Re: Schneier: ISPs should bear security burden

2005-05-02 Thread Suresh Ramasubramanian

On 5/2/05, Joe Maimon [EMAIL PROTECTED] wrote:
 
 Isn't it a much simpler world where simply having rDNS lends the
 assumption of a supported static system as opposed to none?
 

yup, like ppp-12345.townname.dialup.example.com

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: Schneier: ISPs should bear security burden

2005-05-02 Thread Paul Vixie

[EMAIL PROTECTED] (Mark Andrews) writes:

   By continuing to lump filtered and unfiltered addresses together
   you are throwing out the baby with the bath water.

the smtp protocol was designed in a time when ~Mbit/sec connections did not
yet exist, and ~10Kbit/sec connections cost many thousands of dollars per
month, and were used only by people who could prove membership in an
established meatspace trust fabric (i have a gov't research contract)
and whose hosts cost hundreds of thousands, or millions, of dollars, each
having dedicated technical staff.

expecting the same protocol to be used when ~Mbit/sec connections are held
by hundreds of millions of uneducated users with hundred-dollar hosts is
absurd.  but in spite of enhancements like EHLO and AUTH, most internet
e-mail is sent with the same level of authentication/confidence as before.
the natural market outcome is to throw a lot of babies out with bathwater.

see http://www.isc.org/personalcolo/ for the longer version of this rant,
and just know that i reject ~many spams a day by refusing all mail from
SBC's DSL blocks, with ~few false positives.  that's SBC, alone.

if you want different bathwater, it is available.  there are still
high-rent neighborhoods with high default expectations of the quality of
traffic emanating from same.  live in one, or at least rent a mailbox in
one.  asking people to accept e-mail from DSL networks is absurd, since
they would have to act against their own best interests, and they ~know it.
-- 
Paul Vixie


Re: Schneier: ISPs should bear security burden

2005-05-02 Thread Steven Champeon

on Sun, May 01, 2005 at 10:40:21PM -0400, Joe Maimon wrote:
 What does the rest of the internet gain when all IPs have boilerplate 
 reverse DNS setup for them, especially with all these wildly differing 
 and wacky naming conventions?

I don't care what the rest of the Internet gains, but I can say that
knowing something about these wildly differing and wacky naming
conventions has cut my spam load down by 98% or more. By knowing who
names their networks what, even wild-assed guesses at times have kept
the DDoS that is spam botnets from destroying the utility of email here.
 
 Isn't it a much simpler world where simply having rDNS lends the 
 assumption of a supported static system as opposed to none?

Bwahahaha. You mean supported static systems like:

not-a-legal-address [140.113.12.106]
66.domain.tld [216.109.16.66]
customer-reverse-entry.209.213.197.128 [209.213.197.128]
suspended.for.aup.violation [216.41.37.5]
unassigned [66.240.153.10]
unassigned-64.23.24.128 [64.23.24.128]
alameda.net.has.not.owned.this.ip.for.more.then.four.years [209.0.51.16]
nolonger.a.customer.cancelled.for.AUPviolation [209.208.31.84]

...just to pick a few? I believe Suresh has already supplied the answer
to the question of rDNS having anything to do with staticity.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html


Re: Schneier: ISPs should bear security burden

2005-05-02 Thread Paul Vixie

i wrote:

 see http://www.isc.org/personalcolo/ for the longer version of this rant,

and clearly my espresso hadn't hit yet, because that was wrong.  someone said:

 Hey Paul,
 
 FYI, that link doesn't work. :)

and of course, the real link is http://www.vix.com/personalcolo/.  sorry!


Re: Schneier: ISPs should bear security burden

2005-05-02 Thread Joe Maimon

Steven Champeon wrote:
on Sun, May 01, 2005 at 10:40:21PM -0400, Joe Maimon wrote:
What does the rest of the internet gain when all IPs have boilerplate 
reverse DNS setup for them, especially with all these wildly differing 
and wacky naming conventions?

I don't care what the rest of the Internet gains, but I can say that
knowing something about these wildly differing and wacky naming
conventions has cut my spam load down by 98% or more. By knowing who
names their networks what, even wild-assed guesses at times have kept
the DDoS that is spam botnets from destroying the utility of email here.
 

That's not quite what I was asking. Would you not have preferred being 
able to do all the above simply by being able to assume that all these 
dialup systems would not have any RDNS?

The question restated is what is the benefit in advocating dialup 
names as opposed to simply recommending that dialup ranges get NO rDNS?

For spam/abuse prevention it surely is less useful. It's much easier to 
block IP with no rDNS than to maintain a list of patterns of rDNS that 
should be blocked.

I understand that RFCs recommend/require it. I want to know about 
specific benefits to the internet at large (not to the user who now has 
rDNS)

Given a choice between ISP using unpredictable naming patterns or no 
name for dialup ranges, what would your preference be?

Isn't it a much simpler world where simply having rDNS lends the 
assumption of a supported static system as opposed to none?

Bwahahaha. You mean supported static systems like:
not-a-legal-address [140.113.12.106]
66.domain.tld [216.109.16.66]
customer-reverse-entry.209.213.197.128 [209.213.197.128]
suspended.for.aup.violation [216.41.37.5]
unassigned [66.240.153.10]
unassigned-64.23.24.128 [64.23.24.128]
alameda.net.has.not.owned.this.ip.for.more.then.four.years [209.0.51.16]
nolonger.a.customer.cancelled.for.AUPviolation [209.208.31.84]
...just to pick a few? I believe Suresh has already supplied the answer
to the question of rDNS having anything to do with staticity.

Exactly the problem.


Re: Schneier: ISPs should bear security burden

2005-05-02 Thread Steven Champeon

on Mon, May 02, 2005 at 01:16:40PM -0400, Joe Maimon wrote:
 Steven Champeon wrote:
 on Sun, May 01, 2005 at 10:40:21PM -0400, Joe Maimon wrote:
 
 What does the rest of the internet gain when all IPs have boilerplate 
 reverse DNS setup for them, especially with all these wildly differing 
 and wacky naming conventions?
 
 
 I don't care what the rest of the Internet gains, but I can say that
 knowing something about these wildly differing and wacky naming
 conventions has cut my spam load down by 98% or more. By knowing who
 names their networks what, even wild-assed guesses at times have kept
 the DDoS that is spam botnets from destroying the utility of email here.
 
 That's not quite what I was asking. Would you not have preferred being 
 able to do all the above simply by being able to assume that all these 
 dialup systems would not have any RDNS?

No.
 
 The question restated is what is the benefit in advocating dialup 
 names as opposed to simply recommending that dialup ranges get NO rDNS?

More information is always better.
 
 For spam/abuse prevention it surely is less useful. It's much easier to 
 block IP with no rDNS than to maintain a list of patterns of rDNS that 
 should be blocked.

Surely. And yet, knowing that Comcast addresses are responsible for
a third of the abuse against my mail server is easier when all of the
hosts' rDNS ends in comcast.net, so I don't need to do whois lookups
on each IP.

 I understand that RFCs recommend/require it. I want to know about 
 specific benefits to the internet at large (not to the user who now has 
 rDNS)
 
 Given a choice between ISP using unpredictable naming patterns or no 
 name for dialup ranges, what would your preference be?

Predictable naming conventions, preferably right-anchored, such as

'.dialup.dynamic.example.net'

If you're saying that's not possible, then I'd prefer unpredictable
names over no rDNS at all (though preferably at least consistently
implemented within a given rDNS domain)...



Re: Schneier: ISPs should bear security burden

2005-05-02 Thread Valdis . Kletnieks
On Mon, 02 May 2005 13:16:40 EDT, Joe Maimon said:

 That's not quite what I was asking. Would you not have preferred being 
 able to do all the above simply by being able to assume that all these 
 dialup systems would not have any RDNS?

Not having any RDNS would help, but...

 Given a choice between ISP using unpredictable naming patterns or no 
 name for dialup ranges, what would your preference be?

I'd prefer unpredictable - because as squirrelly as *that* is, it's better than
the mess we'll see when the clueless bozos decide that having an internally
visible RDNS is useful to them, and they botch deploying split views for
inside and outside.. over and over in myriad different ways 




Re: Schneier: ISPs should bear security burden

2005-05-01 Thread Jay R. Ashworth

On Wed, Apr 27, 2005 at 09:25:55AM -0400, Edward Lewis wrote:
 It would be nice if the ISPs protected me from bad stuff on the 
 Internet - but why are they to be held to a higher standard than 
 similar services?

Have we drifted?

I thought the topic was tragedy of the commons, not protect the end
users...?

Cheers,
-- jra
-- 
Jay R. Ashworth    [EMAIL PROTECTED]
Designer  Baylink RFC 2100
Ashworth & Associates    The Things I Think    '87 e24
St Petersburg FL USA  http://baylink.pitas.com +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me


Re: Schneier: ISPs should bear security burden

2005-05-01 Thread Jay R. Ashworth

On Wed, Apr 27, 2005 at 08:06:51AM -0400, Greg Boehnlein wrote:
 On Wed, 27 Apr 2005, Fergie (Paul Ferguson) wrote:
  I've been there -- I know how I feel about it -- but I'd love
  to know how ISP operations folk feel about this.
 
 Of course Bruce Schneider is going to allocate ISP's handling security so 
 he can sell them more of his crappy Counterpane products. I find it 
 offensive that Mr. Schneider would categorize ISPs as lazy and 
 irresponsible, and it does nothing but encourage me to sell anything BUT 
 Counterpane to my customers.

He doesn't, as noted, sell much by way of products... and please
spell his name correctly.

Cheers,
-- jr 'or is that the New Age spelling?' a


Re: Schneier: ISPs should bear security burden

2005-05-01 Thread Jay R. Ashworth

On Wed, Apr 27, 2005 at 12:56:00PM -0700, Owen DeLong wrote:
 Not only do I not know this, I find it to be patently false.  Yes, I think
 a high percentage of users is too ignorant to know what they need or how
 to get it.  However, protecting them from that ignorance only propagates
 and perpetuates it.  Pain is one of nature's most effective educators.

Fine.

But the pain doesn't *hurt* the people who cause it.

See also: Tragedy of the Commons.

http://en.wikipedia.org/wiki/Tragedy_of_the_Commons if you didn't have
a better explanation handy.

Cheers,
-- jra


Re: Schneier: ISPs should bear security burden

2005-05-01 Thread Jay R. Ashworth

On Thu, Apr 28, 2005 at 08:03:57AM -0500, Olsen, Jason wrote:
  You must not have used it much in those 20 years. I can 
  definitely say worms, trojans, spam, phishing, ddos, and 
  other attacks is up several orders of magnitude in those 20 
  years. 
 
 The userbase has also increased by several orders of magnitude beyond
 that.
 
 1% bad traffic at 100 users: 1
 1% bad traffic at 1,000,000 users: 10,000

And this raises an absolutely excellent stand-alone point that seems to
me to be something that netops types should be keeping uppermost in
their minds:

When a problem gets big enough, it's a *different* problem,
not just a bigger problem.

An analogy to this (actually, a result of it) is the difference between
the office policies in a 5-person company and a 500-person one, or a
town of 10,000 and a city of 400,000.  

This seems to bear on almost everything I've seen said in this thread
(which is the award winner for the year so far...)

Cheers,
-- jra


Re: Schneier: ISPs should bear security burden

2005-05-01 Thread Jay R. Ashworth

On Thu, Apr 28, 2005 at 03:13:06PM -0700, Owen DeLong wrote:
 Your statement that their price point is lower is absurd.  It costs money
 to put filters in place.  It doesn't cost money to not filter, except to
 the extent that irresponsible actions which filtration would prevent are
 not blocked.  Therefore, any increased costs in unfiltered connections
 are the direct result of irresponsible use.  Absent irresponsible use,
 unfiltered connections will, by definition, cost less.

In this context, Owen, why isn't that a circular argument?

Cheers,
-- jra


Re: Schneier: ISPs should bear security burden

2005-05-01 Thread Jay R. Ashworth

On Thu, Apr 28, 2005 at 05:01:42PM -0500, John Dupuy wrote:
 If one is going to use the car analogy, then the ISP is the street, not the 
 car. The car is the user's computer or customer premise equipment. Streets 
 do not have airbags. (Though that is an interesting concept.) At best, 
 streets have features that influence safety & traffic such as stop signs 
 and guard rails, but even a well designed street does not actually prevent 
 car accidents or dictate what kind of person is riding in a car.

I disagree.

The street is the transit providers. 

Road Runner is the car. (Well, *bus*, actually :-).

If I put my kid on the bus, yes, I expect it to protect him.

Cheers,
-- jra


Re: Schneier: ISPs should bear security burden

2005-05-01 Thread Jay R. Ashworth

On Fri, Apr 29, 2005 at 02:07:17AM -0700, Dave Rand wrote:
 Dunno what a ton of ISP buy-in is, but the MAPS DUL now contains about
 190,000,000 entries.  We've been working on it very hard for the last year or
 two.  Most ISP-level subscribers figure it stops a pretty large percentage of
 the compromised-home-computer spam.

Ok, so here's a question for you, Dave:

do you have a procedure for entertaining requests to be excluded from
your replies from people with legitimate needs to operate MTA's, who
have been given (let us say) static addresses by their providers which
fall within a range you understand to be dialup?

(I'm assuming you include cable and DSL end-user address pools; this is
the sort of thing I'm asking about.)

Cheers,
-- jra


Re: Schneier: ISPs should bear security burden

2005-05-01 Thread Valdis . Kletnieks
On Sun, 01 May 2005 12:23:43 EDT, Jay R. Ashworth said:

 The street is the transit providers. 
 
 Road Runner is the car. (Well, *bus*, actually :-).
 
 If I put my kid on the bus, yes, I expect it to protect him.

Small but important correction here:

We expect the bus company to protect the passengers *while on the bus*.

I don't think *anybody* seriously expects the bus company to deny passage to
people who happen to be burglars using public transportation to get to their
next work site





Re: Schneier: ISPs should bear security burden

2005-05-01 Thread Dave Rand

[In the message entitled Re: Schneier: ISPs should bear security burden on 
May  1, 12:25, Jay R. Ashworth writes:]
 Ok, so here's a question for you, Dave:
 
 do you have a procedure for entertaining requests to be excluded from
 your replies from people with legitimate needs to operate MTA's, who
 have been given (let us say) static addresses by their providers which
 fall within a range you understand to be dialup?
 
 (I'm assuming you include cable and DSL end-user address pools; this is
 the sort of thing I'm asking about.)

Of course, Jay.

First off, static addresses don't belong on the DUL (unless the ISP
chooses to list them).  

Second, any address can be removed by the ISP (even if it is a /32 in
the middle of an otherwise all dynamic /16).  End-users are directed
to have their ISP contact us, as we *do not* take the end-users word
for it.

A quick note to [EMAIL PROTECTED] will get it handled.


-- 


Re: Schneier: ISPs should bear security burden

2005-05-01 Thread Valdis . Kletnieks
On Sun, 01 May 2005 21:23:11 +0200, Brad Knowles said:
 At 1:07 PM -0400 2005-05-01, [EMAIL PROTECTED] wrote:
 
   I don't think *anybody* seriously expects the bus company to deny passage to
   people who happen to be burglars using public transportation to get to their
   next work site
 
   If they're wearing Balaclavas, full body armor, and carrying 
 AK-47s, along with large sacks slung over their shoulders (either 
 full or empty), then yes -- I would expect the bus driver to do 
 everything he could to try to avoid picking them up.

But you see - that's because *those* passengers likely pose a threat to the
people *on the bus*.  The fun starts when you start making passengers turn out
their pockets and you try to figure out if that guy dressed like a mechanic
heading home from work has a piece of bent metal in his pocket - is it an Allen
wrench or a lockpick (note that many SQL-injection attacks *are* that level of
subtlety - so it's not an outrageous comparison), and figure out what their
intentions are once they get off the bus...

(And remember - the TSA is trying to go that route.  They now ban lighters
because somebody tried to light a shoe bomb with matches.  Is that how
you want to run your network? ;)




Re: Schneier: ISPs should bear security burden

2005-05-01 Thread Mark Andrews

In article [EMAIL PROTECTED] you write:

[In the message entitled Re: Schneier: ISPs should bear security
burden on May  1, 12:25, Jay R. Ashworth writes:]
 Ok, so here's a question for you, Dave:
 
 do you have a procedure for entertaining requests to be excluded from
 your replies from people with legitimate needs to operate MTA's, who
 have been given (let us say) static addresses by their providers which
 fall within a range you understand to be dialup?
 
 (I'm assuming you include cable and DSL end-user address pools; this is
 the sort of thing I'm asking about.)

Of course, Jay.

First off, static addresses don't belong on the DUL (unless the ISP
chooses to list them).  

Second, any address can be removed by the ISP (even if it is a /32 in
the middle of an otherwise all dynamic /16).  End-users are directed
to have their ISP contact us, as we *do not* take the end-users word
for it.

A quick note to [EMAIL PROTECTED] will get it handled.

Actually I think there are multiple classes in DUL.

1.  unfiltered addresses, dynamic
2.  unfiltered addresses, static
3.  ISP-filtered addresses, dynamic
4.  ISP-filtered addresses, static

Most people using DUL for blocking want to detect the
unfiltered addresses.  Filtered address space poses no more
risk than any space not on the DUL and may in fact pose less
risk, as you know that it requires a deliberate act by the ISP
to allow outgoing SMTP connections.

What's needed is two lists.  One for the unfiltered and a
second for the filtered addresses.  The second one can be
used as a white list for those who insist on using name-patterns
to block addresses.

We already have evidence in this thread of one person using DUL
as a white list.

By continuing to lump filtered and unfiltered addresses together
you are throwing out the baby with the bath water.

I don't see the need to distinguish between static and dynamic
addresses.  All address space can be classed as static / dynamic
depending upon the time frame the address use is measured over.

Mark
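As an added illustration (not code from anyone in the thread) of how a receiving MTA could act on the two points made above, Champeon's right-anchored naming conventions and Andrews' split of DUL space into ISP-filtered and unfiltered classes: the DUL table, the `.dsl.example.com` suffix, the 10.x/RFC 5737 client addresses and the client log are constructed for the example; the placeholder rDNS patterns are the ones quoted earlier in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for a DUL-style list, split into the four classes
# Mark Andrews describes: (network, ISP filters outbound SMTP, dynamic).
# No real DUL data is reproduced here.
SAMPLE_DUL = [
    ("192.0.2.0/24",     False, True),   # unfiltered, dynamic
    ("198.51.100.0/24",  True,  True),   # ISP-filtered, dynamic
    ("203.0.113.0/25",   False, False),  # unfiltered, static
    ("203.0.113.128/25", True,  False),  # ISP-filtered, static
]

# Right-anchored dynamic-pool suffixes of the kind Champeon prefers.
# The first is his example; the second is constructed.
DYNAMIC_SUFFIXES = (".dialup.dynamic.example.net", ".dsl.example.com")

# Placeholder rDNS names quoted in the thread: they say nothing about the
# host and are not evidence of a "supported static system".
PLACEHOLDER_RE = re.compile(
    r"^(localhost"
    r"|unassigned(-[\d.]+)?"
    r"|not-a-legal-address"
    r"|customer-reverse-entry\.[\d.]+"
    r"|suspended\.for\.aup\.violation"
    r"|nolonger\.a\.customer\..*"
    r"|.*\.has\.not\.owned\.this\.ip\..*"
    r"|\d+\.domain\.tld)$"
)


def normalize(rdns):
    """Lower-case a PTR name and drop the trailing dot that dig prints."""
    return rdns.rstrip(".").lower()


def dul_lookup(ip):
    """Return the DUL class of an address, or listed=False if it is not on the list."""
    addr = ipaddress.ip_address(ip)
    for net, isp_filtered, dynamic in SAMPLE_DUL:
        if addr in ipaddress.ip_network(net):
            return {"listed": True, "isp_filtered": isp_filtered, "dynamic": dynamic}
    return {"listed": False, "isp_filtered": False, "dynamic": False}


def classify_client(ip, rdns):
    """Decide accept/reject for an SMTP client from its IP and PTR name (None = no rDNS).

    Returns (verdict, reason). The DUL is consulted first: ISP-filtered space is
    used as a whitelist (it can only reach port 25 by a deliberate act of the
    ISP), unfiltered space is rejected, and the static/dynamic flag is ignored,
    as Andrews suggests. Unlisted clients fall through to the rDNS heuristics.
    """
    info = dul_lookup(ip)
    if info["listed"]:
        if info["isp_filtered"]:
            return ("accept", "dul-isp-filtered")
        return ("reject", "dul-unfiltered")
    if not rdns:
        return ("reject", "no-rdns")
    name = normalize(rdns)
    if PLACEHOLDER_RE.match(name):
        return ("reject", "placeholder-rdns")
    if name.endswith(DYNAMIC_SUFFIXES):
        return ("reject", "dynamic-naming")
    return ("accept", "ok")


def rdns_domain(rdns, labels=2):
    """Right-anchored summary of a PTR name: its last `labels` labels, e.g. 'comcast.net'."""
    parts = normalize(rdns).split(".")
    return ".".join(parts[-labels:])


def tally_rejections(events):
    """Count rejected clients per rDNS domain (the 'a third of my abuse comes from
    comcast.net' view, which consistent right-anchored naming makes cheap to get)."""
    counts = Counter()
    for ip, rdns in events:
        verdict, reason = classify_client(ip, rdns)
        if verdict != "reject":
            continue
        if reason == "no-rdns":
            counts["(no rdns)"] += 1
        elif reason == "placeholder-rdns":
            counts["(placeholder)"] += 1
        else:
            counts[rdns_domain(rdns)] += 1
    return dict(counts)


# Constructed SMTP client log: (client IP, PTR name or None).
SAMPLE_EVENTS = [
    ("192.0.2.10",    "ppp-12345.townname.dialup.example.com"),
    ("198.51.100.7",  "dyn-7.pool.example.org"),
    ("203.0.113.200", "mail.example.net"),
    ("203.0.113.5",   "host5.example.org"),
    ("10.1.1.1",      None),
    ("10.1.1.2",      "localhost."),
    ("10.1.1.3",      "unassigned-64.23.24.128"),
    ("10.1.1.4",      "pool-42.dialup.dynamic.example.net"),
    ("10.1.1.5",      "mx1.example.org"),
    ("10.1.1.6",      "cust-9.dsl.example.com"),
]

if __name__ == "__main__":
    for ip, rdns in SAMPLE_EVENTS:
        print(ip, rdns, *classify_client(ip, rdns))
    print(tally_rejections(SAMPLE_EVENTS))
```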


Re: Schneier: ISPs should bear security burden

2005-05-01 Thread Joe Maimon

Nicholas Suan wrote:
Suresh Ramasubramanian wrote:
On 4/30/05, Steven Champeon [EMAIL PROTECTED] wrote:

ANantes-106-1-5-107.w193-251.abo.wanadoo.fr
You'll see 'abo' for 'cable', perhaps? as well as 'cable'. But for most

abo = short for abonnement, that is, subscription / subscriber
Just means its a pool of IPs assigned to users, I guess.

What does the rest of the internet gain when all IPs have boilerplate 
reverse DNS setup for them, especially with all these wildly differing 
and wacky naming conventions?

Isn't it a much simpler world where simply having rDNS lends the 
assumption of a supported static system as opposed to none?


Re: Schneier: ISPs should bear security burden

2005-04-30 Thread Nicholas Suan
Suresh Ramasubramanian wrote:
On 4/30/05, Steven Champeon [EMAIL PROTECTED] wrote:

ANantes-106-1-5-107.w193-251.abo.wanadoo.fr
You'll see 'abo' for 'cable', perhaps? as well as 'cable'. But for most

abo = short for abonnement, that is, subscription / subscriber
Just means its a pool of IPs assigned to users, I guess.

Dunno. Don't have many examples of those, as I block most traffic from
there, and what I didn't block didn't often have rDNS anyway. The one
net.cn example I have, nova, named all of their rDNS with
user.nova.net.cn - yep, that's it - what every host is named.

And there's a Vietnamese ISP that was clever enough to give the same
rDNS - localhost - to all their IP space.  Don't know which one of
the three ISPs there does this, but as APNIC 20 is in Hanoi, I'll most
likely find that out for myself.

I was actually bored enough to figure that out one day:
[EMAIL PROTECTED] G]$ dig +short -x 203.160.1.66 -x 203.160.1.67 -x 
203.160.1.68  -x 203.160.1.69
localhost.
localhost.
localhost.
localhost.
[EMAIL PROTECTED] G]$ whois 203.160.1.66
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:  203.160.0.0 - 203.160.1.255
netname:  VNPT-VNNIC-VN
country:  VN
descr:Vietnam Posts and Telecommunications (VNPT)
descr:23 Phan Chu Trinh st., Hanoi capital, Vietnam
admin-c:  NXC1-AP
tech-c:   KNH1-AP
status:   ALLOCATED PORTABLE
changed:  [EMAIL PROTECTED] 20041011
mnt-by:   MAINT-VN-VNNIC
mnt-lower:MAINT-VN-VNPT
source:   APNIC


Re: Schneier: ISPs should bear security burden

2005-04-30 Thread Jay R. Ashworth

On Wed, Apr 27, 2005 at 03:07:47AM -0700, Owen DeLong wrote:
  Sound about right?
 No, not at all.
 
 I'm not advocating a wild west every man for himself, but, I think that
 solving end-node oriented problems at the transport layer is equally
 absurd.
 
 It's like expecting to be able to throw crude oil into a tanker at
 one end and demanding that the trucker deliver gasoline at the other.

Owen, I may be wrong... but it sounds to me like half the people in this
conversation are talking about things *the retail gas station ought to
do*, assuming that the people on the other side realize this, and the
other side is reacting as if the first group is advocating that
*refineries and pipeline operators* ought to be doing those things.

Certainly backbone ops shouldn't be doing this sort of filtering, and
if you're big enough and willing to pay enough, you ought to be able to
get a hose free of such filters.

But *what you're paying for* there is the right to pollute the commons,
and no, people paying $1/MB's for their Verizon FTTH connection
probably ought not to expect a raw unfiltered connection. 

It's not *just* about bandwidth...

Cheers,
-- jra


Re: Schneier: ISPs should bear security burden

2005-04-30 Thread Robert M. Enger



It's not a buck a meg.

15/2 service is about $45/month:

over $3/Mbps downstream
over $22/Mbps for the upstream


30/5 service is almost $200/month:

over   $6/Mbps downstream
about $40/Mbps for the upstream



There should be a little money in their model to
provide guidance and/or software to the consumer.
Hopefully enough to fund an aggressive abuse department.





At 05:34 PM 4/30/2005, you wrote:

On Wed, Apr 27, 2005 at 03:07:47AM -0700, Owen DeLong wrote:
  Sound about right?
 No, not at all.
 
 I'm not advocating a wild west every man for himself, but, I think that
 solving end-node oriented problems at the transport layer is equally
 absurd.
 
 It's like expecting to be able to throw crude oil into a tanker at
 one end and demanding that the trucker deliver gasoline at the other.

Owen, I may be wrong... but it sounds to me like half the people in this
conversation are talking about things *the retail gas station ought to
do*, assuming that the people on the other side realize this, and the
other side is reacting as if the first group is advocating that
*refineries and pipeline operators* ought to be doing those things.

Certainly backbone ops shouldn't be doing this sort of filtering, and
if you're big enough and willing to pay enough, you ought to be able to
get a hose free of such filters.

But *what you're paying for* there is the right to pollute the commons,
and no, people paying $1/MB's for their Verizon FTTH connection
probably ought not to expect a raw unfiltered connection. 

It's not *just* about bandwidth...

Cheers,
-- jra



Re: Schneier: ISPs should bear security burden

2005-04-30 Thread Suresh Ramasubramanian

On 4/27/05, Jerry Pasker [EMAIL PROTECTED] wrote:
 It means 10 different things to 10 different people.  The article was
 vague.  Security could mean blocking a few ports, simple Proxy/NAT,
 blocking port 25 (or 139... or 53.. heh heh) or a thousand different
 things.  There is a market for this, it's called managed services.

Speaking of port 25 blocking for end users [note: not for transit
feeds or raw pipes] - here's my take on it. 
http://www.circleid.com/article/1039_0_1_0_C/

--srs
-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: Schneier: ISPs should bear security burden

2005-04-29 Thread Dave Rand

[In the message entitled Re: Schneier: ISPs should bear security burden on 
Apr 28, 10:20, Steve Sobol writes:]
 There are some basic rules of thumb you can use. The problem is that they're
 not guaranteed to work. The best solution was created years ago (Gordon
 Fecyk's DUL, which lists IP ranges the ISPs specifically register as
 dynamic/not supposed to host servers) and eventually came under the purview of
 Kelkea/MAPS, but there wasn't a ton of ISP buy-in. If we could create a
 similar list and actually get ISPs to register the appropriate netblocks (and
 not mix in IPs where servers are allowed, and IPs where they aren't, in the
 same block), that'd be great.

Dunno what a ton of ISP buy-in is, but the MAPS DUL now contains about
190,000,000 entries.  We've been working on it very hard for the last year or
two.  Most ISP-level subscribers figure it stops a pretty large percentage of
the compromised-home-computer spam.

-- 


Re: Schneier: ISPs should bear security burden

2005-04-29 Thread Jay R. Ashworth

On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
 I think it's absurd.  I expect my water delivery company not to add
 pollutants in transit.  I expect my water production company to provide
 clean water.

Water delivery is unidirectional, otherwise water utilities would in fact
have to filter out bad things introduced by notional bad actors which
could cause other users problems and risks.

See tragedy of the commons.

Do I think *everyone* should do this sort of thing?  No. 

Do I think people should be regulated into doing it?  Well, my knee
jerk reaction is no... but it's a knee jerk reaction.

Do I think that people should, by and large, be able to assume that
they can treat the internet at large as a utility?  (At the T-1 and up
direct connect level, I mean)  Yeah, probably.

Does that require that consumer-level providers do some filtering...?

Yeah, probably.

Cheers,
-- jra


Re: Schneier: ISPs should bear security burden

2005-04-29 Thread Barry Shein


On April 28, 2005 at 09:09 [EMAIL PROTECTED] (Adi Linden) wrote:
   It's not up to the ISP to determine outbound malicious traffic, but it's up
   to the ISP to respond in a timely manner to complaints. Many (most?) do 
   not.
  
  If they did their support costs would explode. It is block the customer,
  educate the customer why they were blocked, exterminate the customer's PC,
  unblock the customer. No doubt there'll be a repeat of the same in short
  time.


This mantra is often repeated but their costs are going to explode
anyhow as the defensive blocking of them goes on, world-wide, and
their customers want to know why they can no longer send email or
browse in random, and ever-growing, chunks of IP space (and,
frustrated, find new providers.)

Only that situation is going to be much more expensive to fix since
it's others' IP space they'll need to get policy changes in, not their
own.

-Barry Shein

Software Tool & Die    | [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202| Login: 617-739-WRLD
The World  | Public Access Internet | Since 1989 *oo*



Re: Schneier: ISPs should bear security burden

2005-04-29 Thread Steven J. Sobol

On Fri, 29 Apr 2005, Dave Rand wrote:
 
 Dunno what a ton of ISP buy-in is, but the MAPS DUL now contains about
 190,000,000 entries.  We've been working on it very hard for the last year or
 two.  Most ISP-level subscribers figure it stops a pretty large percentage of
 the compromised-home-computer spam.

Well, that's it then: for the last year or two - I don't recall a lot of 
entries being on the DUL in its original incarnation. (Not for lack of 
trying.)

-- 
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / [EMAIL PROTECTED] / PGP: 0xE3AE35ED

The wisdom of a fool won't set you free   
--New Order, Bizarre Love Triangle



Re: Schneier: ISPs should bear security burden

2005-04-29 Thread Dave Rand

[In the message entitled Re: Schneier: ISPs should bear security burden on 
Apr 29, 17:23, Steven J. Sobol writes:]
 On Fri, 29 Apr 2005, Dave Rand wrote:
  
  Dunno what a ton of ISP buy-in is, but the MAPS DUL now contains about
  190,000,000 entries.  We've been working on it very hard for the last year or
  two.  Most ISP-level subscribers figure it stops a pretty large percentage of
  the compromised-home-computer spam.
 
 Well, that's it then: for the last year or two - I don't recall a lot of 
 entries being on the DUL in its original incarnation. (Not for lack of 
 trying.)


I'm sure there was more than one reason that it was not as large as it is
today.

Regardless, it's here, it's effective, and it is very widely used.  


-- 


RE: Schneier: ISPs should bear security burden

2005-04-29 Thread Miller, Mark

 Unfortunately, a lot of static business DSL IP space is still on
those lists and legitimate mail servers can get blocked.  I usually use
the DUL as a white list to negate hits on the traditional dnsbls since
those are almost always stale.

 - Mark



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Dave Rand
Sent: Friday, April 29, 2005 4:07 AM
To: Steve Sobol; Mark Newton
Cc: Owen DeLong; Bill Stewart; North American Networking and Offtopic
Gripes List
Subject: Re: Schneier: ISPs should bear security burden


[In the message entitled Re: Schneier: ISPs should bear security
burden on Apr 28, 10:20, Steve Sobol writes:]
 There are some basic rules of thumb you can use. The problem is that 
 they're not guaranteed to work. The best solution was created years 
 ago (Gordon Fecyk's DUL, which lists IP ranges the ISPs specifically 
 register as dynamic/not supposed to host servers) and eventually came 
 under the purview of Kelkea/MAPS, but there wasn't a ton of ISP 
 buy-in. If we could create a similar list and actually get ISPs to 
 register the appropriate netblocks (and not mix in IPs where servers 
 are allowed, and IPs where they aren't, in the same block), that'd be
great.

Dunno what a ton of ISP buy-in is, but the MAPS DUL now contains about
190,000,000 entries.  We've been working on it very hard for the last
year or two.  Most ISP-level subscribers figure it stops a pretty large
percentage of the compromised-home-computer spam.

-- 



RE: Schneier: ISPs should bear security burden

2005-04-29 Thread Steven J. Sobol

On Fri, 29 Apr 2005, Miller, Mark wrote:

 Unfortunately, a lot of static business DSL IP space is still on
 those lists and legitimate mail servers can get blocked.  I usually use
 the DUL as a white list to negate hits on the traditional dnsbls since
 those are almost always stale.

<assertion type="applies to USA, don't know about other countries">That's
because the ILECs, especially, don't feel the need to separate IPs on
which servers are allowed, and IPs on which they aren't. SBC is the worst
in this regard. No separation, no custom reverse DNS for DSL customers, no
way to be absolutely certain if sending mail from a specific IP is a
violation of SBC's TOS.</assertion>

I've noticed that you work for Qwest. If the people designing your network
DO have enough clue to separate IPs, bravo... but my experience is that
many ISPs, especially ILECs/RBOCs, don't.

-- 
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / [EMAIL PROTECTED] / PGP: 0xE3AE35ED

The wisdom of a fool won't set you free   
--New Order, Bizarre Love Triangle



RE: Schneier: ISPs should bear security burden

2005-04-29 Thread Miller, Mark

 Well, I have no influence on addressing here, so any comments are mine
alone.  A lot of addressing schemes were created in the day before there
was a huge issue with hostile dynamic addresses and the need to be able
to identify them.  Addressing assignments, of course, were (and still
are to a large part) driven by routing efficiency.

 - Mark

-Original Message-
From: Steven J. Sobol [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 29, 2005 4:40 PM
To: Miller, Mark
Cc: nanog@merit.edu
Subject: RE: Schneier: ISPs should bear security burden

On Fri, 29 Apr 2005, Miller, Mark wrote:

 Unfortunately, a lot of static business DSL IP space is still on 
 those lists and legitimate mail servers can get blocked.  I usually 
 use the DUL as a white list to negate hits on the traditional dnsbls

 since those are almost always stale.

<assertion type="applies to USA, don't know about other countries">
That's because the ILECs, especially, don't feel the need to separate
IPs on which servers are allowed, and IPs on which they aren't. SBC is
the worst in this regard. No separation, no custom reverse DNS for DSL
customers, no way to be absolutely certain if sending mail from a
specific IP is a violation of SBC's TOS.</assertion>

I've noticed that you work for Qwest. If the people designing your
network DO have enough clue to separate IPs, bravo... but my experience
is that many ISPs, especially ILECs/RBOCs, don't.

--
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET
(4638) Steven J. Sobol, Geek In Charge / [EMAIL PROTECTED] / PGP:
0xE3AE35ED

The wisdom of a fool won't set you free   
--New Order, Bizarre Love Triangle



Re: Schneier: ISPs should bear security burden

2005-04-29 Thread Mark Andrews

In article [EMAIL PROTECTED] you write:

On Fri, 29 Apr 2005, Miller, Mark wrote:

 Unfortunately, a lot of static business DSL IP space is still on
 those lists and legitimate mail servers can get blocked.  I usually use
 the DUL as a white list to negate hits on the traditional dnsbls since
 those are almost always stale.

<assertion type="applies to USA, don't know about other countries">That's
because the ILECs, especially, don't feel the need to separate IPs on
which servers are allowed, and IPs on which they aren't. SBC is the worst
in this regard. No separation, no custom reverse DNS for DSL customers, no
way to be absolutely certain if sending mail from a specific IP is a
violation of SBC's TOS.</assertion>

I've noticed that you work for Qwest. If the people designing your network
DO have enough clue to separate IPs, bravo... but my experience is that
many ISPs, especially ILECs/RBOCs, don't.

-- 
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / [EMAIL PROTECTED] / PGP: 0xE3AE35ED

The wisdom of a fool won't set you free   
--New Order, Bizarre Love Triangle


Well OptusNet's cable ranges are in the DUL despite OptusNet
filtering outbound 25 by default.  You can get port 25
outbound opened on request but it doesn't do you any good
when you are listed in the DUL.

It doesn't matter if the address belongs to a business or
a residential user.  Everyone has the right to send email
directly.

As far as I can see the only reason for DUL existing is
that ISPs are too slow at reacting to abuse reports and /
or fail to send messages to say what action they took.
People got fed up with [EMAIL PROTECTED] being a blackhole from which
they, if they were lucky, got an automatic acknowledgement
of the messages.

In the end people reacted the way you would expect them to
react when they perceive that they are being ignored.  They
stopped reporting and turned to other means (DUL, SpamAssassin,
etc.).

Mark


RE: Schneier: ISPs should bear security burden

2005-04-29 Thread Dave Rand

[In the message entitled RE: Schneier: ISPs should bear security burden on 
Apr 29, 15:32, Miller, Mark writes:]
 
  Unfortunately, a lot of static business DSL IP space is still on
 those lists and legitimate mail servers can get blocked.  I usually use
 the DUL as a white list to negate hits on the traditional dnsbls since
 those are almost always stale.
 

We have worked very hard with the ISPs to ensure that legitimate static space
isn't on the lists.  We also do extensive amounts of work to ensure that
isn't the case.

You may be thinking of some other list, not the DUL.


-- 


Re: Schneier: ISPs should bear security burden

2005-04-29 Thread Suresh Ramasubramanian

On 4/30/05, Steven Champeon [EMAIL PROTECTED] wrote:

 ANantes-106-1-5-107.w193-251.abo.wanadoo.fr
 
 You'll see 'abo' for 'cable', perhaps? as well as 'cable'. But for most

abo = short for abonnement, that is, subscription / subscriber
Just means it's a pool of IPs assigned to users, I guess.

 Dunno. Don't have many examples of those, as I block most traffic from
 there, and what I didn't block didn't often have rDNS anyway. The one
 net.cn example I have, nova, named all of their rDNS with
 user.nova.net.cn - yep, that's it - what every host is named.

And there's a Vietnamese ISP that was clever enough to give the same
rDNS - localhost - to all their IP space.  Don't know which one of
the three ISPs there does this, but as APNIC 20 is in Hanoi, I'll most
likely find that out for myself.

 FPT Viet Nam uses 'adsl-pool-xxx', 'adsl-fix-xxx', and 'dialup-xxx' (yes,
 the x's are part of the actual name, not a placeholder for the numbers).

So it's not FPT Vietnam, but one of the two other ISPs there

 'bredband'. The Japanese use 'flets' and 'ftth', the Dutch and others

ftth = fiber to the home.  flets is also some kind of fiber.

--srs
-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: Schneier: ISPs should bear security burden

2005-04-29 Thread Steven Champeon

on Sat, Apr 30, 2005 at 07:41:34AM +0530, Suresh Ramasubramanian wrote:
 
 On 4/30/05, Steven Champeon [EMAIL PROTECTED] wrote:
 
  ANantes-106-1-5-107.w193-251.abo.wanadoo.fr
  
  You'll see 'abo' for 'cable', perhaps? as well as 'cable'. But for most
 
 abo = short for abonnement, that is, subscription / subscriber
 Just means it's a pool of IPs assigned to users, I guess.

Yes, Romain Komorn was kind enough to tell me this offlist. Thanks.
 
  Dunno. Don't have many examples of those, as I block most traffic from
  there, and what I didn't block didn't often have rDNS anyway. The one
  net.cn example I have, nova, named all of their rDNS with
  user.nova.net.cn - yep, that's it - what every host is named.
 
 And there's a Vietnamese ISP that was clever enough to give the same
 rDNS - localhost - to all their IP space.  Don't know which one of
 the three ISPs there does this, but as APNIC 20 is in Hanoi, I'll most
 likely find that out for myself.

Yep - got a rule to block stuff from them and everyone else who does
something that stupid, too.
 
  FPT Viet Nam uses 'adsl-pool-xxx', 'adsl-fix-xxx', and 'dialup-xxx' (yes,
  the x's are part of the actual name, not a placeholder for the numbers).
 
 So it's not FPT Vietnam, but one of the two other ISPs there

They may use it, too. I dunno. It's not reliable to assume that any one
given network always has the same rDNS naming conventions.
 
  'bredband'. The Japanese use 'flets' and 'ftth', the Dutch and others
 
 ftth = fiber to the home.  flets is also some kind of fiber.

infoweb.ne.jp uses ftth, as does solcon.nl, onsnet.nu, and a few US ISPs,
such as brightohio.net, cvalley.net, and surewest.net. nmt.ne.jp uses flets,
as does across.or.jp, netwave.or.jp, dsn.jp, alpha-net.ne.jp (which also
apparently uses bflets), and incl.ne.jp. Google suggests others do, too,
but they haven't come across my radar yet, or don't use it in rDNS naming.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Steven J. Sobol

On Wed, 27 Apr 2005, Owen DeLong wrote:

 
  What's rDNS for the ip address(es) assigned to you?
 
 I don't know about him, but, on my ADSL connection, it is controlled
 by my nameservers:
 
 ;; ANSWER SECTION:
 10.159.192.in-addr.arpa. 86400  IN  NS  ns.rop.edu.
 10.159.192.in-addr.arpa. 86400  IN  NS  ns.delong.sj.ca.us.
 
 Who are you to decide that there is no damage to blocking residential
 customers?  I'm a residential customer, but, I have a number of
 servers running, and, a port 25 block would be very destructive to
 the operation of my mailserver.

Ah, but *you* wouldn't get blocked. You maintain your own rDNS and 
presumably have enough clue to not make the rDNS look like a pool of 
dynamic residential IPs that aren't terribly important. To wit:

[EMAIL PROTECTED]: ~ $host 192.159.10.1
1.10.159.192.in-addr.arpa domain name pointer ns.delong.sj.ca.us.

[EMAIL PROTECTED]: ~ $host 192.159.10.2
2.10.159.192.in-addr.arpa domain name pointer owen.delong.sj.ca.us.

[EMAIL PROTECTED]: ~ $host 192.159.10.8
8.10.159.192.in-addr.arpa domain name pointer www.diagnostix.com.

Those are OBVIOUSLY not hostnames that comply with de-facto standards for
dynamically assigned dialup and broadband pools like

ip-192-168-0-1.AppleValleyCA.BigDSLProvider.net 

or

port1.as29.phoenix.DialupFarm.com

(for example). 

The idea is that your ISP should either allow you to run your own DNS or 
give you DNS that doesn't look like something out of a big pool of 
addresses, which makes it much, MUCH easier to decide what to block and 
what not to block. Any IP that a provider allows servers on should have 
distinctive, non-dynamic-looking DNS (and preferably be in a separate 
netblock from the dynamically-assigned IPs).

That way you can be reasonably sure that you're not blocking someone whose 
ISP has allowed them to run servers.

(Some providers are much better than others at doing this kind of 
thing...)

 Why should an ISP decide what a residential
 customer can or can't do with their internet connection.  (This is not
 an advocation for abandoning TOS or allowing abuse.  I am talking about
 within the confines of legitimate internet use, such as hosting a web
 site (or even several), running nameservers, mail server(s), etc.)

Your ISP, or the provider of the person deciding whether to block you?

Is there anything wrong with an ISP saying you can't run servers on 
certain types of Internet connection?

-- 
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / [EMAIL PROTECTED] / PGP: 0xE3AE35ED

The wisdom of a fool won't set you free   
--New Order, Bizarre Love Triangle




Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Owen DeLong

 Ah, but *you* wouldn't get blocked. You maintain your own rDNS and
 presumably have enough clue to not make the rDNS look like a pool of
 dynamic residential IPs that aren't terribly important. To wit:

Um, that's not what I thought this discussion was about.  I thought this
discussion was about ISPs that are blocking things like my going out to
port 25 on various random hosts (something mailhost.delong.com does on
a regular basis, as does owen.delong.com, both of which are mail relay
machines, neither of which is an open relay).

 Those are OBVIOUSLY not hostnames that comply with de-facto standards for
 dynamically assigned dialup and broadband pools like

I would hope not.  I've put lots of work into naming my hosts. :-)

 The idea is that your ISP should either allow you to run your own DNS or
 give you DNS that doesn't look like something out of a big pool of
 addresses, which makes it much, MUCH easier to decide what to block and
 what not to block. Any IP that a provider allows servers on should have
 distinctive, non-dynamic-looking DNS (and preferably be in a separate
 netblock from the dynamically-assigned IPs).

Again, we're talking about apples and oranges.  You're talking about some
other ISP blocking based on rDNS.  I'm talking about my ISP blocking based
on ports.  What other ISPs block is between them and their customers.  Yes,
sometimes it's annoying, but, it's really between them and their customers,
so, little I can do.

What I'm saying is I don't want an ISP that blocks my ports in either
direction by default.  However, I am a residential ADSL customer using
a UNI.

 That way you can be reasonably sure that you're not blocking someone
 whose ISP has allowed them to run servers.

Generally, until someone abuses my network, I don't block anyone trying to
get to any of the ports on which I choose to offer services.

  Why should an ISP decide what a residential
  customer can or can't do with their internet connection.  (This is not
  an advocation for abandoning TOS or allowing abuse.  I am talking about
  within the confines of legitimate internet use, such as hosting a web
  site (or even several), running nameservers, mail server(s), etc.)

 Your ISP, or the provider of the person deciding whether to block you?

Either.

 Is there anything wrong with an ISP saying you can't run servers on
 certain types of Internet connection?

Yes.

I can see the ISP saying "You're not allowed to push more than X bandwidth
on certain types of connections."  I can even see them being unwilling to
provide a static IP.  However, telling me what I can or can't use the
bandwidth for is absurd.  What difference does it make to the ISP which
side initiated the TCP connection or sent the first UDP datagram in a
given flow?

Owen




Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Mark Newton

On Thu, Apr 28, 2005 at 02:16:36AM -0400, Steven J. Sobol wrote:

  Any IP that a provider allows servers on should have 
  distinctive, non-dynamic-looking DNS (and preferably be in a separate 
  netblock from the dynamically-assigned IPs).

What the hell is a non-dynamic-looking DNS?  Sure, if I see something
like static-192-168-1-1.isp.net I can be reasonably sure that it's
non-dynamic-looking, but what does the same thing look like in 
Portuguese?  German?  Spanish?  French?  (Korean?  Chinese?)

Just wait'll we start getting unicode DNS names in non-English alphabets.
Perhaps then you can tell what to look for in a string of Kanji symbols
which might be suggestive of the concept of static.

  - mark

-- 
Mark Newton   Email:  [EMAIL PROTECTED] (W)
Network Engineer  Email:  [EMAIL PROTECTED]  (H)
Internode Systems Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Iljitsch van Beijnum

On 27-apr-2005, at 20:08, Dan Hollis wrote:

 I can definitely say worms, trojans, spam, phishing, ddos, and other
 attacks is up several orders of magnitude in those 20 years. Malicious
 packets now account for a significant percentage of all ip traffic.
 Eventually I expect malicious packets will outnumber legitimate packets,
 just like malicious email outnumbers legitimate email today.

 As long as the environmental polluter model continues to be championed
 and promoted on nanog (of all places), the problem will only get worse.

The problem is that the maliciousness of packets or email is largely in
the eye of the beholder. How do you propose ISPs determine which packets
the receiver wants to receive, and which they don't want to receive? (At
Mpps rates, of course.)

This whole discussion is a clear example of the fallacy of treating
security as an independent entity, rather than an aspect of other things.

There are many ISPs that do less than they should, though. (Allow spoofed
sources, don't do anything against hosts that are reported to send clearly
abusive traffic, sometimes even at DoS rates...)



Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Dan Hollis

On Thu, 28 Apr 2005, Iljitsch van Beijnum wrote:
 The problem is that the maliciousness of packets or email is largely  
 in the eye of the beholder. How do you propose ISPs determine which  
 packets the receiver wants to receive, and which they don't want to  
 receive? (At Mpps rates, of course.)

It's not up to the ISP to determine outbound malicious traffic, but it's up 
to the ISP to respond in a timely manner to complaints. Many (most?) do not.

 There are many ISPs that do less than they should, though. (Allow  
 spoofed sources, don't do anything against hosts that are reported to  
 send clearly abusive traffic, sometimes even at DoS rates...)

This is what I mean by the environmental polluter model. Providers who 
continually spew sewage and do nothing to shut off attackers under their 
domain despite repeated pleas from victims.

A paper by Jeffrey Race - http://www.camblab.com/nugget/spam_03.pdf -
was written about the spam problem, but touches on fraud and other 
malicious activity. The general attitude in the paper regarding providers' 
responses to spam complaints also applies to ddos and other attacks. It's 
also interesting to note where Mr. Ebbers is today.

Has the situation gotten better? Maybe at uunet it has since Mr. Ebbers' 
departure, but most other places it appears to only have gotten worse[1]. 

Bigpond let things get so out of hand that their own network began to 
crumble, which is the only time I can think of in recent history that 
they've ever taken action to disconnect zombies. You can be certain the 
victims on the receiving end of bigpond's zombied customers have little 
sympathy for bigpond's situation. Remember, this is the ISP whose abuse@ 
box auto-deleted complaints for unacceptable language. When you're so 
bad that AOL has to block you[2], you should probably consider cleaning 
up your network.

Sadly these official policies of 'do nothing' come from the top, so 
engineers and administrators who are in a position to actually take action 
against blatant network abuse are explicitly forbidden to take 
any action.

So the real question seems to be how to effectively apply a cluebat to 
CEOs to get a reasonable abuse policy enforced. Nanog can host all the 
meetings it wants and members can write all the RFCs they want, but until 
attitudes change at the top, nobody will be allowed to do anything at the 
bottom.

-Dan

[1] http://sucs.org/~sits/articles/ntl_dont_care/
[2] http://www.smh.com.au/articles/2003/04/29/1051381931239.html?oneclick=true



RE: Schneier: ISPs should bear security burden

2005-04-28 Thread Olsen, Jason


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Dan Hollis
 To: Owen DeLong
 Subject: Re: Schneier: ISPs should bear security burden
 
 You must not have used it much in those 20 years. I can 
 definitely say worms, trojans, spam, phishing, ddos, and 
 other attacks is up several orders of magnitude in those 20 
 years. 

The userbase has also increased by several orders of magnitude beyond
that.

1% bad traffic at 100 users: 1
1% bad traffic at 1,000,000 users: 10,000

-JFO



Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden

 Hey, if you've got customers willing to shell out for that, then more
 power to you.  However, I'm not (and won't be) one of those customers.
 I'm willing to take responsibility for protecting my systems and choosing
 what traffic I do and don't want.  I don't want someone else doing it
 for me.

Hmmm... when you're driving on a public street there is certain safety
equipment you are required to have and use. You're paying more for your
vehicle because of seatbelts, airbags and all the other things that are
supposed to lessen the impact of an accident. Even if you're an expert
driver, you don't have the privilege of not paying for these features.

Adi


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden

 As somebody who picked a DSL provider specifically because it allows me to
 run any kind of server I want, I'm not highly in favor of blocking
 traffic from broadband users and killing the end-to-end principle that
 makes the Internet work,

When I sign up for an internet account, does the fine print say that I am
to accept all garbage pouring out of the RJ-45...? Why should it be the
recipient's job to filter all incoming traffic?

When my PC grabs an IP address, I'd expect to see zero traffic from the
world unless I make a request for content. Only then should I see traffic
and only the content I requested.

Adi


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Iljitsch van Beijnum

On 28-apr-2005, at 15:53, Adi Linden wrote:

  Hey, if you've got customers willing to shell out for that, then more
  power to you.  However, I'm not (and won't be) one of those customers.
  I'm willing to take responsibility for protecting my systems and
  choosing what traffic I do and don't want.  I don't want someone else
  doing it for me.

 Hmmm... when you're driving on a public street there is certain safety
 equipment you are required to have and use. You're paying more for your
 vehicle because of seatbelts, airbags and all the other things that are
 supposed to lessen the impact of an accident. Even if you're an expert
 driver, you don't have the privilege of not paying for these features.

And how exactly does that translate to the online world?

Despite the safety and environmental regulations and the fact that you
have to have a driver's license and insurance (at least here in NL),
there is no requirement that your locks are industrial strength.  Or that
your car can be locked at all, for that matter.

The fact that a compromised computer doesn't really hurt you all that
much in the real world is exactly the reason why so many users don't care
about security. When driving a car they at least have to be drunk to
reach that level of carelessness.


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Iljitsch van Beijnum

On 28-apr-2005, at 16:01, Adi Linden wrote:

 When I sign up for an internet account, does the fine print say that I
 am to accept all garbage pouring out of the RJ-45...? Why should it be
 the recipient's job to filter all incoming traffic?

Because by definition the recipient is the party who receives
something...

And what about garbage pouring out of RJ-11 sockets?

 When my PC grabs an IP address, I'd expect to see zero traffic from the
 world unless I make a request for content. Only then should I see
 traffic and only the content I requested.

So how do I obtain your permission to send you a packet?

And where in the packet does it show that the packet comes from someone
who has said permission?


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden

 And how exactly does that translate to the online world?

It doesn't. There is little or no punishment for lawlessness and
misbehaviour in the online world.

 Despite the safety and environmental regulations and the fact that
 you have to have a driver's license and insurance (at least here in
 NL), there is no requirement that your locks are industrial strength.
 Or that your car can be locked at all, for that matter.

There is a clear understanding of right and wrong in the general
population. There is law enforcement and meaningful punishment for
crooks and thieves. In the online world I have no recourse against anyone
compromising my computer.

 The fact that a compromised computer doesn't really hurt you all that
 much in the real world is exactly the reason why so many users don't
 care about security. When driving a car they at least have to be
 drunk to reach that level of carelessness.

The fact is that in the online world the abuser is laughing while the
abused is left to clean up the damage. Because a compromised computer
doesn't really hurt, most do not even know that they are a victim.

Adi


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Adi Linden

 And what about garbage pouring out of RJ-11 sockets?

Hmmm... so because we have garbage coming out of the RJ-11 we might as
well have garbage coming out of the RJ-45, too? 4 wires vs. 8 wires,
twice the garbage out of the RJ-45.

 So how do I obtain your permission to send you a packet?

By replying to my request.

 And where in the packet does it show that the packet comes from
 someone who has said permission?

The packet only exists if it is in response to my request. Keep in mind
that I am talking about enduser PC here.

Adi


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Steve Sobol

Mark Newton [EMAIL PROTECTED] wrote:

 On Thu, Apr 28, 2005 at 02:16:36AM -0400, Steven J. Sobol wrote:
 
   Any IP that a provider allows servers on should have 
   distinctive, non-dynamic-looking DNS (and preferably be in a separate 
   netblock from the dynamically-assigned IPs).
 
 What the hell is a non-dynamic-looking DNS?  Sure, if I see something
 like static-192-168-1-1.isp.net I can be reasonably sure that it's
 non-dynamic-looking, but what does the same thing look like in 
 Portuguese?  German?  Spanish?  French?  (Korean?  Chinese?)

France Telecom has a reasonably easy-to-understand naming scheme that ends in
POP-Location.wanadoo.fr.

Deutsche Telekom has an equally easy-to-understand scheme that ends in  
dip.t-dialin.de (for their German dialups, anyhow).


 Just wait'll we start getting unicode DNS names in non-English alphabets.
 Perhaps then you can tell what to look for in a string of Kanji symbols
 which might be suggestive of the concept of static.

There are some basic rules of thumb you can use. The problem is that they're
not guaranteed to work. The best solution was created years ago (Gordon
Fecyk's DUL, which lists IP ranges the ISPs specifically register as
dynamic/not supposed to host servers) and eventually came under the purview of
Kelkea/MAPS, but there wasn't a ton of ISP buy-in. If we could create a
similar list and actually get ISPs to register the appropriate netblocks (and
not mix in IPs where servers are allowed, and IPs where they aren't, in the
same block), that'd be great.

--
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / [EMAIL PROTECTED] / PGP: 0xE3AE35ED

The wisdom of a fool won't set you free
--New Order, Bizarre Love Triangle





Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Valdis . Kletnieks
On Thu, 28 Apr 2005 16:10:54 +0200, Iljitsch van Beijnum said:
 And where in the packet does it show that the packet comes from  
 someone who has said permission?

Well, if you didn't have permission, you're probably up to no good
and should be setting the appropriate bits as per RFC3514





Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Valdis . Kletnieks
On Thu, 28 Apr 2005 16:38:00 +0930, Mark Newton said:

 Just wait'll we start getting unicode DNS names in non-English alphabets.
 Perhaps then you can tell what to look for in a string of Kanji symbols
 which might be suggestive of the concept of static.

We may not even have to wait that long, as it appears to be in the pipe 
already

http://www.i-dns.net/newsroom/news/GE050301-01.html





Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Valdis . Kletnieks
On Thu, 28 Apr 2005 09:01:26 CDT, Adi Linden said:

 When my PC grabs an IP address, I'd expect to see zero traffic from the
 world unless I make a request for content. Only then should I see traffic
 and only the content I requested.

Remember - the RST packet is there so you can tell the other end that they're
trying to talk to a connection that isn't there - often due to the connection
having been with the *previous* machine using that IP address




Re: Schneier: ISPs should bear security burden

2005-04-28 Thread James Baldwin

On 27 Apr 2005, at 17:51, Pakojo Samm wrote:

 Give me a *clear* unobstructed line (that stays up) at
 the cheapest price please.

Your attitude is very much the norm, however your requirements on 
connectivity are more stringent. All customers want unobstructed access 
and, we as an ISP, want to provide it. Obstructions to service, 
regardless of fault or utility, generate call volume. The vast majority 
of subscribers, measured in millions, are not obstructed by filtered 
internet services. Subscribers do not understand the benefits of 
complete end-to-end connectivity nor do they perceive filtered 
connections as less valuable than other services.

For those subscribers who do notice these obstructions, we offer more 
robust connections at a different price point. The reasoning is simple: 
in order to provide the best connectivity possible, measured by least 
obstructions perceived by the user at the lowest price point, at the 
highest margin possible we need to relocate the operating cost to the 
appropriate party. Providing all users with unfiltered transit 
increases our operating expense without providing the customer with any 
added benefit. Providing a subset of users with unfiltered transit when 
necessary pushes that expense onto the users requesting additional 
service.

As you said, customers desire the cheapest stable connection they can 
locate. Value added services aid in retention when cheaper rates are 
offered by competitors and we are not willing to match that price 
point. Subscribers are willing to pay more for connectivity instead of 
incurring the cost of replacing their email address, their ISP 
associated software, etc.

On 28 Apr 2005, at 00:55, Owen DeLong wrote:
 Who are you to decide that there is no damage to blocking residential
 customers?
The customer makes the decision when they subscribe to a service 
whether or not filtered service will meet their needs. Who are you to 
decide that unfiltered service is required to meet the needs of all 
customers?

 Why should an ISP decide what a residential
 customer can or can't do with their internet connection.
The service provider should be able to decide what services they wish 
to offer. If a provider of any service chooses to differentiate 
services based on utility and the customer is made aware of these 
characteristics, how is this in any way unfair? If your objection is 
that, in single provider markets, it may not be financially viable to 
obtain your desired service level (i.e. the local cable provider does not 
offer unfiltered connectivity and there are no other residential high 
bandwidth options available) then I suggest you encourage diversity in 
the marketplace.

You are not entitled to unfiltered internet connectivity. If you want 
to be entitled to unfiltered internet connectivity then petition your 
local government to make transit a privatized utility with all the 
government oversight and bureaucracy that entails.
---
James Baldwin
hkp://pgp.mit.edu/[EMAIL PROTECTED]
Syntactic sugar causes cancer of the semicolon.




Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Iljitsch van Beijnum
On 28-apr-2005, at 16:21, Adi Linden wrote:
So how do I obtain your permission to send you a packet?

By replying to my request.
So ask your ISP to NAT you. (Most people do this themselves but you 
seem to feel filtering out unwanted packets isn't something you want 
to do.) You won't receive any packets that aren't responses to your 
request, so you'll be very happy that way.

Of course you can't use VoIP reliably or engage in other peer-to-peer  
protocols with others who feel the same way.

And where in the packet does it show that the packet comes from
someone who has said permission?

The packet only exists if it is in response to my request. Keep in 
mind that I am talking about an end-user PC here.
I guess there are people who are happy with always being the  
requester and never being the requestee... Fortunately that isn't  
true for the entire population.


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Petri Helenius
Adi Linden wrote:
It's not up to the ISP to determine outbound malicious traffic, but it's up
to the ISP to respond in a timely manner to complaints. Many (most?) do not.


If they did their support costs would explode. It is: block the customer,
educate the customer why they were blocked, exterminate the customer's PC,
unblock the customer. No doubt there'll be a repeat of the same in short
time.


This is actually the opposite. (though I'm biased) But the support costs 
will decrease because you'll get fewer complaints inbound and fewer 
customers complaining about slow connections because their PCs are 
filling them with junk.

Pete


RE: Schneier: ISPs should bear security burden

2005-04-28 Thread Owen DeLong
Correct... Measuring reliability in terms of what's around that isn't
success is not a valid method of measurement.  One must measure the success rate.

Does anyone really believe that they are more likely to encounter a timeout
or connection drop today than 5, 10, 15, or even 20 years ago?

I think not.  Generally, when you click on a valid link, you get the page.
Sometimes servers are slow, but, rarely do you run into network issues
these days.  Sure, they still occur, but, they are much less frequent
than they used to be.

Owen




Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Owen DeLong
 Hmmm... when you're driving on a public street there is certain safety
 equipment you are required to have and use. You're paying more for your
 vehicle because of seatbelts, airbags and all the other things that are
 supposed to lessen the impact of an accident. Even if you're an expert
 driver, you don't have the privilege of not paying for these features.

This simply isn't true.  You can purchase a vehicle without any of those
devices.  Sure, it restricts you to older vehicles, but, they are still
available.  Additionally, if you so choose, you can build your own vehicle
without those devices.  There are exemptions in most of the laws for
vehicles manufactured without them.

Owen



-- 
If it wasn't crypto-signed, it probably didn't come from me.




Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Owen DeLong
 When I sign up for an internet account, does the fine print say that I am
 to accept all garbage pouring out of the RJ-45...? Why should it be the
 recipients job to filter all incoming traffic?
 
No... You should, for an appropriate fee, be able to find an ISP that will
filter whatever you request them to filter.  My point is that I oppose
filtration by default.

 When my PC grabs an IP address, I'd expect to see zero traffic from the
 world unless I make a request for content. Only then should I see traffic
 and only the content I requested.

So, when you take a ride on the subway, you expect not to be exposed to
any random germs floating about in the atmosphere?  You live in a very
interesting world.

Owen


-- 
If it wasn't crypto-signed, it probably didn't come from me.




Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Owen DeLong
 
 If they did their support costs would explode. It is block the customer,
 educate the customer why they were blocked, exterminate the customers PC,
 unblock the customer. No doubt there'll be a repeat of the same in short
 time.

On a cost basis, it should be:

+   block the customer
+   Explain to the customer why they were blocked

Customer should be responsible for getting their PC exterminated, although
enterprising ISPs could offer this service for a fee.  Finally, it would not
be unreasonable to impose a reconnect fee.  For that matter, if ISPs wrote
contracts appropriately, there could be a disconnect fee for abuse as well.

Owen



-- 
If it wasn't crypto-signed, it probably didn't come from me.




Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Owen DeLong
 On 28 Apr 2005, at 00:55, Owen DeLong wrote:
 
 Who are you to decide that there is no damage to blocking residential
 customers?
 
 The customer makes the decision when they subscribe to a service whether
 or not filtered service will meet their needs. Who are you to decide that
 unfiltered service is required to meet the needs of all customers?
 
I never said they did.  I simply said ISPs shouldn't decide this for their
customers, as some do.

 Why should an ISP decide what a residential
 customer can or can't do with their internet connection.
 
 The service provider should be able to decide what services they wish to
 offer. If a provider of any service chooses to differentiate services
 based on utility and the customer is made aware of these characteristics,
 how is this in any way unfair? If your objection is that, in single
 provider markets, it may not be financially viable to obtain your desired
 service level (i.e. the local cable provider does not offer unfiltered
 connectivity and there are no other residential high bandwidth options
 available) then I suggest you encourage diversity in the marketplace.
 
I do encourage diversity in the market place.  However, that doesn't
necessarily change the current reality.

 You are not entitled to unfiltered internet connectivity. If you want to
 be entitled to unfiltered internet connectivity then petition your local
 government to make transit a privatized utility with all the government
 oversight and bureaucracy that entails.

In some locations, that is becoming the case.  I'm not sure that's
necessarily
such a bad idea.  I'd rather encourage providers to do the right thing
without
the extra overhead, however.

Owen

 ---
 James Baldwin
 hkp://pgp.mit.edu/[EMAIL PROTECTED]
 Syntactic sugar causes cancer of the semicolon.



-- 
If it wasn't crypto-signed, it probably didn't come from me.




Re: Schneier: ISPs should bear security burden

2005-04-28 Thread John Dupuy
At 04:17 PM 4/28/2005, you wrote:
 Hmmm... when you're driving on a public street there is certain safety
 equipment you are required to have and use. You're paying more for your
 vehicle because of seatbelts, airbags and all the other things that are
 supposed to lessen the impact of an accident. Even if you're an expert
 driver, you don't have the privilege of not paying for these features.
This simply isn't true.  You can purchase a vehicle without any of those
devices.  Sure, it restricts you to older vehicles, but, they are still
available.  Additionally, if you so choose, you can build your own vehicle
without those devices.  There are exemptions in most of the laws for
vehicles manufactured without them.
Owen
If one is going to use the car analogy, then the ISP is the street, not the 
car. The car is the user's computer or customer premise equipment. Streets 
do not have airbags. (Though that is an interesting concept.) At best, 
streets have features that influence safety and traffic such as stop signs 
and guard rails, but even a well designed street does not actually prevent 
car accidents or dictate what kind of person is riding in a car.

But this analogy breaks down on so many levels, so I recommend not using 
it. The street system is a government controlled monopoly and...well let's 
not use this analogy.

John 



Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Owen DeLong


--On Thursday, April 28, 2005 12:18 PM -0400 James Baldwin
[EMAIL PROTECTED] wrote:

 On 28 Apr 2005, at 11:51, [EMAIL PROTECTED] wrote:
 
 It would seem that relocating the costs of doing extra (filtering, etc)
 *should* be passed on to the people who necessitated the extra 
 handling by
 running software that needs extra protection.  As it stands, you're 
 charging
 the people who (in general) aren't the problem more for you *not* to do
 something...
 
 Extra in the sense of this statement is incorrect. If filtered
 connectivity is the norm in our environment, then I would be charging
 people who require unfiltered access more to make an exception for them
 and allow them more flexible connectivity. Exceptions, even in the form
 of removing restrictions, are something.
 
No, it isn't.  The fact that filtered is becoming the norm is what
many of us are taking exception to.  I shouldn't have to pay extra
for unfiltered internet just because the majority of your customers
are too ignorant to correctly deal with it.  Fortunately for me,
as long as there are ISPs that don't see the world your way, I won't
have to be your customer, so, have fun.

 Car insurance companies figured this out long ago:  They charge extra 
 premiums
 to those customers who incur them more cost - that's why male 
 teenagers pay
 more than middle-aged people, and why people with multiple tickets pay 
 more.
 
 This is a poor analogy, which is why I have avoided them thus far. It is
 easier to assess blame in automobile incidents. It is, more often than
 not, the fault of a driver of one of the involved automobiles, not some
 nebulous third party. Insurance companies maintain records of traffic
 offenses on customers and check traffic records for prospective
 customers; there is no comparison within network abuse. It is difficult
 to assess responsibility in network abuse.
 
Actually, it's an excellent analogy.  If your system is a source of
abuse, you are responsible, one way or another.  Either you chose to
run exploitable software and failed to patch it, or, you chose to
run the exploit.  Either way, you have responsibility for abuse
originating from your machine.

Sure, there's a contributing factor in a lot of internet abuse from a
nebulous third party, but, people running exploitable systems should be
held responsible for the abuse those systems generate.

 Increasing the price point, or penalizing the customer, for network
 traffic generated by malware is an excellent way to promote churn and
 reduce revenue. It is more profitable to restrict customers from
 generating unfriendly network traffic in the first place than penalize
 them after the fact.
 
While I believe we don't currently have a better process than capitalism
available, this is an example of how capitalism does not necessarily lead
to the correct conclusions in a market.  Destroying existing and future
valid capabilities of the network to avoid solving the real problem because
solving the real problem might eat into revenues is exactly why I think
we need to modify our thinking on this.

 Would any car insurance company be able to stay in business long-term 
 if they
 raised the premium for middle-aged men driving boring Toyota sedans 
 because
 somebody else's teenager wrapped their Camaro around a tree?  Why is it
 perceived as reasonable in this industry?
 
 Again, this is a poor analogy. I am not penalizing customers who act
 responsibly. There is no direct correlation between users who are
 responsible and users who require unfiltered internet access. There are
 millions of subscribers who are responsible using filtered internet
 connectivity and they are not penalized for it. In fact, they are
 rewarded as they are paying a lower price point for this adequate and
 restricted service.
 
Yes you are.  You are penalizing users who act responsibly and want to use
the full capability of the network instead of some subset in order to
subsidize the costs of your other users who don't know and don't care.
It is an excellent analogy, it just doesn't support your point of view.

Your statement that their price point is lower is absurd.  It costs money
to put filters in place.  It doesn't cost money to not filter, except to
the extent that irresponsible actions which filtration would prevent are
not blocked.  Therefore, any increased costs in unfiltered connections
are the direct result of irresponsible use.  Absent irresponsible use,
unfiltered connections will, by definition, cost less.

 Please, stop making the assumption that all responsible users require
 unfiltered internet access.

That isn't the assumption.  The assertion is that unfiltered use costs
less than filtered use unless there is abuse or irresponsible use to be
filtered.  The further assertion is that ISPs should not be the ones
determining what level of access end users require.  ISPs should filter
what end users ask them to filter.  End users should not be charged
extra for access to the whole 

Re: Schneier: ISPs should bear security burden

2005-04-28 Thread william(at)elan.net

On Thu, 28 Apr 2005, John Dupuy wrote:
 But this analogy breaks down on so many levels, so I recommend not using it. 
 The street system is a government controlled monopoly and...well let's not use 
 this analogy.
If you really want some analogy for the Internet independent of the telecom 
sector or government infrastructure, the best is to compare the internet and ISPs to
retail product distribution. In both cases you have producers (content or
manufacturers) with many different kinds of products and brands consumers 
want and complex distribution channels to get from the producers to the 
stores (ISPs) where end-users actually buy it. But for the majority of retail
products, the original product can not be contaminated or dangerous to
end-users; if you compare groceries (a subset) then it's a lot more 
interesting and the product can easily get spoiled or otherwise be dangerous,
and a lot more regulations exist to make sure what consumers get is good, 
and supermarkets also routinely check the quality of products they 
receive themselves (especially for produce and dairy).

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: Schneier: ISPs should bear security burden

2005-04-28 Thread Owen DeLong
 In my own opinion, I would not expect a transit provider to filter
 anything other than my BGP announcements. However, I would expect my ISP
 to filter a possible worm infection port(s), as it would completely
 saturate my lowly-end-user datapipe if they did not, making network
 access worthless, even if my host was secure. Of course, I would also not
 expect to pay a higher fee for this filtering.
 
I'm probably one of the ones you think is confused.  However, I am not,
I simply don't think that they need different policies about what packets
flow.  If the customer doesn't ask for something to be blocked, it shouldn't
be blocked.

The most probable worm infection port is 80 or 443.  Do you really want those
filtered by your ISP?  I don't... It would wreak havoc with my web servers.

 Additionally, I am curious why any time a technical issue comes up on
 NANOG (or any other operator list), people resort to terrible analogies
 that have little to do with the actual content of the discussion?
 
Personally, I think the analogy was a pretty good one.  Just because it
doesn't support your point of view doesn't make it a bad analogy.  No matter
how much you and the person you quoted would like to obscure the fact,
default filtration is bad policy for a number of reasons:

+   It inflicts an unfair cost burden on responsible users
who want full internet connectivity.

+   It inflicts an unfair cost burden on responsible users
who don't need full internet connectivity, but, don't
need ISP-side filtration, either.

+   It taxes responsible users in order to reduce the costs
of irresponsible users.

+   It is a transit solution to an end-host problem, thus
creating a number of undesirable side-effects, not the
least of which is the cost of a continuing arms race
between the filters and the malware.

Owen

 ---
 Andy



-- 
If it wasn't crypto-signed, it probably didn't come from me.




Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Mark Newton

On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:

  So much for any sort of journalistic ethic, fact checking, or, unbiased
  reporting.

Schneier isn't a journalist or reporter;  He's a security vendor.

  - mark

-- 
Mark Newton   Email:  [EMAIL PROTECTED] (W)
Network Engineer  Email:  [EMAIL PROTECTED]  (H)
Internode Systems Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Fergie (Paul Ferguson)


And you're a network engineer. What's your point?


- ferg

-- Mark Newton [EMAIL PROTECTED] wrote:

On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:

  So much for any sort of journalistic ethic, fact checking, or, unbiased
  reporting.

Schneier isn't a journalist or reporter;  He's a security vendor.

  - mark

-- 
Mark Newton   Email:  [EMAIL PROTECTED] (W)
Network Engineer  Email:  [EMAIL PROTECTED]  (H)
Internode Systems Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Mark Newton

On Wed, Apr 27, 2005 at 06:06:22AM +, Fergie (Paul Ferguson) wrote:

  -- Mark Newton [EMAIL PROTECTED] wrote:
   On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
 So much for any sort of journalistic ethic, fact checking, or, unbiased
 reporting.
   Schneier isn't a journalist or reporter;  He's a security vendor.
 
  And you're a network engineer. What's your point?
 
Merely that Owen's expectation of journalistic ethic, fact checking, or
unbiased reporting was misplaced because his remarks are addressing
someone who has a vested interest in the outcome of the debate, not 
an ethical, unbiased disinterested observer.

  - mark

-- 
Mark Newton   Email:  [EMAIL PROTECTED] (W)
Network Engineer  Email:  [EMAIL PROTECTED]  (H)
Internode Systems Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread bmanning

On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
 I think it's absurd.  I expect my water delivery company not to add
 pollutants in transit.  I expect my water production company to provide
 clean water.

er.. bad analogy warning... please take a sample of tap water to 
an independent lab for analysis...  and find out just what the
water company is putting into your water.  

 This is like asking the phone company to prevent minors from hearing
 swear-words on telephone calls or prevent people from being able to make
 prank phone calls from pay-phones.
 

more bad analogies... :)

 
 Owen
 - ferg

that said, if you don't want your ISP to diddle your packets,
may i suggest IPSEC?

--bill



Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Joe Shen

Hi,

Maybe this is an OLD topic, but the problem is: what
is security? Or how to define a secure internet
access service. E.g. should an ISP be responsible for managing
applications transmitted across its backbone? If so,
how to define a standard application model while
keeping the internet a flexible platform?

Could we maintain the scalability of the IP network while
keeping it secure and high performance?

As a business consideration, would people pay more
money for a limited, secure internet access service
while their child is able to visit those nude
websites?

So, IMHO, it's a good idea but it's not a feasible
proposal.

Joe 


--- Jerry Pasker [EMAIL PROTECTED] wrote:
 
 I've been there -- I know how I feel about it --
 but I'd love
 to know how ISP operations folk feel about this.
 
 
 
 It means 10 different things to 10 different people.
  The article was 
 vague.  Security could mean blocking a few ports,
 simple Proxy/NAT, 
 blocking port 25 (or 139... or 53.. heh heh) or a
 thousand different 
 things.  There is a market for this, it's called
 managed services. 


_
Do You Yahoo!? 

http://cn.rd.yahoo.com/mail_cn/tag/10m/*http://cn.mail.yahoo.com/event/10m.html


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Dragos Ruiu

On April 26, 2005 11:36 pm, [EMAIL PROTECTED] wrote:
 On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
   I think it's absurd.  I expect my water delivery company not to add
   pollutants in transit.  I expect my water production company to provide
   clean water.

 er.. bad analogy warning... please take a sample of tap water to
 an independent lab for analysis...  and find out just what the
 water company is putting into your water.  

Actually that _is_ a bad analogy.

According to my sister (who works in that area as a regional water 
expert), tap-water is held to higher standards than bottled water. 
In Canada at least... ymmv.

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada   May 4-6 2005  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread william(at)elan.net

On Wed, 27 Apr 2005, Dragos Ruiu wrote:
an independent lab for analysis...  and find out just what the
water company is putting into your water.
Actually that _is_ a bad analogy.
According to my sister (who works in that area as a regional water
expert), tap-water is held to higher standards than bottled water.
In Canada at least... ymmv.
Yeah, gotta clean it up from pollutants [spam, ddos], add antibacterial 
[antivirus] agents, check that the supply [latency] is not too low [high],
make sure there are no leaks [unauthorized access].

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Elmar K. Bins

Ferg, you asked for it.

 I've been there -- I know how I feel about it -- but I'd love
 to know how ISP operations folk feel about this.
 
 Links here:
 http://www.vnunet.com/news/1162720


Schneier has a profound interest in the ISPs being forced to buy his
(or his competitors') security gear to fulfill the customers' dreams
of a clean Internet connection. Pretty biased, if you don't mind.

What he fails to understand is the reasons why ISPs don't do it.
It's not just laziness (only in part) or lack of responsibility; it's
more that it's expensive and nobody would pay for it - no, not
the customers; they like to get everything for free, remember?

The most prominent reason keeping ISPs from filtering their clients'
data streams is - tada - jurisdiction. It's simply not allowed in
countries that don't officially harvest everything they can get their
hands on. There is something called privacy rights. Nobody may
legally interfere with the data stream that reaches my boxes, and
nobody - not even my boss! - may fiddle with my email unless expressly
allowed by me. So it is a damn good sign of the ISP's responsibility
if it does _not_ place filters in the data stream.

But then, my sympathies for Bruce have long evaporated, so I am of
course biased as well.

Elmar.

--

Begehe nur nicht den Fehler, Meinung durch Sachverstand zu substituieren.
  (PLemken, [EMAIL PROTECTED])

--[ ELMI-RIPE ]---



Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Elmar K. Bins

[EMAIL PROTECTED] (william(at)elan.net) wrote:

 According to my sister (who works in that area as a regional water
 expert), tap-water is held to higher standards than bottled water.
 In Canada at least... ymmv.
 
 Yeah, gotta clean it up from pollutants [spam, ddos], add antibacterial 
 [antivirus] agents, check that the supply [latency] is not too low [high],
 make sure there are no leaks [unauthorized access].

In fact, the tap-water analogy is a very bad and at the same time a very
good one.

(1) In some countries, tap water is really pure and clean, often a lot
better than what you can buy in bottles. This is especially true
for Germany, Austria, and, according to Dragos, for Canada, too.

The reason for the water quality here in ol' Europe is defined
quality standards and ongoing tests.

(2) In other countries, water companies are allowed to adhere to a
lot less rigid standards. I was pretty surprised how awful water
in the US midwest was. Full of chlorine and tasting dead. I still
cannot believe people drink it there every day (but they do, it's
what Coke's made with there).

So we do see differences here, some of which stem from the available
water supplies in the area, and some of which are the effect of different
defined standards and - inherently - jurisdiction.

Countries are different; there is - legally speaking - no world-wide Internet.
Everyone falls under the legislation of their home country (for various
values of home...). And while we may not like it, this jurisdiction can be
very different from mine. Or yours.

Elmar.

--

Begehe nur nicht den Fehler, Meinung durch Sachverstand zu substituieren.
  (PLemken, [EMAIL PROTECTED])

--[ ELMI-RIPE ]---



Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Stephen J. Wilcox

On Tue, 26 Apr 2005, Jerry Pasker wrote:

 I've been there -- I know how I feel about it -- but I'd love to know how ISP
 operations folk feel about this.
 
 It means 10 different things to 10 different people.  The article was 

yep, and the danger is you agree with the article and some politicians or
journalists think you are advocating a full police service which would be bad.

i do think we have an obligation to try to keep the net clean to a certain 
degree, think anti-ddos wg's etc, but providing full security for all users is 
unrealistic. there seem to be some moves to offering partial security and this 
is probably a good thing, eg blocking common ms ports will likely be effective.

Steve



Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Owen DeLong
 Sound about right?
No, not at all.
I'm not advocating a wild west every man for himself, but, I think that
solving end-node oriented problems at the transport layer is equally
absurd.
It's like expecting to be able to throw crude oil into a tanker at
one end and demanding that the trucker deliver gasoline at the other.
ISPs transport packets.  That's what they do.  That's what most consumers
pay them to do.  I haven't actually seen a lot of consumers asking for
protected internet.  I've seen lots of marketing hype pushing it, but,
very little actual consumer demand.  Sure, the hype will probably generate
eventual demand, but, so far, it hasn't really.
Do you really want an internet where everything has to run over ports
80 and 443 because those are all that's left that ISPs don't filter?
That's where a lot of this crap is headed.  Heck, Micr0$0ft is ready
for that... They already tunnel almost all of the viruses through
those two ports in order to facilitate them penetrating corporate
firewalls and such.
How much functionality are we going to destroy before we realize that
you can't fix end-node problems in the transit network?
Owen





Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Owen DeLong
I was referring to the article which contained the schneier quote, not
schneier.  The article was written by someone at least pretending to be
a journalist, and, was put out as news, not editorial or advertising.
As such, it should be held to the standard that should apply to news.
Instead, it was yet another example of advertising disguised as news.
Owen
--On Wednesday, April 27, 2005 15:42 +0930 Mark Newton 
[EMAIL PROTECTED] wrote:

On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
  So much for any sort of journalistic ethic, fact checking, or, unbiased
  reporting.
Schneier isn't a journalist or reporter;  He's a security vendor.
  - mark






Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Owen DeLong

--On Wednesday, April 27, 2005 6:36 + [EMAIL PROTECTED] 
wrote:

On Tue, Apr 26, 2005 at 10:38:00PM -0700, Owen DeLong wrote:
I think it's absurd.  I expect my water delivery company not to add
pollutants in transit.  I expect my water production company to provide
clean water.
er.. bad analogy warning... please take a sample of tap water to
an independent lab for analysis...  and find out just what the
water company is putting into your water.
Admittedly, there are contaminants in the water, but, I don't believe
most of them are added in transit.  (If I did, I'd be putting pressure
on to get that fixed).  If you're talking about fluoridation, I am
fortunate enough to live in an area where they figured out that was a
bad idea.
This is like asking the phone company to prevent minors from hearing
swear-words on telephone calls or prevent people from being able to make
prank phone calls from pay-phones.
more bad analogies... :)
Why is this a bad analogy?  Neither of these actions are currently prevented
by the telcos.
that said, if you don't want your ISP to diddle your packets,
may i suggest IPSEC?
Sometimes I use IPSEC, but, I don't want my ISP to diddle my packets
whether they're tunneled or not.  Fortunately, so far, I've been able
to find ISPs that don't.
Owen





Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Suresh Ramasubramanian

On 4/27/05, Stephen J. Wilcox [EMAIL PROTECTED] wrote:
 
> i do think we have an obligation to try to keep the net clean to a certain
> degree, think anti-ddos wg's etc but providing full security for all users is
> unrealistic. there seems to be some moves to offering partial security and this
> is probably a good thing eg blocking common ms ports will likely be effective.
 

As complete security as possible, to your end users.

That doesn't extend to applying filters to circuits you provision for
your customers (managed T1 type stuff maybe, but definitely, more
useful in the case of end user stuff like at the edge of broadband /
dialup pools)

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Michael . Dillon

> I'm not advocating a wild west every man for himself, but, I think that
> solving end-node oriented problems at the transport layer is equally
> absurd.

That's not what was being suggested. The article suggested
that ISPs, the providers of the transport layer service, 
should consider branching out and offering other value added
services in addition to the transport layer, because customers
want to buy value-added services and not just the raw,
unfiltered transport layer. It's up to the ISP as to how
they configure and manage those services.

The company that I work for decided to build a separate
global IP network in 20 countries to connect about 150
providers of application and data services to their
customers, currently just under 11,000 of them. This IP
network provides vastly higher levels of security than the
public Internet and that is part of our contracts and SLAs.
There is no technical reason why other ISPs could not offer
similar value-add services other than a failure of the imagination.

And we all know what failure of the imagination buys you.
In the telecom industry it led to the rise of the ISP and
the Internet because the incumbents could not imagine what we
have today. In the U.S. political arena it led to 9/11 because 
the people charged with protecting the country could not imagine
that a small group of people based in one of the most backward
countries on earth could pose a threat to American soil. The report
of the 911 commission makes interesting reading if one is able
to see the abstract lessons that it draws. Many of those lessons
relate to failure of imagination and failure to move on and
change with the changing times.

> ISPs transport packets.  That's what they do.

You're wrong there. ISPs provide Internet services. That's
what they have always done. In the early days they ran mail
servers and web servers and news servers and terminal servers
and many other things. We have gone through a period of 
specialization where ISPs have been differentiated into
providing a subset of all possible Internet services. Some
do indeed specialise in pure packet transport, but that is 
rare and they are usually part of a larger company that 
provides other services. In any case, it's time to move on
and change some more, perhaps by adding new value-added
services on that last mile connection. 

> I haven't actually seen a lot of consumers asking for
> protected internet.

That's because you don't work for Yahoo email or for AOL.

> Do you really want an internet where everything has to run over ports
> 80 and 443 because those are all that's left that ISPs don't filter?

No. But I want an Internet in which different ISPs are free to
offer different services rather than have a regulated 
environment that says that ISPs MUST offer a specific service
in a specific way. I want choices.

--Michael Dillon



Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Owen DeLong
> Thing is, protecting them from themselves and their own stupidity is
> also the thing that most everyone else needs, too.
>> Do you really want an internet where everything has to run over ports
>> 80 and 443 because those are all that's left that ISPs don't filter?
> They should be filtered, too.  For standard bottom-feeder accounts,
> *everything* should be filtered and transparently proxied. And the accounts
> should be priced so that they pay for their own upkeep.  What will cost
> money is to turn off the filters selectively for certain accounts, and
> people who want that should be in a position to pay for it.

I'm sorry, but, I simply do not share your belief that the educated should
be forced to subsidize the ignorant.  This belief is at the heart of a
number of today's sociological problems, and, I, for one, would rather not
expand its influence.

>> How much functionality are we going to destroy before we realize that
>> you can't fix end-node problems in the transit network?
> How much of the Internet is going to be destroyed before we realize that
> the users are too stupid to be trusted to run their end-nodes, and if the
> transit network wants to protect itself from the worst offenses it will
> need to provide only managed services and not let these people out of the
> corral to begin with?

Strangely, for all the FUD in the above paragraph, I'm just not buying it.
The internet, as near as I can tell, is functioning today at least as well
as it ever has in my 20+ years of experience working with it.  The vast
majority of the end node problems come from one particular software vendor.
If that vendor could be held accountable for the problems they have created,
things would be much better.

The major advantage of the internet is the ability to deploy new applications
and protocols quickly and easily.  Transparent proxies, btw, would not
prevent most of the harmful stuff available via 443, so, I'm not sure
what you think that accomplishes.

Malware will quickly adapt to any such filtration at the transport layer.
As long as you can get some form of undefined content through the internet,
malware will have a way to gain transit.  It must be addressed at the end
node.
Owen





Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Greg Boehnlein

On Wed, 27 Apr 2005, Fergie (Paul Ferguson) wrote:
 
> I've been there -- I know how I feel about it -- but I'd love
> to know how ISP operations folk feel about this.

Of course Bruce Schneier is going to advocate ISPs handling security so
he can sell them more of his crappy Counterpane products. I find it
offensive that Mr. Schneier would categorize ISPs as lazy and
irresponsible, and it does nothing but encourage me to sell anything BUT
Counterpane to my customers.

Our customers vary greatly, and their security needs differ just as much.
There is no one stop solution for every customer, and it is not the ISP's
responsibility to filter traffic and firewall their customers. Those that
do invariably end up with trouble.

-- 
Vice President of N2Net, a New Age Consulting Service, Inc. Company
 http://www.n2net.net Where everything clicks into place!
 KP-216-121-ST





Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Fergie (Paul Ferguson)


I understand that, but opinions being what they are, everyone
is certainly entitled to have one of their own.

Placing value on those opinions is an exercise left to the
reader.

And not everyone's opinions are constructed to simply
allow financial benefit -- sometimes it is just a simple
observation.

Cheers,

- ferg

-- Mark Newton [EMAIL PROTECTED] wrote:

>>> Schneier isn't a journalist or reporter;  He's a security vendor.
>>
>> And you're a network engineer. What's your point?
>
> Merely that Owen's expectation of journalistic ethic, fact checking, or
> unbiased reporting was misplaced because his remarks are addressing
> someone who has a vested interest in the outcome of the debate, not
> an ethical, unbiased disinterested observer.
>
>   - mark

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Greg Boehnlein

On Wed, 27 Apr 2005, Fergie (Paul Ferguson) wrote:
 
> Oh, please.
>
> If you think that the Internet should remain an every man
> for himself, wild wild west, Ok Corral, situation (not my
> words, mind you), then you better get with the powers that
> will steam-roll all of us if we let it -- money and marketing.
>
> This ain't no science project anymore.
>
> Bruce is right -- right as rain -- I don't give two damns
> whether you think it is an issue of marketing, or protective
> self-advertising. The issue is that the _consumers_ want it,
> that's what they'll pay for, and it is the ISP's prerogative
> to either honor that wish, or lose the business.
>
> We owe it to our customers, and we owe it to ourselves, so let's
> just stop finding excuses to side-step the issue.
>
> Sound about right?

No. Not at all.

I agree that if customers are willing to pay for managed security services
that ISPs should provide them. However, an ISP that does not provide them
is not lazy and irresponsible, as characterized in the article.

As for security, intelligent ISPs will be monitoring their network and 
will have sensors in place to alert them to abnormal traffic (NetFlow, 
Snort, SNMP Traps, Log watchers) patterns and take action, but that does 
NOT extend to enforcing a security policy on the public without their 
consent.

If the public agrees to it, and requests it, that is one thing. 
Universally filtering packets because it makes our lives easier is 
another. No one said this business would be easy.



-- 
Vice President of N2Net, a New Age Consulting Service, Inc. Company
 http://www.n2net.net Where everything clicks into place!
 KP-216-121-ST





Re: Schneier: ISPs should bear security burden

2005-04-27 Thread David Lesher

Speaking on Deep Background, the Press Secretary whispered:
 
 
> Schneier has a profound interest in the ISPs being forced to buy his
> (or his competitors) security gear to fulfill the customers' dreams
> of a clean Internet connection. Pretty biased, if you don't mind.


Err...

What gear? Last I heard he sold security consulting services,
not hardware. He also writes books.

And the worse the net-wide situation, the more customers he gets
for both. So it sounds to me as if he's cutting his own throat
with this position.

So at least to my ears, claiming he is just trying to sell hardware
is not only a cheap shot, but a clear miss.

I've got a radical idea: why not discuss/debate his
statement|proposal on its merits|debits, vice purported ulterior
motives? Such debate is how many of us learn.


-- 
A host is a host from coast to coast ............... [EMAIL PROTECTED]
& no one will talk to a host that's close ......... [v].(301) 56-LINUX
Unless the host (that isn't close) ................ pob 1433
is busy, hung or dead ............................. 20915-1433



Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Fergie (Paul Ferguson)


None -- when you disconnect [correct, block, whatever]
abusive end-systems in your administrative domain. Act
locally, think globally.

In fact, an ISP in AUS just did this last week...

- ferg


Owen DeLong [EMAIL PROTECTED] wrote:

> How much functionality are we going to destroy before we realize that
> you can't fix end-node problems in the transit network?

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Edward Lewis

> clean it up from pollutants [spam, ddos], add antibacterial
> [antivirus] agents,
;)  My hotel confirmation for NANOG 34 was marked as spam. 
Thankfully, the ISP let it through anyway.

It would be nice if the ISPs protected me from bad stuff on the 
Internet - but why are they to be held to a higher standard than 
similar services?

E.g., (not intended as a water-tight analogy) the roads around me 
have laws and enforcement (sometimes).  If I am hit by someone who 
breaks a rule, my insurance takes care of that.  But the road system 
offers no protection to guarantee my on-time arrival at a Wednesday 
night beering session.  (No over-provisioning there.)

If we can't make it easy to get to happy hour, how are we going to 
make the Internet safe?
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                          +1-571-434-5468
NeuStar

If you knew what I was thinking, you'd understand what I was saying.


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Fergie (Paul Ferguson)


Finally -- an analogy I can relate to. ;-)

As an aside, perhaps if we worked on making the Internet
safer, as opposed to strictly safe, we might make some
progress. You know -- baby steps.

And Big Pond is my hero. :-)
http://www.zdnet.com.au/news/communications/0,261791,39188135,00.htm

- ferg

-- Edward Lewis [EMAIL PROTECTED] wrote:

> If we can't make it easy to get to happy hour, how are we going to
> make the Internet safe?

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Greg Boehnlein

On Wed, 27 Apr 2005, Brad Knowles wrote:

> At 8:13 AM -0400 2005-04-27, Greg Boehnlein wrote:
>
>> As for security, intelligent ISPs will be monitoring their network and
>> will have sensors in place to alert them to abnormal traffic (NetFlow,
>> Snort, SNMP Traps, Log watchers) patterns and take action, but that does
>> NOT extend to enforcing a security policy on the public without their
>> consent.
>
> This assumes intelligence on the part of ISPs.  This is no more
> valid than assuming that all users are intelligent.

No, it assumes that some ISPs are intelligent and that they will do what
is necessary. Darwinism will take care of the less intelligent. ;)

-- 
Vice President of N2Net, a New Age Consulting Service, Inc. Company
 http://www.n2net.net Where everything clicks into place!
 KP-216-121-ST





Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Sam Hayes Merritt, III

> And Big Pond is my hero. :-)
> http://www.zdnet.com.au/news/communications/0,261791,39188135,00.htm
I'm not sure I'd break my arm trying to pat them on the back yet. They 
have a ways to go in SMTP filtering their users so that when they are 
infected with trojans, they aren't abused to send spam out. From the above 
article, they are only disconnecting those users now because BigPond is 
feeling some pain on their own infrastructure. Our numbers of rejects from 
their users are consistently 3-4 hundred per day.

sam
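Greg's point earlier in the thread (ISPs running NetFlow and similar sensors to alert on abnormal traffic patterns) and Sam's point above (infected customer hosts being abused to send spam directly) can be shown together in code. What follows is an added example, not code from the thread or from BigPond or any other ISP named in it. It reads constructed NetFlow-style records for one customer pool and flags hosts whose outbound fan-out looks like direct-to-MX spamming or worm scanning; all addresses, the ISP relay address and the thresholds are assumptions.

```python
"""Flow-based spotting of abusive customer hosts (added example).

Not from the thread or any ISP named in it. Addresses, the ISP mail relay
and the thresholds are constructed assumptions; tune them on real data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (a subset of NetFlow v5 fields)."""
    src: str      # customer-side source address
    dst: str      # destination address
    dport: int    # destination TCP port
    packets: int


# Assumed ISP outbound mail relay; customers using it are behaving normally.
ISP_MAIL_RELAYS: Set[str] = {"203.0.113.250"}

# Thresholds are assumptions: distinct destinations per observation window.
SMTP_FANOUT_THRESHOLD = 20   # distinct port-25 destinations (direct-to-MX spam)
SCAN_FANOUT_THRESHOLD = 50   # distinct destinations on any other single port


def constructed_flows() -> List[Flow]:
    """Constructed sample window: one spam-bot, one scanner, one normal user."""
    flows: List[Flow] = []
    # 10.0.0.5: a few packets each to 40 different mail servers (spam-bot pattern)
    for i in range(40):
        flows.append(Flow("10.0.0.5", f"192.0.2.{i + 1}", 25, 6))
    # 10.0.0.7: single-packet probes to 60 hosts on 445 (worm scanning pattern)
    for i in range(60):
        flows.append(Flow("10.0.0.7", f"198.51.100.{i + 1}", 445, 1))
    # 10.0.0.9: ordinary browsing plus outbound mail through the ISP relay
    for i in range(30):
        flows.append(Flow("10.0.0.9", f"203.0.113.{i + 1}", 443, 40))
    flows.append(Flow("10.0.0.9", "203.0.113.250", 25, 20))
    return flows


def fanout_by_port(flows: Iterable[Flow]) -> Dict[Tuple[str, int], Set[str]]:
    """Map (source, dport) to the set of distinct destinations seen."""
    fanout: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        # Mail handed to the ISP's own relay is expected; do not count it.
        if f.dport == 25 and f.dst in ISP_MAIL_RELAYS:
            continue
        fanout[(f.src, f.dport)].add(f.dst)
    return fanout


def detect_outbound_abuse(
    flows: Iterable[Flow],
    smtp_threshold: int = SMTP_FANOUT_THRESHOLD,
    scan_threshold: int = SCAN_FANOUT_THRESHOLD,
) -> List[Tuple[str, str, int]]:
    """Return (source, alert kind, distinct-destination count) for every
    host whose fan-out exceeds a threshold, sorted for stable ticketing."""
    alerts: List[Tuple[str, str, int]] = []
    for (src, dport), dsts in fanout_by_port(flows).items():
        n = len(dsts)
        if dport == 25 and n >= smtp_threshold:
            alerts.append((src, "smtp-fanout", n))
        elif dport != 25 and n >= scan_threshold:
            alerts.append((src, f"scan:{dport}", n))
    return sorted(alerts)


if __name__ == "__main__":
    for src, kind, count in detect_outbound_abuse(constructed_flows()):
        print(f"{src}: {kind} to {count} distinct destinations")
```

The relay allow-list is the detail that keeps this from being the blunt "filter port 25 for everyone" that Owen objects to later in the thread: a customer who sends mail through the ISP's relay never trips the SMTP check, while a host talking to dozens of foreign mail servers in one window does, and the operator can decide per alert whether to contact, rate-limit or quarantine.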


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Fergie (Paul Ferguson) writes:
>
> I've been there -- I know how I feel about it -- but I'd love
> to know how ISP operations folk feel about this.
>
> Links here:
> http://www.vnunet.com/news/1162720
>


At a recent forum at Fordham Law School, Susan Crawford -- an attorney, 
not a network operator -- expressed it very well: if we make ISPs into
police, we're all in the ghetto.

Bruce is a smart guy, and a good friend of mine, but he's not a network 
operator or architect.  There are a small number of times when 
operators can, should, and -- in a very few cases -- act, but those 
are rare.  The most obvious case is flooding attacks, since they represent 
an abuse of the network itself; operators also have responsibility for 
other pieces of the infrastructure they control, such as (many) name 
servers.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Dan Hollis

On Wed, 27 Apr 2005, Owen DeLong wrote:
> Strangely, for all the FUD in the above paragraph, I'm just not buying it.
> The internet, as near as I can tell, is functioning today at least as well
> as it ever has in my 20+ years of experience working with it.

You must not have used it much in those 20 years. I can definitely say
worms, trojans, spam, phishing, ddos, and other attacks are up several
orders of magnitude in those 20 years. Malicious packets now account for
a significant percentage of all ip traffic. Eventually I expect malicious
packets will outnumber legitimate packets, just like malicious email
outnumbers legitimate email today.

As long as the environmental polluter model continues to be championed and 
promoted on nanog (of all places), the problem will only get worse.

-Dan




Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Daniel Roesen

On Wed, Apr 27, 2005 at 11:08:42AM -0700, Dan Hollis wrote:
> Malicious packets now account for a significant percentage of all ip
> traffic.

As a data point:

An unused, never before used or even just announced /21 currently draws
an average of 112pps and 70kbit/s, translating to about 1GB (1 Gigabyte!)
of traffic per day, or about 30GB per month. In some countries, that
translates to real money (I'm hearing INTERESTING price tags on
bandwidth in South Africa).

Looking at psmith's weekly routing table report, this would extrapolate
(totally non-scientific and ignoring several effects) to at least about
675GB daily stray traffic in the whole Internet, WITHOUT any host
answering to the viruses, trojans, whatever.

I hope to find the time to do some capturing and analysis of this
traffic. If anyone here has experience with that I'd be happy to hear
from them... don't want to waste time doing something others already
did... :-)


Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Petri Helenius
Fergie (Paul Ferguson) wrote:
> We owe it to our customers, and we owe it to ourselves, so let's
> just stop finding excuses to side-step the issue.
 

So are you saying that managed security services are not available for
paying consumers in USA?

Pete


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Steve Sobol

Owen DeLong [EMAIL PROTECTED] wrote:

> Why do ISPs owe this to their customers.

They don't. (I would argue that they owe it to the rest of the Internet, but
that argument is tangential to this discussion.)

However, I'd like to add an additional data point:

Those of us in .us have undoubtedly seen the AOL commercials touting their
comprehensive anti-virus services. (Don't know if they do other malware, FWIW)

The services are offered to AOL members at no cost to them.

Anyone who thinks AOL is doing this out of the goodness of their hearts,
please speak up now...


[FX: sound of crickets chirping]


Yup. That's what I thought. 

Not having to support people who have tons of viruses saves money, and
therefore is a good idea. Making it easier for people to avoid infection is
good business, especially when you are talking about AOL's userbase (in terms
of sheer numbers and the Internet expertise of the stereotypical AOL member).

It's not up to the online service or ISP to force security updates on their
customers. It might be a good idea for them to at least *offer* said updates,
though. How many do, besides AOL? 

And I'd argue that Owen's attitude is appropriate for transit and
business-class connections[0] - but if you're talking about a consumer ISP,
that's different. If the Big Four[1] US cable companies followed AOL's lead,
we'd see a huge drop in malware incidents and zombies.

**SJS

[0] Always appropriate for transit. Generally appropriate for business-class
bandwidth services, although you will still run into a lot of clueless
business owners who might end up with the same problems as residential
customers.

[1] Soon to be Big Three, but currently Comcast, Time Warner, Charter, and
Adelphia.

--
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / [EMAIL PROTECTED] / PGP: 0xE3AE35ED

The wisdom of a fool won't set you free
--New Order, Bizarre Love Triangle





Re: Schneier: ISPs should bear security burden

2005-04-27 Thread william(at)elan.net

On Wed, 27 Apr 2005, Petri Helenius wrote:
>> We owe it to our customers, and we owe it to ourselves, so let's
>> just stop finding excuses to side-step the issue.
> So are you saying that managed security services are not available for paying
> consumers in USA?

I think the debate is if default should be managed or unmanaged.
And some here are concerned that if default becomes managed throughout
the industry, they'd never be able to get unmanaged from anyone.
--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Daniel Senie
At 01:39 PM 4/27/2005, you wrote:
> In message [EMAIL PROTECTED], Fergie (Paul Ferguson) writes:
>>
>> I've been there -- I know how I feel about it -- but I'd love
>> to know how ISP operations folk feel about this.
>>
>> Links here:
>> http://www.vnunet.com/news/1162720
>
> At a recent forum at Fordham Law School, Susan Crawford -- an attorney,
> not a network operator -- expressed it very well: if we make ISPs into
> police, we're all in the ghetto.
>
> Bruce is a smart guy, and a good friend of mine, but he's not a network
> operator or architect.  There are a small number of times when
> operators can, should, and -- in a very few cases -- act, but those
> are rare.  The most obvious case is flooding attacks, since they represent
> an abuse of the network itself; operators also have responsibility for
> other pieces of the infrastructure they control, such as (many) name
> servers.

While this stance works for backbone network operators, I'm not entirely 
convinced it's a viable business strategy for ISPs dealing directly with 
end user customers (business or residential). The problem at the edge is 
customers insist they don't want the spam and viruses, and expect the ISP 
to help. Earthlink and AOL provide such services, and in the course of 
doing this raise an expectation.

Now a regional or local ISP can either say it's not our job to protect 
you and have their customers migrate away, or they can make efforts to 
help and retain customers. So, is this a technical issue or a business 
issue? Network engineers are not necessarily qualified to make business 
decisions, unless they wear both hats.

Customers at the retail level expect basic protection services as a part of 
the price of service. Whether that's a good thing or not, it's where we are 
on the business side of providing retail ISP services.





Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Fergie (Paul Ferguson)


Of course there are.

What I'm saying is that too many providers do nothing,
regardless of whether it is a managed (read: paid) service,
or not.

- ferg


-- Petri Helenius [EMAIL PROTECTED] wrote:

>> We owe it to our customers, and we owe it to ourselves, so let's
>> just stop finding excuses to side-step the issue.
>
> So are you saying that managed security services are not available for
> paying consumers in USA?
>
> Pete

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Fergie (Paul Ferguson)


Thank you, Steve, for a very articulate  rational post. :-)

- ferg

-- Steve Sobol [EMAIL PROTECTED] wrote:

> [snip]
>
> Anyone who thinks AOL is doing this out of the goodness of their hearts,
> please speak up now...
>
> [FX: sound of crickets chirping]
>
> Yup. That's what I thought.
>
> Not having to support people who have tons of viruses saves money, and
> therefore is a good idea. Making it easier for people to avoid infection is
> good business, especially when you are talking about AOL's userbase (in terms
> of sheer numbers and the Internet expertise of the stereotypical AOL member).
>
> [snip]

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/


Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Owen DeLong
I have no problem with disconnecting known abusers.  However, there's
lots of other actions implied in the ISP responsibility described
that are things like filtering port 25, blocking NetBIOS, etc.
Some ISPs do this.

I'm all for having an AUP and/or TOS that allows you to disconnect
abusers.  When I was working for various ISPs, I personally disconnected
a number of such abusers.

However, IMHO, disconnecting abusers is a far cry from Providing a
clean internet.

Owen


--On Wednesday, April 27, 2005 12:26 PM + Fergie (Paul Ferguson)
[EMAIL PROTECTED] wrote:

 
> None -- when you disconnect [correct, block, whatever]
> abusive end-systems in your administrative domain. Act
> locally, think globally.
>
> In fact, an ISP in AUS just did this last week...
>
> - ferg
>
>
> Owen DeLong [EMAIL PROTECTED] wrote:
>
>> How much functionality are we going to destroy before we realize that
>> you can't fix end-node problems in the transit network?
>
> --
> Fergie, a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  [EMAIL PROTECTED] or [EMAIL PROTECTED]
>  ferg's tech blog: http://fergdawg.blogspot.com/



-- 
If it wasn't crypto-signed, it probably didn't come from me.




Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Owen DeLong
> We know that almost all users are too stupid to know what they really
> need or how to get it, and that they need to be protected from their own
> stupidity -- as well as protecting the rest of the world from their
> stupidity.

Not only do I not know this, I find it to be patently false.  Yes, I think
a high percentage of users is too ignorant to know what they need or how
to get it.  However, protecting them from that ignorance only propagates
and perpetuates it.  Pain is one of nature's most effective educators.
Allowing people to experience the full (as long as it's non-fatal) effect
of their ignorance often creates a strong desire for education.

This incredible expansion of the "We must protect people from themselves"
philosophy is wasteful, expensive, and, worst of all, highly destructive
to society in the long run.

Government or any other regulatory body should protect people from each
other, not from themselves.  Similarly, while knowingly producing a dangerous
product should carry some civil and criminal liability, the fact that we
have effectively made companies and professionals liable for any act of
stupidity committed by their consumers unless they specifically disclaimed
or warned (and sometimes even if they did) the consumer is about 2/3rds
of the cost of medicine today.  It's about 1/2 of the cost of an airline
ticket.  It's about 3/4 of the cost of aircraft parts.  The list goes on.

Owen

-- 
If it wasn't crypto-signed, it probably didn't come from me.




Re: Schneier: ISPs should bear security burden

2005-04-27 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Steve Sobol writes:

 

> And I'd argue that Owen's attitude is appropriate for transit and
> business-class connections[0] - but if you're talking about a consumer ISP,
> that's different. If the Big Four[1] US cable companies followed AOL's lead,
> we'd see a huge drop in malware incidents and zombies.


I see your point, and I almost agree -- almost, but not quite, because 
there's a very big problem: consumers have very little choice of which
broadband ISP they can subscribe to.  As you note, there are very few 
cable ISPs, at least one of whom is also a major content owner.  The 
LECs are flexing their muscles to get rid of UNE, which may eliminate 
DSL options in many places.  That will leave consumers with at most two 
choices, and the players in that space seem to love walled gardens.  Is, 
for example, p2p abuse?  After all, it uses up bandwidth.  I worry 
about giving too much power to unaccountable monopolists.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb



