Open, anonymous services and dealing with abuse

Recently, Daniel Reed <n@ml.org> wrote:
The *truly* unfortunate fact is lots of ISPs like to do things like throw up
firewall rules and then expect other people to clean up after the real
problems they are simply evading.

Consider this: A pathogen is developed that kills anyone with which it comes
in contact. People across the world are randomly exposed to the pathogen and
begin dying en masse.

Short-term public interest would seem to necessitate that hosting public
meetings should now be discouraged, if not outright banned. In some areas,
ordinances might be passed requiring that any human contact be made only if
both parties know each other, and can prove they have adequate air
filtration.

This isn't the plot to next summer's killer Sci-Fi horror movie; this is
what we are dealing with on the Internet today. In either case, the long-
term public interest would probably be served more by funding agencies to
track down and stop the spread of the pathogen.

The problem is, your analogy is too extreme; if people really
*were* dying, there'd be more attention paid to it. Unfortunately,
if we look at a more real-world case, like herpes, you realize
that we don't take contagion very seriously unless people are
dying from it. Instead, we end up with ora-gel, anbasol, and
other such fun products to take the sting away without actually
doing anything. Likewise in the network, we have a similar
approach; when the cold sores flare up again, apply a topical
solution to take some of the sting away, and then continue
life like normal...including spreading that numb-but-still-infectious
cold sore to others.

Trojaned PCs and zombie proxies relaying spam are like cold
sores; they don't kill anyone, they just make things mildly
uncomfortable, so we numb them over, and go about our
business like normal, even if that includes allowing the
infection to spread even further.

If proxies *did* kill, then yes, we'd take them seriously;
but anything short of that, and real life tells us we won't
take them seriously enough to try to do real research into
ultimately stamping them out.

--
Daniel Reed <n@ml.org> http://naim-users.org/nmlorg/ http://naim.n.ml.org/

Matt, feeling pessimistic this morning

But proxies do "kill" - the trojaned "owned" PCs are and have been
for years used to create distributed DoS attacks which can easily
kill a site or even a smaller network. There is enormous potential
harm from them, and that is in addition to the normal everyday, less
articulated harm because of spam and more, in that mail servers and other
infrastructure are being used for it. ISPs end up paying for all this.

Everybody thinks if it's not us, we don't have a problem, so we don't want
to spend anything to fix it - but it's not true, you already are paying
for it due to the increased cost of operation. The cost of fixing your own
network, if even 50% of other ISPs did it, would in the end be smaller.

I hate to see government get involved in anything, but perhaps
some law holding PC owners responsible for SPAM that comes
from their unpatched machines AS LONG AS there is ample
notification to that user that their machine is compromised.

Also, ISPs should be held responsible for allowing unpatched
machines to be connected to them and for e-mail to be propagated
from there.

Sounds like an unfunded "mandate", and it probably is, but there
is the concept of "attractive nuisance" in the law now.

Again, any law would need to be designed to allow for AMPLE
notification to the owner of the offending machine/ISP to allow
time for them to fix it. Only then would there be a requirement
that their ISP disconnect them or face fines.

We don't need more new laws. There is already a law - in most parts of the world you can be charged with "contributory negligence" for failing to secure an "attractive nuisance" and then a third party is injured or damaged due to your negligence. In any part of the world that doesn't have such a law, a "new law" in another part of the world wouldn't matter anyway.

What is needed is for someone to CARE enough to bother to investigate and prosecute. And yes, it's going to cost "more than it's worth" to prosecute, at least the first few times. Someone has to decide that the long-term good is worth the price of being the leader in this charge.

IMHO, you should sue both the owner of the PC (for negligently failing to properly secure their computer, or to fix it when notified), and sue Microsoft (for negligently producing and selling software that was so easily compromised) as they are both responsible for the hardware/software that was used to damage your servers/network etc. Microsoft's EULA doesn't apply to you as a third party who is damaged by their faulty software. You should also consider an offer to settle with the PC owner if they agree to jointly sue Microsoft on your behalf. You are not held to the EULA, but they are, but since Microsoft's software is *negligent* it's possible that the EULA doesn't penetrate their inherent liability to not produce a product that causes harm. (A EULA won't protect a ladder maker from negligently building and selling a ladder on which people get hurt when they use it for its intended purpose.) But we won't know until someone digs down into their pockets and funds a lawsuit to try it out.

Sorry about the lack of operational content in this post, but sometimes you have to consider the costs and benefits of both operational solutions and other solutions (e.g. legal solution) in order to determine which solution is the best one for your network, both in the short term and in the long term.

jc