Dr. Antonio Nucci

By Kevin McTiernan

An employee of a large US corporation was fired for excessive use of the Internet during work hours. After his employment was terminated in 2003, the employee filed a lawsuit charging his employer with wrongful termination. He claims that his employer offered programs to assist fellow employees “with much more severe psychological problems?” including drugs and alcohol and thusly, he should have been offered counseling instead of being fired. His employer claims that he was in Internet chatrooms where sexually explicit topics were discussed and visited a website containing sexual content, all of this while using one of their computers. The employee claims the chatrooms were “self medication?” to help cope with post traumatic stress due to his experiences in Vietnam.

This brings up interesting comments about today’s Internet-driven culture. Employers are finding their employees requiring physical therapy for the “thumb tendonitis?” which results from the constant use of smartphones (such as Blackberrys, Treos and Sidekicks). Treatment centers are finding their clientele increasing and needing help with addictions including online gambling, cybersex and online shopping.

It is interesting – could the Internet, by making it possible to communicate with anyone around the clock, by providing an unending supply of information, and by enabling technologies (such as VoIP or videoconferencing), cause dependencies similar to that of nicotine, alcohol and drugs? When you look at the statistics released with a Stanford University study (see “A Stanford University study finds…?” below), there may be a new addiction for the healthcare industry to keep an eye out for.

In this Internet-driven culture, what will the responsibility of an employer be? Would employers be required to monitor all Internet traffic and analyze to look for dependencies? Will employers continue to offer Internet access? How long before we see a pamphlet on our HR admin’s desk on Internet addiction? Will schools need to provide guidance to students similar to teen pregnancy or alcohol abuse?

Stanford University’s Office of Communication and Public affairs has information on their study, here.

By Kevin McTiernan

At the Blocking Denial of Service Attacks on the Internet conference held earlier this month in London, leading Internet lawyer, Lilian Edwards, argued that ISPs should be held financially responsible for DDoS attacks carried out via their networks. Edwards, a published author and authority on legal issues of the Internet, believes that ISPs should be legally required by their government to prevent DDoS attacks.

Edwards’ argument has merit. In my opinion, it is similar to when parents are held accountable for their children’s actions or a television network is penalized for violating indecency standards. In these cases, it is not the child or the television program’s producers that are penalized; it is the person that should be providing oversight. In fact, many telecommunications regulations exist today that result in penalties or fines if violated. Examples include number portability, E-911, CALEA, etc.

I do have some problems with the argument, however. The first problem with the argument is that the bots or zombie computers that launch the attacks do not only seek out computers on ISPs. They look for any vulnerable system and find them on ISPs as well as enterprises, hosting facilities, cyber cafés and metro WiFi networks. Think back to 2003 and the slammer worm - remember the story about the Ohio nuclear plant and how the worm got in? My point is that if you limit the requirement to the ISPs, you still have many more vulnerabilities that must be addressed. Extending the regulation to enterprises, cyber cafés and metro WiFi networks may cause access to be limited or not offered.

The second problem with the argument is that of governance of the Internet. While phishing scams can be investigated and broken in countries where regulation is present and a judicial system will prosecute such crimes, many parts of the world do not have such standards and the scams go untouched. In those same parts of the world, the bot viruses are written, the DDoS attacks are launched and the damage is done - the double-edged sword of the Internet is that it is available anywhere. Requiring an ISP to spot a local, vulnerable system in the UK or the US, may not prevent the attack if executed from Kenya, for example.

The third problem is that carriers are prohibited from controlling traffic on their network. While the prohibition against such “blocking?” or “rate limiting?” is in the form of public outcry, it is a definite part of the net-neutrality debate and as such may be regulated shortly. A prime example of the issue is with Skype and its roughly 100 Million subscribers (see “What’s the problem with Skype anyway??” below for more information).

I’m not about to say that the only problem that carriers have with Skype is the security threat. Skype (and other providers, such as Vonage) are costing carriers millions of dollars daily in lost revenue for traditional phone services. My point is there are many facets to the net-neutrality debate. By saying carriers cannot control the services that are run in the network - which would end the concept of charging a tariff to quality-sensitive content providers (YouTube, Skype or Vonage) – you in effect limit their ability to prevent such attacks by blocking security threats.

