RE: Even you can be hacked

Of course, except in this case, the phone company can't easily tell the
legitimate calls from the illegitimate ones and block only the illegitimate
ones. Every analogy will break down, so don't expect to be able to convince
people with analogies that seem so obviously right to you. Nothing is
exactly accurate except the actual situation itself.

  And, again, alomst every contract has some insurance elements to it. There
will be unusual cases where it's actually possible for the utility to lose
money if something unusual happens. My main point is that the understanding
that seems so obviously right to you may not seem so obviously right to your
customers.

  As for all the people who talk about turning off their DSL access when
they're away from home, they're missing the point. Obviously a person could
do that. We could shut off our electricity when we leave home. We could have
our telephone service temporarily disabled when we go on vacation too. A
person could do all of these things. My point is that it's also perfectly
reasonable for a person not to do these things. Because in general an ISP
has more ability to control these things and it makes very little sense for
a home user to insure an ISP, it makes more sense for the ISP to insure the
user.

  In any unfortunate situation, you can find a hundred things that anyone
could have done differently that would have avoided the situation. But that
is not how you establish responsibility, financial or moral. You look at
people who failed to use reasonable prudence.

  And, of course, the ISP always (or very nearly always) insures the user
against the costs of inbound attack traffic that exceeds his line rate. The
more demands you make of your customers, the more you decrease the value of
your very own product.

  Frankly, if I ruled the world, obtaining Internet access would require a
serious cluefulness test and you'd take a lot more responsiblity for
generated traffic. I know a lot of people on this list wish things were the
same way and sometimes want it so much that they're able to convince
themselves that this is the way things actually are in the real world today.
But they're not, and you may find that outside your group of friends, your
views are found to be very odd by the majority of 'normal' (but, admittedly,
inferior) people.

  The arguments that seem so obviously right to you may be greeted by
amusement and the analogies you think work will be found unconvincing. This
is because this argument is largely about other people's expectations.

  DS

This thread is quite amusing and interesting at the same time. If I read
the original post right, Mr. Mike Bierstock was informed that he was
generating an unusual amount of traffic, traffic he would have to pay for.
He got the bill and had to deal with the consequences. What is wrong with
that? Does it matter how this traffic was generated?

Adi

the bottom line

  o if you want the internet to continue to innovate, then
    the end-to-end model is critical. it means that it
    takes only X colluding end-poits to deploy an new
    application which might be the next killer ap which
    drives your business. remember, email was not part of
    the original spec; http was not; jabber was not; ...

    this is in opposition to the telco model, where billions
    need to be spent uprading a smart middle to do anything
    new. and guess who gets the profits, if any considering
    what the deployment did to capex and opex.

  o this means that the network will also transport bad
    things; kinda like the phone network will carry obscene
    calls. damned shame, but that's the price you pay for
    liberty. or you can ask john poindexter (aka vigilante
    isps) to defend liberty for you and find all sorts of
    very unlovely and long term consequences.

  o this moves the burden for security to the edges, to the
    site boundaries, which may not care if their users can
    be early adopters of the next wannabe killer ap, and to
    the end-points, the hosts themselves.

  o but there are jillions of end-points; well yes, there
    are jillions of telephones too. and it's gonna be hell
    to clean up after the fact that they were designed
    without security, some have 80 jillion lines of code
    sitting on the laptops of naive users, blah blah.

    you want to support a free society, then the poupulace
    has to be educated. ain't no magic pixie dust here.
    they know how to recognize and maybe even report a
    'breather' when they pick up the phone. we'll they
    gotta recognize a bad attachment when they get the
    email.

    and the software vendors have to clean up the jillions
    of lines of cr^h^hsoftware they have on the end users'
    desktops. and they are, half out of clue and half out
    of the smell of liability. but it will take a while.

there ain't no free lunch.

randy, who is clearly thinking of lunch, or maybe just out
       to lunch

This thread is quite amusing and interesting at the same time. If I read
the original post right, Mr. Mike Bierstock was informed that he was
generating an unusual amount of traffic, traffic he would have to
pay for.
He got the bill and had to deal with the consequences. What is wrong with
that? Does it matter how this traffic was generated?

