I'll make a broad philosophical statement here.... Whee....

I think at the heart of our headache is that we're all technologists  
on this bus (with the exception of the lawyer, maybe).  So we see  
these as technological problems - you replace the strut, patch the  
code, whatever, and the system runs.  Conversely, what we're really  
dealing with here is the constant and creative adaptation of tech for  
newer and better bastardry.  I don't think the problem is fixable,  
it's controllable, maybe, through enforcement, policy, and a couple of  
other matters.  But it's never going to be "solvable".

So, the question - do cops give up because they can't fix crime?   
Because in the end, I think that's going to be what we're talking  
about, a perpetual constant barrage of low-level noise and crap that  
we will, at best, be able to make manageable so that a civilized  
internet can keep running.

Okay, enough head in the clouds blather.  I have code to cut.


On Oct 13, 2009, at 8:28 AM, Rich Kulawiec wrote:

> On Sun, Oct 11, 2009 at 10:29:05PM -0400, Larry Seltzer wrote:
>> Many of us have agreed that, for competitive reasons, it's not possible
>> for ISPs to lock infected users out of a network. I'd like to suggest a
>> crazy idea for your reaction: A law governing ISPs that sets rules for
>> these situations.
>
> I've long since given up on the idea of legal solutions to problems
> like these.  For starters, any such proposed law will be so hopelessly
> mangled by the lobbyists that the end product will end up looking nothing
> like the proposal; and given the immense power of the duopoly's lobbyists,
> at least in the US, I think they'd be all over this.
>
>       [ See "CAN-SPAM" for a canonical example of this process. ]
>
> But even if a law that those of us who are erudite enough to be here ;-)
> was enacted precisely as we wished, it would only cover this jurisdiction.
> And this is a global problem.
>
> And even if -- by fiat, let's say -- that same law was put in place
> globally, who would enforce it?   What organization has the expertise,
> the human resources, and everything else required to make it stick?
>
> I think the best available solution to this is blacklisting.  It achieves
> an immediate goal (preventing abuse/attacks from an obviously-infected
> system) and it pushes toward a longer-term goal (convincing those
> responsible for the system, that is, the former owner and the ISP, to
> isolate it/clean it up/fix it).  It can be done without legal action,
> since any of us are of course free to decline the privilege of network
> services to anyone we want.  It scales reasonably well.  It can be handled
> by multiple services with different criteria so that we have a choice
> of which to use, and so that those with, ummm, braindamaged criteria,
> will be recognized as such and largely ignored.  And -- as we have
> seen on several occasions -- when properly used, it can, ummm, persuade
> those responsible for poorly-managed operations to change their ways.
>
> To be clear: I *don't* like this at all.  I remember a time when
> people took pride in their operations and worked hard to make sure
> that they were good network neighbors.  When they screwed up, they
> fixed it and apologized, and then tried to learn how not to screw up
> that way again.  I would prefer that we go back to that ethic.  But
> that is absolutely not going to happen; there's far too much money
> to be made by a combination of (a) studied negligence and (b) passive
> or active cooperation with abusers.
>
> ---Rsk
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

Mike Collins
mcoll...@aleae.com


