more on FTC to alert ISPs to zombies

[David Farber <dave () farber net>]

Begin forwarded message:

From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: July 20, 2005 1:38:13 PM EDT
To: David Farber <dave () farber net>
Subject: Re: Fwd: [IP] FTC to alert ISPs to zombies


I received the following query:

> Maybe he can elaborate a little on the abuse he mentions, I don't know
> what he is referring too.
Any time a government agency starts telling ISPs which of their
customers are misbehaving, I worry.  We can all agree about certain
forms of illegal behavior -- worms, for example -- but there are greyer
areas.  For example, on occasion I've been known to run security scans
from my house against a machine I personally own.  That's legal, in the
sense that it's authorized by the owner of the machine, but no IDS is
going to know that.  But for consumer ISPs, it's often easier to pull
the plug than to investigate.

More seriously, I'm concerned any time a government agency starts
reporting or otherwise taking action on legal forms of "speech".  The
usual phrase is a "chilling effect" -- will my ISP feel it has to go
overboard to avoid getting notices (with the implied threat of
regulation) from the FTC?  To be concrete, how about IRC?  It's very
well known in the Internet security community that many botnets are
controlled via IRC.  Does that mean that an ISP should block all IRC
traffic?  Is that the easiest way to avoid such notices?  IRC is, of
course, a very legitimate way to engage in conversations.

        --Steven M. Bellovin, http://www.cs.columbia.edu/~smb




-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/