Re: What would you tell the White House?

[Steve Sobol <sjsobol () NorthShoreTechnologies net>]

Valdis.Kletnieks () vt edu wrote:

> On Tue, 15 Feb 2000 16:03:49 EST, Steve Sobol said:
> > <IANAL>
> > The blocking issue is BS. Make the customers... all customers, dialup AND
> > dedicated... sign something that says that they will agree to the AUP and
> > Terms of
> > Service, and specify that traffic will be filtered for security reasons.
> > </IANAL>
>
> The problem here is that although IANAL either, and YANAL, you WILL
> need one to craft an AUP and rules that will work, in spite of
> users.

Yup.

> First thing to remember:  The traffic we *want* to stop is the payload
> traffic of the DDOS system, which in general is NOT filterable.
> Fortunately, at the current time the *control* traffic is identifiable
> and filterable in most cases.
>
> Second thing to remember: The traffic is being generated by machines
> that are subverted - and the cracker didn't sign your AUP.  You can't
> code "I will not allow my machine to be subverted" in the AUP, because
> it's unenforcable.

Someone replied just earlier today, and I don't think the reply has made it
to all of the list recipients yet... they said that it is still a good idea to
include
language to protect yourself from people attempting to use your network to
initiate DOS, whether singly or as part of a DDOS attack. I think that that's
really a no-brainer. I don't own my own dialups, but I own a server that I use
to offer Unix shell services, so this is a big issue for me (and I do offer
dialup
access, and I need to be sure that my AUP/TOS is strong enough that if
someone violates the dialup provider's AUP/TOS they're also violating mine,
and I can nuke their account).

> Third thing to remember:  Users can be incredibly stupid.

I'm fully aware of that fact, having done tech support for the
past five years.

> those that it's an issue.  If we advertise a system/network change,
> and then cancel at the last minute, we will still get calls about
> the change breaking things.  Warn your help desk, as they WILL get
> calls about how the (high-visibility) "filtering broke my Netscape". ;)

Right. Well, in general, I operate on the premise that the customer
is always right; however, there are only so many warnings I can give
them before I actually have to make the change. If people refuse
to listen to me, what am I supposed to do? The best thing to do
is to archive the mail you send to the customer mailing list announcing
the changes, and if someone complains, point them to the archive
and say "there, this is when I first told you it was going to happen,
please pay attention next time."

> Fourth thing to remember: Even if the user signs a form saying that
> traffic will be filtered for security reasons, they *will* either sue

Let me put forth a suggestion.

When crafting my Acceptable Use Policy some time ago,
I turned to the people I know on the anti-spam mailing lists and
on news.admin.net-abuse.email because I wanted to do as much
as I possibly could to make it very painful for spammers to use
me to send spam.

I want to do the same thing here. Let's come up with a standard
AUP that is worded strongly enough that we'll be able to protect
ourselves.

I think that a discussion of AUPs is only quasi-operational, at
best, and therefore, if we decide that it's not really ontopic for
NANOG I'll set up a mailing list on my server.

Thoughts? Would anyone actually participate in a discussion
like this?

--
North Shore Technologies, Cleveland, OH  http://NorthShoreTechnologies.net
Steve Sobol, President, Chief Website Architect and Janitor
sjsobol () NorthShoreTechnologies net - 888.480.4NET - 216.619.2NET