Re: Points on your Internet driver's license (was RE: Even you can
> ...
> If we give some people an option to opt-out, most grandmothers will
> probably follow Paul's example and save the few bucks every month and not
> use the security features. Should ISPs charge for security like the
> Universal Service Fund fee on your telephone bill, everyone (not just
> grandmothers) has to pay it. The FCC (or your national equivalent) would
> set the rate every quarter, and it appears on everyone's ISP bill. You
> have to pay it, even if you already have other security.

i like the plan i suggested in reply to jcurran better than the above plan. however, i'm now seeing more spam from hosts in my private blackhole list, that's fed by a darkspace IDS running on ports 25 and 80, than i am from all of my "dynamic/dialup blackhole list" subscriptions combined.

so, if an fcc-based universal tariff is the only way to get this done, i'm willing to pay -- even though i own the routers on both ends of my home t1.

-- Paul Vixie
Re: "Default" Internet Service (was: Re: Points on your Internet
> >We have methods of dealing with these abuse problems today, unfortunately
> >as Paul Vixie often points out there are business reasons why these
> >problems persist. Often the 'business' reason isn't the
> >tin-foil-hat-brigade's reason so much as 'we can't afford to keep these abuse
> >folks around since they don't make money for the company'.
>
> I'll argue that we don't have effective methods of dealing with this today,
> and it's not the lack of abuse desk people as much as the philosophy of
> closing barn doors after the fact. The idea that we can leave everything
> wide open for automated exploit tools, and then clean up afterwards
> manually with labor-intensive efforts is fundamentally flawed.

and i'd agree. the trouble, when this problem was first isolated, was that the costs and benefits were asymmetric. the people who needed the added services (filtering, training, remote OS upgrades/audits/management, etc) were the ones least able/willing to pay extra for those services. the folks who didn't need them have always complained that they have to pay more to avoid getting them.

now, though, there's an opportunity to do a marketing U-turn on this. cable and dsl providers in the USA can point to the national cybersecurity plan and say that to comply with it they have to put infected computers in cyberjail, with a fee of $N to get these machines audited, and if found clean, put back on the net, noting that N doubles every time this process is invoked, and that a deposit of $(0.5*N) is required as prepayment for the next incident, refundable after one year if there are no further incidents. then offer to remotely manage their host ("give me your root passwords, trust me!") for an annual fee of $(0.75*N).

if the initial value of N were $500, you might be able to get the people who need this service to pay for it. it's worth a try?

-- Paul Vixie
Re: Points on your Internet driver's license (was RE: Even you can
[EMAIL PROTECTED] ("David Schwartz") writes:

> > ISPs don't put the pollution in the water, ISPs are trying to clean up
> > the water polluted by others. ISPs are spending a lot of money cleaning
> > up problems created by other people.
>
> ISPs do put the pollution in the water. They own/run the pipes that
> carry the pollution into the ocean. Nobody cares about pollution inside
> the ISP's own network, we only care about the pollution they put into our
> water. They own, run, and manage

"and profit from"

> the pipes that put the pollution where it can harm others. They have
> continuous control over the process and ultimately decide who does or
> does not put things into those pipes and influence the policies.

yea, verily.

-- Paul Vixie
Re: Points on your Internet driver's license (was RE: Even you can
> > so you aren't going to google for "chemical polluter business model", huh?
>
> I hope you also google for Nonpoint Source Pollution.
>
> ISPs don't put the pollution in the water, ISPs are trying to clean up
> the water polluted by others. ISPs are spending a lot of money cleaning
> up problems created by other people.

where you got it from before you dumped it into the stream that feeds me is yet another problem that i'd rather you resolved without my involvement.
Re: "Default" Internet Service (was: Re: Points on your Internet driver's license)
On Sun, 13 Jun 2004, John Curran wrote:

>
> At 4:21 AM + 6/13/04, Christopher L. Morrow wrote:
> >
> >We have methods of dealing with these abuse problems today, unfortunately
> >as Paul Vixie often points out there are business reasons why these
> >problems persist. Often the 'business' reason isn't the
> >tin-foil-hat-brigade's reason so much as 'we can't afford to keep these
> >abuse folks around since they don't make money for the company'.
>
> I'll argue that we don't have effective methods of dealing with this today,
> and it's not the lack of abuse desk people as much as the philosophy of
> closing barn doors after the fact. The idea that we can leave everything
> wide open for automated exploit tools, and then clean up afterwards
> manually with labor-intensive efforts is fundamentally flawed.

that was the last part of my post, initial installs and supportable (end user supportable) security really is the only way. (or that's my thoughts)
Re: "Default" Internet Service (was: Re: Points on your Internet driver's license)
At 4:21 AM + 6/13/04, Christopher L. Morrow wrote:

>
>We have methods of dealing with these abuse problems today, unfortunately
>as Paul Vixie often points out there are business reasons why these
>problems persist. Often the 'business' reason isn't the
>tin-foil-hat-brigade's reason so much as 'we can't afford to keep these
>abuse folks around since they don't make money for the company'.

