Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-14 Thread Owen DeLong
A response doesn't mean the ISP doesn't also investigate.  Reasonable proof
is reasonable proof.  The logs are a good start, but, the ISP should review
his own logs, and, check the currently active traffic patterns too.  If there
isn't any evidence, the ISP shouldn't shut the customer down.  If the ISP
can see continuing abuse, the ISP should shut the customer down.  That's
not unreasonable.  That's what I'm asking for, and, what I understood
Adi to be asking for in this case.

Owen
--On Sunday, June 13, 2004 6:34 PM -0400 Geoincidents <[EMAIL PROTECTED]> wrote:

> - Original Message -
> From: "Adi Linden" <[EMAIL PROTECTED]>
>
> > if I send an ISP reasonable proof that a
> > broadband customer hits my mailserver with thousands of emails an hour I
> > should be able to expect an immediate response. Not hours, days or weeks,
> > minutes and the originating account should be shut down.
>
> Great, next time you get shut down mid auction because the ISP trusts the
> log file I send him, remember you asked for it.
>
> Geo.

--
If it wasn't crypto-signed, it probably didn't come from me.
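
[Added example, not part of the thread.] The check described in the message above (compare the complainant's log with the ISP's own logs and with currently active traffic before acting), sketched in Python. The record formats, the lease table for dynamic addresses, the 5-minute clock-skew and 15-minute "recent" windows, the middle "investigate" outcome and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Record:
    """A claimed event from the complaint, or a flow from the ISP's own export."""
    ts: datetime
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Lease:
    """Which account held a dynamic address during [start, end)."""
    account: str
    ip: str
    start: datetime
    end: datetime


def account_at(leases, ip, ts):
    """Account holding `ip` at `ts`, or None if it was not leased then."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.account
    return None


def corroborate(claims, flows, leases, now,
                skew=timedelta(minutes=5), recent=timedelta(minutes=15)):
    """Return {account: {"claimed", "matched", "continuing", "action"}}."""
    report = {}
    targets = {}  # account -> {(dst, dport)} confirmed by the ISP's own flows
    for c in claims:
        acct = account_at(leases, c.src, c.ts)  # holder at the claimed time
        if acct is None:
            continue  # address was not leased to anyone then
        row = report.setdefault(
            acct, {"claimed": 0, "matched": 0, "continuing": False})
        row["claimed"] += 1
        # A claim counts only if our own export shows the same flow,
        # allowing for clock skew between the two parties.
        if any((f.src, f.dst, f.dport) == (c.src, c.dst, c.dport)
               and abs(f.ts - c.ts) <= skew for f in flows):
            row["matched"] += 1
            targets.setdefault(acct, set()).add((c.dst, c.dport))
    # Currently active traffic: follow the account, not the address,
    # because the address may have been re-leased since the complaint.
    for f in flows:
        if now - recent <= f.ts <= now:
            acct = account_at(leases, f.src, f.ts)
            if acct in targets and (f.dst, f.dport) in targets[acct]:
                report[acct]["continuing"] = True
    for row in report.values():
        if row["matched"] == 0:
            row["action"] = "no_action"    # no evidence in our own logs
        elif row["continuing"]:
            row["action"] = "suspend"      # confirmed and still happening
        else:
            row["action"] = "investigate"  # confirmed, but not seen now
    return report


def t(hhmm):
    """Constructed timestamps, all on one day."""
    return datetime(2004, 6, 13, int(hhmm[:2]), int(hhmm[3:]))


def demo():
    """Constructed data; addresses are from the documentation ranges."""
    mx = "198.51.100.25"
    leases = [
        Lease("cust-A", "192.0.2.10", t("08:00"), t("12:00")),
        Lease("cust-B", "192.0.2.10", t("12:00"), t("20:00")),  # re-leased
        Lease("cust-A", "192.0.2.77", t("12:00"), t("20:00")),
        Lease("cust-C", "192.0.2.50", t("08:00"), t("20:00")),
        Lease("cust-D", "192.0.2.60", t("08:00"), t("20:00")),
    ]
    flows = [  # the ISP's own flow export
        Record(t("09:01"), "192.0.2.10", mx, 25),
        Record(t("09:03"), "192.0.2.10", mx, 25),
        Record(t("08:31"), "192.0.2.60", mx, 25),
        Record(t("13:55"), "192.0.2.77", mx, 25),             # cust-A, new address
        Record(t("13:58"), "192.0.2.10", "203.0.113.80", 443),  # cust-B, unrelated
    ]
    claims = [  # lines taken from the complainant's log
        Record(t("09:00"), "192.0.2.10", mx, 25),
        Record(t("09:02"), "192.0.2.10", mx, 25),
        Record(t("10:00"), "192.0.2.50", mx, 25),  # nothing in our logs
        Record(t("08:30"), "192.0.2.60", mx, 25),  # confirmed, since stopped
    ]
    return corroborate(claims, flows, leases, now=t("14:00"))


if __name__ == "__main__":
    for account, row in sorted(demo().items()):
        print(account, row)
```

In the constructed data the customer who currently holds 192.0.2.10 never appears in the report, because the claimed events are attributed to the account that held the address at the claimed time.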




Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-14 Thread Geoincidents

- Original Message - 
From: "Adi Linden" <[EMAIL PROTECTED]>

> if I send an ISP reasonable proof that a
> broadband customer hits my mailserver with thousands of emails an hour I
> should be able to expect an immediate response. Not hours, days or weeks,
> minutes and the originating account should be shut down.

Great, next time you get shut down mid auction because the ISP trusts the
log file I send him, remember you asked for it.

Geo.



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-14 Thread George Roettger

- Original Message - 
From: "Adi Linden" <[EMAIL PROTECTED]>

> Clean internet is more than just valid IP datagrams to my IP address. If I
> connect to my ISP and do nothing beyond that, not a single packet, I
> expect to not receive any packets either. If I initiate a GET request to a
> web server I expect the webservers response to be returned unaltered. If I
> have an email account with my ISP I expect only valid email to be
> delivered to my email address. I consider this clean internet service from
> the perspective of the average home user.

Apply your phone analogy to this, you want a phone, but nobody on the planet
should be allowed to call you unless you call them first. If you do call
someone, they shouldn't be allowed to use improper language, if you also
have voicemail, nobody who you don't want to hear from should be allowed to
leave you a message.

So you want the phoneco to block inbound calls, install a voice recognition
system to stop improper language, and manage your voicemail. You don't want
phone service, you want a secretary. You should call your phone company and
have them send one over right away, and don't forget to tell them you aren't
going to pay more than the standard $30/month for the service..

George Roettger



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-14 Thread Henry Linneweh

Wow he has changed and toned down a lot from those
days

-Henry

--- [EMAIL PROTECTED] wrote:
>
> > 8 to 10 years ago the discussions were dominated by Karl D(1),
> > where *everything* was defined as to whether it was "actionable" or not.
>
> Googling for "Karl Denninger" and "actionable" only gets 30 hits
> but, oh the nostalgia of it all...
>
> Check out http://www.denninger.net to see that he is still
> alive and kicking and protesting one thing or another.



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-14 Thread Niels Bakker

* [EMAIL PROTECTED] ([EMAIL PROTECTED]) [Mon 14 Jun 2004, 12:20 CEST]:
> Check out http://www.denninger.net to see that he is still
> alive and kicking and protesting one thing or another.

Would you buy an anti-spam solution from a man that requires the
inclusion of certain keywords in the subject in order to avoid getting
trapped in his own spam filters?


-- Niels.

-- 
(from the bottom of www.denninger.net/democrat.htm, which is a load of
 trite anyway, ``Please insert the word "advocacy" or "agree" in the
 subject line of your message to avoid my spam filters.'') 


Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-14 Thread Michael . Dillon

> 8 to 10 years ago the discussions were dominated by Karl D(1),
> where *everything* was defined as to whether it was "actionable" or not.

Googling for "Karl Denninger" and "actionable" only gets 30 hits
but, oh the nostalgia of it all...

Check out http://www.denninger.net to see that he is still
alive and kicking and protesting one thing or another.




Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden

> > And that is a problem. Unlike your electricity, where the supplier has an
> > obligation to provide a certain level of clean energy, there is nothing
> > like it with internet bandwidth. All the crud and exploits are dutifully
> > forwarded to the customer.
> >
> Clean internet service is internet service that delivers only valid IP
> datagrams.  Most internet service is clean internet service.  Any internet
> service that looks above layer 3 to make forwarding decisions is not clean
> internet service.

Perhaps this is where our opinions greatly differ. If I am a customer with
my own block of routable ip space I agree with you 100%. But this is about
the average home user that receives a dynamic ip leased from the ISP.

Clean internet is more than just valid IP datagrams to my IP address. If I
connect to my ISP and do nothing beyond that, not a single packet, I
expect to not receive any packets either. If I initiate a GET request to a
web server I expect the webserver's response to be returned unaltered. If I
have an email account with my ISP I expect only valid email to be
delivered to my email address. I consider this clean internet service from
the perspective of the average home user.

> > I argue that this is way overboard. I don't believe anyone should require
> > any particular knowledge to obtain an internet connection and use the
> > internet. Instead internet needs to be available as a clean conditioned
> > service for consumption by the clueless.
> >
> I agree that the IDL is overboard.  I even agree with your second sentence.
> Consumers need to demand software which does not support these exploits from
> their software vendors.  That is the real solution.  The internet is a
> transport, just like the phone line coming into your home.  Nothing prevents
> someone from making an obscene phone call to your house.  The most common
> problem software today is like having a telephone that won't let you hang
> up on the prank caller, then, demanding that the phone company prevent those
> calls from coming in the first place.

As a telephone customer I expect to pick up the phone, make a call and hang
up. I expect to receive calls and hang up. If the phone crashes in the
middle of a conversation I am not happy, if it cost me money because LD
charges continue to apply I am even less happy. The manufacturer of the
phone has a given set of specifications to work with and the phone company
has a given set of parameters of what the signal of the phone line should
look like.

What if I call you and put an awful tone on the line that blows your
eardrums, locks up your phone and causes it to dial on its own and do the
same to all your friends from your phone. As a bonus you'll get a LD bill
from the phone company for all the calls your phone made without your
permission. Who's to blame? The phone company because they transmitted
harmful signals? The phone manufacturer for building a phone without
accounting for the possibility of this sound? The customer for picking up
the phone? How do you prevent future events of this sort? Customer
education?

All of today's software has flaws, some more some less. Some of these
flaws should simply not exist, while others are an oversight. Many of the
current exploits have one thing in common, malformed packets addressed at
machines that never requested the packets they are receiving to begin
with. Stopping these packets from reaching their target is just as
important as having the target immune to the attack.

The ISP provides a service to a customer, the ISP should be sensible to
the customer's requirements. If the customer requires clean internet
service then this is what the ISP should strive for. This doesn't relieve
the customer from being responsible (like opening any and every attachment
received) but it is just another layer in reducing the enormous amount of
garbage traffic we are seeing.

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden

> > My arguments are in respect to broadband connections to homes and offices
> > without IT department, firewalls or cluefulness. If you own your own IP
> > space you'd be considered an ISP, buying transit rather than broadband
> > home DSL. What the physical wire looks like the service is delivered on
> > really doesn't matter.
> >
> WRONG... I am not an ISP, and, my ARIN registration says so...

My apologies, wrong choice of words on my part. You have your own block of 
IP space assigned to you and not some static or dynamic number that 
belongs to your ISP.

All I was trying to say is that you are not a typical ISP customer. No 
matter what pricing your ISP applies to your connection, getting you 
connected takes more than signing up for a basic internet account.

> I am a home end-user ADSL subscriber.  It's as simple as that.  Yes, I 
> happen to have my own address space.  That's partly an artifact of the 
> reality that I've been doing this longer than you (and many others on 
> this list) and got my address space back when.  However, I don't think I 
> should be financially penalized for that.

That depends on your relationship with your ISP.

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Doug White

:
: My arguments are in respect to broadband connections to homes and offices
: without IT department, firewalls or cluefulness. If you own your own IP
: space you'd be considered an ISP, buying transit rather than broadband
: home DSL. What the physical wire looks like the service is delivered on
: really doesn't matter.
:
: If I see your ip space bombarding my mail server I can trace its origin. I
: can contact you and request to fix the problem. If you ignore me, refuse
: to fix the problem I can contact your upstream. Your upstream should then
: have a responsibility to resolve the issue including suspension of
: service if my claims are valid and breach AUP.
:
: Adi
:
:

I don't understand why you single out the SOHO and individuals as being in
need of control when I read on many lists, the IT departments of many very
large networks continually post their reasons NOT to keep their systems up to
date with patches, etc.  What ISP would DARE to terminate or suspend their
service?

A for instance, a recent worm invasion took down several airline reservations
systems.  Took down several Air Traffic Control Servers.  This is not to
mention compromises attributable to many large university systems.

These are problems that the IT departments were made aware of well in advance
but did not act to secure their own systems.  Who do you blame here?  What ISP
would DARE to suspend their service, demand a fine, and require a
system/network audit before restoring service?

What this means is that all this diatribe, finger pointing, blame someone else
conversation is just that, conversation.  Until the TCP/IP stack is reinvented
to prevent spoofing, and senders are positively, quickly and reliably tracked
down, the responsibility to secure your own network is your responsibility and
none other.

I notice no one is blaming the person/persons who propagate these compromises
whether by intent or by error.  And there are those who defend protecting the
"home turf" but I consider that negligence and ludicrous.

One must choose whether to have their computers and networks sitting out in the
front yard with access to all, or keeping them not only inside, but even in a
secure location inside.  There are those that feel that an unsecured system is
anybody's target without risk, and there are those who feel their children
should be allowed to play unsupervised anywhere without risk.  My suggestion
is to do a reality check and assume responsibility where you can.



yo, sean!! (Re: Points on your Internet driver's license (was RE: Even you can be)

2004-06-13 Thread Paul Vixie

[EMAIL PROTECTED] (Adrian Chadd) writes:

> ... I WANT my ISP to require more than just some third party saying
> "holy crap, someone's spitting out crap at me. Suspend!". Obviously you've
> not been handed Norton Personal firewall logs which CONCLUSIVELY PROVE,
> as far as the user is concerned, that MY SQUID reverse proxy server is
> spewing out INVALID TCP FLAGS. ...

the hosts on the list below (which sean's /12 that contains the /19 i
reported on earlier) is of hosts who connected to an ip address that has
no dns pointing to it and delivered well-known malware matching some kind
of pattern.  mostly they're probing to see if i'm running a microsoft web
server by trying to overflow one of its buffers and put executable code
on my stack.  i think it's safe to say that if i present sean with evidence
that this occurred, he ought to immediately disco that customer and then,
when the customer calls, fines or training should be demanded, along with
auditing before reconn -- and the fines should be progressive, with deposits.

note the "LIMIT 500" which keeps this list from containing the other many
tens of thousands of infected hosts on just one of sean's /12 blocks.  and
note that i'm now displaying the span from oldest to newest as "days" and
sorting by it.  the ones at the top of the list have been attacking me the
longest.  ties in "days" are broken by looking at the number of times they
have attacked me during that span.

sean, i really think there's a problem and that the river looks better
upstream of your factory than downstream.  and if you weren't making so
much money from my pain, i wouldn't keep harping about this, really, i
wouldn't.  if you'd like this report without the "LIMIT 500" clause, and
for all of your netblocks rather than just this /12, send me the list.  i
don't promise not to blackhole them all, but i will give you the report.
since i also save the http payloads, i can give you those as well, but i
confess i can't think of a format for the two or three dvd-roms they'd
fit on.

---

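-- one row per source address seen in the /12; << is the PostgreSQL inet
-- "is contained within" operator
SELECT  MIN(DATE(entered)) AS began,                          -- first day seen
        MAX(DATE(entered)) - MIN(DATE(entered)) + 1 AS days,  -- span, oldest to newest
        srcaddr,
        COUNT(srcaddr) AS count                               -- hits during that span
  FROM  trans
 WHERE  srcaddr << '63.192.0.0/12'
 GROUP BY srcaddr
 ORDER BY days DESC, count DESC                               -- longest first, ties by count
 LIMIT  500;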


Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Owen DeLong
> And that is a problem. Unlike your electricity, where the supplier has an
> obligation to provide a certain level of clean energy, there is nothing
> like it with internet bandwidth. All the crud and exploits are dutifully
> forwarded to the customer.

Clean internet service is internet service that delivers only valid IP
datagrams.  Most internet service is clean internet service.  Any internet
service that looks above layer 3 to make forwarding decisions is not clean
internet service.

> I argue that this is way overboard. I don't believe anyone should require
> any particular knowledge to obtain an internet connection and use the
> internet. Instead internet needs to be available as a clean conditioned
> service for consumption by the clueless.

I agree that the IDL is overboard.  I even agree with your second sentence.
Consumers need to demand software which does not support these exploits from
their software vendors.  That is the real solution.  The internet is a
transport, just like the phone line coming into your home.  Nothing prevents
someone from making an obscene phone call to your house.  The most common
problem software today is like having a telephone that won't let you hang
up on the prank caller, then, demanding that the phone company prevent those
calls from coming in the first place.

Problem is that people understand that TPC can't tell a prank call from a
legitimate one, but, for some reason, they expect ISPs to be able to magically
tell whether this HTTP session is an exploit while this other one isn't.

> The reason this isn't economical today is because ISP lack any
> responsibility. It is cheaper for an ISP to buy more bandwidth and pass the
> worms and viruses customers PCs spew to the internet than it is to deal
> with the problem. Seriously, if I send an ISP reasonable proof that a
> broadband customer hits my mailserver with thousands of emails an hour I
> should be able to expect an immediate response. Not hours, days or weeks,
> minutes and the originating account should be shut down. If this doesn't
> happen I should be able to go to the upstream of the ISP, present my
> case, and have connectivity to the ISP suspended.

The reason is that the ISPs can't tell the exploits from the legitimate
traffic in most cases, and, even if they did, do you really want ISPs making
value judgement about content on behalf of their users?  That's a really
bad model.  It's just not good for innovation, free speech, mom, or apple pie.

Yes, ISPs should investigate abuse complaints and immediately disconnect
users that are spewing abuse.  Yes, this needs to happen more consistently
and more rapidly.  However, content filtration at the ISP level is not a
solution, it's just a different problem.

Owen

--
If it wasn't crypto-signed, it probably didn't come from me.




Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden

> > The reason this isn't economical today is because ISP lack any 
> > responsibility. It is cheaper for an ISP to buy more bandwidth and pass the 
> > worms and viruses customers PCs spew to the internet than it is to deal 
> > with the problem. Seriously, if I send an ISP reasonable proof that a 
> > broadband customer hits my mailserver with thousands of emails an hour I 
> > should be able to expect an immediate response. Not hours, days or weeks, 
> > minutes and the originating account should be shut down. If this doesn't 
> > happen I should be able to go to the upstream of the ISP, present my 
> > case, and have connectivity to the ISP suspended. 
> 
> Then, start an ISP, charge extra for that kind of maintenance and compete
> in the marketplace. See how it works out. I wish you the best of luck,
> I really do.

Today ISP are not held accountable for the traffic that originates from 
their network. If they were the economics would be different. Support 
costs for wide open broadband connections to the home would sky rocket. I 
am convinced that providing a safe internet connection to the home user 
would be quite viable at this point.

> I can understand your point of view. Personally, I'd love it if internet
> access was a simple, secure, managed commodity. But it isn't. 

Correct. The answer is to make it a simple, secure, managed commodity. Not 
to demand that granny has a degree to send and receive email.

> The ISP has _no_ legal basis in a lot of cases for terminating accounts 
> when "we" (being the people making noise on this list) would hope they 
> would. If they do, they possibly expose themselves legally. Can you 
> imagine the SOHO owner who screams because he's lost revenue because you 
> shut down his internet connection for a worm? Even if you have a "bullet 
> proof AUP" you may still end up having to deal with lawyers and possibly 
> some court time.

Correct. Today there is less hassle and less risk to an ISP if pollution 
by their customers is just ignored and allowed to happen. The penalties 
for polluting are non-existent. 

The internet is a commodity supplied to customers. As such an ISP should 
have an obligation to supply it as clean and secure as possible. As much 
as the customer has an obligation to ensure that internet connected devices 
do not pollute the internet, so does the ISP have an obligation not to 
pass this pollution to customers.

> So, please explain again, why should an ISP get involved right now?

Because it is the right place to start. It is just lacking incentive.

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden

> Sorry, that doesn't hold up entirely.  My ADSL connections to my ISP are 
> being used to route IP addresses that belong to me.  It's a home DSL 
> service coming into my house, but, I have my own portable address space 
> and enough clue to manage my own systems, firewall(s), etc.  Why should 
> I be forced to pay your clue tax?

My arguments are in respect to broadband connections to homes and offices 
without IT department, firewalls or cluefulness. If you own your own IP 
space you'd be considered an ISP, buying transit rather than broadband 
home DSL. What the physical wire looks like the service is delivered on 
really doesn't matter.

If I see your ip space bombarding my mail server I can trace its origin. I 
can contact you and request to fix the problem. If you ignore me, refuse 
to fix the problem I can contact your upstream. Your upstream should then 
have a responsibility to resolve the issue including suspension of 
service if my claims are valid and breach AUP.

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adrian Chadd

On Sun, Jun 13, 2004, Adi Linden wrote:

> The reason this isn't economical today is because ISP lack any 
> responsibility. It is cheaper for an ISP to buy more bandwidth and pass the 
> worms and viruses customers PCs spew to the internet than it is to deal 
> with the problem. Seriously, if I send an ISP reasonable proof that a 
> broadband customer hits my mailserver with thousands of emails an hour I 
> should be able to expect an immediate response. Not hours, days or weeks, 
> minutes and the originating account should be shut down. If this doesn't 
> happen I should be able to go to the upstream of the ISP, present my 
> case, and have connectivity to the ISP suspended. 

Then, start an ISP, charge extra for that kind of maintenance and compete
in the marketplace. See how it works out. I wish you the best of luck,
I really do.

Secondly, I WANT my ISP to require more than just some third party saying
"holy crap, someone's spitting out crap at me. Suspend!". Obviously you've
not been handed Norton Personal firewall logs which CONCLUSIVELY PROVE,
as far as the user is concerned, that MY SQUID reverse proxy server is
spewing out INVALID TCP FLAGS. Not that they could possibly comprehend
what the hell Invalid TCP flags are with the help Norton gives.
I've seen ISPs get "friendly" emails from people who say that they've been
hacked by ${FOO}, received nasty email from ${FOO}, all kinds of crazy
stuff. I'd hate to have my internet connection disabled every week
because some random person decides I'm doing something illegal.

I can understand your point of view. Personally, I'd love it if internet
access was a simple, secure, managed commodity. But it isn't. There are
far, far too many factors involved which you just Don't Get with
water or electricity networks. Specifically, the things you hook up to
your electricity or water network are government controlled with
government guidelines. There are strict penalties for those who break
the rules and there are licences for those who work on them.
I don't see any of this with the internet. You can hook Anything you want
up to an internet connection and have it work if it has a relatively
recent (1990?) TCP/IP stack. There's no _specific_ guidelines on what
can and can't be connected. The ISP has _no_ legal basis in a lot of
cases for terminating accounts when "we" (being the people making noise
on this list) would hope they would. If they do, they possibly expose
themselves legally. Can you imagine the SOHO owner who screams because
he's lost revenue because you shut down his internet connection for a worm?
Even if you have a "bullet proof AUP" you may still end up having to
deal with lawyers and possibly some court time.

So, please explain again, why should an ISP get involved right now?


$AUD0.02.



Adrian

-- 
Adrian Chadd            I'm only a fanboy if
<[EMAIL PROTECTED]>     I emailed Wesley Crusher.





Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Owen DeLong

--On Saturday, June 12, 2004 1:17 PM -0500 Adi Linden <[EMAIL PROTECTED]> wrote:

> > That's like saying provide safe electricity. If someone has a toaster
> > where the wire cracks and they electrocute themselves, or a hair dryer
> > that isn't safe in the bathtub, do you complain that the electric
> > company should provide safe electricity?
>
> The problem with all the comparisons is what you are comparing. Your
> utility has an obligation to provide safe electricity. If you're holding
> your hair dryer while the utility company sends you 25,000 Volts instead
> of 120 Volts you should complain.

Right... And if my ISP started sending me IPX or VINES, I would complain.
However, as long as what they are delivering is properly formed IP packets
with destination addresses within my address ranges, then I have no complaint.
They are delivering what I expect them to deliver.

> > How is bandwidth any different?
>
> It is not any different.

So, we agree... As long as my ISP delivers IP, life is good.  If they deliver
IPX, I should complain.

> > There is no "safe bandwidth". No matter how you look at it it's a two way
> > communications and it's never going to be "safe" as far as the bandwidth
> > goes, just like electricity is power and it's never going to be safe.
> > It's the devices you plug in that need to be made safe.
>
> Computers are devices that are supposed to magically do anything. If I
> purchase a computer to browse the web and send email I should be able to
> obtain "safe bandwidth" that provides web access and email.

Put down the crack pipe before someone gets hurt.  Computers are devices that
are tools, just like hammers, power drills, telephones, chain saws, and
weed whackers.  If you want a computer that is safe to browse the web and
receive mail, you should buy a computer with an appropriate configuration
to support that.  Expecting your ISP to change the internet to suit your
desires is like expecting the power company to provide you with 50 cycle
power because you happened to buy an electric drill that came from Europe
instead of one which was designed for the US electrical system. (US power
is 60 cycles, Europe is 50).  If you use tools, you can get hurt if
you don't take appropriate safety precautions.  You don't expect the hardware
store to make it impossible for you to hit your thumb with the hammer.
You don't expect the power company to make it impossible for you to drill
a hole in your foot with your electric drill.  You don't expect the
phone company to make it impossible for you to make a crank call, and,
you don't expect the hardware store to make it impossible for you to
saw off your leg with the chain saw.  Why do you expect your ISP to make
it impossible for your improper use of an incorrectly configured computer
to get hacked, misused, etc.?

> To compare this with the electricity company, the average home with a
> 200A service is equivalent to NATed and firewalled internet bandwidth.
> As your electricity demands grow (for whatever reason) the electricity
> company upgrades your service, to 3 phase, 600V, whatever. Same with
> internet bandwidth, get a public ip, get a static ip, get ports opened,
> run servers. Just as the upgraded electricity service requires more
> knowledge and equipment so does the upgraded internet bandwidth.

Sorry... I don't agree.  The average home with a 200A service is perfectly
capable of using that electricity to power any electrical device they wish
up to that load.  200A service is equivalent to DSL, but, nothing in that
200A service prevents me from running a toaster, microwave, or refrigerator.
Nothing in that 200A service limits me to a television and a clock-radio.
NATed Firewalled internet service would be equivalent to electrical service
that would only work with televisions and clock-radios, but, would disable
any attempt to run a microwave, refrigerator, toaster, or night-light.
I certainly don't want that from my electric company, and, I don't want
my internet screwed up that way either.

600A three phase is about bigger bandwidth, not different services.  True,
there are devices that require three phase power, but, if they don't require
more power than is available in a 200A 220V services, guess what, they can
be run off of household service by using a transformer to convert the household
service to 3phase and handle the voltage conversion as well.  A transformer
is a simple, and, generally inexpensive device which the user could even
make themselves if they so desired (although I don't recommend this).

To continue the analogy, 200A 220V household service is like DSL or Cable.
600A 208V three phase is like a T1.  2000A 7KV three phase is like a DS3.
To the best of my knowledge, all of these services can be made to work
with any electrical device that doesn't require more power (bandwidth)
than the service can deliver.

Owen

--
If it wasn't crypto-signed, it probably didn't come from me.




Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-13 Thread Adi Linden

> The better analogy is what happens when you leave your oven on for 8 days 
> straight? Assuming your house doesn't burn down, should you have to pay the 
> electric bill for those 8 days? Hell yeah. It's impossible to separate what 
> was "legit" energy use and what was from the oven, and it's not their fault 
> you didn't turn it off anyway. And in the worst case, if your house burns 
> down, it's STILL not their fault!

This had somewhat deviated from the original post and who is responsible 
for the bandwidth bill. When you buy a metered service, be it electricity, 
water, bandwidth, you pay what you use. It is not the supplier's 
responsibility to determine what you do with it and question your 
consumption.

I think it is foolish to buy a metered service without ceiling and leave 
things wide open. When I buy metered bandwidth I demand a hard limit. If I 
reach this hard limit I expect to be notified and cut off. If my upstream 
neglects to cut me off, consumption above and beyond the hard limit is 
their burden since they didn't meet their contractual obligation. A simple 
solution.

> Commodity internet access is a one-size-fits-all game plan. At most, 
> there's a second size, residential or business. But any user of either plan 
> can be compared to any other user of the same plan, and the provider will 
> treat them the same. It's too difficult, and doesn't pay, to try and treat 
> them differently. The extra $10 a month isn't going to justify the $20 
> spent making the changes or talking to the person on the phone.

And that is a problem. Unlike your electricity, where the supplier has an 
obligation to provide a certain level of clean energy, there is nothing 
like it with internet bandwidth. All the crud and exploits are dutifully 
forwarded to the customer.

Some argue that clueful internet consumers are the answer. Prove your 
knowledge in being able to secure devices connected to the internet and 
maintain them properly. The "Internet driver's license" is proof of 
proficiency in this case.

I argue that this is way overboard. I don't believe anyone should require 
any particular knowledge to obtain an internet connection and use the 
internet. Instead internet needs to be available as a clean conditioned 
service for consumption by the clueless.

The reason this isn't economical today is because ISPs lack any 
responsibility. It is cheaper for an ISP to buy more bandwidth and pass the 
worms and viruses customers PCs spew to the internet than it is to deal 
with the problem. Seriously, if I send an ISP reasonable proof that a 
broadband customer hits my mailserver with thousands of emails an hour I 
should be able to expect an immediate response. Not hours, days or weeks, 
minutes and the originating account should be shut down. If this doesn't 
happen I should be able to go to the upstream of the ISP, present my 
case, and have connectivity to the ISP suspended. 

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Rob Nelson

> To compare this with the electricity company, the average home with a 200A
> service is equivalent to NATed and firewalled internet bandwidth. As your
> electricity demands grow (for whatever reason) the electricity company
> upgrades your service, to 3 phase, 600V, whatever. Same with internet
> bandwidth, get a public ip, get a static ip, get ports opened, run
> servers. Just as the upgraded electricity service requires more knowledge
> and equipment so does the upgraded internet bandwidth.

The biggest problem with this is that, so long as the lines support it, 
your electric company will send you as few or as many amps as you need, 
when you need it. They also make sure they don't send you 1200 amps on a 
#14 wire, which would probably cause a significant portion of your wiring 
to smoke, if not burn.

With internet access, how easy is it to suddenly turn off NAT, stop 
redirecting all SMTP access to your anti-everything spam free SMTP server, 
remove the firewalls blocking outbound IPSec packets and inbound SSH? How 
quickly can it be done? How much should be charged for it?

The better analogy is what happens when you leave your oven on for 8 days 
straight? Assuming your house doesn't burn down, should you have to pay the 
electric bill for those 8 days? Hell yeah. It's impossible to separate what 
was "legit" energy use and what was from the oven, and it's not their fault 
you didn't turn it off anyway. And in the worst case, if your house burns 
down, it's STILL not their fault!

Commodity internet access is a one-size-fits-all game plan. At most, 
there's a second size, residential or business. But any user of either plan 
can be compared to any other user of the same plan, and the provider will 
treat them the same. It's too difficult, and doesn't pay, to try and treat 
them differently. The extra $10 a month isn't going to justify the $20 
spent making the changes or talking to the person on the phone.

Rob Nelson
[EMAIL PROTECTED]


Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Adi Linden

> If we would properly follow the analogy above, ISPs should provide a 
> "security fuse" which would disconnect the user when blown. Paul called 
> this "cyberjail" if I follow his thoughts. All efforts above this should 
> be charged separately or be part of "better general level of service". 
> You can also charge for letting people out of the jail. Make it $50 or 
> $100 a pop, not to be outrageous but justifiable.

Absolutely.

Properly managing one's bandwidth needs to be less expensive than the 
penalty for abuse. 

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Petri Helenius
Adi Linden wrote:

> To compare this with the electricity company, the average home with a 200A
> service is equivalent to NATed and firewalled internet bandwidth. As your
> electricity demands grow (for whatever reason) the electricity company
> upgrades your service, to 3 phase, 600V, whatever. Same with internet
> bandwidth, get a public ip, get a static ip, get ports opened, run
> servers. Just as the upgraded electricity service requires more knowledge
> and equipment so does the upgraded internet bandwidth.

If we would properly follow the analogy above, ISPs should provide a 
"security fuse" which would disconnect the user when blown. Paul called 
this "cyberjail" if I follow his thoughts. All efforts above this should 
be charged separately or be part of "better general level of service". 
You can also charge for letting people out of the jail. Make it $50 or 
$100 a pop, not to be outrageous but justifiable.

Pete


Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Adi Linden

> That's like saying provide safe electricity. If someone has a toaster where
> the wire cracks and they electrocute themselves, or a hair dryer that isn't
> safe in the bathtub, do you complain that the electric company should
> provide safe electricity?

The problem with all the comparisons is what you are comparing. Your 
utility has an obligation to provide safe electricity. If you're holding 
your hair dryer while the utility company sends you 25,000 Volts instead 
of 120 Volts you should complain. 

> How is bandwidth any different?

It is not any different.

> There is no "safe bandwidth". No matter how you look at it it's a two way
> communications and it's never going to be "safe" as far as the bandwidth
> goes, just like electricity is power and it's never going to be safe. It's
> the devices you plug in that need to be made safe.

Computers are devices that are supposed to magically do anything. If I 
purchase a computer to browse the web and send email I should be able to 
obtain "safe bandwidth" that provides web access and email.

To compare this with the electricity company, the average home with a 200A 
service is equivalent to NATed and firewalled internet bandwidth. As your 
electricity demands grow (for whatever reason) the electricity company 
upgrades your service, to 3 phase, 600V, whatever. Same with internet 
bandwidth, get a public ip, get a static ip, get ports opened, run 
servers. Just as the upgraded electricity service requires more knowledge 
and equipment so does the upgraded internet bandwidth.

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Adi Linden

> The problem with this is one of who pays for it.

The customer.

> You are talking about an environment where the newcomers and non-experts 
> require significantly more intervention in how things are done and what they 
> can do than the more experienced hands.

I am talking about an environment that applies significant filtering 
before packets are delivered to the customer. NAT, firewall, proxy I 
don't think it is all that difficult to do.

> Do you charge the newbies more to cover this level of protection, or do you 
> spread the charges across your entire userbase to avoid impacting one 
> segment?

This protection is a basic service. Opening ports, supplying a real ip 
address, removing the proxy are the add-on items that increase the cost of 
the connection.

> If you raise the prices for newbies then you will automatically have newcomers 
> going for the cheaper, more "raw", service and negating any advantages you 
> have to a tiered product set with protection at the bottom.

Raise the price of the "raw" service. Keeping in mind I am talking about 
broadband connections to homes and small offices, not bandwidth for larger 
organizations that should have an IT department.

> If you spread the charges then the users who require less handholding are 
> going to get upset when their prices are hiked to cover functionality they 
> will never use.

An ISP has a responsibility in regards of the packets transported. I get 
the impression that most ISPs prefer to be "packet movers". Move packets 
from point A to point B without monitoring, intervention or any other 
responsibilities or obligations. This is quite appropriate for an ISP 
serving corporate clients with large pipes, where IP space is assigned 
from the ISP to the client. Once we're talking about providers that serve 
homes and small offices this should be different. The ISP holds the IP 
space so it should be held responsible for the packets originating from 
these IPs to some degree.

In other words, if I provide proof that ip w.x.y.z is the source of 
unsolicited email (these days probably because of a compromised host) I 
firmly believe that it is the ISP's responsibility to either provide contact 
information on who owns this IP and/or manage the traffic to eliminate the 
abuse. I am convinced that the cost of looking after the "raw" clients 
will be much greater than the cost of providing "conditioned" bandwidth.

Adi



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Mark Kent

Maybe I'm a little slow on the draw, but I've just now realized 
that we've come full circle, in a strange sort of way.

8 to 10 years ago the discussions were dominated by Karl D(1),
where *everything* was defined as to whether it was "actionable" or not.
Now the discussions are dominated by many people, acting like
Karl D, where their view is solely based on whether
their contract supports either what they do or don't do.

-mark

(1) Actual name not shown to avoid being sued.


Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Geoincidents

- Original Message - 
From: "Adi Linden" <[EMAIL PROTECTED]>

> Provide a safe network connection. I believe an ISP should provide a safe
> environment to play, assuming the customer is innocent granny. Your
> average DSL network connection should be safe by default, so a default
> Win98 (or any other OS) can be connected without fear of compromise.

That's like saying provide safe electricity. If someone has a toaster where
the wire cracks and they electrocute themselves, or a hair dryer that isn't
safe in the bathtub, do you complain that the electric company should
provide safe electricity?

How is bandwidth any different?

There is no "safe bandwidth". No matter how you look at it it's a two way
communications and it's never going to be "safe" as far as the bandwidth
goes, just like electricity is power and it's never going to be safe. It's
the devices you plug in that need to be made safe.

The only thing ISPs can do is damper bandwidth, try and limit feedback/flow
rates so we don't have a single tree take out the electrical network in the
northeast.

Geo.



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Paul S. Brown

On Saturday 12 June 2004 14:53, Adi Linden wrote:
> > Been there, done that.  Got any new ideas?
>
> Provide a safe network connection. I believe an ISP should provide a safe
> environment to play, assuming the customer is innocent granny. Your
> average DSL network connection should be safe by default, so a default
> Win98 (or any other OS) can be connected without fear of compromise.
>
> I really don't agree with the "Internet driver's license" concept as
> presented. It really is not an "Internet driver's license" but a
> "Microsoft Safe Operating License". A one fits all type arrangement. Who
> sets the standard?
>
> The plug that connects to the internet world needs to scale with the level
> of expertise of the user. This needs to include a beginners level for the
> clueless with safe email and safe browsing.
>

The problem with this is one of who pays for it.

You are talking about an environment where the newcomers and non-experts 
require significantly more intervention in how things are done and what they 
can do than the more experienced hands.

Do you charge the newbies more to cover this level of protection, or do you 
spread the charges across your entire userbase to avoid impacting one 
segment?

If you raise the prices for newbies then you will automatically have newcomers 
going for the cheaper, more "raw", service and negating any advantages you 
have to a tiered product set with protection at the bottom.

If you spread the charges then the users who require less handholding are 
going to get upset when their prices are hiked to cover functionality they 
will never use.

The only real way to enforce product stratification on this scale where people 
are introduced safely and then educated and given more freedom is to enforce 
some kind of metric on what is a permissible clue level to move to the next 
stratum of service with less handholding. This means ISPs effectively having 
to vet all of their customers when they try to upsell. The alternative to 
this is a multilateral "driving license" whereby simply having the piece of 
paper gets you the cheaper, rawer service.

If handholding was for everyone then AOL would be the only service provider 
and the rest of us wouldn't exist. None of the suits who run the companies 
represented here are going to do anything to impact their bottom line, so 
refusing to take customers on a skill basis isn't going to happen.

I don't really see that it's the ISPs job to make the net less frightening for 
the customers. It should be down to the OS vendors of whatever shape and the 
application vendors to ensure that their products are as secure as they can 
reasonably be which is not currently the case. What you are proposing with 
the "protect granny at all costs" approach is giving software vendors an 
excuse to code crappy product because there won't be any impact. Do you fancy 
subsidising Microsoft in the long term?

P.



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Adi Linden

> Been there, done that.  Got any new ideas?

Provide a safe network connection. I believe an ISP should provide a safe 
environment to play, assuming the customer is innocent granny. Your 
average DSL network connection should be safe by default, so a default 
Win98 (or any other OS) can be connected without fear of compromise.

I really don't agree with the "Internet driver's license" concept as 
presented. It really is not an "Internet driver's license" but a 
"Microsoft Safe Operating License". A one fits all type arrangement. Who 
sets the standard?

The plug that connects to the internet world needs to scale with the level 
of expertise of the user. This needs to include a beginners level for the 
clueless with safe email and safe browsing.

Adi 



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Petri Helenius
Sean Donelan wrote:

>> and you would certainly not offer your services without a clear idea of how
>> to reach the customer and assist them in getting out of cyberjail --
>
> Done. Effectiveness?

If you do this and keep them there until they are fixed, your network 
should qualify as a good neighborhood and the influx of email into your 
abuse@ addresses should be minimal.

Eventually they'd either clean up or move elsewhere. If the places to 
move to would be small enough in numbers, they could be filtered from 
the rest of the Internet.

Pete


Re: Points on your Internet driver's license (was RE: Even you can be hacked)

2004-06-12 Thread Michael Painter

- Original Message - 
From: "Randy Bush" <[EMAIL PROTECTED]>
To: "Jonathan Nichols" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, June 11, 2004 3:32 PM
Subject: Re: Points on your Internet driver's license (was RE: Even you can be hacked)


>
> > http://lawandhelp.com/q298-2.htm
>
> while i am no fan of macdonalds, and a good case is made for
> their negligence, perhaps you should follow the advice at the
> bottom of that web page
>
> The most important message this case has for you, the
> consumer, is to be aware of the potential danger posed
> by your early morning pick-me-up.
>
> randy
>

Yep...and after 65 years (assuming she started drinking coffee at 16), "reasonable expectation" of the temperature comes to mind.
I don't go to these kinds of places...has the temperature been climbing up in order to let you have a drinkable cup after (whatever you do) an hour?

--Michael



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-12 Thread Sean Donelan

On Sat, 12 Jun 2004, Paul Vixie wrote:
> in any other industry, you (the isp) would do a simple risk analysis
> and start treating the cause rather than the symptom.

What other industry do you know where you are expected to fix products
you didn't sell and didn't cause for free?  Should we revoke Carterphone?
You can't connect a Tivo or unauthorized device to your ISP connection,
and ISP would remotely control all the devices on your home network to
ensure they are patched and secure.

Send me your root passwords.  Trust me.


> for example you
> might offer inbound filtering,

Done. Effectiveness?

> cleanup tools and services,

Done. Effectiveness?

> and you would put their computer in cyberjail when it was known to be
> "infected",

Done. Effectiveness?

> and you would certainly not offer your services without a clear idea of how
> to reach the customer and assist them in getting out of cyberjail --

Done. Effectiveness?

> even if it meant rolling a technician.

Done. Effectiveness?


Been there, done that.  Got any new ideas?


> no.  there should be a forfeitable deposit, plus a per-incident fee which is
> mostly to pay for the cost of monitoring and the cost of auditing the host
> to ensure that it complies with the isp's security policy before it can be
> reattached.  the deposit can be refunded after N years of incident-free
> behaviour, and should be doubled after each verified incident.

How much are you willing to pay?

The bank industry makes billions from late payments, overdrafts, charge
backs.  It makes banks a lot of money, and puts people in bankruptcy, but
doesn't seem to be very good at teaching people to handle credit wisely.

People already think ISPs make money from infected computers and spammers.
What incentive would there be for people to fix things instead of just paying
them off?  Is it Ok to spam, as long as you pay a lot?  Is it Ok to leave
an infected computer on the network, as long as you pay a lot?  Haven't
you just described what "bullet-proof" web hosting companies do?

How do we create incentives for people to want to buy more secure
products?  Why do people continue to buy Windows instead of Macs?
Cars have a gas guzzler tax to encourage fuel efficiency; should Windows
computers have a security guzzler tax to encourage security?


> > Should it be like points on your Internet driver's license?  For the
> > first incident you have to attend 8-hour traffic school, for the second
> > incident in 12 months you have points put on your record and your
> > insurance rates go up.  Too many points, and your Internet privileges are
> > revoked.
>
> alas.  on the internet, nobody knows you're a dog.

Regulations could fix that.

The US Postal Service has the Postal Inspection Service.  They have
jurisdiction anywhere the mail goes.  The post office didn't create
the Anthrax, they delivered the envelopes as addressed.

Most railroads have railroad police with jurisdiction anywhere the
railroad tracks go.  Some railroad police departments have trans-national
jurisdiction in multiple countries.

Do we need an Internet Police with jurisdiction anywhere the Internet
goes?  Instead of waiting for the FBI to make a case, the ISP police
could arrest people.

Should ISPs be required to forward all their customer information
and logs to the Department of Homeland Security (or other national
equivalent) so they always know who is doing what.  Would that solve
the no one knows you're a dog problem?



OT Re: Points on your Internet driver's license (was RE: Even you can be hacked)

2004-06-12 Thread Peter Galbavy

> Or, go see the movie "Super Size Me" - you might just give up McDonald's
> entirely, reducing your risk of burns from their overheated coffee. :)

Haven't been in one in over 2 years - and not through any great principle, I
just stopped. Odd how our tastes change with age ;-)

Peter



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-11 Thread Randy Bush

> alas.  on the internet, nobody knows you're a dog.

http://www.nettime.org/Lists-Archives/nettime-l-0405/msg00057.html



Re: Points on your Internet driver's license (was RE: Even you can be

2004-06-11 Thread Paul Vixie

[EMAIL PROTECTED] (Sean Donelan) writes:

> ...
> 
> Why do so many people ignore their ISP when told about problems with
> their computer?  My computer can't be infected, I have a firewall.

in any other industry, you (the isp) would do a simple risk analysis
and start treating the cause rather than the symptom.  for example you
might offer inbound filtering, cleanup tools and services, and you would
put their computer in cyberjail when it was known to be "infected", and
you would certainly not offer your services without a clear idea of how
to reach the customer and assist them in getting out of cyberjail --
even if it meant rolling a technician.

but then you'd have to charge for all that.  and in the isp business,
you'd have competitors who wouldn't offer it and wouldn't charge for it,
and you'd lose business or maybe even go out of business.

with the unhappy result being that you just let it happen, which is bad
for your customers, and bad for the rest of us on the internet, but not
nearly as bad for you (the isp).  for you (the isp), every possible cure
is worse than the disease.  but you don't seem to mind that the rest of
us, and your customers, catch various diseases, as long as *you're* ok.

feh.

> Paul Vixie proposed that people should be required to use personal Co-Lo
  ^^(1)
> so the co-lo provider has collateral to seize when the customer fails to
^^^(2)
> keep the computer secure.

well, no.  i (1) said that people who had personal co-lo boxes in better
internet neighborhoods and who could just use their cable or dsl line
for web browsing and for access to their personal co-lo box would have
less of their e-mail rejected at the far end.  and as for (2), i think
that anyone who co-lo's a personal box is likely to first learn how to
pay enough attention to it that it will not become a malagency for third
parties, and that a co-lo operator who only had such customers would be
able to charge enough to pay for some monitoring and cleanup and so on;
the possibility of seizure is more for the case of deliberate abuse (like
ddos'ing an irc server, or sending spam, or hosting spamvertized www)
than third party abuse.

see  for more information about all that.
and note that i'm broadening it to include smtp-auth/webdav/ftp providers
who want to serve basically the same market but without dedicated iron.  so
if you offer that and haven't told me, then please tell me now.

> Would customers complain if ISPs started seizing their computers instead
> of sending them large bills?

that's so unsequitur that i don't even know how to read it let alone answer.

> Should ISP's charge customers cleanup fees to encourage them to keep
> their computers secure?

yes.

> $10 or $100 or $1,000 per incident?

no.  there should be a forfeitable deposit, plus a per-incident fee which is
mostly to pay for the cost of monitoring and the cost of auditing the host
to ensure that it complies with the isp's security policy before it can be
reattached.  the deposit can be refunded after N years of incident-free
behaviour, and should be doubled after each verified incident.

> Should it be like points on your Internet driver's license?  For the
> first incident you have to attend 8-hour traffic school, for the second
> incident in 12 months you have points put on your record and your
> insurance rates go up.  Too many points, and your Internet privileges are
> revoked.

alas.  on the internet, nobody knows you're a dog.
-- 
Paul Vixie


Re: Points on your Internet driver's license (was RE: Even you can be hacked)

2004-06-11 Thread Jonathan Nichols
Randy Bush wrote:

>> http://lawandhelp.com/q298-2.htm
>
> while i am no fan of macdonalds, and a good case is made for
> their negligence, perhaps you should follow the advice at the
> bottom of that web page
>
> The most important message this case has for you, the
> consumer, is to be aware of the potential danger posed
> by your early morning pick-me-up.
>
> randy

Or, go see the movie "Super Size Me" - you might just give up McDonald's 
entirely, reducing your risk of burns from their overheated coffee. :)



Re: Points on your Internet driver's license (was RE: Even you can be hacked)

2004-06-11 Thread Randy Bush

> http://lawandhelp.com/q298-2.htm

while i am no fan of macdonalds, and a good case is made for
their negligence, perhaps you should follow the advice at the
bottom of that web page

The most important message this case has for you, the
consumer, is to be aware of the potential danger posed
by your early morning pick-me-up.

randy



Re: Points on your Internet driver's license (was RE: Even you can be hacked)

2004-06-11 Thread Jonathan Nichols

> attending a game.  we sue for spilling hot coffee on
> ourselves.

http://lawandhelp.com/q298-2.htm

Interesting reading on that whole "woman sues for spilling hot coffee on 
herself" story. Sometimes there's a LOT more to the tale. :)




Re: Points on your Internet driver's license (was RE: Even you can be hacked)

2004-06-11 Thread Henry Linneweh

Scalable bandwidth is not new and is charged for, what
is the issue about that?

If the network is compromised and it is on the client
end, that is what business insurance is for, so that
everyone gets theirs (payments, otherwise other types
of arrangements need to be made, according to the
doctrine of reasonable man

-henry R Linneweh



--- Adi Linden <[EMAIL PROTECTED]> wrote:
>
> > If your child borrows your credit card, and makes lots of unauthorized
> > charges, you may not have to pay more than $50; but the bank can go after
> > your son or daughter for the money.  Most parents end up paying, even if
> > they didn't authorize their children to use the credit card.
>
> So the credit card company calls you and asks about a bunch of suspicious
> charges being placed on your card. Ok, just keep on charging. Now who's to
> blame for these charges by your sons and daughters and the russian mafia?
>
> I sell a client a metered product (gas, water, electricity, telephone,
> internet data, etc). I notice unusually high consumption. I inform the
> client that the bill is accumulating rather quick and I suspect a problem.
> I have done my job. The client either tells me to stop delivery until the
> problem is diagnosed and resolved or tells me to continue service. Either
> way, the ball is in the client's court. If the client chooses continuation
> of service despite high consumption and subsequent huge bill he has an
> obligation to pay, no matter WHY the usage was too high.
>
> Our society has a screwed up sense of responsibility. Everyone else is
> supposed to look out for me and take care of me. If something happens to
> me because I do something stupid or foolish someone failed to warn me,
> didn't make the sign big enough, didn't sound the horn loud enough, didn't
> lock me up so I couldn't hurt myself. This isn't true for everybody but
> way too many
>
> Adi



Re: Points on your Internet driver's license (was RE: Even you can be hacked)

2004-06-11 Thread Adi Linden

> If your child borrows your credit card, and makes lots of unauthorized
> charges, you may not have to pay more than $50; but the bank can go after
> your son or daughter for the money.  Most parents end up paying, even if
> they didn't authorize their children to use the credit card.

So the credit card company calls you and asks about a bunch of suspicious 
charges being placed on your card. Ok, just keep on charging. Now who's to 
blame for these charges by your sons and daughters and the russian mafia?

I sell a client a metered product (gas, water, electricity, telephone, 
internet data, etc). I notice unusually high consumption. I inform the 
client that the bill is accumulating rather quick and I suspect a problem. 
I have done my job. The client either tells me to stop delivery until the 
problem is diagnosed and resolved or tells me to continue service. Either 
way, the ball is in the client's court. If the client chooses continuation 
of service despite high consumption and subsequent huge bill he has an 
obligation to pay, no matter WHY the usage was too high.

Our society has a screwed up sense of responsibility. Everyone else is 
supposed to look out for me and take care of me. If something happens to 
me because I do something stupid or foolish someone failed to warn me, 
didn't make the sign big enough, didn't sound the horn loud enough, didn't 
lock me up so I couldn't hurt myself. This isn't true for everybody but 
way too many

Adi




Re: Points on your Internet driver's license (was RE: Even you can be hacked)

2004-06-11 Thread Randy Bush

we americans do not readily accept responsibility for our
[in]actions.  we sue for being hit by a baseball while
attending a game.  we sue for spilling hot coffee on
ourselves.  we sue when we walk into open trenches and
manholes.  and we self-righteously torture, commit war
crimes, and murder, at a digital distance, and expect
immunity in the world opinion and courts.

it's a small planet, but our culture still has the vision
of the infinite resources of the frontier.  so, if i can't
get what i want, or if i get what i don't want, surely
someone else is at fault.

randy, who clearly has pontificated enough for the day



Points on your Internet driver's license (was RE: Even you can be hacked)

2004-06-11 Thread Sean Donelan

On Fri, 11 Jun 2004, David Schwartz wrote:
> generated by a worm. The ISP had an obligation to stop this traffic with
> filters or customer disconnection. They may or may not have complied with
> their obligation. Either way, it's hard to see why the customer should pay
> for traffic the ISP did not or should not have delivered.

ISPs deliver properly addressed packets to their destination (the return
address sometimes isn't checked).

Do ISPs have an obligation to stop certain packets, based on what?  What
does your contract say?  Did you pay the ISP to provide filters?  Did you
include a phrase that said the ISP had to give you 30 days notice and
reasonable time to cure the breach before the ISP could terminate your
service?  Did the contract say the ISP would block traffic generated by
worms?

As people regularly point out, the Internet is a dangerous place.  Is
it as dangerous as going to a baseball game?

  BOSTON, Massachusetts (AP) -- A woman who was seriously injured by a
  foul ball at Fenway Park has no grounds to sue because she assumed a
  risk by attending the baseball game, a state appeals court ruled.

  The Red Sox "had no duty to warn the plaintiff of the obvious danger of
  a foul ball being hit into the stands," the court said Wednesday in
  blocking Jane Costa's personal injury lawsuit from going to trial.

It would be much easier if evil doers followed RFC3514.  Determining
"intent" from the bits is difficult.  If you call a customer up and
ask Did you know your computer is generating a lot of network traffic
and your bill will be very large; the customer says Ok.  What should
you do?  Assume the customer is an idiot, and even though they said
Ok, you should cut off their Internet connection anyway.

If your child borrows your credit card, and makes lots of unauthorized
charges, you may not have to pay more than $50; but the bank can go after
your son or daughter for the money.  Most parents end up paying, even if
they didn't authorize their children to use the credit card.

If the bank sends you an ATM or debit card statement, and you fail to
report unauthorized transfers on the statement after 60 days you may be
responsible for unlimited loss.  You can lose a lot of money if you think
it's other people's responsibility to protect you.  You are responsible for
reviewing the statement and informing the bank of unauthorized activity;
not the bank.

Why do so many people ignore their ISP when told about problems with their
computer?  My computer can't be infected, I have a firewall.

Paul Vixie proposed that people should be required to use personal Co-Lo
so the co-lo provider has collateral to seize when the customer fails to
keep the computer secure.  Would customers complain if ISPs started
seizing their computers instead of sending them large bills?

Should ISPs charge customers cleanup fees to encourage them to keep
their computers secure?  $10 or $100 or $1,000 per incident?  Should it
be like points on your Internet driver's license?  For the first incident
you have to attend 8-hour traffic school, for the second incident in 12
months you have points put on your record and your insurance rates go
up.  Too many points, and your Internet privileges are revoked.