[Dshield] Possible solution for ISP (was DShield's public goals)

Laura Vance vancel at winfreeacademy.com
Fri Jan 13 17:49:54 GMT 2006

Then we will discuss. :)

The specific operating systems will become irrelevant to the ISP, 
because they will not have to support the cleaning or disinfecting of 
the machine.  That would be done by a 3rd party that has been certified 
as ok to do so by the ISP group.  This could also remove all tech 
support issues that arise from anything other than connection-specific 
issues.  If a user has a problem that doesn't deal directly with their 
connection to the Internet, the support would go to one of these 3rd 
party companies (Best Buy, CompUSA, Geeks on Call, Joe's Linux Computer 
Repair, Ma's Mac Shop, etc).  Half of the time, the ISP will tell the 
user to reinstall their OS anyway when there is a more serious problem 
than resetting a configuration tool, so these companies being part of 
the list of companies allowed to certify the user/machine could be a 
simple process.  Do they know how to install/update a virus scanner?  Do 
they know how to check settings?  Do they know how to reinstall an OS?  
If they can do those things, they would be allowed to certify that users 
are ready to go back online... and possibly even remove them from the 
"bad" list if the ISPs don't want that responsibility.

The idea that one individual or one organization has to keep up with the 
list is a little off the mark with what I'm thinking.  My idea is that 
it's a real-time system that all participants can update the 
information.  The only centralized administration would be adding and 
removing logins (ISPs and repair companies).  If user X gets booted 
from ISP Y, then he tries to connect to ISP Z.... ISP Z will see that he 
was booted and let him know how to get off the list (restating what ISP 
Y should've already told him).  User X then does what is necessary 
(Geeks on Call, whatever), then decides that he wants to go with ISP 
A... ISP A will check and see that he's OK now and he gets signed up.... 
all real-time... all up to the user.  If Geeks on Call doesn't update 
his record from "bad" to "educated", then it's user X's responsibility 
to call Geeks on Call and tell them to update his record.  The data will 
only get stale if the user allows it to get stale.  Unlike the credit 
reporting agency or the TSA, it doesn't take forms in triplicate to 8 
different agencies to get taken off the list... the company that fixed 
user X can adjust his status in the database immediately.... very likely 
before user X leaves the shop... or the Geek on call can log in with 
their handheld and update the list... or call the office and have 
someone there do it.  In case you're wondering, only authorized users will 
have a login to the system, and that login security would be tight.

The reason that a central database would be good is because it would 
prevent a situation where ISP A really wants to keep their users secure 
and allow full access both inbound and outbound, so they limit access to 
infected machines.  Several people have already brought up the case 
where the user that was limited will just go to a different ISP that 
doesn't care.  If there were a centralized system, users would be less 
able to jump from ISP to ISP without cleaning their computer.  You could 
almost compare it to the licensing system that was mentioned earlier, 
but instead of fishing license comparison, compare it to drivers 
license.  If you do enough bad, your license is revoked.  If you move to 
a different city/county/state/country, your record follows you, so 
likely will not get a license.  Again, the TSA tries to foretell evil, 
this only bases on actual activity.  DMVs don't deny you a license 
because you *might* hit a school bus, just like this one will not deny 
you ISP access because you *might* get infected.  The TSA comparison is 
completely invalid, because the TSA system is preventive, this one is 
not.  It doesn't try to magically figure out if you're going to get 
infected, it waits until you do.  The TSA cannot wait until someone 
bombs an airplane, the system that I'm talking about has the luxury of 
waiting for evidence in the form of activity logs before they are put on 
the list.  The only thing that's the same about this system and the TSA 
system is that they are both computer systems that track people... other 
than that, they are completely different.  There are millions of 
computer systems that track people, but almost none of them are like the 
TSA system.

ed.truitt at etee2k.net wrote:

>Maybe, the reason we are bringing up statements you feel have already been
>addressed is that we (some of us, anyway) aren't sure they have been
>
>Actually, I think that some of us (at least one of us) aren't yet convinced
>this is an idea we should be cultivating (I presume you mean "promoting it",
>but I might be mistaken there.)  I see too many problems implementing this in
>the real world (in which ISPs don't have the resources necessary to properly
>manage their operations as they now stand, and in which this would be an easy
>"cop out".)  I simply see too many possible problems with the proposal as I
>understand it, and I see a high probability that the ISPs would implement it
>in such a manner as to minimize their own costs (for example:  only Windows
>machines would be allowed - OK, maybe Macs, but Linux and other non-MS
>operating systems would be strictly verboten, and forget about running
>software they don't "support".)
>
>There certainly could be some benefit to ISPs in limiting access to machines
>that appear to be infected (as per Cefiar's suggestion), but I think they
>could do this without a "Do Not Let Surf" TSA watch list-style database (and
>all the extra administrative overhead that would entail -- because SOMEONE has
>to vet the data, or else it becomes stale and unreliable.)  Maybe something
>like the ORDB could be adopted, but again I would counsel caution, as it would
>be too easy to null route "bad" users forever, which would again defeat the
>purpose of the system.
>
>Quoting Laura Vance <vancel at winfreeacademy.com>:
>>The basic idea is very flexible, but it seems that all you are trying to
>>do is dismiss it or shoot it down with statements that have already been
>>addressed.  If you spent the same effort helping to cultivate the idea
>>it would become a better system that could have ISPs jumping onboard.

Laura Vance
Systems Engineer
Winfree Academy Charter Schools
6221 Riverside Dr. Suite 110
Irving, Tx  75039
Web: www.winfreeacademy.com
