On Jan 16, 2016, at 9:53 AM, Rich Kulawiec <r...@gsp.org> wrote: > On Sat, Jan 16, 2016 at 05:43:56AM -0800, Ca By wrote:
>> I see a great deal of folks on nanog clamoring to buy ddos gear. Packets >> are starting to become like spam email, where 90% are pure rubbish, and >> us good guys have to spend a lot of money and time sorting signal from >> noise. > > I've said this many times: abuse does not magically fall out of the sky. > It comes from hosts, on networks, run by people. It is time -- well > past time -- to hold those people *personally* acountable. > > Not doing so leaves us where we are today: millions -- heck, hundreds > of millions -- of dollars are being spent on defenses THAT WOULD NOT > BE NECESSARY if those people performed their jobs at a mere baseline > level of competence and diligence. Shared fate systems suck in some ways. But I disagree that “a mere baseline level of competence and diligence” is even close to what is required. Making the owner of the host responsible for an attack -personally- responsible would require every grandma & 6 year old to have insurance before buying a laptop or Xbox. And would bankrupt your favorite startup no matter how smart & competent the first time a zero-day caught them by surprise. Of course, forcing Uncle Bob to call his insurance carrier before buying a smartphone, and having San Hill Road take even greater risks when investing, and giving lawyers yet another vector for frivolous lawsuits, wouldn’t have the slightest effect on the global economy. On the other hand, that 100s of millions of dollars is a rounding error in the wealth & public good created by that same shared fate system. Overall, I think we’re doing well. Before anyone pounces on me, I hate spam, dos, etc. as much as anyone else. (You know how much personal, unpaid time I’ve put into fighting both, Rich.) If we can find the originators of these things, we should hang them by their thumbs and beat them senseless. We should do everything we can to make ISPs implement BCP38, get software vendors to QA better, and educate users to be less, well, idiotic. But I am also pragmatic. Life sucks, it is not fair. But the idea of making either grandma or the network engineer at an ISP or even the CEO of a hosting company personally responsible for things like zero-days or minor errors which can be exploited to the tune of greater than their personal wealth or even their corporate market cap is a recipe for bringing everything to a screeching halt. I kinda like the ride we’re on, bumps and all. Let’s not bring it to a screeching halt. -- TTFN, patrick
