Re: The home user problem returns

["R. DuFresne" <dufresne () sysinfo com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 12 Sep 2005, Mason Schmitt wrote:

> Brian Loe wrote:


        [SNIP]


> Here's an example that's not related to Internet access and bandwidth.
> In North America (and starting to become a problem in most developed
> nations), smoking is becoming a huge problem.  Smoking is known to be
> linked to many forms of cancer, birth defects, gum disease, many
> respiratory diseases, etc, etc. - it's a really long list.  Some people
> consider smoking to be a personal choice, so lets run with that.  My
> first argument pertains more to Canada and other countries that have
> public medical systems.
>
> When enough people choose to smoke, they are placing an unnecessary
> burden on the public medical system, thereby degrading it for everyone else.

Are they?  Will they really?  Afterall, considering the above, they are 
not likely to live as long and thus not going to be within the system as 
long term as the non-smokers.


> You may be one of those militant smokers that feels it is their right to
> smoke wherever they please.  If you decide you want to smoke in public,
> you may be smoking next to someone that is an asthmatic.  It's well
> known that second hand smoke is just as deadly, if not more so, than the
> smoke you pull through your filter


Are you certain of this, or is it just another version of overhype in this 
current time and space?  Afterall, think about it a momnet, if I draw 
smoke directly into my lungs, and exhale and then you breath in a small 
fraction of what residule smoke is left, it is really more of a health 
issue for you in a secondary fashion then it was for me in the first 
intake?


> - if you and other militant smokers
> get their way, non smokers are now suffering the same health problems
> that are common amongst smokers.  Other people may be enjoying the fresh
> air or a good meal and you are denying them that.  The effect can even
> be as simple as making someone else's clothes stink.  No matter how you
> look at it, this is more than just your problem - you are involving
> other people that may not want to have anything to do with you.

We face these 'balances;' in many facets of daily life, anytime a majority 
has to allow the minority to have equal rights and protections though no?


> I promised I'd give you an example relating to your use of your Internet
> connection.  Here's one really good example for you.
>
> Recently a bot found it's way onto a customer's computer.  That bot
> setup shop and began to send spam... through our not-so-smart smarthost.
> The bot was also a worm and it started spewing like crazy trying to
> find more hosts - it found some on our network and would have found some
> out on the net if I hadn't put egress filters in place on our router a
> year or two ago.
>
> I got called into work outside normal hours to track down the bot, our
> support people had to call the customer to let them know and they also
> turned of the customer's modem until the infection was cleaned out.
> They then had to start calling other customers and doing the same.
>
> In the short time that the spam was flowing, our mail server managed to
> find it's way onto a couple blacklists.  As a result, customers that
> didn't get the worm were still being affected because some of their
> email bounced due to other mail admins using the blacklists that we
> ended up on.  This in turn generated support calls.
>
> I then kicked myself for not having implemented rate limiting and really
> basic spam filtering on our outbound smtp relay like I had planned to
> and set about working out how I was going to do that.  It turns out that
> it not feasible with our current solution, so this week I'm working on
> building a new mail server that will allow me to do the egress filtering
> I need to do.
>
> All in all, the fact that there weren't more safe guards in place cost
> us time and money and affected a fair number of customers.  It has also
> pulled me away from other important work and thus I get further behind.
>
> If that doesn't paint a clear enough picture of why you should not be
> able to have a wide open un-restricted pipe of your own, let me know and
> I'll give you some more examples.

That sure seems like a long way about trying to limit the exposures that 
got and get you into the fixes you find in your ISP technical position, 
so, let me ask here again, would it not be simpler, and likely go pretty 
much untocinted to the vast majority of your users to just lont allow 
ports 135-139, 455, and 500 and the rest of the windws specifics from 
leaving your periniters and even actually eliminate it on your braodcasts 
within?  Seems that would be far less work and likely with the ingress and 
egress filtering eliminate 90% of the issues that hit you and your user 
base, would it not?  and certainly without the support overhead of the 
vast majority of the plans and solutions you are trying to impliment, yes?

My question to the rest of the list remains:  how much would an ISP suffer 
if they invoked such policies?  and invoked such policies with the hitting 
those that request to be allowed to avoid those limitaions with a service 
expansion and extra hit from the pocketbook?  Rather then give it all away 
under the basic pricing infrastructure, you make those that wish for the 
"addon risks" pay for it.


Thanks,


Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDJzAbst+vzJSwZikRAry+AJoCKeFo3zyFsww0YwwMVVyTPSTWPACgkGmR
cTVGspq1CNCNmeeaXN8d2aM=
=X/Bq
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards