> While I might support this on first blush, there is the possibility of
> unintended consequence to be considered.

It might be a case of needing to provide a service that suits different users. There are at least 3 broad classes of users on the Internet, which are (roughly):

1. The basic Internet user - limited technical expertise, only interested in being an end user. Most would fall into this category.

2. The hobbyist/students - varying levels of expertise. Many are able to manage their own security, with a bit of instruction, and most would be able to install patches, if directed to them and provided with instructions.

3. IT professionals (when not at work - to distinguish from actual corporate networks :) ) - most should (one might argue, in the light of recent events) be able to keep their systems relatively safe and also respond to any alerts, or even proactively take countermeasures.

The skill sets of the groups will overlap somewhat. Anyway, my point is that the needs of the first group are somewhat different to those of the others. The first group, in addition to a basic service, also needs additional protection from Internet threats, such as port blocking. This group is unlikely to want to host their own servers, so blocking connections to the relevant ports on their machines is likely to have little, if any, negative impact.

With the latter two groups, unnecessary port blocking and restrictive AUPs are likely to be an impediment to what these people want to do. Usually the hobbyist comes off worst with restrictive AUPs, as they want to run the odd web server on their machine. SMTP is popular here as well. These people will be dissatisfied with a "client only" Internet service.

Maybe the answer for the ISP is to assume every (home) customer is in the first (non-technical) group, unless they can demonstrate otherwise. Such demonstration might involve a workshop or submission of appropriate evidence.
The ISP need not be directly involved in running these workshops. All that matters to them is the evidence of some level of basic competency in managing a PC's security (i.e. awareness that viruses and worms exist, installing patches and antivirus software, understanding advisories so they don't panic if the ISP informs them of a problem, etc.). Sounds a little over the top, but with the increasing risks on the Internet, something will have to be done.

An analogy: cars can be dangerous in the wrong hands. As a result, almost all countries require drivers to submit evidence of a basic level of competency (i.e. by undergoing a driving test and possibly a written test on road laws) before issuing their licence. That licence is the evidence of their (basic) competency that is accepted by law enforcement authorities. Those who don't have a licence to drive are still free to be a passenger or take public transport, if it's available.

It's a similar situation with my hobby of ham radio. I'm licenced by my government to build and operate transmitters, and conduct experiments on the ham bands. Those without these qualifications are not allowed to build or modify radio equipment, but instead must use type-approved radios and are restricted to very specific services (e.g. CB radio, mobile phones, wireless gadgets, wireless networking) on specific frequency bands over which the end user has little (selection of a few channels) or no control (fixed frequency or automatic frequency control, as in the case of mobile phones).

Perhaps the same will happen with the Internet - that only a basic form of Internet connection will be provided, unless the user can demonstrate a basic level of security proficiency. Who's responsible in this scenario?
Obviously, the ISP would assume a higher level of responsibility (but it can't be 100%, due to the nature of security issues), except where the user is accredited as detailed above, in which case the responsibility is on the user to manage their security issues.

Just my $0.02 worth, hope it makes sense.

P.S. Dunno if I like the idea or not, but I see it happening down the track.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Sep 27 2001 - 16:40:54 PDT