Slashdot Mirror
ISP Restrictions Based on Hardware/Software?
An anonymous reader writes "IT Architect magazine is reporting that ISPs are working towards a greater restriction of a customer's right to run what may be 'insecure' software. From the article: 'A greater threat is that ISPs may try to restrict the customer's side by denying access to machines based on their hardware or software configuration. [...] former head of cybersecurity, White House terrorism advisor Richard Clarke even said it should be made mandatory to quarantine malware.' Something that may also come as a surprise to some is that Microsoft is completely against this censorship of internet access. 'According to Chief Privacy Officer Peter Cullen, Microsoft is against ISPs doing anything that would restrict customers' choice of software. And he says this isn't just about the impracticability of demanding that data centers patch everything on the second Tuesday of the month. Laptop and home users also have the right to run an insecure PC.'"
At the risk of pointing out the obvious, but - does it surprise anyone that the maker of the #1 target for malware writers is actively campagining against ISPs downthrottling infected users' PCs? I mean, if customers found out that Microsoft Windows = your ISP cuts down your rate, are people more or less likely to buy Windows? Their actions seems like obvious good buisness practice to me.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
What if the user is behind a SOHO router? It will be hard to figure out what the client's OS/version is. Try using www.grc.com and their ShieldsUp.
Anyways, this being the US, such practice will be considered discriminatory especially if poorer families cannot afford the latest M$ tax.
Of course Microsoft would object to this proposal. Any objective analysis (which the ISPs are certain to do) would put Windows high on the list of vulnerable systems. No matter how much Microsoft tries, it's always hard to configure a Windows system to be both secure and capable of easily running the software most users want to run without glitches. Putting a hardware firewall in front of it's just as bad from Microsoft's point of view: you're still telling users they have to spend more money and do more work to use Windows on the Internet. By contrast, many of the competing systems (Max OSX, *nix) are at low risk and would pass most security checks easily out of the box. No way does Microsoft want ISPs making it easier to put a Mac or a Linux box on the Internet than a Windows box.
Personally I don't care why Microsoft is against it - I'm sure they have their own agenda, but the enemy of my enemy is still my friend. If Microsoft are against it, it almost certainly won't happen - they have enough clout.
Anyway, such a law would be pandemonian, it would require international standards etc etc - it would never work...
1. It's impractical -
I can see how the White House might deal with this sort of restriction, but an ISP dealing with thousands of customers that don't WANT to cooperate - not to mention, there would be an absurd number of software and hardware iiterations, hacks, etc, all of which they'd have to deal with.
2. It's unfair -
I should be able to run the software I want on the hardware I want, as long as I'm not producing malware. A restriction on rights for security is inconsistent with democractic ideals, especially with the qualifier that the security doesn't necessarily protect rights.
http://www.TheGamerNation.com/Forums
I want on the OpenBSD-only ISP.
Trolling is a art,
It is becoming increasingly obvious that the large ISPs are out to put a strangle hold on the "Services" they deliver. There will be problems with VOIP caused by port restrictions, Others will stop offering basic services like nntp access. They have taken the view that the network is theirs and that they will dictate what is run over them with consumers being and endless cash cow that can be milked for access to "Premium" applications.
> Laptop and home users also have the right to run an insecure PC
Absolutely. But do they have the right to abuse the ISP's network by sending spam/DDoS attacks etc?
Run what you may on your PC, but if you are using the network infrastructure owned and maintained by your ISP, you have to adhere to their Terms of Service, and they should have the right to enforce those terms of service.
If you don't like your ISP's TOS, find a different one. But don't confuse you right to run an insure PC with your right to abuse your ISP's network -- you do not have the latter.
Yes, but do they have the right to run an insecure PC connected to the Internet? When their insecure PC, if it gets 0wned, is going to have adverse consequences for others on the Internet?
An analogy: I have the right to drive a car that fails safety inspection - on my own land. I do not have the right to drive it on the public roads, where it can endanger others. (Of course, this analogy breaks down, because the government mandates the safety inspection, and the government owns the roads, and in the Internet case, it's not the government that mandates the safe PC, but rather the ISP... and the ISP owns the "road" that I'm putting the unsafe PC on, or at least the road I use to access it... hmm, maybe the analogy isn't that bad.)
Depending on your definitions, banning malware could mean banning Windows!
Or if the RIAA/MPAA have their way: P2P traffic. Be careful what you wish for.
Trolling is a art,
While true, I really doubt ISPs are going to start blocking Windows users from accessing the Internet. Not only because they'd be blocking somewhere between most and all of their customers (Why yes, we'll sell you Internet access, we just won't let you use it.), but I've also encountered a lot of ISPs that would get really freaked out (for no good reason) if they heard you planned on connecting with anything but a Windows PC.
Remember RFC 873!
In the real world, restrictions like this will be used to keep people from running Linux (or *BSD, or anything but Windows).
Mod me down, but you know it's true. They'll say that GNU/Linux systems are not "trusted" (as in "Trusted Computing"), and that will be that. Only niche geek-friendly ISPs like Speakeasy will continue welcome *nix users.
With spending like this, exactly what are "conservatives" conserving?
That'll actually not work for most ISPs. If you call my ISP (Cox Cable) for a new installation these days, the installer will show up with a home router/firewall along with the modem. You have to ask to get a direct computer-modem hookup, or do the installation yourself. Windows-only access agents don't play well with that setup. Cox went with it, BTW, because it's cheaper and easier for them to manage the firewall and router than it is to keep dealing with malware/virus-related support calls from clueless Windows users.
Side #1: Microsoft is terrified of this because it will set a precedent whereby an ISP will be able to cut people off based on the ISP's view of their software configuration. So, ISPs will be able to threaten to kick Microsoft in the balls unless they get favorable treatment (RE: cheaper prices), and home users will be able to demand that tainted machines get knocked off the web until they're fixed (which will mostly affect MICROSOFT). Microsoft, God bless 'em, is naturally against the whole thing.
;)
Side #2: The TRUE result of this will be that lazy ISPs (read: most ISPs) will just lock out anything that doesn't match some piece of shit filter they put in place. So, a fully patched Microsoft or Apple box will probably be able to connect, but my Slackware box will NOT. And when I call tech support, the retard who takes my call will say "SlackWHAT? You can't run that on our network, for, uh... SECURITY reasons. Why don'cha run Winders like everyone else?" And I will be forced to resort to cruel, mocking language, upsetting his supervisor and getting me absolutely NOWHERE.
So, naturally, I'm against this bullshit too.
Farewell! It's been a fine buncha years!
The other concern Microsoft may well have is that if you can only run "approved" OS' on the Internet, it will kill their beta programs and may well make it harder to roll out service packs. After all, it changes the version ID, so won't be an "approved" OS any more. If nobody patches their system, for fear of being disconnected from the Internet, it will be Microsoft that suffers.
What about Linux users? Well, there's always the IP Personality patch. This disguises your OS, so that common methods of fingerprinting your computer will return the OS identity that you choose. You can always make a Linux box look like Windows XP or whatever.
That's probably another concern of Microsoft. Linux distributions can be easily modified to fool such restrictions and existing Linux users will likely install the necessary patches. This could make Linux more attractive to the Walmarts of the world (fewer customer complaints) and also to corporations (no risk of unexpected downtime, due to ISPs not keeping up).
I'm all for these restrictions, because they don't apply to Open Source software - masquerading as other software is already quite standard. Only closed-source vendors and closed-minded customers have anything to be scared of, and I've no problem with them being scared silly by Homeland Security.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
...blah blah blah, of course Microsoft is against it blah blah blah...
But this IS a horrible practice? Restricting people's internet access based on their computer? Does anyone see what is wrong with this or are you all going to complain about MS?
One line blog. I hear that they're called Twitters now.
verizon wireless is already doing this over their unlimited broadband 500kbps wireless data plan for 60 bucks a month restricts the user from ANY large upload or downloads. here, this quoted from verizon's website.
PROPER USES:
"Unlimited NationalAccess/BroadbandAccess:
Subject to VZAccess Acceptable Use Policy, available on www.verizonwireless.com. NationalAccess and BroadbandAccess data sessions may be used with wireless devices for the following purposes: (i) Internet browsing; (ii) email; and (iii) intranet access (including access to corporate intranets, email and individual productivity applications like customer relationship management, sales force and field service automation).
SUCH USE DESCRIBED BELOW WOULD BE SUBJECT TO TERMINATION OF SERVICE CONTRACT
Unlimited NationalAccess/BroadbandAccess services cannot be used (1) for uploading, downloading or streaming of movies, music or games, (2) with server devices or with host computer applications, including, but not limited to, Web camera posts or broadcasts, automatic data feeds, Voice over IP (VoIP), automated machine-to-machine connections, or peer-to-peer (P2P) file sharing, or (3) as a substitute or backup for private lines or dedicated data connections."
I remember one ISP which required every ADSL connection to be installed by a technician. The tech also would only sign the activation form if he had personally done and verified the configuration of a Windows PC. (This was well before the current malware flood.)
One of my friends had to dig up a spare PC running Windows just for this purpose.
The Hacker's Guide To The Kernel: Don't panic()!
Quarantined connections are a very, very good thing. Corporate networks already do this -- there is, if I recall, a Cisco client which enforces router rules based on the security software installed on the PC. Windows RRAS can enforce a quarantine network based on whether or not the connecting machines are patched up-to-date. Captive portal software allows only authenticated users to connect to the greater network -- same with VPN tunnels.
All of these things work in a very good, and non-censoring way: they require the user connecting to the network, to take certain "safe computing" steps. Requiring virus/spyware protection is overkill (I for one have never run spyware or virus protection, and have only had one spyware infection that required a reformat and two viruses -- in 11 years of being connected to networks unprotected. All of those infections were 3+ years ago.) but requiring that computer users, say, don't broadcast worm packets and don't have unpatched security holes, is a very good thing.
It's one thing for the ISP to shut off people for downloading certain types of content, it's another if the user is abusing the network resources. Similar to, a phone company won't cut your line for calling people they might not agree with the opinions of -- but if you, say, wardial your entire neighborhood on a daily basis, they have some recourse against you.
Overall, the ISP restricting access to its network to people who aren't infected and are secure, is only a good thing -- on every possible front. And, from the stand point that Windows updates generally are denied to people using pirate copies, it will reduce software piracy rates as well. There's no excuse for people to still be broadcasting the Sasser worm, other than the fact that it isn't worth their time to fix it. This will make it worth their time, to no longer be a deliberate nuisance to everyone else.
The ISP's first responsibility is IP egress filtering. The ISP must validate the outgoing source IP address of each packet. This at least prevents the most annoying types of denial of service attacks. Most competent ISPs do this now, although some of the cable guys are weak in this area.
The ISP's second responsibility is outgoing mail rate limiting. That's enough to slow down zombie-based spam. If the outgoing mail rate exceeds some reasonable threshold, the user should get a phone call, even if the phone call is automatically generated.
The ISP's third responsibility is incoming mail spam filtering. This should include virus filtering.
Incidentally, ISPs which block outgoing TCP ports should return an ICMP message (type Destination Unreachable, code Communication Administratively Prohibited). At least then you know what's going on, and who's doing the filtering.
As an admin for an ISP, I can safely say that Microsoft Windows users are safe from descrimination by us. As the parent mentioned, 99.9% of our users are running Windows. The problem arises when customers want to run some super-wiz-bang email client and expect the ISP to support it.
Spend an hour on the phone with someone trying to explain that you're not blocking their access to email but that you just don't know how to configure their software. This goes for almost any software that accesses the internet. I've been asked to troubleshoot problems with p2p apps, instant messaging clients, firewalls, spyware scanners, obscure Linux distros, outdated software (windows 3.1), and microwaves (yes, I've talked a customer through setting the time on their microwave...I was bored)
I actually had a conversation with my brother tonight about this very topic. Technology is so easy to obtain, everyone thinks they're qualified to use it. My broadband customers frequently plug their gateway into the lan side of their router (at least two users per day.) Of course, it's my fault that they didn't (can't) follow the picture-book instructions. Personally, I'd like to see the good-old-days return, when computer users knew how to use their computers. The days when calling tech-support was a last resort are long gone....people now call tech support in order to turn their computer on.
"Lame" - Galaxar
"Um, yea - I need root access to your laptop..."
;-)
No, you may leave now.
I've been around the military for 20 years now plus some time outside the military. I've moved over 20 times, and I don't play well with people like that at all.
After moving to Germany, my local ISP got upset at me when I told them I would be using a router and I didn't need them to help me setup my access. They wanted me to open the router up to them (remote access) and give them the password so they could do some technical stuff. After prodding a little they threw technobabble at me (MTU, DNS - you know sir, technical stuff) and I said, "Well, opening the router up to you may expose my internal network of over 5 servers, 2 workstations and Cisco equipment to the internet. If you want access, you'll need to proove what you're doing by telling me how to open up a Cisco router for you." They tried to tell me to open my browser and go to 192.168.... "Nope, I said Cisco, not Linksys..."
They shut up and I haven't heard from them since.
Of course, now my wife is demanding that I get rid of the "portable heaters that hum all night in the office". I'll tell her their gone and just relocate them to the basement
That depends entirely on how you can tell. If the method is your silly Cisco router which checks for this or that piece of Windoze shit, it sucks. If the method is detecting obvious spam and worm broadcasting signatures, great. Detecting spammbots is getting tricker all the time because the spammers are smart enough to not want damage the user's performance enough for the user to want to fix the computer. ISPs have been turning off blatantly broken computers for a while and it is a very good thing.
Windows updates generally are denied to people using pirate copies, it will reduce software piracy rates as well.
How do you equate the two without advocating some really stupid and lazy method of punishing people for not having whatever Bill Gates wants you to have right now? A check which provides that kind of solution will outlaw all the software that's actually secure.
Friends don't help friends install M$ junk.