First, are the consumers willing to pay for a "safer" internet DSL/dial/isdn? I believe if they were there would be a safer service available. I have seen several "secure" ISPs fail in the last few years. If you have any data that shows that there is a market for a more secure dialup/DSL/isdn... please share it.
2nd, blaming infected machines on the internet is similar to blaming your postal carrier for bringing you junk mail and bills. About 1/2 of all of the large "infection" events on the internet are the result of people running unpatched, unsecured applications on their machines. The other half of the infections I see are due to an end user opening an email and running an attachment. Even with a secure OS this simple method of infection will continue to work.
How and when did it become the responsibility of the ISP to protect the end users' machines? Do ISPs get paid to protect end user machines? If you want to blame someone, maybe the company that provided the insecure OS that requires monthly patches to fix portions of the broken code they sold. Or you could blame the end users who open unknown attachments.
I would like a real solution to the problem. Simply blocking ports is not successful. So I recommend 2 steps. First, buy OSes that are more secure out of the box. 2nd, teach users NOT to click on everything they see.
Donald.Smith@qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint: 9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
Brian Kernighan jokingly named it the Uniplexed Information and Computing System (UNICS) as a pun on MULTICS.
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Matthew Sullivan Sent: Sunday, June 13, 2004 5:02 PM To: nanog Subject: Re: "Default" Internet Service
Christopher L. Morrow wrote:
On Sat, 12 Jun 2004, John Curran wrote:
The real challenge here is that the "default" Internet service is wide-open Internet Protocol, w/o any safeties or controls. This made a lot of sense when the Internet was a few hundred sites, but is showing real scaling problems today (spam, major viruses, etc.)
One could imagine changing the paradigm (never easy) so that the normal Internet service was proxied for common applications and NAT'ed for everything else... This wouldn't eliminate all the problems, but would dramatically cut down the incident rate.
This sounds like a fantastic idea, for instance: How much direct IP does joe-average Internet user really require? Do they require anything more than imap(s)/pop(s)/smtp(+tls) and dns/http/https ? I suppose they also need: 1) internet gaming 2) voip 3) kazaa/p2p-app(s)-of-choice 4) IM
Actually I'm sure there are quite a few things they need, things which require either very smart NAT/Proxy devices or open access. The filtering of IP on the broad scale will hamper creativity and innovation. I'm fairly certain this is not what we want in the long term, is it?
I actually suggested something like this at the recent AusCERT 2004 conference... It's not such a bad idea....
The real question being "why are we giving mums and dads who sign up to the internet, and know nothing about either the Internet or computers, full unrestricted incoming and outgoing access...?" ... answer: because the more bandwidth they use the more the ISP earns... so the ISPs don't care (in some cases) if the mums and dads get trojaned, because it's all money.
My suggestion to the AusCERT delegates was to introduce a new default service which has very limited access, and if people ask for more, give them the access after they have read through various 'educational' pages.... Perhaps a simple online quiz at the end - just 3-5 questions with the answers being very clearly explained in the previous pages - just to show the people have actually read the pages, rather than skipped to the end and hit 'I accept'.
I also suggested that if ISPs have the technology, perhaps a simple IP pools method of allocating the user's IP, where they could turn on and turn off access to certain protocols - eg: have a pool for P2P users, a pool for VOIP etc...
/ Mat
Smith, Donald wrote:
First, are the consumers willing to pay for a "safer" internet DSL/dial/isdn?
Why should they have to?
I believe if they were there would be a safer service available. I have seen several "secure" ISPs fail in the last few years. If you have any data that shows that there is a market for a more secure dialup/DSL/isdn... please share it.
No, but it won't be long before you will find half a dozen reasons why as an ISP you will want to do it - but then it may be too late.
2nd, blaming infected machines on the internet is similar to blaming your postal carrier for bringing you junk mail and bills.
Crap
About 1/2 of all of the large "infection" events on the internet are the result of people running unpatched, unsecured applications on their machines. The other half of the infections I see are due to an end user opening an email and running an attachment.
Correct
Even with a secure OS this simple method of infection will continue to work.
Correct. However you are ignoring the fact that once the machine is infected, the machine can be used by hundreds of people (skript kiddies) to damage other parts of the internet, further they can (and are) being used by organised crime to extort money out of large financial institutions and companies, and that's not to mention DDoSes on the smaller people who are just in the way.
How and when did it become the responsibility of the ISP to protect the end users' machines?
