North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Schneier: ISPs should bear security burden

  • From: Owen DeLong
  • Date: Wed Apr 27 06:44:42 2005

	Thing is, protecting them from themselves and their own stupidity is
also the thing that most everyone else needs, too.

 Do you really want an internet where everything has to run over ports
 80 and 443 because those are all that's left that ISPs don't filter?
	They should be filtered, too.  For standard bottom-feeder accounts,
*everything* should be filtered and transparent proxied. And the accounts
should be priced so that they pay for their own upkeep.  What will cost
money is to turn off the filters selectively for certain accounts, and
people who want that should be in a position to pay for it.

I'm sorry, but, I simply do not share your belief that the educated should
be forced to subsidize the ignorant.  This belief is at the heart of a
number of today's socialogical problems, and, I, for one, would rather not
expand its influence.

 How much functionality are we going to destroy before we realize that
 you can't fix end-node problems in the transit network?
	How much of the Internet is going to be destroyed before we realize that
the users are too stupid to be trusted to run their end-nodes, and if the
transit network wants to protect itself from the worst offenses it will
need to provide only managed services and not let these people out of the
corral to being with?
Strangely, for all the FUD in the above paragraph, I'm just not buying it.
The internet, as near as I can tell, is functioning today at least as well
as it ever has in my 20+ years of experience working with it. The vast
majority of the end node problems come from one particular software vendor.
If that vendor could be held accountable for the problems they have created,
things would be much better.

The major advanatage of the internet is the ability to deploy new applications
and protocols quickly and easily. Transparent proxies, btw, would not
prevent most of the harmful stuff available via 443, so, I'm not sure
what you think that accomplishes.

Malware will quickly adapt to any such filtration at the transport layer.
As long as you can get some form of undefined content through the internet,
malware will have a way to gain transit. It must be addressed at the end


Attachment: pgp00026.pgp
Description: PGP signature