Let's start talking about who really should be responsible here, and no, I'm not pointing my finger at Microsoft. Let's talk about the ISPs, particularly the broadband ISPs like the telcos and the cable companies.

How much would it have cost a company the size of Comcast or Verizon to buy a Linksys or Netgear router for their millions of Internet subscribers? $10 per sub? $20 per sub? If you asked most any Internet professional whether it makes sense to connect a Windows PC directly to the Internet, I'm sure nearly every one would answer "of course not." Yet that's what all these companies do every day.

I've been in this business for a decade now, and even back then, when most clients with a full-time connection were using a 28.8K modem, we'd always install a firewall. How could anyone with a conscience have thought that connecting a home computer directly to a 24/7 high-speed connection deserved any less?

I'm really tired of hearing people put the onus for security on ordinary consumers who have literally no conception how insecure the public Internet really is. Instead we get lots of ads showing happy families browsing the web and e-mailing pictures of their kids to grandma. Meanwhile, of course, that happy family hasn't a clue that their computer, and probably grandma's as well, is busily sending out porn spam to thousands of addresses every day or being used in some denial-of-service attack. Connecting computers directly to the Internet without any thought given to security is corporate irresponsibility at the highest levels.

Of course, it doesn't take more than a moment's thought to understand why no one tells grandma that connecting to the Internet might have some potential downside. It might actually dissuade some people from connecting and thus lead to fewer sales. And, including a firewall router in every installation might actually require additional (read costly) training for the installers.

Recently a friend installed cable TV and Internet service from Comcast. The technician came to her house, connected up the TV's, connected the cable modem to her Windows PC, and gave her a CD-ROM to run on her computer. Thus endeth the "installation." And, no, the CD-ROM contained no security software, just a bunch of unnecessary stuff that displayed Comcast's trademarks all over her computer every time she boots it up.

In the case of the cable operators, we can identify another reason: their adherence to an (outmoded) business model based on charging extra for every additional connected device. Cable TV operators have always charged an additional fee for each television connected to the service. When these companies began providing Internet service, they expected to be able to charge an additional fee for each computer connected to the Internet. Given this mindset, it's not hard to understand why they'd be averse to installing a NAT router which hides the number of machines using the connection.

On top of this, we have the following nonsense as reported in a recent Slashdot discussion (http://it.slashdot.org/article.pl?sid=04/08/17/1347214&tid=
172) concerning this subject:

"When I worked for a large cable company, those of us in the technology organization wanted to make it policy to recommend to subscribers that they have a firewall. The legal department made [the] argument that we exposed ourselves to liability lawsuits if we said, in effect, that the Internet was a dangerous place and you should take steps to protect yourselves. So the company did not give users warnings, and the network became one of the world's larger sources of various attacks..."

I find it ironic that, in a period where government officials talk endlessly about the need for security, no one suggests that telcos and cable operators, which are already Federally regulated, be required to include the hardware necessary to provide security as part of their standard Internet service offerings.



[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/262/28117#28117