On 20/02/06, Gadi Evron <ge@xxxxxxxxxxxx> wrote:

> Many ISPs who do care about issues such as worms, infected users
> "spreading the love", etc. simply do not have the man-power to handle
> all their infected users' population

By their own choice, might I add. Consumer-grade ISPs (which is what you are talking about) are forever trying to lower their subscription costs in order to attract new users, meaning that they have no choice but to cut operational costs. The first service to go is invariably the only one that doesn't generate revenue: the abuse desk. The end result is a huge botnet running free-wheel with nobody to clean it up because "Aunty Jane" doesn't know the first thing about computer security (wossat?) and is going to connect her shiny new unpatched XP machine to the 'Net without a firewall or an antivirus. Bang! 15 seconds later her machine is zombified.

> Is it the ISP's place to do this? Should the ISP do this? Does the ISP
> have a right to do this?

The ISP's rights are irrelevant to a certain extent. By that, I mean that they cease to exist at the point where they start infringing on the rights of *other* networks. Furthermore, some networks tend to forget that their use of the Internet is not a $deity-given right, but a privilege, and that it is subject to rules both written and unwritten.

If a consumer ISP starts flouting those rules and starts being a bad netizen (spewing spam and viruses, allowing infected machines to attempt ssh brute force attacks etc.) then the rest of the 'Net will shun that ISP, making it extremely difficult for the shunned ISP to deliver mail outside its own network or even, in some cases, access *any* port of a foreign machine.

It is therefore incumbent upon the ISP to "do the necessary" to ensure that its users have as full an Internet experience as possible and that they are welcome elsewhere. That means that the ISP *must* police its network. It isn't the ISP's right to do this, it's the ISP's *duty*.

> I respect the "don't be the Internet's firewall issue", not only for the
> sake of the cause but also because friends such as Steven Bellovin and
> others believe in them a lot more strongly than I do. Bigger issues such
> as the safety of the Internet exist now. That doesn't mean user rights
> are to be ignored, but certainly so shouldn't ours, especially if these
> are mostly unaffected?

The average "Aunty Jane" user isn't going to be running a mail server at home and wouldn't even notice if access to port 25 of machines other than her ISP's mail servers was blocked.

--
MA