funsec mailing list archives

Re: I would like to be the first to welcome our new masters...


From: Rich Kulawiec <rsk () gsp org>
Date: Fri, 14 May 2010 10:05:18 -0400

On Fri, May 14, 2010 at 09:27:18AM -0400, Valdis.Kletnieks () vt edu wrote:
> Except that by and large, it isn't the service providers that have the
> security issues. How about we put certifications where they *matter*:
>
> 1) Certify the security of *customers* and *web hosting* companies.
>
> 2) Certify the provider's ability/willingness to *cut off abusive customers*.

+2.

One of the points that seems to repeatedly escape many (but not of course
those august luminaries gathered *here* ;-) ) is that attacks and abuse
do not magically fall out of the sky: they originate on *somebody's*
network, on *somebody's* host.  Whether that's the result of hostile
intent or a mistake or an intrusion or anything else is difficult to
distinguish except by extensive post-mortem analysis on the originating
site -- and this is rarely done by independent third parties.  But
whatever the underlying reason, the operational impact is the same.

One of our major failures has been not holding people responsible for
that impact.  We have not displayed the necessary collective will to
deny privileges to abuse/attack-sourcing operations, and as a result,
they have no motivation to do anything about the situation.  (Well,
that's not quite true: if they're being well-paid to facilitate this
impact, then they're highly motivated to facilitate more of it.)

In my own area of expertise, as I've pointed out many times, we have held
the solution for most of the spam problem in our hands for many years.
We just don't have the guts to use it, which is in part why we fully
deserve the ensuing misery.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

