Re: Schneier: ISPs should bear security burden

[Owen DeLong <owen () delong com>]

--On Wednesday, April 27, 2005 5:09 PM -0400 James Baldwin
<jbaldwin () antinode net> wrote:

> On 27 Apr 2005, at 06:07, Owen DeLong wrote:
>
> > ISPs transport packets.  That's what they do.  That's what most 
> > consumers
> > pay them to do.  I haven't actually seen a lot of consumers asking for
> > protected internet.  I've seen lots of marketing hype pushing it, but,
> > very little actual consumer demand.  Sure, the hype will probably 
> > generate
> > eventual demand, but, so far, it hasn't really.
>
> I'm not sure I agree with this statement. Our customers are retained
> based on our value added services, including protected internet
> initiatives, more than for the Internet service we provide. Internet
> service is becoming commoditized to the end user, with multiple choices
> at competitive pricing in many markets. Consumers within single provider
> markets might expect ISPs to only "transport" packets, however in multi
> vendor markets the ISPs are being chosen for offerings above and beyond
> network access.
Hey, if you've got customes willing to shell out for that, then more
power to you.  However, I'm not (and won't be) one of those customers.
I'm willing to take responsibility for protecting my systems and choosing
what traffic I do and don't want.  I don't want someone else doing it
for me.

I certainly don't want someone telling my ISP that they have to take that
choice away from me, and, finally, I _REALLY_ don't want to have to pay
more for internet service because other users are too stupid to properly
configure a firewall.

> This is becoming especially true for companies like AOL, which are
> attempting to move their value added services independently of their
> Internet access in anticipation of dropping profit margins on network
> access as well as an attempt to break into new single vendor markets.
> Moving packets is no longer enough for ISPs.
Yep... That's fine... I am not opposed to a market for such services, so
long as I can still buy actual internet connectivity and not some censored
watered-down garbage.  Further, I still think that such "value added" 
services are short-sighted.  It creates an arms race between the value
adds and the malware providers, destroying more and more functionality
in the name of better and better protection from worse and worse malware.
Eventually, you end up with things like the TSA and the war on drugs.
Problems don't get solved because you continue to attack the symptoms
instead of the causes.

> If customer retention is based on value added services then consumers are
> making market decisions based on more than network transit. I expect NSPs
> to transport packets. I expect ISPs to provide Internet services,
> including security services.
OK... Whatever... I guess I'm an NSP customer, then.  I don't draw a
distinction between NSPs and ISPs on the lines you do, and, telling ISPs
that they should all filter their end users connections still doesn't
sit well with me.  ISPs that want to offer that as an optional value added
service for a fee, I have no problem.

Owen
-- 
If it wasn't crypto-signed, it probably didn't come from me.

Attachment: _bin
Description: