RE: Nimda et.al. versus ISP responsibility

["Jason Robertson" <jason () ifuture com>]

Actually in Canada, this might come to pass, I know there is a couple of Law Enforcement 
Agencies currently working at having the Law changed here, that will require an ISP to provide at 
least a certain amount of protection to their customers.  And could cost them dearly, in fines if 
these minimal standards are not met.  

But again think of the cost savings, the ISPs would reap with just a limited amount of protection.  If 
ISPs were to firewall their own customers, and to even scan email (though if we could get some 
AV company with a library for Unix, to publically release an API, or even build mime decoding 
directly into their software I would be happy), just think of the reduction of wasted bandwidth due 
to infections, the reason for our Mail Server change over was a worm from about a year ago (don't 
recall which one, off the top of my head), but for the 2 hours that we did have it, it raised our 
bandwidth to about double, our average, from just 2 machines being infected.  Now back then we 
were on a Burstable that was in 64k increments, if this was to continue for say a long period of 
time, this could have costed us dearly, but because of quick reaction time, we limited the costs.  
But now look at this Code Red is still out there, and it's still infecting machines, and still spreading 
albeit very slowly now.

Again like anything the end user doesn't see the costs incurred by the backbone, if this was 
passed on, do you think people would do half of what they do these days,  how many computers 
would actually sit online 24/7, since this would even cost money, and who would run warez 
servers, of their own machines when it costs them money.  I had a customer in my ISP Admin 
days, that was running a warez server, and was doing on the average month, about 15G of data 
transfers, and continued to lie about it, when confronted.  So the last day I confronted him, he said 
he would run what ever he wanted, and that he'd sue us if we cancelled his account, etc.  This 
user then went on to say he was going to move to Cable (at that time Rogers Wave, which was 
replaced by Rogers @home), where I did tell him, that the current contract with Rogers, limited his 
data transfers at 5G/month, and $50/5G after that.  He left us for a month, and about a month 
later he tried to get a new account with us, which we didn't accept, because we don't need to 
waste our time with someone that wants to pay $1/G of Transfer for something illegal.

Jason


On 27 Sep 2001 at 16:40, UMusBKidN () aol com wrote:

Date sent:              Thu, 27 Sep 2001 16:40:52 EDT
From:                   UMusBKidN () aol com
Subject:                RE: Nimda et.al. versus ISP responsibility
To:                     <incidents () securityfocus com>
Mailer:                 Unknown (No Version)

> Please be sure you place blame properly.
>
> No ISP is responsible for the actions of a person that releases a malicious worm
> on the Internet. No ISP is responsible for the malicious actions of such worms
> on their software. The victim of a crime is not the perpetrator of a crime!
>
> I hate to say it, but not even Microsoft is responsible for creating worms like
> Nimda. Yes, Microsoft is responsible for releasing IIS software, but providing
> they had no prior knowledge of some bug, you can't blame them for the crime,
> when some hacker discovers Yet Another Hole In A Microsoft Product. Their
> corporate pants get yanked to their ankles on a regular basis by hackers the
> world over, but you still can't blame them for committing the crime! Blame them
> for poor quality control perhaps, or say they get shot at the most because
> they're on top... but they aren't the criminals here.
>
> Good luck trying to get ISPs to be responsible for content filtering. That's an
> impossible task.
>
> Let us not forget who the criminal is and who the victims are in cases such as
> Nimda. Certainly, those who provide connectivity or hosting for others have the
> responsibility to stay on top of the latest software fixes, but you can't
> completely plug that hole either. I know people who got infected by both CRII
> and Nimda, who didn't even know they had IIS installed and running on their
> boxes. They didn't know their machines were toast until they could smell it
> burning.
>
> We can no sooner get rid of malicious worms by placing responsibility for
> "handling" them on an ISP, than we can by creating laws that make malicious
> software illegal. Until such time that we can successfully track the actual
> perpetrators of the crime, or software authors miraculously invent perfect
> bug-free programs, not much is going to change. Just make sure you place the
> blame where it belongs.
>
> -UMus B. KidN
>
> "Adcock, Matt" wrote:
> > <quote>
> >   I think we all agree that connecting an unpatched IIS machine to the
> > open Internet is acting irresponsibly. Most AUP's already prohibit
> > spamming, port scanning etc. (at least on paper). Why not include
> > "infection through negligence" as a reason for suspension? Maybe with a
> > reasonable grace period the first time.
> > </quote>
> >
> > I agree that the end administrator is ultimately responsible.  The ISPs
> > could also help by filtering this traffic.  It would take an infrastructure
> > upgrade that would end up costing the consumer, but I personally would be
> > willing to pay a little more.  Maybe give users a choice between being on a
> > filtered network or an open network?
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For more
> information on this free incident handling, management and tracking system
> please see: http://aris.securityfocus.com


---
Jason Robertson                
Network Analyst            
jason () ifutureinc com    
http://www.astroadvice.com      


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com