ISPs' willingness to take action

I'm a little puzzled, and I hope people won't object to my asking about
this.

As I see it, we're experiencing an ever-increasing flood of garbage network
traffic. While not all of it is easy or appropriate to target, it seems to
me there's some "low hanging fruit" that could generate serious gains with
relatively little investment.

A few things that make sense to me (as a non-ISP network consultant)
include:

1) Summarily fencing/sandboxing/disconnecting clients sending high volumes
of spam, virii, etc. You might politely contact your commercial/static
clients first, but anyone connecting a "bare" PC on a broadband circuit is
too stupid to deserve coddling. The great majority of your clients would
thank you profusely.

So far as I can see, detection of serious abusers should pretty
straightforward. It wouldn't require any pretense at spam or virus
filtering, per se; just pick off the clients that are flagrant sources of
the plague of the month.

2) Notwithstanding the above, would it really be so hard to trap network
packets bearing clear signatures of the "plague of the month"? Sure, it
would create an extra load on routers or require special filtering
hardware, but wouldn't it be worth it? Again, no need to be comprehensive;
just blast the ones that are easy pickings.

3) There was a thread a little while ago that talked about a way to cut
down spam by simply restricting who you would accept SMTP traffic from.
Unfortunately, I don't recall the details, but at the time it struck me as
eminently sensible, and just required cooperation between ISPs to implement
effectively.

One problem for the average ISP would be the monitoring and updating of
plague control infrastructure. It would probably be a lot easier with a
bit of cooperation and sharing -- either that, or someone could get rich
offering services to ISPs for a fee.

By the way, can anybody explain to me a legitimate use for port 135/137
traffic across the Internet, like it's somebody's private LAN? Seems to me
anybody who still thinks that's legitimate is living in the past.

So, the big question: why don't ISPs do more of this? Are they afraid of
client reaction? Doesn't wash, for me: most clients would be highly
grateful, and all it really takes for the remainder is fair warning. Cost?
Again, you can judge for yourselves how low the fruit you choose to pick;
the biggest gains have the best ROI.

Happy clients, liberated bandwidth, faster servers -- what's to loose?

/kenw
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
kenw@kmsi.net
www.kmsi.net

ken,

---snip---
3) There was a thread a little while ago that talked about a way to cut
down spam by simply restricting who you would accept SMTP traffic from.
Unfortunately, I don't recall the details, but at the time it struck me as
eminently sensible, and just required cooperation between ISPs to

implement

effectively.
---snip---

so what you are saying is that you would like to go back to the fidonet
days, when site A had to agree to route site B's mail? a deny all, accept
some rule for smtp would horribly break all that is good in humanity. am i
missing something here?

paul

kenw@kmsi.net wrote:

As I see it, we're experiencing an ever-increasing flood of
garbage network traffic. While not all of it is easy or
appropriate to target, it seems to me there's some "low
hanging fruit" that could generate serious gains with
relatively little investment.

I agree to an extent, though I think there are much more reasonable
places to start rather than adding IDS functionality to ISP routers and
moving to whitelist-only SMTP. Anti-spoof/BGP filtering, DoS
tracking/sinkholing, working abuse@ addresses, etc. But the problem is
with the end-hosts, so a common viewpoint is that this is where the
majority of the cleanup work needs to be done. This was discussed at
length not long ago.

A few things that make sense to me (as a non-ISP network
consultant) include:

1) Summarily fencing/sandboxing/disconnecting clients sending
high volumes of spam, virii, etc. You might politely contact
your commercial/static clients first, but anyone connecting a
"bare" PC on a broadband circuit is too stupid to deserve
coddling. The great majority of your clients would thank you
profusely.

What if the great majority of your clients are bare PCs on broadband
circuits?

So, the big question: why don't ISPs do more of this?

