Points on your Internet driver's license (was RE: Even you can

> So you claim even the ISPs you ran yourself have never attempted to do
> any of these things?

the last access-side isp i had anything to do with running used uucp and
shell and was just getting going on c-slip when i pushed off. (i assure
that any rmail or rnews spam was grounds for suspension during my watch.)

my last gig at a colo-side isp ended with me moving over to paix due to
the board's discomfort over my policies toward certain colo-side customers
(who have since improved, yay.)

> If you didn't do them, why do you think other people should?

so you aren't going to google for "chemical polluter business model", huh?

I hope you also google for Nonpoint Source Pollution.

> ISPs don't put the pollution in the water, ISPs are trying to clean up
> the water polluted by others. ISPs are spending a lot of money cleaning
> up problems created by other people.

ISPs do put the pollution in the water. They own/run the pipes that carry
the pollution into the ocean. Nobody cares about pollution inside the ISP's
own network, we only care about the pollution they put into our water. They
own, run, and manage the pipes that put the pollution where it can harm
others. They have continuous control over the process and ultimately decide
who does or does not put things into those pipes and influence the policies.

  I think there's a serious disconnect between how ISPs see this issue and
how their customers do. I hold ISPs responsible for their customers behavior
once they are aware of that behavior. It has been many years since "I just
pass the traffic my customers tell me to pass" was an acceptable answer. In
fact, ISPs that take that attitude are (properly) ostracized today.

  If an ISP knows or suspected or should know that their customer is putting
pollution into the communal waters, they have an obligation to do whatever
it takes to stop that pollution. If that's notifying the customer,
disconnecting the customer, filtering, whatever, that's between the ISP and
the customer. I'm willing to make all kinds of allowances for what is and is
not possible. I don't expect a filter in minutes. I don't expect them to
disconnect a customer because they couldn't reach them. However, I do expect
them to track the issue with their customer until it's resolved. If they do
not do so, I hold them responsible to the extent that I am able to do so.

  Again, as I said, this in no way diminishes the responsibility of the
customer, the author of the malware, the person who failed to install the
patch, the person who misconfigured the firewall (or decided they really
didn't need one). Responsibility does not have to sum to 100%, it's possible
for any number of parties to be wholly responsible.

  It amazes me how quick ISPs are to blame others, as if this diminishes their
responsibility. It does not. If I leave your car unlocked and someone steals
your CDs, no amount of blame I place on the thief diminishes my
responsibility.

  DS

The real challenge here is that the "default" Internet service is
wide-open Internet Protocol, w/o any safeties or controls. This
made a lot of sense when the Internet was a few hundred sites,
but is showing real scaling problems today (spam, major viruses,
etc.)

One could imagine changing the paradigm (never easy) so that
the normal Internet service was proxied for common applications
and NAT'ed for everything else... This wouldn't eliminate all the
problems, but would dramatically cut down the incident rate.

If a site wants wide-open access, just give it to them. If that turns
out to cause operational problems (due to open mail proxies, spam
origination, etc), then put 'em back behind the relays.

/John

> One could imagine changing the paradigm (never easy) so that
> the normal Internet service was proxied for common applications
> and NAT'ed for everything else... This wouldn't eliminate all the
> problems, but would dramatically cut down the incident rate.
>
> If a site wants wide-open access, just give it to them. If that turns
> out to cause operational problems (due to open mail proxies, spam
> origination, etc), then put 'em back behind the relays.

guilty until proven innocent, eh? thanks mr ashcroft.

randy

Randy, are you objecting to the model for initial connectivity,
or the throwing them back behind relays w/o a formal trial?

/John

In the BBS days, how did most viruses get on computers? Have things
really changed that much?

Take a look at how computers are being compromised. It's amazing just how
many compromised computers have NAT, firewalls, proxies, etc.

   1) pre-infected, i.e. already compromised before connecting to your
network (laptops are dangerous)
   2) self-infected, i.e. compromised because the user installed the
software containing the virus
   3) network-infected, i.e. compromised solely by being connected without
any action by the user

Some broadband providers have been selling service that includes a
NAT/firewall on the connection for several years. What is the difference
in infection rate of those users? Is it just wishful thinking by some
people that NAT/firewalls/proxies will solve the problem? Or do they have
hard data to back them up?

Preventing users from compromising their computers is a lot like
preventing users from accessing porn or music. Basically anything the
user wants could be potentially harmful, and the miscreants know that.
So how do you make sure users can only access "safe" content?

> The real challenge here is that the "default" Internet service is
> wide-open Internet Protocol, w/o any safeties or controls. This
> made a lot of sense when the Internet was a few hundred sites,
> but is showing real scaling problems today (spam, major viruses,
> etc.)
>
> One could imagine changing the paradigm (never easy) so that
> the normal Internet service was proxied for common applications
> and NAT'ed for everything else... This wouldn't eliminate all the
> problems, but would dramatically cut down the incident rate.

This sounds like a fantastic idea, for instance: How much direct IP does
joe-average Internet user really require? Do they require anything more
than imap(s)/pop(s)/smtp(+tls) and dns/http/https ? I suppose they also
need:
1) internet gaming
2) voip
3) kazaa/p2p-app(s)-of-choice
4) IM

Actually I'm sure there are quite a few things they need, things which
require either very smart NAT/Proxy devices or open access. The filtering
of IP on the broad scale will hamper creativity and innovation. I'm fairly
certain this was not what we want in the long term, is it?

> If a site wants wide-open access, just give it to them. If that turns
> out to cause operational problems (due to open mail proxies, spam
> origination, etc), then put 'em back behind the relays.

We have methods of dealing with these abuse problems today, unfortunately
as Paul Vixie often points out there are business reasons why these
problems persist. Often the 'business' reason isn't the
tin-foil-hat-brigade's reason so much as 'we can't afford to keep these
abuse folks around since they don't make money for the company'.

Downstream from the ISP, the individuals are not taking responsibility for
their actions/inactions with respect to 'security'. Vendors are not
providing safe environments for their consumers either. I understand that
shipping an OS with 100% of things enabled might 'foster innovation' or
'make things easier for the end user', however, so would well-thought-out
instructions for enabling (safely) these same features. 99% of computer
users never ever need to share files, yet file sharing is enabled by
default on some operating systems... This is a major vector for infection
and abuse.

Education and awareness are also lacking in the industry as a whole, well
not the 'industry' so much as 'the culture' I think. "Why should anyone
want to hack my machine? I'm not some big corporation with lots of
'secrets'." No, they want your machine for the simple fact it's connected
to the global Internet and it's NOT their ip address so abuse of it won't
harm 'them' :(

-Chris

I'll argue that we don't have effective methods of dealing with this today,
and it's not the lack of abuse desk people as much as the philosophy of
closing barn doors after the fact. The idea that we can leave everything
wide open for automated exploit tools, and then clean up afterwards
manually with labor-intensive efforts is fundamentally flawed.

/John

that was the last part of my post, initial installs and supportable (end
user supportable) security really is the only way. (or that's my thoughts)

davids@webmaster.com ("David Schwartz") writes:

> ISPs don't put the pollution in the water, ISPs are trying to clean up
> the water polluted by others. ISPs are spending a lot of money cleaning
> up problems created by other people.

  ISPs do put the pollution in the water. They own/run the pipes that
carry the pollution into the ocean. Nobody cares about pollution inside
the ISP's own network, we only care about the pollution they put into our
water. They own, run, and manage

"and profit from"

the pipes that put the pollution where it can harm others. They have
continuous control over the process and ultimately decide who does or
does not put things into those pipes and influence the policies.

yea, verily.

> > We have methods of dealing with these abuse problems today, unfortunately
> > as Paul Vixie often points out there are business reasons why these
> > problems persist. Often the 'business' reason isn't the tin-foil-
> > hat-brigade's reason so much as 'we can't afford to keep these abuse
> > folks around since they don't make money for the company'.
>
> I'll argue that we don't have effective methods of dealing with this today,
> and it's not the lack of abuse desk people as much as the philosophy of
> closing barn doors after the fact. The idea that we can leave everything
> wide open for automated exploit tools, and then clean up afterwards
> manually with labor-intensive efforts is fundamentally flawed.

and i'd agree. the trouble, when this problem was first isolated, was that
the costs and benefits were asymmetric. the people who needed the added
services (filtering, training, remote OS upgrades/audits/management, etc)
were the ones least able/willing to pay extra for those services. the folks
who didn't need them have always complained that they have to pay more to
avoid getting them.

now, though, there's an opportunity to do a marketing U-turn on this. cable
and dsl providers in the USA can point to the national cybersecurity plan and
say that to comply with it they have to put infected computers in cyberjail,
with a fee of $N to get these machines audited, and if found clean, put back
on the net, noting that N doubles every time this process is invoked, and
that a deposit of $(0.5*N) is required as prepayment for the next incident,
refundable after one year if there are no further incidents. then offer to
remotely manage their host ("give me your root passwords, trust me!") for an
annual fee of $(0.75*N). if the initial value of N were $500, you might be
able to get the people who need this service to pay for it. it's worth a try?

> One could imagine changing the paradigm (never easy) so that
> the normal Internet service was proxied for common applications
> and NAT'ed for everything else... This wouldn't eliminate all the
> problems, but would dramatically cut down the incident rate.
>
> If a site wants wide-open access, just give it to them. If that turns
> out to cause operational problems (due to open mail proxies, spam
> origination, etc), then put 'em back behind the relays.
>
> guilty until proven innocent, eh? thanks mr ashcroft.
>
> Randy, are you objecting to the model for initial connectivity,
> or the throwing them back behind relays w/o a formal trial?

the former, see previous post about the e2e internet

if you can actually diagnose bad traffic, then you may
have a right to act

randy

:
: now, though, there's an opportunity to do a marketing U-turn on this. cable
: and dsl providers in the USA can point to the national cybersecurity plan and
: say that to comply with it they have to put infected computers in cyberjail,
: with a fee of $N to get these machines audited, and if found clean, put back
: on the net, noting that N doubles every time this process is invoked, and
: that a deposit of $(0.5*N) is required as prepayment for the next incident,
: refundable after one year if there are no further incidents. then offer to
: remotely manage their host ("give me your root passwords, trust me!") for an
: annual fee of $(0.75*N). if the initial value of N were $500, you might be
: able to get the people who need this service to pay for it. it's worth a try?
: --
: Paul Vixie
:

If I read Paul's post correctly, then I would have to agree that the costs of
cleaning up the problem customers should be placed on the customer (miscreant)
as opposed to the rest of us. This would be far more preferable than putting
in place controls by the respective ISP that would limit my own use of my
connection, on which I have spent considerable time, money and education to
make sure it is secure and beyond that, compliant with the ISP Acceptable Use
policies.

Doug

the 'customer' is most often NOT the 'miscreant', they are more often than
not your mother/sister/brother/innocent-user#35; penalizing them is a
touchy proposition.

-Chris

Selling people barn doors and barn door audits is easier than figuring
out how the rustlers are getting the horses. The problem is the horses
aren't being rustled(?) through the barn doors. If they were, you would
expect to see a difference between barns with doors and barns without
doors. But in practice, we see people with and without firewalls with
infected computers. Network level controls aren't as effective as
some people hope at stopping many things. ISPs should stop porn, ISPs
should stop music sharing, ISPs should stop viruses, ISPs should
stop <insert here>. Yet somehow users manage to find a way around
all of them.

What are good predictors? There aren't any great ones, but there are
some. Can we use them effectively?

So what makes some users more likely or less likely to have infected
computers? How do they become infected, but other users don't? What's
different between the two groups?

Sean Donelan wrote:

> Selling people barn doors and barn door audits is easier than figuring
> out how the rustlers are getting the horses. The problem is the horses
> aren't being rustled(?) through the barn doors. If they were, you would
> expect to see a difference between barns with doors and barns without
> doors. But in practice, we see people with and without firewalls with
> infected computers. Network level controls aren't as effective as
> some people hope at stopping many things. ISPs should stop porn, ISPs
> should stop music sharing, ISPs should stop viruses, ISPs should
> stop <insert here>. Yet somehow users manage to find a way around
> all of them.
>
> So what makes some users more likely or less likely to have infected
> computers? How do they become infected, but other users don't? What's
> different between the two groups?

Skill, Desire and Luck - not always in that order.

I usually set out my stall on this one by making the following assumptions -

1) any protective measure that relies on users having common sense will inevitably lead to astonishment at how uncommon common sense is (core rule)

2)Warning messages are now so common users don't read them, and web popup boxes even more so. By simple extension therefore, no warning message is of any value - users will read just enough to discover how to make it go away, and if the obvious way of doing so works, won't trouble themselves further. (case in point - "how did that porn dialler get there? I only visited a website or two. Yeah, there was some sort of popup box but I closed it")

3) not all machines will be vulnerable - either by skill, initial design, patching diligence or obsolescence, some machines will be inherently protected against any given outbreak. Downside there is - said users will invariably decide they don't *need* to take protective measures because this one attack couldn't affect them (case in point - most linux users do not have AV software of any type, despite at least one being free and open source)

4) any scheme that relies on blocking users from what they want to do will be bypassed by at least some of those users; once some of the users know how to do it, the blackhats won't be far behind teaching their creations how to do it too, and the greyhats in writing little pretty gui tools to do it automagically - relying on users who know how to bypass lockdowns being skilled enough to look after their own security therefore violates rule 1

5) anything that relies on convincing the users (or better yet their machine) that the action *is* what they want to do is onto a winner; see rule 3 and indeed rule 1 for details.

so back to your list.

> ISPs should stop porn,
not going to work - prohibition just makes it harder to regulate stuff, even leaving aside the moral issues of trying to block online what can be bought in most newsagents.

> ISPs should stop music sharing,
why? users obviously want to do it, and in many places it is not a criminal act (copyright violations being civil not criminal in most countries)
ISPs should of course co-operate with any lawful warrant or court order, and (for practical purposes) try to limit their own expenses in having to deal with copyright violations on websites and so forth but in the UK (Not sure about elsewhere) the real problem is commercial pirates selling dodgy copies from stalls or car boots, and that predates the web (and indeed the CD)

> ISPs should stop viruses,
Sure. I don't think that should be free though - plenty of services out there offer filtered, reactive web access to remove all those nasty worms, email viruses and so forth as fast as is possible. Doing that work *costs* and has little or nothing to do with the business of pushing bits down wires. Yey the free market....

> ISPs should stop <insert here>.
damn right. <insert here> has always bugged me :)

One of the core skills required by an abuse desk person, and in
particular an abuse team manager, is an ability to evangelise to higher
management the business benefits of effective Acceptable Use Policy
enforcement.

For example, how many legitimate prospective customers does the
following:

   Found 187 SBL listings for IPs under the responsibility
   of mci.com

   Listings in yellow are known spam gangs with ROKSO records

http://www.spamhaus.org/sbl/listings.lasso

Cause to decide not to even consider you as a supplier of bandwidth
and/or hosting services? When one also factors into the equation
the fact that spammers (of whatever type) tend historically to be
bad payers, it is not unlikely that your apparent business related
decision to provide safe haven to such folks is actually a cause of
net revenue loss, not gain.

If you're asserting that having firewalls in the path doesn't have
any impact on rate of infection, please provide a link to this data.
Sure, I've even seen infected computers in rooms that don't (or
should not have had) any connectivity, but that just means it is
not a perfect world. Lots of things make it through firewalls
(email-based worms come to mind) but from what I've seen they
are quite effective at protecting networks of otherwise helpless
comes-out-of-the-box-wide-open PCs.

/John

In a perfect world, ISPs shouldn't have to worry about content. There
is no way to "know" whether the user wants a particular message and
methods at guessing are always imperfect. Despite this, a lot of users
would like their ISP to try to do their best to filter spam and viruses out
of their mail stream, etc. It really should be a local issue but users ask,
so the service appears.

However, distinguish content from access. Typical users, particularly
in broadband residential connections, have no desire to have anyone
remotely access their machine. The same is true with most small
business customers. Upon arrival of their first Internet connection,
the systems do not magically recognize that end-to-end now could
be any endpoint in the Internet and install appropriate filters. Why
doesn't it make sense to change the default model so that such are
in place until the user demonstrates some understanding of the
situation by asking them to be removed?

To add one more analogy to the mix, we blindly install on-ramps to
the freeway to anyone who asks and certainly a few folks know
what is in store once connected. However, the vast majority of
ramps are connected to suburban driveways, skate board parks,
and middle school playgrounds. It's amazing that we all act
surprised when innocents get run over...

/John
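John's two posts in this thread (default service proxied for common applications and NAT'ed for the rest, wide-open IP on request, and "back behind the relays" once it causes operational problems) describe a policy that can be written down as a small per-customer state machine. The Python sketch below is added here as an example and is not code from any poster or ISP on this thread; the customer names, the port list, the two service states and the sample flows are assumptions constructed for illustration.

```python
"""Constructed sketch of the "default-closed" service model debated above.

Two per-customer states: "default" (common applications go through an ISP
proxy/relay, everything else through NAT, so unsolicited inbound traffic
never reaches the host) and "open" (raw IP, granted on request). An abuse
finding puts an "open" customer back to "default", i.e. back behind the relays.
"""
from __future__ import annotations
from dataclasses import dataclass

# Ports for the "common applications" the thread names (mail, DNS, web).
# Assumed set for this example; a real ISP would tune it.
COMMON_PORTS = {25, 53, 80, 110, 143, 443, 587, 993, 995}


@dataclass
class Flow:
    customer: str
    direction: str           # "in": towards the customer, "out": from the customer
    dport: int               # destination port of this packet
    solicited: bool = False  # inbound packet matching a connection the customer opened (NAT state)


@dataclass
class Customer:
    name: str
    state: str = "default"   # "default" or "open"
    incidents: int = 0       # abuse findings recorded against this customer


class AccessPolicy:
    """Decides, per customer and per flow, how the edge treats a packet."""

    def __init__(self) -> None:
        self.customers: dict[str, Customer] = {}

    def add(self, name: str) -> Customer:
        self.customers[name] = Customer(name)
        return self.customers[name]

    def request_open(self, name: str) -> str:
        """A site that wants wide-open access just gets it."""
        self.customers[name].state = "open"
        return self.customers[name].state

    def report_abuse(self, name: str) -> str:
        """Operational problem traced to the customer: back behind the relays."""
        c = self.customers[name]
        c.incidents += 1
        c.state = "default"
        return c.state

    def decide(self, flow: Flow) -> str:
        """Returns "allow" (raw IP), "proxy", "nat" or "drop"."""
        c = self.customers[flow.customer]
        if c.state == "open":
            return "allow"                       # no safeties or controls
        if flow.direction == "in":
            # NAT only passes replies to connections the customer initiated;
            # an unsolicited probe has no state entry and is dropped.
            return "nat" if flow.solicited else "drop"
        # Outbound: common applications via the ISP proxy/relay, rest via NAT.
        return "proxy" if flow.dport in COMMON_PORTS else "nat"


def run_scenario() -> dict[str, object]:
    """Walk two constructed customers through the model; returns the decisions."""
    policy = AccessPolicy()
    policy.add("alice")              # joe-average user, left on default service
    policy.add("bob")
    policy.request_open("bob")       # bob asked for wide-open IP

    out: dict[str, object] = {}
    # Unsolicited inbound probe to a file-sharing port (the thread's
    # "network-infected" case) against each customer.
    out["alice_probe_445"] = policy.decide(Flow("alice", "in", 445))
    out["bob_probe_445"] = policy.decide(Flow("bob", "in", 445))
    # Reply to a web connection alice opened herself (dport is her ephemeral port).
    out["alice_web_reply"] = policy.decide(Flow("alice", "in", 51234, solicited=True))
    # Outbound mail goes through the relay; an unlisted p2p port goes through NAT.
    out["alice_out_smtp"] = policy.decide(Flow("alice", "out", 25))
    out["alice_out_p2p"] = policy.decide(Flow("alice", "out", 6881))
    out["bob_out_smtp"] = policy.decide(Flow("bob", "out", 25))

    # bob's open box starts originating spam; the abuse desk acts.
    policy.report_abuse("bob")
    out["bob_state_after"] = policy.customers["bob"].state
    out["bob_incidents"] = policy.customers["bob"].incidents
    out["bob_probe_after"] = policy.decide(Flow("bob", "in", 445))
    out["bob_out_smtp_after"] = policy.decide(Flow("bob", "out", 25))
    return out


if __name__ == "__main__":
    for label, decision in run_scenario().items():
        print(f"{label:20} {decision}")
```

Running it shows the difference the thread argues about: the unsolicited probe to port 445 reaches bob (open) but never alice (default), alice's own web traffic still works because NAT passes the solicited reply, and after the abuse report bob's probe is dropped and his direct SMTP is routed through the relay instead of raw IP.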