Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)

[Rich Kulawiec <rsk () gsp org>]

On Sun, Oct 11, 2009 at 10:29:05PM -0400, Larry Seltzer wrote:
> Many of us have agreed that, for competitive reasons, it's not possible
> for ISPs to lock infected users out of a network. I'd like to suggest a
> crazy idea for your reaction: A law governing ISPs that sets rules for
> these situations. 

I've long since given up on the idea of legal solutions to problems
like these.  For starters, any such proposed law will be so hopelessly
mangled by the lobbyists that the end product will end up looking nothing
like the proposal; and given the immense power of the duopoloy's lobbyists,
at least in the US, I think they'd be all over this.

        [ See "CAN-SPAM" for a canonical example of this process. ]

But even if a law that those of us who erudite enough to be here ;-)
was enacted precisely as we wished, it would only cover this jurisdiction.
And this is a global problem.

And even if -- by fiat, let's say -- that same law was put in place
globally, who would enforce it?   What organization has the expertise,
the human resources, and everything else required to make it stick?

I think the best available solution to this is blacklisting.  It achieves
an immediate goal (preventing abuse/attacks from an obviously-infected
system) and it pushes toward a longer-term goal (convincing those
responsible for the system, that is, the former owner and the ISP, to
isolate it/clean it up/fix it).  It can be done without legal action,
since any of us are of course free to decline the privilege of network
services to anyone we want.  It scales reasonably well.  It can be handled
by multiple services with different criteria so that we have a choice
of which to use, and so that those with, ummm, braindamaged criteria,
will be recognized as such and largely ignored.  And -- as we have
seen on several occasions -- when properly used, it can, ummm, persuade
those responsible for poorly-managed operations to change their ways.

To be clear: I *don't* like this at all.  I remember a time when
people took pride in their operations and worked hard to make sure
that they were good network neighbors.  When they screwed up, they
fixed it and apologized, and then tried to learn how not to screw up
that way again.  I would prefer that we go back to that ethic.  But
that is absolutely not going to happen; there's far too much money
to be made by a combination of (a) studied negligence and (b) passive
or active cooperation with abusers.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.