I'll argue that we don't have effective methods of dealing with this today, and it's not the lack of abuse desk people as much as the philosophy of closing barn doors after the fact. The idea that we can leave everything wide open for automated exploit tools, and then clean up afterwards manually with labor-intensive efforts is fundamentally flawed.

/John
Re: "Default" Internet Service (was: Re: Points on your Internet driver's license)
On Sat, 12 Jun 2004, John Curran wrote:

>
> The real challenge here is that the "default" Internet service is
> wide-open Internet Protocol, w/o any safeties or controls. This
> made a lot of sense when the Internet was a few hundred sites,
> but is showing real scaling problems today (spam, major viruses,
> etc.)
>
> One could imagine changing the paradigm (never easy) so that
> the normal Internet service was proxied for common applications
> and NAT'ed for everything else... This wouldn't eliminate all the
> problems, but would dramatically cut down the incident rate.

This sounds like a fantastic idea, for instance: How much direct IP does joe-average Internet user really require? Do they require anything more than imap(s)/pop(s)/smtp(+tls) and dns/http/https ? I suppose they also need:

1) internet gaming
2) voip
3) kazaa/p2p-app(s)-of-choice
4) IM

Actually I'm sure there are quite a few things they need, things which require either very smart NAT/Proxy devices or open access. The filtering of IP on the broad scale will hamper creativity and innovation. I'm fairly certain this was not what we want in the long term, is it?

>
> If a site wants wide-open access, just give it to them. If that turns
> out to cause operational problems (due to open mail proxies, spam
> origination, etc), then put 'em back behind the relays.
>

We have methods of dealing with these abuse problems today, unfortunately as Paul Vixie often points out there are business reasons why these problems persist. Often the 'business' reason isn't the tin-foil-hat-brigade's reason so much as 'we can't afford to keep these abuse folks around since they don't make money for the company'.

Downstream from the ISP, the individuals are not taking responsibility for their actions/in-actions with respect to 'security'. Vendors are not providing safe environments for their consumers either.

I understand that shipping an OS with 100% of things enabled might 'foster innovation' or 'make things easier for the end user', however, so would well thought instructions for enabling (safely) these same features. 99% of computer users never ever need to share files, yet file sharing is enabled by default on some operating systems... This is a major vector for infection and abuse.

Education and awareness are also lacking in the industry as a whole, well not the 'industry' so much as 'the culture' I think. "Why should anyone want to hack my machine? I'm not some big corporation with lots of 'secrets'." No, they want your machine for the simple fact it's connected to the global Internet and it's NOT their ip address so abuse of it won't harm 'them' :(

-Chris
Re: Points on your Internet driver's license (was RE: Even you can
On Sat, 12 Jun 2004, Paul Vixie wrote:

> > Send me your root passwords. Trust me.
>
> you should offer this service. most of us would urge our parents'
> generation to sign up for it. (i hope you weren't joking.)

As you keep pointing out, a problem with current Internet security is its "opt-in" nature. Why should Paul be allowed to walk around the security checks, but Paul's grandmother needs to be searched? Both Paul and Paul's grandmother need to go through security. Allowing some people to opt-out would defeat the very thing you are trying to achieve.

Most major ISPs offer a variety of Internet security products, if the user signs up for them, pays for them, installs them and uses them. AOL charges about $14/month, Earthlink charges about $6/month, MSN charges about $8/month, SBC charges about $5/month, Bellsouth charges about $7/month, etc. For a while, some broadband providers were even offering a $99 rebate when people bought a hardware nat/firewall device.

Why don't more people take advantage of the security that is already available? Some people pay hundreds of dollars every month for bottled water, and filters on their faucets because they aren't satisfied with the quality of the water delivered by the local water company.

If we give some people an option to opt-out, most grandmothers will probably follow Paul's example and save the few bucks every month and not use the security features. Should ISPs charge for security like the Universal Service Fund fee on your telephone bill, everyone (not just grandmothers) has to pay it. The FCC (or your national equivalent) would set the rate every quarter, and it appears on everyone's ISP bill. You have to pay it, even if you already have other security.
Looking for an Akamai admin
If there is an Akamai Admin in the channel, please contact me off channel [EMAIL PROTECTED]

Peter 301-340-1533
Re: "Default" Internet Service (was: Re: Points on your Internet driver's license)
On Sat, 12 Jun 2004, John Curran wrote:

> One could imagine changing the paradigm (never easy) so that
> the normal Internet service was proxied for common applications
> and NAT'ed for everything else... This wouldn't eliminate all the
> problems, but would dramatically cut down the incident rate.

In the BBS days, how did most viruses get on computers? Have things really changed that much? Take a look how computers are being compromised. It's amazing just how many compromised computers have NAT, firewalls, proxies, etc.

1) pre-infected, i.e. already compromised before connecting to your network (laptops are dangerous)
2) self-infected, i.e. compromised because the user installed the software containing the virus
3) network-infected, i.e. compromised solely by being connected without any action by the user

Some broadband providers have been selling service that includes a NAT/firewall on the connection for several years. What is the difference in infection rate of those users? Is it just wishful thinking by some people that NAT/firewalls/proxies will solve the problem? Or do they have hard data to back them up?

