In message
To be fair though, in mentioning an opt-out system I was thinking of clueful users deliberately running their own servers that would notice within minutes that port 25 had been blocked - not the SMTP AUTH crowd which may be significantly less clued up and not notice why their previously working "Email Thingy" isn't working anymore.
The clueful users can always build tunnels and route stuff through the tunnels. I do this from my laptop when working in various organisations where I still want to send mail via my own mail server (because, eg, it's the only one listed in the SPF rules).

SMTP AUTH is harder, but at least as a first cut simply permitting connections that did SMTP AUTH would probably select for the "good" connections and ignore the bad ones. Much the same for STARTTLS -- anything using that is probably not malware, at least at present. Most malware barely manages to interoperate with SMTP servers let alone actually supporting "fancy" features.

As I've suggested before blocking some of these services by default, and providing an "enable this service again" automatic system for clueful users would be nearly as useful as trying to do layer-7 filtering on the protocol. It could even require turning on again with every reconnection, totally doing away with the need for the ISP to store anything associating permissions with the user. (Anyone who can't automate a GET of, eg, http://ihaveaclue.$ISP/enable?services=smtp or similar on reconnect doesn't have the necessary clue.)

On a related tack, I am seriously considering writing to the appropriate government ministers and suggesting that, as part of their proposed anti-spam legislation, a legal duty be placed on people not to connect/allow to remain connected an insecure/0wned/infected system under their control. With the first breach resulting in mandatory disconnection of the system from the network, not to be reconnected until person had completed a course on "network security" and had their machine certified "cleaned up" by someone appropriate. Subsequent breaches resulting in that and fines and/or longer periods of mandatory disconnection.

IMHO such insecure/0wned/infected systems are a nuisance (in the legal sense of the word) and thus the owners of them should be responsible for the damage they cause.

Ewen
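The first-cut filter and the per-reconnection opt-in described in the message above, sketched as an added example that is not part of the original thread. The class and function names, the comma-separated `services` value, and the sample sessions are assumptions made for illustration.

```python
from urllib.parse import parse_qs

KNOWN_SERVICES = {"smtp"}  # services blocked by default (assumed list)

class Connection:
    """One subscriber connection. A reconnect creates a fresh object,
    so no opt-in is ever stored against the user."""
    def __init__(self):
        self.enabled = set()

    def handle_enable(self, query):
        """Process the query string of the opt-in GET, e.g. 'services=smtp'."""
        for value in parse_qs(query).get("services", []):
            for name in value.split(","):
                name = name.strip().lower()
                if name in KNOWN_SERVICES:
                    self.enabled.add(name)
        return sorted(self.enabled)

def used_auth_or_tls(client_commands):
    """True if the client sent STARTTLS or AUTH before its first MAIL command."""
    for line in client_commands:
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        if verb in ("STARTTLS", "AUTH"):
            return True
        if verb == "MAIL":
            # 'MAIL FROM:<..> AUTH=<>' is a parameter, not a login.
            return False
    return False

def decide(conn, client_commands):
    """Port 25 policy: opt-in wins, then the AUTH/STARTTLS first cut, else block."""
    if "smtp" in conn.enabled:
        return "allow: opted in"
    if used_auth_or_tls(client_commands):
        return "allow: auth/tls"
    return "block"

# Constructed sample sessions (client side only).
DIRECT = ["HELO pc", "MAIL FROM:<a@example.com> AUTH=<>",
          "RCPT TO:<b@example.net>", "DATA"]
SUBMIT = ["EHLO laptop.example.org", "STARTTLS"]
```

After STARTTLS the filter can see nothing further in the session, so the decision has to be made on that single command, which is why the heuristic only holds while malware does not bother with it.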
Ewen McNeill wrote:
On a related tack, I am seriously considering writing to the appropriate government ministers and suggesting that, as part of their proposed anti-spam legislation, a legal duty be placed on people not to connect/allow to remain connected an insecure/0wned/infected system under their control. With the first breach resulting in mandatory disconnection of the system from the network, not to be reconnected until person had completed a course on "network security" and had their machine certified "cleaned up" by someone appropriate. Subsequent breaches resulting in that and fines and/or longer periods of mandatory disconnection.
IMHO such insecure/0wned/infected systems are a nuisance (in the legal sense of the word) and thus the owners of them should be responsible for the damage they cause.
Ah yes, like my old idea of the Internet User's License, with enforced education and third party insurance?

The problem is, there are and will be certain situations where even clued up users cannot patch machines quickly enough, or vendors are tardy bringing patches out.

Given the sizes of the current zombie armies however, I'm sure a revenue hungry government would listen to you. "Better than speed cameras!" they'll go.

-- Juha
On Thu, Jun 10, 2004 at 04:58:31PM +1200, Ewen McNeill wrote:
On a related tack, I am seriously considering writing to the appropriate government ministers and suggesting that, as part of their proposed anti-spam legislation, a legal duty be placed on people not to connect/allow to remain connected an insecure/0wned/infected system under their control. With the first breach resulting in mandatory disconnection of the system from the network, not to be reconnected until person had completed a course on "network security" and had their machine certified "cleaned up" by someone appropriate. Subsequent breaches resulting in that and fines and/or longer periods of mandatory disconnection.
Unlike vehicles, access to the internet for most people is not via a "public road". A WOF/license for driving the internet just seems like needless legislation. ISPs already have the power to regulate users this way via their TOS. It's clear though that all ISPs would have to subscribe to the above for it to have long-term effect.

Nicholas
-----Original Message-----
From: Ewen McNeill [mailto:ewen(a)naos.co.nz]
Sent: Thursday, 10 June 2004 4:59 p.m.
To: neil gardner
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] Zombies
On a related tack, I am seriously considering writing to the appropriate government ministers and suggesting that, as part of their proposed anti-spam legislation, a legal duty be placed on people not to connect/allow to remain connected an insecure/0wned/infected system under their control. With the first breach resulting in mandatory disconnection of the system from the network, not to be reconnected until person had completed a course on "network security" and had their machine certified "cleaned up" by someone appropriate. Subsequent breaches resulting in that and fines and/or longer periods of mandatory disconnection.
IMHO such insecure/0wned/infected systems are a nuisance (in the legal sense of the word) and thus the owners of them should be responsible for the damage they cause.
Interestingly that exact issue was discussed today at an InternetNZ Spam Taskforce Meeting. The Government discussion paper asked about what liability there should be for different parties such as vendors, senders, harvesters, ISPs and Telcos.

The discussion highlighted that many NZers are unwitting senders of spam through zombie machines, and discussed whether they should be liable. There was a variety of views and some interesting analogies to liability for an unmaintained car that causes an accident.

At the Spam Legislation Workshop on the 24th June, I expect this issue to be discussed also.

DPF
participants (4)
- David Farrar
- Ewen McNeill
- Juha Saarinen
- Nicholas Lee