A few months ago, Mike Bierstock, who runs a tiny property management
business in Waterloo, Ont., found his office system had been compromised
- either by a virus or hacker, he's not sure - and he was slapped with a
terrific bill for the volume of traffic generated by his computer. His
access provider forgave some of his initial bills, but did nothing to
help him clean his system, so the problem continued. Ultimately the ISP
killed his account, hitting him with a bill of $11,000.
[...]
Mr. Liber simply declared bankruptcy. "They knew about the worm way
before any billing had accumulated," said Mr. Liber, now senior account
executive with iTel Solutions Inc. "They also confirmed that while they
knew that there was a worm and that they knew it was not our doing,
they [say] the responsibility is ours. Yet only they could have stopped
the worm and the massive amount of bandwidth that was flowing through
because of this worm."
Did your computer have a power switch? Did you turn it off? Or did you
continue to let it run up the bill? Yes, even the complete computer
novice can stop a computer room. Turn off your computer. If you don't
know how to fix it, take it to a repair store.
If you leave your lights on, the electric company will send you a bill.
If you leave your faucets running, the water company will send you a bill.
If you leave your computer infected, ???
** Reply to message from "Laurence F. Sheldon, Jr."
<LarrySheldon@cox.net> on Thu, 10 Jun 2004 12:39:41 -0500
Sean Donelan wrote:
> Does the water company fix your toilet if it leaks water? Or do you call
> a plumber?
On the other hand, if the water company was sending pollutants in the
water you bought, there was a perceived responsibility upon the water
company.
Now, which broken metaphor (leaky toilet, pollutant contaminated
stream) best fits the problem at hand?
Take all the time you need, we will wait.
That's an easy one.
Leaky toilet - a properly maintained toilet doesn't leak and waste
water, no matter what is in the inflow. If you want to drink from your
toilet, that's your problem.
We offer spam and virus filtering. We block many of the popular worm
access ports at the edge and core (which can be a real pain). We offer
a CD full of firewall, AV, and anti-spyware programs for the asking.
But ultimately, _you_ are responsible for your own systems.
The plumbing code require water consumers to have/install/maintain
backflow prevention valves at the customer's expense to prevent pollutants
from one customer from affecting the water supply.
Water companies issue "boil orders" but usually don't shut off the water
supply if the water fails to meet EPA standards. In that case it is
the responsibility of the user to boil the water before drinking or using
in cooking.
Almost every ISP has a "boil order" in their terms and conditions.
But ultimately, _you_ are responsible for your own systems.
When I detect abusive behavior coming from a customer site then
it is my responsibility to make sure that doesn't affect the
rest of the world.
Also, if I know how to fix it at source and the customer doesn't know
then it's my responsibility to make sure the customer has the tools
and resources to fix it. How fast it gets fixed is not a primary
concern because of the previous paragraph.
Parallels to fire/water/electricity/etc. don't quite work
because there is a big difference between the worm that came
out yesterday and the National Electrical Codes that came out
last century.
** Reply to message from "Laurence F. Sheldon, Jr."
<LarrySheldon@cox.net> on Thu, 10 Jun 2004 13:06:43 -0500
Jeff Shultz wrote:
> But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
A. Straw man
B. Apple/Kumquat arguement
Who is the victim here? The user who's computer was infected due to
their own lack of responsibilty (and was not fixed... remember that
part, _was_not_fixed_), or the ISP who isn't going to get a rebate on
their upstream bandwidth bill that was in turn inflated by that
customer.
The "victim" in the case Sean posted knew he had a worm, got some of his first bill forgiven, yet did nothing to correct it and acts surprised when the same thing happens the next month. YES, he is at fault. Anyone who thinks differently .. uh .. can I buy b/w from you? Oh, and since you feel responsible, I'm only going to pay for the amount of traffic I think I should have gotten on my web page, even if I get /.'ed or something. Does $25/Mbps sound good? I plan to use about 1 Mbps, but I will need an un-rate-limited GigE connection.
Back on topic, most users get upset when you do things like block ports because it breaks random crap they want to use. If you want something open, then you are responsible for what crawls through.
