nanog mailing list archives
Re: Even you can be hacked
From: Matthew Crocker <matthew () crocker com>
Date: Thu, 10 Jun 2004 19:23:45 -0400
> It would be great if there always was a negligent party, but there is not always one. If Widgets Inc.'s otherwise ultra-secure web server gets 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc. or the ISP?
Widget Inc. is still negligent. It is their server. They could have placed the server behind a firewall. The firewall could have been doing layer 7 inspection and noticed the 0-day event. They could also be running an IDS which would detect such an event and notify a network administrator. The point is there are MANY ways to protect systems and to be notified in an event. As an ISP I would overlook a couple of days' worth of billing if my customer was responsible/reactive to the event. If they refuse to fix the problems they should be held liable. If we notice worm traffic entering our network from our customer we shut them down, then notify them. We protect our network first, then we help with theirs. No matter how you slice it, people need to be responsible for their own actions or inactions. Widget Inc. could have chosen a different OS, Web server, etc. that didn't have that particular 0-day event. Customers have choices; they need to be responsible for the choices they make. I can guide them in good design up to a certain extent for free. I'll design/build for them for a fee. IT is always the first cut in a budget crunch; bean counters overlook IT issues. The problem is the way you run your network affects other networks. You can save $30,000 today and spend $100,000 in repairs for a failure, your choice.
> So how about this analogy: Someone breaks into my house and spends a few hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier? Neither of us was negligent.
Do you ever expect to call Hong Kong? No, call your LD carrier before the fact and block all international calls from your line. You can also put an access code on your outbound calls or block everything and use a calling card. You chose to make it easy for yourself, you get hacked, you should pay.
> [0] Unless someone can prove the software flaw was sloppy enough that it constitutes negligence and goes after the software authors. Good luck with that.
Software flaw or not, design your network so you have safeguards in place. Have other machines watching for irregular traffic; set off pagers when your traffic goes 300% above normal. Pay for a network engineer to watch it and make it better. React to problems, don't turn a blind eye and hope it all goes away. Come on, WhatsUp Gold is cheap enough; SNMP monitor your switch traffic and set off pagers using thresholds, it really isn't that hard.
I'm rambling; the root of the problem is not IT or MS or the Internet. It is society and everyone doing the bare minimum. Going with the least common denominator is not a way to live your life, run your business or your network. I'll take the high road, thank you very much. I have little patience for people who do not expend the effort, complaining and looking for handouts from those that do.
> -- Crist J. Clark crist.clark () globalstar com Globalstar Communications (408) 933-4387
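The threshold-based paging Crocker describes (watch interface counters, page when traffic runs 300% above normal), as an added example that is not from the thread or from any monitoring product it names. It assumes 60-second polls of a 32-bit ifInOctets counter (which wraps at 2^32), a baseline that is the mean of the previous five intervals, and "300% above normal" meaning more than four times that baseline; the poll log is constructed.

```python
"""Threshold alerting on SNMP interface counters (constructed example)."""
from typing import List, Tuple

COUNTER32_MAX = 2 ** 32  # ifInOctets is a Counter32: it wraps back to 0 at 2^32

Sample = Tuple[int, int]  # (unix timestamp, counter value)


def octet_rate(prev: Sample, cur: Sample) -> float:
    """Bytes/second between two polls, correcting for a single counter wrap."""
    (t0, c0), (t1, c1) = prev, cur
    if t1 <= t0:
        raise ValueError("samples must be strictly increasing in time")
    delta = c1 - c0
    if delta < 0:  # the counter wrapped since the last poll; undo the wrap
        delta += COUNTER32_MAX
    return delta / (t1 - t0)


def check_samples(samples: List[Sample], baseline_window: int = 5,
                  threshold_pct: int = 300) -> List[Tuple[int, float, float]]:
    """Return (timestamp, rate, baseline) for every poll whose rate exceeds the
    baseline by more than threshold_pct. The baseline is the mean of the previous
    baseline_window normal intervals; nothing pages until that window is full, so
    a freshly started poller does not alarm on its first few samples."""
    alerts, rates = [], []
    for prev, cur in zip(samples, samples[1:]):
        rate = octet_rate(prev, cur)
        if len(rates) >= baseline_window:
            baseline = sum(rates[-baseline_window:]) / baseline_window
            if baseline > 0 and rate > baseline * (1 + threshold_pct / 100):
                alerts.append((cur[0], rate, baseline))
                continue  # keep the flood out of the baseline so it keeps alerting
        rates.append(rate)
    return alerts


def constructed_samples() -> List[Sample]:
    """Constructed poll log: 60 s polls at ~1 MB/s, a counter wrap on the second
    interval, then two intervals at 5 MB/s before traffic returns to normal."""
    deltas = [60_000_000] * 6 + [300_000_000] * 2 + [60_000_000]
    t, c = 0, 4_200_000_000  # start just below 2^32 so the wrap is exercised
    samples = [(t, c)]
    for d in deltas:
        t += 60
        c = (c + d) % COUNTER32_MAX
        samples.append((t, c))
    return samples


if __name__ == "__main__":
    for ts, rate, base in check_samples(constructed_samples()):
        print(f"t={ts}s PAGE: {rate:.0f} B/s vs baseline {base:.0f} B/s")
```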