Mike-

> Should we hold the consumers responsible for their lack of tech knowhow when corporations with actual ITSEC departments get owned all the time or is that a total abrogation of responsibility from the people who are taking the money to provide the service or hardware?

So your position here is: Since corporate security folks can't catch everything, end users shouldn't be held responsible for doing anything themselves, and their ISPs should do it?

(Except isn't the ISP the corporate security folks you just said can't catch everything?)

On Sat, Jan 17, 2026 at 12:09 PM Mike Simpson <[email protected]> wrote:

> So where are they getting the malware from if not from their ISP?
>
> Should we hold the consumers responsible for their lack of tech knowhow when corporations with actual ITSEC departments get owned all the time or is that a total abrogation of responsibility from the people who are taking the money to provide the service or hardware?
>
> I think the “we aren’t responsible for anything that comes down the pipe to the end users because doing otherwise will cost $$$ and impact our revenue” is a stance that shouldn’t hold true anymore.
>
> I wonder how clearly you advertise the fact in your sales literature that a user needs to have more technical security knowhow or needs to care more than fortinet to safely connect to your network.
>
> That combined with all the reasons why having your users being infested is bad for you should make you want to do more about it. Being a diseased network spewing infection is surely seen as bad practice and “it’s the fault of the users and there is nothing we are willing to do to change that” shouldn’t be adequate.
>
> On 17 Jan 2026, at 16:26, Tom Beecher <[email protected]> wrote:
>
>> If you didn’t want your customers being infected then don’t serve them malware and then blame them for getting owned and it impacting on your network or your upstreams.
>
> ISPs aren't 'serving customers malware'. Come on.
>
> There is a shared responsibility here. ISPs need to take reasonable precautions to block bad, while also ensuring that users can use the access they provide in the ways they chose to do so.
> End users need to have a basic level of understanding that the 'naked' internet is a nasty place, and many network enabled devices are poorly designed, so having some level of network security is important.
>
> On Sat, Jan 17, 2026 at 9:23 AM Mike Simpson via NANOG <[email protected]> wrote:
>
>> Again tho.
>> What does it matter to the customer. It’s not impacting on their bottom line. They are used to fairly rubbish service for a huge multitude of reasons so their bandwidth being a bit slashdotted doesn’t matter to them. That’s why it’s a ddos.
>>
>> The only reason they got infected wasn’t their fault. It’s the fault of every company that believes that a eula is the end of their liability.
>>
>> If you didn’t want your customers being infected then don’t serve them malware and then blame them for getting owned and it impacting on your network or your upstreams.
>>
>> This is something that should have been sorted out after nimda but that wouldn’t have boosted shareholder value apparently.
>>
>> Your users aren’t aware that it’s not safe to plug stuff into the network you provide in the same way that they would expect a firewall not to get them owned or that a VPN device would be safe to use.
>>
>> -this is our fault, our failing, and we need to stop our knee jerk victim shaming and do better.
>>
>> > On 17 Jan 2026, at 12:49, Mel Beckman <[email protected]> wrote:
>> >
>> > Mike,
>> >
>> > I agree with you where ISPs choose insecure CPE and force their customers to use it. But in the case of AISURU, it’s not the CPE causing the problem, it’s the customer’s buggy android-based IoT.
>> >
>> > -mel
>> >
>> >> On Jan 17, 2026, at 4:16 AM, Mike Simpson <[email protected]> wrote:
>> >>
>> >> “immediately recognize any they own, which will drive home the point that this is their problem”
>> >>
>> >> That’s some grade A victim blaming bs there.
>> >>
>> >> “The rubbish CPE that we forced you to have is now owned and it’s upsetting our eyeballs only peering arrangements so you need to sort it out”
>> >>
>> >> ISPs are only not accountable legally for the content of the packets they transport. That doesn’t mean they are not responsible for the terrible routers they give out.
>> >>
>> >> Your customers in the main don’t care as they are used to flaky internet service. It’s the problem of the ISP as it only really impacts on them in an aggregated form so as that’s where the pain is, that’s who is “it” for solving it.
>> >>
>> >> -don’t hand out cheap pos un-updatable CPE or do (shareholder value/enshittification) and accept the consequences with good grace.
>> >>
>> >>>> On 17 Jan 2026, at 02:10, Mel Beckman via NANOG <[email protected]> wrote:
>> >>>
>> >>> immediately recognize any they own, which will drive home the point that this is their problem
>> _______________________________________________
>> NANOG mailing list
>> https://lists.nanog.org/archives/list/[email protected]/message/SAEZI4VPMBOHWTH267E5ZOFIIOREGHYO/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/OXBK2XY4DXKELLW2WY3HVLM3CNV5NBOH/