It hasn't, however the data coming from an ISP's network has always been the responsibility of the ISP.... and I would suggest if you cannot stop the end users getting infected, then you should look at stopping those machines from abusing other machines on the internet.... If you will not do that you should not be peered.
Do ISPs get paid to protect end user machines?
No, they get paid for traffic, which is the reason some ISPs out there don't care if their customers are DDoSing another's network.
If you want to blame someone, maybe the company that provided the insecure OS that requires monthly patches to fix portions of the broken code they sold. Or you could blame the end users who open unknown attachments.
Yup, we've been doing that for years, and they have been fixing things as fast as possible (not always, and not until more recently) however they are making steps in the right direction, so I feel it's about time ISPs started taking some of the responsibility for traffic on their network. As far as the attachments go, education is the only way - and if they cannot be educated they shouldn't be on the Internet.
I would like a real solution to the problem. Simply blocking ports is not successful. So I recommend 2 steps.
First, buy OSes that are more secure out of the box.
That's not going to happen anytime soon, even with Microsoft starting to follow the 'right' road.
2nd, teach users NOT to click on everything they see.
...and how are you going to do that? If you give a user a $10 account where they have full internet access they click on everything, then they get infected, their machine is controlled by someone else across the world and is used for DDoS attacks or spam (or..hacking, or...?) .. what are you going to do to educate them in the middle....? What is the ISP going to do to make sure that the end user has been educated? What are you the ISP going to do to ensure the machine that was infected has now been disinfected...? I don't expect you the ISP to solve all these problems, nor do I expect you the ISP to stop your users from getting infected.... However you the ISP are responsible for traffic coming from and going to your users, and most of us don't care if you want to allow your users to get infected, however we do care if you allow your customers to attack us.... Whether it be an attack in the form of spam, DDoS or trojan/virus spreading.
/ Mat
--On Tuesday, June 15, 2004 7:26 +1000 Matthew Sullivan <matthew@sorbs.net> wrote:
Smith, Donald wrote:
First, are the consumers willing to pay for a "safer" internet DSL/dial/isdn?
Why should they have to?
Because providing it costs more.
I believe if they were there would be a safer service available. I have seen several "secure" ISPs fail in the last few years. If you have any data that shows that there is a market for a more secure dialup/DSL/isdn... please share it.
No, but it won't be long before you will find half a dozen reasons why as an ISP you will want to do it - but then it may be too late.
Such as?
2nd, blaming infected machines on the internet is similar to blaming your postal carrier for bringing you junk mail and bills.
Crap
It's not crap. Infected machines are no more the fault of the internet than junkmail in your mailbox is the fault of the post office. There's literally no difference to the model. The post office delivers mail that is addressed to you. They don't care if it's junk mail or not. They deliver it.
About 1/2 of all of the large "infection" events on the internet are the result of people running unpatched, unsecured applications on their machines. The other half of the infections I see are due to an end user opening an email and running an attachment.
Correct
Actually, I suspect it's a much larger fraction, more along the lines of 80 to 90%, possibly more.
Even with a secure OS this simple method of infection will continue to work.
Correct
And how is an ISP supposed to do anything about this?
However you are ignoring the fact that once the machine is infected, the machine can be used by hundreds of people (skript kiddies) to damage other parts of the internet, further they can (and are) being used by organised crime to extort money out of large financial institutions and companies, and that's not to mention DDoSes on the smaller people who are just in the way.
Right... So, you should be working really hard to get people not to allow their machines to be infected, and, to get ISPs to disconnect infected sites from the network. I support both of those moves. The rest is just a way to tax the clueful for the ignorance of the masses with little benefit.
How and when did it become the responsibility of the ISP to protect the end users' machines?
It hasn't, however the data coming from an ISP's network has always been the responsibility of the ISP.... and I would suggest if you cannot stop the end users getting infected, then you should look at stopping those machines from abusing other machines on the internet.... If you will not do that you should not be peered.
Sorry... The data ORIGINATING from the ISP's network is the responsibility of the ISP. The data transiting the ISP's network is just that. The ISP has no obligation, indeed, no right to look into the data beyond what is necessary for delivery and operation of the service (ECPA). I agree that ISPs should shut off sites that are demonstrably spewing abuse and notify those sites of the problem. I've repeatedly supported several models for doing just that. However, this is different from making the ISP responsible for breaking the users' connectivity prior to such an event in the name of preventing the user from shooting themselves in the foot. I further like the idea of de-peering ISPs who don't do this, and, if you can get a critical mass of the major ISPs to do that, life will start to get better. If you can't, it won't.
