nanog mailing list archives

Re: Even you can be hacked


From: "Stephen Sprunk" <stephen () sprunk org>
Date: Thu, 10 Jun 2004 19:33:11 -0500


Thus spake "Crist Clark" <crist.clark () globalstar com>
> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
> or the ISP?

Until a patch was available or filter was installed, most ISPs would eat it
as a gesture of good will (but they have no obligation to do so).  A
customer who fails to implement the _available_ security measures is
negligent, particularly after they've been informed there's a problem and
they make a conscious choice not to do anything about it.

In the case of Mr. Liber, I totally side with the ISP for about the first 30
days.  After that, they should have disabled or capped Mr. Liber's account
(totally kosher, as he hadn't paid his outstanding bill) to prevent him from
running up further charges that any rational person would know he's unlikely
to pay for.  Shame on both parties.

> So how about this analogy: Someone breaks into my house and spends a few
> hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier?
> Neither of us was negligent.

A few years ago my cell phone was stolen, and before I was able to report it
to the carrier several hours of calls were made to a foreign country.  The
carrier ate all the calls between when the phone was stolen and when their
customer service center opened; I ate the calls that occurred after that.
Seems totally reasonable, even if it did cost me ~$50.

Once you have discovered or been notified there is a problem, _you_ are
responsible for fixing it or you implicitly agree to pay the price of not
fixing it.  As the song goes, "If you choose not to decide/You still have
made a choice".  If one is not yet aware of the problem (and there's no
reasonable expectation one should have been), I think there's room for
debate, but that's not relevant to the discussion of Mr. Liber.

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723           people.  Smart people surround themselves with
K5SSS         smart people who disagree with them."  --Aaron Sorkin