Preventing users from compromising their computers is a lot like preventing users from accessing porn or music. Basically anything the user wants could be potentially harmful, and the miscreants know that. So how do you make sure users can only access "safe" content?
Re: "Default" Internet Service (was: Re: Points on your Internet driver's license)
At 6:58 PM -0700 6/12/04, Randy Bush wrote:

>> One could imagine changing the paradigm (never easy) so that
>> the normal Internet service was proxied for common applications
>> and NAT'ed for everything else... This wouldn't eliminate all the
>> problems, but would dramatically cut down the incident rate.
>>
>> If a site wants wide-open access, just give it to them. If that turns
>> out to cause operational problems (due to open mail proxies, spam
>> origination, etc), then put 'em back behind the relays.
>
>guilty until proven innocent, eh? thanks mr ashcroft.

Randy, are you objecting to the model for initial connectivity, or the throwing them back behind relays w/o a formal trial?

/John
Re: "Default" Internet Service (was: Re: Points on your Internet driver's license)
> One could imagine changing the paradigm (never easy) so that
> the normal Internet service was proxied for common applications
> and NAT'ed for everything else... This wouldn't eliminate all the
> problems, but would dramatically cut down the incident rate.
>
> If a site wants wide-open access, just give it to them. If that turns
> out to cause operational problems (due to open mail proxies, spam
> origination, etc), then put 'em back behind the relays.

guilty until proven innocent, eh? thanks mr ashcroft.

randy
"Default" Internet Service (was: Re: Points on your Internet driver's license)
The real challenge here is that the "default" Internet service is wide-open Internet Protocol, w/o any safeties or controls. This made a lot of sense when the Internet was a few hundred sites, but is showing real scaling problems today (spam, major viruses, etc.)

One could imagine changing the paradigm (never easy) so that the normal Internet service was proxied for common applications and NAT'ed for everything else... This wouldn't eliminate all the problems, but would dramatically cut down the incident rate.

If a site wants wide-open access, just give it to them. If that turns out to cause operational problems (due to open mail proxies, spam origination, etc), then put 'em back behind the relays.

/John
RE: Points on your Internet driver's license (was RE: Even you can
> On Sun, 13 Jun 2004, Paul Vixie wrote:
> > > If you didn't do them, why do you think other people should?
> > so you aren't going to google for "chemical polluter business
> model", huh?
> I hope you also google for Nonpoint Source Pollution.
> ISPs don't put the pollution in the water, ISPs are trying to clean up
> the water polluted by others. ISPs are spending a lot of money cleaning
> up problems created by other people.

ISPs do put the pollution in the water. They own/run the pipes that carry the pollution into the ocean. Nobody cares about pollution inside the ISP's own network, we only care about the pollution they put into our water. They own, run, and manage the pipes that put the pollution where it can harm others. They have continuous control over the process and ultimately decide who does or does not put things into those pipes and influence the policies.

I think there's a serious disconnect between how ISPs see this issue and how their customers do. I hold ISPs responsible for their customers' behavior once they are aware of that behavior. It has been many years since "I just pass the traffic my customers tell me to pass" was an acceptable answer. In fact, ISPs that take that attitude are (properly) ostracized today.

If an ISP knows or suspects or should know that their customer is putting pollution into the communal waters, they have an obligation to do whatever it takes to stop that pollution. If that's notifying the customer, disconnecting the customer, filtering, whatever, that's between the ISP and the customer.

I'm willing to make all kinds of allowances for what is and is not possible. I don't expect a filter in minutes. I don't expect them to disconnect a customer because they couldn't reach them. However, I do expect them to track the issue with their customer until it's resolved. If they do not do so, I hold them responsible to the extent that I am able to do so.

Again, as I said, this in no way diminishes the responsibility of the customer, the author of the malware, the person who failed to install the patch, the person who misconfigured the firewall (or decided they really didn't need one). Responsibility does not have to sum to 100%, it's possible for any number of parties to be wholly responsible.

It amazes me how quick ISPs are to blame others, as if this diminishes their responsibility. It does not. If I leave your car unlocked and someone steals your CDs, no amount of blame I place on the thief diminishes my responsibility.

DS
Re: Points on your Internet driver's license (was RE: Even you can
On Sun, 13 Jun 2004, Paul Vixie wrote:

> > If you didn't do them, why do you think other people should?
>
> so you aren't going to google for "chemical polluter business model", huh?

I hope you also google for Nonpoint Source Pollution.

ISPs don't put the pollution in the water, ISPs are trying to clean up the water polluted by others. ISPs are spending a lot of money cleaning up problems created by other people.
Re: Points on your Internet driver's license (was RE: Even you can be
To compare this with the electricity company, the average home with a 200A service is equivalent to NATed and firewalled internet bandwidth. As your electricity demands grow (for whatever reason) the electricity company upgrades your service, to 3 phase, 600V, whatever. Same with internet bandwidth, get a public ip, get a static ip, get ports opened, run servers. Just as the upgraded electricity service requires more knowledge and equipment so does the upgraded internet bandwidth.