What's the ROI? The costs have to be offset somehow. How easy is it to
convince clients to pay more to be your customer because you're more
strict on garbage traffic originating from your network relative to your
competitors? Many feel that basic preventative measures like the ones I
mentioned are things that all ISPs "should" do for the sake of making
the Internet a better place, or however you want to phrase it. But the
decision makers at a lot of ISPs seem to take a different viewpoint,
perhaps because their primary concern, as businesses, are dollar signs.

-Terry

By the way, can anybody explain to me a legitimate use for port 135/137
traffic across the Internet, like it's somebody's private LAN? Seems to

me

anybody who still thinks that's legitimate is living in the past.

So, the big question: why don't ISPs do more of this? Are they afraid of
client reaction? Doesn't wash, for me: most clients would be highly
grateful, and all it really takes for the remainder is fair warning.

Cost?

Again, you can judge for yourselves how low the fruit you choose to pick;
the biggest gains have the best ROI.

Happy clients, liberated bandwidth, faster servers -- what's to loose?

Problem is, some applications, like Outlook for example (if I remember
correctly), like to use the 135, 137, 139 and others to connect to the
Exchange server. You block them, and it will start to croak. You have alot
of home users not using a VPN to connect to their office exchange servers.
I used to do this myself at times.

When you sell a service to someone, and neglect to mention you block certain
incoming ports, especially to a possible business user or home user trying
to access their office, you put yourself in a really bad position.

One significant contributing factor to the lack of care or clue by mid and large size ISPs is the level 1 helldesk. I do not intend to insult anybody who is doing level 1 support, but you are not going to find people with serious network engineering expertise for $12/hour (or when outsourcing tech support for $5/hour to India).

Far too many layer 1 people have to deal with clueless users who call in saying "Your mail server is haxxxing my firewall!". How do you seperate the legitimate abuse complaints from the chaff? That said, if somebody has a fast connection, hand-holding them through the process of using Windows Update by phone isn't terribly difficult.

I think one of the smartest things a DSL/Cable ISP could do is negotiate a bulk license purchase with an anti-virus software vendor such as Kaspersky (makers of AVP), which can provide licenses for as little as $10 each in bulk. Is $10 per customer per year too much to pay for comprehensive auto-updating virus-scanning of client PCs?

A few things that make sense to me (as a non-ISP network consultant)
include:

Most ISPs are relatively secure. Yes, occasionally a backbone
router shows up on some list with a password of "cisco." The major
problems are in the systems managed and installed on non-ISP networks
(i.e. end-users).

1) Summarily fencing/sandboxing/disconnecting clients sending high volumes
of spam, virii, etc. You might politely contact your commercial/static
clients first, but anyone connecting a "bare" PC on a broadband circuit is
too stupid to deserve coddling. The great majority of your clients would
thank you profusely.

Really? Most users are angry when their network connection is interrupted
for any reason, including their own mistakes. Read some of the articles
in the university newspapers when students were cut of from the network
after not fixing their computers.

How many people thank police officers when they are stopped for speeding,
reckless driving, drunk driving, burned out taillights, etc? Or instead
how many say things like the police should be out catching "real"
criminals (i.e. anyone other than them)?

As a non-ISP consultant, when a client asks you to configure their
Exchange server do you always conduct a top-to-bottom security analysis of
the client's entire business infrastructure and refuse to do business with
them until after they have corrected every deficiency? Or does the client
just say screw you, and hires a different consultant that will do what
the client wants?

2) Notwithstanding the above, would it really be so hard to trap network
packets bearing clear signatures of the "plague of the month"? Sure, it
would create an extra load on routers or require special filtering
hardware, but wouldn't it be worth it? Again, no need to be comprehensive;
just blast the ones that are easy pickings.

Routers (especially high end routers) are barely stable just routing
packets. Some high-end line cards don't support even a simple 2-line
access control list. With the market currently heading to the lowest
price possible, increasing costs doesn't appear to pay even for the niche
markets that are interested. Instead the extra equipment is installed
where there are clients willing to pay for it.

