Re: The home user problem returns

["R. DuFresne" <dufresne () sysinfo com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 8 Sep 2005, Mason Schmitt wrote:

> Marcus J. Ranum wrote:
> > ISPs have a completely different place in the security stack - your
> > job is to carry goodness and badness;
>
> I agree that the ISP's place in the security stack is different than
> that of businesses and government.  However, I don't think our job is to
> carry badness.  As a major choke point between thousands (in our case)
> or millions (the big ones) of home users and the rest of the net, I
> think ISPs absolutely should be doing whatever possible to restrict
> badness on their networks.  They have the visibility necessary to do the
> job and they have the means to at least offer some basic protection.
>
> The fact that ISPs are now seeing enough pressure (from customers, RBLs,
> and worm/bot load on their networks) that they are starting to react, is
> encouraging.  Comcast, once the worlds greatest source of spam is now
> working toward a full outbound port 25 block and has just made
> available, to all of their customers, a McAfee software bundle that has
> an antivirus app and personal firewall.
>
> I don't think it's a great solution (probably marketing driven), but
> certainly far better than what they had before.
>
> as you point out, your end
> > users (who are idiots) will resent your attempts to make things
> > better for them.
>
> I see my job as trying to provide as consistent and unencumbered an
> experience as possible for our customers.  Right now, spam, bots, and
> #!$%ing spyware are getting in my way of doing that.  I don't like the
> fact that at the onset of each new worm, that I still have to contact
> people and shut them down.  I don't like the fact that customers phone
> complaining that our service is slow and when they bring their computer
> into our shop we find a massive spyware infestation (the current record
> btw is 5300).  As a result, we are willing to try anything that is
> likely to gain us some ground.  Right now one of the projects that we
> have that is working really well is having customers bring in their
> computer when they sign up.  We give the PC a thorough enema and send it
> back out with free antivirus and antispyware, windows updates turned on
> and the XP firewall enabled.  Twice a year we run a spring cleanup and a
> fall tune-up which again goes through the enema process for $29.  We're
> fairly confident that this program is making a big dent in the number of
> really vulnerable systems out there.
>
> Our goal is to severely reduce the number of infections on our network
> so that our customers can have a consistent and hassle free experience
> on the net.  I'd like to see all ISPs adopt that stance.
>
> Sorry.  Just realised this looks a whole lot like a sales pitch...
>
> --

Mason, I do not think Marcus was beating up on you personally, and I don;t 
think anyone else here would or has either.  You have a tough world to 
work from, that of a tech within an ISP.  But the best that an ISP can do 
is perhaps limited, and since the corp industry is still unable to beat 
the problems that abound, and since gov sites both federal and state and 
local are still up to their collective necks in internet-do-do, any 
efforts from the ISP realms is welcomed though perhaps not to have too 
drmatic of an effect.  But, if each and every ISP forced into their 
routers ingress as well as egress filtering, we;d have eleiminted a large 
number of attack vectors and issues with the anonymity that many rely upon 
for their nasty deeds.

As for the  new value-adds of firewalls and spam filters offered by some 
ISP's they aren;t going to sell well even now.  Afterall, what are folks 
seeking;  a connection plain and simple and since education has not made 
them really aware of the pitfalls they face, why are they going to pay 
more for a service they don;t really seek let alone feel they need?  There 
is afterall more serious concerns for their wallets in gas prices 
rising....  Now, if frewalls and spam filters were part of the base 
offering, folks might or  might not notice or be concerned and still 
signon, though that's not a given either.  Folks tends to in both the home 
user realm as well as the corporate realm do these silly "full installs" 
afterall, thinking if they do any less they are somhow limiting their 
capabilities.

By the way, Marcus, love yer 10 list!  spreading it all about the place 
now.  I had hesitated in replying to the user training side of the thread 
as folks tend to view me as a pessimist, rather then a realist.

ingress and egress is the strong begining move to make.  Marcus has many 
tales to tell on how well that matter goes through the corp world, and has 
I'm sure only related a few of those tales here...



Thanks,

Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDJdJVst+vzJSwZikRAvZmAJ9q7aAczxKWBA4K6ErX9ox8UnrsTQCcD/LX
u04zsbiJWkrj8pKWYnnjkOs=
=Yrsl
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards