Security Incidents mailing list archives

RE: Nimda et al. versus ISP responsibility


From: Tony Langdon <tlangdon () atctraining com au>
Date: Fri, 28 Sep 2001 09:31:45 +1000

While I might support this on first blush, there is the possibility of
unintended consequence to be considered.

It might be a case of needing to provide a service that suits different
users.  There are at least 3 broad classes of users on the Internet, which
are (roughly):

1.  The basic Internet user - limited technical expertise, only interested
in being an end user.  Most would fall into this category.
2.  The hobbyist/students - Varying levels of expertise.  Many are able to
manage their own security, with a bit of instruction, and most would be able
to install patches, if directed to them and provided with instructions.
3.  IT professionals (when not at work - to distinguish from actual
corporate networks :) ) - Most should (one might argue, in the light of
recent events) be able to keep their systems relatively safe and also
respond to any alerts, or even proactively take countermeasures.

The skill set of the groups will overlap somewhat.

Anyway, my point is that the needs of the first group are somewhat different
to those of the others.  The first group, in addition to a basic service,
also need additional protection from Internet threats, such as port
blocking.  This group is unlikely to want to host their own servers, so
blocking connections to the relevant ports on their machine is likely to
have little, if any, negative impact.

With the latter two groups, unnecessary port blocking and restrictive AUPs
are likely to be an impediment to what these people want to do.  Usually the
hobbyist comes off worst with restrictive AUPs, as they want to run the odd
web server on their machine.  SMTP is popular as well here.  These people
will be dissatisfied with a "client only" Internet service.

Maybe the answer for the ISP is to assume every (home) customer is in the
first (non technical) group, unless they can demonstrate otherwise.  Such
demonstration might involve a workshop or submission of appropriate
evidence.  The ISP need not be directly involved in running these workshops.
All that matters to them is the evidence of some level of basic competency
in managing a PC's security (i.e. awareness that viruses and worms exist,
installing patches and antivirus software, understanding advisories so they
don't panic if the ISP informs them of a problem, etc).

Sounds a little over the top, but with the increasing risks on the Internet,
something will have to be done.  An analogy:  Cars can be dangerous in the
wrong hands.  As a result, almost all countries require drivers to submit
evidence of a basic level of competency (i.e. by undergoing a driving test
and possibly a written test on road laws), before issuing their licence.
That licence is the evidence of their (basic) competency that is accepted by
law enforcement authorities.  Those who don't have a licence to drive are
still free to be a passenger or take public transport, if it's available.

It's a similar situation with my hobby of ham radio.  I'm licenced by my
government to build and operate transmitters, and conduct experiments on the
ham bands.  Those without these qualifications are not allowed to build or
modify radio equipment, but instead must use type approved radios and are
restricted to very specific services (e.g. CB radio, mobile phones, wireless
gadgets, wireless networking) on specific frequency bands over which the end
user has little (selection of a few channels) or no control (fixed frequency
or auto frequency control, as in the case of mobile phones).

Perhaps the same will happen with the Internet - that only a basic form of
Internet connection will be provided, unless the user can demonstrate a
basic level of security proficiency.

Who's responsible in this scenario?

Obviously, the ISP would assume a higher level of responsibility (but it
can't be 100%, due to the nature of security issues), except where the user
is accredited as detailed above, in which case, the responsibility is on the
user to manage their security issues.

Just my $0.02 worth, hope it makes sense.

P.S.  Dunno if I like the idea or not, but I see it happening down the
track.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
