[Asrg] Solving spam == Solving zombies/botnets

Douglas Otis dotis at mail-abuse.org
Tue Dec 2 13:43:05 PST 2008 

On Dec 2, 2008, at 8:36 AM, Gerald Klaas wrote:
>
> Sue the ISP?  Why would it be any easier for an ISP to determine  
> that Granny's PC is pwn3d than it is for the rest of us?  Why not  
> sue Granny?  (a la MPAA)

Only the ISP is able to fully monitor the network traffic of their  
customers.  It is not reasonable to expect ISP customers, or even  
third-party monitoring services, will be able to track this problem  
nearly as well.  The simple impediment to a solution is that ISP don't  
want to inform their customers that they are part of a bot-net.   
Customers are then likely to blame the ISP for having allowed bad  
actors access to their system, and will expect expensive support as a  
result.

ISPs need a financial incentive to deal with the bot-net issue, rather  
than their current incentive to ignore the problem.  If ISPs are to be  
held accountable for containing a bot-net plague, they should be  
allowed to impose additional fees whenever they detect a compromised  
customer.  Customers should be required to obtain bot-net insurance to  
defray the costs related to dealing with bot-net systems.  Insurance  
companies that competitively set a price for their service, will  
assess the risks based upon the vulnerability and serviceability of  
the infected OS being insured.  Of course, insurance companies have  
clearinghouses to rate repeat offenders.

In deed, OS vendors are guilty of contributing to the problem.   
Scrubbing compromised systems has been complicated by the snarled  
amalgam of application settings, library extensions dependent upon a  
plethora of data structures within each API, and an endless variety of  
exchanged active content.  When hardware vendors offer writable flash  
on motherboards, video cards, hard and DVD drives, once a system  
becomes compromised, it becomes extremely difficult to ensure malware  
does not remain hidden beneath some virtual device or file system.  
This situation could be seen as being analogous to SUV manufactures  
whose products consume too much fuel, are dangerous to drive, and that  
are too expensive repair.  Customers may eventually opt for cleaner,  
smaller, better organized, and ultimately much safer solutions.   
Prices charged by insurance companies may help consumers make informed  
decisions that are forced to consider the burden caused by unsafe  
products.  Any government regulation regarding consumer product  
security is likely to favor those vendors able to influence  
legislature, which seems unlikely to improve the situation.  It would  
seem that requiring bot-net insurance would offer the incentives  
needed for market driven solutions.

-Doug

More information about the Asrg mailing list