The biggest problem with this is that, so long as the lines support it, your electric company will send you as few or as many amps as you need, when you need it. They also make sure they don't send you 1200 amps on a #14 wire, which would probably cause a significant portion of your wiring to smoke, if not burn. With internet access, how easy is it to suddenly turn off NAT, stop redirecting all SMTP access to your anti-everything spam free SMTP server, remove the firewalls blocking outbound IPSec packets and inbound SSH? How quickly can it be done? How much should be charged for it?

The better analogy is what happens when you leave your oven on for 8 days straight? Assuming your house doesn't burn down, should you have to pay the electric bill for those 8 days? Hell yeah. It's impossible to separate what was "legit" energy use and what was from the oven, and it's not their fault you didn't turn it off anyway. And in the worst case, if your house burns down, it's STILL not their fault!

Commodity internet access is a one-size-fits-all game plan. At most, there's a second size, residential or business. But any user of either plan can be compared to any other user of the same plan, and the provider will treat them the same. It's too difficult, and doesn't pay, to try and treat them differently. The extra $10 a month isn't going to justify the $20 spent making the changes or talking to the person on the phone.

Rob Nelson [EMAIL PROTECTED]
Re: Points on your Internet driver's license (was RE: Even you can
> So you claim even the ISPs you ran yourself have never attempted to do
> any of these things?

the last access-side isp i had anything to do with running used uucp and shell and was just getting going on c-slip when i pushed off. (i assure that any rmail or rnews spam was grounds for suspension during my watch.) my last gig at a colo-side isp ended with me moving over to paix due to the board's discomfort over my policies toward certain colo-side customers (who have since improved, yay.)

> If you didn't do them, why do you think other people should?

so you aren't going to google for "chemical polluter business model", huh?
Re: Points on your Internet driver's license (was RE: Even you can
On Sat, 12 Jun 2004, Paul Vixie wrote:

> with all due respect, which is in fact waning due to your sarcastic attitude,
> none of those things have been done. oh, sure, various isp's have waved at
> those problems, and some have paid some lip service to them, but it has not
> been seriously tried, because there's no way to do insist on them and still
> make money. if you or any other isp seriously "Done."'d those things, then
> the few customers you'd have left would be very happy, and the rest of us who
> are not your customers would also be very happy with the lack of swill coming
> from your network.

So you claim even the ISPs you ran yourself have never attempted to do any of these things?

If you didn't do them, why do you think other people should?
Re: AboveNet major backbone issues
In a message written on Sat, Jun 12, 2004 at 01:02:54PM -0500, Edward Henigin wrote:

> Anyone have any more information? Leo?

We loaded some global config changes last night. Sometime after they were loaded BadThings(tm) happened. We're still working with vendors to find the exact causes and ensure that we don't have further problems going forward.

Things appear stable at this time, but we may have to make additional changes depending on what the vendors tell us to work around the issues involved. The plan is still evolving, and I'm not leading that charge so I have limited data at this time.

Customers who have problems should send in a traceroute (bidirectional if at all possible) to the usual support channels.

Sometimes you're the windshield, sometimes you're the bug.

--
Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
RE: AboveNet major backbone issues
Actually I'm not sure if it is related or not but Above.Net did have what they called a "Global Maintenance" window last night in order to configure MPLS.

And now that I see it, they did say "These changes will be transparent and will not involve routing interruptions." So it's probably something completely different. I mean who would actually jinx themselves with such a statement. :)

-Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jon Lewis
Sent: Saturday, June 12, 2004 1:56 PM
To: [EMAIL PROTECTED]
Subject: Re: AboveNet major backbone issues

Maybe they told him. :)

They don't say exactly what's broken, but Above.net did send out a notice

Date: Sat, 12 Jun 2004 10:11:27 -0700 (PDT)
Subject: Network Issues US & Europe ~12:03 EDT June 12, 2004
Re: Points on your Internet driver's license (was RE: Even you can be
> If we would properly follow the analogy above, ISPs should provide a
> "security fuse" which would disconnect the user when blown. Paul called
> this "cyberjail" if I follow his thoughts. All efforts above this should
> be charged separately or be part of "better general level of service".
> You can also charge for letting people out of the jail. Make it $50 or
> $100 a pop, not to be outrageous but justifiable.

Absolutely. Properly managing one's bandwidth needs to be less expensive than the penalty for abuse.

Adi
Re: Points on your Internet driver's license (was RE: Even you can be
Adi Linden wrote:

To compare this with the electricity company, the average home with a 200A service is equivalent to NATed and firewalled internet bandwidth. As your electricity demands grow (for whatever reason) the electricity company upgrades your service, to 3 phase, 600V, whatever. Same with internet bandwidth, get a public ip, get a static ip, get ports opened, run servers. Just as the upgraded electricity service requires more knowledge and equipment so does the upgraded internet bandwidth.

