North American Network Operators Group


Re: "Default" Internet Service

  • From: Owen DeLong
  • Date: Mon Jun 14 18:14:23 2004



--On Tuesday, June 15, 2004 7:26 +1000 Matthew Sullivan wrote:

> Smith, Donald wrote:
>
>> First are the consumers willing to pay for a "safer" internet
>> DSL/dial/ISDN?
>
> Why should they have to?

Because providing it costs more.

>> I believe if they were there would be a safer service available. I have
>> seen several "secure" ISPs fail in the last
>> few years. If you have any data that shows that there is a market for a
>> more secure dialup/DSL/ISDN... please share it.
>
> No, but it won't be long before you will find half a dozen reasons why as
> an ISP you will want to do it - but then it may be too late.

Such as?

>> 2nd blaming infected machines on the internet is similar to blaming your
>> postal carrier for bringing you junk mail and bills.
>
> Crap

It's not crap.  Infected machines are no more the fault of the internet than
junk mail in your mailbox is the fault of the post office.  There's literally
no difference to the model.  The post office delivers mail that is addressed
to you.  They don't care if it's junk mail or not.  They deliver it.

>> About 1/2 of all of
>> the large "infection" events on the internet are the result of people
>> running unpatched unsecured applications on their machines. The other
>> half of the infections I see are due to an end user opening an email and
>> running an attachment.
>
> Correct

Actually, I suspect it's a much larger fraction, more along the lines
of 80 to 90%, possibly more.

>> Even with a secure OS this simple method of infection will continue to
>> work.
>
> Correct

And how is an ISP supposed to do anything about this?

> However you are ignoring the fact that once the machine is infected, the
> machine can be used by hundreds of people (skript kiddies) to damage
> other parts of the internet, further they can (and are) being used by
> organised crime to extort money out of large financial institutions and
> companies, and that's not to mention DDoSes on the smaller people who are
> just in the way.

Right... So, you should be working really hard to get people not to allow
their machines to be infected, and, to get ISPs to disconnect infected
sites from the network. I support both of those moves. The rest is just
a way to tax the clueful for the ignorance of the masses with little benefit.

>> How and when did it become the responsibility of the ISP to protect the
>> end users' machines?
>
> It hasn't, however the data coming from an ISP's network has always been
> the responsibility of the ISP.... and I would suggest if you cannot stop
> the end users getting infected, then you should look at stopping those
> machines from abusing other machines on the internet....  If you will not
> do that you should not be peered.

Sorry... The data ORIGINATING from the ISP's network is the responsibility
of the ISP.  The data transiting the ISP's network is just that.  The ISP
has no obligation, indeed, no right to look into the data beyond what is
necessary for delivery and operation of the service (ECPA).

I agree that ISPs should shut off sites that are demonstrably spewing
abuse and notify those sites of the problem.  I've repeatedly supported
several models for doing just that.  However, this is different from making
the ISP responsible for breaking the user's connectivity prior to such
an event in the name of preventing the user from shooting themselves in the
foot.  I further like the idea of de-peering ISPs who don't do this, and,
if you can get a critical mass of the major ISPs to do that, life will
start to get better.  If you can't, it won't.

>> Do ISPs get paid to protect end user machines?
>
> No, they get paid for traffic, which is the reason some ISPs out there
> don't care if their customers are DDoSing another's network.

No, they get paid for delivering packets.  They don't get paid (currently)
for handling abuse complaints.  Paul Vixie has proposed, and, I have
supported a model which ISPs could adopt which would change this fact.
Most residential ISPs get paid the same whether the customer spews
abuse or not.  Their costs go up some when they get abuse complaints
and when abuse starts using more bandwidth, so, for the most part, most
residential ISPs have no incentive to support abuse, but, not enough
incentive to pay to staff an abuse department sufficiently to be truly
responsive.  Further, most abuse departments don't get enough support
from management when the sales and marketing departments come whining
about how much revenue that abusing customer produces each month.
This is one of the unfortunate realities of a free-market economy.  It
doesn't always tie profit to doing the right thing, and, it favors
short-term thinking over long-term planning.

>> If you want to blame someone maybe the company that provided the
>> insecure OS that requires monthly patches to fix portions of the broken
>> code they sold. Or you could blame the end users who open unknown
>> attachments.
>
> Yup, we've been doing that for years, and they have been fixing things as
> fast as possible (not always, and not until more recently) however they
> are making steps in the right direction, so I feel it's about time ISPs
> started taking some of the responsibility for traffic on their network.
> As far as the attachments go, education is the only way - and if they
> cannot be educated they shouldn't be on the Internet.

They continue to develop new and more exploitable services and features.
They continue to improve upon techniques for bypassing corporate firewalls.
They are not fixing things as fast as possible, they are fixing things as
they become widely known and public.  They are also showing no commitment
to implementing new features in a secure way, nor, indeed, any willingness
to give up features in order to preserve security.  They have convinced
themselves (and apparently the corporate world) that they are untouchable,
and they continue to rake in profits while having no accountability to
the parties that are injured by their actions.

>> I would like a real solution to the problem. Simply blocking ports is
>> not successful.
>> So I recommend 2 steps.
>>
>> First buy OSes that are more secure out of the box.
>
> That's not going to happen anytime soon, even with Microsoft starting to
> follow the 'right' road.

I haven't seen any indication that Micr0$0ft is following the right road, just
that they are bending to some public pressure to pay some level of lip-service
to security. Yes, they have fixed the 100 most gaping security holes in their
code this week. No, they haven't shown that new code is being written with
security as an important consideration.

>> 2nd Teach users NOT to click on every thing they see.
>
> ...and how are you going to do that?  If you give a user a $10 account
> where they have full internet access, they click on everything, then they
> get infected, their machine is controlled by someone else across the
> world and is used for DDoS attacks or spam (or..hacking, or...?) .. what
> are you going to do to educate them in the middle....?  What is the ISP
> going to do to make sure that the end user has been educated?   What are
> you the ISP going to do to ensure the machine that was infected has now
> been disinfected...?

So, let me see if I have this straight...

The gas company is now expected to somehow stop me from feeding gas
into the water heater they don't know I've installed, or refuse to sell
me gas, until I can prove that I know how to install gas appliances,
because, if they sell me gas without disabling my ability to connect
it to other appliances, I might.

Right... That's going to happen.  ISPs are like utilities.  They deliver
a service.  The service is the acceptance and delivery of properly formed
IP datagrams.  If you want something different, that's a separate value-
added service and you should pay more for it.

> I don't expect you the ISP to solve all these problems, nor do I expect
> you the ISP to stop your users from getting infected.... However you the
> ISP are responsible for traffic coming from and going to your users, and
> most of us don't care if you want to allow your users to get infected,
> however we do care if you allow your customers to attack us....  Whether
> it be an attack in the form of spam, DDoS or trojan/virus spreading.

This makes sense.  I've supported this.  That's not what Adi and others
have been saying, and, it's not what some of your statements above say.

Owen

--
If this message was not signed with gpg key 0FE2AA3D, it's probably
a forgery.

Attachment: pgp00045.pgp
Description: PGP signature