Security or Freedom?

Started by iago, September 27, 2004, 04:14 PM


Adron

Quote from: Thing on September 29, 2004, 07:57 AM
Adron,
While I do feel that the bandwidth providers do have the right to configure their networks however they want, I still don't feel that it is their responsibility to compensate for software manufacturers' insecure and troublesome products.  The root of the problem is the software, not the network.  If the bandwidth providers reduce the symptoms, where is the incentive for the software manufacturers to fix their product?

No no, it's not their responsibility. It's about adding value. For example, on such a connection you can safely hook up your newly formatted / reinstalled Windows box to download the latest updates.


Quote from: Thing on September 29, 2004, 07:57 AM
With so much bandwidth being wasted, I'm sure the providers are pissed and want to reduce it for that reason.  A better way, which will provide more value to their customers, is to do what Verizon is doing on their DSL network.  Every new Verizon customer receives a nifty Firewall / Router for them to connect with.  By default, all ports are closed and remote management is disabled on their 2Way devices.  You even have the option of getting one with a built-in wireless router!  I've been on Verizon's DSL network since its inception in Dallas and I've noticed a significant decrease in the amount of unwanted traffic coming into my house from it.  Comcast cable network, however, is a worthless piece of crap because they will allow any device to connect and rape their network.

Giving out free routers sounds like a good idea. It's really similar to what I was after, the only difference being which end of the DSL connection the filtering is done on. I thought filtering at the ISP end would be more cost-efficient. I guess with mass production of cheap routers, those might not cost more.

muert0

Do they not have cable modems with NAT built-in? If they don't, would it be that hard to implement?
Too lazy for Slackware.

mynameistmp

Quote
I should be able to go to firewall.comcast.net, and have a web-based control panel that works from my IP address which lets me selectively pick ports to use. By default, they should have SMTP and netbios blocked, but allow them to be opened by this web-based CP.

Hm. ~$80 (and that's Canadian funds) and a wee bit of sed magic...

$ sed -e 's/firewall.comcast.net/192.168.1.1/'

Look, Ma, it's a linksys!
"This idea is so odd, it is hard to know where to begin in challenging it." - Martin Barker, British scholar

Banana fanna fo fanna

In response to alternate random ports, I'm talking about trojan/email virii.

iago

Those types of viruses aren't what's saturating the pipes with crap, it's the ones like Slammer and Sasser and MSBlaster that are.

Apparently some ISPs have over 50% of their traffic belonging to this crap, which is ridiculous.  I'm quite happy that my ISP took the initiative and helped out the Internet in a small way.  If even a good chunk of ISPs did that right now, they would eliminate a good part of the current worm problem.

Have you ever tried plugging in an unprotected Windows XP machine and downloading the updates?  It's impossible to do, because you'll get a worm before you finish updating.  That's ridiculous.  Something has to change.
This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


tA-Kane

Quote from: iago on September 28, 2004, 04:22 PM
You can't argue that, but it doesn't change the fact that some ports are "evil".

Someguy 1: "i say we should try to get to the east by sailing west..."
Someguy 2: "that doesn't change the fact that you'll fall off the face of the earth if you venture out into the sea too far"

Quote from: Adron on September 29, 2004, 05:51 AM
since this gives them a free security upgrade to the latest OS version, you should of course charge them appropriately.
And of course, if they decide not to use your security features, you charge them a "non-secure fee". Charge them if they do, charge them if they don't! Fuck that.
Macintosh programmer and enthusiast.
Battle.net Bot Programming: http://www.bash.org/?240059
I can write programs. Can you right them?

http://www.clan-mac.com
http://www.eve-online.com

Adron

Quote from: tA-Kane on September 30, 2004, 12:21 PM
Quote from: Adron on September 29, 2004, 05:51 AM
since this gives them a free security upgrade to the latest OS version, you should of course charge them appropriately.
And of course, if they decide not to use your security features, you charge them a "non-secure fee". Charge them if they do, charge them if they don't! Fuck that.

Well, it's up to them if they want to be connected or not......

Kp

Quote from: muert0 on September 29, 2004, 12:06 PM
Do they not have cable modems with NAT built-in? If they don't, would it be that hard to implement?

First, with regard to muert0's comment: I wouldn't want one of those even if it existed.  My experiences with "home" router type setups have been consistent failures in achieving my goals, for the simple reason that the NAT device has been so badly brain-damaged before retail that it cannot perform even the simple tasks I want, such as getting the NAT rewrites correct when two internal systems talk to their external addresses (e.g. Brood War).

With regard to alternate solutions, I have a draconian one that should resolve the issue in fairly short order.  Rather than blocking worm ports, block networks that generate more than N worm attacks per M time units.  When the network admin informs you that he's fixed the problem, lower the barricade.  ISPs would thus be strongly encouraged to clean up their internal problems (such as by imposing similar measures against their clients), lest they be banned from their provider.  Of course, such would require a Terms-of-Service change between the ISP and their provider, so it would not be instant.  This is along the same principle as the realtime-blackhole-list.  Domains known to be serious sources of spam are completely banned from sending any traffic until they've been cleaned up.  IIRC, MSN got blacklisted for a few days a couple years ago.  They fixed their problems in a hurry after that. ;)

This is said partially in jest, since I doubt any major companies would have the courage to do this to paying customers.  However, I've seen this policy work quite effectively on nonprofit networks (e.g. universities cutting off infected students, companies isolating infected employees from the corporate network).  By nonprofit network, I mean that access to the network is provided as part of some larger deal, so being cut off does not give the infected individual ground to cry "breach of contract" for loss of service.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!
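The two filtering policies argued over in this thread, as an added example that is not part of any post above: the "evil ports" approach (default-block the ports the named worms used, plus SMTP and NetBIOS, with a per-customer opt-in like the firewall.comcast.net control panel iago describes) and Kp's rate-threshold approach (block a source network once it sends more than N worm-port probes in M seconds, until an operator lifts the block). The flow records are constructed, not a real capture; the port list follows the worms named in the thread (Slammer 1434/udp, Blaster 135/tcp, Sasser 445/tcp), and aggregating sources at /24 is an assumption made here, not something the thread specifies.

```python
"""Added example, not from the thread: the two filtering policies argued
over above, applied to a constructed set of flow records.

Policy A ("evil ports"): drop inbound traffic to the ports the worms named
in the thread used (Slammer 1434/udp, Blaster 135/tcp, Sasser 445/tcp) and
to SMTP and NetBIOS, unless the destination customer has opted a port back
in through a control panel like the one iago describes.

Policy B (Kp's proposal): count probes to those same ports per source
network in a sliding window of M seconds; once a network exceeds N, drop
everything from it until an operator lifts the block.  Aggregation at /24
is an assumption made here; an ISP would key on its own customer or peer
allocations.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
import ipaddress

# (protocol, destination port) pairs treated as worm/abuse ports.
WORM_PORTS: Set[Tuple[str, int]] = {
    ("udp", 1434),                                  # SQL Slammer
    ("tcp", 135),                                   # MSBlaster (DCOM RPC)
    ("tcp", 445),                                   # Sasser (LSASS over SMB)
    ("tcp", 25),                                    # SMTP (spam relays)
    ("tcp", 137), ("tcp", 138), ("tcp", 139),       # NetBIOS
    ("udp", 137), ("udp", 138),
}


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str       # source IPv4 address
    dst: str       # destination (customer) IPv4 address
    proto: str     # "tcp" or "udp"
    dport: int


def port_policy(flow: Flow, opened: Dict[str, Set[Tuple[str, int]]]) -> bool:
    """Policy A.  Return True if the flow should be dropped."""
    key = (flow.proto, flow.dport)
    if key not in WORM_PORTS:
        return False
    # The customer may have re-opened the port via the control panel.
    return key not in opened.get(flow.dst, set())


class NetworkRateBlocker:
    """Policy B: block a source network that exceeds N worm-port probes
    within any M-second window; keep it blocked until lift() is called."""

    def __init__(self, n: int, m: float, prefix_len: int = 24):
        self.n, self.m, self.prefix_len = n, m, prefix_len
        self.events: Dict[str, deque] = defaultdict(deque)  # net -> probe timestamps
        self.blocked: Set[str] = set()

    def network(self, ip: str) -> str:
        # Assumption: sources are aggregated at /24.
        return str(ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False))

    def observe(self, flow: Flow) -> bool:
        """Return True if the flow should be dropped."""
        net = self.network(flow.src)
        if net in self.blocked:
            return True                      # barricade is up: drop everything from it
        if (flow.proto, flow.dport) not in WORM_PORTS:
            return False                     # only probes count toward the threshold
        window = self.events[net]
        window.append(flow.ts)
        while window and window[0] <= flow.ts - self.m:
            window.popleft()                 # expire events older than M seconds
        if len(window) > self.n:
            self.blocked.add(net)            # raise the barricade for the whole network
            return True
        return False

    def lift(self, net: str) -> None:
        """Operator confirms the network is cleaned up: lower the barricade."""
        self.blocked.discard(net)


# Constructed traffic, not a real capture.  203.0.113.10 is the infected host.
SAMPLE_FLOWS: List[Flow] = [
    Flow(0.0, "203.0.113.10", "192.0.2.20", "tcp", 445),   # Sasser-style probes ...
    Flow(0.5, "203.0.113.10", "192.0.2.21", "tcp", 445),
    Flow(1.0, "203.0.113.10", "192.0.2.22", "tcp", 445),
    Flow(1.5, "203.0.113.10", "192.0.2.23", "tcp", 445),
    Flow(2.0, "203.0.113.10", "192.0.2.24", "tcp", 445),
    Flow(2.5, "203.0.113.10", "192.0.2.25", "tcp", 445),   # ... sixth probe trips N=5
    Flow(3.0, "203.0.113.77", "192.0.2.30", "tcp", 80),    # innocent neighbour in the same /24
    Flow(3.5, "198.51.100.5", "192.0.2.40", "tcp", 25),    # mail to a customer who opened 25
    Flow(4.0, "198.51.100.5", "192.0.2.41", "tcp", 25),    # mail to a customer who did not
    Flow(70.0, "203.0.113.10", "192.0.2.26", "tcp", 445),  # a window later, still blocked
]
OPENED_PORTS: Dict[str, Set[Tuple[str, int]]] = {"192.0.2.40": {("tcp", 25)}}


def evaluate(flows, opened, n=5, m=60.0):
    """Run both policies over the flows; return the index lists each would drop."""
    blocker = NetworkRateBlocker(n, m)
    port_drops = [i for i, f in enumerate(flows) if port_policy(f, opened)]
    rate_drops = [i for i, f in enumerate(flows) if blocker.observe(f)]
    return port_drops, rate_drops, blocker


if __name__ == "__main__":
    a, b, blk = evaluate(SAMPLE_FLOWS, OPENED_PORTS)
    print("port policy drops:", a)
    print("rate policy drops:", b, "blocked networks:", sorted(blk.blocked))
```

Running it shows the trade-off the thread circles around: the port policy drops every 445 probe from the first packet but also drops legitimate mail to the customer who never opened port 25, while the rate policy lets the first five probes through, then drops the innocent neighbour on port 80 along with the worm because the whole /24 is behind the barricade until `lift()` is called.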