If we would properly follow the analogy above, ISPs should provide a "security fuse" which would disconnect the user when blown. Paul called this "cyberjail" if I follow his thoughts. All efforts above this should be charged separately or be part of "better general level of service". You can also charge for letting people out of the jail. Make it $50 or $100 a pop, not to be outrageous but justifiable.

Pete
Re: Points on your Internet driver's license (was RE: Even you can be
> That's like saying provide safe electricity. If someone has a toaster where
> the wire cracks and they electrocute themselves, or a hair dryer that isn't
> safe in the bathtub, do you complain that the electric company should
> provide safe electricity?

The problem with all the comparisons is what you are comparing. Your utility has an obligation to provide safe electricity. If you're holding your hair dryer while the utility company sends you 25,000 Volts instead of 120 Volts you should complain.

> How is bandwidth any different?

It is not any different.

> There is no "safe bandwidth". No matter how you look at it it's a two way
> communications and it's never going to be "safe" as far as the bandwidth
> goes, just like electricity is power and it's never going to be safe. It's
> the devices you plug in that need to be made safe.

Computers are devices that are supposed to magically do anything. If I purchase a computer to browse the web and send email I should be able to obtain "safe bandwidth" that provides web access and email.

To compare this with the electricity company, the average home with a 200A service is equivalent to NATed and firewalled internet bandwidth. As your electricity demands grow (for whatever reason) the electricity company upgrades your service, to 3 phase, 600V, whatever. Same with internet bandwidth, get a public ip, get a static ip, get ports opened, run servers. Just as the upgraded electricity service requires more knowledge and equipment so does the upgraded internet bandwidth.

Adi
Re: AboveNet major backbone issues
On Sat, 12 Jun 2004, Randy Bush wrote:

>
> >> it might be interesting to know how you determined this and what
> >> are "major worldwide backbone issues" in the sense of how they are
> >> defined and measured.
> > Maybe they told him. :)
>
> damn. and i really meant my question. a lot of researchers
> are investing a lot of effort into recognizing and sizing
> major network problems from general/external evidence, e.g.
> route-views, traces, ippm measurements, ...

So, would RIPE's RIS project or some of the other route monitoring projects have noticed this as well? What is a 'major backbone outage' versus a peering link bounce from their perspective? Could they/should they monitor and report to some 'central' place when these larger events happen? What's the cutoff from 'minor' to 'major' event?

-Chris
Re: AboveNet major backbone issues
Edward Henigin wrote:

It appears that AboveNet is having major worldwide backbone issues at the moment. We were seeing high latency from the US to Europe, and now some European routes are no longer being advertised to the US.

We are seeing those European routes again. Looks like the downtime for the European routes was from 11:00am to 12:15pm central time.

Anyone have any more information? Leo?

Ed
Re: Points on your Internet driver's license (was RE: Even you can be
> The problem with this is one of who pays for it.

The customer.

> You are talking about an environment where the newcomers and non-experts
> require significantly more intervention in how things are done and what they
> can do than the more experienced hands.

I am talking about an environment that applies significant filtering before packets are delivered to the customer. NAT, firewall, proxy I don't think it is all that difficult to do.

> Do you charge the newbies more to cover this level of protection, or do you
> spread the charges across your entire userbase to avoid impacting one
> segment?

This protection is a basic service. Opening ports, supplying a real ip address, removing the proxy are the add-on items that increase the cost of the connection.

> If you raise the prices for newbies then you will automatically have newcomers
> going for the cheaper, more "raw", service and negating any advantages you
> have to a tiered product set with protection at the bottom.

Raise the price of the "raw" service. Keeping in mind I am talking about broadband connections to homes and small offices, not bandwidth for larger organizations that should have an IT department.

> If you spread the charges then the users who require less handholding are
> going to get upset when their prices are hiked to cover functionality they
> will never use.

An ISP has a responsibility in regards of the packets transported. I get the impression that most ISPs prefer to be "packet movers". Move packets from point A to point B without monitoring, intervention or any other responsibilities or obligations. This is quite appropriate for an ISP serving corporate clients with large pipes, where IP space is assigned from the ISP to the client.

Once we're talking about providers that serve homes and small offices this should be different. The ISP holds the IP space so it should be held responsible for the packets originating from these IPs to some degree.

In other words, if I provide proof that ip w.x.y.z is the source of unsolicited email (these days probably because of a compromised host) I firmly believe that it is the ISP's responsibility to either provide contact information on who owns this IP and/or manage the traffic to eliminate the abuse.

I am convinced that the cost of looking after the "raw" clients will be much greater than the cost of providing "conditioned" bandwidth.

