Security Incidents mailing list archives

Re: Nimda responsibility - Laying appropriately - implied warranty of sale


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Fri, 28 Sep 2001 10:30:18 -0700 (PDT)


On Fri, 28 Sep 2001, Chip Mefford wrote:

> I see one problem as how to recompense those who have been
> harmed.
>
> How about this,
>
> Welcome to the Internet;
> No warranties expressed or implied,
> use at YOUR OWN RISK.

        This argument is myopic at best, fundamentally illogical at worst. 
The people who are running insecure systems are doing little but fouling
the nest for the rest of us.  I have absolutely no complaint about
defending my systems...but when the insecurity of other systems renders
the networks unusable, that's when I draw the line.

        Let me put this in real-life terms: my upstream was infested (not
just infected...INFESTED) with Code Red since the very start.  After
getting close to one thousand scans from Code Red systems on the same
Class B as my own, I made it a point to alert the upstream about the
problem on a realtime basis (hence, Early Bird).

        Positive results gradually came to pass, but not in sufficient
quantity by the time Nimda hit on September 18th.  At that point, my
upstream was overwhelmed by the traffic generated by the worm (courtesy of
the uncaring and/or incompetent IIS admins).  ARP storms turned into
blizzards; routers began crashing faster than they could be brought up. 

        And the "solution" of the upstream?  All traffic on port 80 --
both inbound and outbound -- was BLOCKED. 

        So, thanks to a bunch of uncaring (if not incompetent) admins who
couldn't manage their own systems, *my* systems were knocked off the 'net
for close to 24 hours.  Mind you, NONE of my systems were vulnerable; NONE
were infected; NONE were spreading the worm.  Even so, both myself and my
users (not to mention the security teams for which I work) had to suffer
the blackout that was wholly the end product of the [in]actions of the
incompetents.

        Anyone who argues that the innocent should pay the price for the
conduct of the guilty should get their head examined.  Normally, I would
gladly volunteer to perform this task, but my chainsaw is presently out
for maintenance. 

-Jay

  (    (                                                         _______
  ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) |    = |-'
 `--' `--'  `--------------- rm -rf /bin/laden ---------------'  `------'



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