Do ISPs get paid to protect end user machines?
No, they get paid for traffic, which is the reason some ISPs out there don't care if their customers are DDoSing another's network.
No, they get paid for delivering packets. They don't get paid (currently) for handling abuse complaints. Paul Vixie has proposed, and, I have supported a model which ISPs could adopt which would change this fact. Most residential ISPs get paid the same whether the customer spews abuse or not. Their costs go up some when they get abuse complaints and when abuse starts using more bandwidth, so, for the most part, most residential ISPs have no incentive to support abuse, but, not enough incentive to pay to staff an abuse department sufficiently to be truly responsive. Further, most abuse departments don't get enough support from management when the sales and marketing departments come whining about how much revenue that abusing customer produces each month. This is one of the unfortunate realities of a free-market economy. It doesn't always tie profit to doing the right thing, and, it favors short-term thinking over long-term planning.
If you want to blame someone, maybe the company that provided the insecure OS that requires monthly patches to fix portions of the broken code they sold. Or you could blame the end users who open unknown attachments.
Yup, we've been doing that for years, and they have been fixing things as fast as possible (not always, and not until more recently) however they are making steps in the right direction, so I feel it's about time ISPs started taking some of the responsibility for traffic on their network. As far as the attachments go, education is the only way - and if they cannot be educated they shouldn't be on the Internet.
They continue to develop new and more exploitable services and features. They continue to improve upon techniques for bypassing corporate firewalls. They are not fixing things as fast as possible, they are fixing things as they become widely known and public. They are also showing no commitment to implementing new features in a secure way, nor, indeed, any willingness to give up features in order to preserve security. They have convinced themselves (and apparently the corporate world) that they are untouchable, and they continue to rake in profits while having no accountability to the parties that are injured by their actions.
I would like a real solution to the problem. Simply blocking ports is not successful. So I recommend 2 steps.
First, buy OSes that are more secure out of the box.
That's not going to happen anytime soon, even with Microsoft starting to follow the 'right' road.
I haven't seen any indication that Micr0$0ft is following the right road, just that they are bending to some public pressure to pay some level of lip-service to security. Yes, they have fixed the 100 most gaping security holes in their code this week. No, they haven't shown that new code is being written with security as an important consideration.
2nd, teach users NOT to click on everything they see.
...and how are you going to do that? If you give a user a $10 account where they have full internet access they click on everything, then they get infected, their machine is controlled by someone else across the world and is used for DDoS attacks or spam (or..hacking, or...?) .. what are you going to do to educate them in the middle....? What is the ISP going to do to make sure that the end user has been educated? What are you the ISP going to do to ensure the machine that was infected has now been disinfected...?
So, let me see if I have this straight... The gas company is now expected to somehow stop me from feeding gas into the water heater they don't know I've installed, or refuse to sell me gas, until I can prove that I know how to install gas appliances, because, if they sell me gas without disabling my ability to connect it to other appliances, I might. Right... That's going to happen. ISPs are like utilities. They deliver a service. The service is the acceptance and delivery of properly formed IP datagrams. If you want something different, that's a separate value-added service and you should pay more for it.
I don't expect you the ISP to solve all these problems, nor do I expect you the ISP to stop your users from getting infected.... However you the ISP are responsible for traffic coming from and going to your users, and most of us don't care if you want to allow your users to get infected, however we do care if you allow your customers to attack us.... Whether it be an attack in the form of spam, DDoS or trojan/virus spreading.
This makes sense. I've supported this. That's not what Adi and others have been saying, and, it's not what some of your statements above say.
Owen
-- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
It's not crap. Infected machines are no more the fault of the internet than junkmail in your mailbox is the fault of the post office. There's literally no difference to the model. The post office delivers mail that is addressed to you. They don't care if it's junk mail or not. They deliver it.
So what about little envelopes with white powder? Does the post office still have an obligation to deliver it or should they be concerned about the welfare of their customers? Perhaps they should insist that customers are properly vaccinated.... Point I am making is that the post office is not responsible and/or liable for the content of the packages they deliver. However, if they deliver packages that are obviously visibly dangerous to the recipient they have an obligation to investigate and not deliver the package.
Most residential ISPs get paid the same whether the customer spews abuse or not. Their costs go up some when they get abuse complaints and when abuse starts using more bandwidth, so, for the most part, most residential ISPs have no incentive to support abuse, but, not enough incentive to pay to staff an abuse department sufficiently to be truly responsive. Further, most abuse departments don't get enough support from management when the sales and marketing departments come whining about how much revenue that abusing customer produces each month. This is one of the unfortunate realities of a free-market economy. It doesn't always tie profit to doing the right thing, and, it favors short-term thinking over long-term planning.
Who do you suppose pays for the abuse department staff? Those are operational costs passed on to all customers. If increasing abuse results in increasing staff, hopefully eventually, these costs will most likely be passed on to all customers. It would be nice to see per incident billing so only offenders and repeat offenders pay. I doubt that'll happen (just a gut feeling, no other justification).
Adi
Owen DeLong <owen@delong.com> writes:
It's not crap. Infected machines are no more the fault of the internet than junkmail in your mailbox is the fault of the post office. There's literally no difference to the model. The post office delivers mail that is addressed to you. They don't care if it's junk mail or not. They deliver it.
* adil@adis.on.ca (Adi Linden) [Tue 15 Jun 2004, 00:58 CEST]:
So what about little envelopes with white powder? Does the post office still have an obligation to deliver it or should they be concerned about the welfare of their customers? Perhaps they should insist that customers are properly vaccinated....
Don't you think you're stretching this analogy way past its breaking point? Besides, the post office (supposedly) cares about its workers and as such has a problem with delivering dangerous packages...
Point I am making is that the post office is not responsible and/or liable for the content of the packages they deliver. However, if they deliver packages that are obviously visibly dangerous to the recipient they have an obligation to investigate and not deliver the package.
If they were so obviously visibly dangerous, why did postal workers die during the first few anthrax scares? Again, the analogy breaks down. (Packets don't kill people, packages do?) Don't junk mailers pay extra anyway? Or is that an urban legend... -- Niels.
--On Monday, June 14, 2004 17:57 -0500 Adi Linden <adil@adis.on.ca> wrote:
It's not crap. Infected machines are no more the fault of the internet than junkmail in your mailbox is the fault of the post office. There's literally no difference to the model. The post office delivers mail that is addressed to you. They don't care if it's junk mail or not. They deliver it.
So what about little envelopes with white powder? Does the post office still have an obligation to deliver it or should they be concerned about the welfare of their customers? Perhaps they should insist that customers are properly vaccinated....
That depends... Is it an envelope covered in suspicious white powder, or, is it a well sealed envelope that happens to contain a plastic baggy of white powder? If it's the former, then, there is obvious reason, and, this would be equivalent to a malformed IP datagram, which most (all) ISPs will drop. If it's the latter, then, the post office has no legitimate way to know that the envelope contains white powder, nor, does it know what the white powder is. Also, the primary reason/responsibility the post office has in not delivering the white powder on the outside of the envelope is to protect postal employees. Secondarily, the mail may come into contact with other than its intended target. The post office does not, in my opinion, have an obligation to protect you from mail properly addressed to you.
Point I am making is that the post office is not responsible and/or liable for the content of the packages they deliver. However, if they deliver packages that are obviously visibly dangerous to the recipient they have an obligation to investigate and not deliver the package.
Actually, there is some debate about that. However, there are also strong boundaries on that. The obligation you speak of applies to things that endanger human life. If you send a diskette mailer to someone with the label "Diskette inside contains live computer virus", I bet the post office will probably deliver it. That's every bit as harmful as the packets you're complaining about the ISPs delivering.
Most residential ISPs get paid the same whether the customer spews abuse or not. Their costs go up some when they get abuse complaints and when abuse starts using more bandwidth, so, for the most part, most residential ISPs have no incentive to support abuse, but, not enough incentive to pay to staff an abuse department sufficiently to be truly responsive. Further, most abuse departments don't get enough support from management when the sales and marketing departments come whining about how much revenue that abusing customer produces each month. This is one of the unfortunate realities of a free-market economy. It doesn't always tie profit to doing the right thing, and, it favors short-term thinking over long-term planning.
Who do you suppose pays for the abuse department staff? Those are operational costs passed on to all customers. If increasing abuse results in increasing staff, hopefully eventually, these costs will most likely be passed on to all customers. It would be nice to see per incident billing so only offenders and repeat offenders pay. I doubt that'll happen (just a gut feeling, no other justification).
Right... that's why I support the "abuser pays" model of charging cleanup fees for users that get infected. That's what I'd like to see too. Arguing for ISPs to filter customers arbitrarily distracts from this.