The easiest, most effective place to catch packets is at the edge/end-users.
An end-user firewall is $0-$50. Anywhere in the core is very difficult.
What is the cost of a single OC192 firewall? Look at the post office, it
doesn't try to find Anthrax in most of the mail. Instead a few locations
at the edge of the postal system, e.g. the White House, Congress, etc,
have added security precautions. The rest of the mail just flys through
the system.

3) There was a thread a little while ago that talked about a way to cut
down spam by simply restricting who you would accept SMTP traffic from.
Unfortunately, I don't recall the details, but at the time it struck me as
eminently sensible, and just required cooperation between ISPs to implement
effectively.

Again, look the postal mail system. One proposal required everyone mail
letters in person at the post office, and show id to the postal clerk.
The problem is it really doesn't solve the problem. Third-party trust
systems don't scale well beyone one or two degrees of separation. And
there is only one major postal system.

But it doesn't require cooperation from the ISP to accept mail from only
people you know. You can do that today. The question is why don't more
people do it? The ISP doesn't know who you know. Should ISPs require you
to register your friends & family in order to receive mail? I don't know
if it has come to that.

And we all know how effective Caller-ID has been in cutting down
telemarketing phone calls at dinner time. And the related caller-id
blocking, and block caller-id blocking, and block block caller-id
blocking, etc.

By the way, can anybody explain to me a legitimate use for port 135/137
traffic across the Internet, like it's somebody's private LAN? Seems to me
anybody who still thinks that's legitimate is living in the past.

Bits on the wire using ports 135/137 are not intrinsically less safe than
any other bits. And vendors have shown a willingness to add ways around
port filters in the network, not by developing more secure protocols but
by developing ways to send the same packets between insecure systems on
other ports.

Sendmail and BIND have more CERT/CC advisories than any other application,
including NETBIOS. How many people are suggesting blocking port 53 and
port 25?

So, the big question: why don't ISPs do more of this? Are they afraid of
client reaction? Doesn't wash, for me: most clients would be highly
grateful, and all it really takes for the remainder is fair warning. Cost?
Again, you can judge for yourselves how low the fruit you choose to pick;
the biggest gains have the best ROI.

Happy clients, liberated bandwidth, faster servers -- what's to loose?

Angry clients, increased bandwidth costs, slower servers doing more
checks?

ISPs are doing a lot to protect end-users. Some examples include

Education campaigns
Free anti-virus software
Free personal firewall software
Port filters (port 80 anyone?)
Notification of compromised systems
Incident Response
Intrusion Detection/Intrusion Prevention
Managed Security Services

Unfortunately some of the argument is a bit like the old cries for public
payphone companies were responsible for the drug dealers in poor
neighborhoods. So they removed public payphones. The drug dealing
problem wasn't solved.

Most ISPs are relatively secure. Yes, occasionally a backbone
router shows up on some list with a password of "cisco." The major
problems are in the systems managed and installed on non-ISP networks
(i.e. end-users).

Maybe all the ISPs I've been involved with in the past ten years have been exceptions, but there are only a small handful of them that I would elevate to the status of "relatively secure".

Really? Most users are angry when their network connection is interrupted
for any reason, including their own mistakes.

Every now and then some acquaintance or relative hauls me in my capacity as unpaid "computer expert", so that I can stare bemusedly at their windows problem and mutter things like "buy a mac" under my breath.

My experience every time is that end users are amazingly tolerant of breakage. The fact that there are popups all over the screen, or that it takes five minutes to open their mail client, or that machines freeze up every ten minutes and require a hard boot appear to be simply accommodated as "that's what computers do".

As a non-ISP consultant, when a client asks you to configure their
Exchange server do you always conduct a top-to-bottom security analysis of
the client's entire business infrastructure and refuse to do business with
them until after they have corrected every deficiency? Or does the client
just say screw you, and hires a different consultant that will do what
the client wants?

When I was a consultant, I was never sufficiently mercenary to ask for money in return for what I *knew* to be bad advice. I'd far rather they buy their bad advice elsewhere.

