Firewall Wizards mailing list archives

Re: Newspaper Article about Cable Modem security


From: Saso <Saso () vsecureit net>
Date: Thu, 04 Nov 1999 22:02:00 +0100

Hi Russ,

In message <84813DB48E28D211978700A0C9B55834429AF5 () mail cooper com>, Russ@cooper.com writes:
<opinion>
Your example at the end of the paragraph is the perfect reason why security
shouldn't be left to average users.  It's very easy for you to say that
everyone should be responsible because you understand it.  Most people don't
think like computers, and to try to force them to understand that they "need
to filter BO by closing ports" is like speaking German to them.

I have to say I completely agree with you on this. A customer doesn't care 
much what BO is and what it isn't and the usual customer wants to keep it this 
way. Most ISP customers are computer illiterate and frankly, they don't care 
how things work as long as they work the way they expect them to. 

As an ISP, you have to keep your customers happy and let them do everything 
their heart desires. Sooner or later that collides with the level of security 
that should be set. For instance, some customers on cable want to share their 
hard drives with their friends, but they can't because the ISP closed port 139 
(@Home example by R. Graham). Before we took that step, we had to consider two 
options: 

        one, we could keep our hands off things and leave customers at the mercy of
those zillions of script kiddies that roam the 'Net.
 
        two, we could go out of our way, knowing not many will stumble across 
it, but will definitely be angry about it, and just filter the port.

By taking option number 1, your tech support will hear from all the angry 
customers whose important documents found a way to a local news group and soon 
newspapers will tear you apart because you didn't take enough care about your 
users.

By taking option number 2, your tech support will hear from all the angry 
customers who can't share their precious MP3 collection with their friends. 
And many of their friends know someone in the local newspaper who will scream 
'oppression!'.

ISPs involving themselves in security issues can't gain a thing. And quite 
frankly, I don't think ISPs should do anything more than they can if a 
customer asks them to.

If a customer wants port 139 to be closed for his xDSL line, why not. But if 
they don't want it to, it's their own decision and they should be well aware 
of that.

A "generic" security option from an ISP is probably sufficient for most
users who just want to surf the web and get email and ICQ.  But for more
advanced users I see more of a service approach to the problem.

Question is, how generic a generic security would be. Should we stop just at 
well-known ports like 135, 138, 139, 12345, 2140, 31337 or should we go a step 
further? How far?

We are taking the false move here. We all take major security flaws in OSs as 
if it was the only way it could be. We move the responsibility for customer 
security from computer vendors to ISPs. It is like we would move the 
responsibility for car safety from car manufacturers to the organisation that 
maintains the roads.

ISPs provide what their name says == Internet services. Yes, S in ISP stands 
for services, not security. I for one expect my OS vendor to provide me a 
secure out-of-the-box OS. I still keep hope for that day to come. ;)

Why shouldn't computers work the same way?  People can choose to have
generic security from their ISP, or they can choose to have none, or they
can install a firewall themselves, or they can hire an outside company to
monitor, update and maintain the firewall.  

Yes, I agree. Customers should be able to choose. In a perfect world, 
they could choose between an ISP that will give them different 'security plans' 
and the ISP that will lock them up inside his fort and an ISP that will leave 
them alone in the great wide open. The first one would probably be perfect for 
the accountant type, the second one for the paranoid ones and the third one 
for the adventurers.

But it's all Sisyphus work as long as computer vendors don't join the dance. 
Your ISP can't protect you from yourself or the bug farm you have on your 
computer. And that is where it all began in the first place.

Regards,

Saso