Owen
Owen DeLong wrote:
--On Monday, June 14, 2004 17:57 -0500 Adi Linden <adil@adis.on.ca> wrote:
It's not crap. Infected machines are no more the fault of the internet than junkmail in your mailbox is the fault of the post office. There's literally no difference to the model. The post office delivers mail that is addressed to you. They don't care if it's junk mail or not. They deliver it.
So what about little envelopes with white powder? Does the post office still have an obligation to deliver it or should they be concerned about the welfare of their customers? Perhaps they should insist that customers are properly vaccinated....
That depends... Is it an envelope covered in suspicious white powder, or, is it a well sealed envelope that happens to contain a plastic baggy of white powder? If it's the former, then, there is obvious reason, and, this would be equivalent to a malformed IP datagram, which most (all) ISPs will drop. If it's the latter, then, the post office has no legitimate way to know that the envelope contains white powder, nor, does it know what the white powder is. Also, the primary reason/responsibility the post office has in not delivering the white powder on the outside of the envelope is to protect postal employees. Secondarily, the mail may come into contact with other than its intended target. The post office does not, in my opinion, have an obligation to protect you from mail properly addressed to you.
And yet the UK post office X-rays all parcels looking for bombs (confirmable with the UK post office).... AFAIK they also now use sniffer technology to look for other 'nasties' (this is completely unconfirmed)
Point I am making is that the post office is not responsible and/or liable for the content of the packages they deliver. However, if they deliver packages that are obviously visibly dangerous to the recipient they have an obligation to investigate and not deliver the package.
Actually, there is some debate about that. However, there are also strong boundaries on that. The obligation you speak of applies to things that endanger human life. If you send a diskette mailer to someone with the label "Diskette inside contains live computer virus", I bet the post office will probably deliver it. That's every bit as harmful as the packets you're complaining about the ISPs delivering.
And to the same respect, if you send a package with "The package contains the Anthrax virus" they'll probably deliver it as well... (wouldn't recommend anyone testing it though ;-))
Most residential ISPs get paid the same whether the customer spews abuse or not. Their costs go up some when they get abuse complaints and when abuse starts using more bandwidth, so, for the most part, most residential ISPs have no incentive to support abuse, but, not enough incentive to pay to staff an abuse department sufficiently to be truly responsive. Further, most abuse departments don't get enough support from management when the sales and marketing departments come whining about how much revenue that abusing customer produces each month. This is one of the unfortunate realities of a free-market economy. It doesn't always tie profit to doing the right thing, and, it favors short-term thinking over long-term planning.
Who do you suppose pays for the abuse department staff? Those are operational costs passed on to all customers. If increasing abuse results in increasing staff, hopefully eventually, these costs will most likely be passed on to all customers. It would be nice to see per incident billing so only offenders and repeat offenders pay. I doubt that'll happen (just a gut feeling, no other justification).
Right... that's why I support the "abuser pays" model of charging cleanup fees for users that get infected. That's what I'd like to see too.
Hear hear..
Arguing for ISPs to filter customers arbitrarily distracts from this.
No it doesn't - it's two different models - I'm sure some customers would prefer filtered access rather than risk a cleanup charge being dumped on them...
/ Mat
Folks, it's time to end these threads. If I have to read one more political/social analogy, I'm going to pass out ...
On Jun 15, 8:55am, Susan Harris <srh@merit.edu> wrote:
Folks, it's time to end these threads. If I have to read one more political/social analogy, I'm going to pass out ...
Can I help? Please? Pretty please? Pretty pretty pluuuheeeese? :-) -- Per
On Mon, 14 Jun 2004, Owen DeLong wrote:
Point I am making is that the post office is not responsible and/or liable for the content of the packages they deliver. However, if they deliver packages that are obviously visibly dangerous to the recipient they have an obligation to investigate and not deliver the package.
Actually, there is some debate about that. However, there are also strong boundaries on that. The obligation you speak of applies to things that endanger human life. If you send a diskette mailer to someone with the label "Diskette inside contains live computer virus", I bet the post office will probably deliver it. That's every bit as harmful as the packets you're complaining about the ISPs delivering.
