One of the things discussed at the (excellent, thanks everyone) NZNOG
2004 conference was that the Internet sucks, and that a large portion of
this suckage is due to ignorant n00bs who do the wrong thing, get 0wned,
It was suggested that the "only" fix to this problem was to kill the end
to end Internet, making the "Internet" a core exchange network (a la
telco style), and allowing users only access to a local proxy at their
ISP for a very limited set of services.
Aside from my objection that this won't help much except in the short term
(plenty of protocols already tunnel around such firewall limitations --
eg, look at everything that's been tunneled through HTTP), this really
sucks for the l33t who find it awfully restrictive.
An alternative approach to that type of thing is possibly just to
heavily firewall -- at the ISP end of the link -- connections to all
"potential n00b" users (SMTP to ISP mail server, POP/IMAP/HTTP/HTTPS to
wherever and a few other common things) by default.
And then provide an "opt out" system that anyone with a clue can use to
disable the default firewalling. I would suggest:
where you have to enter "My name is $NAME, and I have a clue" (with
$NAME expanded, but otherwise literally). Possibly that setting could
be sticky; possibly it would need to be done on each reconnection.
The remaining aspect is that anyone who claims to have a clue in this
manner and then lets something on their connection get 0wned or otherwise
abuses the privilege (a) loses the ability to unblock themselves, and
(b) gets their name published on a list of shame.
This could pretty much be implemented today by anyone with a firewall
(or customer-facing ACLs) which can be set on a per-customer basis.
Various RAS boxes have this sort of facility already; at least one ISP I
know of firewalls accounts that are overdue so they can reach the
accounting website and that's about it.
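As an added illustration (not from the original post), here is a small model of the per-customer ACL described above: the default "potential n00b" egress policy, the literal opt-out phrase with $NAME expanded, and the revocation plus list of shame on abuse. The ISP mail server address and the account names are constructed values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed value for the example: the ISP's own SMTP relay.
ISP_MAIL_SERVER = ip_network("192.0.2.25/32")
OPT_OUT_PHRASE = "My name is {name}, and I have a clue"

# Default egress policy for every "potential n00b" account:
# (proto, dst port) -> permitted destination networks, or None for anywhere.
DEFAULT_ALLOW = {
    ("tcp", 25): [ISP_MAIL_SERVER],   # SMTP only to the ISP mail server
    ("tcp", 110): None,               # POP3 to anywhere
    ("tcp", 143): None,               # IMAP to anywhere
    ("tcp", 80): None,                # HTTP to anywhere
    ("tcp", 443): None,               # HTTPS to anywhere
}

@dataclass
class Account:
    name: str
    firewalled: bool = True   # filtering is on by default
    revoked: bool = False     # abused the opt-out; can never unblock again

@dataclass
class IspPolicy:
    accounts: dict = field(default_factory=dict)
    list_of_shame: list = field(default_factory=list)

    def add(self, name):
        self.accounts[name] = Account(name)

    def opt_out(self, name, statement):
        """Disable default filtering only for the exact phrase, $NAME expanded."""
        acct = self.accounts[name]
        if acct.revoked or statement != OPT_OUT_PHRASE.format(name=name):
            return False
        acct.firewalled = False
        return True

    def report_abuse(self, name):
        """Account got 0wned: re-enable filtering, revoke opt-out, publish name."""
        acct = self.accounts[name]
        acct.firewalled, acct.revoked = True, True
        self.list_of_shame.append(name)

    def permits(self, name, proto, dst_ip, dst_port):
        """Would the per-customer ACL pass this outbound flow?"""
        if not self.accounts[name].firewalled:
            return True
        allowed = DEFAULT_ALLOW.get((proto, dst_port), [])
        return allowed is None or any(ip_address(dst_ip) in n for n in allowed)
```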
The alternative seems to be that the clueful will just tunnel everything
through whatever still works. Tunnelling through DNS requests is painful
but doable; tunnelling through most other things is almost tolerably
efficient by comparison. And I guess bandwidth is cheap enough now
that we can cope with a 20-50% overhead due to tunnelling.
 Anyone who can't automate doing it on each reconnection doesn't have
 Still, it'll make the ATM tax look cheap.