On Wed, 16 May 2007, Ross Hosman wrote:

> Gadi,
>
> I appreciate your well thought out email but I sit here and wonder
> what exactly you are trying to accomplish with it? Are you just trying
> to shame the two ISPs listed publicly or are you trying to spark a
> discussion about something that many people here can't fix?
>
> Many businesses today are focused on driving revenue and fixing old
> CPE equipment doesn't generate revenue, it only ties up money and
> resources that can be used elsewhere to drive revenue. If I were you I
> would try to spin this problem in a way where you can show large ISPs
> by fixing CPE's it will free up network resources and staff which can
> be used elsewhere.
>
> The people that can fix these problems are usually unaware of them so
> try to educate those people. Write CEOs/CTOs/CSOs educating them and
> push the security teams for these companies to escalate these issues
> to their upper management (on that note I would say this type of
> discussion would be better suited for a security mailing list for the
> reason I stated before, many people here can't fix these problems).
>
> Simply stating that there is a problem and shunning ISPs with this
> problem isn't a fix for the problem, it just makes them ignore you and
> the problem.

You are quite right. Thank you.

I found some ways of showing several issues to be revenue-tied, such as blocking port 25, etc. This issue is something I am at a stage of exploring, and like it or not.. network operators are the ones who deal with this (on whatever level they do). I am unsure of where else to go with this, and if some ISPs do something for now, that is a step in the right direction until a better way shows itself. Whichever way we discover, for now, raising awareness is all I can think of.

On a sarcastic evil tone, we may just plan to release a "fix" worm to harden all these devices world-wide. Right! Because that worked so well for us before. :>

>
> -Ross
>

Gadi.