  Well, it depends upon the contract between the customer and the ISP. It
matters if the traffic was actually delivered. For example, if the traffic
was attack traffic that hit the ISP's filter, is it fair to charge the
customer for the traffic because it came over their line? If the ISP had an
obligation to stop attack traffic from their customers from getting onto the
Internet, yes, it matters if the costs are due to the ISP failing in that
obligation.

  As I understood this example, this was traffic that the ISP knew was
generated by a worm. The ISP had an obligation to stop this traffic with
filters or customer disconnection. They may or may not have complied with
their obligation. Either way, it's hard to see why the customer should pay
for traffic the ISP did not or should not have delivered.

  The customer could justifiably be billed for the extra costs he imposed
upon his ISP in dealing with his attack traffic, but not for the traffic
itself once it was identified. As I said, at the point the ISP should not
have delivered it. Doing so creates more victims, and the ISP has a greated
responsibility than the customer because they have greater knowledge and
control.

  It doesn't matter much what the contract says if the ISP wrote it and the
customer didn't understand it.

  Ask yourself a single yes or no question -- does an ISP have a
responsibility to stop worm traffic generated by their customers from
getting onto the Internet once they have identified it? And is so, does it
matter whether or not the customer cooperates?

  DS

If there is a lesson here, seems to me it's that those innovative protocols
should be designed such that it is relatively easy to prevent or at least
discourage "bad traffic". Because that's in the long run easier (read
cheaper for those of you of a free market bent) than educating users in an
ever changing environment. It would be a bit rich to criticize SMTP
(for instance) as misdesigned for not bearing this in mind given
the difficulty of anticipating its success at the time, but there is a
lesson here for other protocols. I can think of one rather obvious one
which would seem to allow delivery of junk in many similar ways to SMTP;
hadn't thought of this before but we should be learning from our
mistakes^Wprevious valuable experience.

Alex

I can agree with that and Randy pointed out when these
idea's were created and writen, security was not part
of the overall plan because there were trusted parties
on either end of the spectrum.

I think that my intent was noble and I am glad I
started a controversy, because this is an issue that
needs to be addressed as we move forward with internet
development and secure application development.

Working for a telecomm/datacomm company gives me some
insight into the problem, I am looking into it deeper
from a hardware perspective, of designing a solution
that goes on a board among other system's issues...

Yeah I brainstorm too, and also being an end user
client I think about the end result of no solution and
people overwhelemed with issues that lead to no
solution to people so overwhelmed they think
legislating law can fix broken code.

It does help when the architects give me insight to
the issue and how immense it is and what to look at
when I am determining the end result of any of my
efforts.

-henry

yes, we're gonna hack desperately for a decade to make up
for asecure (innocent of, as contrasted with devoid of,
security) application protocols and implementations. it'll
take half that time for the ivtf and the vendors to realize
how deeply complexity is our enemy. and until then we'll
hack everywhere in our desperation.

but in the long run, i don't think we can win with an active
middle.

the problem is that the the difference betwen good traffic
and bad traffic is intent. did the sender intend to send /
reveal those data? did the recipient wish to receive them?

and, i don't think we can stand in the middle and judge.
and there's the rub.

the cute example is, as i said to you privately, that i have
customers who wish to receive what is sent by what i think
of as malicious folk. the recipients are security folk and
net-sociometricians. so who am i to judge? some people
even eat at macdonalds.

randy, who enjoyed his lunch of seared ahi and asparagus

ISP's deliver properly addressed packets to their destination (the return
address sometimes isn't checked).

Do ISP's have obligation to stop certain packets, based on what? What
does your contract say? Did you pay the ISP to provide filters? Did you
include a phrase that said the ISP had to give you 30 days notice and
reasonable time to cure the breach before the ISP could terminate your
service? Did the contract say the ISP would block traffic generated by
worms?

