Security Incidents mailing list archives

RE: Nimda et.al. versus ISP responsibility


From: "Mogull,Rich" <rich.mogull () gartner com>
Date: Thu, 27 Sep 2001 14:05:39 -0700

Yes, the blame lies with the perpetrators. That said, those responsible for
the public infrastructure have a responsibility to maintain the functioning
of that infrastructure for their customers (directly, there's also the
"public good"). Infected computers staging attacks on other systems or
abusing network resources should be notified and shut off by the ISP. ISPs
should also improve ingress and egress filtering to limit spoofing. ISPs do
their customers a disservice by ignoring abuse on their networks, even if
some clients suffer some down time. It's also probably in the interests of
the ISPs to provide their clients the tools to limit abuse over the network;
I suspect there's a measurable ROI hiding in there someplace.

Rich Mogull
rich.mogull () gartner com

<opinions expressed to this list are personal, and do not necessarily
reflect those of Gartner>

-----Original Message-----
From: UMusBKidN () aol com [mailto:UMusBKidN () aol com]
Sent: Thursday, September 27, 2001 2:41 PM
To: incidents () securityfocus com
Subject: RE: Nimda et.al. versus ISP responsibility


Please be sure you place blame properly.

No ISP is responsible for the actions of a person that releases a malicious
worm on the Internet. No ISP is responsible for the malicious actions of
such worms on their software. The victim of a crime is not the perpetrator
of a crime!

I hate to say it, but not even Microsoft is responsible for creating worms
like Nimda. Yes, Microsoft is responsible for releasing IIS software, but
providing they had no prior knowledge of some bug, you can't blame them for
the crime, when some hacker discovers Yet Another Hole In A Microsoft
Product. Their corporate pants get yanked to their ankles on a regular basis
by hackers the world over, but you still can't blame them for committing the
crime! Blame them for poor quality control perhaps, or say they get shot at
the most because they're on top... but they aren't the criminals here.

Good luck trying to get ISPs to be responsible for content filtering. That's
an impossible task.

Let us not forget who the criminal is and who the victims are in cases such
as Nimda. Certainly, those who provide connectivity or hosting for others
have the responsibility to stay on top of the latest software fixes, but you
can't completely plug that hole either. I know people who got infected by
both CRII and Nimda, who didn't even know they had IIS installed and running
on their boxes. They didn't know their machines were toast until they could
smell it burning.

We can no sooner get rid of malicious worms by placing responsibility for
"handling" them on an ISP, than we can by creating laws that make malicious
software illegal. Until such time that we can successfully track the actual
perpetrators of the crime, or software authors miraculously invent perfect
bug-free programs, not much is going to change. Just make sure you place the
blame where it belongs.

-UMus B. KidN

"Adcock, Matt" wrote:

<quote>
  I think we all agree that connecting an unpatched IIS machine to the
open Internet is acting irresponsibly. Most AUPs already prohibit
spamming, port scanning etc. (at least on paper). Why not include
"infection through negligence" as a reason for suspension? Maybe with a
reasonable grace period the first time.
</quote>

I agree that the end administrator is ultimately responsible. The ISPs
could also help by filtering this traffic. It would take an infrastructure
upgrade that would end up costing the consumer, but I personally would be
willing to pay a little more. Maybe give users a choice between being on a
filtered network or an open network?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
