Re: Points on your Internet driver's license (was RE: Even you can be hacked)
- Original Message -
From: "Randy Bush" <[EMAIL PROTECTED]>
To: "Jonathan Nichols" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, June 11, 2004 3:32 PM
Subject: Re: Points on your Internet driver's license (was RE: Even you can be hacked)

> > http://lawandhelp.com/q298-2.htm
>
> while i am no fan of macdonalds, and a good case is made for their negligence, perhaps you should follow the advice at the bottom of that web page
>
> The most important message this case has for you, the consumer, is to be aware of the potential danger posed by your early morning pick-me-up.
>
> randy

Yep...and after 65 years (assuming she started drinking coffee at 16), "reasonable expectation" of the temperature comes to mind. I don't go to these kinds of places...has the temperature been climbing up in order to let you have a drinkable cup after (whatever you do) an hour?

--Michael
OT Re: Points on your Internet driver's license (was RE: Even you can be hacked)
> Or, go see the movie "Super Size Me" - you might just give up McDonald's entirely, reducing your risk of burns from their overheated coffee. :)

Haven't been in one in over 2 years - and not through any great principle, I just stopped. Odd how our tastes change with age ;-)

Peter
RE: Even you can be hacked
> Why does Webmaster put the entire risk on the customer, including warning that the security mechanism has inherent limitations? Shouldn't Webmaster be responsible if their customers suffer a loss whatsoever the cause, even if it wasn't due to any negligence on the part of Webmaster?

I never argued that the ISP should be responsible for losses that weren't created by their own negligence.

> Seems like Webmaster is requiring customers to be experts in Webmaster's products. Shouldn't it be Webmaster's responsibility to analyze and warn customers about every possible problem they could ever experience, secure the customer against all possible harm, and compensate the customer for all losses?

I never said an ISP should compensate a customer. How about sticking to the arguments I actually *used* rather than straw men?

I'm talking about a case where the provider had continuing control over the use of the item involved. I'm talking about a case where the provider knew or should have known that there was abuse that was injuring third parties. I'm talking about a case where the provider is billing the customer for the specific act of harming the third parties.

When you sell software, you have no idea what someone is going to use it for. You have no ability to continue to control the product over time. You have no way to know how the customer is actually using the product. You have no ability to shut off their usage at any particular time. You have no way to know or suspect that their usage is harming third parties.

Again, every analogy fails. You have to look at this particular case and the particular facts.

DS
Re: Even you can be hacked
Disclaimer: I am not a lawyer; consult yours before relying on advice from any layperson, including me.

Thus spake "Owen DeLong" <[EMAIL PROTECTED]>
> Should the ISP have shut the customer off? Probably. I certainly would have. Are there ISPs that don't? You bet... Some because they are afraid to. Have ISPs been sued for turning off abusive or abusing customers? You bet.

You can be sued for doing anything or nothing (or both). The real question is whether the plaintiff has any chance of winning, or even of getting past a pre-trial motion to dismiss. Presumably every ISP has some sort of AUP that allows the ISP to, at its discretion, shut off a customer based on suspicion of abuse. Hopefully by now they've all been updated to include in the definition of abuse a failure of the customer to secure their system(s). Even if not, I can't see a customer winning a case against an ISP who cuts them off for being infected with a worm (the activity of which would fall under abuse).

> Is it prudent for an ISP to turn someone off? Depends on how you evaluate the risks involved. Either decision you make carries some risk.

Opening your doors for business invites all sorts of risks, including being sued for totally ridiculous and frivolous reasons. Acting as allowed under your contract with a customer does not substantially increase those risks. Fear of exercising your contractual rights means you don't have much faith in your contracts or representation.

S

Stephen Sprunk        "Those people who think they know everything
CCIE #3723             are a great annoyance to those of us who do."
K5SSS                                              --Isaac Asimov
RE: Even you can be hacked
On Fri, 11 Jun 2004, David Schwartz wrote:

> This will be my last post on this issue.
>
> In this case:
>
> 1) Almost certainly the traffic was due to a worm.
>
> 2) Almost certainly the ISP knew (or strongly suspected) the traffic was due to a worm.
>
> 3) Quite likely, the ISP never carried most of the traffic to its destination. Once they knew it was worm traffic, they were probably filtering by port.
>
> 4) The ISP should not have carried the attack traffic, if they actually did. Doing so is negligent and creates additional innocent victims. Maybe they would give their customer a short time to straighten things out, but that's it.

Erm.. Forgive me if this is a repeat posting, but from what I've seen of this thread it needs to be stated.

- My ISP provides me with Internet services.
- I get authentication, an IP, DNS.
- I get a pipe to the world.
- I pay for my own bandwidth based on the plan the ISP provides me.

If I have a usage limit, and I exceed it due to a worm infection, it's MY problem. No one else's. I'm responsible for the security aspect of my own personal computers. Note the list of things above. I haven't paid for a managed circuit, with warnings after unusual activity; I haven't paid for a filtering service to filter by port for traffic that might be suspicious... so how is this not cut-and-dried? The ISP provides me with service, and puts a meter on it, and they bill me by the byte, or whatever - that's the service they're providing. I'm not expecting to be billed for 'certain types of traffic' - I have a pipe, I'm using that pipe, and I pay for what travels down it. Any 'overusage' or unusual spikes in bandwidth usage are mine to handle - that's part of the risk of purchasing this service. If you want the provider to give you a solution which includes circuit monitoring, content filtering and other such things - then by all means make sure that's specified in the terms of service before you sign the dotted line.

This all seems so simple to me - I simply don't understand how I can blame my ISP when my Windows machine gets a trojan on it and starts spitting out emails - whether 0-day or otherwise, it's my problem, because *I* decided to take the (calculated) risk of putting that box online (in whatever state - current or not, firewalled or not, etc.). You can mitigate that risk through various factors - firewalls, antivirus, WindowsUpdate, alternative OSs... these all modify or change the risks involved, but my ISP hasn't been involved in the calculation of this risk - so how can they be involved in accepting the responsibility for that risk?!?

Mark.

(Apparently I share a name with someone else on NANOG. So I'm not him... and he's not me :))
RE: Even you can be hacked
On Fri, 11 Jun 2004, David Schwartz wrote:
> So why does everyone think the ISP is almost certainly entitled to be paid? Is it because they're ISPs? Is it because it's easy to blame someone else?

I notice that Webmaster's license agreement includes this clause:

DISCLAIMER OF WARRANTY. The Software is provided on an AS IS basis, without warranty of any kind, including without limitation the warranties of merchantability, fitness for a particular purpose and non-infringement. The entire risk as to the quality and performance of the Software is borne by you. Should the Software prove defective, you and not WebMaster assume the entire cost of any service and repair. In addition, the security mechanism implemented by the Software has inherent limitations, and you must determine that the Software sufficiently meets your requirements. This disclaimer of warranty constitutes an essential part of the agreement.

Why does Webmaster put the entire risk on the customer, including warning that the security mechanism has inherent limitations? Shouldn't Webmaster be responsible if their customers suffer a loss whatsoever the cause, even if it wasn't due to any negligence on the part of Webmaster?

It is the customer's responsibility to ask any specific questions about implementation or scalability or arrange for a more extensive trial prior to requesting that a permanent key be issued. Once a permanent key has been issued there are no refunds and all sales are final.

Seems like Webmaster is requiring customers to be experts in Webmaster's products. Shouldn't it be Webmaster's responsibility to analyze and warn customers about every possible problem they could ever experience, secure the customer against all possible harm, and compensate the customer for all losses?
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
Randy Bush wrote: http://lawandhelp.com/q298-2.htm while i am no fan of macdonalds, and a good case is made for their negligence, perhaps you should follow the advice at the bottom of that web page The most important message this case has for you, the consumer, is to be aware of the potential danger posed by your early morning pick-me-up. randy Or, go see the movie "Super Size Me" - you might just give up McDonald's entirely, reducing your risk of burns from their overheated coffee. :)
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
> http://lawandhelp.com/q298-2.htm while i am no fan of macdonalds, and a good case is made for their negligence, perhaps you should follow the advice at the bottom of that web page The most important message this case has for you, the consumer, is to be aware of the potential danger posed by your early morning pick-me-up. randy
RE: Even you can be hacked
This will be my last post on this issue. In this case: 1) Almost certainly the traffic was due to a worm. 2) Almost certainly the ISP knew (or strongly suspected) the traffic was due to a worm. 3) Quite likely, the ISP never carried most of the traffic to its destination. Once they knew it was worm traffic, they were probably filtering by port. 4) The ISP should not have carried the attack traffic, if they actually did. Doing so is negligent and creates additional innocent victims. Maybe they would give their customer a short time to straighten things out, but that's it. 5) An ISP should not be paid for traffic they only carried out of their own negligence. This doesn't negate the customer's responsibility to anyone but the ISP and only if the ISP is actually negligent, not just the customer. Yes, given the facts we know, it's possible that the ISP really does deserve to be paid, this traffic wasn't due to a worm, or there was no way the ISP could be sure. However, far more likely, the facts are as I state them above. So why does everyone think the ISP is almost certainly entitled to be paid? Is it because they're ISPs? Is it because it's easy to blame someone else? DS
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
attending a game. we sue for spilling hot coffee on ourselves. http://lawandhelp.com/q298-2.htm Interesting reading on that whole "woman sues for spilling hot coffee on herself" story. Sometimes there's a LOT more to the tale. :)
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
Scalable bandwidth is not new and is charged for, what is the issue about that? If the network is compromised and it is on the client end, that is what business insurance is for, so that everyone gets theirs (payments, otherwise other types of arrangements need to be made, according to the doctrine of reasonable man

-henry R Linneweh

--- Adi Linden <[EMAIL PROTECTED]> wrote:

> > If your child borrows your credit card, and makes lots of unauthorized charges, you may not have to pay more than $50; but the bank can go after your son or daughter for the money. Most parents end up paying, even if they didn't authorize their children to use the credit card.
>
> So the credit card company calls you and asks about a bunch of suspicious charges being placed on your card. Ok, just keep on charging. Now who's to blame for these charges by your sons and daughters and the Russian mafia?
>
> I sell a client a metered product (gas, water, electricity, telephone, internet data, etc). I notice unusually high consumption. I inform the client that the bill is accumulating rather quickly and I suspect a problem. I have done my job. The client either tells me to stop delivery until the problem is diagnosed and resolved or tells me to continue service. Either way, the ball is in the client's court. If the client chooses continuation of service despite high consumption and subsequent huge bill he has an obligation to pay, no matter WHY the usage was too high.
>
> Our society has a screwed up sense of responsibility. Everyone else is supposed to look out for me and take care of me. If something happens to me because I do something stupid or foolish, someone failed to warn me, didn't make the sign big enough, didn't sound the horn loud enough, didn't lock me up so I couldn't hurt myself. This isn't true for everybody but way too many.
>
> Adi
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
> If your child borrows your credit card, and makes lots of unauthorized charges, you may not have to pay more than $50; but the bank can go after your son or daughter for the money. Most parents end up paying, even if they didn't authorize their children to use the credit card.

So the credit card company calls you and asks about a bunch of suspicious charges being placed on your card. Ok, just keep on charging. Now who's to blame for these charges by your sons and daughters and the Russian mafia?

I sell a client a metered product (gas, water, electricity, telephone, internet data, etc). I notice unusually high consumption. I inform the client that the bill is accumulating rather quickly and I suspect a problem. I have done my job. The client either tells me to stop delivery until the problem is diagnosed and resolved or tells me to continue service. Either way, the ball is in the client's court. If the client chooses continuation of service despite high consumption and subsequent huge bill he has an obligation to pay, no matter WHY the usage was too high.

Our society has a screwed up sense of responsibility. Everyone else is supposed to look out for me and take care of me. If something happens to me because I do something stupid or foolish, someone failed to warn me, didn't make the sign big enough, didn't sound the horn loud enough, didn't lock me up so I couldn't hurt myself. This isn't true for everybody but way too many.

Adi
Re: Points on your Internet driver's license (was RE: Even you can be hacked)
we americans do not readily accept responsibility for our [in]actions. we sue for being hit by a baseball while attending a game. we sue for spilling hot coffee on ourselves. we sue when we walk into open trenches and manholes. and we self-righteously torture, commit war crimes, and murder, at a digital distance, and expect immunity in the world opinion and courts. it's a small planet, but our culture still has the vision of the infinite resources of the frontier. so, if i can't get what i want, or if i get what i don't want, surely someone else is at fault.

randy, who clearly has pontificated enough for the day
Points on your Internet driver's license (was RE: Even you can be hacked)
On Fri, 11 Jun 2004, David Schwartz wrote:
> generated by a worm. The ISP had an obligation to stop this traffic with filters or customer disconnection. They may or may not have complied with their obligation. Either way, it's hard to see why the customer should pay for traffic the ISP did not or should not have delivered.

ISPs deliver properly addressed packets to their destination (the return address sometimes isn't checked). Do ISPs have an obligation to stop certain packets, based on what? What does your contract say? Did you pay the ISP to provide filters? Did you include a phrase that said the ISP had to give you 30 days notice and reasonable time to cure the breach before the ISP could terminate your service? Did the contract say the ISP would block traffic generated by worms?

As people regularly point out, the Internet is a dangerous place. Is it as dangerous as going to a baseball game?

BOSTON, Massachusetts (AP) -- A woman who was seriously injured by a foul ball at Fenway Park has no grounds to sue because she assumed a risk by attending the baseball game, a state appeals court ruled. The Red Sox "had no duty to warn the plaintiff of the obvious danger of a foul ball being hit into the stands," the court said Wednesday in blocking Jane Costa's personal injury lawsuit from going to trial.

It would be much easier if evil doers followed RFC3514. Determining "intent" from the bits is difficult. If you call a customer up and ask "Did you know your computer is generating a lot of network traffic and your bill will be very large?" and the customer says "Ok", what should you do? Assume the customer is an idiot, and even though they said Ok, you should cut off their Internet connection anyway.

If your child borrows your credit card, and makes lots of unauthorized charges, you may not have to pay more than $50; but the bank can go after your son or daughter for the money. Most parents end up paying, even if they didn't authorize their children to use the credit card.

If the bank sends you an ATM or debit card statement, and you fail to report unauthorized transfers on the statement after 60 days you may be responsible for unlimited loss. You can lose a lot of money if you think it's other people's responsibility to protect you. You are responsible for reviewing the statement and informing the bank of unauthorized activity; not the bank.

Why do so many people ignore their ISP when told about problems with their computer? "My computer can't be infected, I have a firewall."

Paul Vixie proposed that people should be required to use personal co-lo so the co-lo provider has collateral to seize when the customer fails to keep the computer secure. Would customers complain if ISPs started seizing their computers instead of sending them large bills?

Should ISPs charge customers cleanup fees to encourage them to keep their computers secure? $10 or $100 or $1,000 per incident? Should it be like points on your Internet driver's license? For the first incident you have to attend 8-hour traffic school, for the second incident in 12 months you have points put on your record and your insurance rates go up. Too many points, and your Internet privileges are revoked.
RE: Even you can be hacked
yes, we're gonna hack desperately for a decade to make up for asecure (innocent of, as contrasted with devoid of, security) application protocols and implementations. it'll take half that time for the ivtf and the vendors to realize how deeply complexity is our enemy. and until then we'll hack everywhere in our desperation.

but in the long run, i don't think we can win with an active middle. the problem is that the difference between good traffic and bad traffic is intent. did the sender intend to send / reveal those data? did the recipient wish to receive them? and, i don't think we can stand in the middle and judge. and there's the rub.

the cute example is, as i said to you privately, that i have customers who wish to receive what is sent by what i think of as malicious folk. the recipients are security folk and net-sociometricians. so who am i to judge? some people even eat at macdonalds.

randy, who enjoyed his lunch of seared ahi and asparagus
RE: Even you can be hacked
I can agree with that, and Randy pointed out when these ideas were created and written, security was not part of the overall plan because there were trusted parties on either end of the spectrum. I think that my intent was noble and I am glad I started a controversy, because this is an issue that needs to be addressed as we move forward with internet development and secure application development. Working for a telecomm/datacomm company gives me some insight into the problem; I am looking into it deeper from a hardware perspective, of designing a solution that goes on a board among other systems issues... Yeah I brainstorm too, and also being an end user client I think about the end result of no solution and people overwhelmed with issues that lead to no solution to people so overwhelmed they think legislating law can fix broken code. It does help when the architects give me insight to the issue and how immense it is and what to look at when I am determining the end result of any of my efforts.

-henry

--- Alex Bligh <[EMAIL PROTECTED]> wrote:

> --On 11 June 2004 14:18 -0700 Randy Bush <[EMAIL PROTECTED]> wrote:
>
> > the bottom line
> >
> > o if you want the internet to continue to innovate, then the end-to-end model is critical. it means that it
>
> If there is a lesson here, seems to me it's that those innovative protocols should be designed such that it is relatively easy to prevent or at least discourage "bad traffic". Because that's in the long run easier (read cheaper for those of you of a free market bent) than educating users in an ever changing environment. It would be a bit rich to criticize SMTP (for instance) as misdesigned for not bearing this in mind given the difficulty of anticipating its success at the time, but there is a lesson here for other protocols. I can think of one rather obvious one which would seem to allow delivery of junk in many similar ways to SMTP; hadn't thought of this before but we should be learning from our mistakes^Wprevious valuable experience.
>
> Alex
RE: Even you can be hacked
--On 11 June 2004 14:18 -0700 Randy Bush <[EMAIL PROTECTED]> wrote: the bottom line o if you want the internet to continue to innovate, then the end-to-end model is critical. it means that it If there is a lesson here, seems to me it's that those innovative protocols should be designed such that it is relatively easy to prevent or at least discourage "bad traffic". Because that's in the long run easier (read cheaper for those of you of a free market bent) than educating users in an ever changing environment. It would be a bit rich to criticize SMTP (for instance) as misdesigned for not bearing this in mind given the difficulty of anticipating its success at the time, but there is a lesson here for other protocols. I can think of one rather obvious one which would seem to allow delivery of junk in many similar ways to SMTP; hadn't thought of this before but we should be learning from our mistakes^Wprevious valuable experience. Alex
Re: Even you can be hacked
Richard Welty wrote:
> On Fri, 11 Jun 2004 17:51:00 -0400 (EDT) Scott McGrath <[EMAIL PROTECTED]> wrote:
> > But wouldn't an interocitor with electron sorter option give you much more reliable packet delivery...
>
> that works fine until someone reverses the polarity of the neutron flow.

And for heaven's sake, don't cross the streams!

(It must be Friday.)

--
Crist J. Clark [EMAIL PROTECTED]
Globalstar Communications (408) 933-4387
Re: Even you can be hacked
In message <[EMAIL PROTECTED]>, Randy Bush writes: > >the bottom line > > o if you want the internet to continue to innovate, then >the end-to-end model is critical. What Randy said. (And all the rest of the post that I deleted to save a bit of bandwidth.) --Steve Bellovin, http://www.research.att.com/~smb
Re: Even you can be hacked
** Reply to message from Richard Welty <[EMAIL PROTECTED]> on Fri, 11 Jun 2004 18:33:00 -0400 (EDT)

> On Fri, 11 Jun 2004 17:51:00 -0400 (EDT) Scott McGrath <[EMAIL PROTECTED]> wrote:
> > But wouldn't an interocitor with electron sorter option give you much more reliable packet delivery...
>
> that works fine until someone reverses the polarity of the neutron flow.

And I thought this thread had a whiff of unreality when Randy announced that the internet would follow Henry's wishes, and Laurence thanked him for it

--
Jeff Shultz
A railfan pulls up to a RR crossing hoping that there will be a train.
Re: Even you can be hacked
On Fri, 11 Jun 2004 17:51:00 -0400 (EDT) Scott McGrath <[EMAIL PROTECTED]> wrote:
> But wouldn't an interocitor with electron sorter option give you much more reliable packet delivery...

that works fine until someone reverses the polarity of the neutron flow.

richard
--
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
Re: Even you can be hacked
Henry, from the email address I'm assuming you're not trolling and are therefore missing a few facts. IP != IPX, that is.. ports aren't in the routing table.

It is not the ports below that cause the security issues, it is the applications which are using them; you need to either fix the apps or take the apps off the Internet.

Nobody owns ports, they are arbitrary, some may get given a special purpose by the IANA but there's nothing to say they -have- to use those numbers.. therefore you cannot get a list of them.. and if they're dynamic or private (if I understand what you mean) then by definition they aren't static and can't be documented?

Steve

On Fri, 11 Jun 2004, Henry Linneweh wrote:

> Here is a list of very active ports that attempt to hack into people's systems from various parts of the world, China in particular.
>
> I think unassigned ports should be dropped from routing tables unless they are registered with the host and or providers as to their legitimate use
>
> smpnameres    901/tcp     SMPNAMERES
> smpnameres    901/udp     SMPNAMERES
> blackjack     1025/tcp    network blackjack
> blackjack     1025/udp    network blackjack
> cap           1026/tcp    Calendar Access Protocol
> cap           1026/udp    Calendar Access Protocol
> exosee        1027/tcp    ExoSee
> exosee        1027/udp    ExoSee
> #             1124-1154   Unassigned
> ssslic-mgr    1203/tcp    License Validation
> ssslic-mgr    1203/udp    License Validation
> ms-sql-s      1433/tcp    Microsoft-SQL-Server
> ms-sql-s      1433/udp    Microsoft-SQL-Server
> ms-sql-m      1434/tcp    Microsoft-SQL-Monitor
> ms-sql-m      1434/udp    Microsoft-SQL-Monitor
> #             6851-6887   Unassigned
> monkeycom     9898/tcp    MonkeyCom
> monkeycom     9898/udp    MonkeyCom
>
> And I need a list that shows who or what owns Dynamic and/or Private Ports
>
> -Henry
>
> --- "Laurence F. Sheldon, Jr." <[EMAIL PROTECTED]> wrote:
>
> > Andy Dills wrote:
> >
> > > On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
> > >
> > >> Jeff Shultz wrote:
> > >>
> > >>> But ultimately, _you_ are responsible for your own systems.
> > >>
> > >> Even if the water company is sending me 85% TriChlorEthane?
> > >>
> > >> Right. Got it. The victim is always responsible.
> > >>
> > >> There you have it folks.
> > >
> > > Change the word "victim" to "negligent party" and you're correct.
> > >
> > > Ignoring all of the analogies and metaphors, the bottom line is that ISPs are _not responsible_ for the negligence of their customers, and that ISPs are _not responsible_ for the _content_ of the packets we deliver. In fact, blocking the packets based on content would run counter to our sole responsibility: delivering the well-formed packets (ip verify unicast reverse-path) where they belong.
> > >
> > > Remember, we're service providers, not content providers. Unless your AUP or customer contract spells out security services provided (most actually go the other way and limit the liability of the service provider specifically in this event), then your customers have to pay you to secure their network (unless you feel like doing it for free), or they are responsible, period.
> > >
> > > As far as I'm concerned, that guy would have a better shot at suing Microsoft than challenging his bandwidth bill.
> > >
> > > Andy
> > >
> > > ---
> > > Andy Dills
> > > Xecunet, Inc.
> > > www.xecu.net
> > > 301-682-9972
> > > ---
> >
> > How many more of these do I need, do you think?
> >
> > --
> > Requiescas in pace o email
> >
> > Ex turpi causa non oritur actio
> >
> > http://members.cox.net/larrysheldon/
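Two technical threads run under the legal argument on this page: Steve's point above that ports are not something a routing table knows about (port-based blocking is a filter, not a route), and David Schwartz's guess in his posts that the ISP spotted worm traffic, filtered it by port, and still metered every byte that crossed the customer's line. The following is an added example, not code from any poster or ISP quoted here. It runs a simple fan-out heuristic over constructed flow records (the kind an ISP's NetFlow collector would hold) to flag a host behaving like a worm, then splits each source's byte count into what crossed the line (metered) and what the ISP forwarded after a port filter (delivered). The addresses, the udp/1434 traffic pattern, the flow sizes and the thresholds are all constructed assumptions; 1434 is only used because it appears in Henry's port list.

```python
"""Worm fan-out detection over constructed flow records, plus a port-filter
accounting pass that separates metered bytes (everything that crossed the
customer's line) from delivered bytes (what the ISP actually forwarded).

Added example: the flow records are constructed here, not taken from any
ISP's logs, and the thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address
import random


@dataclass(frozen=True)
class Flow:
    src: str      # customer-side source address
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    octets: int   # bytes carried in this flow


def build_sample_flows(seed=1):
    """Construct a flow set: one normal host (192.0.2.10) and one host
    (192.0.2.11) showing worm-style fan-out on udp/1434. Both addresses
    come from the RFC 5737 documentation range; the pattern is made up."""
    rng = random.Random(seed)
    flows = []
    # Normal host: a handful of web and mail flows to a few destinations.
    for _ in range(40):
        dst = f"203.0.113.{rng.randint(1, 20)}"
        proto, dport = rng.choice([("tcp", 80), ("tcp", 443), ("tcp", 25)])
        flows.append(Flow("192.0.2.10", dst, proto, dport, rng.randint(800, 60000)))
    # Infected host: one small datagram to each of many distinct hosts, one port.
    for _ in range(500):
        dst = str(IPv4Address(rng.randint(0, 2**32 - 1)))
        flows.append(Flow("192.0.2.11", dst, "udp", 1434, 404))
    rng.shuffle(flows)
    return flows


def fanout_by_source(flows):
    """Map (src, proto, dport) -> set of distinct destinations."""
    table = defaultdict(set)
    for f in flows:
        table[(f.src, f.proto, f.dport)].add(f.dst)
    return table


def detect_scanners(flows, min_distinct_dsts=100, max_mean_octets=1500):
    """Flag sources that touch many distinct destinations on one port with
    uniformly small flows. Returns {src: (proto, dport, distinct_dsts)}.
    Thresholds are assumptions; tune them against your own baseline."""
    fanout = fanout_by_source(flows)
    octets = defaultdict(list)
    for f in flows:
        octets[(f.src, f.proto, f.dport)].append(f.octets)
    flagged = {}
    for key, dsts in fanout.items():
        mean = sum(octets[key]) / len(octets[key])
        if len(dsts) >= min_distinct_dsts and mean <= max_mean_octets:
            src, proto, dport = key
            flagged[src] = (proto, dport, len(dsts))
    return flagged


def account_with_port_filter(flows, blocked):
    """Split per-source byte counts into metered (crossed the customer's
    line) and delivered (not dropped by the ISP's port filter).
    `blocked` is a set of (proto, dport) tuples."""
    metered = defaultdict(int)
    delivered = defaultdict(int)
    for f in flows:
        metered[f.src] += f.octets
        if (f.proto, f.dport) not in blocked:
            delivered[f.src] += f.octets
    return dict(metered), dict(delivered)


if __name__ == "__main__":
    flows = build_sample_flows()
    hits = detect_scanners(flows)
    print("flagged:", hits)
    blocked = {(proto, dport) for proto, dport, _ in hits.values()}
    metered, delivered = account_with_port_filter(flows, blocked)
    for src in sorted(metered):
        print(f"{src}: metered={metered[src]} delivered={delivered.get(src, 0)}")
```

The heuristic is deliberately narrow (distinct-destination fan-out on one port with small, uniform flows); production detection would also look at rate, failed-connection ratio and a per-customer baseline. The accounting function is the point of the thread's disagreement in code form: once a port filter is in place, `metered` and `delivered` diverge for the infected host, and which of the two the bill should be based on is the contractual question the posters are arguing about.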
RE: Even you can be hacked
> This thread is quite amusing and interesting at the same time. If I read the original post right, Mr. Mike Bierstock was informed that he was generating an unusual amount of traffic, traffic he would have to pay for. He got the bill and had to deal with the consequences. What is wrong with that? Does it matter how this traffic was generated?

Well, it depends upon the contract between the customer and the ISP. It matters if the traffic was actually delivered. For example, if the traffic was attack traffic that hit the ISP's filter, is it fair to charge the customer for the traffic because it came over their line? If the ISP had an obligation to stop attack traffic from their customers from getting onto the Internet, yes, it matters if the costs are due to the ISP failing in that obligation.

As I understood this example, this was traffic that the ISP knew was generated by a worm. The ISP had an obligation to stop this traffic with filters or customer disconnection. They may or may not have complied with their obligation. Either way, it's hard to see why the customer should pay for traffic the ISP did not or should not have delivered.

The customer could justifiably be billed for the extra costs he imposed upon his ISP in dealing with his attack traffic, but not for the traffic itself once it was identified. As I said, at that point the ISP should not have delivered it. Doing so creates more victims, and the ISP has a greater responsibility than the customer because they have greater knowledge and control. It doesn't matter much what the contract says if the ISP wrote it and the customer didn't understand it.

Ask yourself a single yes or no question -- does an ISP have a responsibility to stop worm traffic generated by their customers from getting onto the Internet once they have identified it? And if so, does it matter whether or not the customer cooperates?

DS
RE: Even you can be hacked
> > Of course, except in this case, the phone company can't
> > easily tell the
> > legitimate calls from the illegitimate ones and block only the
> > illegitimate ones. Every analogy will break down, so don't expect to be
> > able to convince people with analogies that seem so obviously right to
> > you. Nothing is exactly accurate except the actual situation itself.

> And how, exactly, did you expect the ISP to tell which packets you were
> sending were legitimate and which were from the malware running on your
> computer? Please enlighten me as to how I tell a customer's legitimate
> outbound email from his system apart from the email from the same system
> which is being sent not by him, but, by the malware that has infected his
> system?

In this case, the ISP informed the customer that there was illegitimate traffic. If it's your position that the ISP can't tell the difference, then the notification that we know happened would have been impossible. Presumably they even identified the particular customer responsible for the traffic, given that they notified him about it!

Since it's obvious in this case that the customer would have preferred being disconnected to having to pay for the traffic, and the ISP could certainly have disconnected him, the question becomes, why didn't they? Especially since they knew the attack traffic was creating other innocent victims.

My guess is that they *were* filtering it (probably by port) and never delivered the attack traffic to its destination anyway. They probably still billed the customer because they bill for traffic over the customer's line, regardless of whether it hits their emergency or bogon filters.

> > And, again, almost every contract has some insurance elements to it.
> > There will be unusual cases where it's actually possible for the utility
> > to lose money if something unusual happens. My main point is that the
> > understanding that seems so obviously right to you may not seem so
> > obviously right to your customers.

> No sane ISP will insure a usage-based customer against traffic sent by
> that customer's infected machines AFTER he has informed the customer
> of the problem.

No sane ISP will allow attack traffic to continue to hit the Internet after they know it's coming from one of their customers regardless of what the customer does or does not do. So why should the customer pay for "Internet traffic" that their ISP likely did not (and certainly should not have) actually sent or delivered?

> > As for all the people who talk about turning off their DSL
> > access when
> > they're away from home, they're missing the point. Obviously a person
> > could do that. We could shut off our electricity when we leave home. We
> > could have our telephone service temporarily disabled when we go on
> > vacation too. A person could do all of these things. My point is that
> > it's also perfectly reasonable for a person not to do these things.
> > Because in general an ISP has more ability to control these
> > things and it
> > makes very little sense for a home user to insure an ISP, it makes more
> > sense for the ISP to insure the user.

> I still don't understand why you insist that my ISP has (or should have)
> more control over what traffic my systems deliver to my internet
> connection
> than I do. This simply isn't the case, and I would be very unhappy if
> it were to become the case.

For the classes of service I'm talking about, like home DSL, they do. They choose which ports to block and they have a responsibility to monitor their customers for machines that are causing problems for others. In this case, they actually did that and detected the problem -- good for them. But they then decided that instead of remedying the problem, they'd bill their customer for it. Maybe they blocked the attack traffic, maybe not. If so, why charge for traffic you won't deliver? If not, then that's serious negligence, no?

> > In any unfortunate situation, you can find a hundred things
> > that anyone
> > could have done differently that would have avoided the situation. But
> > that is not how you establish responsibility, financial or moral. You
> > look at people who failed to use reasonable prudence.

> And you don't think that a person who is informed that their system is
> infected and chooses not to fix it has failed the reasonable prudence
> test?

You think an ISP that knows that their customer is sending attack traffic but neither blocks the traffic nor shuts off the customer has failed the reasonable prudence test? And who should be more subject to a reasonable prudence test for Internet practices, a home DSL customer who may not know very much about computers, or an ISP that specializes in Internet access that has monitoring equipment and a trained staff 24/7? Your customers expect you to deal with this stuff. You may or may not find their expectations reasonable, but dammit, y
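The two messages above turn on two claims: that an ISP which notified the customer must have been able to pick the worm traffic out (here, by the scanning pattern on one port), and that a "bytes over the line" bill charges for traffic the ISP's own port filter then threw away. The following is an added example, not code from the thread or from any ISP: it runs both checks over flow records. The record layout, the "delivered"/"dropped" verdict the edge filter is assumed to stamp on each flow, the customer names, addresses and the fan-out threshold are all constructed for illustration; 1434/udp is used only because it appears in the port list quoted later in the thread.

```python
"""Added example, not code from the NANOG thread.

Given flow records that carry the edge filter's verdict, (1) flag a
customer whose traffic looks like a worm (one source, one port, many
distinct destinations) and (2) compare what the customer would be billed
for bytes over the line versus bytes the ISP actually forwarded.

Assumptions: the record layout, the "delivered"/"dropped" action field
and the fan-out threshold are constructed here, not taken from any real
ISP's flow-export or billing system.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    customer: str
    proto: str
    dst: str
    dport: int
    octets: int
    action: str  # "delivered" or "dropped" (assumed filter tag)


# Constructed sample: two customers behind the same edge router.
# cust-17 sends a little web and mail traffic plus a single-port UDP
# scan across 60 distinct destinations, which the port filter drops.
SAMPLE_FLOWS: List[Flow] = [
    Flow("cust-17", "tcp", "198.51.100.10", 80, 120_000, "delivered"),
    Flow("cust-17", "tcp", "198.51.100.25", 25, 8_000, "delivered"),
    Flow("cust-42", "tcp", "198.51.100.10", 443, 50_000, "delivered"),
]
SAMPLE_FLOWS += [
    Flow("cust-17", "udp", f"203.0.113.{i}", 1434, 400, "dropped")
    for i in range(1, 61)
]


def flag_scanners(flows: List[Flow], fanout: int = 32) -> Dict[str, Set[Tuple[str, int]]]:
    """Return {customer: {(proto, dport), ...}} for every (customer, proto,
    dport) that reached more than `fanout` distinct destinations.  A client
    rarely touches that many hosts on one service port in one export
    interval; a scanning worm does little else."""
    dests: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    for f in flows:
        dests[(f.customer, f.proto, f.dport)].add(f.dst)
    flagged: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for (cust, proto, dport), hosts in dests.items():
        if len(hosts) > fanout:
            flagged[cust].add((proto, dport))
    return dict(flagged)


def octets_by_action(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Per customer, bytes the filter forwarded versus bytes it discarded."""
    out: Dict[str, Dict[str, int]] = defaultdict(lambda: {"delivered": 0, "dropped": 0})
    for f in flows:
        out[f.customer][f.action] += f.octets
    return dict(out)


def billable_octets(flows: List[Flow], policy: str) -> Dict[str, int]:
    """policy="line": bill everything that crossed the customer's line,
    including what the ISP's own filter then discarded.
    policy="delivered": bill only what the ISP actually forwarded."""
    if policy not in ("line", "delivered"):
        raise ValueError(f"unknown billing policy: {policy}")
    totals = octets_by_action(flows)
    return {
        cust: (t["delivered"] + t["dropped"]) if policy == "line" else t["delivered"]
        for cust, t in totals.items()
    }


if __name__ == "__main__":
    print("worm-like fan-out:", flag_scanners(SAMPLE_FLOWS))
    for policy in ("line", "delivered"):
        print(policy, billable_octets(SAMPLE_FLOWS, policy))
```

On the constructed sample the scan is the only flagged flow set, and the gap between the two policies for cust-17 is exactly the bytes the filter dropped; that gap is the amount DS is asking why the customer should pay for.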
RE: Even you can be hacked
But wouldn't an interocitor with electron sorter option give you much more reliable packet delivery...

Scott C. McGrath

On Fri, 11 Jun 2004, Fisher, Shawn wrote:

> Hmm, so you're on earth?
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Mike Walter
> Sent: Friday, June 11, 2004 5:03 PM
> To: nanog
> Subject: RE: Even you can be hacked
>
> Now you are just getting silly, we know Flux Capacitors don't work on
> earth.
>
> Mike Walter
>
> -Original Message-
> From: Matthew McGehrin [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 11, 2004 5:00 PM
> To: nanog
> Subject: was: Even you can be hacked
>
> Coupled with a Flux Capacitor for the ultimate in message delivery :)
>
> - Original Message -
> From: "Scott Stursa" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, June 11, 2004 4:44 PM
> Subject: Re: Even you can be hacked
>
> > Ah. A tunneling implementation.
> > You'll need a cold fusion generator to power that.
Re: Even you can be hacked
We'll agree to disagree on the majority of your post and your interpretation of the facts... However, this tidbit attracted my attention...

> Maybe the only bandwidth simile that could be appropriate would be to a car in the 1950's, one which was unsafe at any speed.

Yes... I have long felt that Micr0$0ft was the Exploding Pinto of the information super highway (yes, I realize that's a different unsafe car, but, bear with).

However, the ISP didn't sell the customer the computer. The ISP didn't install Windows on the computer or sell Windows to the customer. The ISP didn't install the malware on the computer. The ISP didn't have administrative rights to the computer.

Should the ISP have shut the customer off? Probably. I certainly would have. Are there ISPs that don't? You bet... Some because they are afraid to. Have ISPs been sued for turning off abusive or abusing customers? You bet. Is it prudent for an ISP to turn someone off? Depends on how you evaluate the risks involved. Either decision you make carries some risk.

Owen

--
If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
RE: Even you can be hacked
That is true, but only if they are placed in a DeLorean because they're filled with drugs.

Mike

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 5:10 PM
To: [EMAIL PROTECTED]
Subject: RE: Even you can be hacked

>>> [EMAIL PROTECTED] 6/11/04 3:02:42 PM >>>
>
> Now you are just getting silly, we know Flux Capacitors don't work on
> earth.

Sure they do, at least the ones made since 1985. I believe I remember a DeLorean that used one.

John
--
Re: Even you can be hacked
On Thu, 10 Jun 2004, Sean Donelan wrote:

: Did your computer have a power switch? Did you turn it off? Or did you
: continue to let it run up the bill? Yes, even the complete computer
: novice can stop a computer room. Turn off your computer. If you don't
: know how to fix it, take it to a repair store.
:
: If you leave your lights on, the electric company will send you a bill.
: If you leave your faucets running, the water company will send you a bill.
: If you leave your computer infected, ???

What the ISP failed to do in this case was protect their infrastructure from being abused by a worm, which would have also infected other customers from this user's host. That is to say, the worm caused them an alleged $11,000 loss because they failed to do anything to prevent it, after being made aware of the situation.

The ISP (I would say negligently) exposed themselves to absurd financial risk by continuing to provide service to a site which they knew to be abusing their resources. The reality of this situation is that if the bandwidth being used by the ISP was actually costing them $5000, let alone $11,000, it would have been grossly negligent from a financial perspective to allow the worm to continue consuming bandwidth.

The other reality is that bandwidth is not valuable enough for the ISP to declare an $11,000 loss unless they had booked the revenue before having some evidence they would receive it. That is, the ISP's accounting practices should be investigated if they are booking revenue that is effectively theoretical in light of the risks they knowingly accept regarding the odds of actually receiving it.

The leaving lights on/faucets running simile is inaccurate, as the burden of risk was acknowledged and borne by the ISP; in not taking steps to protect their infrastructure from loss, they got burned and are sticking the blame wherever they think it will stick. Exploiting someone's lack of technological sophistication to assign liability is disingenuous and possibly fraudulent.

Maybe the only bandwidth simile that could be appropriate would be to a car in the 1950's, one which was unsafe at any speed.

--
James Reid, CISSP
[OT] common list sense (Re: Even you can be hacked)
Paul Jamka [PJ] wrote:

> On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. [LFSJ] wrote:
>
> LFSJ> I'm on the list folks, if you send it to the list I'll get it.
> LFSJ> I don't need a copy to the list and Cc:'s until the end of time.
>
> PJ> Then set a Reply-To. Pretty simple.

In case no one else bothered to point this out: Not everyone who *posts* to NANOG *reads* nanog via email. For example, I read it via the web archive. For those like us, any presumption about replies to the list being read by us would be incorrect.

And since no one necessarily knows the current subscription status of everyone else, it actually makes sense to copy both the sender and the list. As Randy [Bush, of course] points out, if you don't like duplicate mail, you are free to use some kind of filter.

(Please don't bother replying. I am just attempting to get in the last blow before the equine perishes.)

Brian
RE: Even you can be hacked
the bottom line

o if you want the internet to continue to innovate, then the end-to-end model is critical. it means that it takes only X colluding end-points to deploy a new application which might be the next killer ap which drives your business. remember, email was not part of the original spec; http was not; jabber was not; ... this is in opposition to the telco model, where billions need to be spent upgrading a smart middle to do anything new. and guess who gets the profits, if any considering what the deployment did to capex and opex.

o this means that the network will also transport bad things; kinda like the phone network will carry obscene calls. damned shame, but that's the price you pay for liberty. or you can ask john poindexter (aka vigilante isps) to defend liberty for you and find all sorts of very unlovely and long term consequences.

o this moves the burden for security to the edges, to the site boundaries, which may not care if their users can be early adopters of the next wannabe killer ap, and to the end-points, the hosts themselves.

o but there are jillions of end-points; well yes, there are jillions of telephones too. and it's gonna be hell to clean up after the fact that they were designed without security, some have 80 jillion lines of code sitting on the laptops of naive users, blah blah. you want to support a free society, then the populace has to be educated. ain't no magic pixie dust here. they know how to recognize and maybe even report a 'breather' when they pick up the phone. well, they gotta recognize a bad attachment when they get the email. and the software vendors have to clean up the jillions of lines of cr^h^hsoftware they have on the end users' desktops. and they are, half out of clue and half out of the smell of liability. but it will take a while.

there ain't no free lunch.

randy, who is clearly thinking of lunch, or maybe just out to lunch
RE: Even you can be hacked
Hmm, so you're on earth?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mike Walter
Sent: Friday, June 11, 2004 5:03 PM
To: nanog
Subject: RE: Even you can be hacked

Now you are just getting silly, we know Flux Capacitors don't work on earth.

Mike Walter

-Original Message-
From: Matthew McGehrin [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 5:00 PM
To: nanog
Subject: was: Even you can be hacked

Coupled with a Flux Capacitor for the ultimate in message delivery :)

- Original Message -
From: "Scott Stursa" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 11, 2004 4:44 PM
Subject: Re: Even you can be hacked

> Ah. A tunneling implementation.
> You'll need a cold fusion generator to power that.
RE: Even you can be hacked
>>> [EMAIL PROTECTED] 6/11/04 3:02:42 PM >>>
>
> Now you are just getting silly, we know Flux Capacitors don't work on
> earth.

Sure they do, at least the ones made since 1985. I believe I remember a DeLorean that used one.

John
--
RE: Even you can be hacked
Now you are just getting silly, we know Flux Capacitors don't work on earth.

Mike Walter

-Original Message-
From: Matthew McGehrin [mailto:[EMAIL PROTECTED]
Sent: Friday, June 11, 2004 5:00 PM
To: nanog
Subject: was: Even you can be hacked

Coupled with a Flux Capacitor for the ultimate in message delivery :)

- Original Message -
From: "Scott Stursa" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 11, 2004 4:44 PM
Subject: Re: Even you can be hacked

> Ah. A tunneling implementation.
> You'll need a cold fusion generator to power that.
Re: Even you can be hacked
On Fri, 11 Jun 2004, Andy Dills wrote:

> On Fri, 11 Jun 2004, Henry Linneweh wrote:
>
> > Here is a list of very active ports that attempt to
> > hack into people's systems from various parts of the
> > world, China in particular.
> >
> > I think unassigned ports should be dropped from
> > routing
> > tables unless they are registered with the host and or
> > providers as to their legitimate use
>
> Better yet, we should hire illegal immigrants to hand deliver our packets!

Ah. A tunneling implementation.

> Or if you really wanted to get creative, you could bind the inverse
> multiplexer to the outflow of the negative ion generator. Just be careful
> not to cross your streams.

You'll need a cold fusion generator to power that.

This is starting to look like a meower thread in an unmoderated Usenet group.

- SLS

Scott L. Stursa                         850/644-2591
Network Security Officer                [EMAIL PROTECTED]
Academic Computing and Network Services
Florida State University
- No good deed goes unpunished -
RE: Even you can be hacked
This thread is quite amusing and interesting at the same time. If I read the original post right, Mr. Mike Bierstock was informed that he was generating an unusual amount of traffic, traffic he would have to pay for. He got the bill and had to deal with the consequences. What is wrong with that? Does it matter how this traffic was generated? Adi
Re: Even you can be hacked
On Fri, 11 Jun 2004, Henry Linneweh wrote:

> Here is a list of very active ports that attempt to
> hack into people's systems from various parts of the
> world, China in particular.
>
> I think unassigned ports should be dropped from
> routing
> tables unless they are registered with the host and or
> providers as to their legitimate use

Better yet, we should hire illegal immigrants to hand deliver our packets!

Or if you really wanted to get creative, you could bind the inverse multiplexer to the outflow of the negative ion generator. Just be careful not to cross your streams.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Re: Even you can be hacked
Randy Bush wrote:

> > I think unassigned ports should be dropped from
> > routing tables
>
> your wish is the internet's command. ports are no longer in routing tables.

Thank you

--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Re: Even you can be hacked
> I think unassigned ports should be dropped from
> routing tables

your wish is the internet's command. ports are no longer in routing tables.
Re: Even you can be hacked
Henry Linneweh wrote:

> Here is a list of very active ports that attempt to hack into people's
> systems from various parts of the world, China in particular.
>
> I think unassigned ports should be dropped from routing tables unless
> they are registered with the host and or providers as to their
> legitimate use
>
> smpnameres      901/tcp    SMPNAMERES
> smpnameres      901/udp    SMPNAMERES
> blackjack      1025/tcp    network blackjack
> blackjack      1025/udp    network blackjack
> cap            1026/tcp    Calender Access Protocol
> cap            1026/udp    Calender Access Protocol
> exosee         1027/tcp    ExoSee
> exosee         1027/udp    ExoSee
> #              1124-1154   Unassigned
> ssslic-mgr     1203/tcp    License Validation
> ssslic-mgr     1203/udp    License Validation
> ms-sql-s       1433/tcp    Microsoft-SQL-Server
> ms-sql-s       1433/udp    Microsoft-SQL-Server
> ms-sql-m       1434/tcp    Microsoft-SQL-Monitor
> ms-sql-m       1434/udp    Microsoft-SQL-Monitor
> #              6851-6887   Unassigned
> monkeycom      9898/tcp    MonkeyCom
> monkeycom      9898/udp    MonkeyCom
>
> And I need a list that shows who or what owns Dynamic and/or Private Ports
>
> -Henry
>
> --- "Laurence F. Sheldon, Jr." <[EMAIL PROTECTED]> wrote:
>
> > Andy Dills wrote:
> >
> > > On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
> > >
> > > > Jeff Shultz wrote:
> > > >
> > > > > But ultimately, _you_ are responsible for your own systems.
> > > >
> > > > Even if the water company is sending me 85% TriChlorEthane?
> > > >
> > > > Right. Got it. The victim is always responsible.
> > > >
> > > > There you have it folks.
> > >
> > > Change the word "victim" to "negligent party" and you're correct.
> > >
> > > Ignoring all of the analogies and metaphors, the bottom line is that
> > > ISPs are _not responsible_ for the negligence of their customers, and
> > > that ISPs are _not responsible_ for the _content_ of the packets we
> > > deliver. In fact, blocking the packets based on content would run
> > > counter to our sole responsibility: delivering the well-formed packets
> > > (ip verify unicast reverse-path) where they belong.
> > >
> > > Remember, we're service providers, not content providers. Unless your
> > > AUP or customer contract spells out security services provided (most
> > > actually go the other way and limit the liability of the service
> > > provider specifically in this event), then your customers have to pay
> > > you to secure their network (unless you feel like doing it for free),
> > > or they are responsible, period.
> > >
> > > As far as I'm concerned, that guy would have a better shot at suing
> > > Microsoft than challenging his bandwidth bill.
> > >
> > > Andy
> > >
> > > ---
> > > Andy Dills
> > > Xecunet, Inc.
> > > www.xecu.net
> > > 301-682-9972
> > > ---
> >
> > How many more of these do I need, do you think?
> >
> > --
> > Requiescas in pace o email
> >
> > Ex turpi causa non oritur actio
> >
> > http://members.cox.net/larrysheldon/

Thanks

--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Re: Even you can be hacked
Henry Linneweh wrote:

> Here is a list of very active ports that attempt to hack into people's
> systems from various parts of the world, China in particular.

Thank you.

> I think unassigned ports should be dropped from routing tables unless
> they are registered with the host and or providers as to their
> legitimate use
>
> smpnameres      901/tcp    SMPNAMERES
> smpnameres      901/udp    SMPNAMERES
> blackjack      1025/tcp    network blackjack
> blackjack      1025/udp    network blackjack
> cap            1026/tcp    Calender Access Protocol
> cap            1026/udp    Calender Access Protocol
> exosee         1027/tcp    ExoSee
> exosee         1027/udp    ExoSee
> #              1124-1154   Unassigned
> ssslic-mgr     1203/tcp    License Validation
> ssslic-mgr     1203/udp    License Validation
> ms-sql-s       1433/tcp    Microsoft-SQL-Server
> ms-sql-s       1433/udp    Microsoft-SQL-Server
> ms-sql-m       1434/tcp    Microsoft-SQL-Monitor
> ms-sql-m       1434/udp    Microsoft-SQL-Monitor
> #              6851-6887   Unassigned
> monkeycom      9898/tcp    MonkeyCom
> monkeycom      9898/udp    MonkeyCom
>
> And I need a list that shows who or what owns Dynamic and/or Private Ports
>
> -Henry
>
> --- "Laurence F. Sheldon, Jr." <[EMAIL PROTECTED]> wrote:
>
> > Andy Dills wrote:
> >
> > > On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
> > >
> > > > Jeff Shultz wrote:
> > > >
> > > > > But ultimately, _you_ are responsible for your own systems.
> > > >
> > > > Even if the water company is sending me 85% TriChlorEthane?
> > > >
> > > > Right. Got it. The victim is always responsible.
> > > >
> > > > There you have it folks.
> > >
> > > Change the word "victim" to "negligent party" and you're correct.
> > >
> > > Ignoring all of the analogies and metaphors, the bottom line is that
> > > ISPs are _not responsible_ for the negligence of their customers, and
> > > that ISPs are _not responsible_ for the _content_ of the packets we
> > > deliver. In fact, blocking the packets based on content would run
> > > counter to our sole responsibility: delivering the well-formed packets
> > > (ip verify unicast reverse-path) where they belong.
> > >
> > > Remember, we're service providers, not content providers. Unless your
> > > AUP or customer contract spells out security services provided (most
> > > actually go the other way and limit the liability of the service
> > > provider specifically in this event), then your customers have to pay
> > > you to secure their network (unless you feel like doing it for free),
> > > or they are responsible, period.
> > >
> > > As far as I'm concerned, that guy would have a better shot at suing
> > > Microsoft than challenging his bandwidth bill.
> > >
> > > Andy
> > >
> > > ---
> > > Andy Dills
> > > Xecunet, Inc.
> > > www.xecu.net
> > > 301-682-9972
> > > ---
> >
> > How many more of these do I need, do you think?
> >
> > --
> > Requiescas in pace o email
> >
> > Ex turpi causa non oritur actio
> >
> > http://members.cox.net/larrysheldon/

--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/
Re: Even you can be hacked
Here is a list of very active ports that attempt to hack into people's systems from various parts of the world, China in particular.

I think unassigned ports should be dropped from routing tables unless they are registered with the host and or providers as to their legitimate use

smpnameres      901/tcp    SMPNAMERES
smpnameres      901/udp    SMPNAMERES
blackjack      1025/tcp    network blackjack
blackjack      1025/udp    network blackjack
cap            1026/tcp    Calender Access Protocol
cap            1026/udp    Calender Access Protocol
exosee         1027/tcp    ExoSee
exosee         1027/udp    ExoSee
#              1124-1154   Unassigned
ssslic-mgr     1203/tcp    License Validation
ssslic-mgr     1203/udp    License Validation
ms-sql-s       1433/tcp    Microsoft-SQL-Server
ms-sql-s       1433/udp    Microsoft-SQL-Server
ms-sql-m       1434/tcp    Microsoft-SQL-Monitor
ms-sql-m       1434/udp    Microsoft-SQL-Monitor
#              6851-6887   Unassigned
monkeycom      9898/tcp    MonkeyCom
monkeycom      9898/udp    MonkeyCom

And I need a list that shows who or what owns Dynamic and/or Private Ports

-Henry

--- "Laurence F. Sheldon, Jr." <[EMAIL PROTECTED]> wrote:

> Andy Dills wrote:
>
> > On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
> >
> > > Jeff Shultz wrote:
> > >
> > > > But ultimately, _you_ are responsible for your own systems.
> > >
> > > Even if the water company is sending me 85% TriChlorEthane?
> > >
> > > Right. Got it. The victim is always responsible.
> > >
> > > There you have it folks.
> >
> > Change the word "victim" to "negligent party" and you're correct.
> >
> > Ignoring all of the analogies and metaphors, the bottom line is that
> > ISPs are _not responsible_ for the negligence of their customers, and
> > that ISPs are _not responsible_ for the _content_ of the packets we
> > deliver. In fact, blocking the packets based on content would run
> > counter to our sole responsibility: delivering the well-formed packets
> > (ip verify unicast reverse-path) where they belong.
> >
> > Remember, we're service providers, not content providers. Unless your
> > AUP or customer contract spells out security services provided (most
> > actually go the other way and limit the liability of the service
> > provider specifically in this event), then your customers have to pay
> > you to secure their network (unless you feel like doing it for free),
> > or they are responsible, period.
> >
> > As far as I'm concerned, that guy would have a better shot at suing
> > Microsoft than challenging his bandwidth bill.
> >
> > Andy
> >
> > ---
> > Andy Dills
> > Xecunet, Inc.
> > www.xecu.net
> > 301-682-9972
> > ---
>
> How many more of these do I need, do you think?
>
> --
> Requiescas in pace o email
>
> Ex turpi causa non oritur actio
>
> http://members.cox.net/larrysheldon/
Re: [OnTopic] common list sense (Re: Even you can be hacked)
On Fri, 11 Jun 2004 10:52:40 PDT, Steve Gibbard said:

> As an occasional poster to this and other lists, I sometimes get a few
> duplicate replies, which, being sent directly to me, end up in my regular
> mailbox instead of my NANOG folder, and thus require me to actively delete
> or sort through them. As an occasional issue, it seems like a natural
> result of sending out a message to a few thousand people. Not being all
> that important I often find it hard to believe that a few thousand people
> will want to read what I have to say, so I don't do it all that often.

Much more annoying are borked Out-of-Brain responders that annoy you when you post to a list because they don't understand the concept of a list.

What's really sad is when an Out-of-Brain responder manages to trigger my procmail duplicate detector.. ;)
Re: [OnTopic] common list sense (Re: Even you can be hacked)
a quick duplicate elimination in procmail is something like:

# keep a cache of Message-IDs seen so far; the W flag waits for the
# exit code, h feeds only the header, c works on a copy, and the lock
# file serialises concurrent deliveries
:0 Whc: msgid.lock
| formail -D 16384 msgid.cache

# if formail reports the Message-ID was already in the cache, the
# "a" flag fires this recipe and the duplicate is discarded
:0 a:
/dev/null

for me it's a substantial lifestyle improvement.

On Fri, 11 Jun 2004, Steve Gibbard wrote:

> I suspect most of us who are failing to feel Mr. Sheldon's pain on this
> just fail to understand the burden that's been placed on him by this
> problem.
>
> As an occasional poster to this and other lists, I sometimes get a few
> duplicate replies, which, being sent directly to me, end up in my regular
> mailbox instead of my NANOG folder, and thus require me to actively delete
> or sort through them. As an occasional issue, it seems like a natural
> result of sending out a message to a few thousand people. Not being all
> that important I often find it hard to believe that a few thousand people
> will want to read what I have to say, so I don't do it all that often.
>
> I can see, however, that some scaling issues would come into play here.
> If I have to spend a few minutes sorting out duplicate replies every few
> weeks after posting something to the list, it's not a big deal. Besides,
> if I've taken the time to write something and send it to a few thousand
> people, I generally want to know what people have to say about it. But,
> never having posted to the NANOG list eight times in less than two days, I
> can only imagine how the time spent dealing with duplicate replies would
> add up. Besides, coming up with that many things worth sending to a few
> thousand people, in such a short period of time, must be really time
> consuming. With such a busy posting schedule, should we be surprised that
> the time to deal with an unfathomable quantity of duplicate responses
> would be hard to come by?
>
> -Steve
>
> On Fri, 11 Jun 2004, Laurence F. Sheldon, Jr. wrote:
>
> > Paul Jakma wrote:
> >
> > > On Fri, 11 Jun 2004, Laurence F. Sheldon, Jr. wrote:
> > >
> > > > Really? My responsibility to make sure you control your outbound
> > > > mail. Got it.
> > >
> > > You really think everyone on this list should remember the preference of
> > > every other poster as to whether they do or do not want a direct copy?
> > > Maybe we could have a list on a web page and everyone could check the
> > > list before replying to a post. That'd be really useful. But wait,
> > > seeing as how we've got these new-fangled computer thingies that can
> > > take care of drudgery for us, how about we provide a way to allow the
> > > poster to specify what their preference is, and then other people's
> > > computers could automatically use that preference!
> > >
> > > Oh wait:
> > >
> > > http://www.freesoft.org/CIE/RFC/822/28.htm
> > >
> > > Someone already thought of that! In *1982*. Gosh, how prescient!
> >
> > Or the document is a little out-dated and replaced. But not your
> > responsibility huh?
> >
> > > (sorry if the sarcasm is a little thick, but I groan and shake my head
> > > every time someone posts to NANOG about how people should please stop
> > > including them in list replies. When I see someone who usually has a
> > > modicum of clue do same I just have to reply. :) )
> > >
> > > > Oh. Any suggestions on how to do that using my mailer?
> > >
> > > No idea, consult its documentation. I do ctrl+r in my MUA, in Netscape
> > > Communicator or Mozilla mail or Thunderbird you just add the address in
> > > a new field and click the drop down list and change the 'To' to 'Reply-To'
> > >
> > > If your mailer can not do something as simple as allow you to specify
> > > the Reply-To, I suggest you upgrade to something that is at least
> > > half-decent.
> > >
> > > > And I'll delete the other copy you sent me for you.
> > >
> > > That's another option I guess.
> > >
> > > > Where in RFC 2821 is this requirement, by the way? RFC 2822
> > > > says it is optional but seems to be less than useful in the
> > > > context here.
> > >
> > > Yes, of course Reply-To is optional. Absence of Reply-To indicates reply
> > > should go to sender.
> > >
> > > regards,
> >
> > --
> > Requiescas in pace o email
> >
> > Ex turpi causa non oritur actio
> >
> > http://members.cox.net/larrysheldon/

--
--
Joel Jaeggli              Unix Consulting              [EMAIL PROTECTED]
GPG Key Fingerprint:      5C6E 0104 BAF0 40B0 5BD3  C38B F000 35AB B67F 56B2
Re: [OnTopic] common list sense (Re: Even you can be hacked)
I suspect most of us who are failing to feel Mr. Sheldon's pain on this just fail to understand the burden that's been placed on him by this problem.

As an occasional poster to this and other lists, I sometimes get a few duplicate replies, which, being sent directly to me, end up in my regular mailbox instead of my NANOG folder, and thus require me to actively delete or sort through them. As an occasional issue, it seems like a natural result of sending out a message to a few thousand people. Not being all that important I often find it hard to believe that a few thousand people will want to read what I have to say, so I don't do it all that often.

I can see, however, that some scaling issues would come into play here. If I have to spend a few minutes sorting out duplicate replies every few weeks after posting something to the list, it's not a big deal. Besides, if I've taken the time to write something and send it to a few thousand people, I generally want to know what people have to say about it. But, never having posted to the NANOG list eight times in less than two days, I can only imagine how the time spent dealing with duplicate replies would add up. Besides, coming up with that many things worth sending to a few thousand people, in such a short period of time, must be really time consuming. With such a busy posting schedule, should we be surprised that the time to deal with an unfathomable quantity of duplicate responses would be hard to come by?

-Steve

On Fri, 11 Jun 2004, Laurence F. Sheldon, Jr. wrote:

> Paul Jakma wrote:
>
> > On Fri, 11 Jun 2004, Laurence F. Sheldon, Jr. wrote:
> >
> > > Really? My responsibility to make sure you control your outbound
> > > mail. Got it.
> >
> > You really think everyone on this list should remember the preference of
> > every other poster as to whether they do or do not want a direct copy?
> > Maybe we could have a list on a web page and everyone could check the
> > list before replying to a post. That'd be really useful. But wait,
> > seeing as how we've got these new-fangled computer thingies that can
> > take care of drudgery for us, how about we provide a way to allow the
> > poster to specify what their preference is, and then other people's
> > computers could automatically use that preference!
> >
> > Oh wait:
> >
> > http://www.freesoft.org/CIE/RFC/822/28.htm
> >
> > Someone already thought of that! In *1982*. Gosh, how prescient!
>
> Or the document is a little out-dated and replaced. But not your
> responsibility huh?
>
> > (sorry if the sarcasm is a little thick, but I groan and shake my head
> > every time someone posts to NANOG about how people should please stop
> > including them in list replies. When I see someone who usually has a
> > modicum of clue do same I just have to reply. :) )
> >
> > > Oh. Any suggestions on how to do that using my mailer?
> >
> > No idea, consult its documentation. I do ctrl+r in my MUA, in Netscape
> > Communicator or Mozilla mail or Thunderbird you just add the address in
> > a new field and click the drop down list and change the 'To' to 'Reply-To'
> >
> > If your mailer can not do something as simple as allow you to specify
> > the Reply-To, I suggest you upgrade to something that is at least
> > half-decent.
> >
> > > And I'll delete the other copy you sent me for you.
> >
> > That's another option I guess.
> >
> > > Where in RFC 2821 is this requirement, by the way? RFC 2822
> > > says it is optional but seems to be less than useful in the
> > > context here.
> >
> > Yes, of course Reply-To is optional. Absence of Reply-To indicates reply
> > should go to sender.
> >
> > regards,
>
> --
> Requiescas in pace o email
>
> Ex turpi causa non oritur actio
>
> http://members.cox.net/larrysheldon/
RE: Even you can be hacked
> At 7:07 PM -0700 2004-06-10, David Schwartz wrote: > > Most of the people on this list see things from the ISP's > > perspective. > > However, step back a bit and see it from the user's perspective. Do you > > expect to pay for phone calls you didn't make or do you expect > > the person > > whose deliberate conscious action caused those calls to be made? Do you > > expect to be responsible for patrolling your electric lines to > > make sure > > someone hasn't plugged into your outside outlets? > If you had a PBX in your home that was misconfigured and allowed > people to dial-in and then dial back out and get free long distance, > and your telephone company warned you about this weakness, forgives > your first month overages due to your being hacked, and yet you still > refused to fix the system, then you're toast. > > Under those circumstances, if someone makes $10M worth of long > distance calls via your PBX, then you're going to have to pay up. Of course, except in this case, the phone company can't easily tell the legitimate calls from the illegitimate ones and block only the illegitimate ones. Every analogy will break down, so don't expect to be able to convince people with analogies that seem so obviously right to you. Nothing is exactly accurate except the actual situation itself. And, again, almost every contract has some insurance elements to it. There will be unusual cases where it's actually possible for the utility to lose money if something unusual happens. My main point is that the understanding that seems so obviously right to you may not seem so obviously right to your customers. As for all the people who talk about turning off their DSL access when they're away from home, they're missing the point. Obviously a person could do that. We could shut off our electricity when we leave home. We could have our telephone service temporarily disabled when we go on vacation too. A person could do all of these things.
My point is that it's also perfectly reasonable for a person not to do these things. Because in general an ISP has more ability to control these things and it makes very little sense for a home user to insure an ISP, it makes more sense for the ISP to insure the user. In any unfortunate situation, you can find a hundred things that anyone could have done differently that would have avoided the situation. But that is not how you establish responsibility, financial or moral. You look at people who failed to use reasonable prudence. And, of course, the ISP always (or very nearly always) insures the user against the costs of inbound attack traffic that exceeds his line rate. The more demands you make of your customers, the more you decrease the value of your very own product. Frankly, if I ruled the world, obtaining Internet access would require a serious cluefulness test and you'd take a lot more responsibility for generated traffic. I know a lot of people on this list wish things were the same way and sometimes want it so much that they're able to convince themselves that this is the way things actually are in the real world today. But they're not, and you may find that outside your group of friends, your views are found to be very odd by the majority of 'normal' (but, admittedly, inferior) people. The arguments that seem so obviously right to you may be greeted by amusement and the analogies you think work will be found unconvincing. This is because this argument is largely about other people's expectations. DS
Re: [OnTopic] common list sense (Re: Even you can be hacked)
On Fri, 11 Jun 2004, Laurence F. Sheldon, Jr. wrote: Or the document a little out-dated and replaced. But not your responsibility huh? 822 might have been superseded, yes, however no newer standards track RFC has made Reply-To obsolete. My point was that Reply-To isn't something new, it's something I'd expect anyone on a network ops mailing list to know about and be able to use. (if they really wish to run the risk of other people accidentally mailing private correspondence to the Reply-To address). NB: The other thing you can do is filter your email into separate mailboxes, eg each list into a separate folder. If you do this, the direct copy will become useful. regards, -- Paul Jakma [EMAIL PROTECTED] [EMAIL PROTECTED] Key ID: 64A2FF6A warning: do not ever send email to [EMAIL PROTECTED] Fortune: Innovation is hard to schedule. -- Dan Fylstra
Re: [OnTopic] common list sense (Re: Even you can be hacked)
On Fri, 11 Jun 2004, Laurence F. Sheldon, Jr. wrote: Really? My responsibility to make sure you control your outbound mail. Got it. You really think everyone on this list should remember the preference of every other poster as to whether they do or do not want a direct copy? Maybe we could have a list on a web page and everyone could check the list before replying to a post. That'd be really useful. But wait, seeing as how we've got these new-fangled computer thingies that can take care of drudgery for us, how about we provide a way to allow the poster to specify what their preference is, and then other people's computers could automatically use that preference! Oh wait: http://www.freesoft.org/CIE/RFC/822/28.htm Someone already thought of that! In *1982*. Gosh, how prescient! (sorry if the sarcasm is a little thick, but I groan and shake my head every time someone posts to NANOG about how people should please stop including them in list replies. When I see someone who usually has a modicum of clue do same I just have to reply. :) ) Oh. Any suggestions on how to do that using my mailer? No idea, consult its documentation. I do ctrl+r in my MUA, in Netscape Communicator or Mozilla mail or Thunderbird you just add the address in a new field and click the drop down list and change the 'To' to 'Reply-To' If your mailer can not do something as simple as allow you to specify the Reply-To, I suggest you upgrade to something that is at least half-decent. And I'll delete the other copy you sent me for you. That's another option I guess. Where in RFC 2821 is this requirement, by the way? RFC 2822 says it is optional but seems to be less than useful in the context here. Yes, of course Reply-To is optional. Absence of Reply-to indicates reply should go to sender. regards, -- Paul Jakma [EMAIL PROTECTED] [EMAIL PROTECTED] Key ID: 64A2FF6A warning: do not ever send email to [EMAIL PROTECTED] Fortune: October 12, the Discovery.
It was wonderful to find America, but it would have been more wonderful to miss it. -- Mark Twain, "Pudd'nhead Wilson's Calendar"
Re: [OnTopic] common list sense (Re: Even you can be hacked)
On Fri, 11 Jun 2004, Randy Bush wrote: reply-to: headers are bad. Oh, on that I agree. There are draft RFCs to specify these things better, eg separating the concept of 'Reply-to' into one policy for list related replies and another for personal, mutt supports these drafts already[1], but there hasn't been much apparent movement in these drafts becoming standards track. (primarily because there are already similar headers defined and RFC standards tracked for NNTP readers/posters). 1. which can be annoying when dealing with mutt users. regards, -- Paul Jakma [EMAIL PROTECTED] [EMAIL PROTECTED] Key ID: 64A2FF6A warning: do not ever send email to [EMAIL PROTECTED] Fortune: The soul would have no rainbow had the eyes no tears.
Re: [OnTopic] common list sense (Re: Even you can be hacked)
Paul Jakma wrote: On Fri, 11 Jun 2004, Laurence F. Sheldon, Jr. wrote: Really? My responsibility to make sure you control your outbound mail. Got it. You really think everyone on this list should remember the preference of every other poster as to whether they do or do not want a direct copy? Maybe we could have a list on a web page and everyone could check the list before replying to a post. That'd be really useful. But wait, seeing as how we've got these new-fangled computer thingies that can take care of drudgery for us, how about we provide a way to allow the poster to specify what their preference is, and then other people's computers could automatically use that preference! Oh wait: http://www.freesoft.org/CIE/RFC/822/28.htm Someone already thought of that! In *1982*. Gosh, how prescient! Or the document a little out-dated and replaced. But not your responsibility huh? (sorry if the sarcasm is a little thick, but I groan and shake my head every time someone posts to NANOG about how people should please stop including them in list replies. When I see someone who usually has a modicum of clue do same I just have to reply. :) ) Oh. Any suggestions on how to do that using my mailer? No idea, consult its documentation. I do ctrl+r in my MUA, in Netscape Communicator or Mozilla mail or Thunderbird you just add the address in a new field and click the drop down list and change the 'To' to 'Reply-To' If your mailer can not do something as simple as allow you to specify the Reply-To, I suggest you upgrade to something that is at least half-decent. And I'll delete the other copy you sent me for you. That's another option I guess. Where in RFC 2821 is this requirement, by the way? RFC 2822 says it is optional but seems to be less than useful in the context here. Yes, of course Reply-To is optional. Absence of Reply-to indicates reply should go to sender. regards, -- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
Re: [OnTopic] common list sense (Re: Even you can be hacked)
On Fri, 11 Jun 2004 11:50:26 CDT, "Laurence F. Sheldon, Jr." said: > Where in RFC 2821 is this requirement, by the way? RFC 2822 > says it is optional but seems to be less than useful in the > context here. 2821 is about the SMTP side of things. By the time the MTA is handed a list of RCPT TO's, it's waaay past time to argue about Reply-to:. (As a matter of fact, careful reading of 2821 will reveal that there's no *specific* requirement that the stuff between the DATA and final '.' even be an 822-style e-mail - I've seen blecherous things that toss an X.400 blob around in there instead...) 2822 and related would be the right place, as that's about the 822-style headers on the mail itself. As already noted by several people, Reply-To: doesn't necessarily impose the proper semantics (and before anybody pipes up, Bernstein's "Mail-Followup-To:" isn't perfect either, *and* there's not even an active I-D for it, much less any sort of RFC).
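The Reply-To versus Mail-Followup-To distinction the thread is arguing about, as an added example in Python (not code from any of the posts above). The list address, the people's addresses and the sample headers are constructed for the illustration; the logic is RFC 2822's rule for a private reply (Reply-To if present, otherwise From) and the draft Mail-Followup-To convention for a list reply, falling back to a plain reply-all when the author set neither.

```python
"""Where should a reply go? RFC 2822 Reply-To versus the draft Mail-Followup-To.

Added example, not code from the thread. Addresses and headers are constructed."""
from email import message_from_string
from email.utils import getaddresses


def _addrs(msg, header):
    """Every address in every instance of `header`, lower-cased, in order."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def reply_targets(raw, mode, me=None):
    """Recipients for a reply to `raw`.

    mode="private": RFC 2822 3.6.2 says reply to Reply-To if present, else From.
    mode="list":    use Mail-Followup-To if the author set one (the draft
                    header mutt honours); otherwise do a plain reply-all.
    `me` (the replier's own address) is dropped; the rest is de-duplicated.
    """
    msg = message_from_string(raw)
    author = _addrs(msg, "Reply-To") or _addrs(msg, "From")
    if mode == "private":
        targets = author
    elif mode == "list":
        targets = _addrs(msg, "Mail-Followup-To") or author + _addrs(msg, "To") + _addrs(msg, "Cc")
    else:
        raise ValueError(f"unknown reply mode {mode!r}")
    seen, out = set(), []
    for addr in targets:
        if addr != (me or "").lower() and addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


# Constructed messages: the same post with no reply hint, with Reply-To set to
# the list (Paul's advice), and with Mail-Followup-To set to the list instead.
PLAIN = """\
From: Laurence Sheldon <larry@example.net>
To: nanog@example.org
Cc: Paul Jakma <paul@example.com>
Subject: Re: common list sense
Message-ID: <a1@example.net>

Why do I have to get two and three copies of each of these?
"""
WITH_REPLY_TO = PLAIN.replace("Subject:", "Reply-To: nanog@example.org\nSubject:", 1)
WITH_MFT = PLAIN.replace("Subject:", "Mail-Followup-To: nanog@example.org\nSubject:", 1)

ME = "paul@example.com"   # the person hitting reply (constructed)


def compare():
    """Targets for a private and a list reply to each variant, replying as ME."""
    return {name: (reply_targets(raw, "private", ME), reply_targets(raw, "list", ME))
            for name, raw in (("plain", PLAIN), ("reply-to", WITH_REPLY_TO), ("mft", WITH_MFT))}


if __name__ == "__main__":
    for name, (private, to_list) in compare().items():
        print(f"{name:9s} private -> {private}   list -> {to_list}")
```

Running it on the three constructed messages shows the trade-off the thread is circling: with no hint set, a list reply goes to both the list and the author (the duplicate copies Laurence complains about); with Reply-To pointed at the list, the duplicate disappears but a private reply also goes to the list (Randy's objection); only Mail-Followup-To separates the two cases, and only in MUAs that honour a header with no RFC behind it.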
Re: [OnTopic] common list sense (Re: Even you can be hacked)
reply-to: headers are bad. the replier can be sending to the list when they intended to reply privately. hence, many of us have our MTAs strip them before we even get the mail. again, procmail is your friend

# prevent dupes
#
:0 Wh: msgid.lock
| formail -D 65536 msgid.cache

randy
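The recipe above drops the second copy of a message by remembering Message-IDs in formail's cache. The same idea in Python, as an added example (not Randy's recipe and not formail itself), with constructed sample traffic: the direct Cc copy and the list copy of one post share a Message-ID, so whichever arrives second is dropped, while a message with no Message-ID at all is always kept. formail -D bounds its cache file in bytes; this cache is bounded by entry count, which is an assumption of the example rather than a property of formail.

```python
"""Message-ID based duplicate suppression, the formail -D idea in Python.

Added example, not code from the thread. Sample messages are constructed."""
from collections import OrderedDict
from email import message_from_string


class MessageIdCache:
    """Insertion-ordered set of Message-IDs with a fixed maximum size.

    The oldest entry is evicted first. Once an ID has aged out, a late
    duplicate is no longer recognised, so the bound is a real trade-off.
    """

    def __init__(self, max_entries=4096):
        self.max_entries = max_entries
        self._ids = OrderedDict()

    def seen_before(self, msgid):
        """True if msgid is already cached; otherwise record it and return False."""
        if msgid in self._ids:
            self._ids.move_to_end(msgid)      # keep recently seen IDs alive
            return True
        self._ids[msgid] = None
        if len(self._ids) > self.max_entries:
            self._ids.popitem(last=False)     # evict the oldest
        return False


def dedupe(raw_messages, cache=None):
    """Return (kept, dropped_ids): the first copy of each Message-ID is kept."""
    cache = cache if cache is not None else MessageIdCache()
    kept, dropped = [], []
    for raw in raw_messages:
        msg = message_from_string(raw)
        mid = (msg.get("Message-ID") or "").strip()
        # No Message-ID: never treat as a duplicate. A mis-behaving sender
        # should lose no mail, and an empty key must not match another empty key.
        if mid and cache.seen_before(mid):
            dropped.append(mid)
        else:
            kept.append(msg)
    return kept, dropped


# Constructed sample traffic: one reply arrives twice, once as the direct
# Cc copy and once via the list (extra List-* headers, same Message-ID).
DIRECT = """\
From: Paul Jakma <paul@example.com>
To: nanog@example.org
Cc: Laurence Sheldon <larry@example.net>
Message-ID: <m1@example.com>
Subject: Re: common list sense

Then set a Reply-To. Pretty simple..
"""
VIA_LIST = "List-Id: <nanog.example.org>\nList-Post: <mailto:nanog@example.org>\n" + DIRECT
OTHER = """\
From: Randy Bush <randy@example.org>
To: nanog@example.org
Message-ID: <m2@example.org>
Subject: Re: common list sense

reply-to: headers are bad.
"""
NO_ID = """\
From: broken-mua@example.net
To: nanog@example.org
Subject: no message-id at all

this one must never be dropped
"""


def demo():
    """Message-IDs of the kept messages, and the IDs that were dropped."""
    kept, dropped = dedupe([DIRECT, VIA_LIST, OTHER, NO_ID, NO_ID])
    return [m.get("Message-ID") for m in kept], dropped


if __name__ == "__main__":
    print(demo())   # (['<m1@example.com>', '<m2@example.org>', None, None], ['<m1@example.com>'])
```

Two caveats a practitioner would want stated: the Message-ID is chosen by the sender, so a reused or colliding ID silently discards the later message and nothing in this filter can tell that apart from a genuine duplicate; and because the cache is bounded, a duplicate that arrives after its ID has been evicted gets through, so size the cache (65536 bytes in the recipe above) for the list's traffic rather than for the smallest file that works.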
Re: Even you can be hacked
Andy Dills wrote: On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote: Jeff Shultz wrote: But ultimately, _you_ are responsible for your own systems. Even if the water company is sending me 85% TriChlorEthane? Right. Got it. The victim is always responsible. There you have it folks. Change the word "victim" to "negligent party" and you're correct. Ignoring all of the analogies and metaphors, the bottom line is that ISPs are _not responsible_ for the negligence of their customers, and that ISPs are _not responsible_ for the _content_ of the packets we deliver. In fact, blocking the packets based on content would run counter to our sole responsibility: delivering the well-formed packets (ip verify unicast reverse-path) where they belong. Remember, we're service providers, not content providers. Unless your AUP or customer contract spells out security services provided (most actually go the other way and limit the liability of the service provider specifically in this event), then your customers have to pay you to secure their network (unless you feel like doing it for free), or they are responsible, period. As far as I'm concerned, that guy would have a better shot at suing Microsoft than challenging his bandwidth bill. Andy --- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 --- How many more of these do I need, do you think? -- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
Re: [OnTopic] common list sense (Re: Even you can be hacked)
Paul Jakma wrote: On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote: Why do I have to get two and three copies of each of these? Because you haven't set a Reply-To header? Eg with the list as address? I'm on the list folks, if you send it to the list I'll get it. I don't need a copy to the list and Cc:'s until the end of time. Then set a Reply-To. Pretty simple.. regards, Really? My responsibility to make sure you control your outbound mail. Got it. Oh. Any suggestions on how to do that using my mailer? And I'll delete the other copy you sent me for you. Where in RFC 2821 is this requirement, by the way? RFC 2822 says it is optional but seems to be less than useful in the context here. -- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
[OT] common list sense (Re: Even you can be hacked)
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote: Why do I have to get two and three copies of each of these? Because you haven't set a Reply-To header? Eg with the list as address? I'm on the list folks, if you send it to the list I'll get it. I don't need a copy to the list and Cc:'s until the end of time. Then set a Reply-To. Pretty simple.. regards, -- Paul Jakma [EMAIL PROTECTED] [EMAIL PROTECTED] Key ID: 64A2FF6A warning: do not ever send email to [EMAIL PROTECTED] Fortune: Coding is easy; All you do is sit staring at a terminal until the drops of blood form on your forehead.
RE: Even you can be hacked
It all depends upon what the agreement between the customer and the ISP says. It's not unreasonable for the ISP to 'insure' the customer against risks he isn't able to mitigate which the ISP is, even if that means shutting off his service. True, to some extent, but... If someone blows up my water line and $1,000,000 worth of water is wasted, I don't think the water company is going to expect me to pay for it. This is especially true if the water company knew about the leak, could have done something to mitigate it, and failed to do so. Even if that means shutting off my water, that's what I'd expect them to do, shut it off until someone fixes it. Interesting theory. I don't expect that. I expect the water company to tell me how to shut off my water, or, possibly offer to come out and shut off my water for a fee. I don't expect them to turn the water off just to protect me from an outrageous bill if the problem is on my portion of the line. I do expect them to shut off your line when it blows up if it is causing a pressure drop which is affecting other customers, whether you want them to or not. Most of the people on this list see things from the ISP's perspective. However, step back a bit and see it from the user's perspective. Do you expect to pay for phone calls you didn't make or do you expect the person whose deliberate conscious action caused those calls to be made? Do you expect to be responsible for patrolling your electric lines to make sure someone hasn't plugged into your outside outlets? Well, as the step-parent of two teenage daughters, both of whom have cell phones purchased for them by my wife, I routinely pay for telephone calls I didn't make with no hope of getting said teenagers to ever pay the bill. I certainly don't expect the electric company to patrol my outside electrical outlets, and, yes, when someone plugged into one of mine, I did get billed by the power company. Why should they pay for it? They delivered the electricity to me.
What I did with it afterwards (in this case, giving it to someone else I didn't expect or condone) is my problem. For most classes of service, it makes the most sense to only charge the customer for the traffic he wants and have the ISP take the responsibility for dealing with attacks to the extent they can do so. This is because the customer can't afford to hire a full time person to guard his always-on DSL connection while he's away for two weeks but his ISP can. This may mean that you're disconnected until they can coordinate with you -- such is life. If the customer is sending the traffic to the ISP (the issue in this case), then the ISP has no ability to drop the traffic before it arrives at the ISP router. The ISP, in this case, acted responsibly and informed the customer of their problem. They were even gracious enough to give the customer credit for some period of time. The ISP in this case did not control the CPE, it was the customer's CPE. As such, the customer is responsible for maintaining and configuring the CPE to do any desired blocking. Just be aware, your customers may not have the same expectations you do, and you should make your understanding *very* clear to your customers in your contracts. I don't make anything for customers in contracts... We have a sales department and a legal department that do that. I make routers deliver packets, and, sometimes, I even have to make routers not deliver packets. Sometimes, I help sales and legal figure out how to explain things to customers. Once in a while, I help them clarify that in the contract. Fortunately, for the most part, I run routers, not contracts. I like it better that way. However, I will say that the customers I have dealt with on the technical level have generally expected us to deliver packets, and, expected to pay for packets we deliver according to their agreement. 
When they ask us to block something, we do, but, I have never had a customer expect not to pay for their infected system AFTER we told them they were spewing. YMMV, Owen -- If it wasn't crypto-signed, it probably didn't come from me.
Re: Even you can be hacked
On Thu, Jun 10, 2004, David Schwartz wrote: > > Take some responsibility. > > How does a person with a DSL line at home take responsibility if he's away > for a month? Is he supposed to hire someone? The same way I did it when I went on holiday. I turned off the DSL router. Adrian -- Adrian Chadd <[EMAIL PROTECTED]> I'm only a fanboy if I emailed Wesley Crusher.
RE: Even you can be hacked
> On Jun 10, 2004, at 10:07 PM, David Schwartz wrote: > > It all depends upon what the agreement between the customer and the > > ISP > > says. It's not unreasonable for the ISP to 'insure' the customer against > > risks he isn't able to mitigate which the ISP is, even if that means > > shutting off his service. > While it may not be unreasonable, it is also not unreasonable for the > ISP to *not* insure the customer against such risks. > > It all depends. :) Well, it depends upon the class of service. For lower classes of service, it's generally a non-issue because the service isn't billed based upon usage. But I would argue that for low-end service (like home DSL) that is billed based upon usage, it's unreasonable for the ISP to bill customers for attack traffic. Obviously, it's possible that someone could offer this and get a customer to agree to it, but I'd be really suspicious as to whether they actually had a meeting of the minds with the customer about the consequences. > Also, you did not really address my question: Are you willing to sell > me the service I asked for above? I've acted as a negotiator for several companies who were looking to obtain connectivity. I've had no trouble negotiating agreements where the customer does not pay for attack traffic. Some companies want a 'per incident' fee, some don't. Usually these fees are reasonable and include firewalls and tracking and other things that are worth paying for. You can certainly get flat rate connections and you can get connections where if your service goes over X dollars, they rate limit you unless you agree to let more in. Yes, you can get almost any combination of service features. Obviously, some cost more than others. However, you can certainly get your ISP to insure you if you want. Heck, buy a flat rate 100Mbps line from any carrier and they're paying for any attack traffic over 100Mbps. Put in a filter and they're paying to carry all the attack traffic to the filter.
> > Most of the people on this list see things from the ISP's > > perspective. > > However, step back a bit and see it from the user's perspective. Do you > > expect to pay for phone calls you didn't make or do you expect the > > person > > whose deliberate conscious action caused those calls to be made? Do you > > expect to be responsible for patrolling your electric lines to make > > sure > > someone hasn't plugged into your outside outlets? > > Actually, I Am Not An Isp. (Yes, that is really what it stands for.) > I do see things from a user perspective. And I still do not agree with > you. > > For instance, I do believe if someone comes by and plugs something into > an outside socket on my house that I should pay the bill. The power > was used, it cost something, and the power company sure as hell was not > responsible. Of course, if I can find the culprit, I can force him to > pay. But that does not mean the power company should eat the > difference. It does if the person got to your house over the power company's lines. It does if the power company knows about it. Unfortunately, every analogy breaks down. > Take some responsibility. How does a person with a DSL line at home take responsibility if he's away for a month? Is he supposed to hire someone? > This whole thing reminds me of when we were > kids and I loaned my middle brother my walkman. He left it on the > floor where my baby brother was playing - who promptly smashed it with > some random toy and destroyed it. My middle brother claimed it was not > his fault, my baby brother did it. I was out a walkman (big bux in > those days!), but I learned a valuable lesson: Never trust someone who > is not willing to take responsibility. Certainly it was both of their faults and you're technically entitled to collect from either of them. > Since you seem to disagree with me, care to put your money where your > mouth is? Sell me a service where I only pay for what I expect.
I'm > happy to have you shut me off if you notice traffic out of profile, but > don't expect me to pay more than what I think I should. Oh, and you > should be prepared to turn the service back on when I "fix" the problem > (even if it is just going to happen again, and again, and again, and > again...). As I said, this kind of service is *definitely* available. You can get flat rate service where you only pay what for traffic you expect. You can get service where you can set a rate limit dynamically. You can get service where filters are put up at your whim and you do not pay for traffic that hits the filters. I think you're mostly being glib with clauses like "more than what I think I should", but it is definitely possible to negotiate contracts where you don't pay for attack traffic. It is definitely possible to negotiate contracts where there's a fixed maximum you can pay. In fact, I've never seen a contract that makes the customer responsible for at
Re: Even you can be hacked
On Jun 10, 2004, at 11:49 PM, David Krikorian wrote: Sometimes the provider shares the responsibility with the offender. For example, I can't get my telephone demark inside my house, so it is unlocked, and open to all comers. This is not, nor has ever been within my control. Since I'm not allowed to secure the line it is the provider, who prevents me from having a vaguely secured line, who enabled the theft of service, and should take some share of the responsibility. Not a valid comparison. The ISP did not leave the Internet line outside your house, nor have they any responsibility to secure your systems. In fact, most users would get upset at a provider meddling in their systems. Similarly, if I'm under an attack that is consuming my bandwidth, I'd expect to be responsible for if I had a way of gauging the bandwidth (to detect the abuse) and if the ISP did its part to shut down the attack. You have your router, it gives you stats. And what part is the ISP supposed to do to shut down an attack? Did you pay for the ISP to monitor your line and proactively shut down an attack? Did you give the ISP permission to filter traffic of certain types? If you get /.'ed or run a promotion on your web site and the ISP filters the traffic as an attack, will you be upset? If I complained to the ISP about the attack, and nothing were done about it in a reasonable amount of time, driving up my cost for the month (or two) due to bursting, I would be unwilling to take responsibility for the added cost. The ISP's delay resulted in the ISP charging me more money. I think most reasonable people would consider that extra charge to be undeserved, unfair, and unreasonable. If you ask the ISP to take action and they do not, it is a _TOTALLY_ different story. Of course, in the original post, the ISP informed the end user of his problem, and even forgave his first month's bill. Wouldn't you say the ISP was being more than nice?
I think one metric of "reasonableness" is how big a surprise the added cost would be. If my phone/electric/net bill is double for one month, that's an unpleasant surprise, but not a big deal. If it consumes my whole month's paycheck and I didn't knowingly contribute to the overrun, I will be outraged (and possibly bankrupt). Service companies generally don't want to outrage (or bankrupt) their customers. That's a fine metric, but by no means a perfect one. Many companies have "flash crowds", get /.'ed, run promotions, get mentioned in a blog somewhere, etc., etc., etc. The resulting traffic can be very out-of-profile, but still very wanted. Nice ISPs call or e-mail the customer and mention this change. But there is no responsibility to do so in any contract I have seen that does not include extra charges for security purposes. Take some responsibility. Yes, when that responsibility doesn't already belong to someone else who can be held accountable, and/or when I had some warning in advance of the risk I was taking. You signed a contract that said you would pay for usage. Therefore you had warning. You are over 18, you are supposed to know what you are doing when you sign a contract. (And if you don't, no one cares anyway. :) As for someone else being held accountable, that depends on your definition of "can be held accountable". The worm writers are "accountable" in my book, but they cannot "be held accountable" because they will likely never be caught. (And if they are, no way will they be able to pay.) Should the ISP have to pay their transit bill while you get to blame a faceless perpetrator? Or do you hold any responsibility and need to pay for the bandwidth your system consumed on the line you agreed to purchase, whether you personally sent the bits or not? -- TTFN, patrick
Re: Even you can be hacked
Ahhh, here it is... :) On Jun 10, 2004, at 10:07 PM, David Schwartz wrote: On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote: Uh, no, I wrote this part. :) The "victim" in the case Sean posted knew he had a worm, got some of his first bill forgiven, yet did nothing to correct it and acts surprised when the same thing happens the next month. YES, he is at fault. Anyone who thinks differently .. uh .. can I buy b/w from you? :) Oh, and since you feel responsible, I'm only going to pay for the amount of traffic I think I should have gotten on my web page, even if I get /.'ed or something. Does $25/Mbps sound good? I plan to use about 1 Mbps, but I will need an un-rate-limited GigE connection. It all depends upon what the agreement between the customer and the ISP says. It's not unreasonable for the ISP to 'insure' the customer against risks he isn't able to mitigate which the ISP is, even if that means shutting off his service. While it may not be unreasonable, it is also not unreasonable for the ISP to *not* insure the customer against such risks. It all depends. :) Also, you did not really address my question: Are you willing to sell me the service I asked for above? Most of the people on this list see things from the ISP's perspective. However, step back a bit and see it from the user's perspective. Do you expect to pay for phone calls you didn't make or do you expect the person whose deliberate conscious action caused those calls to be made? Do you expect to be responsible for patrolling your electric lines to make sure someone hasn't plugged into your outside outlets? Actually, I Am Not An Isp. (Yes, that is really what it stands for.) I do see things from a user perspective. And I still do not agree with you. For instance, I do believe if someone comes by and plugs something into an outside socket on my house that I should pay the bill. The power was used, it cost something, and the power company sure as hell was not responsible.
Of course, if I can find the culprit, I can force him to pay. But that does not mean the power company should eat the difference. Take some responsibility. This whole thing reminds me of when we were kids and I loaned my middle brother my walkman. He left it on the floor where my baby brother was playing - who promptly smashed it with some random toy and destroyed it. My middle brother claimed it was not his fault, my baby brother did it. I was out a walkman (big bux in those days!), but I learned a valuable lesson: Never trust someone who is not willing to take responsibility. Since you seem to disagree with me, care to put your money where your mouth is? Sell me a service where I only pay for what I expect. I'm happy to have you shut me off if you notice traffic out of profile, but don't expect me to pay more than what I think I should. Oh, and you should be prepared to turn the service back on when I "fix" the problem (even if it is just going to happen again, and again, and again, and again...). -- TTFN, patrick
Re: Even you can be hacked
On Jun 10, 2004, at 10:21 PM, Laurence F. Sheldon, Jr. wrote: David Schwartz wrote: On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote: The "victim" in the case Sean posted knew he had a worm, got some of his first bill forgiven, yet did nothing to correct it and acts surprised when the same thing happens the next month. YES, he is at fault. Anyone who thinks differently .. uh .. can I buy b/w from you? :) Oh, and since you feel responsible, I'm only going to pay for the amount of traffic I think I should have gotten on my web page, even if I get /.'ed or something. Does $25/Mbps sound good? I plan to use about 1 Mbps, but I will need an un-rate-limited GigE connection. I do not believe there is credible evidence that I wrote any of that. No, I did. Not sure why it got quoted as you, especially since I did not even see David's post quoting it. Back on topic, offer still stands. Who wants to sell me b/w and take responsibility for anything over what I expect to get / send? It seems there are several people on this list who think the user is not responsible for things like attack traffic, and I would very much like to purchase the services of one or more of them. -- TTFN, patrick
Re: Even you can be hacked
David Schwartz wrote: On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote: The "victim" in the case Sean posted knew he had a worm, got some of his first bill forgiven, yet did nothing to correct it and acts surprised when the same thing happens the next month. YES, he is at fault. Anyone who thinks differently .. uh .. can I buy b/w from you? :) Oh, and since you feel responsible, I'm only going to pay for the amount of traffic I think I should have gotten on my web page, even if I get /.'ed or something. Does $25/Mbps sound good? I plan to use about 1 Mbps, but I will need an un-rate-limited GigE connection. I do not believe there is credible evidence that I wrote any of that. -- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
RE: Even you can be hacked
> On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote:
> The "victim" in the case Sean posted knew he had a worm, got some of
> his first bill forgiven, yet did nothing to correct it and acts
> surprised when the same thing happens the next month. YES, he is at
> fault. Anyone who thinks differently .. uh .. can I buy b/w from you?
> :) Oh, and since you feel responsible, I'm only going to pay for the
> amount of traffic I think I should have gotten on my web page, even if
> I get /.'ed or something. Does $25/Mbps sound good? I plan to use
> about 1 Mbps, but I will need an un-rate-limited GigE connection.

It all depends upon what the agreement between the customer and the ISP says. It's not unreasonable for the ISP to 'insure' the customer against risks he isn't able to mitigate which the ISP is, even if that means shutting off his service.

If someone blows up my water line and $1,000,000 worth of water is wasted, I don't think the water company is going to expect me to pay for it. This is especially true if the water company knew about the leak, could have done something to mitigate it, and failed to do so. Even if that means shutting off my water, that's what I'd expect them to do, shut it off until someone fixes it.

Most of the people on this list see things from the ISP's perspective. However, step back a bit and see it from the user's perspective. Do you expect to pay for phone calls you didn't make or do you expect the person whose deliberate conscious action caused those calls to be made? Do you expect to be responsible for patrolling your electric lines to make sure someone hasn't plugged into your outside outlets?

For most classes of service, it makes the most sense to only charge the customer for the traffic he wants and have the ISP take the responsibility for dealing with attacks to the extent they can do so. This is because the customer can't afford to hire a full time person to guard his always-on DSL connection while he's away for two weeks but his ISP can. This may mean that you're disconnected until they can coordinate with you -- such is life.

Just be aware, your customers may not have the same expectations you do, and you should make your understanding *very* clear to your customers in your contracts.

DS
Re: Even you can be hacked
Thus spake "Crist Clark" <[EMAIL PROTECTED]>
> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
> or the ISP?

Until a patch was available or filter was installed, most ISPs would eat it as a gesture of good will (but they have no obligation to do so). A customer who fails to implement the _available_ security measures is negligent, particularly after they've been informed there's a problem and they make a conscious choice not to do anything about it.

In the case of Mr. Liber, I totally side with the ISP for about the first 30 days. After that, they should have disabled or capped Mr. Liber's account (totally kosher, as he hadn't paid his outstanding bill) to prevent him from running up further charges that any rational person would know he's unlikely to pay for. Shame on both parties.

> So how about this analogy: Someone breaks into my house and spends a few
> hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier?
> Neither of us was negligent.

A few years ago my cell phone was stolen, and before I was able to report it to the carrier several hours of calls were made to a foreign country. The carrier ate all the calls between when the phone was stolen and when their customer service center opened; I ate the calls that occurred after that. Seems totally reasonable, even if it did cost me ~$50.

Once you have discovered or been notified there is a problem, _you_ are responsible for fixing it or you implicitly agree to pay the price of not fixing it. As the song goes, "If you choose not to decide/You still have made a choice". If one is not yet aware of the problem (and there's no reasonable expectation one should have been), I think there's room for debate, but that's not relevant to the discussion of Mr. Liber.

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723             people. Smart people surround themselves with
K5SSS                  smart people who disagree with them." --Aaron Sorkin
Re: Even you can be hacked
james edwards wrote:

>> Sean Donelan wrote:
>>
>>> If you leave your lights on, the electric company will send you a bill.
>>
>> If the neighbor taps into your power lines after the meter...?
>
> Not a reasonable argument. It is expected that unpatched hosts will get
> infected and it has been well reported on how users should protect
> themselves. A neighbor tapping another's power is not something that
> occurs often. It is not reasonable to expect this to happen. It's not
> even a reasonable argument.

Suppose your neighbor is running wide open wireless...

Jeff
Re: Even you can be hacked
> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
> or the ISP?

Widget Inc is still negligent. It is their server. They could have placed the server behind a firewall. The firewall could have been doing layer 7 inspection and noticed the 0-day event. They could also be running an IDS which would detect such an event and notify a network administrator. The point is there are MANY ways to protect systems and to be notified in an event.

As an ISP I would overlook a couple days worth of billing if my customer was responsible/reactive to the event. If they refuse to fix the problems they should be held liable. If we notice worm traffic entering our network from our customer we shut them down then notify them. We protect our network first, then we help with theirs.

No matter how you slice it people need to be responsible for their own actions or inactions. Widget Inc could have chosen a different OS, Web server, etc. that didn't have that particular 0-day event. Customers have choices, they need to be responsible for the choices they make. I can guide them in good design up to a certain extent for free. I'll design/build for them for a fee. IT is always the first cut in a budget crunch; bean counters overlook IT issues. The problem is the way you run your network affects other networks. You can save $30,000 today and spend $100,000 in repairs for a failure, your choice.

> So how about this analogy: Someone breaks into my house and spends a few
> hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier?
> Neither of us was negligent.

Do you ever expect to call Hong Kong? No, call your LD carrier before the fact and block all international calls from your line. You can also put an access code on your outbound calls or block everything and use a calling card. You chose to make it easy for yourself, you get hacked, you should pay.

> [0] Unless someone can prove the software flaw was sloppy enough that it
> constitutes negligence and goes after the software authors. Good luck
> with that.

Software flaw or not. Design your network so you have safeguards in place. Have other machines watching for irregular traffic, set off pagers when your traffic goes 300% above normal. Pay for a network engineer to watch it and make it better. React to problems, don't turn a blind eye and hope it all goes away. Come on, whatsup gold is cheap enough, SNMP monitor your switch traffic and set off pagers using thresholds, it really isn't that hard.

I'm rambling, the root of the problem is not IT or MS or the Internet. It is society and everyone doing the bare minimum. Going with the least common denominator is not a way to live your life, run your business or your network. I'll take the high road, thank you very much. I have little patience for people who do not expend the effort complaining and looking for handouts from those that do.

> --
> Crist J. Clark [EMAIL PROTECTED]
> Globalstar Communications (408) 933-4387
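The post above closes by recommending SNMP threshold alerting on switch traffic. As an added example (not code from the post, nor from WhatsUp Gold or any other product it mentions), the Python below turns a series of polled interface octet-counter readings into per-interval bit rates, handles the 32-bit counter wrap that bites exactly when a link gets busy, and flags intervals whose rate exceeds a multiple of the pre-incident baseline. The poll samples, the 5-minute interval and the 3x reading of "300% above normal" are all constructed assumptions.

```python
"""Counter-based traffic threshold alerting.

Added example for the "set off pagers when your traffic goes 300% above
normal ... SNMP monitor your switch traffic and set off pagers using
thresholds" advice in the post above. This is not code from the post or
from any product it mentions. The counter samples are constructed; in a
real deployment they would come from polling an interface octet counter
(IF-MIB ifOutOctets, 32-bit, or ifHCOutOctets, 64-bit) every few minutes.
"""
from dataclasses import dataclass
from statistics import mean

COUNTER32_MODULUS = 2 ** 32


def counter_delta(prev, cur, modulus=COUNTER32_MODULUS):
    """Octets counted between two successive readings of a monotonically
    increasing counter, allowing for one wrap through zero. A 32-bit
    octet counter wraps in under six minutes on a saturated 100 Mbps
    link, so a naive cur - prev goes wrong exactly when the link is
    busiest, which is the moment an alert matters."""
    if cur >= prev:
        return cur - prev
    return modulus - prev + cur


def rates_from_samples(samples, modulus=COUNTER32_MODULUS):
    """samples: list of (timestamp_seconds, octet_counter) in poll order.
    Returns the average bits per second for each polling interval."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be strictly increasing in time")
        rates.append(counter_delta(c0, c1, modulus) * 8 / (t1 - t0))
    return rates


@dataclass
class Alert:
    interval: int        # index into the rate list
    rate_bps: float
    baseline_bps: float


def check_thresholds(rates, warmup, multiplier):
    """Flag every interval after the first `warmup` whose rate exceeds
    `multiplier` times the mean of those warmup intervals (the 'normal'
    level). The multiplier is a parameter: '300% above normal' can be read
    as 3x or 4x baseline, and the caller below assumes 3x."""
    if warmup < 1 or len(rates) <= warmup:
        return []
    baseline = mean(rates[:warmup])
    return [Alert(i, r, baseline)
            for i, r in enumerate(rates)
            if i >= warmup and r > multiplier * baseline]


# Constructed samples: a 5-minute poll of a customer port that normally
# pushes about 1 Mbps, then starts spewing 10 Mbps of worm scan traffic.
# The counter sits close to 2**32 so that the jump in traffic also wraps it.
SAMPLES = [
    (0,    4_000_000_000),
    (300,  4_037_500_000),
    (600,  4_075_000_000),
    (900,  4_112_500_000),
    (1200, 4_150_000_000),
    (1500, 4_187_500_000),
    (1800, 4_225_000_000),
    (2100,   305_032_704),   # wrapped: 4_600_000_000 - 2**32
    (2400,   680_032_704),
]


def run_example():
    """Compute rates over SAMPLES and return the alerts that would page."""
    return check_thresholds(rates_from_samples(SAMPLES), warmup=5, multiplier=3.0)


if __name__ == "__main__":
    for a in run_example():
        print(f"interval {a.interval}: {a.rate_bps / 1e6:.1f} Mbps "
              f"(baseline {a.baseline_bps / 1e6:.1f} Mbps) -> page on-call")
```

The baseline here is a fixed warm-up window, which is the simplest thing that works for a demonstration; a production monitor would use a rolling or time-of-day baseline so that a slow ramp cannot quietly become the new "normal".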
Re: Even you can be hacked
Andy Dills wrote:

> Keep in mind, this guy's ISP, like many (most?) ISPs would do, gave the
> guy a serious break on the first jaw-dropping bill.

Why do I have to get two and three copies of each of these? I'm on the list folks, if you send it to the list I'll get it. I don't need a copy to the list and Cc:'s until the end of time.

But since I am here, let me also ask that we keep in mind that if this guy is anything like folks close to home here, his ISP requires him to run a current version of IE, OE and NT of some kind. He hooked that up, his ISP delivered a successful attack on the combination.

Now, let's stop the movie and identify the negligent parties and the responsible parties. No huge bill yet, no infected anybody else yet.

> But if you're the phone company, and a customer mysteriously has somebody
> break into their house month after month to call Hong Kong for a few
> hours, do you really think they're going to keep voiding those charges?
> Clearly the customer is negligent, even if another party is directly
> responsible.
>
> Speaking for Xecunet, we offer both capped and metered billing packages,
> and we always make a point of offering customers a capped solution when
> something like this happens. If they decline, we make sure they
> understand that in the future they will be liable for 100% of the
> packets coming from their port, regardless of the circumstances. Maybe
> we should start putting this in writing, but it hasn't really been a
> problem.
>
> Andy
>
> ---
> Andy Dills
> Xecunet, Inc.
> www.xecu.net
> 301-682-9972
> ---

--
Requiescas in pace o email
Ex turpi causa non oritur actio
http://members.cox.net/larrysheldon/
Re: Even you can be hacked
** Reply to message from Crist Clark <[EMAIL PROTECTED]> on Thu, 10 Jun 2004 14:54:07 -0700

> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
> or the ISP?

Just out of curiosity, what was the last 0-Day (not that I've heard of any, really) that made itself obvious by chewing up tons of bandwidth? Most of the nasty worms seem to be the ones that either do some efficient social engineering, or exploit a hole MS patched 6 months ago.

In any case, I expect it would be negotiated on a case by case basis. But Widgets Inc. would be operating from a position of weakness. Regardless of the circumstances, their systems did use the bandwidth.

> So how about this analogy: Someone breaks into my house and spends a few
> hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier?
> Neither of us was negligent.

Depends on how nice your LD carrier is - with a police report they might cut you some slack. Otherwise... how many parents have been stuck with the bills for their teenage kids' $200+ SMS bills?

--
Jeff Shultz
A railfan pulls up to a RR crossing hoping that there will be a train.
Re: Even you can be hacked
I completely agree that the customers in these cases should be held responsible for the services they purchased from their ISPs. Let's all try to keep in mind that the two customers mentioned in the article as being on the receiving end of large bills were businesses, not consumers. In the course of running his "small high-tech company," Mr. Liber could have hired a part-time IT guy to watch over his systems and keep them patched and healthy. Doing so could have cost him less than the $85,000 his ISP billed him for. He also could have procured liability insurance for his business. Perhaps he also could have bought a firewall, or a better one. Any of these options would have cost Mr. Liber's business some money. He appears to have chosen instead to accept higher business risk in exchange for a higher potential profit margin. And, when the bills arrived, he could have chosen to pay them. Instead, he chose to file for bankruptcy. Each step of the way, he had options, and he made his choices as he saw fit. Was this truly negligence, or a calculated business risk? -DaveU
Re: Even you can be hacked
On Thu, 10 Jun 2004, Crist Clark wrote:

>> Change the word "victim" to "negligent party" and you're correct.
>
> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
> or the ISP?

That's between the customer and Widgets Inc. The ISP is certainly not legally obligated to eat the cost of the bandwidth. They may choose to do so in the interest of furthering the business relationship, but that only covers so many bits.

> So how about this analogy: Someone breaks into my house and spends a few
> hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier?
> Neither of us was negligent.

Keep in mind, this guy's ISP, like many (most?) ISPs would do, gave the guy a serious break on the first jaw-dropping bill. But if you're the phone company, and a customer mysteriously has somebody break into their house month after month to call Hong Kong for a few hours, do you really think they're going to keep voiding those charges? Clearly the customer is negligent, even if another party is directly responsible.

Speaking for Xecunet, we offer both capped and metered billing packages, and we always make a point of offering customers a capped solution when something like this happens. If they decline, we make sure they understand that in the future they will be liable for 100% of the packets coming from their port, regardless of the circumstances. Maybe we should start putting this in writing, but it hasn't really been a problem.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Re: Even you can be hacked
> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
> or the ISP?

1. In Sean's example, clearly the customer was a negligent party.

2. If Widgets Inc. doesn't promptly disconnect their system from the network upon notification of the problem, and/or fails to fix the system before reconnecting it to the network, then they have become a negligent party.

3. Although there's no real obligation for ISPs to do so, most that I know will eat it on the customer's behalf until some reasonable amount of time after they told the customer. That is exactly what happened in the case Sean brought up, except, the ISP ate it for far longer than reasonable.

> So how about this analogy: Someone breaks into my house and spends a few
> hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier?
> Neither of us was negligent.

Well... When I had a similar situation, the phone company tried very hard to tell me it was my problem. Finally, I found out what had happened, and provided them with photographs of a person tapping into lines from the junction on my pole and making phone calls. They did give me credit at that point, but, it took a lot of convincing and I got lucky with a camera.

> [0] Unless someone can prove the software flaw was sloppy enough that it
> constitutes negligence and goes after the software authors. Good luck
> with that.

Actually, I'd say that anyone who hasn't signed Micr0$0ft's EULA and is a victim of the crap their software ends up spewing has a pretty good case against them for negligence at this point, but, IANAL.

Owen

--
If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
Re: Even you can be hacked
--On Thursday, June 10, 2004 16:31 -0400 Alex Rubenstein <[EMAIL PROTECTED]> wrote:

> On Thu, 10 Jun 2004, Crist Clark wrote:
>
>> Sean Donelan wrote:
>>
>>> If you leave your lights on, the electric company will send you a bill.
>>
>> If the neighbor taps into your power lines after the meter...?
>
> That will be a criminal matter between you and your neighbour.

Technically, it's a civil matter between you and your neighbor, but, it could also be a criminal matter between the district attorney and your neighbor.

>>> If you leave your faucets running, the water company will send you a
>>> bill. If you leave your computer infected, ???
>>
>> If you lose your credit card and someone runs up thousands of dollars
>> in charges, the credit card company sends you a bill... But you can at
>> most be held responsible for $50.
>
> Which is a 'feature' of most credit cards, irrelevant to criminal law.

We're not talking about criminal law here, for the most part. We're talking about civil law. There are laws specific to credit cards and credit fraud that have absolutely no applicability to internet usage. I think we can generally agree that the internet looks much more like a utility than it looks like a revolving charge account.

Owen

--
If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
Re: Even you can be hacked
Andy Dills wrote:

> On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
>
>> Jeff Shultz wrote:
>>
>>> But ultimately, _you_ are responsible for your own systems.
>>
>> Even if the water company is sending me 85% TriChlorEthane?
>>
>> Right. Got it. The victim is always responsible.
>>
>> There you have it folks.
>
> Change the word "victim" to "negligent party" and you're correct.

It would be great if there always was a negligent party, but there is not always one. If Widgets Inc.'s otherwise ultra-secure web server gets 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc. or the ISP?

So how about this analogy: Someone breaks into my house and spends a few hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier? Neither of us was negligent.

[0] Unless someone can prove the software flaw was sloppy enough that it constitutes negligence and goes after the software authors. Good luck with that.

--
Crist J. Clark [EMAIL PROTECTED]
Globalstar Communications (408) 933-4387
Re: Even you can be hacked
--On Thursday, June 10, 2004 11:11 -0700 Mark Kent <[EMAIL PROTECTED]> wrote:

>> But ultimately, _you_ are responsible for your own systems.
>
> When I detect abusive behavior coming from a customer site then it is
> my responsibility to make sure that doesn't affect the rest of the world.

To some extent, yes. I agree that his ISP should have shut him down much earlier than they did, but, I suspect this guy would be pretty unhappy about that, too.

> Also, if I know how to fix it at source and the customer doesn't know
> then it's my responsibility to make sure the customer has the tools and
> resources to fix it. How fast it gets fixed is not a primary concern
> because of the previous paragraph.

I'm less convinced of this. Certainly, it's the nice thing to do, but, I'm not convinced you have any responsibility. It's what I would do. It's the neighborly thing to do. It's the good customer service thing to do. All of those things put it in a very different context than "I have a responsibility".

> Parallels to fire/water/electricity/etc. don't quite work because there
> is a big difference between the worm that came out yesterday and the
> National Electrical Codes that came out last century.

Yes and no. If a customer starts dumping dirty power onto the electric grid, believe me, it will cause problems for other customers almost as quickly (although over a smaller area) as yesterday's worm. If the sanitary sewer develops a clog at the end of the street, it is the neighbor at the bottom of the hill that will suffer when the neighbor at the top of the hill flushes.

The analogies at least work in terms of who has responsibility for fixing the machine. It is not your responsibility to fix your customer's machine unless that is an additional service they have contracted you for. I don't want my ISP telling me how to run my machine, nor do I want them controlling what packets I do and don't receive. Customers who do want those services should be able to find ISPs that offer them as a value add. I don't want them, and I would be angered if they were dictated to me.

Owen

--
If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
Re: Even you can be hacked
Your contract with the water company is for them to deliver you water. They make a best effort to do just that, but, inherently, there's stuff besides dihydrogen-oxide in your water. In most parts of the US, for the most part, the other stuff isn't significant and nobody worries about it. However, if you have a broken toilet that leaks, there is not a single water company on the planet that will forgive your bill for the water that leaked through it.

On the other hand, generally, your contract with your ISP says that you expect them to deliver packets destined for your IP address to your system and that you expect them to accept packets from your computer system and deliver them to the rest of the internet. You've contracted for the internet, not for water. The internet contains worms, viruses, hackers, spammers, and the like. It is well known, and, expected behavior of the internet. You have not contracted your ISP to run your system for you. You have contracted them to deliver packets.

In the scenario described, the "victim" was a victim of his own actions. The ISP was generous in forgiving his bill(s) at first, but, he chose not to fix the toilet. He could have fixed the toilet at any time and yet, for months, he chose not to. Why should the ISP pay the costs incurred because he chose to continue to run a system he knew was infected and chose not to fix?

Owen
Re: Even you can be hacked
> Look at it from this perspective: it's the responsibility of the various
> Departments of Transportation (and other Governmental and Private
> authorities) to upkeep roads, but it's not their job to fix your car. If
> your car is broken, you may be stopped by a police officer, but he's not
> going to fix your car either. That's the user's responsibility.

i have a tee shirt from about '96 which says "we build the information superhighway. we don't fix your car."
Re: Even you can be hacked
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:

> Jeff Shultz wrote:
>
>> But ultimately, _you_ are responsible for your own systems.
>
> Even if the water company is sending me 85% TriChlorEthane?
>
> Right. Got it. The victim is always responsible.
>
> There you have it folks.

Change the word "victim" to "negligent party" and you're correct.

Ignoring all of the analogies and metaphors, the bottom line is that ISPs are _not responsible_ for the negligence of their customers, and that ISPs are _not responsible_ for the _content_ of the packets we deliver. In fact, blocking the packets based on content would run counter to our sole responsibility: delivering the well-formed packets (ip verify unicast reverse-path) where they belong. Remember, we're service providers, not content providers.

Unless your AUP or customer contract spells out security services provided (most actually go the other way and limit the liability of the service provider specifically in this event), then your customers have to pay you to secure their network (unless you feel like doing it for free), or they are responsible, period.

As far as I'm concerned, that guy would have a better shot at suing Microsoft than challenging his bandwidth bill.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Re: Even you can be hacked
I suspect I might be come after with pitchforks for this analogy, but here goes... ;)

Look at it from this perspective: it's the responsibility of the various Departments of Transportation (and other Governmental and Private authorities) to upkeep roads, but it's not their job to fix your car. If your car is broken, you may be stopped by a police officer, but he's not going to fix your car either. That's the user's responsibility.

---
Adam Debus
Network Engineer, ReachONE Internet
[EMAIL PROTECTED]
Re: Even you can be hacked
I think we're drifting from the original point here.. What it boils down to is this:

If I have a DS3 to a provider in my office and my provider notifies me that I have a worm, is it my provider's responsibility to fly someone out here to help me fix my systems? No. I'm the guy controlling them and I'm the one who has to take the responsibility.

So what if I don't know how? Well, surely they can advise me where to look for the requisite information. And if that's insufficient, I can contact a consultant to come in and help me clean up my network but that's the key, it's MY network and MY job.

My service provider is responsible for transporting the traffic. Even if it's "bad" traffic. I'm the one who is responsible for making sure that the traffic originating from my network is the traffic I *want* to originate from my network. Obviously, if the provider chooses to implement policies (such as cable modem providers and so forth) that restrict the type of traffic I'm allowed to source, that's their business. It's still my job to make sure that my servers are clean.

On Thu, Jun 10, 2004 at 01:17:46PM -0700, Crist Clark wrote:
>
> Sean Donelan wrote:
>
>> If you leave your lights on, the electric company will send you a bill.
>
> If the neighbor taps into your power lines after the meter...?
>
>> If you leave your faucets running, the water company will send you a bill.
>> If you leave your computer infected, ???
>
> If you lose your credit card and someone runs up thousands of dollars
> in charges, the credit card company sends you a bill... But you can at
> most be held responsible for $50.
>
> Does that really mean anything with respect to Mr. Donelan's quoted
> article? Not really. But neither do electric and water bills.
>
> I have some sympathy for the malware victim. But I don't expect the
> ISP to eat all of the costs. The article is more balanced than the
> selected quotes portray.
> --
> Crist J. Clark [EMAIL PROTECTED]
> Globalstar Communications (408) 933-4387

---
Wayne Bouchard
[EMAIL PROTECTED]
Network Dude
http://www.typo.org/~web/
Re: Even you can be hacked
>> Sean Donelan wrote:
>>
>>> If you leave your lights on, the electric company will send you a bill.
>>
>> If the neighbor taps into your power lines after the meter...?

Not a reasonable argument. It is expected that unpatched hosts will get infected and it has been well reported on how users should protect themselves. A neighbor tapping another's power is not something that occurs often. It is not reasonable to expect this to happen. It's not even a reasonable argument.

--
James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
[EMAIL PROTECTED]
[EMAIL PROTECTED]
(505) 795-7101
Re: Even you can be hacked
On Thu, 10 Jun 2004, Crist Clark wrote:

> Sean Donelan wrote:
>
>> If you leave your lights on, the electric company will send you a bill.
>
> If the neighbor taps into your power lines after the meter...?

That will be a criminal matter between you and your neighbour.

>> If you leave your faucets running, the water company will send you a bill.
>> If you leave your computer infected, ???
>
> If you lose your credit card and someone runs up thousands of dollars
> in charges, the credit card company sends you a bill... But you can at
> most be held responsible for $50.

Which is a 'feature' of most credit cards, irrelevant to criminal law.

--
Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben
--
Net Access Corporation, 800-NET-ME-36, http://www.nac.net
--
Re: Even you can be hacked
Sean Donelan wrote:

> If you leave your lights on, the electric company will send you a bill.

If the neighbor taps into your power lines after the meter...?

> If you leave your faucets running, the water company will send you a bill.
> If you leave your computer infected, ???

If you lose your credit card and someone runs up thousands of dollars in charges, the credit card company sends you a bill... But you can at most be held responsible for $50.

Does that really mean anything with respect to Mr. Donelan's quoted article? Not really. But neither do electric and water bills.

I have some sympathy for the malware victim. But I don't expect the ISP to eat all of the costs. The article is more balanced than the selected quotes portray.

--
Crist J. Clark [EMAIL PROTECTED]
Globalstar Communications (408) 933-4387
Re: Even you can be hacked
Laurence F. Sheldon, Jr. wrote:

> Even if the water company is sending me 85% TriChlorEthane?
>
> Right. Got it. The victim is always responsible.
>
> There you have it folks.

Are they really a victim though? In Sean's post the person had fair warning. The problem in this day and age is the terrible lack of self responsibility. That and the fact that a large percentage of people are just plain lazy, which makes for a bad combination. Instead of taking action it's much easier to just be lazy and blame someone else. Victims are innocent bystanders, not excuse makers.
RE: Even you can be hacked
Laurence F. Sheldon, Jr. wrote:

> Even if the water company is sending me 85% TriChlorEthane?
> Right. Got it. The victim is always responsible.
> There you have it folks.

Ok. Being responsible as network manager, if I think something is strange and neither I nor my staff can fix it, I call for help. Either vendor support, a good consultant, or community help.

In many cases the victim always has some portion of responsibility. If I leave a Windows 2000 server SP 0 with no security fixes on my network, get it hacked and have a lawsuit because XYZ company caught a hacker attack from it, who is the victim? Who is responsible? This may be exactly what that guy did.

I think Sean sent out the California law reference last year that said the VICTIM of a security breach must report it to their customers...

I think we have a lot of operational issues that we must look at here.. What do we do? Many AUPs I have seen would have shut down that customer, if someone complained. Does this mean that if we go to a for-profit bandwidth charge system, we let people destroy others with the worms they have, for money, because we would be charging for the worm attack?

Jim
Re: Even you can be hacked
** Reply to message from "Laurence F. Sheldon, Jr." <[EMAIL PROTECTED]> on Thu, 10 Jun 2004 13:06:43 -0500

> Jeff Shultz wrote:
>
>> But ultimately, _you_ are responsible for your own systems.
>
> Even if the water company is sending me 85% TriChlorEthane?
>
> Right. Got it. The victim is always responsible.
>
> There you have it folks.

A. Straw man
B. Apple/Kumquat argument

Who is the victim here? The user whose computer was infected due to their own lack of responsibility (and was not fixed... remember that part, _was_not_fixed_), or the ISP who isn't going to get a rebate on their upstream bandwidth bill that was in turn inflated by that customer.

--
Jeff Shultz
A railfan pulls up to a RR crossing hoping that there will be a train.
Re: Even you can be hacked
On Thu, Jun 10, 2004 at 01:06:43PM -0500, Laurence F. Sheldon, Jr. wrote:
>
> Jeff Shultz wrote:
>
>> But ultimately, _you_ are responsible for your own systems.
>
> Even if the water company is sending me 85% TriChlorEthane?
>
> Right. Got it. The victim is always responsible.
>
> There you have it folks.
>

...the distinction btwn content, delivery systems, and customer owned equipment.

context shifting... anyone (else) remember when all kit that touched the telephone network was owned by the telco? ... and ostensibly why?

bit-pipes are a -very- comfortable business model; "we just pass the bits, we don't mess w/ them" - pushes the mitigation issues elsewhere and/or opens new business opportunities.

of course neither my mother nor my daughters know or care about gcc ... and they pay to have someone to blame.

--bill
Re: Even you can be hacked
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:

>> But ultimately, _you_ are responsible for your own systems.
>
> Even if the water company is sending me 85% TriChlorEthane?

Which water company is sending you 85% TriChlorEthane? More than likely it's your next door neighbor with a defective system leaking it. The water company didn't put TriChlorEthane in the water, someone else did.

> Right. Got it. The victim is always responsible.

Who is the perpetrator and who is the victim? The mistake is trying to put the blame on one of the parties, which isn't responsible for it. Blaming the water company simply distracts you from fixing the real problem, your neighbor's chemical waste dump.

If your ISP tells you your computer is infected, do you have any responsibility to fix your computer? If you fail to fix your computer, or have it fixed, are you still an "innocent" victim or have you become part of the problem? Have you become the chemical waste dump, and you are now responsible for dumping 85% TriChlorEthane in your neighbor's water?
Re: Even you can be hacked
On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote:
> Jeff Shultz wrote:
> > But ultimately, _you_ are responsible for your own systems.
>
> Even if the water company is sending me 85% TriChlorEthane?
>
> Right. Got it. The victim is always responsible.
>
> There you have it folks.

The "victim" in the case Sean posted knew he had a worm, got some of his first bill forgiven, yet did nothing to correct it and acts surprised when the same thing happens the next month. YES, he is at fault. Anyone who thinks differently .. uh .. can I buy b/w from you? :)

Oh, and since you feel responsible, I'm only going to pay for the amount of traffic I think I should have gotten on my web page, even if I get /.'ed or something. Does $25/Mbps sound good? I plan to use about 1 Mbps, but I will need an un-rate-limited GigE connection.

Back on topic, most users get upset when you do things like block ports because it breaks random crap they want to use. If you want something open, then you are responsible for what crawls through. If you want the b/w provider to protect you, then ask them. Just be prepared to pay, because b/w prices these days do not include security services.

OTOH, as a good netizen, the upstream might want to cut off those users spewing to the rest of the 'Net. :)

--
TTFN,
patrick
Re: Even you can be hacked
>> But ultimately, _you_ are responsible for your own systems.

When I detect abusive behavior coming from a customer site then it is my responsibility to make sure that doesn't affect the rest of the world. Also, if I know how to fix it at source and the customer doesn't know then it's my responsibility to make sure the customer has the tools and resources to fix it.

How fast it gets fixed is not a primary concern because of the previous paragraph.

Parallels to fire/water/electricity/etc. don't quite work because there is a big difference between the worm that came out yesterday and the National Electrical Codes that came out last century.

-mark
Re: Even you can be hacked
Jeff Shultz wrote:
> But ultimately, _you_ are responsible for your own systems.

Even if the water company is sending me 85% TriChlorEthane?

Right. Got it. The victim is always responsible.

There you have it folks.
Re: Even you can be hacked
** Reply to message from "Laurence F. Sheldon, Jr." <[EMAIL PROTECTED]> on Thu, 10 Jun 2004 12:39:41 -0500

> Sean Donelan wrote:
> >
> > Does the water company fix your toilet if it leaks water? Or do you call
> > a plumber?
>
> On the other hand, if the water company was sending pollutants in the
> water you bought, there was a perceived responsibility upon the water
> company.
>
> Now, which broken metaphor (leaky toilet, pollutant contaminated
> stream) best fits the problem at hand?
>
> Take all the time you need, we will wait.

That's an easy one. Leaky toilet - a properly maintained toilet doesn't leak and waste water, no matter what is in the inflow. If you want to drink from your toilet, that's your problem.

We offer spam and virus filtering. We block many of the popular worm access ports at the edge and core (which can be a real pain). We offer a CD full of firewall, AV, and anti-spyware programs for the asking.

But ultimately, _you_ are responsible for your own systems.

--
Jeff Shultz
A railfan pulls up to a RR crossing hoping that there will be a train.
Re: Even you can be hacked
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
> > Does the water company fix your toilet if it leaks water? Or do you call
> > a plumber?
>
> On the other hand, if the water company was sending pollutants in the
> water you bought, there was a perceived responsibility upon the water
> company.

The plumbing code requires water consumers to have/install/maintain backflow prevention valves at the customer's expense to prevent pollutants from one customer from affecting the water supply.

Water companies issue "boil orders" but usually don't shut off the water supply if the water fails to meet EPA standards. In that case it is the responsibility of the user to boil the water before drinking or using in cooking.

Almost every ISP has a "boil order" in their terms and conditions.
Re: Even you can be hacked
Sean Donelan wrote:
> Does the water company fix your toilet if it leaks water? Or do you call
> a plumber?

On the other hand, if the water company was sending pollutants in the water you bought, there was a perceived responsibility upon the water company.

Now, which broken metaphor (leaky toilet, pollutant contaminated stream) best fits the problem at hand?

Take all the time you need, we will wait.

--
Requiescas in pace o email
Ex turpi causa non oritur actio
http://members.cox.net/larrysheldon/