I'm in Baltimore this week speaking at ISPCon. Our travel plans didn't allow us to attend the first day, unfortunately. Here are some thoughts from day two.
The show isn't exactly big. In fact, as far as number of attendees go, I think it's a fair bit smaller than the previous one in Sacramento 6 months ago. Maybe that's just an east versus west coast thing, it's hard to say. The organizers seem to want it to be bigger, not surprisingly since it's run by a company (as opposed to like the PyCon community-run conference) and bigger means a lot more money. The attendees also want it to be bigger because of the additional variety. However, with the continuing consolidation in the market, the number of ISPs is continuing to shrink, so that may be pretty hard.
They have a real nice show-floor, a lot of exhibitors are present. A lot of wireless vendors are showing equipment including wireless test and measurement, radios and antennas, and ISPs. Wireless continues to be the hot thing, largely I suspect because it allows smaller ISPs to get around the strangle-hold on the "last mile" copper that the incumbent providers have.
There's also quite a presence of filtering companies, including anti-porn. Several vendors have anti-spam solutions, and there are also many e-mail service providers that are also pushing anti-spam and anti-virus sides of their business. I talked at length to many of these vendors because I'm giving a presentation tomorrow on anti-spam and so I wanted to see what they were up to.
Vircom, which I hadn't heard of before, offers an anti-spam appliance that looks pretty good. I talked with them at length about some pretty geeky topics related to e-mail and anti-spam, and it sounds like they've at least got their heads in the right space. I also spoke to Barracuda, and they're now saying that they used to do greylisting but removed it from their product because customers didn't like it. 6 months ago at ISPCon in Sacramento they said they didn't have greylisting but were looking at adding it, which seems like a pretty short time-cycle to add and remove it. Apparently, giving the option to disable it wasn't good enough, because some users just enable everything and then complain if they don't like the results. Sad, because greylisting is so effective.
Oddly, there was an exhibit for animation software. It was one of the only booths that I regularly saw nobody at, possibly because it was being run by one guy who was spending all of his time interacting with the software, demonstrating it, instead of interacting with people walking by. Mostly, I suspect it was because ISPs need animation software like a fish needs a bicycle...
Oh, and Digium kind of had a booth there. It sounds like they paid for a booth, and got a bunch of Asterisk enthusiasts to staff it showing off their projects. There was a Soekris system running Asterisk, with a T1 card in it, and another person was running Asterisk on a Linksys WRT-54g router. I have a hard time imagining why, I guess I should have asked. I need a PBX on my router like an ISP needs animation software.
In the morning I attended the talk on Financing Wireless Networks. This was a panel discussion in the business track. Evelyn found this idea that you should try to hang out with people where you're in the bottom 10% as far as experience, because you'll learn far more that way. That's part of why I went with the business track here. The biggest idea I took away from that was to get with your bank and find a business manager there and meet with them regularly to build up a relationship. I don't know that we really need much money, but having a better relationship with the bank is probably a useful thing.
Next I went to the keynote on "Cyber security at the extreme edge". This is where I really noticed that the show was under-attended. It seemed like only a third of the seats were filled. I'm guessing that there are at least 200 attendees, but I'm pretty sure there aren't 400. Anyway, the impression I came away from this talk with was that the speaker was very well connected. I don't want to be overly harsh, but the talk could have just as appropriately been called "Who Howard knows".
In this talk, the idea was hammered away at that the small ISPs should develop relationships with their local law enforcement, and work to report even the smallest infractions. While probably no investigation will get done, it will provide information which may be able to be used by some crime-fighting agencies to consolidate and look for larger patterns. Evelyn pointed out that pushing this to the smaller ISPs is pushing it to the places that have the fewest resources to do anything about it. On the other hand, smaller ISPs may be becoming increasingly a target of small attacks because they are unlikely to be reported and many small attacks can have the same results as fewer large attacks.
