funsec mailing list archives

Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)

From: Michael Collins <mcollins () aleae com>
Date: Tue, 13 Oct 2009 11:07:31 -0400

I'll make a broad philosophical statement here.... Whee....

I think at the heart of our headache is that we're all technologists  
on this bus (with the exception of the lawyer, maybe).  So we see  
these as technological problems - you replace the strut, patch the  
code, whatever, and the system runs.  Conversely, what we're really  
dealing with here is the constant and creative adaptation of tech for  
newer and better bastardry.  I don't think the problem is fixable,  
it's controllable, maybe, through enforcement, policy, and a couple of  
other matters.  But it's never going to be "solvable".

So, the question - do cops give up because they can't fix crime?   
Because in the end, i think that's going to be waht we're talking  
about, a perpetual constant barrage of low-level noise and crap that  
we will, at best, be able to make manageable so that a civilized  
internet can keep running.

Okay, enough head in the clouds blather.  I have code to cut.


On Oct 13, 2009, at 8:28 AM, Rich Kulawiec wrote:

On Sun, Oct 11, 2009 at 10:29:05PM -0400, Larry Seltzer wrote:

Many of us have agreed that, for competitive reasons, it's not  
possible
for ISPs to lock infected users out of a network. I'd like to  
suggest a
crazy idea for your reaction: A law governing ISPs that sets rules  
for
these situations.


I've long since given up on the idea of legal solutions to problems
like these.  For starters, any such proposed law will be so hopelessly
mangled by the lobbyists that the end product will end up looking  
nothing
like the proposal; and given the immense power of the duopoloy's  
lobbyists,
at least in the US, I think they'd be all over this.

      [ See "CAN-SPAM" for a canonical example of this process. ]

But even if a law that those of us who erudite enough to be here ;-)
was enacted precisely as we wished, it would only cover this  
jurisdiction.
And this is a global problem.

And even if -- by fiat, let's say -- that same law was put in place
globally, who would enforce it?   What organization has the expertise,
the human resources, and everything else required to make it stick?

I think the best available solution to this is blacklisting.  It  
achieves
an immediate goal (preventing abuse/attacks from an obviously-infected
system) and it pushes toward a longer-term goal (convincing those
responsible for the system, that is, the former owner and the ISP, to
isolate it/clean it up/fix it).  It can be done without legal action,
since any of us are of course free to decline the privilege of network
services to anyone we want.  It scales reasonably well.  It can be  
handled
by multiple services with different criteria so that we have a choice
of which to use, and so that those with, ummm, braindamaged criteria,
will be recognized as such and largely ignored.  And -- as we have
seen on several occasions -- when properly used, it can, ummm,  
persuade
those responsible for poorly-managed operations to change their ways.

To be clear: I *don't* like this at all.  I remember a time when
people took pride in their operations and worked hard to make sure
that they were good network neighbors.  When they screwed up, they
fixed it and apologized, and then tried to learn how not to screw up
that way again.  I would prefer that we go back to that ethic.  But
that is absolutely not going to happen; there's far too much money
to be made by a combination of (a) studied negligence and (b) passive
or active cooperation with abusers.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


Mike Collins
mcollins () aleae com



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Re: Public Policy and Consumer ISP Hygiene(was Comcastpop-ups), (continued)
- - - Re: Public Policy and Consumer ISP Hygiene(was Comcastpop-ups) Nick FitzGerald (Oct 20)
    - Re: Public Policy and Consumer ISP Hygiene(was Comcastpop-ups) Rich Kulawiec (Oct 20)
    - Re: Public Policy and Consumer ISP Hygiene(was Comcastpop-ups) Rich Kulawiec (Oct 20)
    - Re: Public Policy and Consumer ISP Hygiene (was Comcastpop-ups) chris (Oct 19)
    - Re: Public Policy and Consumer ISP Hygiene (was Comcastpop-ups) Rich Kulawiec (Oct 19)
    - Re: Public Policy and Consumer ISP Hygiene (was Comcastpop-ups) Nick FitzGerald (Oct 19)
    - Re: Public Policy and Consumer ISP Hygiene (was Comcastpop-ups) chris (Oct 19)
    - Re: Public Policy and Consumer ISP Hygiene (was Comcastpop-ups) Rich Kulawiec (Oct 17)
    - Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Michael Collins (Oct 13)
    - Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Rich Kulawiec (Oct 13)
    - Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Michael Collins (Oct 13)
  - Re: dumb. Comcast pop-ups Rich Kulawiec (Oct 10)
    - Re: dumb. Comcast pop-ups Toralv_Dirro (Oct 10)
    - Re: dumb. Comcast pop-ups Jon Kibler (Oct 10)
    - Re: dumb. Comcast pop-ups Michael Collins (Oct 10)
    - Re: dumb. Comcast pop-ups Jim Murray (Oct 11)
    - Re: dumb. Comcast pop-ups Jon Kibler (Oct 11)
    - Re: dumb. Comcast pop-ups Michael Collins (Oct 11)
    - Re: dumb. Comcast pop-ups Larry Seltzer (Oct 10)
    - Re: dumb. Comcast pop-ups der Mouse (Oct 10)
    - Re: dumb. Comcast pop-ups Dave Dennis (Oct 10)

(Thread continues...)