RE:Nimda et.al. versus ISP responsibility ---> a few thoughts

From: Bill_Royds@pch.gc.ca
Date: 09/27/01 

From: Bill_Royds@pch.gc.ca
To: Marc Ducharme <MDucharme@ViaNovus.com>
Message-ID: <85256AD4.006F3133.00@pch.gc.ca>
Date: Thu, 27 Sep 2001 16:14:23 -0400
Subject: RE:Nimda et.al. versus ISP responsibility ---> a few thoughts

The major fault has to be with Microsoft. Not with the software faults
themselves, since they are inevitable, but with the installation process.
  Any system that installs products without explaining the consequences to
the installer needs to bear the responsibility for those consequences.
  I have captured the hosts hitting my cable modem with Cod REd/Nimda et
al and used a wget to retrieve the home page.
As well as most often being cable/ADSL users, they are also running the
default IIS home page from a default install of Windows 2000. After
contacting one system, I found that he was not even aware that he was
running a web server, let alone that it needed patches.
   If the user is unaware that they are running servers, they certainly
are not going to path them, so MS is at fault for installing them by
default.
  The EULA doesn't help Microsoft there, because I didn't agree to it and
it was MS software that was attempting to attack me, without its user's
permission.
  I would hope that a corporation that has spent millions of dollars in
bandwith and network maintanance becuase of this takes MS to court for
willful negligence.

I do not speak for my employer in this.

To:
incidents@securityfocus.com
cc:
(bcc: Bill Royds/HullOttawa/PCH/CA)

Subject:
RE:Nimda et.al. versus ISP responsibility ---> a few thoughts

This is only one aspect of the problem.

People who create and distribute these should be brought to justice. It is
really a form of cyber-terrorism and should be punished the same way as
people who place bombs. Granted, there is less violence, but the intent is
the same.

Ultimately, MS has a large share of responsability when they release
software that can be exploited in such a fashion. We need some
accountability here.

I also think that ISPs could react to protect their clients when worm
spreads. Adding a few lines to their routers to block a worm's profile
should not be a big deal.

Marc Ducharme
IT consultant

   I'd like the opinion of the list on the attitude of ISP's versus
worms. It is clear that we're going to see more of this.

  I think we all agree that connecting an unpatched IIS machine to the
open Internet is acting irresponsibly. Most AUP's already prohibit
spamming, port scanning etc. (at least on paper). Why not include
"infection through negligence" as a reason for suspension? Maybe with a
reasonable grace period the first time.

  Problem is that one ISP can't go it alone. If they pull the plug, they
may loose the customer to a less responsible competitor.

  Unlike spammers, most worm victims are "offending" out of ignorance.
Such a provision in the AUP would likely get their attention and maybe
cause a mind shift towards "Unpatched Is Bad (tm)".

  What do you all think ?

  Luc Pardon
  Skopos Consulting
  Belgium

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Relevant Pages

  • Re: MS-MVP Moniker
    ... that was not part of the Windows installation must be working too, ... take responsibility for the lost documents, e-mails, programs, MP3's, ... MVP - Windows Shell/user ... >I see on many of the replies to questions posted on this group where the OP ...
    (microsoft.public.windowsxp.general)
  • RE: Nimda et.al. versus ISP responsibility
    ... Subject: Nimda et.al. ... versus ISP responsibility ... > I think we all agree that connecting an unpatched IIS machine to the ...
    (Incidents)
  • Re: Great Blackout of 2003 Caused by MSBlast Computer Worm?
    ... > The only answer is for both vendor and client to take joint responsibility. ... the production installation. ... users into the control network. ... where an engineering firm has designed a plant floor ...
    (comp.security.misc)
  • RE: Nimda et.al. versus ISP responsibility
    ... And No I do not work for an ISP. ... This freedom places the burden of responsibility solely on the user. ... on my network that is acting offensively, ... and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • Re: SP2 is a problem
    ... >machines and the existing installation of Windows. ... >Microsoft left you no choice but to install, ... >> customer's responsibility to know the intricate ...
    (microsoft.public.windowsxp.perform_maintain)