I'll be speaking next week at Arizona State University's "Computer Security Awareness Week" on the above topic. My talk is on Wednesday, November 2 at 11 a.m. at the Polytechnic Campus in Union Ballroom C, and will be followed by Erik Graham of General Dynamics speaking on Wireless Security. I've been told to be as technically detailed as I like, though I think this is a problem which is in greater need of having its economic aspects addressed, in order to drive the implementation of the existing technical solutions. Bruce Schneier has suggested that ISPs need to be held liable for malicious traffic they originate; I'd amend that to say that they should be held liable to the extent there are commercially reasonable measures to prevent, detect, and respond to such traffic and they don't do it. I agree with Schneier that the ISPs whose end users have compromised machines are in the best position to address the problems those compromised machines create--along with the manufacturers of the operating systems they run.