#1
In article , Roger Halstead wrote:

> One thing about this thread: Posting on a group to get users to check for viruses is unlikely to accomplish much, although I do have to say this one at least generated a lot of discussion. Some of it has been downright educational.

> OTOH, *most* computer users would never pass the definition for computer literate, let alone computer savvy, unless the definitions were made extremely lenient. *Most* computer users do not know, or care how the thing works as long as it does what they ask. You can point out the dangers inherent in their way of doing things, but it has worked so far and they seem to have that feeling of, "It only happens to the other guy".

> Yes, MS operating systems are full of holes although many of the holes were put there intentionally to enable the end user to do something. The OS comes with most of the defaults turned on that put the system in its most vulnerable state. Let's say we could convince MS to turn off all those defaults. They would be inundated with calls wanting to know why HTML didn't work, why their macros didn't automatically execute, why animation didn't work in their e-mail...and so on...That average user would just get the defaults turned back on. Plus they'd be angry at MS for making them have to figure out what was wrong.

> LINUX and UNIX are computer people's OSs. Sure we can even make them look like Windows, but that average end user wants all the functionality they've been having and in the same manner. IF MS went away tomorrow and produced no more OSs and was replaced by fully end user friendly UNIX and LINUX we would still be plagued with our current problems for a decade or more due to the old systems out there.

> The end user wants a box they can turn on and it does what they want. Never mind that the way they do things can create difficulties for hundreds of thousands of other users. _As_long_as_that_ mind_set_continues there will be a tremendous market for the type of OS put out by MS. As long as that market continues the rest of us will be plagued by the problems they create. Maybe our systems will not become infected, but as shown by the recent flood of mail and bogus bounced e-mails it can sure be an inconvenience and in many instances cause a complete Denial Of Service (DOS) to many end users, let alone ISPs.

> Some of us have the ability to change our posting address as often as we wish. We can even use "tagged" addresses when registering software and hardware. We can do that and still keep private addresses for friends. However once someone with your address had their computer infected, it's time to change.

> True spam (UBE), rather than just cross posting is at unbelievable numbers. Many ISPs are dealing with millions of messages per day. Some of the larger ones are in millions per hour. It too can cause a DOS once past a critical point.

Tidbit: AOL, as of a few months ago, was _throwing_away_ (i.e., before it even got to the user mailbox) in excess of TWO AND A HALF BILLION(!!!) messages *per*day*.

> I've always used a valid return address when posting although I do change them. This last batch of viruses has me almost ready to quit using valid addresses, but not quite. I don't want to give up the flexibility of putting myself out of reach to where I post.

> I would offer this suggestion for those who get so excited about receiving the results of the viruses...get a couple of accounts with the free e-mail services. Use those addresses as returns when posting. Most of the current bots are quite capable of figuring out nospam, remove whatever, and symbols.

> I followed one of the ads about sending millions of e-mails per day, or even per hour. That site told exactly how to set up the bots and how to filter the addresses. It told what addresses to never use and how to filter out the real address out of most "munged" addresses. They also run permutations of munged addresses to try and find a valid one. They could care less if they have to send 50 e-mails if one of them *might* turn out to be real. If they only get a return of 0.01% that is still a 100 returns for every million e-mails. If they send a million an hour that is 2400 returns per day. That can make a lot of people rich.

> Once an account gets trashed, change it. 10 or 20 spam and maybe 10 or 20 of the bogus e-mails are not worth getting excited about. Remember those on here who have been receiving over a 1000 a day...That is long since the point of changing addresses.

> So, although we can blame MS for putting out a crappy OS, and justifiably so, they are meeting a demand from the unknowing and uncaring end user. I seriously doubt if that is going to change any time soon. Nor would changing to UNIX or LINUX change anything for most on the newsgroup who are being inundated with bogus e-mail due to someone else's problems. THAT *stuff* needs to be filtered out at the ISP level, yet you don't want any false positives....

> Changing to a more bulletproof OS can make you more immune to infection, but it does nothing to prevent the bogus e-mails. Better filtering at the user end can help if you have the bandwidth, but probably not for the poor user with a 28K modem and dial up service receiving more than a 1000 messages a day.

> As a parting shot: One of the Telcos removed access to their system for every user with an infected computer. They will not be let back on until they can show their systems are clean. (it was quite a few thousand users too). Now if every ISP would do that as soon as a virus was detected coming from that IP and share the information with all other ISPs,

There's no need to 'share' the information with anybody else. Just disable their access, "temporarily", and don't let 'em back on until they 'prove' that the problem has been fixed.

> "I think" it would do far more in a few days than any amount of education we could give those users.

*ABSOLUTELY* YES!!!

> Monitoring for viruses at the source and terminating the user (or just suspending their account) as soon as a sent message is detected would keep the effect of viruses contained and the effect to a minimum.

There's the rub. That "monitoring". First, you have to 'detect' the problem. *WHATEVER* approach you take to that monitoring/detection, it takes resources, and costs money. There are some relatively simple approaches, but they involve 'adding inconvenience' to the 'non misbehaving' customer; the 'good-guy transparent' ones require a significant amount of technical sophistication on the part of the provider, *and* a non-trivial amount of high-priced equipment.

The ISP business is rife with cut-throat competition, and, literally, $1 or $2 per customer per month can make the difference between being in the black, and bankruptcy.
#2
On Sun, 28 Sep 2003 06:52:17 GMT, bonomi@c-ns. (Robert Bonomi) wrote:

> In article , Roger Halstead wrote:
>> One thing about this thread: Posting on a group to get users to check for viruses is unlikely to accomplish much, although I do have to say this one at least generated a lot of discussion. Some of it has been downright educational.

snip

> There's no need to 'share' the information with anybody else. Just disable their access, "temporarily", and don't let 'em back on until they 'prove' that the problem has been fixed.

The sharing would prevent them from just getting on another provider although that might not be necessary.

>> "I think" it would do far more in a few days than any amount of education we could give those users.

> *ABSOLUTELY* YES!!!

>> Monitoring for viruses at the source and terminating the user (or just suspending their account) as soon as a sent message is detected would keep the effect of viruses contained and the effect to a minimum.

> There's the rub. That "monitoring". First, you have to 'detect' the problem. *WHATEVER* approach you take to that monitoring/detection, it takes resources, and costs money. There are some relatively simple approaches, but they involve 'adding inconvenience' to the 'non misbehaving'

I'm not even approaching the spam issue, but yes, it would have to be something like Norton AV does. Scanning all outgoing mail and the first of any virus or worm is likely to get through. It also means being able to differentiate between a normal macro and one that is malicious. It also means checking any attachment for some specific functions, but you still can't take them all into account.

> customer; the 'good-guy transparent' ones require a significant amount of technical sophistication on the part of the provider, *and* a non-trivial amount of high-priced equipment.

My wife and I are members of several clubs and handle the newsletters and member notification, so our ISP allows us to exceed the normal mail limits as we may send out hundreds of newsletters and notifications. In a couple of instances the mailings exceed a thousand, but those only happen a couple times a year.

> The ISP business is rife with cut-throat competition, and, literally, $1 or $2 per customer per month can make the difference between being in the black, and bankruptcy.

Sometimes it's less than that. However they still have to have enough positive cash flow to stay afloat. As I have my own dot com, but use an ISP with web hosting the internet costs are second only to the cost of flying which I also do.

Roger Halstead (K8RI EN73 & ARRL Life Member)
www.rogerhalstead.com
N833R World's oldest Debonair? (S# CD-2)
#3
In article , Roger Halstead wrote:

> On Sun, 28 Sep 2003 06:52:17 GMT, bonomi@c-ns. (Robert Bonomi) wrote:
>> In article , Roger Halstead wrote:
>>> One thing about this thread: Posting on a group to get users to check for viruses is unlikely to accomplish much, although I do have to say this one at least generated a lot of discussion. Some of it has been downright educational.

> snip

>> There's no need to 'share' the information with anybody else. Just disable their access, "temporarily", and don't let 'em back on until they 'prove' that the problem has been fixed.

> The sharing would prevent them from just getting on another provider although that might not be necessary.

>>> "I think" it would do far more in a few days than any amount of education we could give those users.

>> *ABSOLUTELY* YES!!!

>>> Monitoring for viruses at the source and terminating the user (or just suspending their account) as soon as a sent message is detected would keep the effect of viruses contained and the effect to a minimum.

>> There's the rub. That "monitoring". First, you have to 'detect' the problem. *WHATEVER* approach you take to that monitoring/detection, it takes resources, and costs money. There are some relatively simple approaches, but they involve 'adding inconvenience' to the 'non misbehaving'

> I'm not even approaching the spam issue, but yes, it would have to be something like Norton AV does. Scanning all outgoing mail

"Scanning all outgoing mail" *is* the difficulty. It's "easy" to do _at_the_ _originating_machine_ (which is what Norton AV does). Trying to do it at some "upstream" location is a "whole 'nother can of worms". If the message is 'relayed' through the ISP's outgoing mail servers, then it can be filtered at that point. Unfortunately, a lot of 'non-passive' viruses have a _self-_ _contained_ mail-sending function, that does -not- forward to the ISP's mail-server, but sends _directly_ to the victim network. Trying to filter _that_ kind of traffic is a much more difficult problem.

"Radio" equivalent: It's _easy_ to censor message traffic _before_ it gets to the transmitter. Trying to do the same thing _after_ the message has left the transmitting antenna is _qualitatively_ different. If you can enclose the antenna in a Faraday Cage, along with a receiving antenna, then you can do censoring on those 'recovered' messages, before feeding them to a 're-transmitter' that is outside of the Faraday cage.

An ISP has precisely _three_ options, with regard to checking outgoing mail:

1) Put all customers in a Faraday-Cage equivalent, and require them to 'wire' all mail to the ISP's servers, which are outside the Cage.
2) The Faraday-cage equivalent, with the receiver/re-transmitter setup.
3) Simply 'monitoring' the customer-operated transmitters, and cutting the power to anybody that sends "forbidden" content.

*All* of these approaches require that the ISP have enough processing power to handle _all_ the messages that all their customers send, combined. In a typical set-up, customers that send 'significant' amounts of mail _usually_ run their own 'transmitter', which does _not_ impact the ISP's mail-handling capabilities *at*all*.

Yes, the 'routers' have to handle the packets, but they are _very_ specialized pieces of equipment, designed for 'passing the packet', _without_ any awareness of the content. Adding _any_ check on the 'content' -- even, for example, a check to see that the 'sender' IP address is one that is part of _their_ network (without regard to whether that address is actually assigned to the particular customer that originated that packet) -- can degrade router performance by two orders of magnitude. Implementing the 'Faraday cage' equivalent (with or *without* the relay transmitter) incurs similar performance penalties.

That's one h*ll of a 'performance hit'. With the *best* equipment on the market. There is 'cheaper' stuff that doesn't have as big a 'penalty', but it gets that because its 'optimum' performance is *much* lower.

If you're running even 'medium big' networks, and the current equipment is running anywhere close to capacity, upgrades are _very_ expensive. You may have to replace $30,000 devices with $100,000+ ones. A significant 'regional' ISP will likely have a few -hundred- such devices that would need to be replaced. One of the 'big boys' -- e.g. AOL, Earthlink, ATT, MSN, easily has _thousands_.

Let's use AOL for an example. Approx. 9 million US customers. Assume they have physical facilities in the 500 largest U.S. metro areas, with, say, 3 routers requiring upgrades in each location. 1500 new machines at a net cost of $85,000-90,000 each (postulating a $100k replacement cost, and that you can sell the 'used' $30k box for 33%-50% of 'new'). Total cost: circa $130 _million_. If they have profits of $5/customer/year, that 'upgrade' costs them _all_ their profits for roughly _three_ years. *OUCH*! Big time.

[[.. munch ..]]

>> The ISP business is rife with cut-throat competition, and, literally, $1 or $2 per customer per month can make the difference between being in the black, and bankruptcy.

> Sometimes it's less than that. However they still have to have enough positive cash flow to stay afloat.

True. A successful ISP might have profits of $3-4/customer *per*year*.
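
Option 3 in the post above (watching customer traffic for mail that bypasses the ISP's mail servers) can be sketched over flow metadata rather than message content. This is an added example, not part of the original thread; the flow record layout, the documentation-range addresses, the thresholds and the exemption list for customers who run their own mail server are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

SMTP_PORT = 25

@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since start of capture
    src: str     # customer address
    dst: str     # remote address
    dport: int   # destination TCP port

# Constructed values (RFC 5737 documentation ranges), not real hosts.
RELAY_IPS = {"192.0.2.25"}             # the ISP's outgoing mail server
OWN_SERVER = {"198.51.100.30"}         # customer approved to send mail directly

def find_direct_senders(flows, relay_ips, own_server_customers,
                        window=60, max_distinct=5):
    """Return {customer: peak count of distinct port-25 destinations seen in
    any `window` seconds} for customers above `max_distinct` who are sending
    mail directly instead of through the relay."""
    recent = defaultdict(deque)        # src -> (ts, dst) pairs inside window
    peak = defaultdict(int)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport != SMTP_PORT or f.dst in relay_ips:
            continue                   # not mail, or mail handed to the relay
        if f.src in own_server_customers:
            continue                   # approved to run their own mail server
        q = recent[f.src]
        q.append((f.ts, f.dst))
        while q and q[0][0] <= f.ts - window:
            q.popleft()                # drop entries older than the window
        distinct = len({dst for _, dst in q})
        peak[f.src] = max(peak[f.src], distinct)
    return {src: n for src, n in peak.items() if n > max_distinct}

def sample_flows():
    """Constructed flow records covering four kinds of customer."""
    # Ordinary customer: everything goes through the ISP relay.
    flows = [Flow(t, "198.51.100.10", "192.0.2.25", 25) for t in (0, 30, 55)]
    # Infected machine with a self-contained mailer: 8 remote servers in 14 s.
    flows += [Flow(2 * i, "198.51.100.20", f"203.0.113.{i + 1}", 25)
              for i in range(8)]
    # Newsletter sender on the exemption list: 10 remote servers in 27 s.
    flows += [Flow(3 * i, "198.51.100.30", f"203.0.113.{i + 50}", 25)
              for i in range(10)]
    # Occasional direct sender, plus one web request that must be ignored.
    flows += [Flow(10, "198.51.100.40", "203.0.113.200", 25),
              Flow(400, "198.51.100.40", "203.0.113.201", 25),
              Flow(12, "198.51.100.20", "203.0.113.99", 80)]
    return flows

if __name__ == "__main__":
    for src, n in find_direct_senders(sample_flows(), RELAY_IPS, OWN_SERVER).items():
        print(f"{src}: {n} distinct direct SMTP destinations within 60 s")
```

Without the exemption list the newsletter sender is flagged too, which is the false-positive cost the thread raises for customers who legitimately run their own 'transmitter'.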
#4
As has been written in this thread - there is no good ISP based solution to this problem. There really is only one real fix - Make the penalty for creating one of these viruses so severe that no one will ever do it again. Twenty years without parole for the original creator, ten for any "copy cats" sounds like a good start to me.

D.S.