As people regularly point out, the Internet is a dangerous place. Is
it as dangerous as going to a baseball game?

  BOSTON, Massachusetts (AP) -- A woman who was seriously injured by a
  foul ball at Fenway Park has no grounds to sue because she assumed a
  risk by attending the baseball game, a state appeals court ruled.

  The Red Sox "had no duty to warn the plaintiff of the obvious danger of
  a foul ball being hit into the stands," the court said Wednesday in
  blocking Jane Costa's personal injury lawsuit from going to trial.

It would be much easier if evil doers followed RFC3514. Determining
"intent" from the bits is difficult. If you call a customer up and
ask Did you know your computer is generating a lot of network traffic
and your bill will be very large; the customer says Ok. What should
you do? Assume the customer is an idiot, and even though they said
Ok, you should cut off their Internet connection anyway.

If your child borrows your credit card, and makes lots of unathorized
charges, you may not have to pay more than $50; but the bank can go after
your son or daughter for the money. Most parents end up paying, even if
they didn't authorize their children to use the credit card.

If the bank sends you an ATM or debit card statement, and you fail to
report unauthorized transfers on the statement after 60 days you may be
responsible for unlimited loss. You can lose a lot of money if you think
its other people's responsibility to protect you. You are responsible for
reviewing the statement and informing the bank of unauthorized activity;
not the bank.

Why do so many people ignore their ISP when told about problems with their
computer? My computer can't be infected, I have a firewall.

Paul Vixie proposed that people should be required to use personal Co-Lo
so the co-lo provider has collateral to seize when the customer fails to
keep the computer secure. Would customers complain if ISPs started
seizing their computers instead of sending them large bills?

Should ISP's charge customers cleanup fees to encourage them to keep
their computers secure? $10 or $100 or $1,000 per incident? Should it
be like points on your Internet driver's license? For the first incident
you have to attend 8-hour traffic school, for the second incident in 12
months you have points put on your record and your insurance rates go
up. Too many points, and your Internet privileges are revoked.

we americans do not readily accept responsibility for our
[in]actions. we sue for being hit by a baseball while
attending a game. we sue for spilling hot coffee on
ourselves. we sue when we walki into open trenches and
manholes. and we self-righteously torture, commit war
crimes, and murder, at a digital distance, and expect
immunity in the world opinion and courts.

it's a small planet, but our culture still has the vision
of the infinite resources of the frontier. so, if i can't
get what i want, or if i get what i don't want, surely
someone else is at fault.

randy, who clearly has pontificated enough for the day

If your child borrows your credit card, and makes lots of unathorized
charges, you may not have to pay more than $50; but the bank can go after
your son or daughter for the money. Most parents end up paying, even if
they didn't authorize their children to use the credit card.

So the credit card company calls you and asks about a bunch of suspicious
charges being placed on you card. Ok, just keep on charging. Now who's to
blame for these charges by your sons and daughters and the russian mafia?

I sell a client a metered product (gas, water, electricity, telephone,
internet data, etc). I notice unusually high consumption. I inform the
client that the bill is accumulating rather quick and I suspect a problem.
I have done my job. The client either tells me to stop delivery until the
problem is diagnosed and resolved or tells me to continue service. Either
way, the ball in in the clients court. If the client chooses continuation
of service despite high consumption and subsequent huge bill he has an
obligation to pay, no matter WHY the usage was to high.

Our society has a screwed up sense of responsibility. Everyone else is
supposed to look out for me and take care of me. If something happens to
me because I do something stupid or foolish someone failed to warn me,
didn't make the sign big enough, didn't sound the horn loud enough, didn't
lock me up so I couldn't hurt myself. This isn't true for everybody but
way too many....

Adi

Scalable bandwidth is not new and is charged for, what
is the issue about that?

If the network is compromised and it is on the client
end, that is what business insurance is for, so that
everyone gets their's (payments, otherwise other types
of arrangements need to be made, according to the
doctrine of reasonable man....