Adi
Re: AboveNet major backbone issues
On Sat, 12 Jun 2004, Randy Bush wrote:

>
> > It appears that AboveNet is having major worldwide backbone issues at
> > the moment. We were seeing high latency from the US to Europe, and now
> > some European routes are no longer being advertised to the US.
>
> it might be interesting to know how you determined this and what
> are "major worldwide backbone issues" in the sense of how they are
> defined and measured.

agreed, as a datapoint though, I noticed some things I monitor on above.net went unreachable several times while I was attempting to sleep in :)

-Chris
Re: AboveNet major backbone issues
>> it might be interesting to know how you determined this and what
>> are "major worldwide backbone issues" in the sense of how they are
>> defined and measured.
> Maybe they told him. :)

damn. and i really meant my question. a lot of researchers are investing a lot of effort into recognizing and sizing major network problems from general/external evidence, e.g. route-views, traces, ippm measurements, ...

randy
Re: AboveNet major backbone issues
On Sat, 12 Jun 2004, Randy Bush wrote:

>
> > It appears that AboveNet is having major worldwide backbone issues at
> > the moment. We were seeing high latency from the US to Europe, and now
> > some European routes are no longer being advertised to the US.
>
> it might be interesting to know how you determined this and what
> are "major worldwide backbone issues" in the sense of how they are
> defined and measured.

Maybe they told him. :)

They don't say exactly what's broken, but Above.net did send out a notice

Date: Sat, 12 Jun 2004 10:11:27 -0700 (PDT)
Subject: Network Issues US & Europe ~12:03 EDT June 12, 2004

I think someone was thinking faster than they were typing though.

At approximately 12:03 EDT widespread networking issues. This is causing networking issues through out our network. We are now diagnosing the problem. We do not know what caused the failure at this time.

Apparently networking issues are causing networking issues on their network. I hate it when that happens.

--
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
http://www.lewis.org/~jlewis/pgp for PGP public key
Re: AboveNet major backbone issues
> It appears that AboveNet is having major worldwide backbone issues at
> the moment. We were seeing high latency from the US to Europe, and now
> some European routes are no longer being advertised to the US.

it might be interesting to know how you determined this and what are "major worldwide backbone issues" in the sense of how they are defined and measured.

randy
AboveNet major backbone issues
It appears that AboveNet is having major worldwide backbone issues at the moment. We were seeing high latency from the US to Europe, and now some European routes are no longer being advertised to the US. Ed
Re: Points on your Internet driver's license (was RE: Even you can
[EMAIL PROTECTED] (Sean Donelan) writes:

> > in any other industry, you (the isp) would do a simple risk analysis
> > and start treating the cause rather than the symptom.
>
> What other industry do you know where you are expected to fix products
> you didn't sell and didn't cause for free?

risk management doesn't mean fixing other people's problems for free, it means building your business with knowledge of those problems, and making sure your business copes with them.

> You can't connect a Tivo or unauthorized device to your ISP connection,
> and ISP would remotely control all the devices on your home network to
> ensure they are patched and secure.
>
> Send me your root passwords. Trust me.

you should offer this service. most of us would urge our parents' generation to sign up for it. (i hope you weren't joking.)

> > for example you
> > might offer inbound filtering,
>
> Done. Effectiveness?
>
> > cleanup tools and services,
>
> Done. Effectiveness?
>
> > and you would put their computer in cyberjail when it was known to be
> > "infected",
>
> Done. Effectiveness?
>
> > and you would certainly not offer your services without a clear idea of
> > how to reach the customer and assist them in getting out of cyberjail
>
> Done. Effectiveness?
>
> > even if it meant rolling a technician.
>
> Done. Effectiveness?
>
> Been there, done that. Got any new ideas?

with all due respect, which is in fact waning due to your sarcastic attitude, none of those things have been done. oh, sure, various isp's have waved at those problems, and some have paid some lip service to them, but it has not been seriously tried, because there's no way to insist on them and still make money. if you or any other isp seriously "Done."'d those things, then the few customers you'd have left would be very happy, and the rest of us who are not your customers would also be very happy with the lack of swill coming from your network.

> People already think ISPs make money from infected computers and spammers.

only because i've been an insider at a couple of places where it was arguable.

> What incentive would there be for people to fix things instead of just paying
> them off?

i believe i mentioned doubling the forfeitable deposit on each verified incident.

> Is it Ok to spam, as long as you pay a lot? Is it Ok to leave an
> infected computer on the network, as long as you pay a lot? Haven't you
> just described what "bullet-proof" web hosting companies do?

i don't accept e-mail from rackspace.com or any of their customers, because this appears to be their business model. on http://www.vix.com/personalcolo/ i present what i call a "good internet neighborhood" model. a "bullet proof hosting" company wouldn't qualify, no matter what deposit they collected or how much customer equipment they had on-site.

> > alas. on the internet, nobody knows you're a dog.
>
> Regulations could fix that.

no, really, they couldn't. bad guys can cons up a new identity every week if that's what it takes to avoid driving with a bad internet driver's license.

> Most railroads have railroad police with jurisdiction anywhere the
> railroad tracks go. Some railroad police departments have trans-national
> jurisdiction in multiple countries.

several times i've suggested that only by upgrading this problem to the level of inter-national treaty, as has been done with other offenses like drugs and fraud and violence, will we begin to see the beginnings of "containment." you, sean, were party to at least one of those threads. perhaps you can do some homework and answer now what you didn't bother to answer then.