Joe

...
As a non-ISP consultant, when a client asks you to configure their
Exchange server do you always conduct a top-to-bottom security analysis of
the client's entire business infrastructure and refuse to do business with
them until after they have corrected every deficiency? Or does the client
just say screw you, and hires a different consultant that will do what
the client wants?
...

I said "low hanging fruit". I didn't say "top-to-bottom security
analysis".

...

3) There was a thread a little while ago that talked about a way to cut
down spam by simply restricting who you would accept SMTP traffic from.
Unfortunately, I don't recall the details, but at the time it struck me as
eminently sensible, and just required cooperation between ISPs to implement
effectively.

Does NOBODY remember that thread?

Again, look the postal mail system. One proposal required everyone mail
letters in person at the post office, and show id to the postal clerk.

Straw dogs... come on! It's like saying we can't take drastic,
inappropriate measures, so we can't take any at all.

...
ISPs are doing a lot to protect end-users. Some examples include

Education campaigns
Free anti-virus software
Free personal firewall software
Port filters (port 80 anyone?)
Notification of compromised systems
Incident Response
Intrusion Detection/Intrusion Prevention
Managed Security Services

And if all ISPs were doing all these thing (as you try to imply) we'd all
be a lot better off, wouldn't we?

Unfortunately some of the argument is a bit like the old cries for public
payphone companies were responsible for the drug dealers in poor
neighborhoods. So they removed public payphones. The drug dealing
problem wasn't solved.

"A strong conviction that something must be done is the parent
of many bad measures." -- Daniel Webster

So, am I advocating bad measures?

/kenw
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
kenw@kmsi.net
www.kmsi.net

An article appeared today on The Register, talking about people connecting
"bare" machines to the net. It discusses the level of clue posessed by the
"typical American computer user" and is quite a sobering read. From the
article:

"I'm here to tell the security pros reading this that we are in deeeeeep
trouble when it comes to securing the computers of these people.

"Security is just not a concept that "normal" folks focus on. It's not
even on the radar screen. It's just not thought about at all."

Online at
http://www.theregister.co.uk/content/56/33599.html

Cheers,

Jonathan

> Most ISPs are relatively secure. Yes, occasionally a backbone
> router shows up on some list with a password of "cisco." The major
> problems are in the systems managed and installed on non-ISP networks
> (i.e. end-users).

Maybe all the ISPs I've been involved with in the past ten years have
been exceptions, but there are only a small handful of them that I
would elevate to the status of "relatively secure".

That's why I said relative. I didn't say they were very secure or had
great security. But when out-running the bear you don't have to be
faster than the bear, just faster than than the other guy.

If you compared the "average" ISP security with the "average" end-user
security, relatively speaking which would be more secure?

Of course, we all have some relatives we'd prefer not to invite to holiday
dinner.

My experience every time is that end users are amazingly tolerant of
breakage. The fact that there are popups all over the screen, or that
it takes five minutes to open their mail client, or that machines
freeze up every ten minutes and require a hard boot appear to be simply
accommodated as "that's what computers do".

They are amazingly toloerant of "that's what computers do." They are
amazingly intolorant when someone else "breaks" it.

I said "low hanging fruit". I didn't say "top-to-bottom security
analysis".

If I fixed every computer on the Internet today, tomorrow Microsoft would
sell 17,000 new insecure installs of Windows.

Low-hanging fruit would be to get Microsoft to change its defaults. Then
instead tomorrow, there would be 17,000 new "secure" installs of Windows.

Does NOBODY remember that thread?

I remember it well. I also remember ISPs removing the filters after a few
hours/days due to customer complaints because the applications they
wanted to use across the Internet stopped working.

Why shouldn't people be able to use NETBIOS, or Telnet or FTP or any other
insecure protocol across the Internet? The security problems aren't due
to the packets crossing the Internet. The security problems happen when
the packets reach an insecure end-host.