Actually postal and freight services require you to label dangerous goods and may not accept some types of dangerous goods to start with. If they believe you've sent dangerous goods that have not been labeled as such they have the right to return the package to sender or conduct their own investigation and delay the shipment. So in a sense if you send somebody an envelope and specify that it contains "dangerous white powder" and they actually accepted the shipment, they should deliver it. But if they see that it contains this powder and it's labeled "love letter", then they should in fact open the envelope and test it or return it to sender to get more clarification about what it is. Now that's great in theory; obviously in practice this does not work and viruses do not get labeled as such. However my feeling is that most users don't at all object to the ISP checking their received email for viruses, even though it may be an invasion of their private mailbox. Similarly I don't think it's outside the scope of the ISP on the origin side of email to do similar checks on behalf of the sender.
Most residential ISPs get paid the same whether the customer spews abuse or not. Their costs go up some when they get abuse complaints and when abuse starts using more bandwidth, so, for the most part, most residential ISPs have no incentive to support abuse, but, not enough incentive to pay to staff an abuse department sufficiently to be truly responsive. Further, most abuse departments don't get enough support from management when the sales and marketing departments come whining about how much revenue that abusing customer produces each month.
It's not like a big spamhaus that orders a gigabit line, we're talking about individual DSL users most interested in the cheapest kind of inet connection. There is not much revenue in that and the cost of dealing with spam reports when their insecure system becomes a zombie is much greater.
-- William Leibzon Elan Networks william@elan.net
Actually postal and freight services require you to label dangerous goods and may not accept some types of dangerous goods to start with. If they believe you've sent dangerous goods that have not been labeled as such they have the right to return the package to sender or conduct their own investigation and delay the shipment.
Yes, you must label dangerous goods. However, if I send a sealed plastic bag of powdered sugar to someone, the post office has no reason to automatically assume that my package contains dangerous goods. In fact, arguably, if I have packed it correctly, they have no legitimate means to know that it is a white powder. So, unless you can tell me some way that you believe that package (assuming it is properly packaged, not leaking, doesn't have traces of white powder on the outside, etc.) would be returned, I think we can both acknowledge that this comes closer to what most worm traffic looks like.
So in a sense if you send somebody an envelope and specify that it contains "dangerous white powder" and they actually accepted the shipment, they should deliver it. But if they see that it contains this powder and it's labeled "love letter", then they should in fact open the envelope and test it or return it to sender to get more clarification about what it is.
Right... See above.
Now that's great in theory; obviously in practice this does not work and viruses do not get labeled as such. However my feeling is that most users don't at all object to the ISP checking their received email for viruses, even though it may be an invasion of their private mailbox. Similarly I don't think it's outside the scope of the ISP on the origin side of email to do similar checks on behalf of the sender.
Well, users that don't object are welcome to ask their ISP and subscribe to that service. I don't want my ISP doing anything other than sending the appropriate packets to port 25 on my mail server. If the ISP is hosting the users mailbox on their system, that's a different issue. However, if my ISP tries to block my mailserver from talking to other mailservers, or, starts inspecting SMTP packets coming towards me for viruses, I am indeed, going to be initiating legal proceedings against them under ECPA. If an ISP is hosting a users mailbox, that is a separate value added service from "internet" service. I don't expect the ISP to tamper with email on the internet service. What they do in the mailbox service is a matter of that contract. It's not a service I want to subscribe to, so, I'm not as worried about what it does or doesn't do. The customer and ISP can agree on that contract, and, as far as I'm concerned, it's outside the scope of this discussion. We are, after all, talking about internet service, not mailbox hosting service.
Most residential ISPs get paid the same whether the customer spews abuse or not. Their costs go up some when they get abuse complaints and when abuse starts using more bandwidth, so, for the most part, most residential ISPs have no incentive to support abuse, but, not enough incentive to pay to staff an abuse department sufficiently to be truly responsive. Further, most abuse departments don't get enough support from management when the sales and marketing departments come whining about how much revenue that abusing customer produces each month.
It's not like a big spamhaus that orders a gigabit line; we're talking about individual DSL users most interested in the cheapest kind of inet connection. There is not much revenue in that, and the cost of dealing with spam reports when their insecure system becomes a zombie is much greater.
Right, and, there isn't enough revenue in it to cover protecting the user from himself. That's why most major dialup ISPs have a really lousy abuse process. Now, if they'd start billing their end-users to cover the cost of a good abuse department, then things might change. Making non-abusive customers subsidize the abusive customers isn't the solution. Owen
AL> Date: Mon, 14 Jun 2004 17:57:21 -0500 (CDT)
AL> From: Adi Linden
AL> Who do you suppose pays for the abuse department staff? Those
AL> are operational costs passed on to all customers.

