do.
Do you charge the newbies more to cover this level of protection, or do you spread the charges across your entire userbase to avoid impacting one segment?
This protection is a basic service. Opening ports, supplying a real ip address, removing the proxy are the add-on items that increase the cost of the connection.
If you raise the prices for newbies then you will automatically have newcomers going for the cheaper, more "raw", service and negating any advantages you have to a tiered product set with protection at the bottom.
Raise the price of the "raw" service. Keeping in mind I am talking about broadband connections to homes and small offices, not bandwidth for larger organizations that should have an IT department.
If you spread the charges then the users who require less handholding are going to get upset when their prices are hiked to cover functionality they will never use.
An ISP has a responsibility in regards to the packets transported. I get the impression that most ISPs prefer to be "packet movers". Move packets from point A to point B without monitoring, intervention or any other responsibilities or obligations. This is quite appropriate for an ISP serving corporate clients with large pipes, where IP space is assigned from the ISP to the client. Once we're talking about providers that serve homes and small offices this should be different. The ISP holds the IP space so it should be held responsible for the packets originating from these IPs to some degree. In other words, if I provide proof that ip w.x.y.z is the source of unsolicited email (these days probably because of a compromised host) I firmly believe that it is the ISP's responsibility to either provide contact information on who owns this IP and/or manage the traffic to eliminate the abuse. I am convinced that the cost of looking after the "raw" clients will be much greater than the cost of providing "conditioned" bandwidth. Adi
----- Original Message ----- From: "Adi Linden" <adil@adis.on.ca>
Provide a safe network connection. I believe an ISP should provide a safe environment to play, assuming the customer is innocent granny. Your average DSL network connection should be safe by default, so a default Win98 (or any other OS) can be connected without fear of compromise.
That's like saying provide safe electricity. If someone has a toaster where the wire cracks and they electrocute themselves, or a hair dryer that isn't safe in the bathtub, do you complain that the electric company should provide safe electricity? How is bandwidth any different? There is no "safe bandwidth". No matter how you look at it it's two-way communication and it's never going to be "safe" as far as the bandwidth goes, just like electricity is power and it's never going to be safe. It's the devices you plug in that need to be made safe. The only thing ISPs can do is damper bandwidth, try and limit feedback/flow rates so we don't have a single tree take out the electrical network in the northeast. Geo.
Maybe I'm a little slow on the draw, but I've just now realized that we've come full circle, in a strange sort of way. 8 to 10 years ago the discussions were dominated by Karl D(1), where *everything* was defined as to whether it was "actionable" or not. Now the discussions are dominated by many people, acting like Karl D, where their view is solely based on whether their contract supports either what they do or don't do. -mark (1) Actual name not shown to avoid being sued.
8 to 10 years ago the discussions were dominated by Karl D(1), where *everything* was defined as to whether it was "actionable" or not.
Googling for "Karl Denninger" and "actionable" only gets 30 hits but, oh the nostalgia of it all... Check out http://www.denninger.net to see that he is still alive and kicking and protesting one thing or another.
* Michael.Dillon@radianz.com (Michael.Dillon@radianz.com) [Mon 14 Jun 2004, 12:20 CEST]:
Check out http://www.denninger.net to see that he is still alive and kicking and protesting one thing or another.
Would you buy an anti-spam solution from a man that requires the inclusion of certain keywords in the subject in order to avoid getting trapped in his own spam filters? -- Niels. -- (from the bottom of www.denninger.net/democrat.htm, which is a load of trite anyway, ``Please insert the word "advocacy" or "agree" in the subject line of your message to avoid my spam filters.'')
Wow he has changed and toned down a lot from those days -Henry --- Michael.Dillon@radianz.com wrote:
8 to 10 years ago the discussions were dominated by Karl D(1), where *everything* was defined as to whether it was "actionable" or not.
Googling for "Karl Denninger" and "actionable" only gets 30 hits but, oh the nostalgia of it all...
Check out http://www.denninger.net to see that he is still alive and kicking and protesting one thing or another.
That's like saying provide safe electricity. If someone has a toaster where the wire cracks and they electrocute themselves, or a hair dryer that isn't safe in the bathtub, do you complain that the electric company should provide safe electricity?
The problem with all the comparisons is what you are comparing. Your utility has an obligation to provide safe electricity. If you're holding your hair dryer while the utility company sends you 25,000 Volts instead of 120 Volts you should complain.
How is bandwidth any different?
It is not any different.
There is no "safe bandwidth". No matter how you look at it it's a two way communications and it's never going to be "safe" as far as the bandwidth goes, just like electricity is power and it's never going to be safe. It's the devices you plug in that need to be made safe.
Computers are devices that are supposed to magically do anything. If I purchase a computer to browse the web and send email I should be able to obtain "safe bandwidth" that provides web access and email. To compare this with the electricity company, the average home with a 200A service is equivalent to NATed and firewalled internet bandwidth. As your electricity demands grow (for whatever reason) the electricity company upgrades your service, to 3 phase, 600V, whatever. Same with internet bandwidth, get a public ip, get a static ip, get ports opened, run servers. Just as the upgraded electricity service requires more knowledge and equipment so does the upgraded internet bandwidth. Adi
Adi Linden wrote:
To compare this with the electricity company, the average home with a 200A service is equivalent to NATed and firewalled internet bandwidth. As your electricity demands grow (for whatever reason) the electricity company upgrades your service, to 3 phase, 600V, whatever. Same with internet bandwidth, get a public ip, get a static ip, get ports opened, run servers. Just as the upgraded electricity service requires more knowledge and equipment so does the upgraded internet bandwidth.
If we would properly follow the analogy above, ISPs should provide a "security fuse" which would disconnect the user when blown. Paul called this "cyberjail" if I follow his thoughts. All efforts above this should be charged separately or be part of "better general level of service". You can also charge for letting people out of the jail. Make it $50 or $100 a pop, not to be outrageous but justifiable. Pete
If we would properly follow the analogy above, ISPs should provide a "security fuse" which would disconnect the user when blown. Paul called this "cyberjail" if I follow his thoughts. All efforts above this should be charged separately or be part of "better general level of service". You can also charge for letting people out of the jail. Make it $50 or $100 a pop, not to be outrageous but justifiable.
Absolutely. Properly managing one's bandwidth needs to be less expensive than the penalty for abuse. Adi
To compare this with the electricity company, the average home with a 200A service is equivalent to NATed and firewalled internet bandwidth. As your electricity demands grow (for whatever reason) the electricity company upgrades your service, to 3 phase, 600V, whatever. Same with internet bandwidth, get a public ip, get a static ip, get ports opened, run servers. Just as the upgraded electricity service requires more knowledge and equipment so does the upgraded internet bandwidth.
The biggest problem with this is that, so long as the lines support it, your electric company will send you as few or as many amps as you need, when you need it. They also make sure they don't send you 1200 amps on a #14 wire, which would probably cause a significant portion of your wiring to smoke, if not burn. With internet access, how easy is it to suddenly turn off NAT, stop redirecting all SMTP access to your anti-everything spam-free SMTP server, remove the firewalls blocking outbound IPSec packets and inbound SSH? How quickly can it be done? How much should be charged for it?

The better analogy is what happens when you leave your oven on for 8 days straight? Assuming your house doesn't burn down, should you have to pay the electric bill for those 8 days? Hell yeah. It's impossible to separate what was "legit" energy use and what was from the oven, and it's not their fault you didn't turn it off anyway. And in the worst case, if your house burns down, it's STILL not their fault!

Commodity internet access is a one-size-fits-all game plan. At most, there's a second size, residential or business. But any user of either plan can be compared to any other user of the same plan, and the provider will treat them the same. It's too difficult, and doesn't pay, to try and treat them differently. The extra $10 a month isn't going to justify the $20 spent making the changes or talking to the person on the phone. Rob Nelson ronelson@vt.edu
The better analogy is what happens when you leave your oven on for 8 days straight? Assuming your house doesn't burn down, should you have to pay the electric bill for those 8 days? Hell yeah. It's impossible to separate what was "legit" energy use and what was from the oven, and it's not their fault you didn't turn it off anyway. And in the worst case, if your house burns down, it's STILL not their fault!
This has somewhat deviated from the original post and who is responsible for the bandwidth bill. When you buy a metered service, be it electricity, water, bandwidth, you pay what you use. It is not the supplier's responsibility to determine what you do with it and question your consumption. I think it is foolish to buy a metered service without ceiling and leave things wide open. When I buy metered bandwidth I demand a hard limit. If I reach this hard limit I expect to be notified and cut off. If my upstream neglects to cut me off, consumption above and beyond the hard limit is their burden since they didn't meet their contractual obligation. A simple solution.
Commodity internet access is a one-size-fits-all game plan. At most, there's a second size, residential or business. But any user of either plan can be compared to any other user of the same plan, and the provider will treat them the same. It's too difficult, and doesn't pay, to try and treat them differently. The extra $10 a month isn't going to justify the $20 spent making the changes or talking to the person on the phone.
And that is a problem. Unlike your electricity, where the supplier has an obligation to provide a certain level of clean energy, there is nothing like it with internet bandwidth. All the crud and exploits are dutifully forwarded to the customer.

Some argue that clueful internet consumers are the answer. Prove your knowledge in being able to secure devices connected to the internet and maintain them properly. The "Internet driver's license" is proof of proficiency in this case. I argue that this is way overboard. I don't believe anyone should require any particular knowledge to obtain an internet connection and use the internet. Instead internet needs to be available as a clean conditioned service for consumption by the clueless.

The reason this isn't economical today is because ISPs lack any responsibility. It is cheaper for an ISP to buy more bandwidth and pass the worms and viruses customers' PCs spew to the internet than it is to deal with the problem. Seriously, if I send an ISP reasonable proof that a broadband customer hits my mailserver with thousands of emails an hour I should be able to expect an immediate response. Not hours, days or weeks, minutes, and the originating account should be shut down. If this doesn't happen I should be able to go to the upstream of the ISP, present my case, and have connectivity to the ISP suspended. Adi
On Sun, Jun 13, 2004, Adi Linden wrote:
The reason this isn't economical today is because ISPs lack any responsibility. It is cheaper for an ISP to buy more bandwidth and pass the worms and viruses customers' PCs spew to the internet than it is to deal with the problem. Seriously, if I send an ISP reasonable proof that a broadband customer hits my mailserver with thousands of emails an hour I should be able to expect an immediate response. Not hours, days or weeks, minutes, and the originating account should be shut down. If this doesn't happen I should be able to go to the upstream of the ISP, present my case, and have connectivity to the ISP suspended.
Then, start an ISP, charge extra for that kind of maintenance and compete in the marketplace. See how it works out. I wish you the best of luck, I really do.

Secondly, I WANT my ISP to require more than just some third party saying "holy crap, someone's spitting out crap at me. Suspend!". Obviously you've not been handed Norton Personal firewall logs which CONCLUSIVELY PROVE, as far as the user is concerned, that MY SQUID reverse proxy server is spewing out INVALID TCP FLAGS. Not that they could possibly comprehend what the hell Invalid TCP flags are with the help Norton gives. I've seen ISPs get "friendly" emails from people who say that they've been hacked by ${FOO}, received nasty email from ${FOO}, all kinds of crazy stuff. I'd hate to have my internet connection disabled every week because some random person decides I'm doing something illegal.

I can understand your point of view. Personally, I'd love it if internet access was a simple, secure, managed commodity. But it isn't. There are far, far too many factors involved which you just Don't Get with water or electricity networks. Specifically, the things you hook up to your electricity or water network are government controlled with government guidelines. There are strict penalties for those who break the rules and there are licences for those who work on them. I don't see any of this with the internet. You can hook Anything you want up to an internet connection and have it work if it has a relatively recent (1990?) TCP/IP stack. There's no _specific_ guidelines on what can and can't be connected.

The ISP has _no_ legal basis in a lot of cases for terminating accounts when "we" (being the people making noise on this list) would hope they would. If they do, they possibly expose themselves legally. Can you imagine the SOHO owner who screams because he's lost revenue because you shut down his internet connection for a worm? Even if you have a "bullet proof AUP" you may still end up having to deal with lawyers and possibly some court time.

So, please explain again, why should an ISP get involved right now? $AUD0.02.

Adrian
--
Adrian Chadd <adrian@creative.net.au>
I'm only a fanboy if I emailed Wesley Crusher.
The reason this isn't economical today is because ISPs lack any responsibility. It is cheaper for an ISP to buy more bandwidth and pass the worms and viruses customers' PCs spew to the internet than it is to deal with the problem. Seriously, if I send an ISP reasonable proof that a broadband customer hits my mailserver with thousands of emails an hour I should be able to expect an immediate response. Not hours, days or weeks, minutes, and the originating account should be shut down. If this doesn't happen I should be able to go to the upstream of the ISP, present my case, and have connectivity to the ISP suspended.
Then, start an ISP, charge extra for that kind of maintenance and compete in the marketplace. See how it works out. I wish you the best of luck, I really do.
Today ISPs are not held accountable for the traffic that originates from their network. If they were, the economics would be different. Support costs for wide open broadband connections to the home would skyrocket. I am convinced that providing a safe internet connection to the home user would be quite viable at this point.
I can understand your point of view. Personally, I'd love it if internet access was a simple, secure, managed commodity. But it isn't.
Correct. The answer is to make it a simple, secure, managed commodity. Not to demand that granny has a degree to send and receive email.
The ISP has _no_ legal basis in a lot of cases for terminating accounts when "we" (being the people making noise on this list) would hope they would. If they do, they possibly expose themselves legally. Can you imagine the SOHO owner who screams because he's lost revenue because you shut down his internet connection for a worm? Even if you have a "bullet proof AUP" you may still end up having to deal with lawyers and possibly some court time.
Correct. Today there is less hassle and less risk to an ISP if pollution by their customers is just ignored and allowed to happen. The penalties for polluting are non-existent. The internet is a commodity supplied to customers. As such an ISP should have an obligation to supply it as clean and secure as possible. As much as the customer has an obligation to ensure that internet connected devices do not pollute the internet, so does the ISP have an obligation not to pass this pollution to customers.
So, please explain again, why should an ISP get involved right now?
Because it is the right place to start. It is just lacking incentive. Adi
adrian@creative.net.au (Adrian Chadd) writes:
... I WANT my ISP to require more than just some third party saying "holy crap, someone's spitting out crap at me. Suspend!". Obviously you've not been handed Norton Personal firewall logs which CONCLUSIVELY PROVE, as far as the user is concerned, that MY SQUID reverse proxy server is spewing out INVALID TCP FLAGS. ...
the list below (which is sean's /12 that contains the /19 i reported on earlier) is of hosts who connected to an ip address that has no dns pointing to it and delivered well-known malware matching some kind of pattern. mostly they're probing to see if i'm running a microsoft web server by trying to overflow one of its buffers and put executable code on my stack. i think it's safe to say that if i present sean with evidence that this occurred, he ought to immediately disco that customer and then, when the customer calls, fines or training should be demanded, along with auditing before reconn -- and the fines should be progressive, with deposits.

note the "LIMIT 500" which keeps this list from containing the other many tens of thousands of infected hosts on just one of sean's /12 blocks. and note that i'm now displaying the span from oldest to newest as "days" and sorting by it. the ones at the top of the list have been attacking me the longest. ties in "days" are broken by looking at the number of times they have attacked me during that span.

sean, i really think there's a problem and that the river looks better upstream of your factory than downstream. and if you weren't making so much money from my pain, i wouldn't keep harping about this, really, i wouldn't. if you'd like this report without the "LIMIT 500" clause, and for all of your netblocks rather than just this /12, send me the list. i don't promise not to blackhole them all, but i will give you the report. since i also save the http payloads, i can give you those as well, but i confess i can't think of a format for the two or three dvd-roms they'd fit on.
---
SELECT MIN(DATE(entered)) AS began,
       MAX(DATE(entered)) - MIN(DATE(entered)) + 1 AS days,
       SRCADDR,
       COUNT(srcaddr) AS count
  FROM trans
 WHERE srcaddr << '63.192.0.0/12'
 GROUP BY srcaddr
 ORDER BY days DESC, count DESC
 LIMIT 500;

   began    | days |    srcaddr     | count
------------+------+----------------+-------
2002-12-16 | 542 | 63.203.75.13 | 8
2002-12-14 | 534 | 63.204.134.249 | 3
2002-11-07 | 533 | 63.199.230.184 | 2
2002-12-18 | 531 | 63.204.119.190 | 6
2002-12-15 | 530 | 63.204.250.99 | 2
2002-12-22 | 523 | 63.196.6.209 | 33
2002-11-11 | 522 | 63.204.179.129 | 2
2002-12-11 | 520 | 63.199.200.60 | 49
2002-11-10 | 515 | 63.199.61.90 | 147
2002-12-17 | 515 | 63.202.172.46 | 3
2002-12-11 | 513 | 63.207.61.138 | 17
2002-12-12 | 513 | 63.207.252.60 | 17
2002-12-17 | 513 | 63.207.142.25 | 16
2002-12-18 | 513 | 63.203.76.76 | 2
2002-12-17 | 512 | 63.206.139.252 | 11
2002-12-12 | 509 | 63.199.230.148 | 7
2002-12-18 | 509 | 63.204.133.195 | 2
2002-12-16 | 509 | 63.199.241.16 | 2
2002-12-16 | 506 | 63.196.240.192 | 8
2002-12-11 | 504 | 63.202.127.13 | 202
2002-12-13 | 503 | 63.202.127.14 | 18
2003-01-16 | 501 | 63.206.139.27 | 8
2002-12-23 | 499 | 63.205.196.100 | 17
2002-12-18 | 499 | 63.205.138.164 | 3
2003-01-19 | 498 | 63.202.109.53 | 2
2002-12-11 | 496 | 63.196.189.88 | 2
2002-12-14 | 491 | 63.202.248.34 | 114
2003-01-06 | 488 | 63.204.107.197 | 25
2002-12-20 | 487 | 63.196.6.126 | 33
2002-12-19 | 486 | 63.206.194.9 | 3
2003-01-08 | 486 | 63.199.245.255 | 2
2003-01-17 | 485 | 63.200.36.71 | 8
2003-02-02 | 484 | 63.207.60.154 | 17
2003-01-13 | 484 | 63.199.245.209 | 11
2002-12-17 | 484 | 63.205.185.38 | 2
2002-12-05 | 484 | 63.201.26.94 | 2
2002-12-26 | 483 | 63.199.245.182 | 3
2002-12-17 | 483 | 63.205.185.125 | 3
2003-02-04 | 481 | 63.207.140.93 | 49
2003-01-08 | 480 | 63.203.207.119 | 17
2003-01-13 | 480 | 63.202.21.72 | 13
2003-01-18 | 480 | 63.204.249.143 | 3
2002-12-15 | 479 | 63.207.142.24 | 8
2003-01-15 | 479 | 63.201.201.252 | 2
2003-01-17 | 478 | 63.196.242.191 | 3
2002-12-19 | 478 | 63.205.197.54 | 3
2002-12-10 | 477 | 63.202.49.254 | 1151
2002-12-11 | 477 | 63.207.253.244 | 81
2002-12-12 | 476 | 63.206.88.122 | 30
2002-12-16 | 476 | 63.207.140.162 | 5
2002-12-11 | 473 | 63.203.159.240 | 25
2003-02-09 | 473 | 63.199.201.84 | 17
2002-12-28 | 473 | 63.207.14.157 | 17
2002-12-22 | 473 | 63.207.61.234 | 17
2002-12-15 | 473 | 63.199.241.223 | 2
2002-12-15 | 472 | 63.196.6.184 | 22
2003-02-11 | 472 | 63.207.253.53 | 17
2003-01-16 | 471 | 63.205.184.153 | 2
2002-12-17 | 470 | 63.207.129.175 | 5
2003-01-17 | 469 | 63.199.245.69 | 5
2003-01-11 | 469 | 63.206.143.10 | 3
2003-01-11 | 468 | 63.201.96.56 | 6
2003-01-24 | 467 | 63.206.213.116 | 17
2002-12-11 | 467 | 63.196.4.24 | 11
2003-01-10 | 466 | 63.206.139.219 | 21
2003-01-11 | 466 | 63.206.235.189 | 9
2002-12-11 | 466 | 63.206.88.87 | 3
2002-12-28 | 464 | 63.203.97.61 | 33
2002-12-27 | 464 | 63.206.195.10 | 17
2002-12-13 | 464 | 63.206.212.222 | 2
2002-12-16 | 463 | 63.196.244.203 | 3
2002-12-18 | 463 | 63.196.240.118 | 2
2003-02-09 | 462 | 63.205.13.36 | 14
2003-01-07 | 462 | 63.205.136.127 | 8
2002-12-12 | 462 | 63.206.116.95 | 2
2002-12-19 | 459 | 63.195.112.115 | 127
2002-12-29 | 459 | 63.207.103.187 | 49
2003-01-11 | 459 | 63.206.213.18 | 2
2002-12-17 | 458 | 63.198.190.44 | 45
2002-12-26 | 458 | 63.206.91.170 | 7
2003-01-26 | 457 | 63.198.142.26 | 33
2002-12-18 | 457 | 63.202.23.183 | 7
2002-12-22 | 456 | 63.206.232.85 | 65
2003-01-09 | 456 | 63.205.185.206 | 3
2002-12-18 | 456 | 63.199.230.48 | 2
2003-01-01 | 455 | 63.198.238.251 | 98
2003-01-15 | 454 | 63.199.244.17 | 4
2003-02-18 | 453 | 63.206.232.136 | 49
2003-01-16 | 453 | 63.207.61.131 | 17
2003-01-07 | 452 | 63.201.80.36 | 4
2003-01-03 | 451 | 63.198.142.206 | 17
2003-01-14 | 451 | 63.202.110.203 | 5
2003-01-11 | 450 | 63.206.139.2 | 2
2003-01-13 | 449 | 63.201.33.245 | 3
2003-01-15 | 449 | 63.201.80.105 | 2
2003-01-16 | 448 | 63.196.58.51 | 9
2003-01-15 | 448 | 63.199.231.162 | 2
2003-01-11 | 446 | 63.202.20.111 | 7
2003-01-16 | 446 | 63.205.64.132 | 6
2003-02-09 | 445 | 63.204.117.83 | 15
2003-01-07 | 445 | 63.207.141.95 | 9
2003-02-10 | 444 | 63.207.60.219 | 49
2003-02-13 | 444 | 63.207.254.0 | 18
2003-01-16 | 443 | 63.201.80.31 | 3
2003-02-21 | 442 | 63.207.12.202 | 59
2003-02-12 | 442 | 63.202.127.10 | 49
2003-02-03 | 442 | 63.197.32.197 | 17
2003-02-26 | 441 | 63.207.254.94 | 17
2003-01-11 | 441 | 63.202.21.26 | 3
2003-02-11 | 440 | 63.206.49.178 | 12
2003-01-11 | 440 | 63.196.241.49 | 6
2003-01-19 | 439 | 63.204.248.248 | 2
2003-02-19 | 437 | 63.207.254.51 | 33
2003-02-09 | 437 | 63.200.53.76 | 10
2003-01-15 | 437 | 63.205.186.98 | 7
2003-01-15 | 437 | 63.203.98.207 | 4
2003-01-12 | 437 | 63.202.175.43 | 2
2003-01-17 | 434 | 63.196.244.249 | 4
2003-02-13 | 433 | 63.205.142.47 | 21
2003-01-18 | 433 | 63.207.100.44 | 17
2003-01-15 | 433 | 63.205.66.74 | 9
2003-01-15 | 433 | 63.205.47.120 | 3
2003-01-18 | 433 | 63.205.130.138 | 2
2003-02-13 | 432 | 63.205.186.175 | 3
2003-03-06 | 431 | 63.192.100.58 | 17
2003-02-09 | 430 | 63.200.55.196 | 3
2003-02-16 | 430 | 63.207.129.221 | 2
2003-02-05 | 429 | 63.203.75.249 | 81
2003-02-12 | 429 | 63.202.49.248 | 33
2003-02-07 | 429 | 63.203.97.150 | 33
2003-03-07 | 428 | 63.204.105.234 | 7
2003-02-16 | 428 | 63.199.201.38 | 5
2003-02-13 | 428 | 63.205.44.107 | 3
2003-02-13 | 428 | 63.200.54.52 | 2
2003-03-27 | 428 | 63.205.136.203 | 2
2002-12-18 | 427 | 63.204.216.228 | 1611
2003-01-17 | 427 | 63.202.235.12 | 25
2003-01-29 | 427 | 63.205.66.205 | 17
2003-01-29 | 427 | 63.207.254.166 | 17
2003-02-24 | 427 | 63.204.116.18 | 4
2003-02-12 | 427 | 63.206.235.145 | 4
2003-02-14 | 427 | 63.205.66.190 | 2
2003-01-26 | 426 | 63.206.49.215 | 17
2003-01-19 | 426 | 63.206.232.179 | 2
2003-02-13 | 425 | 63.200.49.104 | 15
2003-01-19 | 425 | 63.201.25.189 | 6
2003-02-14 | 425 | 63.200.52.252 | 3
2003-03-15 | 425 | 63.205.66.24 | 2
2003-02-12 | 424 | 63.198.19.141 | 2
2003-02-17 | 422 | 63.196.188.174 | 2
2003-02-25 | 421 | 63.205.137.160 | 18
2003-02-14 | 421 | 63.202.108.184 | 3
2003-04-08 | 420 | 63.206.136.34 | 19
2003-03-12 | 420 | 63.207.255.165 | 17
2003-02-06 | 419 | 63.199.202.133 | 97
2003-02-13 | 418 | 63.206.139.96 | 2
2003-01-29 | 417 | 63.205.64.195 | 17
2003-02-12 | 417 | 63.196.198.127 | 4
2003-04-08 | 417 | 63.201.59.195 | 2
2003-02-16 | 417 | 63.207.130.60 | 2
2003-02-12 | 416 | 63.204.119.87 | 25
2003-02-15 | 416 | 63.207.239.171 | 2
2003-02-20 | 414 | 63.196.5.21 | 17
2003-02-14 | 414 | 63.205.130.224 | 2
2003-03-17 | 414 | 63.205.140.13 | 2
2003-02-07 | 413 | 63.206.136.235 | 17
2003-03-13 | 413 | 63.203.77.112 | 2
2003-04-12 | 413 | 63.204.116.216 | 2
2003-03-26 | 412 | 63.207.252.44 | 15
2003-02-03 | 411 | 63.199.225.39 | 17
2003-03-25 | 411 | 63.202.20.234 | 3
2003-01-16 | 410 | 63.206.122.149 | 46
2003-02-15 | 410 | 63.206.232.12 | 7
2003-02-04 | 408 | 63.207.143.204 | 33
2003-04-03 | 408 | 63.206.92.42 | 3
2003-04-17 | 407 | 63.206.212.65 | 47
2003-02-11 | 407 | 63.193.188.72 | 12
2003-01-13 | 407 | 63.205.13.166 | 4
2003-02-11 | 403 | 63.207.142.22 | 10
2003-03-27 | 403 | 63.205.137.129 | 3
2003-02-10 | 403 | 63.207.140.68 | 3
2003-04-09 | 402 | 63.201.59.115 | 9
2003-03-30 | 400 | 63.205.137.67 | 4
2003-03-26 | 399 | 63.202.49.229 | 27
2003-02-15 | 398 | 63.201.37.215 | 3
2003-03-18 | 398 | 63.196.247.218 | 2
2003-04-08 | 398 | 63.201.94.119 | 2
2003-03-04 | 396 | 63.202.49.242 | 19
2003-04-08 | 395 | 63.202.173.141 | 6
2003-04-12 | 395 | 63.207.60.8 | 4
2003-03-06 | 394 | 63.207.253.222 | 49
2003-03-18 | 394 | 63.207.253.86 | 5
2003-03-11 | 394 | 63.200.54.202 | 3
2003-03-31 | 394 | 63.206.91.154 | 2
2003-04-04 | 391 | 63.206.137.14 | 53
2003-03-13 | 391 | 63.202.179.159 | 5
2003-01-15 | 391 | 63.206.141.140 | 5
2003-04-15 | 391 | 63.196.199.35 | 3
2003-03-12 | 391 | 63.205.57.174 | 3
2003-03-12 | 391 | 63.205.13.131 | 2
2003-04-03 | 390 | 63.201.59.98 | 7
2003-04-18 | 390 | 63.204.73.155 | 3
2003-03-17 | 389 | 63.199.230.198 | 17
2003-03-18 | 387 | 63.207.254.147 | 2
2003-04-02 | 386 | 63.207.253.203 | 11
2003-03-25 | 385 | 63.196.4.175 | 3
2003-04-11 | 385 | 63.206.93.222 | 2
2003-02-10 | 385 | 63.200.52.183 | 2
2003-04-01 | 384 | 63.206.95.60 | 5
2003-05-11 | 384 | 63.206.123.188 | 3
2003-05-10 | 384 | 63.198.18.56 | 2
2003-04-16 | 383 | 63.205.185.229 | 34
2003-03-02 | 383 | 63.205.47.28 | 17
2003-03-26 | 383 | 63.205.65.7 | 2
2003-04-26 | 382 | 63.204.249.53 | 3
2003-03-16 | 381 | 63.207.227.186 | 10
2003-04-30 | 381 | 63.198.19.92 | 9
2003-05-14 | 380 | 63.203.98.119 | 7
2003-04-30 | 380 | 63.201.210.97 | 2
2003-04-26 | 380 | 63.205.130.22 | 2
2003-04-16 | 379 | 63.206.88.154 | 3
2003-05-16 | 379 | 63.202.187.47 | 2
2003-04-26 | 379 | 63.206.122.37 | 2
2003-03-11 | 376 | 63.206.123.132 | 44
2003-04-04 | 376 | 63.202.176.245 | 4
2003-04-15 | 375 | 63.204.105.241 | 2
2003-02-11 | 374 | 63.202.181.103 | 5
2003-03-13 | 371 | 63.205.9.131 | 4
2003-03-29 | 370 | 63.199.30.253 | 2
2003-04-04 | 369 | 63.206.136.117 | 91
2003-03-26 | 369 | 63.203.103.202 | 7
2003-04-23 | 369 | 63.205.128.158 | 5
2003-04-20 | 367 | 63.203.98.156 | 222
2003-03-27 | 367 | 63.205.141.178 | 4
2003-03-26 | 366 | 63.205.140.114 | 2
2003-05-11 | 365 | 63.201.201.48 | 3
2003-04-03 | 364 | 63.207.255.224 | 61
2003-04-07 | 363 | 63.196.245.128 | 52
2003-03-28 | 363 | 63.202.178.215 | 4
2003-05-05 | 362 | 63.201.208.217 | 4
2003-06-01 | 362 | 63.204.117.33 | 3
2003-05-11 | 361 | 63.201.201.144 | 3
2003-05-20 | 361 | 63.205.135.43 | 2
2003-05-12 | 359 | 63.207.252.5 | 132
2003-03-06 | 359 | 63.196.217.6 | 14
2003-04-06 | 359 | 63.203.98.48 | 13
2003-04-28 | 359 | 63.206.90.185 | 3
2003-01-07 | 358 | 63.200.69.116 | 120
2003-05-22 | 358 | 63.206.138.41 | 61
2003-05-18 | 358 | 63.202.109.132 | 2
2003-04-29 | 356 | 63.200.36.2 | 8
2003-04-12 | 356 | 63.196.240.14 | 4
2002-12-17 | 356 | 63.196.117.115 | 3
2003-06-08 | 356 | 63.204.116.65 | 2
2003-05-01 | 355 | 63.204.248.171 | 2
2003-05-19 | 353 | 63.205.133.214 | 2
2003-05-15 | 353 | 63.206.88.254 | 2
2003-05-02 | 351 | 63.207.254.60 | 27
2003-05-01 | 351 | 63.207.253.123 | 18
2003-05-13 | 351 | 63.201.211.198 | 2
2003-04-16 | 351 | 63.204.106.206 | 2
2003-05-28 | 350 | 63.204.119.195 | 2
2003-01-15 | 349 | 63.205.154.19 | 82
2003-05-06 | 349 | 63.202.177.154 | 3
2003-04-22 | 348 | 63.207.252.3 | 9
2003-06-15 | 348 | 63.205.133.117 | 2
2003-04-06 | 347 | 63.207.128.222 | 154
2003-05-12 | 347 | 63.207.253.141 | 5
2003-04-19 | 346 | 63.206.136.245 | 17
2003-01-09 | 346 | 63.205.185.19 | 3
2003-06-19 | 346 | 63.206.95.55 | 2
2003-05-16 | 345 | 63.204.249.75 | 4
2002-12-16 | 345 | 63.204.251.172 | 2
2003-05-08 | 344 | 63.206.89.223 | 2
2003-06-01 | 343 | 63.204.105.175 | 3
2003-05-10 | 343 | 63.198.239.20 | 2
2003-04-18 | 342 | 63.202.175.198 | 2
2003-05-09 | 342 | 63.196.7.221 | 2
2003-04-18 | 341 | 63.195.184.75 | 11
2003-04-28 | 341 | 63.206.168.91 | 2
2003-05-20 | 341 | 63.207.131.15 | 2
2003-06-08 | 340 | 63.206.212.160 | 37
2002-12-02 | 340 | 63.207.254.148 | 33
2003-06-24 | 340 | 63.204.105.60 | 3
2003-05-20 | 339 | 63.205.131.8 | 2
2003-06-28 | 339 | 63.206.91.191 | 2
2003-05-14 | 338 | 63.203.99.80 | 36
2003-05-20 | 338 | 63.202.49.204 | 29
2003-05-03 | 338 | 63.201.96.170 | 3
2003-05-30 | 338 | 63.201.210.231 | 3
2003-04-29 | 338 | 63.206.170.227 | 2
2003-05-22 | 336 | 63.202.49.235 | 12
2003-05-21 | 336 | 63.198.18.108 | 4
2003-06-14 | 336 | 63.204.117.0 | 2
2003-06-05 | 336 | 63.204.119.97 | 2
2003-04-27 | 335 | 63.204.248.42 | 3
2003-05-01 | 334 | 63.199.203.49 | 16
2003-04-27 | 333 | 63.204.248.3 | 3
2003-06-13 | 332 | 63.206.234.65 | 19
2003-05-28 | 331 | 63.204.249.170 | 4
2003-05-23 | 330 | 63.206.139.239 | 103
2003-05-22 | 330 | 63.206.122.53 | 2
2003-06-01 | 329 | 63.204.119.72 | 4
2003-04-26 | 329 | 63.205.132.151 | 2
2003-05-04 | 328 | 63.197.31.134 | 39
2003-05-02 | 327 | 63.205.198.137 | 21
2003-07-05 | 327 | 63.206.122.26 | 5
2003-07-09 | 327 | 63.206.120.111 | 3
2003-05-19 | 325 | 63.205.134.43 | 2
2003-05-10 | 324 | 63.198.207.124 | 141
2003-05-03 | 324 | 63.207.61.90 | 22
2003-05-13 | 324 | 63.207.255.70 | 22
2003-05-09 | 324 | 63.200.54.244 | 5
2003-01-26 | 322 | 63.202.84.149 | 22
2003-06-13 | 322 | 63.204.106.45 | 5
2003-06-17 | 322 | 63.204.118.37 | 4
2003-05-01 | 322 | 63.201.96.41 | 3
2003-05-21 | 322 | 63.205.131.168 | 2
2003-06-05 | 321 | 63.202.176.7 | 8
2003-05-08 | 321 | 63.202.179.7 | 3
2003-05-07 | 321 | 63.198.238.99 | 2
2003-05-23 | 320 | 63.206.95.192 | 3
2003-05-10 | 320 | 63.206.121.91 | 2
2003-06-16 | 319 | 63.204.107.108 | 4
2003-05-31 | 319 | 63.204.249.129 | 2
2003-05-26 | 318 | 63.204.116.111 | 4
2003-05-12 | 318 | 63.202.107.154 | 3
2003-05-28 | 317 | 63.205.135.207 | 3
2003-05-27 | 317 | 63.205.128.3 | 2
2003-05-27 | 316 | 63.206.120.201 | 15
2003-05-27 | 316 | 63.204.105.208 | 3
2003-05-20 | 316 | 63.201.209.21 | 2
2003-06-27 | 315 | 63.206.194.47 | 20
2003-01-18 | 315 | 63.196.240.225 | 4
2003-06-08 | 315 | 63.204.119.43 | 2
2003-06-29 | 315 | 63.196.57.86 | 2
2003-07-04 | 315 | 63.204.248.169 | 2
2003-06-16 | 315 | 63.205.129.24 | 2
2003-01-16 | 314 | 63.201.96.31 | 3
2003-05-20 | 313 | 63.198.206.86 | 90
2003-01-11 | 313 | 63.198.238.188 | 27
2003-05-28 | 313 | 63.204.251.17 | 3
2003-05-28 | 313 | 63.206.94.96 | 2
2002-11-16 | 312 | 63.194.104.101 | 1754
2003-07-06 | 312 | 63.204.117.242 | 6
2003-05-31 | 311 | 63.206.212.58 | 145
2003-07-03 | 311 | 63.206.120.55 | 3
2003-07-04 | 310 | 63.205.130.83 | 4
2003-05-20 | 310 | 63.205.133.221 | 2
2003-05-14 | 309 | 63.203.96.200 | 173
2003-06-21 | 309 | 63.200.48.106 | 97
2003-06-08 | 309 | 63.204.249.11 | 2
2003-06-08 | 308 | 63.205.132.218 | 16
2003-06-20 | 308 | 63.204.104.135 | 7
2003-07-08 | 308 | 63.206.90.170 | 4
2003-06-16 | 308 | 63.206.233.10 | 3
2003-07-04 | 308 | 63.205.134.4 | 2
2003-06-15 | 306 | 63.203.98.140 | 241
2003-05-21 | 306 | 63.203.97.220 | 119
2003-06-19 | 306 | 63.196.244.210 | 13
2002-12-12 | 305 | 63.206.88.119 | 74
2003-05-21 | 305 | 63.205.129.215 | 2
2003-05-25 | 304 | 63.206.139.162 | 97
2003-07-31 | 304 | 63.202.82.56 | 33
2003-06-27 | 304 | 63.203.97.66 | 2
2003-07-02 | 304 | 63.204.104.52 | 2
2003-06-10 | 303 | 63.206.90.252 | 3
2003-06-10 | 302 | 63.205.131.179 | 7
2003-06-13 | 302 | 63.204.105.42 | 2
2003-01-27 | 301 | 63.199.244.131 | 17
2003-06-10 | 300 | 63.204.105.178 | 5
2003-07-04 | 300 | 63.204.251.86 | 3
2003-06-10 | 300 | 63.204.134.253 | 2
2003-07-04 | 299 | 63.205.133.87 | 4
2003-08-20 | 299 | 63.201.36.43 | 2
2003-07-18 | 298 | 63.196.194.178 | 61
2003-07-23 | 298 | 63.206.120.19 | 2
2003-07-18 | 297 | 63.206.120.79 | 18
2003-06-11 | 297 | 63.204.104.57 | 2
2003-06-12 | 296 | 63.201.92.68 | 6
2003-06-14 | 296 | 63.204.249.201 | 5
2003-05-27 | 296 | 63.204.250.242 | 4
2003-06-27 | 296 | 63.202.176.177 | 3
2003-06-12 | 296 | 63.206.120.218 | 3
2003-06-03 | 295 | 63.204.248.58 | 2
2003-06-30 | 294 | 63.204.106.176 | 6
2003-06-02 | 294 | 63.206.93.83 | 2
2003-06-18 | 291 | 63.204.104.187 | 4
2003-06-27 | 291 | 63.203.97.49 | 3
2003-06-07 | 291 | 63.206.140.214 | 2
2002-12-12 | 290 | 63.206.211.46 | 32
2003-06-09 | 290 | 63.207.129.192 | 4
2003-07-07 | 290 | 63.206.90.147 | 3
2003-07-09 | 290 | 63.206.95.48 | 2
2003-06-25 | 289 | 63.204.104.61 | 2
2003-06-08 | 289 | 63.204.106.177 | 2
2003-06-13 | 289 | 63.204.105.232 | 2
2003-07-18 | 288 | 63.204.74.114 | 33
2003-07-04 | 288 | 63.205.133.121 | 3
2003-03-18 | 288 | 63.206.95.239 | 2
2003-07-18 | 287 | 63.196.7.77 | 3
2003-06-09 | 287 | 63.204.250.100 | 3
2002-12-13 | 287 | 63.206.92.148 | 3
2003-06-18 | 287 | 63.206.92.89 | 3
2003-06-09 | 286 | 63.203.79.68 | 4
2003-06-13 | 286 | 63.198.136.220 | 2
2003-06-07 | 285 | 63.204.107.99 | 2
2003-07-03 | 284 | 63.207.61.251 | 7
2003-08-22 | 284 | 63.203.101.210 | 2
2003-08-22 | 284 | 63.205.41.147 | 2
2003-06-15 | 284 | 63.204.251.158 | 2
2003-06-18 | 283 | 63.206.120.13 | 2
2003-06-27 | 283 | 63.206.136.81 | 2
2003-07-01 | 282 | 63.204.105.61 | 2
2003-09-07 | 281 | 63.193.119.28 | 6
2003-06-14 | 281 | 63.204.249.100 | 4
2003-06-04 | 281 | 63.204.104.18 | 2
2003-06-30 | 280 | 63.196.7.160 | 5 2003-06-13 | 280 | 63.205.134.146 | 4 2003-08-22 | 280 | 63.205.58.228 | 2 2003-07-14 | 279 | 63.206.123.128 | 2 2003-06-18 | 278 | 63.205.133.64 | 2 2003-07-22 | 278 | 63.206.122.129 | 2 2003-02-12 | 277 | 63.203.100.136 | 11 2003-07-22 | 277 | 63.202.81.148 | 2 2003-08-29 | 277 | 63.205.57.109 | 2 2003-07-10 | 276 | 63.206.94.199 | 4 2003-08-30 | 276 | 63.202.235.38 | 3 2003-06-26 | 276 | 63.206.92.201 | 2 2003-08-03 | 275 | 63.206.120.161 | 8 2003-08-28 | 274 | 63.198.142.215 | 12 2003-08-31 | 274 | 63.196.245.151 | 2 2003-08-30 | 274 | 63.200.37.244 | 2 2003-07-02 | 273 | 63.203.206.20 | 20 2003-09-02 | 273 | 63.205.186.152 | 2 2003-07-03 | 272 | 63.205.40.16 | 17 2003-01-09 | 272 | 63.201.88.163 | 10 2003-08-24 | 272 | 63.194.126.122 | 5 2003-01-07 | 272 | 63.202.174.222 | 2 2003-06-27 | 271 | 63.203.96.157 | 5 2003-09-02 | 271 | 63.202.82.101 | 2 2003-09-04 | 271 | 63.205.67.184 | 2 2002-12-14 | 270 | 63.205.44.139 | 2 2003-07-09 | 269 | 63.206.89.74 | 2 2003-06-29 | 267 | 63.196.7.80 | 10 2003-03-25 | 265 | 63.202.20.148 | 4 2003-09-09 | 265 | 63.196.247.132 | 4 2003-03-12 | 264 | 63.202.173.199 | 31 2003-06-28 | 264 | 63.204.119.174 | 4 2003-09-07 | 264 | 63.199.242.98 | 2 2003-07-23 | 263 | 63.206.122.218 | 2 2003-09-11 | 262 | 63.207.140.229 | 3 2003-09-12 | 262 | 63.198.18.253 | 2 2003-08-23 | 262 | 63.204.119.215 | 2 2003-08-06 | 261 | 63.205.57.61 | 33 2003-08-24 | 261 | 63.207.227.65 | 2 2003-08-27 | 260 | 63.202.234.224 | 2 2003-09-15 | 260 | 63.207.60.221 | 2 2003-08-25 | 260 | 63.207.129.135 | 2 2003-08-25 | 259 | 63.198.142.248 | 2 2003-08-30 | 259 | 63.205.140.131 | 2 2003-08-05 | 259 | 63.206.122.14 | 2 2003-08-25 | 259 | 63.207.60.141 | 2 2003-09-17 | 258 | 63.199.227.102 | 2 2003-09-01 | 258 | 63.204.106.108 | 2 2003-09-14 | 257 | 63.196.25.29 | 2 2003-09-17 | 257 | 63.203.99.64 | 2 2003-08-31 | 257 | 63.200.55.193 | 2 2003-07-06 | 256 | 63.196.7.128 | 5 2003-09-19 | 256 | 63.201.89.72 | 2 2003-09-01 | 256 | 
63.199.201.36 | 2 2003-08-26 | 256 | 63.203.103.185 | 2 2003-08-31 | 255 | 63.204.133.185 | 37 2003-07-12 | 254 | 63.201.38.133 | 17 2003-04-05 | 254 | 63.206.138.39 | 9 2003-07-09 | 254 | 63.196.7.72 | 7 2003-09-02 | 254 | 63.203.156.138 | 4 2003-09-02 | 254 | 63.200.50.67 | 3 2003-09-17 | 254 | 63.205.57.156 | 2 2003-09-04 | 254 | 63.196.5.161 | 2 2003-09-03 | 254 | 63.205.58.117 | 2 2003-08-24 | 253 | 63.199.240.138 | 2 2003-09-23 | 253 | 63.205.41.231 | 2 2003-07-30 | 252 | 63.193.188.255 | 81 2003-08-28 | 252 | 63.205.141.19 | 2 2003-08-24 | 252 | 63.196.246.39 | 2 2003-08-27 | 252 | 63.206.234.230 | 2 2003-07-11 | 251 | 63.204.106.66 | 2 2003-08-28 | 251 | 63.204.248.86 | 2 2003-08-11 | 250 | 63.207.61.76 | 8 2003-09-08 | 250 | 63.204.105.120 | 3 2003-08-30 | 250 | 63.205.187.65 | 3 2003-08-30 | 250 | 63.204.118.58 | 2 2003-07-13 | 250 | 63.205.64.62 | 2 2003-09-02 | 250 | 63.205.135.210 | 2 2003-08-22 | 249 | 63.201.38.49 | 355 2003-09-22 | 249 | 63.203.72.209 | 325 2003-08-27 | 249 | 63.203.157.78 | 3 2003-08-24 | 249 | 63.207.141.20 | 2 2002-12-28 | 247 | 63.199.186.142 | 97 (500 rows) -- Paul Vixie
And that is a problem. Unlike your electricity, where the supplier has an obligation to provide a certain level of clean energy, there is nothing like it with internet bandwidth. All the crud and exploits are dutifully forwarded to the customer.
Clean internet service is internet service that delivers only valid IP datagrams. Most internet service is clean internet service. Any internet service that looks above layer 3 to make forwarding decisions is not clean internet service.
I argue that this is way overboard. I don't believe anyone should require any particular knowledge to obtain an internet connection and use the internet. Instead internet needs to be available as a clean conditioned service for consumption by the clueless.
I agree that the IDL is overboard. I even agree with your second sentence. Consumers need to demand software which does not support these exploits from their software vendors. That is the real solution. The internet is a transport, just like the phone line coming into your home. Nothing prevents someone from making an obscene phone call to your house. The most common problem software today is like having a telephone that won't let you hang up on the prank caller, then, demanding that the phone company prevent those calls from coming in the first place. Problem is that people understand that TPC can't tell a prank call from a legitimate one, but, for some reason, they expect ISPs to be able to magically tell whether this HTTP session is an exploit while this other one isn't.
The reason this isn't economical today is because ISPs lack any responsibility. It is cheaper for an ISP to buy more bandwidth and pass the worms and viruses customers' PCs spew to the internet than it is to deal with the problem. Seriously, if I send an ISP reasonable proof that a broadband customer hits my mailserver with thousands of emails an hour I should be able to expect an immediate response. Not hours, days or weeks: minutes, and the originating account should be shut down. If this doesn't happen I should be able to go to the upstream of the ISP, present my case, and have connectivity to the ISP suspended.
The reason is that the ISPs can't tell the exploits from the legitimate traffic in most cases, and, even if they did, do you really want ISPs making value judgements about content on behalf of their users? That's a really bad model. It's just not good for innovation, free speech, mom, or apple pie. Yes, ISPs should investigate abuse complaints and immediately disconnect users that are spewing abuse. Yes, this needs to happen more consistently and more rapidly. However, content filtration at the ISP level is not a solution, it's just a different problem. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
And that is a problem. Unlike your electricity, where the supplier has an obligation to provide a certain level of clean energy, there is nothing like it with internet bandwidth. All the crud and exploits are dutifully forwarded to the customer.
Clean internet service is internet service that delivers only valid IP datagrams. Most internet service is clean internet service. Any internet service that looks above layer 3 to make forwarding decisions is not clean internet service.
Perhaps this is where our opinions greatly differ. If I am a customer with my own block of routable IP space I agree with you 100%. But this is about the average home user that receives a dynamic IP leased from the ISP. Clean internet is more than just valid IP datagrams to my IP address. If I connect to my ISP and do nothing beyond that, not a single packet, I expect to not receive any packets either. If I initiate a GET request to a web server I expect the web server's response to be returned unaltered. If I have an email account with my ISP I expect only valid email to be delivered to my email address. I consider this clean internet service from the perspective of the average home user.
I argue that this is way overboard. I don't believe anyone should require any particular knowledge to obtain an internet connection and use the internet. Instead internet needs to be available as a clean conditioned service for consumption by the clueless.
I agree that the IDL is overboard. I even agree with your second sentence. Consumers need to demand software which does not support these exploits from their software vendors. That is the real solution. The internet is a transport, just like the phone line coming into your home. Nothing prevents someone from making an obscene phone call to your house. The most common problem software today is like having a telephone that won't let you hang up on the prank caller, then, demanding that the phone company prevent those calls from coming in the first place.
As a telephone customer I expect to pick up the phone, make a call and hang up. I expect to receive calls and hang up. If the phone crashes in the middle of a conversation I am not happy; if it costs me money because LD charges continue to apply I am even less happy. The manufacturer of the phone has a given set of specifications to work with and the phone company has a given set of parameters of what the signal on the phone line should look like. What if I call you and put an awful tone on the line that blows your eardrums, locks up your phone and causes it to dial on its own and do the same to all your friends from your phone. As a bonus you'll get a LD bill from the phone company for all the calls your phone made without your permission. Who's to blame? The phone company because they transmitted harmful signals? The phone manufacturer for building a phone without accounting for the possibility of this sound? The customer for picking up the phone? How do you prevent future events of this sort? Customer education? All of today's software has flaws, some more, some less. Some of these flaws should simply not exist, while others are an oversight. Many of the current exploits have one thing in common: malformed packets addressed at machines that never requested the packets they are receiving to begin with. Stopping these packets from reaching their target is just as important as having the target immune to the attack. The ISP provides a service to a customer; the ISP should be sensible to the customer's requirements. If the customer requires clean internet service then this is what the ISP should strive for. This doesn't relieve the customer from being responsible (like opening any and every attachment received) but it is just another layer in reducing the enormous amount of garbage traffic we are seeing. Adi
----- Original Message ----- From: "Adi Linden" <adil@adis.on.ca>
Clean internet is more than just valid IP datagrams to my IP address. If I connect to my ISP and do nothing beyond that, not a single packet, I expect to not receive any packets either. If I initiate a GET request to a web server I expect the web server's response to be returned unaltered. If I have an email account with my ISP I expect only valid email to be delivered to my email address. I consider this clean internet service from the perspective of the average home user.
Apply your phone analogy to this: you want a phone, but nobody on the planet should be allowed to call you unless you call them first. If you do call someone, they shouldn't be allowed to use improper language; if you also have voicemail, nobody who you don't want to hear from should be allowed to leave you a message. So you want the phoneco to block inbound calls, install a voice recognition system to stop improper language, and manage your voicemail. You don't want phone service, you want a secretary. You should call your phone company and have them send one over right away, and don't forget to tell them you aren't going to pay more than the standard $30/month for the service. George Roettger
----- Original Message ----- From: "Adi Linden" <adil@adis.on.ca>
if I send an ISP reasonable proof that a broadband customer hits my mailserver with thousands of emails an hour I should be able to expect an immediate response. Not hours, days or weeks, minutes and the originating account should be shut down.
Great, next time you get shut down mid auction because the ISP trusts the log file I send him, remember you asked for it. Geo.
A response doesn't mean the ISP doesn't also investigate. Reasonable proof is reasonable proof. The logs are a good start, but the ISP should review his own logs, and check the currently active traffic patterns too. If there isn't any evidence, the ISP shouldn't shut the customer down. If the ISP can see continuing abuse, the ISP should shut the customer down. That's not unreasonable. That's what I'm asking for, and what I understood Adi to be asking for in this case. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
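The check Owen describes above, corroborating a complainant's logs against the ISP's own records and acting only on continuing abuse, as an added example in Python. This is not code from the thread or from any ISP's abuse desk. The Postfix-style smtpd lines and the NetFlow-style flow records are constructed from documentation address ranges, and the thresholds (500 port-25 connections per hour, 50 distinct destinations, activity within the last ten minutes) are assumptions chosen for the illustration.

```python
"""Corroborating an abuse complaint against the ISP's own flow records.

Added example, not code from the thread or from any ISP. It assumes a
hypothetical NetFlow-style export of (epoch seconds, src, dst, proto,
dport) tuples; the mail-server log lines and flow records below are
constructed, using documentation address ranges.
"""
import re
from collections import Counter

# --- 1. The complainant's evidence: constructed Postfix-style smtpd lines ---
COMPLAINT_LOG = """\
Jun 13 17:00:03 mx1 postfix/smtpd[4711]: connect from unknown[192.0.2.55]
Jun 13 17:00:05 mx1 postfix/smtpd[4712]: connect from unknown[192.0.2.55]
Jun 13 17:00:06 mx1 postfix/smtpd[4713]: connect from mail.example.net[198.51.100.7]
Jun 13 17:00:09 mx1 postfix/smtpd[4714]: connect from unknown[192.0.2.55]
"""
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[(\d+\.\d+\.\d+\.\d+)\]")


def connects_per_source(log_text):
    """Count smtpd 'connect from' lines per client IP in the complainant's log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


# --- 2. The ISP's own view: constructed flow records for the same hour ---
T0 = 1_087_146_000  # constructed: 2004-06-13 17:00:00 UTC
ACCUSED = "192.0.2.55"
ISP_FLOWS = [
    # the accused customer opens a TCP/25 connection every 3 s to 200 different hosts
    (T0 + 3 * i, ACCUSED, f"203.0.113.{i % 200 + 1}", "tcp", 25) for i in range(1200)
]
ISP_FLOWS += [
    (T0 + 30, ACCUSED, "198.51.100.20", "tcp", 80),        # same customer browsing: not SMTP
    (T0 + 40, "192.0.2.77", "198.51.100.21", "tcp", 443),  # a different customer
    (T0 + 50, "192.0.2.77", "203.0.113.9", "tcp", 25),     # one ordinary mail submission
]


def outbound_smtp(flows, src, start, end):
    """Flows from `src` to TCP port 25 with start <= timestamp < end."""
    return [f for f in flows
            if f[1] == src and f[3] == "tcp" and f[4] == 25 and start <= f[0] < end]


def assess(flows, src, start, end, now, per_hour=500, min_hosts=50, active_secs=600):
    """Decide what the ISP's own data supports.

    'disconnect'  - the ISP's records show the claimed rate, spread across many
                    destinations, and it is still going on right now
    'investigate' - some matching traffic, but below threshold or no longer active
    'no_action'   - nothing in the ISP's records matches the complaint
    """
    hits = outbound_smtp(flows, src, start, end)
    rate = len(hits) * 3600 / max(end - start, 1)
    hosts = len({f[2] for f in hits})
    still_active = bool(outbound_smtp(flows, src, now - active_secs, now))
    if rate >= per_hour and hosts >= min_hosts and still_active:
        verdict = "disconnect"
    elif hits:
        verdict = "investigate"
    else:
        verdict = "no_action"
    return verdict, {"connections": len(hits), "per_hour": round(rate),
                     "distinct_hosts": hosts, "still_active": still_active}


if __name__ == "__main__":
    print("complainant's log:", dict(connects_per_source(COMPLAINT_LOG)))
    for customer in (ACCUSED, "192.0.2.77", "192.0.2.99"):
        print(customer, assess(ISP_FLOWS, customer, T0, T0 + 3600, now=T0 + 3600))
```

The complainant's log only names the source; the verdict comes from the ISP's own records, which is what answers George's objection. A customer with nothing in the flow data gets no action, a single ordinary submission to port 25 gets a human look rather than a disconnect, and the same 1200-connections-per-hour pattern evaluated an hour after it stopped drops back to "investigate" because the abuse is no longer continuing.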
--On Saturday, June 12, 2004 1:17 PM -0500 Adi Linden <adil@adis.on.ca> wrote:
That's like saying provide safe electricity. If someone has a toaster where the wire cracks and they electrocute themselves, or a hair dryer that isn't safe in the bathtub, do you complain that the electric company should provide safe electricity?
The problem with all the comparisons is what you are comparing. Your utility has an obligation to provide safe electricity. If you're holding your hair dryer while the utility company sends you 25,000 Volts instead of 120 Volts you should complain.
Right... And if my ISP started sending me IPX or VINES, I would complain. However, as long as what they are delivering is properly formed IP packets with destination addresses within my address ranges, then I have no complaint. They are delivering what I expect them to deliver.
How is bandwidth any different?
It is not any different.
So, we agree... As long as my ISP delivers IP, life is good. If they deliver IPX, I should complain.
There is no "safe bandwidth". No matter how you look at it, it's a two way communications and it's never going to be "safe" as far as the bandwidth goes, just like electricity is power and it's never going to be safe. It's the devices you plug in that need to be made safe.
Computers are devices that are supposed to magically do anything. If I purchase a computer to browse the web and send email I should be able to obtain "safe bandwidth" that provides web access and email.
Put down the crack pipe before someone gets hurt. Computers are devices that are tools, just like hammers, power drills, telephones, chain saws, and weed whackers. If you want a computer that is safe to browse the web and receive mail, you should buy a computer with an appropriate configuration to support that. Expecting your ISP to change the internet to suit your desires is like expecting the power company to provide you with 50 cycle power because you happened to buy an electric drill that came from Europe instead of one which was designed for the US electrical system. (US power is 60 cycles, Europe is 50). If you use tools, you can get hurt if you don't take appropriate safety precautions. You don't expect the hardware store to make it impossible for you to hit your thumb with the hammer. You don't expect the power company to make it impossible for you to drill a hole in your foot with your electric drill. You don't expect the phone company to make it impossible for you to make a crank call, and, you don't expect the hardware store to make it impossible for you to saw off your leg with the chain saw. Why do you expect your ISP to make it impossible for your improper use of an incorrectly configured computer to get hacked, misused, etc.?
To compare this with the electricity company, the average home with a 200A service is equivalent to NATed and firewalled internet bandwidth. As your electricity demands grow (for whatever reason) the electricity company upgrades your service, to 3 phase, 600V, whatever. Same with internet bandwidth, get a public ip, get a static ip, get ports opened, run servers. Just as the upgraded electricity service requires more knowledge and equipment so does the upgraded internet bandwidth.
Sorry... I don't agree. The average home with a 200A service is perfectly capable of using that electricity to power any electrical device they wish up to that load. 200A service is equivalent to DSL, but, nothing in that 200A service prevents me from running a toaster, microwave, or refrigerator. Nothing in that 200A service limits me to a television and a clock-radio. NATed Firewalled internet service would be equivalent to electrical service that would only work with televisions and clock-radios, but, would disable any attempt to run a microwave, refrigerator, toaster, or night-light. I certainly don't want that from my electric company, and, I don't want my internet screwed up that way either. 600A three phase is about bigger bandwidth, not different services. True, there are devices that require three phase power, but, if they don't require more power than is available in a 200A 220V service, guess what, they can be run off of household service by using a transformer to convert the household service to 3-phase and handle the voltage conversion as well. A transformer is a simple, and, generally inexpensive device which the user could even make themselves if they so desired (although I don't recommend this). To continue the analogy, 200A 220V household service is like DSL or Cable. 600A 208V three phase is like a T1. 2000A 7KV three phase is like a DS3. To the best of my knowledge, all of these services can be made to work with any electrical device that doesn't require more power (bandwidth) than the service can deliver. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
At 9:02 AM -0700 6/13/04, Owen DeLong wrote:
600A three phase is about bigger bandwidth, not different services. True, there are devices that require three phase power, but, if they don't require more power than is available in a 200A 220V services, guess what, they can be run off of household service by using a transformer to convert the household service to 3phase and handle the voltage conversion as well. A transformer is a simple, and, generally inexpensive device which the user could even make themselves if they so desired (although I don't recommend this).
To continue the analogy, 200A 220V household service is like DSL or Cable. 600A 208V three phase is like a T1. 2000A 7KV three phase is like a DS3. To the best of my knowledge, all of these services can be made to work with any electrical device that doesn't require more power (bandwidth) than the service can deliver.
In most states, the power company cannot connect service to a home or business until it has been inspected by a building inspector... This is to keep the number of fried customers to the lowest possible value. And yes, it is possible to do your own power box work, but expect the inspector to be very thorough if you aren't also a licensed electrician. So, who's checking these local LANs to make sure they don't melt or burst into flame once hooked up? /John
In most states, the power company cannot connect service to a home or business until it has been inspected by a building inspector... This is to keep the number of fried customers to the lowest possible value. And yes, it is possible to do your own power box work, but expect the inspector to be very thorough if you aren't also a licensed electrician.
So, who's checking these local LANs to make sure they don't melt or burst into flame once hooked up?
very broken analogy. as opposed to the house wiring, the lan is not the problem. it's the stove, aka ms windoze. and you don't need to go to the home to inspect it, you know it was broken when it was shipped from the factory. and the user was neither sufficiently warned nor sufficiently educated on how to avoid its worst risks. randy
My inbox overflows with complaints about the analogy, and the fact that it's the appliances that are shipped broken... I hereby acknowledge the faulty analogy; you can discard your edit buffer if you're in the process of sending me such a note... :-) Hopefully, the appliances (e.g. MS Windows) will get better over time, but in the meanwhile, how do we limit the damage? The end-user wants email and web access, and we give him raw IP access and watch the fireworks... If user education is the answer, then let the user get educated enough to figure out he's NAT'ed and proxied, and then ask to have the raw IP service. /John
My inbox overflows with complaints about the analogy
and, undoubtedly, you think your isp should block that traffic. :-)/2
Hopefully, the appliances (e.g. MS Windows) will get better over time, but in the meanwhile, how do we limit the damage?
If user education is the answer, then let the user get educated enough to figure out he's NAT'ed and proxied, and then ask to have the raw IP service.
how is the user going to know the brokenness you net vigilantes propose to impose from the brokenness the other miscreants impose? tell us, john, when you were at xo and gt&e, how much did you educate your users as to the perils of running open; how much education and notification did you give them about applying security patches; ...? perhaps before we screw 'em we could give 'em a bit of sex ed? just to bore you, i'll repeat a bit from a couple of days ago. randy --- From: Randy Bush <randy@psg.com> Date: Fri, 11 Jun 2004 16:37:27 -0700 To: Henry Linneweh <hrlinneweh@sbcglobal.net> Cc: nanog@merit.edu Subject: RE: Even you can be hacked yes, we're gonna hack desperately for a decade to make up for asecure (innocent of, as contrasted with devoid of, security) application protocols and implementations. it'll take half that time for the ivtf and the vendors to realize how deeply complexity is our enemy. and until then we'll hack everywhere in our desperation. but in the long run, i don't think we can win with an active middle. the problem is that the difference between good traffic and bad traffic is intent. did the sender intend to send / reveal those data? did the recipient wish to receive them? and, i don't think we can stand in the middle and judge. and there's the rub. ...
At 12:15 PM -0700 6/13/04, Randy Bush wrote:
tell us, john, when you were at xo and gt&e, how much did you educate your users as to to the perils of running open; how much education and notification did you give them about applying security patches; ...?
Reasonable question.... business customers were indeed asked at installation what they were connecting, for mail and web servers, told that a firewall was a good idea and pointed at both online and reference books that they could get. I don't know what consumer DSL got, but I imagine it was a lot less. In the pre-GTE-I (i.e. BBN) days, we actually went on-site to help customers with their mail relay and local routing configurations. For consumer connections, this just doesn't scale. The consumer is going to acknowledge/clickthru/sign whatever disclaimer you put in front of them in order to get their high speed access. And as much as ISPs might want to fix the problem, they're not going to require a networking quiz before taking the order.
how is the user going know the brokenness you net vigilantes propose to impose from the brokenness the other miscreants impose?
Nicely put. How about: if their mail and web access works, then it's the fault of the net vigilantes and filtered Internet service. If their machine is running 100% on the CPU and rebooting at random after just a few minutes online, then it's those other miscreants... /John
how is the user going know the brokenness you net vigilantes propose to impose from the brokenness the other miscreants impose? Nicely put. How about: if their mail and web access works, then its the fault of the net vigilantes and filtered Internet service. If their machine is running 100% on the CPU and rebooting at random after just a few minutes online, then it's those other miscreants...
as an exercise, try to write the end-user-level document on how a typical end user can tell if application X, for a very large range of X, is not working because of an isp-imposed firewall or filter, miscreantware, or the application is actually broken. if you can't write this, i suggest you have real problems justifying firewalling/filtering without the users' *informed* consent. think about "i am suing because you just cost me three days of lost revenue, six people's work, ... because my critical application was broken by your ...". i am sure keith moore will be glad to help you with such a document:-). randy
as an exercise, try to write the end-user-level document on how a typical end user can tell if application X, for a very large range of X, is not working because of an isp-imposed firewall or
OK... I'll give it a whirl :-)

Dear <user>,

Thank you for selecting CensorCo Bicycle Company's Internet with TrainingWheels(tm). We would like you to know that we've made every effort to keep your internet experience safe, but, depending on your usage and other factors, some unexpected things may still happen.

First, your safe internet connection supports only the following services:
1. Your access to web sites via HTTP and HTTPS.
2. Your ability to send mail through our mail relay via SMTP to mail.censorco.net.
3. Your ability to look up DNS records through DNS to ns1.censorco.net and ns2.censorco.net.

All other traffic will be blocked. This means that if you are using any other internet-based applications, such as on-line gaming, peer to peer file-sharing, etc., they will not work with CensorCo. These applications have been demonstrated to be unsafe, and are not accessible while still using the TrainingWheels(tm) service. If you want to do this, you will need to contact your account representative, pass a brief internet knowledge and security test, and sign the appropriate waiver. We will then remove the TrainingWheels(tm) from your internet service and you will receive a full, unfiltered, unsafe connection to the internet.

In the meantime, here is a step-by-step guide to determining if your problem is due to an unexpected situation, or due to a characteristic of the TrainingWheels(tm) service.

1. Are you trying to browse the web? If yes:
1a: Does the URL you are having difficulty with start with http: or https:? If yes, then most likely this is an unexpected situation. If no, proceed to step 2.
2. Are you trying to send email? If yes:
2a: Please check that your outbound server is set to mail.censorco.net. If not, this is your problem. If so, proceed to step 2b.
2b: See if you can go to http://mail.censorco.net in your web browser. If so, you are suffering from an unexpected situation. If not, chances are that you are having DNS problems. Proceed to step 5 below.
If no, proceed to step 3.
3. Are you trying to look up information in DNS? If you don't know what this means, the answer is most likely no. If yes, proceed to step 5. If no, then proceed to step 4.
4. Your problem is that you are trying to use an unsupported internet application. This application will not work with the TrainingWheels(tm) service. Please contact your account representative to have your TrainingWheels(tm) taken off. This concludes your troubleshooting. Please do not proceed to the next step.
5. If your web browser says "Host Not found" when you try to visit http://mail.censorco.net, you have an unexpected DNS problem. Call CensorCo technical support for assistance. If your browser is saying anything like "NXDOMAIN", "Nameserver Error", "Could not find host", etc., then these are the same as "Host Not found" above. Otherwise, your problem is most likely caused by an actual problem with nameservice on the internet in general or an effort to access a host which no longer exists. These things happen from time to time. You may want to try your request again later. If it still doesn't work, then it is likely the server you were trying to reach no longer exists. This is not something that CensorCo controls, and, as such, we cannot really help you with this situation.

=================================================================
Sure, no marketing department on the planet is going to be happy with it, but it does provide a reasonable set of steps that allows you to determine if your problem is due to complete filtration, or other issues. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
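The filter that Owen's CensorCo letter describes, combined with Adi's earlier expectation that a customer who sends nothing receives nothing, as an added example in Python. It is not code from the thread or from any ISP. Outbound traffic is limited to HTTP/HTTPS anywhere, SMTP to the ISP's relay and DNS to the ISP's resolvers; inbound packets are forwarded only as replies to flows the customer opened. mail.censorco.net and ns1/ns2.censorco.net are represented by constructed placeholder addresses, and the Packet type, the flow table and the TrainingWheels class are assumptions made for the illustration.

```python
"""A stateful, service-limited filter for one consumer connection.

Added example, not code from the thread or from any ISP. It models two
positions in the discussion: inbound packets are accepted only as replies
to flows the customer opened (Adi's "send nothing, receive nothing"), and
outbound traffic is limited to the services the CensorCo letter lists
(Owen's TrainingWheels policy). Addresses are constructed placeholders
from the documentation ranges.
"""
from dataclasses import dataclass

CUSTOMER = "192.0.2.10"
MAIL_RELAY = "198.51.100.25"                      # stands in for mail.censorco.net
RESOLVERS = {"198.51.100.53", "198.51.100.54"}    # stand in for ns1/ns2.censorco.net


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp" for this illustration
    sport: int
    dport: int


class TrainingWheels:
    """Default-deny filter sitting between one customer and the rest of the net."""

    def __init__(self, raw=False):
        self.raw = raw          # True once the customer has signed the waiver
        self.flows = set()      # (proto, customer port, remote ip, remote port)

    def service_allowed(self, pkt):
        """Name the supported service an outbound packet belongs to, or None."""
        if pkt.proto == "tcp" and pkt.dport in (80, 443):
            return "web"
        if pkt.proto == "tcp" and pkt.dport == 25 and pkt.dst == MAIL_RELAY:
            return "mail relay"
        if pkt.proto in ("tcp", "udp") and pkt.dport == 53 and pkt.dst in RESOLVERS:
            return "dns"
        return None

    def outbound(self, pkt):
        """Customer -> internet. Records the flow so the reply can come back."""
        service = self.service_allowed(pkt)
        if service is None and not self.raw:
            # step 4 of the letter: an unsupported application, blocked by policy
            return "drop", "unsupported application"
        self.flows.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
        return "forward", service or "raw ip"

    def inbound(self, pkt):
        """Internet -> customer. Only replies to recorded flows get through."""
        if (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "forward", "reply to a customer-initiated flow"
        if self.raw:
            return "forward", "raw ip"
        return "drop", "unsolicited inbound"


if __name__ == "__main__":
    tw = TrainingWheels()
    print(tw.outbound(Packet(CUSTOMER, "203.0.113.80", "tcp", 40001, 80)))   # a GET
    print(tw.inbound(Packet("203.0.113.80", CUSTOMER, "tcp", 80, 40001)))    # its reply
    print(tw.inbound(Packet("203.0.113.66", CUSTOMER, "tcp", 4444, 135)))    # a worm probe
    print(tw.outbound(Packet(CUSTOMER, "203.0.113.5", "tcp", 40002, 25)))    # direct-to-MX mail
    print(tw.outbound(Packet(CUSTOMER, MAIL_RELAY, "tcp", 40003, 25)))       # via the relay
```

Two things the letter asks the user to reason about are the two decisions the code makes: is this outbound packet one of the supported services, and is this inbound packet a reply to something the customer started. Note that a compromised machine spewing mail straight to foreign MX hosts is stopped by the first rule and has to go through the ISP's relay, where its volume is visible. A production filter would also expire flow entries and check TCP flags so that a forged "reply" cannot open the hole; the flow table here is deliberately minimal.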
Hopefully, the appliances (e.g. MS Windows) will get better over time, but in the meanwhile, how do we limit the damage? The end-user wants email and web access, and we give him raw IP access and watch the fireworks...
If user education is the answer, then let the user get educated enough to figure out he's NAT'ed and proxied, and then ask to have the raw IP service.
"(MS Windows) will get better over time", but in the meanwhile, with regard to the "Swiss cheese" OS (no offense to the Swiss) of Windows: I and many others are spending our weekends installing Opera and disabling MSIE on workstations and converting mail accounts as well. I remember when 3.1's file manager could poke right through a firewall. MS 3.1 is gone, or is it? And have they (MS) become better, or will they continue to bring half-baked pies to the market just to call them fresh, when in reality they are just unfinished pies? With the brewing of Windows "Longhorn" I don't see any hope that they will get better over time. Users and employees are like sheep, as many employers already know. They perform the same repetitive task without questions and they will continue to click those free coupon installers, despite being terminated for doing so. So do we license the network admins as the MVA, or do we issue handicapped tags for the morons? -Peter
Pete wrote:
"(MS Windows) will get better over time", but in the meanwhile, with regard to the "Swiss cheese" OS (no offense to the Swiss) of Windows: I and many others are spending our weekends installing Opera and disabling MSIE on workstations and converting mail accounts as well. I remember when 3.1's
Hope you're using the paid-for version of Opera, since the ad-sponsored version contains software to report your surfing habits to interested parties. For a spyware-less free alternative, I would suggest Mozilla or Firefox, although an occasional donation would also help their cause. Pete
In most states, the power company cannot connect service to a home or business until it has been inspected by a building inspector... This is to keep the number of fried customers to the lowest possible value. And yes, it is possible to do your own power box work, but expect the inspector to be very thorough if you aren't also a licensed electrician.
So, who's checking these local LAN's to make sure they don't melt or burst into flame once hooked up?
In this aspect, the ISP is providing the connection on the WAN side, not the LAN side. Unless you're paying $400 for them to install an $80 wireless system or some such, in which case I'll do it for $200 ;) Rob Nelson ronelson@vt.edu
sean@donelan.com (Sean Donelan) writes:
in any other industry, you (the isp) would do a simple risk analysis and start treating the cause rather than the symptom.
What other industry do you know where you are expected to fix products you didn't sell and didn't cause for free?
risk management doesn't mean fixing other people's problems for free, it means building your business with knowledge of those problems, and making sure your business copes with them.
You can't connect a Tivo or unauthorized device to your ISP connection, and the ISP would remotely control all the devices on your home network to ensure they are patched and secure.
Send me your root passwords. Trust me.
you should offer this service. most of us would urge our parents' generation to sign up for it. (i hope you weren't joking.)
for example you might offer inbound filtering,
Done. Effectiveness?
cleanup tools and services,
Done. Effectiveness?
and you would put their computer in cyberjail when it was known to be "infected",
Done. Effectiveness?
and you would certainly not offer your services without a clear idea of how to reach the customer and assist them in getting out of cyberjail
Done. Effectiveness?
even if it meant rolling a technician.
Done. Effectiveness?
Been there, done that. Got any new ideas?
with all due respect, which is in fact waning due to your sarcastic attitude, none of those things have been done. oh, sure, various isp's have waved at those problems, and some have paid some lip service to them, but it has not been seriously tried, because there's no way to insist on them and still make money. if you or any other isp seriously "Done."'d those things, then the few customers you'd have left would be very happy, and the rest of us who are not your customers would also be very happy with the lack of swill coming from your network.
People already think ISPs make money from infected computers and spammers.
only because i've been an insider at a couple of places where it was arguable.
What incentive would there be for people to fix things instead of just paying them off?
i believe i mentioned doubling the forfeitable deposit on each verified incident.
Is it Ok to spam, as long as you pay a lot? Is it Ok to leave an infected computer on the network, as long as you pay a lot? Haven't you just described what "bullet-proof" web hosting companies do?
i don't accept e-mail from rackspace.com or any of their customers, because this appears to be their business model. on http://www.vix.com/personalcolo/ i present what i call a "good internet neighborhood" model. a "bullet proof hosting" company wouldn't qualify, no matter what deposit they collected or how much customer equipment they had on-site.
alas. on the internet, nobody knows you're a dog.
Regulations could fix that.
no, really, they couldn't. bad guys can cons up a new identity every week if that's what it takes to avoid driving with a bad internet driver's license.
Most railroads have railroad police with jurisdiction anywhere the railroad tracks go. Some railroad police departments have trans-national jurisdiction in multiple countries.
several times i've suggested that only by upgrading this problem to the level of inter-national treaty, as has been done with other offenses like drugs and fraud and violence, will we begin to see the beginnings of "containment." you, sean, were party to at least one of those threads. perhaps you can do some homework and answer now what you didn't bother to answer then.
Do we need an Internet Police with jurisdiction anywhere the Internet goes? Instead of waiting for the FBI to make a case, the ISP police could arrest people.
Should ISPs be required to forward all their customer information and logs to the Department of Homeland Security (or other national equivalent) so they always know who is doing what? Would that solve the no one knows you're a dog problem?
no, it wouldn't. until the cost of creating new identities can be driven up, then nothing adhering to identity, such as reputation, will be of any real value in stopping repeat abusers. a dsl or cable provider is in a unique position in this regard. you know who your customers are and you know where they live. as a favour to the rest of us, it would be a fine thing if you would take advantage of this position to cause a general increase in the reputation-level of your customers' IP addrs. whether you do that with deposits, truck rolls, filtering, cyberjails, weekly training seminars, and/or lawsuits against microsoft and apple, is your problem not ours, since you make the profit from these customers. how you remain profitable and competitive while managing these risks is also your problem, again since you make the profit from these customers. google for "chemical polluter business model" if you want more background. -- Paul Vixie
On Sat, 12 Jun 2004, Paul Vixie wrote:
with all due respect, which is in fact waning due to your sarcastic attitude, none of those things have been done. oh, sure, various isp's have waved at those problems, and some have paid some lip service to them, but it has not been seriously tried, because there's no way to insist on them and still make money. if you or any other isp seriously "Done."'d those things, then the few customers you'd have left would be very happy, and the rest of us who are not your customers would also be very happy with the lack of swill coming from your network.
So you claim even the ISPs you ran yourself have never attempted to do any of these things? If you didn't do them, why do you think other people should?
On Sat, 12 Jun 2004, Paul Vixie wrote:
Send me your root passwords. Trust me.
you should offer this service. most of us would urge our parents' generation to sign up for it. (i hope you weren't joking.)
As you keep pointing out, a problem with current Internet security is its "opt-in" nature. Why should Paul be allowed to walk around the security checks, but Paul's grandmother needs to be searched? Both Paul and Paul's grandmother need to go through security. Allowing some people to opt-out would defeat the very thing you are trying to achieve. Most major ISPs offer a variety of Internet security products, if the user signs up for them, pays for them, installs them and uses them. AOL charges about $14/month, Earthlink charges about $6/month, MSN charges about $8/month, SBC charges about $5/month, Bellsouth charges about $7/month, etc. For a while, some broadband providers were even offering a $99 rebate when people bought a hardware nat/firewall device. Why don't more people take advantage of the security that is already available? Some people pay hundreds of dollars every month for bottled water, and filters on their faucets because they aren't satisfied with the quality of the water delivered by the local water company. If we give some people an option to opt-out, most grandmothers will probably follow Paul's example and save the few bucks every month and not use the security features. Should ISPs charge for security like the Universal Service Fund fee on your telephone bill, everyone (not just grandmothers) has to pay it. The FCC (or your national equivalent) would set the rate every quarter, and it appears on everyone's ISP bill. You have to pay it, even if you already have other security.
... If we give some people an option to opt-out, most grandmothers will probably follow Paul's example and save the few bucks every month and not use the security features. Should ISPs charge for security like the Universal Service Fund fee on your telephone bill, everyone (not just grandmothers) has to pay it. The FCC (or your national equivalent) would set the rate every quarter, and it appears on everyone's ISP bill. You have to pay it, even if you already have other security.
i like the plan i suggested in reply to jcurran better than the above plan. however, i'm now seeing more spam from hosts in my private blackhole list, that's fed by a darkspace IDS running on ports 25 and 80, than i am from all of my "dynamic/dialup blackhole list" subscriptions combined. so, if an fcc-based universal tariff is the only way to get this done, i'm willing to pay -- even though i own the routers on both ends of my home t1. -- Paul Vixie
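The darkspace sensor Paul describes (connection attempts to unused address space on ports 25 and 80 feeding a private blackhole list), as an added example rather than his configuration. The dark prefixes, the watched ports, the sensor log format, the sample events and the hit threshold are all constructed for the illustration.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Tuple

# Constructed: address space that is routed to the sensor but hosts nothing.
# No legitimate client ever connects here, so an inbound SYN is a scan or an
# automated spam/worm engine walking the address space.
DARK_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("192.0.2.0/25", "198.51.100.128/26")]

# The post mentions a sensor on ports 25 and 80; only those count here.
WATCHED_PORTS = {25, 80}


def in_darkspace(addr: str) -> bool:
    """True when addr falls inside one of the dark prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DARK_PREFIXES)


def parse_event(line: str) -> Tuple[str, str, str, int, str]:
    """Constructed sensor line: '<time> <src> > <dst>:<dport> <tcp-flags>'."""
    ts, src, _arrow, dst_port, flags = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return ts, src, dst, int(dport), flags


def feed_blackhole(lines: Iterable[str], min_hits: int = 1) -> Dict[str, int]:
    """Build {source_ip: hits} from sensor lines.

    Only SYNs (flags 'S') to a watched port on a dark address count; RSTs and
    other backscatter are ignored. min_hits is an assumed knob: the post gives
    no threshold, but requiring more than one hit cuts false positives from a
    single mistyped address or a one-off misconfigured host.
    """
    hits: Counter = Counter()
    for line in lines:
        _ts, src, dst, dport, flags = parse_event(line)
        if flags != "S":
            continue
        if dport in WATCHED_PORTS and in_darkspace(dst):
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


def should_reject_mail(sender_ip: str, blackhole: Dict[str, int]) -> bool:
    """The MTA-side check: refuse SMTP from a blackholed source."""
    return sender_ip in blackhole


# Constructed sensor events: two hosts sweeping dark space for open relays
# and web servers, plus traffic that must not trigger a listing.
SAMPLE_EVENTS = [
    "12:00:01 203.0.113.7 > 192.0.2.10:25 S",       # dark, port 25: hit
    "12:00:02 203.0.113.7 > 192.0.2.11:25 S",       # dark, port 25: hit
    "12:00:03 203.0.113.9 > 198.51.100.130:80 S",   # dark, port 80: hit
    "12:00:04 203.0.113.20 > 192.0.2.200:25 S",     # outside the /25: ignore
    "12:00:05 203.0.113.21 > 192.0.2.12:22 S",      # unwatched port: ignore
    "12:00:06 203.0.113.22 > 192.0.2.12:80 R",      # backscatter RST: ignore
]

if __name__ == "__main__":
    listed = feed_blackhole(SAMPLE_EVENTS)
    for src, n in sorted(listed.items()):
        print(f"blackhole {src} ({n} dark-space hit(s))")
    print("reject 203.0.113.7:", should_reject_mail("203.0.113.7", listed))
```

A production list would also age entries out and exempt the operator's own monitoring hosts; both are left out here.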
On Sun, 13 Jun 2004 00:10:56 -0400 (EDT), Sean Donelan <sean@donelan.com> writes:
Should ISPs charge for security like the Universal Service Fund fee on your telephone bill, everyone (not just grandmothers) has to pay it. The FCC (or your national equivalent) would set the rate every quarter, and it appears on everyone's ISP bill. You have to pay it, even if you already have other security.
Not that this solves the problem, but I'll argue that the party responsible for the bill should be the same as the party responsible for the security. Anything else would be a subsidy and perhaps even discourage secure behavior. If users are assumed to have ultimate responsibility, then why would users be proactively secure when they'll be forced to subsidize insecure users? If vendor X builds notoriously insecure software, and vendor Y doesn't, then a scheme that allows vendor X to push the costs onto their non-customers is also a subsidy. In particular, the USF doesn't seem to incentivize the creation or installing of more secure software because neither vendor X nor its users are directly responsible for the aftermarket maintenance and patching costs. The costs should be borne by whomever is deemed responsible for the problem. I think that this ultimately comes down to users. They choose what and how their computers are secure and they choose what software to install. I don't think breaking end-to-end by NAT, firewall, or proxy proposals for ordinary users is an acceptable solution. It'll make it much harder to deploy new protocols, and it'll encourage universal tunneling over port 80. Scott
I'd much rather see the people who don't pay for security get disconnected when abuse spews forth from their network. Then, they should have to clean up their site and pay a cleanup fee to get reconnected. Perhaps what is needed is a reporting agency, similar to the credit reporting agencies, where ISPs can register chronic problem-customers. Eventually, your internet credit rating deteriorates to the point that no ISP will offer you service. Owen
owen@delong.com (Owen DeLong) writes:
Perhaps what is needed is a reporting agency, similar to the credit reporting agencies, where ISPs can register chronic problem-customers. Eventually, your internet credit rating deteriorates to the point that no ISP will offer you service.
it is with some discomfort that i watch the last decade or so of ultimate final solutions to spam be rediscovered on a sleepy nanog weekend. the reason the above analogy fails to hold (and why that proposal isn't a solution) is that credit reporting agencies have an established standard for what "bad" is -- days overdue on payments. there is no similar standard for a tcp/ip endsystem, and there can be none. a week doesn't go by without some goober-with-firewall complaining that f-root is portscanning him. as112 gets it every day at least two or three times. someone else here reports that his squid proxy is regularly reported by norton's tools because it sets unusual bits in the tcp header. and so on. -- Paul Vixie
Paul,

Actually, credit agencies don't have a single standard for what "bad" is; they are obligated to only keep factual data (as can be best determined) in the files. When you cause a credit report to be checked, one or more algorithms are used to score your credit, but the algorithm used is up to the particular inquirer and credit bureau.

It's not that hard to make this one work for spammers, but you need some key pieces to all be in place:

1. Common definition for what information is kept
2. ISP's need customer contracts which allow reporting of incidents and terminations to any/all such bureaus
3. ISP's need to figure out how to handle a "new" site which has no listings. Spammers already figured out that some ISPs do D&B credit checks, and have gotten very good at appearing as a new "startup" a week later.

/John

At 4:50 PM +0000 6/13/04, Paul Vixie wrote:
owen@delong.com (Owen DeLong) writes:
Perhaps what is needed is a reporting agency, similar to the credit reporting agencies, where ISPs can register chronic problem-customers. Eventually, your internet credit rating deteriorates to the point that no ISP will offer you service.
it is with some discomfort that i watch the last decade or so of ultimate final solutions to spam be rediscovered on a sleepy nanog weekend. the reason the above analogy fails to hold (and why that proposal isn't a solution) is that credit reporting agencies have an established standard for what "bad" is -- days overdue on payments. there is no similar standard for a tcp/ip endsystem, and there can be none. a week doesn't go by without some goober-with-firewall complaining that f-root is portscanning him. as112 gets it every day at least two or three times. someone else here reports that his squid proxy is regularly reported by norton's tools because it sets unusual bits in the tcp header. and so on. -- Paul Vixie
As I said earlier in private mail to John, I think this will only work if the reporting is done on individuals, not companies. For non-corporate business entities, the president of the company should be used as a stand-in for the company. For corporate business entities, the CEO or chairman of the board should be used. I'm betting that spammers will rapidly run out of people willing to forego future internet access in the name of continuing their business fairly rapidly.

Owen

--On Sunday, June 13, 2004 1:14 PM -0400 John Curran <jcurran@istaff.org> wrote:
Paul,
Actually, credit agencies don't have a single standard for what "bad" is; they are obligated to only keep factual data (as can be best determined) in the files. When you cause a credit report to be checked, one or more algorithms are used to score your credit, but the algorithm used is up to the particular inquirer and credit bureau.
It's not that hard to make this one work for spammers, but you need some key pieces to all be in place:
1. Common definition for what information is kept
2. ISP's need customer contracts which allow reporting of incidents and terminations to any/all such bureaus
3. ISP's need to figure out how to handle a "new" site which has no listings. Spammers already figured out that some ISPs do D&B credit checks, and have gotten very good at appearing as a new "startup" a week later.
/John
At 4:50 PM +0000 6/13/04, Paul Vixie wrote:
owen@delong.com (Owen DeLong) writes:
Perhaps what is needed is a reporting agency, similar to the credit reporting agencies, where ISPs can register chronic problem-customers. Eventually, your internet credit rating deteriorates to the point that no ISP will offer you service.
it is with some discomfort that i watch the last decade or so of ultimate final solutions to spam be rediscovered on a sleepy nanog weekend. the reason the above analogy fails to hold (and why that proposal isn't a solution) is that credit reporting agencies have an established standard for what "bad" is -- days overdue on payments. there is no similar standard for a tcp/ip endsystem, and there can be none. a week doesn't go by without some goober-with-firewall complaining that f-root is portscanning him. as112 gets it every day at least two or three times. someone else here reports that his squid proxy is regularly reported by norton's tools because it sets unusual bits in the tcp header. and so on. -- Paul Vixie
-- If it wasn't crypto-signed, it probably didn't come from me.
You underestimate the profitability of spam and the creativity of such folks in filling out applications. I do think that it's workable, but just don't presume that it's going to be airtight.

/John

At 10:45 AM -0700 6/13/04, Owen DeLong wrote:
As I said earlier in private mail to John, I think this will only work if the reporting is done on individuals, not companies. For non-corporate business entities, the president of the company should be used as a stand-in for the company. For corporate business entities, the CEO or chairman of the board should be used. I'm betting that spammers will rapidly run out of people willing to forego future internet access in the name of continuing their business fairly rapidly.
Owen
At this point, I'll settle for 10% effective or better. I just want to make SPAM at least as hard as identity theft.

Owen

--On Sunday, June 13, 2004 2:57 PM -0400 John Curran <jcurran@istaff.org> wrote:
You underestimate the profitability of spam and the creativity of such folks in filling out applications. I do think that it's workable, but just don't presume that it's going to be airtight.
/John
At 10:45 AM -0700 6/13/04, Owen DeLong wrote:
As I said earlier in private mail to John, I think this will only work if the reporting is done on individuals, not companies. For non-corporate business entities, the president of the company should be used as a stand-in for the company. For corporate business entities, the CEO or chairman of the board should be used. I'm betting that spammers will rapidly run out of people willing to forego future internet access in the name of continuing their business fairly rapidly.
Owen
-- If it wasn't crypto-signed, it probably didn't come from me.
[edited to fix top posting; snipped for bandwidth] John Curran wrote:
At 4:50 PM +0000 6/13/04, Paul Vixie wrote:
owen@delong.com (Owen DeLong) writes:
Perhaps what is needed is a reporting agency, similar to the credit reporting agencies, where ISPs can register chronic problem-customers. Eventually, your internet credit rating deteriorates to the point that no ISP will offer you service.
... the reason the above analogy fails to hold ... is that credit reporting agencies have an established standard for what "bad" is -- days overdue on payments.
True enough, but there is even a more important point on credit agencies, one I suspect applies here as well. Credit agencies can show that you have good to excellent credit, and they certainly show many of those that don't, but they cannot protect against anyone who is willing to break the law. Identity theft is all about masquerading as someone with good credit (spoofing).
Actually, credit agencies don't have a single standard for what "bad" is; they are obligated to only keep factual data (as can be best determined) in the files. When you cause a credit report to be checked, one or more algorithms are used to score your credit, but the algorithm used is up to the particular inquirer and credit bureau.
In addition, they are known to keep inaccurate data, and it is HARD to correct inaccurate data (think various DNS/Email blacklists here). They also don't have all the data. Do you rent or lease an apartment? Whether or not you pay on time is not sent in. Evictions may or may not be sent in. They're called "Credit" bureaus for a reason. The data they keep is narrow.
It's not that hard to make this one work for spammers, but you need some key pieces to all be in place:
It'll be very hard, and there's no good business model for doing so. If you're proposing yet another SORBS or MAPS, please don't. Otherwise, you have to decide how someone can profit from maintaining this data. I don't know about the others, but I can GUARANTEE that the profit margin within Experian (formerly known as TRW) is very, very, very slim. If it's slim for someone successful, how do you propose that the business model for this will work?
... Spammers already figured out that some ISPs do D&B credit checks, and have gotten very good at appearing as a new "startup" a week later.
Absolutely. Just like criminals visit graveyards and county records, spammers and other miscreants are happy to create new, fake identification, and don't really care if they have to keep doing it. The real problem is how do you make the business model of spamming unproductive?

--
Life at university, with its intellectual and inconclusive discussions at a postgraduate level is on the whole a bad training for the real world. Only men of very strong character surmount this handicap. (Paul Chambers)
* owen@delong.com (Owen DeLong) [Sun 13 Jun 2004, 18:38 CEST]:
I'd much rather see the people who don't pay for security get disconnected when abuse spews forth from their network. Then, they should have to clean up their site and pay a cleanup fee to get reconnected.
... To their new ISP, which they will very likely move to, after getting disconnected one time too many by their old one? After round three, this will have changed the current setup how? (Except that the then-negligent ISPs have ended up with all the income.) -- Niels.
Niels Bakker wrote:
... To their new ISP, which they will very likely move to, after getting
disconnected one time too many by their old one?
After round three, this will have changed the current setup how? (Except that the then-negligent ISPs have ended up with all the income.)
Eventually all the "bad" customers end up with the same ISP, then filtering is as easy as running loose uRPF and filtering on their AS on input. Pete
* pete@he.iki.fi (Petri Helenius) [Mon 14 Jun 2004, 13:07 CEST]:
Niels Bakker wrote:
... To their new ISP, which they will very likely move to, after getting disconnected one time too many by their old one?
After round three, this will have changed the current setup how? (Except that the then-negligent ISPs have ended up with all the income.) Eventually all the "bad" customers end up with the same ISP, then filtering is as easy as running loose uRPF and filtering on their AS on input.
Except that the majority of people may have ended up at such ISPs (note plural). Can you afford not to talk to them? For how long did you stick with just UUCP after SMTP entered the scene? -- Niels.
Niels Bakker wrote:
Except that the majority of people may have ended up at such ISPs (note plural). Can you afford not to talk to them?
Majority of people living in bad neighborhoods would be news. I'll take sides if that happens.
For how long did you stick with just UUCP after SMTP entered the scene?
We actually ran UUCP over telnet for quite a while after SMTP happened. Pete
On Monday 14 June 2004 21:35, Petri Helenius wrote:
Niels Bakker wrote:
Except that the majority of people may have ended up at such ISPs (note plural). Can you afford not to talk to them?
Majority of people living in bad neighborhoods would be news. I'll take sides if that happens.
For how long did you stick with just UUCP after SMTP entered the scene?
We actually ran UUCP over telnet for quite a while after SMTP happened.
I know of one ISP who, in the spirit of customer service, are still providing UUCP to two customers now who are still running Wildcat 4.x and Terminus on OS/2. It's not dead yet, although many have tried to kill it. P.
On Mon, 14 Jun 2004, Paul S. Brown wrote:
On Monday 14 June 2004 21:35, Petri Helenius wrote:
Niels Bakker wrote:
Except that the majority of people may have ended up at such ISPs (note plural). Can you afford not to talk to them?
Majority of people living in bad neighborhoods would be news. I'll take sides if that happens.
For how long did you stick with just UUCP after SMTP entered the scene?
We actually ran UUCP over telnet for quite a while after SMTP happened.
I know of one ISP who, in the spirit of customer service, are still providing UUCP to two customers now who are still running Wildcat 4.x and Terminus on OS/2.
I think there might be another which still has 25 or so UUCP customers... -Chris
Niels Bakker wrote:
Except that the majority of people may have ended up at such ISPs (note plural). Can you afford not to talk to them? For how long did you stick with just UUCP after SMTP entered the scene?
* christopher.morrow@mci.com (Christopher L. Morrow) [Mon 14 Jun 2004, 23:35 CEST]:
I think there might be another which still has 25 or so UUCP customers...
And. Can they afford not to talk to any SMTP host? Or do they accept mail from those newfangled .COM sites not listed in any UUCP map? Because that's at the heart of this argument, not whether some nostalgic folks still know what HDB stands for. -- Niels (who has met Honeyman)
On Mon, 14 Jun 2004, Niels Bakker wrote:
Niels Bakker wrote:
Except that the majority of people may have ended up at such ISPs (note plural). Can you afford not to talk to them? For how long did you stick with just UUCP after SMTP entered the scene?
* christopher.morrow@mci.com (Christopher L. Morrow) [Mon 14 Jun 2004, 23:35 CEST]:
I think there might be another which still has 25 or so UUCP customers...
And. Can they afford not to talk to any SMTP host? Or do they accept mail from those newfangled .COM sites not listed in any UUCP map?
good question, I assume that they MX to some mailbag place and just forward everything back over uucp to the same place.
Because that's at the heart of this argument, not whether some nostalgic folks still know what HDB stands for.
This teaches me to jump in midstream on a topic I've been deleting for 5 days :(
i support four sites uucp over tcp, and i don't really know why they want it. i support one with good old-fashioned dial-up pots uucp. randy
Eventually all the "bad" customers end up with the same ISP, then filtering is as easy as running loose uRPF and filtering on their AS on input.
And that's why we can all safely dump anything from aol.com into /dev/null, right? ;) Rob Nelson ronelson@vt.edu
Rob Nelson wrote:
Eventually all the "bad" customers end up with the same ISP, then filtering is as easy as running loose uRPF and filtering on their AS on input.
And that's why we can all safely dump anything from aol.com into /dev/null, right? ;)
That's somewhat similar to the urban legends of spam being sourced off Asia instead of Florida. In our research, which compares a few metrics to the number of incidents exceeding certain thresholds, AOL (if we're talking about AS1668 here) comes up quite favourably. Not your model student, but compared to a lot of the population out there, very nice. Pete
No... The negligent ISPs end up with all the abusing customers and have a hard time getting transit themselves. Eventually, you end up with two internets... One run by and for the abusers and negligent, one for everyone else. I have no problem with that. Owen
Owen DeLong wrote:
No... The negligent ISPs end up with all the abusing customers and have a hard time getting transit themselves. Eventually, you end up with two internets... One run by and for the abusers and negligent, one for everyone else. I have no problem with that.
There should be a twelve-step program for people like me who can't stay out of a discussion.... I think we are already on our way to a multiple-Internet world, with the CB-radio model of everybody shouting about all manner of stuff ranging from very useful to utter sewage (uttered sewage?), and the vpn model (note lowercase attempt at a generalizing term) of encrypted tunnels, firewall rules, DNSBLs, challenge-response, SPF, et alia. Implicit in the latter is a prior negotiation and rules-of-contact setting, meaning no contact via the Internet by parties unknown. I wonder if a 500 kc-like "calling" channel with very tight and enforced rules will emerge somehow.

--
Requiescas in pace o email
Ex turpi causa non oritur actio
http://members.cox.net/larrysheldon/