Re: Nimda et.al. versus ISP responsibility

From: John Oliver (john.oliver@hosting.com)
Date: 09/27/01


Message-ID: <3BB36BB0.AE80FD7C@hosting.com>
Date: Thu, 27 Sep 2001 11:10:56 -0700
From: John Oliver <john.oliver@hosting.com>
To: incidents@securityfocus.org
Subject: Re: Nimda et.al. versus ISP responsibility

Luc Pardon wrote:
>
> I'd like the opinion of the list on the attitude of ISPs versus
> worms. It is clear that we're going to see more of this.
>
> I think we all agree that connecting an unpatched IIS machine to the
> open Internet is acting irresponsibly. Most AUPs already prohibit
> spamming, port scanning etc. (at least on paper). Why not include
> "infection through negligence" as a reason for suspension? Maybe with a
> reasonable grace period the first time.
>
> Problem is that one ISP can't go it alone. If they pull the plug, they
> may lose the customer to a less responsible competitor.
>
> Unlike spammers, most worm victims are "offending" out of ignorance.
> Such a provision in the AUP would likely get their attention and maybe
> cause a mind shift towards "Unpatched Is Bad (tm)".

My $.02 (speaking for myself, not my employer...)

Personally, I would like to disallow any Windows machines from
connecting to a public network without first seeing proof that they're
properly patched, secured, and managed. Further, as soon as someone
announces "I'm an MCSE", their Ethernet should be pulled. I know
several good, knowledgeable people who are MCSEs, but they do *not* need
to go around trumpeting that fact... :-) As an extension to that,
seeing proof that all machines, whatever the OS, are properly managed
would be really nice, but a pipe dream (and insulting to your potential
customers).

Professionally, when I get an abuse report, I have someone in our tech
support staff contact the customer and explain the problem. Sometimes
we can only leave VM and/or email. If more reports come in with no
response from the customer, they get suspended. If they say they fixed
it, and more reports come in, they get a much firmer warning and a close
eye on the situation. And God help the poor "admin" who says "What does
that mean?", or "That's impossible!"... :-)

Basically, it will be very, very difficult to reach a point where proper
security is a nearly universal requirement. As it stands now, if
someone is tossed for their negligence, they can find hosting or
connectivity again within an hour. Especially with the economy the way
it is... *somebody* will take their money, just like the spam-friendly
ISPs. But that can't change the fact that there's only so many warnings
you can give as an ISP before *you're* negligent for not getting rid of
a known problem.

As for AUP provisions, they will help in legal after-the-fact
proceedings ("You can't just turn me off because some hacker took me
over!" "Ohhhh, yes we can!"). Nobody reads those. Sales will never
spend time going over stuff like that. And I doubt there's more than
five people on the face of the Earth who would read that and say "Oh,
geez... I think this means me. I don't really know what I'm doing..."

Now that we're going to be offering managed and dedicated hosting, these
incidents can probably be used as a sales tool... "You guys keep having
these security problems... for $XXXX per month, we'll take alll those
headaches off of your back" :-) And even for those without the ability
to offer such services, keeping the names and numbers of a few good,
trusted consultants around helps.

-- 
John Oliver
System Administrator
hosting.com, an Allegiance Telecom company
mailto:john.oliver@hosting.com
(858) 637-3600
http://www.hosting.com/

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com


