RE: Even you can be hacked

This will be my last post on this issue.

  In this case:

  1) Almost certainly the traffic was due to a worm.

  2) Almost certainly the ISP knew (or strongly suspected) the traffic was
due to a worm.

  3) Quite likely, the ISP never carried most of the traffic to its
destination. Once they knew it was worm traffic, they were probably
filtering by port.

  4) The ISP should not have carried the attack traffic, if they actually
did. Doing so is negligent and creates additional innocent victims. Maybe
they would give their customer a short time to straighten things out, but
that's it.

  5) An ISP should not be paid for traffic they only carried out of their own
negligence. This doesn't negate the customer's responsibility to anyone but
the ISP and only if the ISP is actually negligent, not just the customer.

  Yes, given the facts we know, it's possible that the ISP really does
deserve to be paid, this traffic wasn't due to a worm, or there was no way
the ISP could be sure. However, far more likely, the facts are as I state
them above.

  So why does everyone think the ISP is almost certainly entitled to be paid?
Is it because they're ISPs? Is it because it's easy to blame someone else?

  DS

I notice that Webmaster's license agreement includes this clause:

  DISCLAIMER OF WARRANTY. The Software is provided on an AS IS basis,
  without warranty of any kind, including without limitation the
  warranties of merchantability, fitness for a particular purpose and
  non-infringement. The entire risk as to the quality and performance of
  the Software is borne by you. Should the Software prove defective, you
  and not WebMaster assume the entire cost of any service and repair. In
  addition, the security mechanism implemented by the Software has
  inherent limitations, and you must determine that the Software
  sufficiently meets your requirements. This disclaimer of warranty
  constitutes an essential part of the agreement.

Why does Webmaster put the entire risk on the customer, including warning
that the security mechanism has inherent limitations? Shouldn't Webmaster
be responsible if their customers suffer a loss whatsoever the cause, even
if it wasn't due to any negligence on the part of Webmaster?

  It is the customer's responsibility to ask any specific questions
  about implementation or scalability or arrange for a more extensive
  trial prior to requesting that a permanent key be issued. Once a
  permanent key has been issued there are no refunds and all sales are
  final.

Seems like Webmaster is requiring customers to be experts in Webmaster's
products. Shouldn't it be Webmaster's responsibility to analyze and
warn customers about every possible problem they could ever experience,
secure the customer against all possible harm, and compensate the
customer for all losses?

Erm..

Forgive me if this is a repeat posting, but from what I've seen of this
thread it needs to be stated.

- My ISP Provide me with Internet Services.
- I get Authentication, an IP, DNS.
- I get a pipe to the world.
- I pay for my own bandwidth based on the plan the ISP provides me.

If I have a usage limit, and I exceed it due to a worm infection, it's MY
problem. No one else's. I'm responsible for the security aspect of my own
personal computers. Note the list of things above. I haven't paid for a
managed circuit, with warnings after unusual activity, I haven't paid for a
filtering service to filter by port for traffic that might be
suspicious... so how is this not cut-and-dried?

The ISP provides me with service, and puts a meter on it, and they bill me
by the byte, or whatever. That's the service they're providing; I'm not
expecting to be billed for 'certain types of traffic'. I have a pipe, I'm
using that pipe, and I pay for what travels down it.

Any 'overusage' or unusual spikes in bandwidth usage are mine to handle;
that's part of the risk of purchasing this service. If you want the
provider to give you a solution which includes circuit monitoring, content
filtering and other such things, then by all means make sure that's
specified in the terms of service before you sign on the dotted line.

This all seems so simple to me. I simply don't understand how I can blame
my ISP when my Windows machine gets a trojan on it and starts spitting out
emails. Whether 0-day or otherwise, it's my problem, because *I* decided
to take the (calculated) risk of putting that box online (in whatever
state: current or not, firewalled or not, etc.).

You can mitigate that risk through various factors (firewalls, antivirus,
Windows Update, alternative OSs); these all modify or change the risks
involved, but my ISP hasn't been involved in the calculation of this risk,
so how can they be involved in accepting the responsibility for that
risk?!?

Mark.
(Apparently I share a name with someone else on NANOG. So I'm not him...
and he's not me :))

Why does Webmaster put the entire risk on the customer, including warning
that the security mechanism has inherent limitations? Shouldn't Webmaster
be responsible if their customers suffer a loss whatsoever the cause, even
if it wasn't due to any negligence on the part of Webmaster?

  I never argued that the ISP should be responsible for losses that weren't
created by their own negligence.

Seems like Webmaster is requiring customers to be experts in Webmaster's
products. Shouldn't it be Webmaster's responsibility to analyze and
warn customers about every possible problem they could ever experience,
secure the customer against all possible harm, and compensate the
customer for all losses?

  I never said an ISP should compensate a customer.

  How about sticking to the arguments I actually *used* rather than straw
men?

  I'm talking about a case where the provider had continuing control over the
use of the item involved. I'm talking about a case where the provider knew
or should have known that there was abuse that was injuring third parties.
I'm talking about a case where the provider is billing the customer for the
specific act of harming the third parties.

  When you sell software, you have no idea what someone is going to use it
for. You have no ability to continue to control the product over time. You
have no way to know how the customer is actually using the product. You have
no ability to shut off their usage at any particular time. You have no way
to know or suspect that their usage is harming third parties.

  Again, every analogy fails. You have to look at this particular case and
the particular facts.

  DS