Re: Points on your Internet driver's license (was RE: Even you can
> Eventually all the bad customers end up with the same ISP, then filtering is as easy as running loose uRPF and filtering on their AS on input.

And that's why we can all safely dump anything from aol.com into /dev/null, right? ;)

Rob Nelson [EMAIL PROTECTED]
Re: Points on your Internet driver's license (was RE: Even you can
* [EMAIL PROTECTED] (Owen DeLong) [Sun 13 Jun 2004, 18:38 CEST]:
> I'd much rather see the people who don't pay for security get disconnected when abuse spews forth from their network. Then, they should have to clean up their site and pay a cleanup fee to get reconnected.

... To their new ISP, which they will very likely move to, after getting disconnected one time too many by their old one? After round three, this will have changed the current setup how? (Except that the then-negligent ISPs have ended up with all the income.)

-- Niels.
Re: Points on your Internet driver's license (was RE: Even you can be
8 to 10 years ago the discussions were dominated by Karl D(1), where *everything* was defined as to whether it was actionable or not. Googling for Karl Denninger and actionable only gets 30 hits but, oh the nostalgia of it all...

Check out http://www.denninger.net to see that he is still alive and kicking and protesting one thing or another.
Re: Points on your Internet driver's license (was RE: Even you can
Niels Bakker wrote:
> ... To their new ISP, which they will very likely move to, after getting disconnected one time too many by their old one? After round three, this will have changed the current setup how? (Except that the then-negligent ISPs have ended up with all the income.)

Eventually all the bad customers end up with the same ISP, then filtering is as easy as running loose uRPF and filtering on their AS on input.

Pete
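The mechanism Pete names, loose uRPF plus an AS-path filter on the BGP input side, worked through on a toy FIB. This is an added example, not code from the thread or from any router vendor: the prefixes, interface names and AS numbers are made up (64666 stands in for the AS that collected the abusive customers), and the allow_default knob is an assumption that mirrors the way real RPF implementations let you decide whether a default route satisfies the check.

```python
"""Strict vs loose uRPF and an AS-path input filter on a toy FIB.

Added example, not from the thread. Prefixes, interface names and AS numbers
below are constructed for illustration; 64666 plays the AS that collected
the abusive customers.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str        # egress interface, "Null0" for a blackhole route
    as_path: tuple    # AS_PATH as learned from BGP; () for connected/static


def net(s):
    return ipaddress.ip_network(s)


# Constructed FIB. Longest-prefix match decides which entry applies.
FIB = [
    Route(net("192.0.2.0/24"), "Gi0/1", ()),                # our customer
    Route(net("198.51.100.0/24"), "Gi0/2", (64500,)),       # clean peer
    Route(net("203.0.113.0/24"), "Gi0/2", (64500, 64666)),  # reached via the bad AS
    Route(net("0.0.0.0/0"), "Gi0/3", (64501,)),             # default via transit
]


def lookup(fib, addr):
    """Longest-prefix match for addr; None if nothing covers it."""
    addr = ipaddress.ip_address(addr)
    best = None
    for r in fib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_strict(fib, src, in_iface):
    """Strict mode: the best route back to src must point out the ingress interface.
    Catches spoofed sources but breaks on asymmetric routing, so it is a customer-edge tool."""
    r = lookup(fib, src)
    return r is not None and r.iface == in_iface and r.iface != "Null0"


def urpf_loose(fib, src, in_iface, allow_default=False):
    """Loose mode: src only has to be routable via some interface other than Null0.
    Whether a default route counts is a configuration knob on real routers
    (modelled here as allow_default); with it off, sources that only match the
    default are dropped, which is what makes "unroute the bad AS" effective."""
    r = lookup(fib, src)
    if r is None or r.iface == "Null0":
        return False
    if r.prefix.prefixlen == 0 and not allow_default:
        return False
    return True


def filter_as_path(routes, bad_as):
    """BGP input policy: refuse every route whose AS_PATH contains bad_as.
    Connected and static routes carry an empty path and are never dropped."""
    return [r for r in routes if bad_as not in r.as_path]


def blackhole(prefixes):
    """Static Null0 routes for prefixes that loose uRPF must drop even when a
    default route would otherwise cover them."""
    return [Route(net(p), "Null0", ()) for p in prefixes]


def demo():
    """Forwarding decisions (True = accept) for a handful of constructed packets."""
    clean = filter_as_path(FIB, 64666)
    hardened = clean + blackhole(["203.0.113.0/24"])
    return {
        "customer pkt on customer port, strict": urpf_strict(FIB, "192.0.2.10", "Gi0/1"),
        "customer addr from peer (spoof), strict": urpf_strict(FIB, "192.0.2.10", "Gi0/2"),
        "customer addr from peer (spoof), loose": urpf_loose(FIB, "192.0.2.10", "Gi0/2"),
        "bad-AS src, loose, before filter": urpf_loose(FIB, "203.0.113.5", "Gi0/2"),
        "bad-AS src, loose, after filter": urpf_loose(clean, "203.0.113.5", "Gi0/2"),
        "bad-AS src, loose, after filter, allow-default": urpf_loose(clean, "203.0.113.5", "Gi0/2", allow_default=True),
        "bad-AS src, loose, after filter + Null0": urpf_loose(hardened, "203.0.113.5", "Gi0/2", allow_default=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:50s} {'accept' if verdict else 'drop'}")
```

Two things the run makes visible that the one-line claim does not: loose uRPF never drops a spoofed address that is routable somewhere (only strict does that), and dropping the bad AS's routes at the BGP input does nothing for loose uRPF if a default route is allowed to satisfy the check, unless you also pin a Null0 route for the space.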
Re: Points on your Internet driver's license (was RE: Even you can be
* [EMAIL PROTECTED] ([EMAIL PROTECTED]) [Mon 14 Jun 2004, 12:20 CEST]:
> Check out http://www.denninger.net to see that he is still alive and kicking and protesting one thing or another.

Would you buy an anti-spam solution from a man that requires the inclusion of certain keywords in the subject in order to avoid getting trapped in his own spam filters?

-- Niels.

-- (from the bottom of www.denninger.net/democrat.htm, which is a load of trite anyway, ``Please insert the word advocacy or agree in the subject line of your message to avoid my spam filters.'')
Re: Points on your Internet driver's license (was RE: Even you can be
Wow he has changed and toned down a lot from those days

-Henry

--- [EMAIL PROTECTED] wrote:
> 8 to 10 years ago the discussions were dominated by Karl D(1), where *everything* was defined as to whether it was actionable or not. Googling for Karl Denninger and actionable only gets 30 hits but, oh the nostalgia of it all...
>
> Check out http://www.denninger.net to see that he is still alive and kicking and protesting one thing or another.
Re: Points on your Internet driver's license (was RE: Even you can
No... The negligent ISPs end up with all the abusing customers and have a hard time getting transit themselves. Eventually, you end up with two internets... One run by and for the abusers and negligent, one for everyone else. I have no problem with that.

Owen

pgpRbSMzhv6Mo.pgp
Description: PGP signature
Re: Points on your Internet driver's license (was RE: Even you can be
- Original Message -
From: Adi Linden [EMAIL PROTECTED]
> Clean internet is more than just valid IP datagrams to my IP address. If I connect to my ISP and do nothing beyond that, not a single packet, I expect to not receive any packets either. If I initiate a GET request to a web server I expect the web server's response to be returned unaltered. If I have an email account with my ISP I expect only valid email to be delivered to my email address. I consider this clean internet service from the perspective of the average home user.

Apply your phone analogy to this, you want a phone, but nobody on the planet should be allowed to call you unless you call them first. If you do call someone, they shouldn't be allowed to use improper language, if you also have voicemail, nobody who you don't want to hear from should be allowed to leave you a message.

So you want the phoneco to block inbound calls, install a voice recognition system to stop improper language, and manage your voicemail. You don't want phone service, you want a secretary. You should call your phone company and have them send one over right away, and don't forget to tell them you aren't going to pay more than the standard $30/month for the service..

George Roettger
Re: Points on your Internet driver's license (was RE: Even you can be
- Original Message -
From: Adi Linden [EMAIL PROTECTED]
> if I send an ISP reasonable proof that a broadband customer hits my mailserver with thousands of emails an hour I should be able to expect an immediate response. Not hours, days or weeks, minutes and the originating account should be shut down.

Great, next time you get shut down mid auction because the ISP trusts the log file I send him, remember you asked for it.

Geo.
Re: Points on your Internet driver's license (was RE: Even you can
Owen DeLong wrote:
> No... The negligent ISPs end up with all the abusing customers and have a hard time getting transit themselves. Eventually, you end up with two internets... One run by and for the abusers and negligent, one for everyone else. I have no problem with that.

There should be a twelve-step program for people like me who can't stay out of a discussion.

I think we are already on our way to a multiple-Internet world, with the CB-radio model of everybody shouting about all manner of stuff ranging from very useful to utter sewage (uttered sewage?), and the vpn model (note lowercase attempt at a generalizing term) of encrypted tunnels, firewall rules, DNSBLs, challenge-response, SPF, et alia. Implicit in the latter is a prior negotiation and rules-of-contact setting, meaning no contact via the Internet by parties unknown.

I wonder if a 500 kc-like calling channel with very tight and enforced rules will emerge somehow.

--
Requiescas in pace o email
Ex turpi causa non oritur actio
http://members.cox.net/larrysheldon/
Re: Points on your Internet driver's license (was RE: Even you can be
A response doesn't mean the ISP doesn't also investigate. Reasonable proof is reasonable proof. The logs are a good start, but, the ISP should review his own logs, and, check the currently active traffic patterns too. If there isn't any evidence, the ISP shouldn't shut the customer down. If the ISP can see continuing abuse, the ISP should shut the customer down. That's not unreasonable. That's what I'm asking for, and, what I understood Adi to be asking for in this case.

Owen

--On Sunday, June 13, 2004 6:34 PM -0400 Geoincidents [EMAIL PROTECTED] wrote:
> - Original Message -
> From: Adi Linden [EMAIL PROTECTED]
>> if I send an ISP reasonable proof that a broadband customer hits my mailserver with thousands of emails an hour I should be able to expect an immediate response. Not hours, days or weeks, minutes and the originating account should be shut down.
>
> Great, next time you get shut down mid auction because the ISP trusts the log file I send him, remember you asked for it.
>
> Geo.

--
If it wasn't crypto-signed, it probably didn't come from me.

pgpnoZQzgJNIM.pgp
Description: PGP signature
Re: Points on your Internet driver's license (was RE: Even you can
* [EMAIL PROTECTED] (Petri Helenius) [Mon 14 Jun 2004, 13:07 CEST]:
> Niels Bakker wrote:
>> ... To their new ISP, which they will very likely move to, after getting disconnected one time too many by their old one? After round three, this will have changed the current setup how? (Except that the then-negligent ISPs have ended up with all the income.)
>
> Eventually all the bad customers end up with the same ISP, then filtering is as easy as running loose uRPF and filtering on their AS on input.

Except that the majority of people may have ended up at such ISPs (note plural). Can you afford not to talk to them?

For how long did you stick with just UUCP after SMTP entered the scene?

-- Niels.
Re: Points on your Internet driver's license (was RE: Even you can
Niels Bakker wrote:
> Except that the majority of people may have ended up at such ISPs (note plural). Can you afford not to talk to them?

Majority of people living in bad neighborhoods would be news. I'll take sides if that happens.

> For how long did you stick with just UUCP after SMTP entered the scene?

We actually ran UUCP over telnet for quite a while after SMTP happened.

Pete
Re: Points on your Internet driver's license (was RE: Even you can
On Monday 14 June 2004 21:35, Petri Helenius wrote:
> Niels Bakker wrote:
>> Except that the majority of people may have ended up at such ISPs (note plural). Can you afford not to talk to them?
>
> Majority of people living in bad neighborhoods would be news. I'll take sides if that happens.
>
>> For how long did you stick with just UUCP after SMTP entered the scene?
>
> We actually ran UUCP over telnet for quite a while after SMTP happened.

I know of one ISP who, in the spirit of customer service, are still providing UUCP to two customers now who are still running Wildcat 4.x and Terminus on OS/2.

It's not dead yet, although many have tried to kill it.

P.
Re: Points on your Internet driver's license (was RE: Even you can
On Mon, 14 Jun 2004, Paul S. Brown wrote:
> On Monday 14 June 2004 21:35, Petri Helenius wrote:
>> Niels Bakker wrote:
>>> Except that the majority of people may have ended up at such ISPs (note plural). Can you afford not to talk to them?
>>
>> Majority of people living in bad neighborhoods would be news. I'll take sides if that happens.
>>
>>> For how long did you stick with just UUCP after SMTP entered the scene?
>>
>> We actually ran UUCP over telnet for quite a while after SMTP happened.
>
> I know of one ISP who, in the spirit of customer service, are still providing UUCP to two customers now who are still running Wildcat 4.x and Terminus on OS/2.

I think there might be another which still has 25 or so UUCP customers...

-Chris
Re: Points on your Internet driver's license (was RE: Even you can
Niels Bakker wrote:
> Except that the majority of people may have ended up at such ISPs (note plural). Can you afford not to talk to them?
>
> For how long did you stick with just UUCP after SMTP entered the scene?

* [EMAIL PROTECTED] (Christopher L. Morrow) [Mon 14 Jun 2004, 23:35 CEST]:
> I think there might be another which still has 25 or so UUCP customers...

And. Can they afford not to talk to any SMTP host? Or do they accept mail from those newfangled .COM sites not listed in any UUCP map?

Because that's at the heart of this argument, not whether some nostalgic folks still know what HDB stands for.

-- Niels (who has met Honeyman)
Re: Points on your Internet driver's license (was RE: Even you can
i support four sites uucp over tcp, and i don't really know why they want it. i support one with good old-fashioned dial-up pots uucp.

randy
Re: Points on your Internet driver's license (was RE: Even you can
On Mon, 14 Jun 2004, Niels Bakker wrote:
> Niels Bakker wrote:
>> Except that the majority of people may have ended up at such ISPs (note plural). Can you afford not to talk to them?
>>
>> For how long did you stick with just UUCP after SMTP entered the scene?
>
> * [EMAIL PROTECTED] (Christopher L. Morrow) [Mon 14 Jun 2004, 23:35 CEST]:
>> I think there might be another which still has 25 or so UUCP customers...
>
> And. Can they afford not to talk to any SMTP host? Or do they accept mail from those newfangled .COM sites not listed in any UUCP map?

good question, I assume that they MX to some mailbag place and just forward everything back over uucp to the same place.

> Because that's at the heart of this argument, not whether some nostalgic folks still know what HDB stands for.

This teaches me to jump in midstream on a topic I've been deleting for 5 days :(
Re: Points on your Internet driver's license (was RE: Even you can
> ... If we give some people an option to opt-out, most grandmothers will probably follow Paul's example and save the few bucks every month and not use the security features.
>
> Should ISPs charge for security like the Universal Service Fund fee on your telephone bill, everyone (not just grandmothers) has to pay it. The FCC (or your national equivalent) would set the rate every quarter, and it appears on everyone's ISP bill. You have to pay it, even if you already have other security.

i like the plan i suggested in reply to jcurran better than the above plan. however, i'm now seeing more spam from hosts in my private blackhole list, that's fed by a darkspace IDS running on ports 25 and 80, than i am from all of my dynamic/dialup blackhole list subscriptions combined. so, if an fcc-based universal tariff is the only way to get this done, i'm willing to pay -- even though i own the routers on both ends of my home t1.

--
Paul Vixie
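The logic of a darkspace sensor on ports 25 and 80 feeding a private blackhole list that an MTA then consults, as an added example. It is not Paul's setup and not code from the thread: the dark prefix, the log line format, the listing threshold, the TTL and every log line below are constructed assumptions. The one design point worth taking from it is the flags check, which keeps backscatter from spoofed-source attacks (SYN-ACKs and RSTs aimed at the dark space) from listing the victim instead of the scanner.

```python
"""Darkspace IDS feeding a blackhole list that an MTA consults.

Added example, not from the thread and not Paul Vixie's setup. The dark
prefix, log format, threshold, TTL and every log line are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: this /24 is routed to the sensor but hosts nothing, so any
# packet addressed into it is unsolicited by construction.
DARK = [ipaddress.ip_network("192.0.2.0/24")]
WATCH_PORTS = {25, 80}          # the two ports the message mentions
THRESHOLD = 3                   # distinct dark hosts probed before a source is listed
TTL = timedelta(days=7)         # how long a listing stays effective

# Constructed sensor log format: "<iso-time> <src> -> <dst>:<port> <tcp flags>"
LINE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) ([SARFP]+)$")


def parse(line):
    """One log line -> (timestamp, src, dst, port, flags), or None if malformed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, flags = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), flags


def in_dark_space(ip):
    a = ipaddress.ip_address(ip)
    return any(a in n for n in DARK)


def build_blackhole(lines):
    """Map src -> first-seen time for sources that sent bare SYNs to at least
    THRESHOLD distinct dark hosts on a watched port.

    Only flags == "S" counts. SYN-ACKs and RSTs landing in dark space are
    backscatter from attacks that spoofed the dark prefix as their source;
    the address on them belongs to a victim, and listing it would be exactly
    the false positive the rest of the thread complains about.
    """
    targets = defaultdict(set)
    first_seen = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, port, flags = rec
        if flags != "S" or port not in WATCH_PORTS or not in_dark_space(dst):
            continue
        targets[src].add(dst)
        first_seen.setdefault(src, ts)
    return {src: first_seen[src] for src, hosts in targets.items() if len(hosts) >= THRESHOLD}


def smtp_accept(blackhole, src, now):
    """MTA-side policy: refuse the connection while the listing is within TTL."""
    seen = blackhole.get(src)
    return seen is None or now - seen > TTL


# Constructed sensor output: one scanner, one single probe, one backscatter
# victim, one scanner on an unwatched port, one hit outside dark space, one
# malformed line.
SAMPLE_LOG = """
2004-06-14T12:00:01 203.0.113.9 -> 192.0.2.10:25 S
2004-06-14T12:00:01 203.0.113.9 -> 192.0.2.11:25 S
2004-06-14T12:00:02 203.0.113.9 -> 192.0.2.12:25 S
2004-06-14T12:00:02 203.0.113.9 -> 192.0.2.13:80 S
2004-06-14T12:05:00 198.51.100.5 -> 192.0.2.20:80 S
2004-06-14T12:06:00 198.51.100.77 -> 192.0.2.30:25 SA
2004-06-14T12:06:00 198.51.100.77 -> 192.0.2.31:25 SA
2004-06-14T12:06:01 198.51.100.77 -> 192.0.2.32:25 R
2004-06-14T12:07:00 198.51.100.8 -> 192.0.2.40:22 S
2004-06-14T12:07:00 198.51.100.8 -> 192.0.2.41:22 S
2004-06-14T12:07:00 198.51.100.8 -> 192.0.2.42:22 S
2004-06-14T12:08:00 198.51.100.9 -> 198.51.100.200:25 S
this line is garbage and must be skipped
""".strip().splitlines()


def demo():
    """Build the list from the constructed log and exercise the MTA check."""
    bh = build_blackhole(SAMPLE_LOG)
    now = datetime(2004, 6, 14, 13, 0, 0)
    return {
        "listed": sorted(bh),
        "scanner_refused": not smtp_accept(bh, "203.0.113.9", now),
        "scanner_refused_after_ttl": not smtp_accept(bh, "203.0.113.9", now + timedelta(days=8)),
        "backscatter_victim_accepted": smtp_accept(bh, "198.51.100.77", now),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:30s} {v}")
```

The threshold and TTL are policy, not detection: a single stray SYN into dark space is not evidence of much, and a listing that never expires is how a list ends up refusing mail from an address that was reassigned months ago.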
Re: Default Internet Service (was: Re: Points on your Internet driver's license)
>>> One could imagine changing the paradigm (never easy) so that the normal Internet service was proxied for common applications and NAT'ed for everything else... This wouldn't eliminate all the problems, but would dramatically cut down the incident rate. If a site wants wide-open access, just give it to them. If that turns out to cause operational problems (due to open mail proxies, spam origination, etc), then put 'em back behind the relays.
>>
>> guilty until proven innocent, eh? thanks mr ashcroft.
>
> Randy, are you objecting to the model for initial connectivity, or the throwing them back behind relays w/o a formal trial?

the former, see previous post about the e2e internet

if you can actually diagnose bad traffic, then you may have a right to act

randy
Re: Default Internet Service (was: Re: Points on your Internet driver's license)
On Sun, 13 Jun 2004, John Curran wrote:
> I'll argue that we don't have effective methods of dealing with this today, and it's not the lack of abuse desk people as much as the philosophy of closing barn doors after the fact. The idea that we can leave everything wide open for automated exploit tools, and then clean up afterwards manually with labor-intensive efforts is fundamentally flawed.

Selling people barn doors and barn door audits is easier than figuring out how the rustlers are getting the horses. The problem is the horses aren't being rustled(?) through the barn doors. If they were, you would expect to see a difference between barns with doors and barns without doors. But in practice, we see people with and without firewalls with infected computers.

Network level controls aren't as effective as some people hope at stopping many things. ISPs should stop porn, ISPs should stop music sharing, ISPs should stop viruses, ISPs should stop [insert here]. Yet somehow users manage to find a way around all of them.

What are good predictors? There aren't any great ones, but there are some. Can we use them effectively? So what makes some users more likely or less likely to have infected computers? How do they become infected, but other users don't? What's different between the two groups?
Re: Default Internet Service (was: Re: Points on your Internet driver's license)
On Sun, Jun 13, 2004 at 04:21:03AM +, Christopher L. Morrow wrote:
> We have methods of dealing with these abuse problems today, unfortunately as Paul Vixie often points out there are business reasons why these problems persist. Often the 'business' reason isn't the tin-foil-hat-brigade's reason so much as 'we can't afford to keep these abuse folks around since they don't make money for the company'.

One of the core skills required by an abuse desk person, and in particular an abuse team manager, is an ability to evangelise to higher management the business benefits of effective Acceptable Use Policy enforcement.

For example, how many legitimate prospective customers does the following:

    Found 187 SBL listings for IPs under the responsibility of mci.com
    Listings in yellow are known spam gangs with ROKSO records
    http://www.spamhaus.org/sbl/listings.lasso

cause to decide not to even consider you as a supplier of bandwidth and/or hosting services?

When one also factors into the equation the fact that spammers (of whatever type) tend historically to be bad payers, it is not unlikely that your apparent business related decision to provide safe haven to such folks is actually a cause of net revenue loss, not gain.

--
Anthony Edwards * [EMAIL PROTECTED]
Abuse Team Manager * Easynet UK Abuse Team
Easynet Ltd * DDI: 0161 227 0707
http://www.uk.easynet.net * Fax: 0845 333 4503
Re: Default Internet Service (was: Re: Points on your Internet driver's license)
At 6:31 AM -0400 6/13/04, Sean Donelan wrote:
> If they were, you would expect to see a difference between barns with doors and barns without doors. But in practice, we see people with and without firewalls with infected computers.

If you're asserting that having firewalls in the path doesn't have any impact on rate of infection, please provide a link to this data. Sure, I've even seen infected computers in rooms that don't (or should not have had) any connectivity, but that just means it is not a perfect world. Lots of things make it through firewalls (email-based worms come to mind) but from what I've seen they are quite effective at protecting networks of otherwise helpless comes-out-of-the-box-wide-open PC's.

/John
Re: Default Internet Service (was: Re: Points on your Internet driver's license)
At 6:31 AM -0400 6/13/04, Sean Donelan wrote:
> Network level controls aren't as effective as some people hope at stopping many things. ISPs should stop porn, ISPs should stop music sharing, ISPs should stop viruses, ISPs should stop [insert here]. Yet somehow users manage to find a way around all of them.

In a perfect world, ISPs shouldn't have to worry about content. There is no way to know whether the user wants a particular message and methods at guessing are always imperfect. Despite this, a lot of users would like their ISP to try to do their best to filter spam and viruses out of their mail stream, etc. It really should be a local issue but users ask, so the service appears.

However, distinguish content from access. Typical users, particularly in broadband residential connections, have no desire to have anyone remotely access their machine. The same is true with most small business customers. Upon arrival of their first Internet connection, the systems do not magically recognize that end-to-end now could be any endpoint in the Internet and install appropriate filters. Why doesn't it make sense to change the default model so that such are in place until the user demonstrates some understanding of the situation by asking them to be removed?

To add one more analogy to the mix, we blindly install on-ramps to the freeway to anyone who asks and certainly a few folks know what is in store once connected. However, the vast majority of ramps are connected to suburban driveways, skate board parks, and middle school playgrounds. It's amazing that we all act surprised when innocents get run over...

/John
Re: Points on your Internet driver's license (was RE: Even you can be
> The better analogy is what happens when you leave your oven on for 8 days straight? Assuming your house doesn't burn down, should you have to pay the electric bill for those 8 days? Hell yeah. It's impossible to separate what was legit energy use and what was from the oven, and it's not their fault you didn't turn it off anyway. And in the worst case, if your house burns down, it's STILL not their fault!

This had somewhat deviated from the original post and who is responsible for the bandwidth bill. When you buy a metered service, be it electricity, water, bandwidth, you pay what you use. It is not the supplier's responsibility to determine what you do with it and question your consumption. I think it is foolish to buy a metered service without ceiling and leave things wide open. When I buy metered bandwidth I demand a hard limit. If I reach this hard limit I expect to be notified and cut off. If my upstream neglects to cut me off, consumption above and beyond the hard limit is their burden since they didn't meet their contractual obligation. A simple solution.

> Commodity internet access is a one-size-fits-all game plan. At most, there's a second size, residential or business. But any user of either plan can be compared to any other user of the same plan, and the provider will treat them the same. It's too difficult, and doesn't pay, to try and treat them differently. The extra $10 a month isn't going to justify the $20 spent making the changes or talking to the person on the phone.

And that is a problem. Unlike your electricity, where the supplier has an obligation to provide a certain level of clean energy, there is nothing like it with internet bandwidth. All the crud and exploits are dutifully forwarded to the customer.

Some argue that clueful internet consumers are the answer. Prove your knowledge in being able to secure devices connected to the internet and maintain them properly. The Internet driver's license is proof of proficiency in this case.

I argue that this is way overboard. I don't believe anyone should require any particular knowledge to obtain an internet connection and use the internet. Instead internet needs to be available as a clean conditioned service for consumption by the clueless. The reason this isn't economical today is because ISPs lack any responsibility. It is cheaper for an ISP to buy more bandwidth and pass the worms and viruses customers' PCs spew to the internet than it is to deal with the problem.

Seriously, if I send an ISP reasonable proof that a broadband customer hits my mailserver with thousands of emails an hour I should be able to expect an immediate response. Not hours, days or weeks, minutes and the originating account should be shut down. If this doesn't happen I should be able to go to the upstream of the ISP, present my case, and have connectivity to the ISP suspended.

Adi
Re: Points on your Internet driver's license (was RE: Even you can be
--On Saturday, June 12, 2004 1:17 PM -0500 Adi Linden [EMAIL PROTECTED] wrote:
>> That's like saying provide safe electricity. If someone has a toaster where the wire cracks and they electrocute themselves, or a hair dryer that isn't safe in the bathtub, do you complain that the electric company should provide safe electricity?
>
> The problem with all the comparisons is what you are comparing. Your utility has an obligation to provide safe electricity. If you're holding your hair dryer while the utility company sends you 25,000 Volts instead of 120 Volts you should complain.

Right... And if my ISP started sending me IPX or VINES, I would complain. However, as long as what they are delivering is properly formed IP packets with destination addresses within my address ranges, then I have no complaint. They are delivering what I expect them to deliver.

> How is bandwidth any different?

It is not any different. So, we agree... As long as my ISP delivers IP, life is good. If they deliver IPX, I should complain.

>> There is no safe bandwidth. No matter how you look at it it's a two way communications and it's never going to be safe as far as the bandwidth goes, just like electricity is power and it's never going to be safe. It's the devices you plug in that need to be made safe.
>
> Computers are devices that are supposed to magically do anything. If I purchase a computer to browse the web and send email I should be able to obtain safe bandwidth that provides web access and email.

Put down the crack pipe before someone gets hurt. Computers are devices that are tools, just like hammers, power drills, telephones, chain saws, and weed whackers. If you want a computer that is safe to browse the web and receive mail, you should buy a computer with an appropriate configuration to support that. Expecting your ISP to change the internet to suit your desires is like expecting the power company to provide you with 50 cycle power because you happened to buy an electric drill that came from Europe instead of one which was designed for the US electrical system. (US power is 60 cycles, Europe is 50).

If you use tools, you can get hurt if you don't take appropriate safety precautions. You don't expect the hardware store to make it impossible for you to hit your thumb with the hammer. You don't expect the power company to make it impossible for you to drill a hole in your foot with your electric drill. You don't expect the phone company to make it impossible for you to make a crank call, and, you don't expect the hardware store to make it impossible for you to saw off your leg with the chain saw. Why do you expect your ISP to make it impossible for your improper use of an incorrectly configured computer to get hacked, misused, etc.?

> To compare this with the electricity company, the average home with a 200A service is equivalent to NATed and firewalled internet bandwidth. As your electricity demands grow (for whatever reason) the electricity company upgrades your service, to 3 phase, 600V, whatever. Same with internet bandwidth, get a public ip, get a static ip, get ports opened, run servers. Just as the upgraded electricity service requires more knowledge and equipment so does the upgraded internet bandwidth.

Sorry... I don't agree. The average home with a 200A service is perfectly capable of using that electricity to power any electrical device they wish up to that load. 200A service is equivalent to DSL, but, nothing in that 200A service prevents me from running a toaster, microwave, or refrigerator. Nothing in that 200A service limits me to a television and a clock-radio. NATed Firewalled internet service would be equivalent to electrical service that would only work with televisions and clock-radios, but, would disable any attempt to run a microwave, refrigerator, toaster, or night-light. I certainly don't want that from my electric company, and, I don't want my internet screwed up that way either.

600A three phase is about bigger bandwidth, not different services. True, there are devices that require three phase power, but, if they don't require more power than is available in a 200A 220V service, guess what, they can be run off of household service by using a transformer to convert the household service to 3phase and handle the voltage conversion as well. A transformer is a simple, and, generally inexpensive device which the user could even make themselves if they so desired (although I don't recommend this). To continue the analogy, 200A 220V household service is like DSL or Cable. 600A 208V three phase is like a T1. 2000A 7KV three phase is like a DS3. To the best of my knowledge, all of these services can be made to work with any electrical device that doesn't require more power (bandwidth) than the service can deliver.

Owen

--
If it wasn't crypto-signed, it probably didn't come from me.

pgpxsndsPSCl2.pgp
Description: PGP signature
Re: Points on your Internet driver's license (was RE: Even you can be
On Sun, Jun 13, 2004, Adi Linden wrote:
> The reason this isn't economical today is because ISPs lack any responsibility. It is cheaper for an ISP to buy more bandwidth and pass the worms and viruses customers' PCs spew to the internet than it is to deal with the problem.
>
> Seriously, if I send an ISP reasonable proof that a broadband customer hits my mailserver with thousands of emails an hour I should be able to expect an immediate response. Not hours, days or weeks, minutes and the originating account should be shut down. If this doesn't happen I should be able to go to the upstream of the ISP, present my case, and have connectivity to the ISP suspended.

Then, start an ISP, charge extra for that kind of maintenance and compete in the marketplace. See how it works out. I wish you the best of luck, I really do.

Secondly, I WANT my ISP to require more than just some third party saying "holy crap, someone's spitting out crap at me. Suspend!". Obviously you've not been handed Norton Personal firewall logs which CONCLUSIVELY PROVE, as far as the user is concerned, that MY SQUID reverse proxy server is spewing out INVALID TCP FLAGS. Not that they could possibly comprehend what the hell Invalid TCP flags are with the help Norton gives.

I've seen ISPs get friendly emails from people who say that they've been hacked by ${FOO}, received nasty email from ${FOO}, all kinds of crazy stuff. I'd hate to have my internet connection disabled every week because some random person decides I'm doing something illegal.

I can understand your point of view. Personally, I'd love it if internet access was a simple, secure, managed commodity. But it isn't. There are far, far too many factors involved which you just Don't Get with water or electricity networks. Specifically, the things you hook up to your electricity or water network are government controlled with government guidelines. There are strict penalties for those who break the rules and there are licences for those who work on them.

I don't see any of this with the internet. You can hook Anything you want up to an internet connection and have it work if it has a relatively recent (1990?) TCP/IP stack. There's no _specific_ guidelines on what can and can't be connected. The ISP has _no_ legal basis in a lot of cases for terminating accounts when we (being the people making noise on this list) would hope they would. If they do, they possibly expose themselves legally. Can you imagine the SOHO owner who screams because he's lost revenue because you shut down his internet connection for a worm? Even if you have a bullet proof AUP you may still end up having to deal with lawyers and possibly some court time.

So, please explain again, why should an ISP get involved right now?

$AUD0.02.

Adrian

--
Adrian Chadd                    I'm only a fanboy if
[EMAIL PROTECTED]               I emailed Wesley Crusher.
Re: Default Internet Service (was: Re: Points on your Internet driver's license)
I fully expect my ISP to turn me off if my site starts spewing abuse. However, until that happens, I expect my ISP to deliver any valid IP datagram destined for me, and, I expect them to deliver any valid IP datagram I send out, at least to the next AS in the path to the destination. If they turn me off for spewing abuse, I expect them to immediately contact me and provide as much information as they have about the nature of the problem. I expect that it is my responsibility to identify and correct the problem, notify my ISP, and wait a reasonable amount of time (possibly as much as 24-48 hours) for them to turn me back on. So far, this hasn't been a problem.

Owen

--On Saturday, June 12, 2004 9:54 PM -0400 John Curran [EMAIL PROTECTED] wrote:
> The real challenge here is that the default Internet service is wide-open Internet Protocol, w/o any safeties or controls. This made a lot of sense when the Internet was a few hundred sites, but is showing real scaling problems today (spam, major viruses, etc.)
>
> One could imagine changing the paradigm (never easy) so that the normal Internet service was proxied for common applications and NAT'ed for everything else... This wouldn't eliminate all the problems, but would dramatically cut down the incident rate. If a site wants wide-open access, just give it to them. If that turns out to cause operational problems (due to open mail proxies, spam origination, etc), then put 'em back behind the relays.
>
> /John

--
If it wasn't crypto-signed, it probably didn't come from me.

pgp3pxQGoDWuh.pgp
Description: PGP signature
Re: Points on your Internet driver's license
At 9:02 AM -0700 6/13/04, Owen DeLong wrote:
> 600A three phase is about bigger bandwidth, not different services. True, there are devices that require three phase power, but, if they don't require more power than is available in a 200A 220V service, guess what, they can be run off of household service by using a transformer to convert the household service to 3phase and handle the voltage conversion as well. A transformer is a simple, and, generally inexpensive device which the user could even make themselves if they so desired (although I don't recommend this). To continue the analogy, 200A 220V household service is like DSL or Cable. 600A 208V three phase is like a T1. 2000A 7KV three phase is like a DS3. To the best of my knowledge, all of these services can be made to work with any electrical device that doesn't require more power (bandwidth) than the service can deliver.

In most states, the power company cannot connect service to a home or business until it has been inspected by a building inspector... This is to keep the number of fried customers to the lowest possible value. And yes, it is possible to do your own power box work, but expect the inspector to be very thorough if you aren't also a licensed electrician.

So, who's checking these local LANs to make sure they don't melt or burst into flame once hooked up?

/John
Re: Default Internet Service (was: Re: Points on your Internet driver's license)
Sean... Bigger and more important questions than How do you make sure your users only access safe content? are: 1. Should you? It is very hard for me to distinguish this from censorship in my mind. No, I'm not saying malware doesn't violate community standards of decency. However, so do obscene phone calls. TPC is not expected to block all obscene phone calls. They are expected to assist in the investigation and termination of repeated abuse. I think ISPs should be held to that same standard. Anything more treads a slippery slope. 2. Who defines safe content? Is porn safe? Is freeapp (with its well-known spyware and other adjuncts) safe? Is peer-to-peer safe, with its well-known tendency to support copyright infringement? Is the web safe, given the various malware ActiveX components, JavaScript bugs in browsers, etc.? I like deciding for myself what risks I will take. I really don't want my ISP making those choices for me. Owen
Re: Points on your Internet driver's license (was RE: Even you can
I'd much rather see the people who don't pay for security get disconnected when abuse spews forth from their network. Then, they should have to clean up their site and pay a cleanup fee to get reconnected. Perhaps what is needed is a reporting agency, similar to the credit reporting agencies, where ISPs can register chronic problem-customers. Eventually, your internet credit rating deteriorates to the point that no ISP will offer you service. Owen
Re: Points on your Internet driver's license (was RE: Even you can
[EMAIL PROTECTED] (Owen DeLong) writes: Perhaps what is needed is a reporting agency, similar to the credit reporting agencies, where ISPs can register chronic problem-customers. Eventually, your internet credit rating deteriorates to the point that no ISP will offer you service. it is with some discomfort that i watch the last decade or so of ultimate final solutions to spam be rediscovered on a sleepy nanog weekend. the reason the above analogy fails to hold (and why that proposal isn't a solution) is that credit reporting agencies have an established standard for what bad is -- days overdue on payments. there is no similar standard for a tcp/ip endsystem, and there can be none. a week doesn't go by without some goober-with-firewall complaining that f-root is portscanning him. as112 gets it every day at least two or three times. someone else here reports that his squid proxy is regularly reported by norton's tools because it sets unusual bits in the tcp header. and so on. -- Paul Vixie
Re: Points on your Internet driver's license (was RE: Even you can be
The reason this isn't economical today is because ISPs lack any responsibility. It is cheaper for an ISP to buy more bandwidth and pass the worms and viruses customers' PCs spew to the internet than it is to deal with the problem. Seriously, if I send an ISP reasonable proof that a broadband customer hits my mailserver with thousands of emails an hour I should be able to expect an immediate response. Not hours, days or weeks, minutes, and the originating account should be shut down. If this doesn't happen I should be able to go to the upstream of the ISP, present my case, and have connectivity to the ISP suspended. Then, start an ISP, charge extra for that kind of maintenance and compete in the marketplace. See how it works out. I wish you the best of luck, I really do. Today ISPs are not held accountable for the traffic that originates from their network. If they were the economics would be different. Support costs for wide open broadband connections to the home would skyrocket. I am convinced that providing a safe internet connection to the home user would be quite viable at this point. I can understand your point of view. Personally, I'd love it if internet access was a simple, secure, managed commodity. But it isn't. Correct. The answer is to make it a simple, secure, managed commodity. Not to demand that granny has a degree to send and receive email. The ISP has _no_ legal basis in a lot of cases for terminating accounts when we (being the people making noise on this list) would hope they would. If they do, they possibly expose themselves legally. Can you imagine the SOHO owner who screams because he's lost revenue because you shut down his internet connection for a worm? Even if you have a bullet proof AUP you may still end up having to deal with lawyers and possibly some court time. Correct. Today there is less hassle and less risk to an ISP if pollution by their customers is just ignored and allowed to happen. The penalties for polluting are non-existent.
The internet is a commodity supplied to customers. As such an ISP should have an obligation to supply it as clean and secure as possible. As much as the customer has an obligation to ensure that internet connected devices do not pollute the internet, so does the ISP have an obligation not to pass this pollution to customers. So, please explain again, why should an ISP get involved right now? Because it is the right place to start. It is just lacking incentive. Adi
Re: Points on your Internet driver's license (was RE: Even you can be
And that is a problem. Unlike your electricity, where the supplier has an obligation to provide a certain level of clean energy, there is nothing like it with internet bandwidth. All the crud and exploits are dutifully forwarded to the customer. Clean internet service is internet service that delivers only valid IP datagrams. Most internet service is clean internet service. Any internet service that looks above layer 3 to make forwarding decisions is not clean internet service. I argue that this is way overboard. I don't believe anyone should require any particular knowledge to obtain an internet connection and use the internet. Instead internet needs to be available as a clean conditioned service for consumption by the clueless. I agree that the IDL is overboard. I even agree with your second sentence. Consumers need to demand software which does not support these exploits from their software vendors. That is the real solution. The internet is a transport, just like the phone line coming into your home. Nothing prevents someone from making an obscene phone call to your house. The most common problem software today is like having a telephone that won't let you hang up on the prank caller, then, demanding that the phone company prevent those calls from coming in the first place. Problem is that people understand that TPC can't tell a prank call from a legitimate one, but, for some reason, they expect ISPs to be able to magically tell whether this HTTP session is an exploit while this other one isn't. The reason this isn't economical today is because ISPs lack any responsibility. It is cheaper for an ISP to buy more bandwidth and pass the worms and viruses customers' PCs spew to the internet than it is to deal with the problem. Seriously, if I send an ISP reasonable proof that a broadband customer hits my mailserver with thousands of emails an hour I should be able to expect an immediate response.
Not hours, days or weeks, minutes, and the originating account should be shut down. If this doesn't happen I should be able to go to the upstream of the ISP, present my case, and have connectivity to the ISP suspended. The reason is that the ISPs can't tell the exploits from the legitimate traffic in most cases, and, even if they did, do you really want ISPs making value judgements about content on behalf of their users? That's a really bad model. It's just not good for innovation, free speech, mom, or apple pie. Yes, ISPs should investigate abuse complaints and immediately disconnect users that are spewing abuse. Yes, this needs to happen more consistently and more rapidly. However, content filtration at the ISP level is not a solution, it's just a different problem. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
yo, sean!! (Re: Points on your Internet driver's license (was RE: Even you can be)
[EMAIL PROTECTED] (Adrian Chadd) writes: ... I WANT my ISP to require more than just some third party saying holy crap, someone's spitting out crap at me. Suspend!. Obviously you've not been handed Norton Personal firewall logs which CONCLUSIVELY PROVE, as far as the user is concerned, that MY SQUID reverse proxy server is spewing out INVALID TCP FLAGS. ... the list below (which is sean's /12, the one that contains the /19 i reported on earlier) is of hosts who connected to an ip address that has no dns pointing to it and delivered well-known malware matching some kind of pattern. mostly they're probing to see if i'm running a microsoft web server by trying to overflow one of its buffers and put executable code on my stack. i think it's safe to say that if i present sean with evidence that this occurred, he ought to immediately disco that customer and then, when the customer calls, fines or training should be demanded, along with auditing before reconn -- and the fines should be progressive, with deposits. note the LIMIT 500 which keeps this list from containing the other many tens of thousands of infected hosts on just one of sean's /12 blocks. and note that i'm now displaying the span from oldest to newest as days and sorting by it. the ones at the top of the list have been attacking me the longest. ties in days are broken by looking at the number of times they have attacked me during that span. sean, i really think there's a problem and that the river looks better upstream of your factory than downstream. and if you weren't making so much money from my pain, i wouldn't keep harping about this, really, i wouldn't. if you'd like this report without the LIMIT 500 clause, and for all of your netblocks rather than just this /12, send me the list. i don't promise not to blackhole them all, but i will give you the report.
since i also save the http payloads, i can give you those as well, but i confess i can't think of a format for the two or three dvd-roms they'd fit on.

---

SELECT MIN(DATE(entered)) AS began,
       MAX(DATE(entered)) - MIN(DATE(entered)) + 1 AS days,
       srcaddr,
       COUNT(srcaddr) AS count
  FROM trans
 WHERE srcaddr << '63.192.0.0/12'
 GROUP BY srcaddr
 ORDER BY days DESC, count DESC
 LIMIT 500;

   began    | days |    srcaddr     | count
------------+------+----------------+-------
 2002-12-16 |  542 | 63.203.75.13   |     8
 2002-12-14 |  534 | 63.204.134.249 |     3
 2002-11-07 |  533 | 63.199.230.184 |     2
 2002-12-18 |  531 | 63.204.119.190 |     6
 2002-12-15 |  530 | 63.204.250.99  |     2
 2002-12-22 |  523 | 63.196.6.209   |    33
 2002-11-11 |  522 | 63.204.179.129 |     2
 2002-12-11 |  520 | 63.199.200.60  |    49
 2002-11-10 |  515 | 63.199.61.90   |   147
 2002-12-17 |  515 | 63.202.172.46  |     3
 2002-12-11 |  513 | 63.207.61.138  |    17
 2002-12-12 |  513 | 63.207.252.60  |    17
 2002-12-17 |  513 | 63.207.142.25  |    16
 2002-12-18 |  513 | 63.203.76.76   |     2
 2002-12-17 |  512 | 63.206.139.252 |    11
 2002-12-12 |  509 | 63.199.230.148 |     7
 2002-12-18 |  509 | 63.204.133.195 |     2
 2002-12-16 |  509 | 63.199.241.16  |     2
 2002-12-16 |  506 | 63.196.240.192 |     8
 2002-12-11 |  504 | 63.202.127.13  |   202
 2002-12-13 |  503 | 63.202.127.14  |    18
 2003-01-16 |  501 | 63.206.139.27  |     8
 2002-12-23 |  499 | 63.205.196.100 |    17
 2002-12-18 |  499 | 63.205.138.164 |     3
 2003-01-19 |  498 | 63.202.109.53  |     2
 2002-12-11 |  496 | 63.196.189.88  |     2
 2002-12-14 |  491 | 63.202.248.34  |   114
 2003-01-06 |  488 | 63.204.107.197 |    25
 2002-12-20 |  487 | 63.196.6.126   |    33
 2002-12-19 |  486 | 63.206.194.9   |     3
 2003-01-08 |  486 | 63.199.245.255 |     2
 2003-01-17 |  485 | 63.200.36.71   |     8
 2003-02-02 |  484 | 63.207.60.154  |    17
 2003-01-13 |  484 | 63.199.245.209 |    11
 2002-12-17 |  484 | 63.205.185.38  |     2
 2002-12-05 |  484 | 63.201.26.94   |     2
 2002-12-26 |  483 | 63.199.245.182 |     3
 2002-12-17 |  483 | 63.205.185.125 |     3
 2003-02-04 |  481 | 63.207.140.93  |    49
 2003-01-08 |  480 | 63.203.207.119 |    17
 2003-01-13 |  480 | 63.202.21.72   |    13
 2003-01-18 |  480 | 63.204.249.143 |     3
 2002-12-15 |  479 | 63.207.142.24  |     8
 2003-01-15 |  479 | 63.201.201.252 |     2
 2003-01-17 |  478 | 63.196.242.191 |     3
 2002-12-19 |  478 | 63.205.197.54  |     3
 2002-12-10 |  477 | 63.202.49.254  |  1151
 2002-12-11 |  477 | 63.207.253.244 |    81
 2002-12-12 |  476 | 63.206.88.122  |    30
 2002-12-16 |  476 | 63.207.140.162 |     5
 2002-12-11 |  473 | 63.203.159.240 |    25
 2003-02-09 |  473 | 63.199.201.84  |    17
 2002-12-28 |  473 | 63.207.14.157  |    17
 2002-12-22 |  473 | 63.207.61.234  |    17
 2002-12-15 |  473 | 63.199.241.223 |     2
 2002-12-15 |  472 | 63.196.6.184   |    22
 2003-02-11 |  472 | 63.207.253.53  |    17
 2003-01-16 |  471 | 63.205.184.153 |     2
 2002-12-17 |  470 | 63.207.129.175 |     5
 2003-01-17 |  469 |
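The per-source report in the post above (first sighting, inclusive span in days, hit count, restricted to one prefix, sorted by span then count) is a useful shape for any abuse-evidence log. The following is an added example, not code from the post or from any of the participants: it implements the same aggregation in Python over an in-memory list of constructed (date, source address) records instead of a `trans` table, with the prefix and the LIMIT value as parameters. The prefix-containment test uses the standard library's `ipaddress` module, which is the in-process equivalent of the PostgreSQL `inet << cidr` operator; the tiebreak on address is an addition so that output order is deterministic.

```python
"""Per-source summary of probe-log records, mirroring the SQL in the post.

Added example, not the poster's code. Records, prefix and limit are
constructed here; in the post the rows live in a table called 'trans'.
"""
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed sample records: (date entered, source address). The two
# 10.1.2.3 rows sit outside the prefix and must be filtered out.
SAMPLE_RECORDS = [
    ("2002-12-16", "63.203.75.13"),
    ("2004-06-09", "63.203.75.13"),
    ("2002-12-17", "63.196.6.209"),
    ("2003-06-01", "63.196.6.209"),
    ("2004-06-10", "63.196.6.209"),
    ("2002-12-18", "63.204.119.190"),
    ("2004-06-10", "63.204.119.190"),
    ("2004-06-01", "63.207.61.138"),
    ("2003-03-01", "10.1.2.3"),
    ("2003-03-02", "10.1.2.3"),
]


def summarize(records, prefix, limit=500):
    """Return up to `limit` rows of (began, days, srcaddr, count).

    `days` is inclusive (last - first + 1), exactly as the SQL computes it.
    Only addresses inside `prefix` are kept, which is what the PostgreSQL
    `inet << cidr` test does. Rows are ordered by days DESC, count DESC;
    ties beyond that are broken by address so the result is deterministic
    (the SQL leaves that order unspecified).
    """
    net = ipaddress.ip_network(prefix)
    seen = defaultdict(list)
    for entered, src in records:
        addr = ipaddress.ip_address(src)
        if addr in net:
            seen[addr].append(date.fromisoformat(entered))
    rows = []
    for addr, dates in seen.items():
        first, last = min(dates), max(dates)
        rows.append((first.isoformat(), (last - first).days + 1,
                     str(addr), len(dates)))
    rows.sort(key=lambda r: (-r[1], -r[3], ipaddress.ip_address(r[2])))
    return rows[:limit]


def render(rows):
    """Format rows in the psql style used in the post, for an abuse report."""
    lines = ["   began    | days |    srcaddr      | count",
             "------------+------+-----------------+-------"]
    for began, days, src, count in rows:
        lines.append(f" {began} | {days:>4} | {src:<15} | {count:>5}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_RECORDS, "63.192.0.0/12")))
```

With the constructed records, two sources tie at 542 days and the one with more hits is listed first; the single-hit source shows why the span is inclusive (one sighting is one day, not zero).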
Re: Points on your Internet driver's license (was RE: Even you can
Paul, Actually, credit agencies don't have a single standard for what bad is; they are obligated to only keep factual data (as can be best determined) in the files. When you cause a credit report to be checked, one or more algorithms are used to score your credit, but the algorithm used is up to the particular inquirer and credit bureau. It's not that hard to make this one work for spammers, but you need some key pieces to all be in place: 1. Common definition for what information is kept 2. ISPs need customer contracts which allow reporting of incidents and terminations to any/all such bureaus 3. ISPs need to figure out how to handle a new site which has no listings. Spammers already figured out that some ISPs do DB credit checks, and have gotten very good at appearing as a new startup a week later. /John At 4:50 PM + 6/13/04, Paul Vixie wrote: [EMAIL PROTECTED] (Owen DeLong) writes: Perhaps what is needed is a reporting agency, similar to the credit reporting agencies, where ISPs can register chronic problem-customers. Eventually, your internet credit rating deteriorates to the point that no ISP will offer you service. it is with some discomfort that i watch the last decade or so of ultimate final solutions to spam be rediscovered on a sleepy nanog weekend. the reason the above analogy fails to hold (and why that proposal isn't a solution) is that credit reporting agencies have an established standard for what bad is -- days overdue on payments. there is no similar standard for a tcp/ip endsystem, and there can be none. a week doesn't go by without some goober-with-firewall complaining that f-root is portscanning him. as112 gets it every day at least two or three times. someone else here reports that his squid proxy is regularly reported by norton's tools because it sets unusual bits in the tcp header. and so on. -- Paul Vixie
Re: Points on your Internet driver's license (was RE: Even you can be
: : My arguments are in respect to broadband connections to homes and offices : without IT department, firewalls or cluefulness. If you own your own IP : space you'd be considered an ISP, buying transit rather than broadband : home DSL. What the physical wire looks like the service is delivered on : really doesn't matter. : : If I see your ip space bombarding my mail server I can trace its origin. I : can contact you and request to fix the problem. If you ignore me, refuse : to fix the problem I can contact your upstream. Your upstream should then : have a responsibility to resolve the issue including suspension of : service if my claims are valid and breach AUP. : : Adi : : : I don't understand why you single out the SOHO and individuals as being in need of control when I read on many lists, the IT departments of many very large networks continually post their reasons NOT to keep their systems up to date with patches, etc. What ISP would DARE to terminate or suspend their service? For instance, a recent worm invasion took down several airline reservations systems. Took down several Air Traffic Control Servers. This is not to mention compromises attributable to many large university systems. These are problems that the IT departments were made aware of well in advance but did not act to secure their own systems. Who do you blame here? What ISP would DARE to suspend their service, demand a fine, and require a system/network audit before restoring service? What this means is that all this diatribe, finger pointing, blame someone else conversation is just that, conversation. Until the TCP/IP stack is reinvented to prevent spoofing, and senders are positively, quickly and reliably tracked down, the responsibility to secure your own network is your responsibility and none other. I notice no one is blaming the person/persons who propagate these compromises whether by intent or by error.
And there are those who defend protecting the home turf but I consider that negligence and ludicrous. One must choose whether to have their computers and networks sitting out in the front yard with access to all, or keeping them not only inside, but even in a secure location inside. There are those that feel that an unsecured system is anybody's target without risk, and there are those who feel their children should be allowed to play unsupervised anywhere without risk. My suggestion is to do a reality check and assume responsibility where you can.
Re: Points on your Internet driver's license (was RE: Even you can
As I said earlier in private mail to John, I think this will only work if the reporting is done on individuals, not companies. For non-corporate business entities, the president of the company should be used as a stand-in for the company. For corporate business entities, the CEO or chairman of the board should be used. I'm betting that spammers will rapidly run out of people willing to forego future internet access in the name of continuing their business fairly rapidly. Owen --On Sunday, June 13, 2004 1:14 PM -0400 John Curran [EMAIL PROTECTED] wrote: Paul, Actually, credit agencies don't have a single standard for what bad is; they are obligated to only keep factual data (as can be best determined) in the files. When you cause a credit report to be checked, one or more algorithms are used to score your credit, but the algorithm used is up to the particular inquirer and credit bureau. It's not that hard to make this one work for spammers, but you need some key pieces to all be in place: 1. Common definition for what information is kept 2. ISPs need customer contracts which allow reporting of incidents and terminations to any/all such bureaus 3. ISPs need to figure out how to handle a new site which has no listings. Spammers already figured out that some ISPs do DB credit checks, and have gotten very good at appearing as a new startup a week later. /John At 4:50 PM + 6/13/04, Paul Vixie wrote: [EMAIL PROTECTED] (Owen DeLong) writes: Perhaps what is needed is a reporting agency, similar to the credit reporting agencies, where ISPs can register chronic problem-customers. Eventually, your internet credit rating deteriorates to the point that no ISP will offer you service. it is with some discomfort that i watch the last decade or so of ultimate final solutions to spam be rediscovered on a sleepy nanog weekend.
the reason the above analogy fails to hold (and why that proposal isn't a solution) is that credit reporting agencies have an established standard for what bad is -- days overdue on payments. there is no similar standard for a tcp/ip endsystem, and there can be none. a week doesn't go by without some goober-with-firewall complaining that f-root is portscanning him. as112 gets it every day at least two or three times. someone else here reports that his squid proxy is regularly reported by norton's tools because it sets unusual bits in the tcp header. and so on. -- Paul Vixie -- If it wasn't crypto-signed, it probably didn't come from me.
Re: Points on your Internet driver's license
In most states, the power company cannot connect service to a home or business until it has been inspected by a building inspector... This is to keep the number of fried customers to the lowest possible value. And yes, it is possible to do your own power box work, but expect the inspector to be very thorough if you aren't also a licensed electrician. So, who's checking these local LANs to make sure they don't melt or burst into flame once hooked up? very broken analogy. as opposed to the house wiring, the lan is not the problem. it's the stove, aka ms windoze. and you don't need to go to the home to inspect it, you know it was broken when it was shipped from the factory. and the user was neither sufficiently warned nor sufficiently educated on how to avoid its worst risks. randy
Re: Points on your Internet driver's license
My inbox overflows with complaints about the analogy, and the fact that it's the appliances that are shipped broken... I hereby acknowledge the faulty analogy, you can discard your edit buffer if you're in the process of sending me such a note... :-) Hopefully, the appliances (e.g. MS Windows) will get better over time, but in the meanwhile, how do we limit the damage? The end-user wants email and web access, and we give him raw IP access and watch the fireworks... If user education is the answer, then let the user get educated enough to figure out he's NAT'ed and proxied, and then ask to have the raw IP service. /John At 11:26 AM -0700 6/13/04, Randy Bush wrote: In most states, the power company cannot connect service to a home or business until it has been inspected by a building inspector... This is to keep the number of fried customers to the lowest possible value. And yes, it is possible to do your own power box work, but expect the inspector to be very thorough if you aren't also a licensed electrician. So, who's checking these local LANs to make sure they don't melt or burst into flame once hooked up? very broken analogy. as opposed to the house wiring, the lan is not the problem. it's the stove, aka ms windoze. and you don't need to go to the home to inspect it, you know it was broken when it was shipped from the factory. and the user was neither sufficiently warned nor sufficiently educated on how to avoid its worst risks. randy
Internet Credibility Bureau (Re: Points on your Internet driver's license)
You underestimate the profitability of spam and the creativity of such folks in filling out applications. I do think that it's workable, but just don't presume that it's going to be airtight. /John At 10:45 AM -0700 6/13/04, Owen DeLong wrote: As I said earlier in private mail to John, I think this will only work if the reporting is done on individuals, not companies. For non-corporate business entities, the president of the company should be used as a stand-in for the company. For corporate business entities, the CEO or chairman of the board should be used. I'm betting that spammers will rapidly run out of people willing to forego future internet access in the name of continuing their business fairly rapidly. Owen
Re: Points on your Internet driver's license (was RE: Even you can
[edited to fix top posting; snipped for bandwidth] John Curran wrote: At 4:50 PM + 6/13/04, Paul Vixie wrote: [EMAIL PROTECTED] (Owen DeLong) writes: Perhaps what is needed is a reporting agency, similar to the credit reporting agencies, where ISPs can register chronic problem-customers. Eventually, your internet credit rating deteriorates to the point that no ISP will offer you service. ... the reason the above analogy fails to hold ... is that credit reporting agencies have an established standard for what bad is -- days overdue on payments. True enough, but there is an even more important point on credit agencies, one I suspect applies here as well. Credit agencies can show that you have good to excellent credit, and they certainly show many of those that don't, but they cannot protect against anyone who is willing to break the law. Identity theft is all about masquerading as someone with good credit (spoofing). Actually, credit agencies don't have a single standard for what bad is; they are obligated to only keep factual data (as can be best determined) in the files. When you cause a credit report to be checked, one or more algorithms are used to score your credit, but the algorithm used is up to the particular inquirer and credit bureau. In addition, they are known to keep inaccurate data, and it is HARD to correct inaccurate data (think various DNS/Email blacklists here). They also don't have all the data. Do you rent or lease an apartment? Whether or not you pay on time is not sent in. Evictions may or may not be sent in. They're called credit bureaus for a reason. The data they keep is narrow. It's not that hard to make this one work for spammers, but you need some key pieces to all be in place: It'll be very hard, and there's no good business model for doing so. If you're proposing yet another SORBS or MAPS, please don't. Otherwise, you have to decide how someone can profit from maintaining this data.
I don't know about the others, but I can GUARANTEE that the profit margin within Experian (formerly known as TRW) is very, very, very slim. If it's slim for someone successful, how do you propose that the business model for this will work? ... Spammers already figured out that some ISPs do DB credit checks, and have gotten very good at appearing as a new startup a week later. Absolutely. Just like criminals visit graveyards and county records, spammers and other miscreants are happy to create new, fake identification, and don't really care if they have to keep doing it. The real problem is, how do you make the business model of spamming unproductive? -- Life at university, with its intellectual and inconclusive discussions at a postgraduate level is on the whole a bad training for the real world. Only men of very strong character surmount this handicap. (Paul Chambers)
Re: Points on your Internet driver's license
My inbox overflows with complaints about the analogy and, undoubtedly, you think your isp should block that traffic. :-)/2 Hopefully, the appliances (e.g. MS Windows) will get better over time, but in the meanwhile, how do we limit the damage? If user education is the answer, then let the user get educated enough to figure out he's NAT'ed and proxied, and then ask to have the raw IP service. how is the user going to know the brokenness you net vigilantes propose to impose from the brokenness the other miscreants impose? tell us, john, when you were at xo and gte, how much did you educate your users as to the perils of running open; how much education and notification did you give them about applying security patches; ...? perhaps before we screw 'em we could give 'em a bit of sex ed? just to bore you, i'll repeat a bit from a couple of days ago. randy --- From: Randy Bush [EMAIL PROTECTED] Date: Fri, 11 Jun 2004 16:37:27 -0700 To: Henry Linneweh [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Even you can be hacked yes, we're gonna hack desperately for a decade to make up for asecure (innocent of, as contrasted with devoid of, security) application protocols and implementations. it'll take half that time for the ivtf and the vendors to realize how deeply complexity is our enemy. and until then we'll hack everywhere in our desperation. but in the long run, i don't think we can win with an active middle. the problem is that the difference between good traffic and bad traffic is intent. did the sender intend to send / reveal those data? did the recipient wish to receive them? and, i don't think we can stand in the middle and judge. and there's the rub. ...
Re: Points on your Internet driver's license or tags
Hopefully, the appliances (e.g. MS Windows) will get better over time, but in the meanwhile, how do we limit the damage? The end-user wants email and web access, and we give him raw IP access and watch the fireworks... If user education is the answer, then let the user get educated enough to figure out he's NAT'ed and proxied, and then ask to have the raw IP service. (MS Windows) will get better over time, but in the meanwhile, with regard to the Swiss cheese OS (no offense to the Swiss), the Windows OS: I and many others are spending our weekends installing Opera and disabling MSIE on workstations and converting mail accounts as well. I remember when 3.1's file manager could poke right through a firewall. MS 3.1 is gone, or is it? And have they (MS) become better, or will they continue to bring half baked pies to the market just to call them fresh, when in reality they are just unfinished pies? With the brewing of Windows Longhorn I don't see any hope that they will get better over time. Users and employees are like sheep, as many employers already know. They perform the same repetitive task without questions and they will continue to click those free coupon installers, despite being terminated for doing so. So do we license the network admins as the MVA or do we issue handicapped tags for the morons? -Peter
Re: Points on your Internet driver's license
At 12:15 PM -0700 6/13/04, Randy Bush wrote: tell us, john, when you were at xo and gte, how much did you educate your users as to the perils of running open; how much education and notification did you give them about applying security patches; ...? Reasonable question. Business customers were indeed asked at installation what they were connecting for mail and web servers, told that a firewall was a good idea and pointed at both online and reference books that they could get. I don't know what consumer DSL got, but I imagine it was a lot less. In the pre-GTE-I (i.e. BBN) days, we actually went on-site to help customers with their mail relay and local routing configurations. For consumer connections, this just doesn't scale. The consumer is going to acknowledge/clickthru/sign whatever disclaimer you put in front of them in order to get their high speed access. And as much as ISPs might want to fix the problem, they're not going to require a networking quiz before taking the order. how is the user going to know the brokenness you net vigilantes propose to impose from the brokenness the other miscreants impose? Nicely put. How about: if their mail and web access works, then it's the fault of the net vigilantes and filtered Internet service. If their machine is running 100% on the CPU and rebooting at random after just a few minutes online, then it's those other miscreants... /John
Re: Points on your Internet driver's license
In most states, the power company cannot connect service to a home or business until it has been inspected by a building inspector... This is to keep the number of fried customers to the lowest possible value. And yes, it is possible to do your own power box work, but expect the inspector to be very thorough if you aren't also a licensed electrician. So, who's checking these local LANs to make sure they don't melt or burst into flame once hooked up? In this aspect, the ISP is providing the connection on the WAN side, not the LAN side. Unless you're paying $400 for them to install an $80 wireless system or some such, in which case I'll do it for $200 ;) Rob Nelson [EMAIL PROTECTED]
Re: Points on your Internet driver's license (was RE: Even you can be
My arguments are in respect to broadband connections to homes and offices without IT department, firewalls or cluefulness. If you own your own IP space you'd be considered an ISP, buying transit rather than broadband home DSL. What the physical wire looks like the service is delivered on really doesn't matter. WRONG... I am not an ISP, and, my ARIN registration says so... My apologies, wrong choice of words on my part. You have your own block of IP space assigned to you and not some static or dynamic number that belongs to your ISP. All I was trying to say is that you are not a typical ISP customer. No matter what pricing your ISP applies to your connection, getting you connected takes more than signing up for a basic internet account. I am a home end-user ADSL subscriber. It's as simple as that. Yes, I happen to have my own address space. That's partly an artifact of the reality that I've been doing this longer than you (and many others on this list) and got my address space back when. However, I don't think I should be financially penalized for that. That depends on your relationship with your ISP. Adi
Re: Internet Credibility Bureau (Re: Points on your Internet driver's license)
Also the problem of off-shoring spam probably should be taken into consideration. No matter how good the plan is, if a country is willing not to enforce it there will be a problem. I read a study recently that analyzed where spam destination sites were hosted (where the link in the spam message takes you) and 70% was in China.

http://www.businessweek.com/technology/content/may2004/tc20040517_1934_tc058.htm

- Original Message -
From: John Curran [EMAIL PROTECTED]
Date: Sunday, June 13, 2004 2:57 pm
Subject: Internet Credibility Bureau (Re: Points on your Internet driver's license)

> You underestimate the profitability of spam and the creativity of such folks in filling out applications. I do think that it's workable, but just don't presume that it's going to be airtight.
>
> /John
>
> At 10:45 AM -0700 6/13/04, Owen DeLong wrote:
> > As I said earlier in private mail to John, I think this will only work if the reporting is done on individuals, not companies. For non-corporate business entities, the president of the company should be used as a stand-in for the company. For corporate business entities, the CEO or chairman of the board should be used. I'm betting that spammers will rapidly run out of people willing to forego future internet access in the name of continuing their business fairly rapidly.
> >
> > Owen
Re: Internet Credibility Bureau (Re: Points on your Internet driver's license)
At this point, I'll settle for 10% effective or better. I just want to make SPAM at least as hard as Identity theft.

Owen

--On Sunday, June 13, 2004 2:57 PM -0400 John Curran [EMAIL PROTECTED] wrote:
> You underestimate the profitability of spam and the creativity of such folks in filling out applications. I do think that it's workable, but just don't presume that it's going to be airtight.
>
> /John
>
> At 10:45 AM -0700 6/13/04, Owen DeLong wrote:
> > As I said earlier in private mail to John, I think this will only work if the reporting is done on individuals, not companies. For non-corporate business entities, the president of the company should be used as a stand-in for the company. For corporate business entities, the CEO or chairman of the board should be used. I'm betting that spammers will rapidly run out of people willing to forego future internet access in the name of continuing their business fairly rapidly.
> >
> > Owen

--
If it wasn't crypto-signed, it probably didn't come from me.
Re: Points on your Internet driver's license
> as an exercise, try to write the end-user-level document on how a typical end user can tell if application X, for a very large range of X, is not working because of an isp-imposed firewall or

OK... I'll give it a whirl :-)

Dear user,

Thank you for selecting CensorCo Bicycle Company's Internet with TrainingWheels(tm). We would like you to know that we've made every effort to keep your internet experience safe, but, depending on your usage and other factors, some unexpected things may still happen.

First, your safe internet connection supports only the following services:

1. Your access to web sites via HTTP and HTTPS.
2. Your ability to send mail through our mail relay via SMTP to mail.censorco.net.
3. Your ability to look up DNS records through DNS to ns1.censorco.net and ns2.censorco.net.

All other traffic will be blocked. This means that if you are using any other internet-based applications, such as on-line gaming, peer to peer file-sharing, etc., they will not work with Censorco. These applications have been demonstrated to be unsafe, and, are not accessible while still using the TrainingWheels(tm) service. If you want to do this, you will need to contact your account representative, pass a brief internet knowledge and security test, and sign the appropriate waiver. We will then remove the TrainingWheels(tm) from your internet service and you will receive a full, unfiltered, unsafe connection to the internet.

In the meantime, here is a step-by-step guide to determining if your problem is due to an unexpected situation, or, due to a characteristic of the TrainingWheels(tm) service.

1. Are you trying to browse the web? If yes:
   1a: Does the URL you are having difficulty with start with http: or https:? If Yes, then, most likely this is an unexpected situation.
   If no, proceed to step 2.

2. Are you trying to send email? If yes:
   2a: Please check that your outbound server is set to mail.censorco.net. If not, this is your problem. If so, proceed to step 2b.
   2b: See if you can go to http://mail.censorco.net in your web browser. If so, you are suffering from an unexpected situation. If not, chances are that you are having DNS problems. Proceed to step 5 below.
   If no, proceed to step 3.

3. Are you trying to look up information in DNS? If you don't know what this means, the answer is most likely no. If Yes, proceed to step 5. If no, then proceed to step 4.

4. Your problem is that you are trying to use an unsupported internet application. This application will not work with the TrainingWheels(tm) service. Please contact your account representative to have your TrainingWheels(tm) taken off. This concludes your troubleshooting. Please do not proceed to the next step.

5. If your web browser says "Host Not found" when you try to visit http://mail.censorco.net, you have an unexpected DNS problem. Call censorco technical support for assistance. If your browser is saying anything like "NXDOMAIN", "Nameserver Error", "Could not find host", etc., then these are the same as "Host Not found" above. Otherwise, your problem is most likely caused by an actual problem with nameservice on the internet in general or an effort to access a host which no longer exists. These things happen from time to time. You may want to try your request again later. If it still doesn't work, then it is likely the server you were trying to reach no longer exists. This is not something that CensorCo controls, and, as such, we cannot really help you with this situation.

=====

Sure, no marketing department on the planet is going to be happy with it, but, it does provide a reasonable set of steps that allows you to determine if your problem is due to complete filtration, or, other issues.

Owen

--
If it wasn't crypto-signed, it probably didn't come from me.
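The TrainingWheels(tm) allow-list and the troubleshooting tree above, written as an added example (not from Owen's post, and not any real product): the three permitted services become default-deny policy rules, `permitted()` evaluates a connection attempt against them, and `diagnose()` maps a failed attempt to the step of the guide that explains it. The hostnames are Owen's placeholders; the functions, step labels and sample attempt records are constructed here.

```python
"""Policy-as-code for the hypothetical TrainingWheels(tm) service.

Constructed example: a default-deny egress allow-list plus a classifier
that mirrors the step-by-step guide. Nothing here talks to a network.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Hostnames from the guide (placeholders, not real infrastructure).
MAIL_RELAY = "mail.censorco.net"
RESOLVERS = ("ns1.censorco.net", "ns2.censorco.net")

# Step labels returned by diagnose(); numbered to match the guide.
STEP_UNEXPECTED = "1a/2b: unexpected situation, not caused by TrainingWheels"
STEP_WRONG_RELAY = "2a: outbound mail server must be mail.censorco.net"
STEP_FOREIGN_DNS = "3: DNS lookups are allowed only to ns1/ns2.censorco.net"
STEP_UNSUPPORTED = "4: unsupported application, blocked by TrainingWheels"
STEP_DNS_FAULT = "5: unexpected DNS problem, call technical support"


@dataclass(frozen=True)
class Rule:
    proto: str           # "tcp" or "udp"
    port: int            # destination port
    host: Optional[str]  # None: any destination host is acceptable


# Services 1-3 of the guide. Anything that matches no rule is dropped,
# which is the "All other traffic will be blocked" sentence.
POLICY = (
    Rule("tcp", 80, None),            # 1. web via HTTP
    Rule("tcp", 443, None),           # 1. web via HTTPS
    Rule("tcp", 25, MAIL_RELAY),      # 2. SMTP, but only through the relay
    Rule("udp", 53, RESOLVERS[0]),    # 3. DNS, but only to the ISP resolvers
    Rule("udp", 53, RESOLVERS[1]),
)


def permitted(proto: str, host: str, port: int) -> bool:
    """First-match allow-list; no match means deny (default-deny egress)."""
    return any(
        r.proto == proto and r.port == port and r.host in (None, host)
        for r in POLICY
    )


def diagnose(proto: str, host: str, port: int, relay_resolves: bool = True) -> str:
    """Map one failed attempt to the guide step that explains it.

    relay_resolves models step 2b: whether http://mail.censorco.net could be
    reached in a browser. It only matters for a correctly configured relay.
    """
    if permitted(proto, host, port):
        # Policy would have let this through, so the cause lies elsewhere.
        if proto == "tcp" and port == 25 and not relay_resolves:
            return STEP_DNS_FAULT
        return STEP_UNEXPECTED
    if proto == "tcp" and port == 25:
        return STEP_WRONG_RELAY          # step 2a: relay other than the ISP's
    if port == 53:
        return STEP_FOREIGN_DNS          # step 3: a resolver the policy blocks
    return STEP_UNSUPPORTED              # step 4: gaming, P2P, SSH, ...


# Constructed connection-attempt records in "proto host port" form, the sort
# of thing a CPE or edge firewall log would carry.
SAMPLE_ATTEMPTS = """\
tcp www.example.com 443
tcp smtp.example.net 25
udp 198.51.100.53 53
tcp game.example.org 27015
tcp mail.censorco.net 25
udp ns2.censorco.net 53
""".splitlines()


def triage(lines: Iterable[str]) -> Dict[str, int]:
    """Count the attempts the policy would drop, keyed by guide step."""
    counts: Dict[str, int] = {}
    for line in lines:
        proto, host, port_text = line.split()
        port = int(port_text)
        if not permitted(proto, host, port):
            step = diagnose(proto, host, port)
            counts[step] = counts.get(step, 0) + 1
    return counts


if __name__ == "__main__":
    for step, n in sorted(triage(SAMPLE_ATTEMPTS).items()):
        print(f"{n}  {step}")
```

Running the block over the constructed records drops three of the six attempts (the foreign relay, the foreign resolver and the game port) and attributes each to its step; the two permitted attempts never reach `diagnose()` at all.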
Re: Points on your Internet driver's license or tags
Pete wrote:
> (MS Windows) will get better over time, but in the meanwhile, with regard to the Swiss cheese OS (no offense to Swiss) of Windows. I and many others are spending our weekends installing Opera and disabling MSIE on workstations and converting mail accounts as well. I remember when 3.1's

Hope you're using the paid-for version of Opera, since the ad-sponsored version contains software to report your surfing habits to interested parties. For a spyware-less free alternative, I would suggest Mozilla or Firefox, although an occasional donation would also help their cause.

Pete
OT Re: Points on your Internet driver's license (was RE: Even you can be hacked)
> Or, go see the movie Super Size Me - you might just give up McDonald's entirely, reducing your risk of burns from their overheated coffee. :)

Haven't been in one in over 2 years - and not through any great principle, I just stopped. Odd how our tastes change with age ;-)

Peter
Re: Points on your Internet driver's license (was RE: Even you can be
On Sat, 12 Jun 2004, Paul Vixie wrote:
> in any other industry, you (the isp) would do a simple risk analysis and start treating the cause rather than the symptom.

What other industry do you know where you are expected to fix products you didn't sell and didn't cause for free? Should we revoke Carterphone? You can't connect a Tivo or unauthorized device to your ISP connection, and the ISP would remotely control all the devices on your home network to ensure they are patched and secure. Send me your root passwords. Trust me.

> for example you might offer inbound filtering,

Done. Effectiveness?

> cleanup tools and services,

Done. Effectiveness?

> and you would put their computer in cyberjail when it was known to be infected,

Done. Effectiveness?

> and you would certainly not offer your services without a clear idea of how to reach the customer and assist them in getting out of cyberjail --

Done. Effectiveness?

> even if it meant rolling a technician.

Done. Effectiveness?

Been there, done that. Got any new ideas?

> no. there should be a forfeitable deposit, plus a per-incident fee which is mostly to pay for the cost of monitoring and the cost of auditing the host to ensure that it complies with the isp's security policy before it can be reattached. the deposit can be refunded after N years of incident-free behaviour, and should be doubled after each verified incident.

How much are you willing to pay? The bank industry makes billions from late payments, overdrafts, charge backs. It makes banks a lot of money, and puts people in bankruptcy, but doesn't seem to be very good at teaching people to handle credit wisely. People already think ISPs make money from infected computers and spammers. What incentive would there be for people to fix things instead of just paying them off? Is it Ok to spam, as long as you pay a lot? Is it Ok to leave an infected computer on the network, as long as you pay a lot? Haven't you just described what bullet-proof web hosting companies do?

How do we create incentives for people to want to buy more secure products? Why do people continue to buy Windows instead of Macs? Cars have a gas guzzler tax to encourage fuel efficiency; should Windows computers have a security guzzler tax to encourage security? Should it be like points on your Internet driver's license? For the first incident you have to attend 8-hour traffic school, for the second incident in 12 months you have points put on your record and your insurance rates go up. Too many points, and your Internet privileges are revoked.

> alas. on the internet, nobody knows you're a dog.

Regulations could fix that. The US Postal Service has the Postal Inspection Service. They have jurisdiction anywhere the mail goes. The post office didn't create the Anthrax, they delivered the envelopes as addressed. Most railroads have railroad police with jurisdiction anywhere the railroad tracks go. Some railroad police departments have trans-national jurisdiction in multiple countries. Do we need an Internet Police with jurisdiction anywhere the Internet goes? Instead of waiting for the FBI to make a case, the ISP police could arrest people. Should ISPs be required to forward all their customer information and logs to the Department of Homeland Security (or other national equivalent) so they always know who is doing what? Would that solve the "no one knows you're a dog" problem?
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
- Original Message -
From: Randy Bush [EMAIL PROTECTED]
To: Jonathan Nichols [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, June 11, 2004 3:32 PM
Subject: Re: Points on your Internet driver's license (was RE: Even you can be hacked)

> > http://lawandhelp.com/q298-2.htm
>
> while i am no fan of macdonalds, and a good case is made for their negligence, perhaps you should follow the advice at the bottom of that web page
>
> The most important message this case has for you, the consumer, is to be aware of the potential danger posed by your early morning pick-me-up.
>
> randy

Yep... and after 65 years (assuming she started drinking coffee at 16), reasonable expectation of the temperature comes to mind. I don't go to these kinds of places... has the temperature been climbing up in order to let you have a drinkable cup after (whatever you do) an hour?

--Michael
Re: Points on your Internet driver's license (was RE: Even you can be
Sean Donelan wrote:
> > and you would certainly not offer your services without a clear idea of how to reach the customer and assist them in getting out of cyberjail --
>
> Done. Effectiveness?

If you do this and keep them there until they are fixed, your network should qualify as a good neighborhood and the influx of email into your abuse@ addresses should be minimal. Eventually they'd either clean up or move elsewhere. If the places to move to would be small enough in numbers, they could be filtered from the rest of the Internet.

Pete
Re: Points on your Internet driver's license (was RE: Even you can be
> Been there, done that. Got any new ideas?

Provide a safe network connection. I believe an ISP should provide a safe environment to play, assuming the customer is innocent granny. Your average DSL network connection should be safe by default, so a default Win98 (or any other OS) can be connected without fear of compromise.

I really don't agree with the Internet driver's license concept as presented. It really is not an Internet driver's license but a Microsoft Safe Operating License. A one fits all type arrangement. Who sets the standard?

The plug that connects to the internet world needs to scale with the level of expertise of the user. This needs to include a beginners level for the clueless with safe email and safe browsing.

Adi
Re: Points on your Internet driver's license (was RE: Even you can be
On Saturday 12 June 2004 14:53, Adi Linden wrote:
> > Been there, done that. Got any new ideas?
>
> Provide a safe network connection. I believe an ISP should provide a safe environment to play, assuming the customer is innocent granny. Your average DSL network connection should be safe by default, so a default Win98 (or any other OS) can be connected without fear of compromise.
>
> I really don't agree with the Internet driver's license concept as presented. It really is not an Internet driver's license but a Microsoft Safe Operating License. A one fits all type arrangement. Who sets the standard?
>
> The plug that connects to the internet world needs to scale with the level of expertise of the user. This needs to include a beginners level for the clueless with safe email and safe browsing.

The problem with this is one of who pays for it. You are talking about an environment where the newcomers and non-experts require significantly more intervention in how things are done and what they can do than the more experienced hands. Do you charge the newbies more to cover this level of protection, or do you spread the charges across your entire userbase to avoid impacting one segment?

If you raise the prices for newbies then you will automatically have newcomers going for the cheaper, more raw, service and negating any advantages you have to a tiered product set with protection at the bottom. If you spread the charges then the users who require less handholding are going to get upset when their prices are hiked to cover functionality they will never use.

The only real way to enforce product stratification on this scale where people are introduced safely and then educated and given more freedom is to enforce some kind of metric on what is a permissible clue level to move to the next stratum of service with less handholding. This means ISPs effectively having to vet all of their customers when they try to upsell.

The alternative to this is a multilateral driving license whereby simply having the piece of paper gets you the cheaper, rawer service. If handholding was for everyone then AOL would be the only service provider and the rest of us wouldn't exist. None of the suits who run the companies represented here are going to do anything to impact their bottom line, so refusing to take customers on a skill basis isn't going to happen.

I don't really see that it's the ISPs job to make the net less frightening for the customers. It should be down to the OS vendors of whatever shape and the application vendors to ensure that their products are as secure as they can reasonably be which is not currently the case. What you are proposing with the protect granny at all costs approach is giving software vendors an excuse to code crappy product because there won't be any impact. Do you fancy subsidising Microsoft in the long term?

P.
Re: Points on your Internet driver's license (was RE: Even you can be
- Original Message -
From: Adi Linden [EMAIL PROTECTED]

> Provide a safe network connection. I believe an ISP should provide a safe environment to play, assuming the customer is innocent granny. Your average DSL network connection should be safe by default, so a default Win98 (or any other OS) can be connected without fear of compromise.

That's like saying provide safe electricity. If someone has a toaster where the wire cracks and they electrocute themselves, or a hair dryer that isn't safe in the bathtub, do you complain that the electric company should provide safe electricity? How is bandwidth any different?

There is no safe bandwidth. No matter how you look at it, it's a two way communications and it's never going to be safe as far as the bandwidth goes, just like electricity is power and it's never going to be safe. It's the devices you plug in that need to be made safe. The only thing ISPs can do is dampen bandwidth, try and limit feedback/flow rates so we don't have a single tree take out the electrical network in the northeast.

Geo.
Re: Points on your Internet driver's license (was RE: Even you can be
Maybe I'm a little slow on the draw, but I've just now realized that we've come full circle, in a strange sort of way. 8 to 10 years ago the discussions were dominated by Karl D(1), where *everything* was defined as to whether it was actionable or not. Now the discussions are dominated by many people, acting like Karl D, where their view is solely based on whether their contract supports either what they do or don't do.

-mark

(1) Actual name not shown to avoid being sued.
Re: Points on your Internet driver's license (was RE: Even you can
[EMAIL PROTECTED] (Sean Donelan) writes:
> > in any other industry, you (the isp) would do a simple risk analysis and start treating the cause rather than the symptom.
>
> What other industry do you know where you are expected to fix products you didn't sell and didn't cause for free?

risk management doesn't mean fixing other people's problems for free, it means building your business with knowledge of those problems, and making sure your business copes with them.

> You can't connect a Tivo or unauthorized device to your ISP connection, and ISP would remotely control all the devices on your home network to ensure they are patched and secure. Send me your root passwords. Trust me.

you should offer this service. most of us would urge our parents' generation to sign up for it. (i hope you weren't joking.)

> > for example you might offer inbound filtering,
> Done. Effectiveness?
> > cleanup tools and services,
> Done. Effectiveness?
> > and you would put their computer in cyberjail when it was known to be infected,
> Done. Effectiveness?
> > and you would certainly not offer your services without a clear idea of how to reach the customer and assist them in getting out of cyberjail
> Done. Effectiveness?
> > even if it meant rolling a technician.
> Done. Effectiveness?
>
> Been there, done that. Got any new ideas?

with all due respect, which is in fact waning due to your sarcastic attitude, none of those things have been done. oh, sure, various isp's have waved at those problems, and some have paid some lip service to them, but it has not been seriously tried, because there's no way to insist on them and still make money. if you or any other isp seriously Done.'d those things, then the few customers you'd have left would be very happy, and the rest of us who are not your customers would also be very happy with the lack of swill coming from your network.

> People already think ISPs make money from infected computers and spammers.

only because i've been an insider at a couple of places where it was arguable.

> What incentive would there be for people to fix things instead of just paying them off?

i believe i mentioned doubling the forfeitable deposit on each verified incident.

> Is it Ok to spam, as long as you pay a lot? Is it Ok to leave an infected computer on the network, as long as you pay a lot? Haven't you just described what bullet-proof web hosting companies do?

i don't accept e-mail from rackspace.com or any of their customers, because this appears to be their business model. on http://www.vix.com/personalcolo/ i present what i call a "good internet neighborhood" model. a bullet proof hosting company wouldn't qualify, no matter what deposit they collected or how much customer equipment they had on-site.

> > alas. on the internet, nobody knows you're a dog.
>
> Regulations could fix that.

no, really, they couldn't. bad guys can conjure up a new identity every week if that's what it takes to avoid driving with a bad internet driver's license.

> Most railroads have railroad police with jurisdiction anywhere the railroad tracks go. Some railroad police departments have trans-national jurisdiction in multiple countries.

several times i've suggested that only by upgrading this problem to the level of international treaty, as has been done with other offenses like drugs and fraud and violence, will we begin to see the beginnings of containment. you, sean, were party to at least one of those threads. perhaps you can do some homework and answer now what you didn't bother to answer then.

> Do we need an Internet Police with jurisdiction anywhere the Internet goes? Instead of waiting for the FBI to make a case, the ISP police could arrest people. Should ISPs be required to forward all their customer information and logs to the Department of Homeland Security (or other national equivalent) so they always know who is doing what. Would that solve the "no one knows you're a dog" problem?

no, it wouldn't.

until the cost of creating new identities can be driven up, then nothing adhering to identity, such as reputation, will be of any real value in stopping repeat abusers. a dsl or cable provider is in a unique position in this regard. you know who your customers are and you know where they live. as a favour to the rest of us, it would be a fine thing if you would take advantage of this position to cause a general increase in the reputation-level of your customers' IP addrs. whether you do that with deposits, truck rolls, filtering, cyberjails, weekly training seminars, and/or lawsuits against microsoft and apple, is your problem not ours, since you make the profit from these customers. how you remain profitable and competitive while managing these risks is also your problem, again since you make the profit from these customers. google for "chemical polluter business model" if you want more background.

--
Paul Vixie
Re: Points on your Internet driver's license (was RE: Even you can be
> The problem with this is one of who pays for it.

The customer.

> You are talking about an environment where the newcomers and non-experts require significantly more intervention in how things are done and what they can do than the more experienced hands.

I am talking about an environment that applies significant filtering before packets are delivered to the customer. NAT, firewall, proxy... I don't think it is all that difficult to do.

> Do you charge the newbies more to cover this level of protection, or do you spread the charges across your entire userbase to avoid impacting one segment?

This protection is a basic service. Opening ports, supplying a real ip address, removing the proxy are the add-on items that increase the cost of the connection.

> If you raise the prices for newbies then you will automatically have newcomers going for the cheaper, more raw, service and negating any advantages you have to a tiered product set with protection at the bottom.

Raise the price of the raw service. Keeping in mind I am talking about broadband connections to homes and small offices, not bandwidth for larger organizations that should have an IT department.

> If you spread the charges then the users who require less handholding are going to get upset when their prices are hiked to cover functionality they will never use.

An ISP has a responsibility in regard to the packets transported. I get the impression that most ISPs prefer to be packet movers. Move packets from point A to point B without monitoring, intervention or any other responsibilities or obligations. This is quite appropriate for an ISP serving corporate clients with large pipes, where IP space is assigned from the ISP to the client. Once we're talking about providers that serve homes and small offices this should be different. The ISP holds the IP space so it should be held responsible for the packets originating from these IPs to some degree.

In other words, if I provide proof that ip w.x.y.z is the source of unsolicited email (these days probably because of a compromised host) I firmly believe that it is the ISP's responsibility to either provide contact information on who owns this IP and/or manage the traffic to eliminate the abuse.

I am convinced that the cost of looking after the raw clients will be much greater than the cost of providing conditioned bandwidth.

Adi
Re: Points on your Internet driver's license (was RE: Even you can be
> That's like saying provide safe electricity. If someone has a toaster where the wire cracks and they electrocute themselves, or a hair dryer that isn't safe in the bathtub, do you complain that the electric company should provide safe electricity?

The problem with all the comparisons is what you are comparing. Your utility has an obligation to provide safe electricity. If you're holding your hair dryer while the utility company sends you 25,000 Volts instead of 120 Volts you should complain.

> How is bandwidth any different?

It is not any different.

> There is no safe bandwidth. No matter how you look at it it's a two way communications and it's never going to be safe as far as the bandwidth goes, just like electricity is power and it's never going to be safe. It's the devices you plug in that need to be made safe.

Computers are devices that are supposed to magically do anything. If I purchase a computer to browse the web and send email I should be able to obtain safe bandwidth that provides web access and email.

To compare this with the electricity company, the average home with a 200A service is equivalent to NATed and firewalled internet bandwidth. As your electricity demands grow (for whatever reason) the electricity company upgrades your service, to 3 phase, 600V, whatever. Same with internet bandwidth, get a public ip, get a static ip, get ports opened, run servers. Just as the upgraded electricity service requires more knowledge and equipment so does the upgraded internet bandwidth.

Adi
Re: Points on your Internet driver's license (was RE: Even you can be
Adi Linden wrote:
> To compare this with the electricity company, the average home with a 200A service is equivalent to NATed and firewalled internet bandwidth. As your electricity demands grow (for whatever reason) the electricity company upgrades your service, to 3 phase, 600V, whatever. Same with internet bandwidth, get a public ip, get a static ip, get ports opened, run servers. Just as the upgraded electricity service requires more knowledge and equipment so does the upgraded internet bandwidth.

If we would properly follow the analogy above, ISPs should provide a security fuse which would disconnect the user when blown. Paul called this cyberjail if I follow his thoughts. All efforts above this should be charged separately or be part of better general level of service. You can also charge for letting people out of the jail. Make it $50 or $100 a pop, not to be outrageous but justifiable.

Pete
Re: Points on your Internet driver's license (was RE: Even you can be
> If we would properly follow the analogy above, ISPs should provide a security fuse which would disconnect the user when blown. Paul called this cyberjail if I follow his thoughts. All efforts above this should be charged separately or be part of better general level of service. You can also charge for letting people out of the jail. Make it $50 or $100 a pop, not to be outrageous but justifiable.

Absolutely. Properly managing one's bandwidth needs to be less expensive than the penalty for abuse.

Adi
Re: Points on your Internet driver's license (was RE: Even you can
> So you claim even the ISPs you ran yourself have never attempted to do any of these things?

the last access-side isp i had anything to do with running used uucp and shell and was just getting going on c-slip when i pushed off. (i assure you that any rmail or rnews spam was grounds for suspension during my watch.) my last gig at a colo-side isp ended with me moving over to paix due to the board's discomfort over my policies toward certain colo-side customers (who have since improved, yay.)

> If you didn't do them, why do you think other people should?

so you aren't going to google for "chemical polluter business model", huh?
Re: Points on your Internet driver's license (was RE: Even you can be
> To compare this with the electricity company, the average home with a 200A service is equivalent to NATed and firewalled internet bandwidth. As your electricity demands grow (for whatever reason) the electricity company upgrades your service, to 3 phase, 600V, whatever. Same with internet bandwidth, get a public ip, get a static ip, get ports opened, run servers. Just as the upgraded electricity service requires more knowledge and equipment so does the upgraded internet bandwidth.

The biggest problem with this is that, so long as the lines support it, your electric company will send you as few or as many amps as you need, when you need it. They also make sure they don't send you 1200 amps on a #14 wire, which would probably cause a significant portion of your wiring to smoke, if not burn. With internet access, how easy is it to suddenly turn off NAT, stop redirecting all SMTP access to your anti-everything spam free SMTP server, remove the firewalls blocking outbound IPSec packets and inbound SSH? How quickly can it be done? How much should be charged for it?

The better analogy is what happens when you leave your oven on for 8 days straight? Assuming your house doesn't burn down, should you have to pay the electric bill for those 8 days? Hell yeah. It's impossible to separate what was legit energy use and what was from the oven, and it's not their fault you didn't turn it off anyway. And in the worst case, if your house burns down, it's STILL not their fault!

Commodity internet access is a one-size-fits-all game plan. At most, there's a second size, residential or business. But any user of either plan can be compared to any other user of the same plan, and the provider will treat them the same. It's too difficult, and doesn't pay, to try and treat them differently. The extra $10 a month isn't going to justify the $20 spent making the changes or talking to the person on the phone.

Rob Nelson [EMAIL PROTECTED]
Re: Points on your Internet driver's license (was RE: Even you can
On Sun, 13 Jun 2004, Paul Vixie wrote:
> > If you didn't do them, why do you think other people should?
>
> so you aren't going to google for "chemical polluter business model", huh?

I hope you also google for "Nonpoint Source Pollution". ISPs don't put the pollution in the water, ISPs are trying to clean up the water polluted by others. ISPs are spending a lot of money cleaning up problems created by other people.
RE: Points on your Internet driver's license (was RE: Even you can
On Sun, 13 Jun 2004, Paul Vixie wrote: If you didn't do them, why do you think other people should? so you aren't going to google for chemical polluter business model, huh? I hope you also google for Nonpoint Source Pollution. ISPs don't put the pollution in the water, ISPs are trying to clean up the water polluted by others. ISPs are spending a lot of money cleaning up problems created by other people. ISPs do put the pollution in the water. They own/run the pipes that carry the pollution into the ocean. Nobody cares about pollution inside the ISP's own network, we only care about the pollution they put into our water. They own, run, and manage the pipes that put the pollution where it can harm others. They have continuous control over the process and ultimately decide who does or does not put things into those pipes and influence the policies. I think there's a serious disconnect between how ISPs see this issue and how their customers do. I hold ISPs responsible for their customers behavior once they are aware of that behavior. It has been many years since I just pass the traffic my customers tell me to pass was an acceptable answer. In fact, ISPs that take that attitude are (properly) ostracized today. If an ISP knows or suspected or should know that their customer is putting pollution into the communal waters, they have an obligation to do whatever it takes to stop that pollution. If that's notifying the customer, disconnecting the customer, filtering, whatever, that's between the ISP and the customer. I'm willing to make all kinds of allowances for what is and is not possible. I don't expect a filter in minutes. I don't expect them to disconnect a customer because they couldn't reach them. However, I do expect them to track the issue with their customer until it's resolved. If they do not do so, I hold them responsible to the extent that I am able to do so. 
Again, as I said, this in no way diminishes the responsibility of the customer, the author of the malware, the person who failed to install the patch, the person who misconfigured the firewall (or decided they really didn't need one). Responsibility does not have to sum to 100%, it's possible for any number of parties to be wholly responsible. It amazes me how quick ISPs are to blame others, as if this diminishes their responsibility. It does not. If I leave your car unlocked and someone steals your CDs, no amount of blame I place on the thief diminishes my responsibility. DS
Default Internet Service (was: Re: Points on your Internet driver's license)
The real challenge here is that the default Internet service is wide-open Internet Protocol, w/o any safeties or controls. This made a lot of sense when the Internet was a few hundred sites, but is showing real scaling problems today (spam, major viruses, etc.) One could imagine changing the paradigm (never easy) so that the normal Internet service was proxied for common applications and NAT'ed for everything else... This wouldn't eliminate all the problems, but would dramatically cut down the incident rate. If a site wants wide-open access, just give it to them. If that turns out to cause operational problems (due to open mail proxies, spam origination, etc), then put 'em back behind the relays. /John
Re: Default Internet Service (was: Re: Points on your Internet driver's license)
One could imagine changing the paradigm (never easy) so that the normal Internet service was proxied for common applications and NAT'ed for everything else... This wouldn't eliminate all the problems, but would dramatically cut down the incident rate. If a site wants wide-open access, just give it to them. If that turns out to cause operational problems (due to open mail proxies, spam origination, etc), then put 'em back behind the relays. guilty until proven innocent, eh? thanks mr ashcroft. randy
Re: Default Internet Service (was: Re: Points on your Internet driver's license)
At 6:58 PM -0700 6/12/04, Randy Bush wrote: One could imagine changing the paradigm (never easy) so that the normal Internet service was proxied for common applications and NAT'ed for everything else... This wouldn't eliminate all the problems, but would dramatically cut down the incident rate. If a site wants wide-open access, just give it to them. If that turns out to cause operational problems (due to open mail proxies, spam origination, etc), then put 'em back behind the relays. guilty until proven innocent, eh? thanks mr ashcroft. Randy, are you objecting to the model for initial connectivity, or the throwing them back behind relays w/o a formal trial? /John
Re: Default Internet Service (was: Re: Points on your Internet driver's license)
On Sat, 12 Jun 2004, John Curran wrote: One could imagine changing the paradigm (never easy) so that the normal Internet service was proxied for common applications and NAT'ed for everything else... This wouldn't eliminate all the problems, but would dramatically cut down the incident rate. In the BBS days, how did most viruses get on computers? Have things really changed that much? Take a look at how computers are being compromised. It's amazing just how many compromised computers have NAT, firewalls, proxies, etc. 1) pre-infected, i.e. already compromised before connecting to your network (laptops are dangerous) 2) self-infected, i.e. compromised because the user installed the software containing the virus 3) network-infected, i.e. compromised solely by being connected without any action by the user Some broadband providers have been selling service that includes a NAT/firewall on the connection for several years. What is the difference in infection rate of those users? Is it just wishful thinking by some people that NAT/firewalls/proxies will solve the problem? Or do they have hard data to back them up? Preventing users from compromising their computers is a lot like preventing users from accessing porn or music. Basically anything the user wants could be potentially harmful, and the miscreants know that. So how do you make sure users can only access safe content?
Re: Points on your Internet driver's license (was RE: Even you can
On Sat, 12 Jun 2004, Paul Vixie wrote: "Send me your root passwords. Trust me." you should offer this service. most of us would urge our parents' generation to sign up for it. (i hope you weren't joking.) As you keep pointing out, a problem with current Internet security is its opt-in nature. Why should Paul be allowed to walk around the security checks, but Paul's grandmother needs to be searched? Both Paul and Paul's grandmother need to go through security. Allowing some people to opt out would defeat the very thing you are trying to achieve. Most major ISPs offer a variety of Internet security products, if the user signs up for them, pays for them, installs them and uses them. AOL charges about $14/month, Earthlink charges about $6/month, MSN charges about $8/month, SBC charges about $5/month, Bellsouth charges about $7/month, etc. For a while, some broadband providers were even offering a $99 rebate when people bought a hardware NAT/firewall device. Why don't more people take advantage of the security that is already available? Some people pay hundreds of dollars every month for bottled water, and filters on their faucets because they aren't satisfied with the quality of the water delivered by the local water company. If we give some people an option to opt out, most grandmothers will probably follow Paul's example and save the few bucks every month and not use the security features. Should ISPs charge for security like the Universal Service Fund fee on your telephone bill, everyone (not just grandmothers) has to pay it. The FCC (or your national equivalent) would set the rate every quarter, and it would appear on everyone's ISP bill. You have to pay it, even if you already have other security.
Re: Default Internet Service (was: Re: Points on your Internet driver's license)
On Sat, 12 Jun 2004, John Curran wrote: The real challenge here is that the default Internet service is wide-open Internet Protocol, w/o any safeties or controls. This made a lot of sense when the Internet was a few hundred sites, but is showing real scaling problems today (spam, major viruses, etc.) One could imagine changing the paradigm (never easy) so that the normal Internet service was proxied for common applications and NAT'ed for everything else... This wouldn't eliminate all the problems, but would dramatically cut down the incident rate. This sounds like a fantastic idea, for instance: How much direct IP does joe-average Internet user really require? Do they require anything more than imap(s)/pop(s)/smtp(+tls) and dns/http/https? I suppose they also need: 1) internet gaming 2) voip 3) kazaa/p2p-app(s)-of-choice 4) IM Actually I'm sure there are quite a few things they need, things which require either very smart NAT/Proxy devices or open access. The filtering of IP on the broad scale will hamper creativity and innovation. I'm fairly certain this was not what we want in the long term, is it? If a site wants wide-open access, just give it to them. If that turns out to cause operational problems (due to open mail proxies, spam origination, etc), then put 'em back behind the relays. We have methods of dealing with these abuse problems today, unfortunately as Paul Vixie often points out there are business reasons why these problems persist. Often the 'business' reason isn't the tin-foil-hat-brigade's reason so much as 'we can't afford to keep these abuse folks around since they don't make money for the company'. Downstream from the ISP, the individuals are not taking responsibility for their actions/inactions with respect to 'security'. Vendors are not providing safe environments for their consumers either.
I understand that shipping an OS with 100% of things enabled might 'foster innovation' or 'make things easier for the end user', however, so would well-thought-out instructions for enabling (safely) these same features. 99% of computer users never ever need to share files, yet file sharing is enabled by default on some operating systems... This is a major vector for infection and abuse. Education and awareness are also lacking in the industry as a whole, well not the 'industry' so much as 'the culture' I think. "Why should anyone want to hack my machine? I'm not some big corporation with lots of 'secrets'." No, they want your machine for the simple fact it's connected to the global Internet and it's NOT their IP address so abuse of it won't harm 'them' :( -Chris
Re: Default Internet Service (was: Re: Points on your Internet driver's license)
At 4:21 AM + 6/13/04, Christopher L. Morrow wrote: We have methods of dealing with these abuse problems today, unfortunately as Paul Vixie often points out there are business reasons why these problems persist. Often the 'business' reason isn't the tin-foil-hat-brigade's reason so much as 'we can't afford to keep these abuse folks around since they don't make money for the company'. I'll argue that we don't have effective methods of dealing with this today, and it's not the lack of abuse desk people as much as the philosophy of closing barn doors after the fact. The idea that we can leave everything wide open for automated exploit tools, and then clean up afterwards manually with labor-intensive efforts is fundamentally flawed. /John
Re: Points on your Internet driver's license (was RE: Even you can
so you aren't going to google for chemical polluter business model, huh? I hope you also google for Nonpoint Source Pollution. ISPs don't put the pollution in the water, ISPs are trying to clean up the water polluted by others. ISPs are spending a lot of money cleaning up problems created by other people. where you got it from before you dumped it into the stream that feeds me is yet another problem that i'd rather you resolved without my involvement.
Re: Points on your Internet driver's license (was RE: Even you can
[EMAIL PROTECTED] (David Schwartz) writes: ISPs don't put the pollution in the water, ISPs are trying to clean up the water polluted by others. ISPs are spending a lot of money cleaning up problems created by other people. ISPs do put the pollution in the water. They own/run the pipes that carry the pollution into the ocean. Nobody cares about pollution inside the ISP's own network, we only care about the pollution they put into our water. They own, run, and manage and profit from the pipes that put the pollution where it can harm others. They have continuous control over the process and ultimately decide who does or does not put things into those pipes and influence the policies. yea, verily. -- Paul Vixie
Points on your Internet driver's license (was RE: Even you can be hacked)
On Fri, 11 Jun 2004, David Schwartz wrote: generated by a worm. The ISP had an obligation to stop this traffic with filters or customer disconnection. They may or may not have complied with their obligation. Either way, it's hard to see why the customer should pay for traffic the ISP did not or should not have delivered. ISPs deliver properly addressed packets to their destination (the return address sometimes isn't checked). Do ISPs have an obligation to stop certain packets, based on what? What does your contract say? Did you pay the ISP to provide filters? Did you include a phrase that said the ISP had to give you 30 days notice and reasonable time to cure the breach before the ISP could terminate your service? Did the contract say the ISP would block traffic generated by worms? As people regularly point out, the Internet is a dangerous place. Is it as dangerous as going to a baseball game? BOSTON, Massachusetts (AP) -- A woman who was seriously injured by a foul ball at Fenway Park has no grounds to sue because she assumed a risk by attending the baseball game, a state appeals court ruled. The Red Sox had no duty to warn the plaintiff of the obvious danger of a foul ball being hit into the stands, the court said Wednesday in blocking Jane Costa's personal injury lawsuit from going to trial. It would be much easier if evil doers followed RFC3514. Determining intent from the bits is difficult. If you call a customer up and ask "Did you know your computer is generating a lot of network traffic and your bill will be very large?" and the customer says "Ok." What should you do? Assume the customer is an idiot, and even though they said Ok, you should cut off their Internet connection anyway. If your child borrows your credit card, and makes lots of unauthorized charges, you may not have to pay more than $50; but the bank can go after your son or daughter for the money. Most parents end up paying, even if they didn't authorize their children to use the credit card.
If the bank sends you an ATM or debit card statement, and you fail to report unauthorized transfers on the statement after 60 days you may be responsible for unlimited loss. You can lose a lot of money if you think it's other people's responsibility to protect you. You are responsible for reviewing the statement and informing the bank of unauthorized activity; not the bank. Why do so many people ignore their ISP when told about problems with their computer? "My computer can't be infected, I have a firewall." Paul Vixie proposed that people should be required to use personal Co-Lo so the co-lo provider has collateral to seize when the customer fails to keep the computer secure. Would customers complain if ISPs started seizing their computers instead of sending them large bills? Should ISPs charge customers cleanup fees to encourage them to keep their computers secure? $10 or $100 or $1,000 per incident? Should it be like points on your Internet driver's license? For the first incident you have to attend 8-hour traffic school, for the second incident in 12 months you have points put on your record and your insurance rates go up. Too many points, and your Internet privileges are revoked.
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
we americans do not readily accept responsibility for our [in]actions. we sue for being hit by a baseball while attending a game. we sue for spilling hot coffee on ourselves. we sue when we walk into open trenches and manholes. and we self-righteously torture, commit war crimes, and murder, at a digital distance, and expect immunity in the world opinion and courts. it's a small planet, but our culture still has the vision of the infinite resources of the frontier. so, if i can't get what i want, or if i get what i don't want, surely someone else is at fault. randy, who clearly has pontificated enough for the day
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
If your child borrows your credit card, and makes lots of unauthorized charges, you may not have to pay more than $50; but the bank can go after your son or daughter for the money. Most parents end up paying, even if they didn't authorize their children to use the credit card. So the credit card company calls you and asks about a bunch of suspicious charges being placed on your card. "Ok, just keep on charging." Now who's to blame for these charges by your sons and daughters and the russian mafia? I sell a client a metered product (gas, water, electricity, telephone, internet data, etc). I notice unusually high consumption. I inform the client that the bill is accumulating rather quickly and I suspect a problem. I have done my job. The client either tells me to stop delivery until the problem is diagnosed and resolved or tells me to continue service. Either way, the ball is in the client's court. If the client chooses continuation of service despite high consumption and subsequent huge bill he has an obligation to pay, no matter WHY the usage was too high. Our society has a screwed up sense of responsibility. Everyone else is supposed to look out for me and take care of me. If something happens to me because I do something stupid or foolish, someone failed to warn me, didn't make the sign big enough, didn't sound the horn loud enough, didn't lock me up so I couldn't hurt myself. This isn't true for everybody but way too many. Adi
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
Scalable bandwidth is not new and is charged for, what is the issue about that? If the network is compromised and it is on the client end, that is what business insurance is for, so that everyone gets theirs (payments, otherwise other types of arrangements need to be made, according to the doctrine of reasonable man -henry R Linneweh --- Adi Linden [EMAIL PROTECTED] wrote: If your child borrows your credit card, and makes lots of unauthorized charges, you may not have to pay more than $50; but the bank can go after your son or daughter for the money. Most parents end up paying, even if they didn't authorize their children to use the credit card. So the credit card company calls you and asks about a bunch of suspicious charges being placed on your card. "Ok, just keep on charging." Now who's to blame for these charges by your sons and daughters and the russian mafia? I sell a client a metered product (gas, water, electricity, telephone, internet data, etc). I notice unusually high consumption. I inform the client that the bill is accumulating rather quickly and I suspect a problem. I have done my job. The client either tells me to stop delivery until the problem is diagnosed and resolved or tells me to continue service. Either way, the ball is in the client's court. If the client chooses continuation of service despite high consumption and subsequent huge bill he has an obligation to pay, no matter WHY the usage was too high. Our society has a screwed up sense of responsibility. Everyone else is supposed to look out for me and take care of me. If something happens to me because I do something stupid or foolish, someone failed to warn me, didn't make the sign big enough, didn't sound the horn loud enough, didn't lock me up so I couldn't hurt myself. This isn't true for everybody but way too many. Adi
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
attending a game. we sue for spilling hot coffee on ourselves. http://lawandhelp.com/q298-2.htm Interesting reading on that whole woman sues for spilling hot coffee on herself story. Sometimes there's a LOT more to the tale. :)
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
http://lawandhelp.com/q298-2.htm while i am no fan of macdonalds, and a good case is made for their negligence, perhaps you should follow the advice at the bottom of that web page The most important message this case has for you, the consumer, is to be aware of the potential danger posed by your early morning pick-me-up. randy
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
Randy Bush wrote: http://lawandhelp.com/q298-2.htm while i am no fan of macdonalds, and a good case is made for their negligence, perhaps you should follow the advice at the bottom of that web page The most important message this case has for you, the consumer, is to be aware of the potential danger posed by your early morning pick-me-up. randy Or, go see the movie Super Size Me - you might just give up McDonald's entirely, reducing your risk of burns from their overheated coffee. :)
Re: Points on your Internet driver's license (was RE: Even you can be
[EMAIL PROTECTED] (Sean Donelan) writes: ... Why do so many people ignore their ISP when told about problems with their computer? "My computer can't be infected, I have a firewall." in any other industry, you (the isp) would do a simple risk analysis and start treating the cause rather than the symptom. for example you might offer inbound filtering, cleanup tools and services, and you would put their computer in cyberjail when it was known to be infected, and you would certainly not offer your services without a clear idea of how to reach the customer and assist them in getting out of cyberjail -- even if it meant rolling a technician. but then you'd have to charge for all that. and in the isp business, you'd have competitors who wouldn't offer it and wouldn't charge for it, and you'd lose business or maybe even go out of business. with the unhappy result being that you just let it happen, which is bad for your customers, and bad for the rest of us on the internet, but not nearly as bad for you (the isp). for you (the isp), every possible cure is worse than the disease. but you don't seem to mind that the rest of us, and your customers, catch various diseases, as long as *you're* ok. feh. Paul Vixie proposed that people should be required to use personal Co-Lo (1) so the co-lo provider has collateral to seize (2) when the customer fails to keep the computer secure. well, no. i (1) said that people who had personal co-lo boxes in better internet neighborhoods and who could just use their cable or dsl line for web browsing and for access to their personal co-lo box would have less of their e-mail rejected at the far end.
and as for (2), i think that anyone who co-lo's a personal box is likely to first learn how to pay enough attention to it that it will not become a malagency for third parties, and that a co-lo operator who only had such customers would be able to charge enough to pay for some monitoring and cleanup and so on; the possibility of seizure is more for the case of deliberate abuse (like ddos'ing an irc server, or sending spam, or hosting spamvertized www) than third party abuse. see http://www.vix.com/personalcolo/ for more information about all that. and note that i'm broadening it to include smtp-auth/webdav/ftp providers who want to serve basically the same market but without dedicated iron. so if you offer that and haven't told me, then please tell me now. Would customers complain if ISPs started seizing their computers instead of sending them large bills? that's so unsequitur that i don't even know how to read it let alone answer. Should ISPs charge customers cleanup fees to encourage them to keep their computers secure? yes. $10 or $100 or $1,000 per incident? no. there should be a forfeitable deposit, plus a per-incident fee which is mostly to pay for the cost of monitoring and the cost of auditing the host to ensure that it complies with the isp's security policy before it can be reattached. the deposit can be refunded after N years of incident-free behaviour, and should be doubled after each verified incident. Should it be like points on your Internet driver's license? For the first incident you have to attend 8-hour traffic school, for the second incident in 12 months you have points put on your record and your insurance rates go up. Too many points, and your Internet privileges are revoked. alas. on the internet, nobody knows you're a dog. -- Paul Vixie
Re: Points on your Internet driver's license (was RE: Even you can be
alas. on the internet, nobody knows you're a dog. http://www.nettime.org/Lists-Archives/nettime-l-0405/msg00057.html