> Do we need an Internet Police with jurisdiction anywhere the Internet
> goes? Instead of waiting for the FBI to make a case, the ISP police
> could arrest people.
>
> Should ISPs be required to forward all their customer information and
> logs to the Department of Homeland Security (or other national
> equivalent) so they always know who is doing what. Would that solve the
> no one knows you're a dog problem?

no, it wouldn't. until the cost of creating new identities can be driven up, then nothing adhering to identity, such as reputation, will be of any real value in stopping repeat abusers.

a dsl or cable provider is in a unique position in this regard. you know who your customers are and you know where they live. as a favour to the rest of us, it would be a fine thing if you would take advantage of this position to cause a general increase in the reputation-level of your customers' IP addrs. whether you do that with deposits, truck rolls, filtering, cyberjails, weekly training seminars, and/or lawsuits against microsoft and apple, is your problem not ours, since you make the profit from these customers. how you remain profitable and competitive while managing these risks is also your problem, again since you make the profit from these customers. google for "chemical polluter business model" if you want more backgr
Re: Points on your Internet driver's license (was RE: Even you can be
Maybe I'm a little slow on the draw, but I've just now realized that we've come full circle, in a strange sort of way. 8 to 10 years ago the discussions were dominated by Karl D(1), where *everything* was defined as to whether it was "actionable" or not. Now the discussions are dominated by many people, acting like Karl D, where their view is solely based on whether their contract supports either what they do or don't do.

-mark

(1) Actual name not shown to avoid being sued.
Re: Points on your Internet driver's license (was RE: Even you can be
- Original Message -
From: "Adi Linden" <[EMAIL PROTECTED]>

> Provide a safe network connection. I believe an ISP should provide a safe
> environment to play, assuming the customer is innocent granny. Your
> average DSL network connection should be safe by default, so a default
> Win98 (or any other OS) can be connected without fear of compromise.

That's like saying provide safe electricity. If someone has a toaster where the wire cracks and they electrocute themselves, or a hair dryer that isn't safe in the bathtub, do you complain that the electric company should provide safe electricity?

How is bandwidth any different? There is no "safe bandwidth". No matter how you look at it it's a two way communications and it's never going to be "safe" as far as the bandwidth goes, just like electricity is power and it's never going to be safe. It's the devices you plug in that need to be made safe.

The only thing ISP's can do is damper bandwidth, try and limit feedback/flow rates so we don't have a single tree take out the electrical network in the northeast.

Geo.
Re: Points on your Internet driver's license (was RE: Even you can be
On Saturday 12 June 2004 14:53, Adi Linden wrote:

> > Been there, done that. Got any new ideas?
>
> Provide a safe network connection. I believe an ISP should provide a safe
> environment to play, assuming the customer is innocent granny. Your
> average DSL network connection should be safe by default, so a default
> Win98 (or any other OS) can be connected without fear of compromise.
>
> I really don't agree with the "Internet driver's license" concept as
> presented. It really is not an "Internet driver's license" but a
> "Microsoft Safe Operating License". A one fits all type arrangement. Who
> sets the standard?
>
> The plug that connects to the internet world needs to scale with the level
> of expertise of the user. This needs to include a beginners level for the
> clueless with safe email and safe browsing.
>

The problem with this is one of who pays for it. You are talking about an environment where the newcomers and non-experts require significantly more intervention in how things are done and what they can do than the more experienced hands. Do you charge the newbies more to cover this level of protection, or do you spread the charges across your entire userbase to avoid impacting one segment?

If you raise the prices for newbies then you will automatically have newcomers going for the cheaper, more "raw", service and negating any advantages you have to a tiered product set with protection at the bottom. If you spread the charges then the users who require less handholding are going to get upset when their prices are hiked to cover functionality they will never use.

The only real way to enforce product stratification on this scale where people are introduced safely and then educated and given more freedom is to enforce some kind of metric on what is a permissible clue level to move to the next stratum of service with less handholding. This means ISPs effectively having to vet all of their customers when they try to upsell.

The alternative to this is a multilateral "driving license" whereby simply having the piece of paper gets you the cheaper, rawer service.

If handholding was for everyone then AOL would be the only service provider and the rest of us wouldn't exist. None of the suits who run the companies represented here are going to do anything to impact their bottom line, so refusing to take customers on a skill basis isn't going to happen.

I don't really see that it's the ISPs job to make the net less frightening for the customers. It should be down to the OS vendors of whatever shape and the application vendors to ensure that their products are as secure as they can reasonably be which is not currently the case. What you are proposing with the "protect granny at all costs" approach is giving software vendors an excuse to code crappy product because there won't be any impact. Do you fancy subsidising Microsoft in the long term?

P.
Re: Points on your Internet driver's license (was RE: Even you can be
> Been there, done that. Got any new ideas?

Provide a safe network connection. I believe an ISP should provide a safe environment to play, assuming the customer is innocent granny. Your average DSL network connection should be safe by default, so a default Win98 (or any other OS) can be connected without fear of compromise.

