Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On Tue, Jun 08, 2010 at 11:14:10PM -0700, Paul Ferguson wrote:

> To cut through the noise and non-relevant discussion, let's see if we
> can boil this down to a couple of issues:
>
> 1. Should ISPs be responsible for abuse from within their customer base?

No and no. The first no being legally, the second, morally. The user is responsible for the abuse. Now, if the question had been whether the ISP should be responsible for dealing with it appropriately, then the answer would be yes.

Of course, when it comes to the legal aspect, it would probably vary from country to country. No, let me rephrase that: it _does_ vary from country to country, and probably also state to state. However, to hold someone else responsible for a person's criminal activity would be just plain wrong, as long as the ISP's part in the activity is only to give their customer access to networks and services that every other customer also gets access to.

> 2. Should hosting providers also be held responsible for customers who
> abuse their services in a criminal manner?

No. For several reasons. First, the hosting provider normally does not have too much control over what the customers actually do. If someone complains, or they detect something through audits or similar, that is different. But even then, there will be certain problems. How does the hosting provider know that something is, in fact, criminal? In some cases, that may be obvious, but there will be cases where the case is not so clear. If the provider might be held responsible for something their customers do, they might decide to remove legal content 'just in case'.

Also, who would determine whether something is illegal or not? Tech support? The admin? I doubt that any of those are able to determine something that courts tend to spend a lot of time and resources on.

> I think anyone in their right mind would agree that if a provider sees
> criminal activity, they should take action, no?

Not necessarily.

Again, this would of course depend on the laws in the given state or country. However, people disagree on what is considered legal or not. If everyone _had_ agreed on this, the courts would have had less work. It is the responsibility of the judicial system to determine whether someone is breaking the law or not. For commercial companies to start making that sort of judgement is, at least in my opinion, _not_ a good thing.

-- 
Ina Faye-Lund
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On Tue, Jun 08, 2010 at 11:14:10PM -0700, Paul Ferguson wrote:

> 1. Should ISPs be responsible for abuse from within their customer base?

Yes -- if they wish to be considered at least minimally professional. The principle is: if it comes from your host/network on your watch, it's your abuse.

Given that many common forms of abuse are easily identified, and in many cases easily prevented with cursory due diligence upfront, there's really no excuse for what we see on a regular basis. Abusers have learned that they don't have to make the slightest effort at concealment or subtlety; even the most egregious and obvious instances can operate with impunity for extended periods of time. [1]

As I've often said, spam (to pick one form of abuse) does not just magically fall out of the sky. If I can see it arriving on one of my networks, then surely someone else can see it leaving theirs... if only they bother to look. And of course in many cases they need not even do that, because others have already done it for them and generously published the results or furnished them to the RFC2142-designated contact address for abuse issues.

---Rsk

[1] One would think, for example, that many ISPs and web hosts would have learned by now that when a new customer fills a /24 with nonsensically named domains or with sequentially numbered domains, the spam will start any minute now. But fresh evidence arrives every day suggesting that this is still well beyond their capabilities.
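As an added illustration of the heuristic in footnote [1] (constructed example code, not anything Rsk or the list posted), here is a Python check an abuse desk could run over the domain names a new customer has placed in a block. The sample names, the run-length and vowel-ratio thresholds, and the 'review' output are all assumptions made up for the example:

```python
"""Score the domain names a new customer has placed in an address block.

Constructed example: a block filled with sequentially numbered domains, or
with nonsensical names, is flagged for a manual look by the abuse desk.
Thresholds and sample names are made up for the example.
"""
import re
from collections import defaultdict

# second-level label ending in digits: "bestoffer12" -> ("bestoffer", 12)
SEQ_RE = re.compile(r"^([a-z-]*?)(\d+)$")


def second_level_label(domain):
    """'shop.example' -> 'shop'; comparison is done on this label only."""
    return domain.lower().split(".")[0]


def sequential_runs(domains, min_run=5):
    """Map stem -> longest run of consecutive numbers seen for that stem.

    Only stems whose longest run reaches min_run are returned, so a tidy
    customer with www1/www2 does not trigger anything.
    """
    numbers = defaultdict(set)
    for d in domains:
        m = SEQ_RE.match(second_level_label(d))
        if m:
            numbers[m.group(1)].add(int(m.group(2)))
    runs = {}
    for stem, nums in numbers.items():
        ordered = sorted(nums)
        best = cur = 1
        for a, b in zip(ordered, ordered[1:]):
            cur = cur + 1 if b == a + 1 else 1
            best = max(best, cur)
        if best >= min_run:
            runs[stem] = best
    return runs


def looks_nonsensical(label):
    """Crude random-string test: 8+ letters with fewer than 20% vowels."""
    letters = re.sub(r"[^a-z]", "", label.lower())
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def score_customer_block(domains):
    """Return a small report; 'review' is True when a manual look is due."""
    runs = sequential_runs(domains)
    gibberish = [d for d in domains if looks_nonsensical(second_level_label(d))]
    findings = []
    if runs:
        desc = ", ".join(f"{stem or '(number only)'} x{n}"
                         for stem, n in sorted(runs.items()))
        findings.append("sequential numbering: " + desc)
    if domains and len(gibberish) / len(domains) >= 0.5:
        findings.append(f"{len(gibberish)}/{len(domains)} names look random")
    return {"domains": len(domains), "findings": findings,
            "review": bool(findings)}


# Constructed samples: a tidy customer, one numbering its domains, one random.
TIDY = ["www.example", "www2.example", "mail.example", "shop.example"]
NUMBERED = [f"bestoffer{i}.example" for i in range(1, 13)] + ["xkqzvbtrpw.example"]
RANDOM = ["xkqzvbtrpw.example", "mnbvcxzlkj.example",
          "qwrtypsdfg.example", "zxcvbnmqwr.example"]

if __name__ == "__main__":
    for name, block in ("tidy", TIDY), ("numbered", NUMBERED), ("random", RANDOM):
        print(name, score_customer_block(block))
```

The two signals are deliberately crude; the point is that the data needed to spot the pattern Rsk describes is already in the provider's own provisioning records.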
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On Jun 8, 2010, at 11:14 PM, Paul Ferguson wrote:

> To cut through the noise and non-relevant discussion, let's see if we
> can boil this down to a couple of issues:
>
> 1. Should ISPs be responsible for abuse from within their customer base?

Yes, but there should be an exemption from liability for ISPs that take action to resolve the situation within 24 hours of first awareness (by either internal detection or external report).

> 1a. If so, how?

Unless exempt as I suggested above, they should be financially liable for the cleanup costs and damages to all affected systems. They should be entitled to recover these costs from the responsible customer through a process like subrogation.

> 2. Should hosting providers also be held responsible for customers who
> abuse their services in a criminal manner?

Absolutely, with the same exemptions specified above.

> 2.a If so, how?

See my answer to 1a above.

> I think anyone in their right mind would agree that if a provider sees
> criminal activity, they should take action, no?

Yes.

> If that also holds true, then why doesn't it happen?

Because we don't inflict any form of liability or penalty when they fail to do so.

Owen
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
> 1. Should ISPs be responsible for abuse from within their customer base?

Not sure; ISPs' role is just to move packets from A to B. You need to clearly define what constitutes abuse and how much of it is considered a crime. If I call your home every five minutes to harass you over the phone, is ATT responsible?

> 1a. If so, how?

Pull the plug without looking at how much you are billing.

> 2. Should hosting providers also be held responsible for customers who
> abuse their services in a criminal manner?

Same as 1.

> 2.a If so, how?

Same as 1a.

> I think anyone in their right mind would agree that if a provider sees
> criminal activity, they should take action, no?
>
> If that also holds true, then why doesn't it happen?

What incentive do they have to do so? And how liable do they become if they do something without a court order or such?

> Providers in the U.S. are the worst offenders of hosting/accommodating
> criminal activities by Eastern European criminals. Period.

Probably true, here money talks.

Cheers
Jorge
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
:I think anyone in their right mind would agree that if a provider sees
:criminal activity, they should take action, no?

What a provider should do and what makes sense under the law of the land are two different things.

:If that also holds true, then why doesn't it happen?

The laws pertaining to what's required of people when witnessing a crime vary by locality within the U.S. I dunno how they work for the rest of the NANOG audience. What is required of people versus what's required of corporate entities varies, too. Good Samaritan laws are hardly universal, and don't always play well with the other laws of the land.

Things can get ugly when some murky behavior gets retroactively deemed a crime (perhaps by some tech-challenged judge or jury) and a provider becomes an accessory after the fact. "You mean, the DMCA makes THAT illegal?!?"

Or, perhaps a provider tries to take some small action in the face of a crime, then is deemed to have a special relationship making them liable for not being quite helpful enough. "You mean, I have to rebuild my entire network because my customer support rep has reported bad behavior to the authorities?"

Ultimately, acting on crime is a rat's nest. Some providers have enough trouble dealing with attacks from Pax0rland, extracting sane prices for last-mile service, evaluating/deploying new technology, keeping up with all the off-topic emails on NANOG, etc.

Raise the bar so the least-paid front-line rep requires a "customer support within the law" class. Create a legal climate where the only way it makes sense to provide bits involves a big army of attorneys and lobbyists to define the regulatory climate. Let's make total provider consolidation a reality... then we won't need those pesky 32-bit ASNs. :)

Back to work...

-- 
Michael J. O'Connor                                        m...@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
Not baked goods, professor... baked BADS!                          -The Tick
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On 6/9/2010 01:14, Paul Ferguson wrote:
> To cut through the noise and non-relevant discussion, let's see if we
> can boil this down to a couple of issues:

If I may offer a few edits and comments.

> 1. Should ISPs be responsible for abuse from within their customer base?

1. Should ISPs be responsible for every thing from within their customer base?

> 1a. If so, how?

[Good question. The answers will be hard, and some of the answers will seem to some to be against their own self interest. How does a toll-road operator do it? An inn-keeper?]

> 2. Should hosting providers also be held responsible for customers who
> abuse their services in a criminal manner?

[A legal question--is the inn keeper responsible for the harm to you of a meth lab he allows to operate in the room next to yours?]

> 2.a If so, how?

See above.

> I think anyone in their right mind would agree that if a provider sees
> criminal activity, they should take action, no?

In some US states the law requires it.

> If that also holds true, then why doesn't it happen?

It's hard. It costs too much (actually false in my opinion--see trashed hotel rooms). Somebody else should be doing it. Personal (see also corporations as persons) responsibility is now an undefined term.

> Providers in the U.S. are the worst offenders of hosting/accommodating
> criminal activities by Eastern European criminals. Period.

All the crap I get, I get from a (nominally[1]) US provider.

[1] China probably holds the mortgage, which is another problem for discussion another day (and somewhere else).

-- 
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On 6/9/2010 06:14, Owen DeLong wrote:
> On Jun 8, 2010, at 11:14 PM, Paul Ferguson wrote:
>> To cut through the noise and non-relevant discussion, let's see if we
>> can boil this down to a couple of issues:
>>
>> 1. Should ISPs be responsible for abuse from within their customer base?
>
> Yes, but there should be an exemption from liability for ISPs that take
> action to resolve the situation within 24 hours of first awareness (by
> either internal detection or external report).

What happened to the acronyms AUP and TOS?
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On 6/9/2010 07:39, Jorge Amodio wrote:
>> 1. Should ISPs be responsible for abuse from within their customer base?
>
> Not sure; ISPs' role is just to move packets from A to B. You need to
> clearly define what constitutes abuse and how much of it is considered a
> crime. If I call your home every five minutes to harass you over the
> phone, is ATT responsible?
>
>> 1a. If so, how?
>
> Pull the plug without looking at how much you are billing.

I'd say pull the plug while watching the balance sheet.

I have no idea how many providers of netnews service there are left--not many, because they waited for somebody else to solve the problems. I subscribe to one that rigorously polices spam and troll traffic (from their own customers _and_from_the_world). And for less than some of the other services. (They are associated with a German University, I think, so there may be a subsidy issue. I would pay several times as much as I do for the service--maybe an order of magnitude more.)

> What incentive do they have to do so? And how liable do they become if
> they do something without a court order or such?

Is survival an incentive?

>> Providers in the U.S. are the worst offenders of hosting/accommodating
>> criminal activities by Eastern European criminals. Period.
>
> Probably true, here money talks.

But it doesn't listen. It waits for the bailout.
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On 6/9/2010 07:39, Jorge Amodio wrote:
>> 1. Should ISPs be responsible for abuse from within their customer base?
>
> Not sure; ISPs' role is just to move packets from A to B. You need to
> clearly define what constitutes abuse and how much of it is considered a
> crime. If I call your home every five minutes to harass you over the
> phone, is ATT responsible?

How does the question change with a regulator telling them they are?

And does it matter if I refuse all calls from ATT because they don't?
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On 6/9/2010 10:58, Owen DeLong wrote:
>> What happened to the acronyms AUP and TOS?
>
> I'm not sure what you mean by that. I'm talking about an ISP's liability
> to third party victims, not to their customers.
>
>> Acceptable Use Policy and Terms of Service
>
> AUP/TOS are between the ISP and their customer.

Very good. Does that provide an answer to the earlier question about what a provider is to do when a customer misbehaves? Does that provide a method for assigning liability?

I am not a lawyer, but it doesn't seem a stretch to me to include, in this context, traffic from peers and transit providers.
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
Larry Sheldon wrote:
> On 6/9/2010 10:58, Owen DeLong wrote:
>>> What happened to the acronyms AUP and TOS?
>>
>> I'm not sure what you mean by that. I'm talking about an ISP's liability
>> to third party victims, not to their customers.
>>
>>> Acceptable Use Policy and Terms of Service
>>
>> AUP/TOS are between the ISP and their customer.
>
> Very good. Does that provide an answer to the earlier question about what
> a provider is to do when a customer misbehaves? Does that provide a method
> for assigning liability?
>
> I am not a lawyer, but it doesn't seem a stretch to me to include, in this
> context, traffic from peers and transit providers.

Acceptable Use Policy and Terms of Service

Imagine for a moment you're speeding... You get pulled over, get off with a warning. Phew! You speed again, get pulled over again, you get a warning. How long will it be before you just outright ignore the law and speed, simply because you know all you will get is a warning?

AUPs and TOSes mean little if they're not enforced, and I theorize that they're not enforced perhaps because a company's staff is likely to be overwhelmed or underclued as to how to proceed past a generic "Thou shall not spew dirty traffic in my network or else..." Or else what? You're going to flood their inbox with "Thou shall not" messages?

In the case of Mr. Amodio and, I believe, Owen griping about insecure software, I offer you this analogy... You buy a car and as you're driving along a message comes onto the dashboard: "Car update needed, to fix A/C." You ignore it. Don't update it, who cares, you're driving smoothly. Another alert comes onto the car dashboard: "Critical alert, your brakes need this patch..." You ignore it and drive along. 5-10 years later the car manufacturer EOLs the car and support for it. You crash... Who is to blame, the car manufacturer, or you for not applying the updates? Granted the manufacturer could have given you a better product; the fact remains, it is what it is. Don't blame the software vendors, blame oneself.

I've seen even the most savvy users using OSes *other* than Windows get compromised. I performed an incident response about 8 months ago... 42 machines, 41 Linux, 1 Windows... Guess what, all the Linux boxes running Apache were compromised. They were running vulnerable software on them (Wordpress, etc). So to compare apples and oranges (Windows versus another) is pointless.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
> You buy a car and as you're driving along a message comes onto the
> dashboard: "Car update needed, to fix A/C." You ignore it. Don't update
> it, who cares, you're driving smoothly. Another alert comes onto the car
> dashboard: "Critical alert, your brakes need this patch..." You ignore it
> and drive along. 5-10 years later the car manufacturer EOLs the car and
> support for it. You crash... Who is to blame, the car manufacturer, or you
> for not applying the updates? Granted the manufacturer could have given
> you a better product; the fact remains, it is what it is.

Unfortunately in the software industry you get (when you do, not always) the alert and the patch after the fact, i.e. the exploit has already been out there and your machine may probably have already been compromised.

I have never seen any operating system coming with a sign saying "Use at your own risk". Why, when I buy a piece of software, do I have to assume it to be insecure, and why do I have to spend extra money on a recurring basis to make it less insecure, when there is no guarantee whatsoever that after maintenance, upgrades, patches and extra money my system will not get compromised because a moron forgot to include a term inside an if before compiling?

Insecurity and exploitable software is a huge business.

I don't expect software to be 100% safe or correct, but some of the holes and issues are derived from bad quality stuff, and like car manufacturers the software producers should have a recall/replacement program at their own cost.

My .02
Jorge
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
Jorge Amodio wrote:
> Unfortunately in the software industry you get (when you do, not always)
> the alert and the patch after the fact, i.e. the exploit has already been
> out there and your machine may probably have already been compromised.
>
> I have never seen any operating system coming with a sign saying "Use at
> your own risk". Why, when I buy a piece of software, do I have to assume
> it to be insecure, and why do I have to spend extra money on a recurring
> basis to make it less insecure, when there is no guarantee whatsoever that
> after maintenance, upgrades, patches and extra money my system will not
> get compromised because a moron forgot to include a term inside an if
> before compiling?
>
> Insecurity and exploitable software is a huge business.
>
> I don't expect software to be 100% safe or correct, but some of the holes
> and issues are derived from bad quality stuff, and like car manufacturers
> the software producers should have a recall/replacement program at their
> own cost.
>
> My .02
> Jorge

Again, apples and oranges to a degree. Car owners don't receive a "use at your own risk" disclaimer either. Yet some Toyota owners faced horrifying instances of subpar prechecks. GM recalled a million or so cars, and the list will always go on and on. Mistakes happen, period, and when mistakes DON'T happen, Murphy's Law does.

I can't speak for any software vendor, but I can speak about insecurity and exploitability of software. That too is what it is from any standpoint, be it anywhere from Redmond to any other location. Look at Sun's horrible misstep with telnet:

<humor>
Highlights
The Solaris 10 Operating System, the most secure OS on the planet, provides security features previously only found in Sun's military-grade Trusted Solaris OS.
</humor>

Really? http://blogs.securiteam.com/index.php/archives/814 9 Vulnerabilities for Microsoft *ANYTHING* of the first 60 published.

But again, this is irrelevant. I don't care for any operating system anymore. I care for the one that accomplishes what I need to do at any given time. Be it Linux, Windows, BSD, Solaris, heck, get me plan9 with Rio, I could care less. However, myself as an end user, I'm the one responsible for my machine as I am the one running it. If I find it to be insecure or virus/trojan/malware/exploitability prone, there is no one shoving it down my throat. Even if I didn't know any better.

So for those who are unaware of what's going on, how difficult would it be to create a function within an ISP tasked with keeping a network structured to avoid allowing OUTBOUND malicious traffic? We could argue about "But that would be snooping", where I could always point out that a NAC could be set up prior to allowing a client to connect. Can anyone honestly tell me that one of their clients would be upset slash disturbed slash alarmed about an ISP protecting them (the customer) as well as other neighbors (customers)? That's like saying: "Oh, they set up a neighborhood watch association... and they're watching over my house when I'm not home or capable of watching all sides of my house... HOW DARE THEY!" Sorry, I can't picture that happening. What I picture is fear and people dragging their feet. I can tell you what though: for the first company to pick up on that framework, I can guarantee you the turnover rate wouldn't be as high as, say, being on a network where now the business connection is lagged because of spam, botnets and other oddities that could have been prevented.

-- 
J. Oquendo
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On June 9, 2010 at 07:39 jmamo...@gmail.com (Jorge Amodio) wrote:
>> 1. Should ISPs be responsible for abuse from within their customer base?
>
> Not sure; ISPs' role is just to move packets from A to B. You need to
> clearly define what constitutes abuse and how much of it is considered a
> crime. If I call your home every five minutes to harass you over the
> phone, is ATT responsible?

Actually, that might be in their purview. The example I would use is: if someone called you to sell you swamp land in Florida or otherwise try to swindle you, is that the phone company's responsibility, to ensure the honesty of all phone transactions?

-- 
        -Barry Shein

The World              | b...@theworld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
> Again, apples and oranges to a degree. Car owners don't receive a "use at
> your own risk" disclaimer either. Yet some Toyota owners faced horrifying
> instances of subpar prechecks. GM recalled a million or so cars, and the
> list will always go on and on. Mistakes happen, period, and when mistakes
> DON'T happen, Murphy's Law does.
>
> I can't speak for any software vendor, but I can speak about insecurity
> and exploitability of software. That too is what it is from any
> standpoint, be it anywhere from Redmond to any other location. Look at
> Sun's horrible misstep with telnet:

Note, however, that in all of these cases, the car manufacturers were liable and did have to take action to resolve the issues.

WHY are software companies not held to these same standards? There's no need for new law, just for the judiciary to wake up and stop granting them a bizarre and unreasonable exemption from the existing laws.

Owen