If you want the b/w provider to protect you, then ask them. Just be prepared to pay, because b/w prices these days do not include security services.
OTOH, as a good netizen, the upstream might want to cut off those users spewing to the rest of the 'Net.
> But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Which water company is sending you 85% TriChlorEthane? More than likely
its your next door neighbor with a defective system leaking it. The water
company didn't put TriChlorEthane in the water, someone else did.
Right. Got it. The victim is always responsible.
Who is the perpetrator and who is the victim? The mistake is trying to
put the blame on one of the parties, which isn't responsible for it.
Blaming the water company simply distracts you from fixing the real
problem, your neighbor's chemical waste dump.
If your ISP tells you your computer is infected, do you have any
responsibility to fix your computer?
If you fail to fix your computer, or have it fixed, are you still an
"innocent" victim or have you become part of the problem? Have you become
the chemical waste dump, and you are now responsible for dumping 85%
TriChlorEthane in your neighbor's water?
...the distinction btwn content, delivery systems, and customer
owned equipment. context shifting... anyone (else) remember
when all kit that touched the telephone network was owned
by the telco? ... and ostensibly why?
bit-pipes are a -very- comfortable business model; "we just
pass the bits, we don't mess w/ them" - pushes the mitigation
issues elsewhere and/or opens new business opportunities.
of course neither my mother nor my daughters know or care
about gcc ... and they pay to have someone to blame.
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
Are they really a victim though? In Sean's post the person had fair warning. The problem in this day in age is the terrible lack of self responsibility. That and the fact that a large percentage of people are just plain lazy, which makes for a bad combination. Instead of taking action it's much easier to just be lazy and blame someone else.
Victims are innocent bystanders, not excuse makers.
If you leave your lights on, the electric company will send you a bill.
If the neighbor taps into your power lines after the meter...?
If you leave your faucets running, the water company will send you a bill.
If you leave your computer infected, ???
If you lose your credit card and someone runs up thousands of dollars
in charges, the credit card company sends you a bill... But you can at
most be held responsible for $50.
Does that really mean anything with respect to Mr. Donelan's quoted
article? Not really. But neither do electric and water bills.
I have some sympathy for the malware victim. But I don't expect the
ISP to eat all of the costs. The article is more balanced than the
selected quotes portray.
> If you leave your lights on, the electric company will send you a bill.
If the neighbor taps into your power lines after the meter...?
That will be a criminal matter between you and your neighbour.
> If you leave your faucets running, the water company will send you a bill.
> If you leave your computer infected, ???
If you lose your credit card and someone runs up thousands of dollars
in charges, the credit card company sends you a bill... But you can at
most be held responsible for $50.
Which is a 'feature' of most credit cards, irrelevant to criminal law.
-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben --
-- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
> If you leave your lights on, the electric company will send you a bill.
If the neighbor taps into your power lines after the meter...?
Not a reasonable argument. It is expected that unpatched hosts will get
infected
and it has been well reported on how users should protect themselves. A
neighbor
tapping another power is not something to occurs often. It is not reasonable
to expect
this to happen. It's not even a reasonable argumnet.
I think we're drifting from the original point here..
What it boils down to is this: If I have a DS3 to a provider in my
office and my provider notifies me that I have a worm, is it my
provider's responsibility to fly someone out here to help me fix my
systems? No. I'm the guy controlling them and I'm the one who has to
take the responsibility. So what if I don't know how? Well, surely
they can advise me where to look for the requisite information. And if
thats insufficient, I can contact a consultant to come in and help me
clean up my network but thats the key, it's MY network and MY job.
My service provider is responsible for transporting the traffic. Even
if it's "bad" traffic. I'm the one who is responsible for making sure
that the traffic originating from my network is the traffic I *want*
to originate from my network. Obviously, if the provider chooses to
implement policies (such as cable modem providers and so forth) that
restrict the type of traffic I'm allowed to source, thats their
business. It's still my job to make sure that my servers are clean.
I suspect I might be come after with pitchforks for this analogy, but here
goes...
Look at it from this perspective: it's the responsibility of the various
Departments of Transportation (and other Governmental and Private
authorities) to upkeep roads, but it's not their job to fix your car. If
your car is broken, you may be stopped by a police officer, but he's not
going to fix your car either. That's the user's responsibility.