Trying to get small ISPs to keep their customers from being infected as zombies is going to be pretty hard though. My experience has been that the infected end-user just doesn't really care. That's what I've seen at coffee shops, anyway, where literally the infected users can't be bothered to remove the wireless PCMCIA card from their laptop, even though they claim they "aren't even using the wireless network". From my experience, the only way you'll get these people to secure their systems is if you go to their computer and do it for them. "Don't talk computer to me", as one virus-laden person at a local coffee shop once told me -- they just want it fixed.
For lunch, they have "topic tables" and you pick a table based on topics such as "Networking", "E-mail", and "Business", and have lunch with others who share that topic. I selected Networking, since I'm talking on high availability routers tomorrow. Interestingly, it was one of the less populated tables. I did have a nice conversation with a couple of guys from a rural phone cooperative in Minnesota, though.
I spent some time after lunch back down in the exhibit hall, speaking to the ImageStream folks. They make Linux-based routers, and while I'm a big advocate of Linux routers I haven't had ever used one of their products. Mostly it's just an issue of not being familiar with their products. If I want to do Linux-based routing, I can set up a box with my favorite distribution on it and I'm very familiar with it's layout for where to put firewall rules, and the like. With their box, I have to learn the menuing interface, or learn where things go in the underlying config files, so it's hard to come up with a case for when it would be beneficial to use their products.
We did talk extensively about traffic shaping. Apparently, one can get the Linux tc to work. ImageStream has written an (apparently proprietary) tool to help setting up the tc rules. Their tool looked pretty easy to use, and just generated back-end tc rules. Apparently Linux can handle with tc up to 64 thousand shaper flows. Too bad the documentation on using tc is so horrible...
I went to a talk that was listed as being about SARBOX, but it ended up having been replaced by a talk on address verification. The idea was to create an infrastructure of authentication servers which would regularly generate message authentication tokens which mail clients would then embed in the e-mail messages they send, and remote mail servers could use to verify (against the authentication server) that the message was sent from the correct sender.
It has some huge problems though, as far as I can tell. First of all, it uses the DNS TXT record for a zone to publish information about the authentication servers. The presenter apparently didn't realize that SPF uses DNS TXT records for it's use as well, and seemed awfully confident that SPF could deal with his information also existing in the same TXT record. I'm not so sure about that, but maybe.
It also has the problem that the tokens given out are secret. The tokens authenticate the holder as being the sender, so once you receive one of these messages you can then masquerade as the sender for some period of hours or days. A pretty big problem... I suggested perhaps looking at something more like hashcash where each token you give out is good for one particular recipient and is timestamped, which might help. Given the idea of an authentication server that a recipient can use to see if a message is authentic, I think there are a lot of things that one could do to secure e-mail. I'm just not sure the Simplicato system proposed in this talk is the best use of that infrastructure. Or even that, as currently proposed, that it's a good use of that infrastructure at all.
In the evening was the ISP-CEO Exchange session. This was a moderated group discussion of largely ISP owners. The discussion varied quite a lot in the couple of hours I was there, a long time was spent on discussing how to get more people to ISPCon. A lot of time was spent, collectively, bashing SBC (with a soft stick, though, since there was an SBC person in the room). The idea was floated that instead of complaining about how the SBCs of the world had a killer upper-cut and that they needed to fight with one hand tied behind their back, you need to fight their weaknesses. What Evelyn and I call "Making lemonade".
Several people said that having an ILEC that was providing DSL or cable service was great for their business, because when people get pissed off at the service or the company they will happily come to you. Smaller companies can always provide better service than larger companies, so play to your strengths. And once you've got that "trusted adviser" status with a client, sell them other things that they need. Perhaps you sell DSL at cost, and make your money on selling add-on services like web hosting, virus scanning, backup services, etc. It's very much the idea of a loss leader.
That's the report from day 2 of ISPCon. Tune in tomorrow for the conference wrap-up.comments powered by Disqus