Re: Nimda et.al. versus ISP responsibility

[Brian Cervenka <brian () zerobelow org>]

I really think we need to have two classes of internet service. One for
technically savvy users, and one for my grandfather, and the millions of
users like him.

Most ISPs already offer this differentiation of service as a "personal"
account vs. a "business" account. There is a cost difference between them,
as there should be. The "personal" internet accounts should have somewhat
severe limits put onto them, such that they can not run servers, etc. The
business class accounts should not have the limits, or if they have the
limits by default, the ISP should allow the user to fill out a form or
check a box at signup which removes those limits. The AUP for many ISPs
(cable for example) states that a residential user is not allowed to run a
server -- so the legal issues of this are in place already.

While many users have the need to run their own servers, from what I hear,
the vast majority of CR and Nimda hosts are people who don't know they are
running a service -- such limitation would be a boon to those people.

Some ISPs actually have an option where they will install (and manage?)
some level of firewall service for their users. This is the way it should
be done.




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com