Security Basics mailing list archives

Re: Would you pay more ...


From: Charley Hamilton <chamilto () uci edu>
Date: Tue, 06 Jul 2004 05:56:52 -0700

> Would you pay more to only have the following destination ports open
> to the internet originating from your broadband modem:

Actually, as a consumer, I'd pay less.  However, I am semi-advanced
(i.e. I can get into deeper trouble more creatively) and I *like*
having other ports available to cycle my various connections through.
Controlling the inbound/outbound ports at both my office (personal) firewall
and my home firewall gives me a (somewhat misguided) sense of security through
obscurity.  The script kiddies who just hunt the "regular" target ports
don't bother my connectivity apps.  And if they do hit the right port, their
IP gets dropped by the ruleset anyway. And if it doesn't they fail the authentication....

If only "standard" ports became available, a lot of people who are
unwilling to pay more for the "business" service (because we aren't a
business!) just to get access to those other ports will be forced to either "misuse" standard ports by running nonstandard apps on them (okay misuse is probably the wrong word there) or give up connectivity options that they
already have.

The danger I see to offering such "secure by design" service is
that it's not actually all that much more secure and is, in the end, more a
marketing ploy than anything else.  Most users wouldn't know a trojan
on a "standard port" from one on a random port.  In fact, I will venture
that most users (to some extent like me) don't really grok what a port is
anyway.  They just run antivirus and expect it to get everything.
Including windoze patches.  Would the ISP then take to scanning the
approved ports for unusual activity?  What's the savings of running
through only those ports instead of all of them?  How badly is my user-ness
showing?  ;-)

> ALTERNATIVELY, would you like it if this was the STANDARD package and
> additional ports were considered optional, and required payment.

How much more do you pay?  By what argument are you justifying the additional
cost, given that most individuals who would actually *know* about and
*want* additional ports are typically smart enough to operate some sort of firewall. It seems those who operate a firewall should be offered a
discount....  Hrm, I wonder how my ISP would react to that idea?  ROTFL,
I expect.

I suspect that a more *useful* service would be offering a "secure configuration" service --- at a "nominal fee" --- to users where the
ISP sets up a system to auto-update (e.g. windoze) patches, configure
firewalls, etc. Make the charge cost-defraying instead of a revenue source. That will keep the extra charges low. Don't charge the users extra to make a "firewall" out of their modems. If you call it "Package 2 -- Improved security! No extra charge!", the users will think they're putting one over
on the ISP and getting something for nothing.  They feel like they won, the
ISP gets to restrict the ports open to the net from many subscribers, and
those who know enough to be dangerous get to play with fire.

As usual, just my $0.02.

Charley

--
Charles Hamilton, PhD EIT               Faculty Fellow
Department of Civil and                 Phone: 949.824.3752
    Environmental Engineering           FAX:   949.824.2117
University of California, Irvine        Email: chamilto () uci edu
