<p>I think you have to quarantine the entire connection, at least until v6 becomes the default and you get to look behind the gateway. </p>
<p>I'd like to talk about regular servicing meaning that tread problems are predictable, whereas infection is not, but I think that analogy has finally shuffled off to rhetorical device heaven. </p>
<p>We could ask an AV Vendor to provide useful stats on AV efficacy but I suspect it might undermine their marketing. In the last year I've seen a nonrepresentative sample of people get done while their security subscriptions are valid. (Hi mum!) </p>
<p>Sorry for the top replies. Anything else is too hard on a phone. </p>
<div class="gmail_quote">On Jun 18, 2012 8:27 AM, "Mark Andrews" <<a href="mailto:marka@isc.org">marka@isc.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
In message <CALxh8x88V+KmZYayyNETKuwy977MFQcP=TqYz-rsaXRJKZuv=g@mail.gmail.com><br>
, Roland Chan writes:<br>
> I'd go further than that. The analogy is flawed in many ways, but the<br>
> 2 most salient are:<br>
><br>
> - Roadworthiness is not an implicit part of owning a car (at least not<br>
> one that's driven on public roads). It's an explicit requirement of<br>
> operating a vehicle mandated by law. No such corresponding thing<br>
> exists for computers, and given the current state of technology I<br>
> believe it would impossible to define and enforce.<br>
> - Roadworthiness is the ability of the vehicle to perform when<br>
> operated lawfully, and says nothing about the ability of the vehicle<br>
> to perform when under attack or used as a weapon. Up to date security<br>
> measures on a computer do not provide anywhere near as much confidence<br>
> about the protection from compromise as a roadworthiness certificate<br>
> does for mechanical reliability of a car.<br>
<br>
This is more like, you have been pulled over for bald tires. There<br>
are obvious signs that you are infected and you are being pulled<br>
off the net for everyone else's safety.<br>
<br>
> I'll torture the analogy a bit further though: imagine losing your<br>
> licence because your car was stolen and used in an armed robbery.<br>
> Flawed again, but I couldn't help myself. I hate analogies and<br>
> torturing them gives me pleasure. ;)<br>
<br>
And is pointless in this case because you are not being told you<br>
can't use any computers. You are just being told you can't use<br>
particular computers until you get them fixed.<br>
<br>
> I do agree with Damien that a service provider that does not have<br>
> explicit T&Cs dealing with this scenario may well end up in trouble,<br>
> and a provider that does have these T&Cs will have a significant<br>
> customer service issues that will generate immense cost to the<br>
> business, to say nothing of the reputational impact.<br>
<br>
If you do it well you will get a positive reputation.<br>
<br>
> I don't agree that we're talking about a short term support cost spike<br>
> either. Users will be repeatedly compromised, quarantined and calling<br>
> in for support.<br>
<br>
> Quarantine is painful for the customer and the provider, and does not<br>
> deliver sufficient long term benefit to the user, the provider or the<br>
> Internet at large to balance the cost, at least in my opinion.<br>
<br>
Tell that to those that are suffering DDoS and other attacks from<br>
compromised machines.<br>
<br>
> If<br>
> there were cheap, reliable and easily deployable measures a user could<br>
> take to secure their computers in the long term I would probably think<br>
> differently. Until then, I'm happy with mucking about with DNS to take<br>
> a chunk out of the problem (Disclosure: I used to lead the group that<br>
> designed all the stuff in the BigPond network that Barrie's been<br>
> talking about, including the Interpol filtering).<br>
<br>
This will always be a catchup game but if you get the systems<br>
upgraded to have the latest fixes you reduce the number of machines<br>
that can get infected and be used to attack others before the C&C<br>
machines are discovered.<br>
<br>
What percentage of these machines are infected via known and fixed<br>
vulnerabilities, and what percentage are infected by yet-to-be-fixed vulnerabilities?<br>
<br>
Mark<br>
--<br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: <a href="tel:%2B61%202%209871%204742" value="+61298714742">+61 2 9871 4742</a> INTERNET: <a href="mailto:marka@isc.org">marka@isc.org</a><br>
</blockquote></div>