It is possible to use NETBIOS securely across the Internet withOUT a VPN.
I wouldn't recommend it, but I don't understand why ISPs should prohibit
the use of any particular 16-bit port number in a TCP/UDP header.

And if all ISPs were doing all these thing (as you try to imply) we'd all
be a lot better off, wouldn't we?

And are you implying ISPs aren't doing anything?

So, am I advocating bad measures?

Naive measures.

Please bear in mind that much of this might be my take on viability,
practicality, or past activity related to some of these suggestions.
Moreover, this may not represent even my own opinions on the appropriate
course of action. Inline...

On Sun, Oct 26, 2003 at 06:01:09PM -0700, kenw@kmsi.net said something to the effect of:

..snip snip..>

1) Summarily fencing/sandboxing/disconnecting clients sending high volumes
of spam, virii, etc. You might politely contact your commercial/static
clients first, but anyone connecting a "bare" PC on a broadband circuit is
too stupid to deserve coddling.

Unfortunately, you have described the standard home user. Would love
to think that most have trusty firewalls guarding meticulously-patched
(non-Windows) boxen, but...

I expect our customers to watch their own backs, heed our admonitions, and
go so far to hope that they find the appropriate clues to be responsible,
but I can't imagine someone like Cox or CW or AOL or somesuch other alienating
a prevailing chunk of their customer base with one nasty-gram followed by
clobbering a switch port.

The great majority of your clients would thank you profusely.

I beg to differ on the last line. The happy ones would say nothing. And
we may not be able to hear them if they did over the yowling from the
unhappy ones who do not understand why we would do such a thing.

I may be wrong, but it seems to me that most of us (service providers, that
is) have some degree of a more involved customer notification process
that must be followed before we can begin swinging the ax like that.
Contractual obligation may often preclude a provider's harsh response to
abusive or patently irresponsible network activity more often than failure to
notice or give a flying fsck that it has transpired.

2) Notwithstanding the above, would it really be so hard to trap network
packets bearing clear signatures of the "plague of the month"?

<not_sarcasm>
Trap and do what with?
</not_sarcasm>

Sure, it
would create an extra load on routers or require special filtering
hardware, but wouldn't it be worth it? Again, no need to be comprehensive;
just blast the ones that are easy pickings.

Any other ISP that toyed with/deployed the filtering NetBIOS and/or 92-byte
ICMP packets will remember how grossly unpopular we became for doing so.
Accusations by customers and downstream engineers alike branded us fascist
iconoclasts with no consideration for the aphoristic hands that feed us, and
complete disregard for the needs of those who pay us for the evil service we
restrict providing. Search the convocations (circa 08/2003) on this list even
to get a feel for the dissent among the ranks regarding the feasibility and
wired morality of such an action.

Another trickier problem is fueled by the nature of the sploit-du-jour. If
some lamer opts to poke surreptitious holes or generate static by way of
a random, obscure, generally ignored port, the choice to filter is not
as difficult a one, beyond *poof* conjuring up resources to reign in
the resulting management nightmare. However, whether it be because of the
inherently pregnable code or a malware creator's awareness of the
impracticality (read: near impossibility) of recon and restricition of
certain types of traffic, many of these evasive maneuvers can ride the
clown car across critical service ports. Forget crippling a network by
filtering them, which is frequently the case; we wind up in some seriously
hot water for violating customer contracts, which forbid selective inhibition
of legit traffic along with the anomolous. It becomes a dichotomy of
casualties of war vs. curing the disease by killing the patient.

(fwiw...i break more than my fair share of eggs...)

To balance and consider both factions, providers are being tasked with
stepping up to the plate and scrutinizing large streams of traffic to
discern between the good and the bad based on other criteria. So now we're
faced with other issues that require extremely intuitive and invasive packet
inspection. Some of this is vaporware and is still skating around conference
tables of pitch men all over the place, others are gaining credibility and
becoming technologies many providers are striving toward actualizing.
Intrusion and extrusion detection are fabulous...nay...will set you free...and
ultimately necessary things, but some of what I'm seeing suggested here borders
on impossible to put to work without absurd overhead or flirting with serious
invasion of privacy.