However, the free market is driving change. Enterprises and other consumers of carrier services are embracing the idea of a security service level agreement (Security SLA) whereby the carrier ensures a “clean pipe?” either as part of their service (which keeps existing while luring new customers) or with a fee (which increases revenue). Major carriers in the US and Europe are embracing this shift and managed service providers (such as VeriSign, NeuStar and KSR) are seeing growth and are making acquisitions to keep pace. And, corporate behemoths, such as IBM and Cisco, are making security a major business component.

I do agree fully with Edwards that the Internet is a component of the critical national infrastructure, and governments the world over must treat it as such. But the economics of the situation (competitive advantage or revenue opportunity) are causing carriers to respond to this economic driver much quicker and with more promise than they would to any regulation.

Here’s an article from NewScientist.com news service where Lilian Edwards is interviewed on the argument she made.

Here’s a link to books by Lilian Edwards on the topic of law and the Internet.

By Doug Miller, Director-Channel Management

Just when you thought it was over, here come the politicians again trying to revive Net Neutrality legislation. Political pressures have forced the issue to become a potential roadblock to the AT&T–Bell South merger. Without it, pundits say that the FCC may block the merger. It’s definitely something to watch for in this post-election environment.

While there are very real and valid arguments both for and against this type of open structure, for me it should come down to a free market. The Internet should be no different than the rest of our society in that consumers get to choose with their purchasing decisions. With carriers, service providers and content owners openly competing for purchasing dollars, it would seem that they will make the best choices for the consumers and ultimately for themselves. Competition, reinforced by anti-trust laws, is thus a far better protector of the interest of consumers, carriers and content providers than government ownership or regulation.

Let’s take an example of an environment without Net Neutrality regulation (today’s status quo). Say that DSL Provider A decides to charge content providers to ride its network. Google and Yahoo! pay the fee, but Ebay and Amazon do not. In this case, it stands to reason that many consumers would rather go to Cable Operator X for their service where they have equal access to everything (a conscious choice made by Operator X). Provider A then changes its structure to keep up with the dreaded churn and innovates to launch new services that will bring customers back. Operator X sees this and launches its own new services like managed VoIP or P2P services, and sets QoS higher for those services to ensure that customers get the best possible experience. There’s competition, new services are conceived and launched, billing plans are changed. Everybody, including the consumer, wins.

Now, let’s take a similar example with Net Neutrality regulation. All of a sudden, Provider A and Operator X are relegated to nothing more than bit pipes that can only compete on aggregate speed and price. Sounds a lot like a commodity, right? Sure, they can bundle data services with home phone service and maybe TV, but they have lost any incentive to launch new branded services since they really can’t legally guarantee QoS or QoE. In essence, Net Neutrality, with all of the good intentions that go along with it, would have effectively stifled new service delivery, innovation, desire for growth, etc. Why would carriers continue to pour literally billions of dollars into their networks if their only payback is to sell bits? Sure, it would be a big win for content providers, but that’s not going to get carriers to increase the network performance and security to the point that the services would be valuable and worth paying for.

The “access?” honeymoon is over. The market is demanding more than just fast service to check e-mail, stock quotes and weather reports. Where will the money be made? If it’s not going to be made by the carriers, why will they continue to spend the money so that content providers can reap the rewards? Basic economics says that just won’t happen. It’s time for carriers to get broadband in every home and to give them free reign to manage their networks based on consumer demand. And let’s all get real here. Will any carrier in their right mind block or otherwise limit access to Google, Yahoo!, Ebay, Amazon, etc.?

So, do we let the politicians decide for us? Do they have the networking knowledge and insight to make these decisions? Or, do we let carriers and service providers with advanced DPI tools, monitoring systems, security solutions, and other key network management applications and skills go head-to-head with each other and let them fight for our monthly Internet budget? I, for one, am up for a good fight and one that is conducted not in the courtroom or on Capitol Hill, but on my computer and in my monthly bill.

Pipeline included my article on Skype traffic detection and classification in its September issue. In this article, I discuss the future of traffic detection and classification, new concerns raised by this technology, and issues with privacy and authenticity. I also address the challenges of detecting Skype traffic and how “traffic classification in the dark” is a very effective protocol detection technique to solve this problem. Are you involved with this type of work? I’d really like to hear your thoughts on the topic.