In my experience it's never the people that find an exploit that end up causing the mayhem. If the flow of information from the exploit finders to the script kiddies could be stopped so would the majority of worms etc. I know this is old thinking but it seems like an easier option than firewalling off the Internet.

I recently read the "Changes to Functionality in Microsoft Windows XP Service Pack 2" and in it, it states that the Internet Connection Firewall will be turned on by default. Changes like this and Microsoft's long term commitment to security via their "Trustworthy Computing" initiative may make the problems that you are trying to solve a thing of the past.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7bd948d7-b791-40b6-8364-685b84158c78&displaylang=en
http://www.microsoft.com/mscorp/innovation/twc/twc_whitepaper.asp

The documents are MS Word format.

-----Original Message-----
From: Ewen McNeill [mailto:ewen(a)naos.co.nz]
Sent: Sunday, 1 February 2004 11:17 a.m.
To: nznog(a)list.waikato.ac.nz
Subject: [nznog] The Internet for n00bs

One of the things discussed at the (excellent, thanks everyone) NZNOG 2004 conference was that the Internet sucks, and that a large portion of this suckage is due to ignorant n00bs who do the wrong thing, get 0wned, etc.

It was suggested that the "only" fix to this problem was to kill the end to end Internet, making the "Internet" a core exchange network (a la telco style), and allowing users only access to a local proxy at their ISP for a very limited set of services. Aside from my objection that this won't help much except in the short term (plenty of protocols already tunnel around such firewall limitations -- eg, look at everything that's been tunneled through HTTP), this really sucks for the l33t who find it awfully restrictive.
An alternative approach to that type of thing is possibly just to heavily firewall -- at the ISP end of the link -- connections to all "potential n00b" users (SMTP to ISP mail server, POP/IMAP/HTTP/HTTPS to wherever and a few other common things) by default. And then provide an "opt out" system that anyone with a clue can use to disable the default firewalling. I would suggest:

    telnet ihaveaclue.$ISP

where you have to enter "My name is $NAME, and I have a clue" (with $NAME expanded, but otherwise literally). Possibly that setting could be sticky; possibly it would need to be done on each reconnection.[0]

The remaining aspect is that anyone who claimed to have a clue in this manner and then lets something on their connection get 0wned or otherwise abuses the privilege, (a) loses the ability to unblock themselves, and (b) gets their name published on a list of shame.

This could pretty much be implemented today by anyone with a firewall (or customer facing ACLs) which can be set on a per-customer basis. Various RAS boxes have this sort of facility already; at least one ISP I know of firewalls accounts that are overdue so they can reach the accounting website and that's about it.

The alternative seems to be that the clueful will just tunnel everything through whatever still works. Tunnelling through DNS requests is painful but doable; tunnelling through most other things is almost tolerably efficient by comparison. And I guess bandwidth is cheap enough now that we can cope with a 20-50% overhead due to tunnelling.[1]

Ewen

[0] Anyone who can't automate doing it on each reconnection doesn't have a clue.

[1] Still, it'll make the ATM tax look cheap.

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
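A small model of the per-customer default filter, the "I have a clue" opt-out and the revoke-on-abuse rule that Ewen sketches above. It is an added illustration, not code from either message or from any ISP; the mail server address and customer names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample values: the ISP's own SMTP relay (a TEST-NET-1 address)
# and the services a "potential n00b" may reach anywhere by default.
ISP_MAIL_SERVER = "192.0.2.25"
OPEN_PORTS = {110, 143, 80, 443}   # POP3, IMAP, HTTP, HTTPS to wherever


@dataclass
class Customer:
    name: str
    clueful: bool = False   # has opted out of the default filtering
    revoked: bool = False   # lost the right to opt out after getting 0wned


list_of_shame = []          # names published after an abuse report


def claim_clue(cust: Customer, phrase: str) -> bool:
    """Opt out only on the exact phrase with $NAME expanded.
    A revoked customer can no longer unblock themselves."""
    expected = f"My name is {cust.name}, and I have a clue"
    if cust.revoked or phrase != expected:
        return False
    cust.clueful = True
    return True


def report_abuse(cust: Customer) -> None:
    """Connection got 0wned or the privilege was abused:
    re-apply the default filter, bar future opt-outs, publish the name."""
    cust.clueful = False
    cust.revoked = True
    if cust.name not in list_of_shame:
        list_of_shame.append(cust.name)


def permit(cust: Customer, dst_ip: str, dst_port: int) -> bool:
    """Edge decision for one outbound connection from this customer."""
    if cust.clueful:
        return True                        # no per-customer filtering
    if dst_port == 25:
        return dst_ip == ISP_MAIL_SERVER   # SMTP only to the ISP relay
    return dst_port in OPEN_PORTS          # everything else dropped
```

Per-customer ACLs on a RAS box or edge router would be generated from the same three states; the decision function is what the ACL has to encode.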