I really don't agree with the "Internet driver's license" concept as presented. It really is not an "Internet driver's license" but a "Microsoft Safe Operating License". A one fits all type arrangement. Who sets the standard?

The plug that connects to the internet world needs to scale with the level of expertise of the user. This needs to include a beginners level for the clueless with safe email and safe browsing.

Adi
Re: Points on your Internet driver's license (was RE: Even you can be
Sean Donelan wrote:

and you would certainly not offer your services without a clear idea of how to reach the customer and assist them in getting out of cyberjail --

Done. Effectiveness?

If you do this and keep them there until they are fixed, your network should qualify as a good neighborhood and the influx of email into your abuse@ addresses should be minimal. Eventually they'd either clean up or move elsewhere. If the places to move to would be small enough in numbers, they could be filtered from the rest of the Internet.

Pete
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
- Original Message -
From: "Randy Bush" <[EMAIL PROTECTED]>
To: "Jonathan Nichols" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, June 11, 2004 3:32 PM
Subject: Re: Points on your Internet driver's license (was RE: Even you can be hacked)

> > http://lawandhelp.com/q298-2.htm
>
> while i am no fan of macdonalds, and a good case is made for
> their negligence, perhaps you should follow the advice at the
> bottom of that web page
>
> The most important message this case has for you, the
> consumer, is to be aware of the potential danger posed
> by your early morning pick-me-up.
>
> randy
>

Yep...and after 65 years (assuming she started drinking coffee at 16), "reasonable expectation" of the temperature comes to mind. I don't go to these kinds of places...has the temperature been climbing up in order to let you have a drinkable cup after (whatever you do) an hour?

--Michael
Re: Points on your Internet driver's license (was RE: Even you can be
On Sat, 12 Jun 2004, Paul Vixie wrote:

> in any other industry, you (the isp) would do a simple risk analysis
> and start treating the cause rather than the symptom.

What other industry do you know where you are expected to fix products you didn't sell and didn't cause for free?

Should we revoke Carterfone? You can't connect a Tivo or unauthorized device to your ISP connection, and ISP would remotely control all the devices on your home network to ensure they are patched and secure.

Send me your root passwords. Trust me.

> for example you
> might offer inbound filtering,

Done. Effectiveness?

> cleanup tools and services,

Done. Effectiveness?

> and you would put their computer in cyberjail when it was known to be
> "infected",

Done. Effectiveness?

> and you would certainly not offer your services without a clear idea of how
> to reach the customer and assist them in getting out of cyberjail --

Done. Effectiveness?

> even if it meant rolling a technician.

Done. Effectiveness?

Been there, done that. Got any new ideas?

> no. there should be a forfeitable deposit, plus a per-incident fee which is
> mostly to pay for the cost of monitoring and the cost of auditing the host
> to ensure that it complies with the isp's security policy before it can be
> reattached. the deposit can be refunded after N years of incident-free
> behaviour, and should be doubled after each verified incident.

How much are you willing to pay? The bank industry makes billions from late payments, overdrafts, charge backs. It makes banks a lot of money, and puts people in bankruptcy, but doesn't seem to be very good at teaching people to handle credit wisely.

People already think ISPs make money from infected computers and spammers. What incentive would there be for people to fix things instead of just paying them off? Is it Ok to spam, as long as you pay a lot? Is it Ok to leave an infected computer on the network, as long as you pay a lot? Haven't you just described what "bullet-proof" web hosting companies do?

How do we create incentives for people to want to buy more secure products? Why do people continue to buy Windows instead of Macs? Cars have a gas guzzler tax to encourage fuel efficiency; should Windows computers have a security guzzler tax to encourage security?

> > Should it be like points on your Internet driver's license? For the
> > first incident you have to attend 8-hour traffic school, for the second
> > incident in 12 months you have points put on your record and your
> > insurance rates go up. Too many points, and your Internet privileges are
> > revoked.
>
> alas. on the internet, nobody knows you're a dog.

Regulations could fix that. The US Postal Service has the Postal Inspection Service. They have jurisdiction anywhere the mail goes. The post office didn't create the Anthrax, they delivered the envelopes as addressed.

Most railroads have railroad police with jurisdiction anywhere the railroad tracks go. Some railroad police departments have trans-national jurisdiction in multiple countries.

Do we need an Internet Police with jurisdiction anywhere the Internet goes? Instead of waiting for the FBI to make a case, the ISP police could arrest people.

Should ISPs be required to forward all their customer information and logs to the Department of Homeland Security (or other national equivalent) so they always know who is doing what. Would that solve the no one knows you're a dog problem?
OT Re: Points on your Internet driver's license (was RE: Even you can be hacked)
> Or, go see the movie "Super Size Me" - you might just give up McDonald's
> entirely, reducing your risk of burns from their overheated coffee. :)

Haven't been in one in over 2 years - and not through any great principle, I just stopped. Odd how our tastes change with age ;-)

Peter