North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Schneier: ISPs should bear security burden

  • From: Bill Stewart
  • Date: Wed Apr 27 20:09:57 2005
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta;; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=FIE4ahpePVOUPX54aQcMw5hUFyNQnYzEm3iBGSXakYCLJwxyWM2wP76R24WdXHTcEUXBHqlSLe20eJdXioGnRFc0LNJIKvuJXGO2ME7oxBCjic6pZDn3shN4OO//N0YypH1nQ2Omm7/4oU3RZ+gltE3U7KkAaRwZGVg2dArG8Rs=

Steve Sobol wrote:
> And I'd argue that Owen's attitude is appropriate for transit and
> business-class connections[0] - but if you're talking about a consumer ISP,
> that's different. If the Big Four[1] US cable companies followed AOL's lead,
> we'd see a huge drop in malware incidents and zombies.

You could solve 90% of the problems that you perceive are being caused
by unrestricted
cable modem users by using blocklists to ignore traffic from them.
As somebody who picked a DSL provider specifically because it allows me to
run any kind of server I want, I'm not highly in favor of blocking
traffic from broadband users
and killing the end-to-end principle that makes the Internet work,
but if the noise-to-signal ratio is too high, it's easy to set up your
mail servers
to reject mail from cable modem users, or set your routers to
null-route their packets,
or even null-route-plus-strict-uRPF them if that's what makes your users happy.

You'd see a huge drop in zombies because they'd become invisible to you,
and while being surrounded by invisible zombies isn't all it's cracked up to be,
it's a good start.  It puts the choices in the hands of the recipients,
and market-like processes will find a balance that's much more varied
than imposing technical restrictions on senders (as opposed to
don't-spam types of restrictions.)

(And in spite of my self-righteous pontificating about not broadly
blocking big chunks of
people because it blocks the good along with the bad, my main email
ISP allows users
to pick blocklists by country, and you can bet that I'm blocking email
from China,
Korea, and Nigeria, and anybody there who wants to reach me can email
my work address
or use a Yahoo account.  I'm not using the DSL/cable blocklists,
though, but that mail
gets spam-filtered.)

             Thanks;     Bill

Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.