Nato warns of strike against cyber attackers

Tim Franklin wrote:

and another checklist with a magic acronym that has everything to do
with security theatre and nothing to do with either actual security or
the reality of operating a network.

Checklists come in handy; in fact, if many were followed (BCP checklists,
appropriate industry standard fw, system rules) the net would be a
cleaner place. What I've seen in many responses is feet dragging: "Ah
why bother it won't do nothing to stop it..." Without even trying. It
all begins with one's own network. The entire concept of peering was
built on trust of the peer. Would you knowingly allow someone to share
your hallway without taking precautionary measures or at least keeping a
vigilant eye? When you see something out of the norm, do
you continue to allow them without saying anything, waiting for your
neighbor to speak? In doing so, how can you be assured the individual
won't try to creep up on your property?

// JC Dill wrote:

Yes, ISPs are going to have to "handle" the problem. But, IMHO the root
cause of the problem starts in Redmond, and ISPs should sue Redmond for
the lack of suitable security in their product, rendering it an
attractive nuisance and requiring ISPs to clean up after Redmond's
mess. It's not fair to expect ISPs to shoulder this burden, and it's
not fair to pass on the cost to customers as a blanket surcharge (and it
won't work from a business standpoint) as not all customers use
Microsoft's virus-vector software. And it's not really fair to expect
the end customer to shoulder this burden when it's Microsoft's fault for
failing to properly secure their software. But end user customers don't
have the resources to sue Microsoft, and then there's that whole EULA
problem.

ISPs who are NOT a party to the EULA between Microsoft and the user, but
who are impacted by Microsoft's shoddy security can (IMHO) make a valid
claim that Microsoft created an attractive nuisance (improperly secured
software), and should be held accountable for the vandal's use thereof,
used to access and steal resources (bandwidth, etc.) from the ISP through
the ISP's customer's infested Windows computer.
//

More finger pointing here. Should MS now sue Adobe for shoddy coding
because Adobe's PDF reader caused a compromise (improperly secured
software)? Let's take it from the top down for a moment and focus on
what is going on. Operating systems are insecure; it doesn't matter if it
was produced by a company in Redmond or hacked together on IRC. ANY
operating system that is in an attacking state (dishing out malware,
attacking other machines) is doing so via a network. If slash when you
see it, do you shrug it off and say "not my problem, it's because of
someone's lack of oversight in Redmond" when you have the capability to
stop it?

ISPs don't "have to" handle the problem, they SHOULD handle the problem.

And "would damage the country" is a very fuzzy concept that you really don't
want to go anywhere near.

I wasn't drafting legislation; I was introducing a concept. I would
expect that actual legislation would explicitly list which industries
were subject to such regulation.

Otherwise it might include all Internet PoPs and datacenters which
would be rather dumb.

--Michael Dillon

J. Oquendo wrote:

More finger pointing here.

You say that like it's a bad thing. I'm pointing fingers at the company that has a long history of selling software with shoddy security (including releasing newer versions with restored vulnerabilities that were found and "fixed" years earlier), and then passing the buck on fixing the issues it causes by hiding behind their EULA. Their EULA protects Microsoft from their own customers, but it does NOT protect Microsoft from the effects the damage causes on OTHERS who are not parties to the EULA. This is where "attractive nuisance" comes in.

ISPs don't "have to" handle the problem, they SHOULD handle the problem.

This whole thread is about ISPs not handling the problem and allowing the problem to affect others beyond the ISP. In this case we could claim the ISP is also allowing an attractive nuisance to damage others and hold that ISP responsible for the damage that extends outside their network. However, we don't need a legal framework to solve THAT problem - we can address it with appropriate network blocks etc. (UDP-style)

jc

Yep... Much the same as my suggestion merely involves applying the same product liability standards as
every other industry faces to software.

Owen

Going back then to a previous question, do we want more/any
regulation?

Laws and regulation exist because people can't behave civilly and
be expected to respect the rights/boundaries/property of others.

CAN-SPAM exists because the e-mail marketing business refused to
self regulate and respect the wishes of consumers/administrators.

Which is good, because it certainly eliminated most of the SPAM. --
NOT!

FDCPA exists because the debt collectors couldn't resist the
temptation to harass and intimidate consumers, and couldn't behave
ethically.

And of course, it has caused them all to do so, now, right? -- NOT!

These may not solve all problems, but they do give victims (at least in the case of debt collectors) the ability to club them in the face in court a few times to the tune of a thousand bucks or so an incident.

Nothing is more satisfying than being able to offer a debt collector the option to settle for $X amount. :)

Lately, the courts have been ruling that companies like LimeWire
are responsible for their products being used for
piracy/downloading because they knew what was going on, but were
turning a blind eye.

This is a positive step, IMHO, but, now companies like Apple and
Micr0$0ft need to be held to similar standards.

Problem is, Microsoft and Apple, though being lax in their coding practices, can't entirely help it. Open Source software has the same problems, but do you really think that we should be charging Linus every time a Linux box is owned?

There comes a point where a program is so large and expansive that holes/exploits are a fact of life.

Why not apply the same standards to ISPs? If it can be shown that
you had knowledge of specific abuse coming from your network, but
for whatever reason, opted to ignore it and turn a blind eye, then
you are responsible.

I agree.

When I see abuse from my network or am made aware of it, I isolate
and drop on my edge the IPs in question, then investigate and
respond. Most times, it takes me maybe 10-15 minutes to track down
the user responsible, shut off their server or host, then terminate
their stupid self.

Yep.

A little bit of effort goes a long way. But, if you refuse to put
in the effort (I'm looking at you, GoDaddy Abuse Desk), then of
course the problems won't go away.

Agreed.

Now if only we could get certain providers to put some effort into it...