Security Incidents mailing list archives

RE: Nimda et.al. versus ISP responsibility


From: Dave Salovesh <salovesh () ramassociates com>
Date: Thu, 27 Sep 2001 16:06:41 -0400

  I think we all agree that connecting an unpatched IIS machine to the
open Internet is acting irresponsibly. Most AUP's already prohibit
spamming, port scanning etc. (at least on paper). Why not include
"infection through negligence" as a reason for suspension? 
Maybe with a reasonable grace period the first time. 

That might give one recourse for the CodeReds and the Nimdas, but a future
event might exploit unpatched problems.  What to do in that case?

In the standard agreement I offer my customers (hosting and colo, not
connectivity), after all the normal stuff about "do this, don't do that" and
how I'll escalate and inform them about problems, there's a clause that says
in essence "I reserve the right to stop you from messing things up."  It
doesn't really specify what all possible forms of "messing things up" are,
or how I may stop them.  It's my catch-all to give me enough latitude to fix
things that need to be fixed without running afoul of the agreements (N.B. -
it ONLY comes into play if all normal means fail).  I've relied on it for
stopping worm activity, misconfigured software, and even a slashdot DoS or
two.  Nobody has ever objected to the principle.  Whatever it takes...

  Problem is that one ISP can't go it alone. If they pull the 
plug, they may lose the customer to a less responsible competitor.

There will always be a less responsible operator out there somewhere.  I
don't try to compete on that level.

If someone doesn't like how I've operated this place, I encourage them to go
elsewhere and be happy about it - but I've never lost a customer because of
how I've handled exceptional situations (worst case was I had to pro-rate
their fees minus a couple of days, and I offered that before they had to ask
for it).  These ARE exceptions, after all, and this is such a dynamic
service anyway.  If some terms and conditions aren't explicitly in the
agreement, I get more latitude for them when I need it.  In return, I try my
best to solve problems in the least disruptive ways possible.  

  Unlike spammers, most worm victims are "offending" out of ignorance.
Such a provision in the AUP would likely get their attention and maybe
cause a mind shift towards "Unpatched Is Bad (tm)".

Unpatched may be bad, but if that's your message then that's what you should
say, and don't rely on people having the same ability to see the same
evidence you see and always come to the same conclusion you do.  The
connection between keeping patches and configs safe & up to date and the
effects of negligence can be a little abstract for some people.  If they
don't get it on their own, they probably won't get it out of an AUP/TOS.

Do we really need more laws and lawyers on the case?

-- 
Dave Salovesh
RAM Associates, Inc.
(800) 543-3635

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