Unless one does nothing, in which case the cost goes to the rest of the world. I'd rather take on a handful of infected users and hosts on the inside than deal with crud from the rest of the world.

Yet another slew of NANOG threads with hundreds of posts that boil down to sociotechnical issues and how to shift the costs to the guilty parties.

Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses : blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net
Sending mail to spambait addresses is a great way to get blocked.
Owen DeLong wrote:
--On Tuesday, June 15, 2004 7:26 +1000 Matthew Sullivan <matthew@sorbs.net> wrote:
Smith, Donald wrote:
First are the consumers willing to pay for a "safer" internet DSL/dial/isdn?
Why should they have to?
Because providing it costs more.
I believe if they were there would be a safer service available. I have seen several "secure" ISPs fail in the last few years. If you have any data that shows that there is a market for a more secure dialup/DSL/isdn... please share it.
No, but it won't be long before you will find half a dozen reasons why as an ISP you will want to do it - but then it may be too late.
Such as?
That I am bound not to say unfortunately, however all will become clear soon (it'll be in the press).
2nd blaming infected machines on the internet is similar to blaming your postal carrier for bringing you junk mail and bills.
Crap
It's not crap. Infected machines are no more the fault of the internet than junkmail in your mailbox is the fault of the post office. There's literally no difference to the model. The post office delivers mail that is addressed to you. They don't care if it's junk mail or not. They deliver it.
If you're a water company and you deliver rusty water through your pipes - you are responsible.
Actually, I suspect it's a much larger fraction, more along the lines of 80 to 90%, possibly more.
Agreed
Even with a secure OS this simple method of infection will continue to work.
Correct
And how is an ISP supposed to do anything about this?
Education... and how to educate - well if they don't want to do it for their own personal gain, force them.... How to force them... don't give them access until they have learnt the basics... Hitting them financially when they get it wrong will force most to learn rather than get caught again, but it would be nice to stop them in the first place.... further what are you going to do with those who you try to 'fine' and they just go to another ISP...? (I do have some experience with this don't forget - much to the annoyance of some) ... Anyhow remember this: Prevention is better than a cure...
However you are ignoring the fact that once the machine is infected, the machine can be used by hundreds of people (skript kiddies) to damage other parts of the internet, further they can (and are) being used by organised crime to extort money out of large financial institutions and companies, and that's not to mention DDoS's on the smaller people who are just in the way.
Right... So, you should be working really hard to get people not to allow their machines to be infected, and, to get ISPs to disconnect infected sites from the network. I support both of those moves. The rest is just a way to tax the clueful for the ignorance of the masses with little benefit.
We're already being taxed... In Australia we are forced to pay for incoming and outgoing traffic - so DDoSes and Spam cost the recipient.
How and when did it become the responsibility of the ISP to protect the end users machines?
It hasn't, however the data coming from an ISP's network has always been the responsibility of the ISP.... and I would suggest if you cannot stop the end users getting infected, then you should look at stopping those machines from abusing other machines on the internet.... If you will not do that you should not be peered.
Sorry... The data ORIGINATING from the ISP's network is the responsibility of the ISP.
I did say 'data coming from an ISP'...
The data transiting the ISP's network is just that. The ISP has no obligation, indeed no right, to look into the data beyond what is necessary for delivery and operation of the service (ECPA).
Now that is debatable - and probably not best discussed here or in this thread.... AFAIAC the traffic coming from an ISP is the responsibility of that ISP - if it's transiting they are still responsible... It's the 'car accident' principle.. 3 cars (A, B & C) pull up at a stop sign, B stops behind A, C runs into B and pushes B into A... A doesn't sue C.... A sues B for A's damage, and B sues C for B's damage, A's damage and costs.
I agree that ISPs should shut off sites that are demonstrably spewing abuse and notify those sites of the problem. I've repeatedly supported several models for doing just that. However, this is different from making the ISP responsible for breaking the users connectivity prior to such an event in the name of preventing the user from shooting themselves in the foot. I further like the idea of de-peering ISPs who don't do this, and, if you can get a critical mass of the major ISPs to do that, life will start to get better. If you can't, it won't.
...and in the current economic environment, and the size of the 'worst' ISPs, is going to stop that from happening.
Do ISP's get paid to protect end user machines?
No, they get paid for traffic, which is the reason some ISPs out there don't care if their customers are DDoSing another's network.