-henry R Linneweh

attending a game. we sue for spilling hot coffee on
ourselves.

http://lawandhelp.com/q298-2.htm

Interesting reading on that whole "woman sues for spilling hot coffee on herself" story. Sometimes there's a LOT more to the tale.

http://lawandhelp.com/q298-2.htm

while i am no fan of macdonalds, and a good case is made for
their negligence, perhaps you should follow the advice at the
bottom of that web page

    The most important message this case has for you, the
    consumer, is to be aware of the potential danger posed
    by your early morning pick-me-up.

randy

Randy Bush wrote:

http://lawandhelp.com/q298-2.htm

while i am no fan of macdonalds, and a good case is made for
their negligence, perhaps you should follow the advice at the
bottom of that web page

    The most important message this case has for you, the
    consumer, is to be aware of the potential danger posed
    by your early morning pick-me-up.

randy

Or, go see the movie "Super Size Me" - you might just give up McDonald's entirely, reducing your risk of burns from their overheated coffee.

sean@donelan.com (Sean Donelan) writes:

...

Why do so many people ignore their ISP when told about problems with
their computer? My computer can't be infected, I have a firewall.

in any other industry, you (the isp) would do a simple risk analysis
and start treating the cause rather than the symptom. for example you
might offer inbound filtering, cleanup tools and services, and you would
put their computer in cyberjail when it was known to be "infected", and
you would certainly not offer your services without a clear idea of how
to reach the customer and assist them in getting out of cyberjail --
even if it meant rolling a technician.

but then you'd have to charge for all that. and in the isp business,
you'd have competitors who wouldn't offer it and wouldn't charge for it,
and you'd lose business or maybe even go out of business.

with the unhappy result being that you just let it happen, which is bad
for your customers, and bad for the rest of us on the internet, but not
nearly as bad for you (the isp). for you (the isp), every possible cure
is worse than the disease. but you don't seem to mind that the rest of
us, and your customers, catch various diseases, as long as *you're* ok.

feh.

Paul Vixie proposed that people should be required to use personal Co-Lo

                                  ^^^^^^^^^^^^^^^^^^(1)

so the co-lo provider has collateral to seize when the customer fails to

                            ^^^^^^^^^^^^^^^^^^^(2)

keep the computer secure.

well, no. i (1) said that people who had personal co-lo boxes in better
internet neighborhoods and who could just use their cable or dsl line
for web browsing and for access to their personal co-lo box would have
less of their e-mail rejected at the far end. and as for (2), i think
that anyone who co-lo's a personal box is likely to first learn how to
pay enough attention to it that it will not become a malagency for third
parties, and that a co-lo operator who only had such customers would be
able to charge enough to pay for some monitoring and cleanup and so on;
the possibility of seizure is more for the case of deliberate abuse (like
ddos'ing an irc server, or sending spam, or hosting spamvertized www)
than third party abuse.

see <http://www.vix.com/personalcolo/> for more information about all that.
and note that i'm broadening it to include smtp-auth/webdav/ftp providers
who want to serve basically the same market but without dedicated iron. so
if you offer that and havn't told me, then please tell me now.

Would customers complain if ISPs started seizing their computers instead
of sending them large bills?

that's so unsequitur that i don't even know how to read it let alone answer.

Should ISP's charge customers cleanup fees to encourage them to keep
their computers secure?

yes.

$10 or $100 or $1,000 per incident?

no. there should be a forfeitable deposit, plus an per-incident fee which is
mostly to pay for the cost of monitoring and the cost of auditing the host
to ensure that it complies with the isp's security policy before it can be
reattached. the deposit can be refunded after N years of incident-free
behaviour, and should be doubled after each verified incident.

