Nato warns of strike against cyber attackers

[In the message entitled "Re: Nato warns of strike against cyber attackers" on Jun 8, 13:33, Owen DeLong writes:]

I realize you're fond of punishing all of us to subsidize the ignorant,
but I would rather see those with compromised machines pay the bill for
letting their machines get compromised than have to subsidize their
ignorant or worse behavior.

I'm fond of getting the issues addressed by getting the ISPs to be involved
with the problem. If that means users get charged "clean up" fees instead
of a "security" fee, that's fine.

ISPs remain in the unique position of being able to identify the customer,
the machine, and to verify the traffic. It can be done.

Why will you penalize with fees the end customer who may not know
that her system has been compromised because what she pays to Joe
Antivirus/Security/Firewall/Crapware is not effective against Billy
the nerd insecure-code programmer?

No doubt ISPs can do something, but without additional regulation and
safeguards so that they won't be sued for sniffing or filtering traffic,
nothing will ever happen. Do we want more/any regulation? Who will
oversee it?

On the other hand, think of the Internet as a vast ocean where the
bad guys keep dumping garbage. You can't control or filter the
currents, which are constantly changing, and you can't inspect
every water molecule either. Then what do you do to find and penalize the
ones that drop, or permit their systems to drop, garbage into the ocean?

My .02
Jorge

Bad analogy. There are some plumes of oil in the Gulf of Mexico that are
getting mapped out very well by only a few ships. You don't have to
examine every molecule to find parts-per-million oil, or to figure out
whose oil rig the oil came from.

And you don't need to look at every packet to find abusive traffic
either - in most cases, simply letting the rest of the net do the work
for you and just reading your abuse@ mailbox and actually dealing with
the reports is 95% of what's needed.

Dave Rand wrote:

I'm fond of getting the issues addressed by getting the ISPs to be involved
with the problem. If that means users get charged "clean up" fees instead
of a "security" fee, that's fine.

"I urge all my competitors to do that."

The problem isn't that this is a bad idea, the problem is that it's a bad idea to be the first to do it. You want to be the last to do it. You want all other companies to do it first - to charge their customers more (while you don't charge more and take away some of their business) to pay for this cost.

It only works if everyone has to charge their customers, and the change (from no surcharge to mandatory charge) will have to happen universally and at the same time - which will never happen. Welcome to the anarchy.

jc

Again, you can all continue to dance around and ignore the problem & chance
the probability that the U.S. Government will step in and force you to do
it.

Pick your poison.

- - ferg

Or the world government will (note misspelled "NATO" in the Subject:).

Sent from my iToilet

Why will you penalize with fees the end customer who may not know
that her system has been compromised because what she pays to Joe
Antivirus/Security/Firewall/Crapware is not effective against Billy
the nerd insecure-code programmer?

So? If said end customer is operating a network-connected system without
sufficient knowledge to properly maintain it and prevent it from doing mischief
to the rest of the network, why should the rest of us subsidize her negligence?
I don't see where making her pay is a bad thing.

No doubt ISPs can do something, but without additional regulation and
safeguards so that they won't be sued for sniffing or filtering traffic,
nothing will ever happen. Do we want more/any regulation? Who will
oversee it?

Those safeguards are already in place. There are specific exemptions in the
law for data collection related to maintaining the service and you'd be very
hard pressed to claim that identifying and correcting malicious activity is not
part of maintaining the service.

On the other hand, think of the Internet as a vast ocean where the
bad guys keep dumping garbage. You can't control or filter the
currents, which are constantly changing, and you can't inspect
every water molecule either. Then what do you do to find and penalize the
ones that drop, or permit their systems to drop, garbage into the ocean?

Your initial premise is flawed, so the conclusion is equally flawed.

The internet may be a vast ocean where bad guys keep dumping garbage,
but, if software vendors stopped building highly exploitable code and ISPs
started disconnecting abusing systems rapidly, it would have a major effect
on the constantly changing currents. If abuse departments were fully funded
by cleanup fees charged to negligent users who failed to secure their systems
properly, it would both incentivize users to do proper security _AND_ provide
for more responsive abuse departments as issues are reduced and their
budget scales linearly with the amount of abuse being conducted.

Owen

Heck, at this point, I'd be OK with it being a regulatory issue. Perhaps we need regulators to
step in and put forth something like the following:

1. An ISP who receives an abuse complaint against one of their customers shall not be
  held liable for damages to the complainant or other third parties IF:

  A. Said ISP investigates and takes remedial action for valid complaints within 24
    hours of receipt of said complaint.

  B. Said ISP responds to said abuse complaint within 4 hours of their determination,
    including the determination made and what, if any, remedial action was taken.

and

  C. If the complaint was legitimate, the remedial action taken by said ISP causes
    the reported abuse to stop.

2. Any ISP who takes remedial action against one of their customers as outlined
  in the previous section shall charge their customer a fee which shall not be
  less than $100 and not more than the ISP's full costs of investigation and
  remedial action.

I'm not saying I necessarily like the idea of more regulation, but, if we as an industry
are unwilling to solve this because of the above competitive concerns, then, perhaps
that is what is necessary to get us to act.

Owen

Owen DeLong wrote:

Heck, at this point, I'd be OK with it being a regulatory issue.