For the record, I am by no means disagreeing with the logic of the suggestion,
but am merely playing experienced devil's advocate among those who may still
be sporting the collective bruise from past actions of this sort.

3) There was a thread a little while ago that talked about a way to cut
down spam by simply restricting who you would accept SMTP traffic from.
Unfortunately, I don't recall the details, but at the time it struck me as
eminently sensible, and just required cooperation between ISPs to implement
effectively.

There have also been numerous threads from a little while ago flaming AOL
and the like for deploying whitelist-type or no-auth-no-pass countermeasures
for spam. Again, I don't know what the right answer here is, but I can see
that, like every other coin, there are two diametrically opposed sides and
teams going to bat over this issue.

Perhaps the fault, dear Brutus, in this particular case continues to lie more
inarguably and blatantly than ever with the end users and in smtp itself,
which may honestly be dead. Clearly the protocol was not meant to withstand
the rigors and abuse (no pun intended) to which it is nowadays being
subjected. Its design over 20 years ago was intended to service a kinder,
gentler, more honest, and less devious Internet. Perhaps, if we're looking
to do the responsible thing and undo spam damage (and other similar ilks), we
should belly up to the bar and work to bolster the protocols and technologies. That may be all the more hand we as technologists can have in the matter.

One problem for the average ISP would be the monitoring and updating of
plague control infrastructure. It would probably be a lot easier with a
bit of cooperation and sharing -- either that, or someone could get rich
offering services to ISPs for a fee.

Average ISP, as in, what size? Tier 1? 2? 3? Managed service provider?

By the way, can anybody explain to me a legitimate use for port 135/137
traffic across the Internet, like it's somebody's private LAN? Seems to me
anybody who still thinks that's legitimate is living in the past.

That would be Microsoft. NetBIOS has no business on the Internet. End
of story.

So, the big question: why don't ISPs do more of this? Are they afraid of
client reaction? Doesn't wash, for me: most clients would be highly
grateful, and all it really takes for the remainder is fair warning. Cost?

Fair warning gives spammers time to migrate addresses and infected users
time to infect countless others. And the customers will not be unusually
happy; they have a right to expect exemplary service, as they are promised
and pay for it. I don't imagine that most of our subscribers are phoning
in to confirm and praise receipt of five-9s.

Again, you can judge for yourselves how low the fruit you choose to pick;
the biggest gains have the best ROI.

One last time...I agree with you that ISPs need to keep an eye on their
brood. I'm simply offering gentle explanations of why, perhaps, providers
haven't been able to more neatly and elegantly (and swiftly) mitigate the
burdens you note with the suggestions you raise. With that, regarding your
last point...

Be careful what you wish for. Let's do it! But...this will take everyone's
participation to work. I can see it now...sleazier ISPs will sell 135-139
access wide open on the black market by way of some crazy out-of-the-way
transit hole...

Happy clients, liberated bandwidth, faster servers -- what's to loose?

Show me the first and I'll be much quicker to follow. I'd settle for the tooth
fairy sometimes, as I'm not sure those happy clients really exist...

Best of luck to you. Let me know if you find the answer? I'll put cycles
behind a worthy cause anyday...

ymmv,
--ra

Well, you might just find that small ISPs, then BIG ISPs, stop accepting
mail from your dynamic IP customers. As a start.

One significant contributing factor to the lack of care or clue by mid and
large size ISPs is the level 1 helldesk. I do not intend to insult

anybody

who is doing level 1 support, but you are not going to find people with
serious network engineering expertise for $12/hour (or when outsourcing
tech support for $5/hour to India).

* It's $9 to $12/hour ... and it isn't the reason that the management is
clueless. There are some pretty sharp persons in Level 1 Tech Support,
although not a LOT of them. That's why they have such a turnover, the good
ones move on to more money. The clueless ones stay there forever. But
network engineering expertise isn't the job for Level 1 support anyway ...
if they don't know how to handle it, that call or incident should be
escalated to another level. There is some level there that has a care or a
clue, although that level may be severely constrained by management and
budget constraints.

I spent a lot of time at level 3 tech support ... handling the escalated
calls. (You know, I'm the guy that gets frowned at by the rest of the call
center crew when I help a customer with Linux or with a Router So I know
what it is like.

If level 1 spent time helping every customer install firewall software,
anti-virus software, (and it goes on to residential gateway routers and
wireless access devices) then you're gonna need more people to cover the
phones. IMHO this is why some ISPs are starting to try and charge more for
certain levels of service, including HOME NETWORKING.

Far too many layer 1 people have to deal with clueless users who call in
saying "Your mail server is haxxxing my firewall!". How do you seperate
the legitimate abuse complaints from the chaff? That said, if somebody

has

a fast connection, hand-holding them through the process of using Windows
Update by phone isn't terribly difficult.

* Yep, that is true, and it comes both by phone calls as well as email. And
again, IMHO, you gotta draw the line somewhere as to what your going to
hand-hold for. You start doing Windows Update, and end up hand-holding
entire Windows installations ... maybe even Hardware installations. And what
is Windows Update going to fix related to Viruses and Spamming anyway? Most
users get hand-held going on to sites like: symantec.com to get the virus
remove tool. And if that bombs out or they have other serious problems ...
they get offered a service call to their home (which they have to pay for)
or they can have anyone do the service call for them.

I think one of the smartest things a DSL/Cable ISP could do is negotiate a
bulk license purchase with an anti-virus software vendor such as Kaspersky
(makers of AVP), which can provide licenses for as little as $10 each in
bulk. Is $10 per customer per year too much to pay for comprehensive
auto-updating virus-scanning of client PCs?

* Hmmmm, $10 per customer times 10,000 or 15,000 or 30,000 or more. And once
you open the AV software door, you also have to open the Personal Firewall
door. Ohhhh this is getting ugly. The management and bean counters are not
gonna like this. What about the many homes with multiple PCs? You have to
give them one software package for each PC and Laptop? Might as well throw
in that residential gateway and support the whole home network.

[snip]

Some good thoughts in this thread. I think Sean is right about this being an
end-user problem, and although we _can_ mitigate that problem somewhat at
other parts of the network, that amounts to treating the symptoms rather than
the disease.

The 3 things that would do the most to help eliminate this problem (millions
of easily 0wned end-user hosts) right now are all things that lie in
Microsoft's domain:

1) enable Internet Connection Firewall by default;
2) enable automatic Windows Update patch installation by defuault; [*]
3) modify the HTML engine in Outlook/OE such that it can ONLY render HTML,
and any active content is ignored - in other words, replace MSIE as a backend
HTML rendering engine with, say, lynx. [**]

(and even if the above were all incorporated into all subsequent releases of
Windows, it might take years before the old insecure hosts were finally
replaced ...)

Nothing new to this crowd, I'm sure, but I sure wish there was a way to make
this a priority to the folks at MS, who are really the only people with the
ability to make this happen. Without their compliance, the problem will never
improve (not as long as they're as dominant as they currently are).

Top posting self-reply: looks like a lot of what I've suggested may have
finally been acknowledged by MS, according to a recent Register.co.uk
article.
http://www.theregister.co.uk/content/56/33599.html

We can only hope ...

Scott Francis wrote:

Top posting self-reply: looks like a lot of what I've suggested may have
finally been acknowledged by MS, according to a recent Register.co.uk
article.
http://www.theregister.co.uk/content/56/33599.html

We can only hope ...

I read that article when it was new, a long article, however a damn good read, and IMO worth 10 minutes to read it properly.

Yours

Mat