Customers squeezed as ISPs close in on viruses

By Jim Hu
Staff Writer, CNET

High-speed Internet service providers are increasingly putting their
customers in the security hot seat, as they try to fight recent virus
attacks that turn computers into spam factories.
Still, the question remains whether the techniques broadband ISPs are
implementing are enough. Some say the onus is on ISPs, which should play a
role in protecting their networks for the greater good of their
subscribers and the Internet at large. Critics say ISPs should manage
their networks to ensure that all users are safe.

Heh. How appropos.

I feel it to be worth it to take pause and recognize a particular testament
to the industry proven by the abundance of network professionals (namely in
this group) speaking ardently against expropriation of network controls by
providers in the name of security.

That providers act on subscribers' behalf should be, I would think, by virtue
of business similar to utility provision. However, I imagine that a healthy
base of patrons are content to surrender control over and visibility into the
guts of the upstreams to avoid bringing certain responsibilities in-house and
into local pockets.

I recognize the heterogeniety of proposed deployments and solutions, and it's
cool to hear the varietal spins on tactical approach, as well as to see how
many of those avenues do not result in "leave it up to the provider to secure
the end user."

That said, with the prevailing opinion (mine included) seeming to be that
providers should generally avoid monkeying with the safe passage of legitimate
traffic, I would be interested to hear more of the vox populi on how
subscribers feel their providers should react to the points raised in this

I'm also wondering if people feel differently about appropriate prescriptions
when thinking of the end stations as home networks vs. as business networks?

Another question: if providers throw up hands and decline to be more
restrictive/invasive with traffic, would it be more appropriate to reach that
conclusion because it is resource-intensive/fiscally draining, or because it
is unethical/bad business practice/privacy-invasive to enact such restriction?

This is just a lunchtime poll, so please feel free to reply on or off-list
if you are so inclined.


"ISPs need to encourage users to enable automatic patch updates for their Windows systems, evangelize weekly visits to and, and offer crosslinking or bundles with the latest antivirus and firewall software vendors,"

"We can't sit there and say: 'You're spamming--we're going to knock you off the wire,'" said Scott Lebredo, a senior technical manager at Verizon Online. "It's your access. You're responsible for it, but you must be educated about how to combat it."

"It would be very unfriendly to scan customers' machines," said Mary Youngblood, the manager of the abuse team at ISP EarthLink. "It would be deemed by some people as a privacy violation."

"I wouldn't expect to boil my own water; I expect it to treated upstream," said Mark Sunner, the chief technology officer at MessageLabs, which sells a virus detection service for corporate networks. "The correct groundswell needs to be focused on the Internet level, where you can be proactive rather than reactive."