[126930] in North American Network Operators' Group
Re: Nato warns of strike against cyber attackers
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jun 9 01:23:49 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <AANLkTikZGnpsQ0qOX3DwmeT_LdZoLBunOOplgsVn6gjV@mail.gmail.com>
Date: Tue, 8 Jun 2010 22:18:09 -0700
To: Jorge Amodio <jmamodio@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 8, 2010, at 8:01 PM, Jorge Amodio wrote:
> Sent from my iToilet
>=20
> why you will penalize with fees the end customer that may not know
> that her system has been compromised because what she pays to Joe
> Antivirus/Security/Firewall/Crapware is not effective against Billy
> the nerd insecure code programmer ?
>=20
So? If said end customer is operating a network-connected system without
sufficient knowledge to properly maintain it and prevent it from doing =
mischief
to the rest of the network, why should the rest of us subsidize her =
negligence?
I don't see where making her pay is a bad thing.
> No doubt ISPs can do something, but without additional regulation and
> safeguards that they wont be sued for sniffing or filtering traffic
> nothing will ever happen. Do we want more/any regulation ? who will
> oversee it ?
>=20
Those safeguards are already in place. There are specific exemptions in =
the
law for data collection related to maintaining the service and you'd be =
very
hard pressed to claim that identifying and correcting malicious activity =
is not
part of maintaining the service.
> On the other hand think as the Internet being a vast ocean where the
> bad guys keep dumping garbage, you can't control or filter the
> currents that are constantly changing and you neither can inspect
> every water molecule, then what do you do to find and penalize the
> ones that drop or permit their systems to drop garbage on the ocean ?
>=20
Your initial premise is flawed, so the conclusion is equally flawed.
The internet may be a vast ocean where bad guys keep dumping garbage,
but, if software vendors stopped building highly exploitable code and =
ISPs
started disconnecting abusing systems rapidly, it would have a major =
effect
on the constantly changing currents. If abuse departments were fully =
funded
by cleanup fees charged to negligent users who failed to secure their =
systems
properly, it would both incentivize users to do proper security _AND_ =
provide
for more responsive abuse departments as issues are reduced and their
budget scales linearly with the amount of abuse being conducted.
Owen
> My .02
> Jorge
>=20
>> I'm fond of getting the issues addressed by getting the ISPs to be =
involved
>> with the problem. If that means users get charged "clean up" fees =
instead
>> of a "security" fee, that's fine.
>>=20
>> ISPs remain in the unique position of being able to identify the =
customer,
>> the machine, and to verify the traffic. It can be done.