What entity do you see as having any possibility of effective regulatory control over the internet?

The reason we have these problems to begin with is because there is no way for people (or government regulators) in the US to control ISPs in eastern Europe etc.

jc

Exactly, which is the problem we are foretelling.

If you guys can't wrap your brains around the problem, and can't come up
with suitable solutions to abate criminal activity, then the hammer drops
in a way which none of us will appreciate.

I think that is pretty clear.

The U.S. Government doesn't care about ISPs in The Netherlands or Christmas
Island, because they are not within its jurisdiction.

But you are. That is the entire point.

Hello.

- - ferg

The reason we have these problems is because NO government is taking action. If each government
took the action I suggested locally against the ISPs in their region, it would be just as effective.
In fact, the more governments that take the action I suggested, the more effective it would be.

Owen

On the other hand, think of the Internet as a vast ocean where the
bad guys keep dumping garbage. You can't control or filter the
currents, which are constantly changing, and you can't inspect
every water molecule either. Then what do you do to find and penalize the
ones that drop, or permit their systems to drop, garbage into the ocean?

Bad analogy. There are some plumes of oil in the Gulf of Mexico that are
getting mapped out very well by only a few ships. You don't have to
examine every molecule to find parts-per-million oil, or to figure out
whose oil rig the oil came from.

Maybe, but that is a particular case where you can point a finger at
exactly who made the mess and make him accountable and responsible for
cleaning it up. But it's another example that shows that companies make
decisions based not on what is right or wrong to do but on what is more
or less profitable to do within a risk management context.

And you don't need to look at every packet to find abusive traffic
either - in most cases, simply letting the rest of the net do the work
for you and just reading your abuse@ mailbox and actually dealing with
the reports is 95% of what's needed.

Agreed, but you still have no control over what happens on the other
side of the ocean, and if you don't provide a liability waiver to the
abuse@ guy, he may have his hands tied by the legal department and be
unable to do anything.

I'll give you another bad analogy: for sure we need to keep an eye on and
deal with transport and distribution, but the only way to eradicate
drugs (most unlikely, because of the amount of $$$ it moves) is to go
after production and particularly consumption; meanwhile the only thing
you can do is damage control and containment.

If it is still so freaking easy for the crooks to have a profitable
criminal biz on the net, they will find the workaround to keep making
money while it's easy.

My point is, go hard after the crooks and fix the holes, things like:
why the heck are power grid control systems accessible
over the net from Hackertistan? And if there is a real reason for them
to be on the net, put in the necessary amount of money and technology to
make them as secure as possible.

Regards
Jorge

Owen DeLong wrote:

Heck, at this point, I'd be OK with it being a regulatory issue.

What entity do you see as having any possibility of effective regulatory
control over the internet?

Doesn't matter as long as it enables radial outbound finger pointing.

The reason we have these problems to begin with is because there is no
way for people (or government regulators) in the US to control ISPs in
eastern Europe etc.

Or in the US.
But what we see here is what is wrong with "regulation"--the
regulated specify the regulation, primarily to protect the economic
interests of the entrenched.

Owen DeLong wrote:

Heck, at this point, I'd be OK with it being a regulatory issue.

What entity do you see as having any possibility of effective regulatory control over the internet?

The reason we have these problems to begin with is because there is no way for people (or government regulators) in the US to control ISPs in eastern Europe etc.

What happens if you replace the word "government" with the word "person"?

(And since the cost is the only thing that matters, how much does
"government" cost? I suppose that is something somebody else should
worry about too.)

The reason we have these problems is because NO government is taking action. If each government
took the action I suggested locally against the ISPs in their region, it would be just as effective.
In fact, the more governments that take the action I suggested, the more effective it would be.

It is my strongly held belief that with my substitution a lot would get
done and at a much lower individual cost.

Larry Sheldon wrote:

Owen DeLong wrote:

Heck, at this point, I'd be OK with it being a regulatory issue.

What entity do you see as having any possibility of effective regulatory control over the internet?

Doesn't matter as long as it enables radial outbound finger pointing.

It does matter because THERE IS NO SUCH ENTITY.

The reason we have these problems to begin with is because there is no way for people (or government regulators) in the US to control ISPs in eastern Europe etc.

Or in the US.
But what we see here is what is wrong with "regulation"--the
regulated specify the regulation, primarily to protect the economic
interests of the entrenched.

IMHO it is impossible to regulate the internet as a whole. It is built out of too many different unregulated fragments (IP registries, domain registries, ASs, Tier 1 networks, smaller networks, etc.) and there will never be enough willingness for the unregulated entities to voluntarily become regulated - if some of them agree to become regulated then others will tout their unregulated (and cheaper) services. IMHO it would require a massive effort of great firewalls (such as China has in place) to *begin* to force regulation on the internet as a whole.

jc

Exactly so.

That is precisely why you don't want somebody else to attempt it.

The only hope is for everybody to take personal responsibility for their
little piece of it.

This situation has led to the growth of blacklists and whitelists of all sorts. These at least have some potential to drive dollars to hosts/providers with better records of behavior. Not a silver bullet, and not without controversy. And of course the cost is paid by victims up-front. Law and order in the wild west.

Ken