Should it be like points on your Internet driver's license? For the
first incident you have to attend 8-hour traffic school, for the second
incident in 12 months you have points put on your record and your
insurance rates go up. Too many points, and your Internet privileges are
revoked.

alas. on the internet, nobody knows you're a dog.

alas. on the internet, nobody knows you're a dog.

http://www.nettime.org/Lists-Archives/nettime-l-0405/msg00057.html

Or, go see the movie "Super Size Me" - you might just give up McDonald's
entirely, reducing your risk of burns from their overheated coffee.

Haven't been in one on over 2 years - and not through any great principal, I
just stopped. Odd how our tastes change with age

Peter

in any other industry, you (the isp) would do a simple risk analysis
and start treating the cause rather than the symptom.

What other industry do you know where you are expected to fix products
you didn't sell and didn't cause for free? Should we revoke Carterphone?
You can't connect a Tivo or unauthorized device to your ISP connection,
and ISP would remotely control all the devices on your home network to
ensure they are patched and secure.

Send me your root passwords. Trust me.

for example you
might offer inbound filtering,

Done. Effectiveness?

cleanup tools and services,

Done. Effectiveness?

and you would put their computer in cyberjail when it was known to be
"infected",

Done. Effectiveness?

and you would certainly not offer your services without a clear idea of how
to reach the customer and assist them in getting out of cyberjail --

Done. Effectiveness?

even if it meant rolling a technician.

Done. Effectiveness?

Been there, done that. Got any new ideas?

no. there should be a forfeitable deposit, plus an per-incident fee which is
mostly to pay for the cost of monitoring and the cost of auditing the host
to ensure that it complies with the isp's security policy before it can be
reattached. the deposit can be refunded after N years of incident-free
behaviour, and should be doubled after each verified incident.

How much are you willing to pay?

The bank industry makes billions from late payments, overdrafts, charge
backs. It makes banks a lot of money, and puts people in bankruptcy, but
doesn't seem to be very good at teaching people to handle credit wisely.

People already think ISPs make money from infected computers and spammers.
What incentive would there people to fix things instead of just paying
them off? Is it Ok to spam, as long as you pay a lot? Is it Ok to leave
an infected computer on the network, as long as you pay a lot? Haven't
you just described what "bullet-proof" web hosting companies do?

How do we create incentives for people to want to buy more secure
products? Why do people continue to buy Windows instead of Macs?
Cars have a gas guzzler tax to encourage fuel efficiency; should Windows
computers have a security guzzler tax to encourage security?

> Should it be like points on your Internet driver's license? For the
> first incident you have to attend 8-hour traffic school, for the second
> incident in 12 months you have points put on your record and your
> insurance rates go up. Too many points, and your Internet privileges are
> revoked.

alas. on the internet, nobody knows you're a dog.

Regulations could fix that.

The US Postal Service has the Postal Inspection Service. They have
jurisdiction anywhere the mail goes. The post office didn't create
the Anthrax, they delivered the envelopes as addressed.

Most railroads have railroad police with jurisdiction anywhere the
railroad tracks go. Some railroad police departments have trans-national
jurisdiction in multiple countries.

Do we need an Internet Police with jurisdiction anywhere the Internet
goes? Instead of waiting for the FBI to make a case, the ISP police
could arrest people.

Should ISPs be required to forward all their customer information
and logs to the Department of Homeland Security (or other national
equivalent) so they always know who is doing what. Would that solve
the no one knows you're a dog problem?

Yep...and after 65 years (assuming she started drinking coffee at 16), "reasonable expectation" of the temperature comes to mind.
I don't go to these kinds of places...has the temperature been climbing up in order to let you have a drinkable cup after (whatever
you do) an hour?

--Michael

Sean Donelan wrote:

and you would certainly not offer your services without a clear idea of how
to reach the customer and assist them in getting out of cyberjail --
   
Done. Effectiveness?

If you do this and keep them there until they are fixed, your network should qualify as a good neighborhood and the influx of email into your abuse@ addresses should be minimal.

Eventually they�d either clean up or move elsewhere. If the places to move to would be small enough in numbers, they could be filtered from the rest of the Internet.

Pete