No, they get paid for delivering packets. They don't get paid (currently) for handling abuse complaints. Paul Vixie has proposed, and I have supported, a model which ISPs could adopt which would change this fact.
I'd be interested to see that... I don't have a problem with most ideas like that.
Most residential ISPs get paid the same whether the customer spews abuse or not. Their costs go up some when they get abuse complaints and when abuse starts using more bandwidth, so, for the most part, most residential ISPs have no incentive to support abuse, but, not enough incentive to pay to staff an abuse department sufficiently to be truly responsive. Further, most abuse departments don't get enough support from management when the sales and marketing departments come whining about how much revenue that abusing customer produces each month. This is one of the unfortunate realities of a free-market economy. It doesn't always tie profit to doing the right thing, and, it favors short-term thinking over long-term planning.
Agreed
If you want to blame someone maybe the company that provided the insecure os that requires monthly patches to fix portions of the broken code they sold. Or you could blame the end users who open unknown attachments.
Yup, we've been doing that for years, and they have been fixing things as fast as possible (not always, and not until more recently); however they are making steps in the right direction, so I feel it's about time ISPs started taking some of the responsibility for traffic on their network. As far as the attachments go, education is the only way - and if they cannot be educated they shouldn't be on the Internet.
They continue to develop new and more exploitable services and features. They continue to improve upon techniques for bypassing corporate firewalls. They are not fixing things as fast as possible, they are fixing things as they become widely known and public. They are also showing no commitment to implementing new features in a secure way, nor, indeed, any willingness to give up features in order to preserve security. They have convinced themselves (and apparently the corporate world) that they are untouchable, and they continue to rake in profits while having no accountability to the parties that are injured by their actions.
Agreed, however they have publicly acknowledged the problem, which for me is a major milestone.
I would like a real solution to the problem. Simply blocking ports is not successful. So I recommend 2 steps.
First buy OS's that are more secure out of the box.
That's not going to happen anytime soon, even with Microsoft starting to follow the 'right' road.
I haven't seen any indication that Micr0$0ft is following the right road, just that they are bending to some public pressure to pay some level of lip-service to security. Yes, they have fixed the 100 most gaping security holes in their code this week. No, they haven't shown that new code is being written with security as an important consideration.
Hey, I am a Micro$oft hater, but I concede that the 'default the firewall to on' feature of the next service pack is a good thing - the only issue is the part about not installing on pirated OSes and that they are taking way too long to release it.... but it is a start - we've been trying to get M$ to even start for how many years now?
2nd Teach users NOT to click on every thing they see.
...and how are you going to do that? If you give a user a $10 account where they have full internet access, they click on everything, then they get infected, their machine is controlled by someone else across the world and is used for DDoS attacks or spam (or..hacking, or...?) .. what are you going to do to educate them in the middle....? What is the ISP going to do to make sure that the end user has been educated? What are you the ISP going to do to ensure the machine that was infected has now been disinfected...?
So, let me see if I have this straight...
The gas company is now expected to somehow stop me from feeding gas into the water heater they don't know I've installed, or to refuse to sell me gas until I can prove that I know how to install gas appliances, because, if they sell me gas without disabling my ability to connect it to other appliances, I might.
Actually this is what happens in the UK by law.... If you have a gas heater installed by a non-approved technician, the gas supply will not be connected until it is checked and approved by an approved installer or gas technician. Similarly if the heater doesn't meet certain standards it will never be connected to the gas supply in the UK.... Of course this doesn't stop people getting the gas connected and then doing a DIY gas installation, but people can go to jail for that.
Right... That's going to happen. ISPs are like utilities. They deliver a service. The service is the acceptance and delivery of properly formed IP datagrams. If you want something different, that's a separate value-added service and you should pay more for it.
I don't expect you the ISP to solve all these problems, nor do I expect you the ISP to stop your users from getting infected.... However you the ISP are responsible for traffic coming from and going to your users, and most of us don't care if you want to allow your users to get infected; however we do care if you allow your customers to attack us.... whether it be an attack in the form of spam, DDoS or trojan/virus spreading.
This makes sense. I've supported this. That's not what Adi and others have been saying, and it's not what some of your statements above say.
It is what I mean to say - I have never been good at communicating by written word - probably something to do with the fact that I am dyslexic. / Mat
Owen
participants (9)
- Adi Linden
- Edward B. Dreger
- Matthew Sullivan
- Niels Bakker
- Owen DeLong
- Per Gregers Bilse
- Smith, Donald
- Susan Harris
- william(at)elan.net