Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: "Association of Responsible Internet Providers"?
From: david () FASTOLFE NET (David Nesting)
Date: Thu, 2 Mar 2000 12:17:38 -0600


I apologize for taking so long in summarizing these responses.  I've
been on vacation and otherwise occupied for a couple of weeks.

Elias has been kind enough to set up a mailing list for future discussions
about "ARIP" (or whatever descendents might arise).  To subscribe, send
an e-mail to listserv () securityfocus com with the text "subscribe arip
firstname lastname" in the body.  Please send any further discussions,
ideas, or replies to this mailing list.

A few people mentioned NANOG <http://www.nanog.org/> and ISPF
<http://www.ispf.org/>.  I am in agreement that input must be solicited
from these groups.  I also encourage people to subscribe to Dragos Ruiu's
<defender () dursec com> list for related discussions about coordinating
attack responses (see list archives for details).

I won't begin to respond to all of the e-mail I've received, but here
are some snippets of a few responses I've received.  There were lots of
very interesting points made, and if I've missed yours, please feel free
to post it to the ARIP list.

David

* despot <despot () crosswinds net>
  One of the downsides I see is that such a certification would provide
  attackers with at least some idea of which providers are irresponsible.

I hadn't thought about explicitely publising a list of participating
entities, though I would hope one of the conditions of membership would be
a published, staffed emergency contact, and I would hate to restrict this
information to members only.  And of course just because a company isn't
ISO certified doesn't mean it's not an exceptional company otherwise.

* Seth R Arnold <sarnold () willamette edu>
  There are two points of trouble I can think of -- first, if the dues
  are high enough, ISPs won't want to join -- profits are slim enough
  already for many. Second, most users don't care

It would be our job to make them care.  Explain to the public and press
WHY membership with this organization is good for the customer and for
the Internet as a whole, and eyes will start wandering to those big
names that /aren't/ boasting membership.

* "Aleshire Rick" <aleshire_rick () bah com>
  you are creating an elitist organization - the have vs the have nots -
  you cannot even begin to tackle the security of the internet if the
  weakest link in the chain is not a part of it!!!

I agree 100%!  Ideally, we should not only work on pointing out those
companies that have done an excellent job, but aid everyone in working
together, member or not.  I'd rather not see this turn into Yet Another
Security Site, so this specific task might be better left to another
group.

* "Mark E. Drummond" <drummond-m () rmc ca>
  ... this is absolutely ludicrous. "You can't be part of our clique
  cuz you can't afford it" ... "oh, you are loosing business because
  you are not certified by us? well for a small fee ...".

* Arch Angel <floz12355ml () yahoo com>
  The rational man would say.."Well, if he couldnt conform to the
  standards, then he shouldnt have opened an ISP." however, I could see
  a competent coorperate attorney sueing for monopolizing the internet
  or some other ridiculous ccharge.

I don't see an organization like this to be any different from, say, ISO
certification.  Cheap ISP's (as in can't afford to abide by membership
requirements) will continue to have their niche in the form of customers
that could care less.  ISP's that take the time and effort to secure
their systems, networks, and who make an effort to have staff on-hand
to aid their peers in tracking down abuses deserve recognition.


  By Date           By Thread  

Current thread:
  • Re: &quot;Association of Responsible Internet Providers&quot;? David Nesting (Mar 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]