Change the word "victim" to "negligent party" and you're correct.
Ignoring all of the analogies and metaphors, the bottom line is that ISPs
are _not responsible_ for the negligence of their customers, and that ISPs
are _not responsible_ for the _content_ of the packets we deliver. In
fact, blocking the packets based on content would run counter to our sole
responsibility: delivering the well-formed packets (ip verify unicast
reverse-path) where they belong.
Remember, we're service providers, not content providers. Unless your AUP
or customer contract spells out security services provided (most actually
go the other way and limit the liability of the service provider
specifically in this event), then your customers have to pay you to secure
their network (unless you feel like doing it for free), or they are
responsible, period.
As far as I'm concerned, that guy would have a better shot at suing
Microsoft then challenging his bandwidth bill.
Look at it from this perspective: it's the responsibility of the various
Departments of Transportation (and other Governmental and Private
authorities) to upkeep roads, but it's not their job to fix your car. If
your car is broken, you may be stopped by a police officer, but he's not
going to fix your car either. That's the user's responsibility.
i have a tee shirt from about '96 which says "we build the
information superhighway. we don't fix your car."
Your contract with the water company is for them to deliver you water.
They make a best effort to do just that, but, inherently, there's stuff
besides dihydrogen-oxide in your water. In most parts of the US, for
the most part, the other stuff isn't significant and nobody worries about
it. However, if you have a broken toilet that leaks, there is not a single
water company on the planet that will forgive your bill for the water that
leaked through it.
On the other hand, generally, your contract with your ISP says that you
expect them to deliver packets destined for your IP address to your system
and that you expect them to accept packets from your computer system and
deliver them to the rest of the internet. You've contracted for the internet,
not for water. The internet contains worms, viruses, hackers, spammers, and
the like. It is well known, and, expected behavior of the internet.
You have not contracted your ISP to run your system for you. You have
contracted them to deliver packets. In the scenario described, the
"victim" was a victim of his own actions. The ISP was generous in
forgiving his bill(s) at first, but, he chose not to fix the toilet.
He could have fixed the toilet at any time and yet, for months, he
chose not to. Why should the ISP pay the costs incurred because he
chose to continue to run a system he knew was infected and chose not
to fix?
But ultimately, _you_ are responsible for your own systems.
When I detect abusive behavior coming from a customer site then
it is my responsibility to make sure that doesn't affect the
rest of the world.
To some extent, yes. I agree that his ISP should have shut him down
much earlier than they did, but, I suspect this guy would be pretty
unhappy about that, too.
Also, if I know how to fix it at source and the customer doesn't know
then it's my responsibility to make sure the customer has the tools
and resources to fix it. How fast it gets fixed is not a primary
concern because of the previous paragraph.
I'm less convinced of this. Certainly, it's the nice thing to do, but, I'm
not convinced you have any responsibility. It's what I would do. It's
the neighborly thing to do. It's the good customer service thing to do.
All of those things put it in a very different context than "I have a
responsibility".
Parallels to fire/water/electricity/etc. don't quite work
because there is a big difference between the worm that came
out yesterday and the National Electrical Codes that came out
last century.
Yes and no. If a customer starts dumping dirty power onto the electric
grid, believe me, it will cause problems for other customers almost
as quickly (although over a smaller area) as yesterday's worm. If
the sanitary sewer develops a clog at the end of the street, it is
the neighbor at the bottom of the hill that will suffer when the
neighbor at the top of the hill flushes.
The analogies at least work in terms of who has responsibility for
fixing the machine. It is not your responsibility to fix your customer's
machine unless that is an additional service they have contracted you
for. I don't want my ISP telling me how to run my machine, nor do I want
them controlling what packets I do and don't receive. Customers who do
want those services should be able to find ISPs that offer them as a
value add. I don't want them, and I would be angered if they were dictated
to me.
Oh, and since you feel responsible, I'm only going to pay for the amount of traffic I think I should have gotten on my web page, even if I get /.'ed or something. Does $25/Mbps sound good? I plan to use about 1 Mbps, but I will need an un-rate-limited GigE connection.