funsec mailing list archives

RE: why Senator Stevens is right on Net Neutrality


From: Gadi Evron <ge () linuxbox org>
Date: Thu, 6 Jul 2006 05:59:36 -0500 (CDT)

On Thu, 6 Jul 2006, Larry Seltzer wrote:
> I'm going to agree with you, largely. It's important to look at this as a
> business issue and ask whose interests "neutrality" serves.

In my opinion it comes down to academic masturbation.

As I wrote in my blog (it's a blog, I don't have to edit myself!):

Net Neutrality is as silly as so-called Internet Governance

From the perspective of Internet security operations, here is what Net
Neutrality means to me.

I am not saying these issues aren't important, I am saying they are
basically arguing over the colour of bits and self-marginalizing
themselves.

For a while now I tried not to comment on the Net Neutrality non-issue,
much like I didn't comment much on the whole "owning the Internet by
owning the Domain Name System" thingie. Here goes anyway.

Two years ago I strongly advocated that consumer ISP's should block some
ports, either as incident response measures or as permanent security
measures.

On the one hand it would significantly help secure the Internet and its
usability, as well as protect millions. On the other, why should the ISP's
have the right to censor us? In this text I will discuss how Net Neutrality is
just a business approach, among many others that can and will be taken
whether by legislation or as a fact of life. I will discuss security as a
counter-example of why Net Neutrality is just hypocrisy and why it is
needed, even if it is inherently wrong. Why? Well, ever heard of botnets?

Blocking port 25 outgoing stops most spam of the day, but causes spam to
evolve (at least in a direction we want it to, for once).
Blocking port 445 stops many worms and exploits littering the Internet in
a non-stop thunder-storm.

The first would decrease spam from your network, the second would decrease
spam from your network. The first would stop it from being sent and in the
foreseeable future force spammers to use real compromised users rather
than fake ones, that can be blocked. The second would stop many users from
getting infected and compromised in the first place.

Ports change, threats change, blocking ports? That's almost a freedom of
speech violation (which we will discuss later). Who is the ISP to tell the
user what to use and what not to use?
Simple fact is, we are currently at global incident response stage and we
lost.

If the ISP's provide users who are most likely never to use anything more
than a web browser and some other basic clients with an easy way to get
un-blocked service, why is this a bad thing?

I met with deadly criticism from ISP's, yet several large ISP's
implemented such barriers. Why?

They did it for the business case which they were big enough to
notice. Paying abuse personnel just so that they can discontinue service
to clients... what kind of business is that? Stopping users from sending
spam and getting infected worked for them and saved them:
1. Abuse personnel pay-checks.
2. Tech support costs.
3. Bandwidth.

Still, most ISP's absolutely refused to consider it, as it would mean
spending on the users' security, which they are not:
1. Forced to do (law/regulation).
2. Get money to do.

The technical guys had a good case, too:
1. We are busy! Go away!
2. "Don't be the Internet's Firewall!" - what gives us the right to tell a
user what to say on his phone line?

The right? That's right. The Internet is not lanes on a highway or even a
market or whatever other analogy people may come up with. The Internet is
somewhat comparable to the sky or the ocean. A boat can travel it the same
as a fighter carrier. How the space is used and traveled is to be
determined by what's in that space already.
ISP's are not Sea or Air Ports, they are air corridors. They determine
which user goes when and where. They do not determine who the user is or
does.
As with any analogy, this one is flawed and a counter analogy can be found
for it immediately.

In the recent year I have heard more and more of Net Neutrality
legislation, where ISP's, who objected to protecting their users by just
blocking ports now ask to limit services and get paid for them. That isn't
new to me. My ISP limits my P2P speed considerably while I can otherwise
download freely, disconnects me occasionally or makes me use a dialer so
that they can monitor my usage. They just deny it when I ask them about
it.

It is all about the business.

What I do with my DSL line is my business, not theirs. The problem starts
when the ISP does not want to give me the said service, as it utilizes
more of the line I buy. It's a business concern. They over-sold under the
calculation I won't use what I buy.

Well, I have a few things to say about that:
1. If you limit what I do or make me pay for what I say in my phone line,
I will find a new provider.
2. You may as well also protect me from what travels that line to attack
me and steal my granny's life savings. It's a two-way street. Or is it?

Net Neutrality doesn't make technological sense, no matter how you present
it. It makes perfect business sense, the ISP's see an opportunity to save
costs and earn extra cash on what they are already supposed to sell. Maybe
that is alright, I am not sure... after all, if the industry is at a
serious loss, that should be solved somehow and indeed, the Internet
services just keep taking more and more bandwidth. That is not how this is
presented, though.

What I am sure about is that whichever way Net Neutrality goes, in the end
it won't matter much for the future of the Internet, even if it is
inherently wrong. Either we pay more money for the phone lines we have and
can say whatever we want on them, or we pay for specific languages that we
speak on our phone line. We may also end up being limited and not know it.

Wrong or not, and it is wrong, the Internet will move on and hey, just
remember, the Internet is far bigger than just the United States. Whoever
wants to get by these silly filters can. One problem this will present is
that Internet Development in the United States will become less friendly
and other countries may be preferable.

The security issues I discuss happen often, as another example, a few
months ago I had a similar discussion with ISP tech folks about a
different technology, now commonly referred to as the so-called "walled
garden approach". "Filter your bad users until they fix themselves and
help them do it online by sending them only to a support web site." or
similar.

I guess someone saw the business case, as suddenly I am
mainstream. Woohoo.

The Internet today reminds me of an Orwellian society where everybody is
happy, but underneath the surface it's all Big Brother, only that in the
case of the Internet everyone is happy, and regardless of Big Brother
everybody is also part of terrorist cells called botnets and a ton of
people lose their money, work and are constantly annoyed in their daily
life. Just below their critical annoyance level. It's all about fleas,
billions of them. But just a few for each person.

Zombies. Reasonable measures to stop the epidemic of millions on millions
of compromised computers, bank accounts, etc. are fair game. We need to
get past the black plague. That, however, does not bring money to ISP's,
therefore, we will keep talking about philosophically critical issues such
as Net Neutrality, which in the long run just don't matter as the business
case will win regardless, in other means if need be.

With approximately 2 billion dollars lost in phishing alone this year and
several Trojan horses (bots) installed on almost every computer on the
Internet (in numbers vs. amount of computers), the future Internet is
going to be very interesting indeed.

It seems to me though that the United States, whenever it comes to
Internet Governance issues, is self-marginalizing itself in every
turn. Why?

Net Neutrality isn't evil, it's silly to the point of ridiculous. It won't
really mean much in the long run though. In the short-term it is just
capitalistic America at it again.

Time to go read William Gibson again!

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.