nanog mailing list archives

RE: Even you can be hacked


From: "David Schwartz" <davids () webmaster com>
Date: Fri, 11 Jun 2004 14:52:04 -0700



    Of course, except in this case, the phone company can't easily tell the
legitimate calls from the illegitimate ones and block only the
illegitimate ones. Every analogy will break down, so don't expect to be
able to convince people with analogies that seem so obviously right to
you. Nothing is exactly accurate except the actual situation itself.

And how, exactly, did you expect the ISP to tell which packets you were
sending were legitimate and which were from the malware running on your
computer?  Please enlighten me as to how I tell a customer's legitimate
outbound email from his system apart from the email from the same system
which is being sent not by him, but, by the malware that has infected his
system?

        In this case, the ISP informed the customer that there was illegitimate
traffic. If it's your position that the ISP can't tell the difference, then
the notification that we know happened would have been impossible.
Presumably they even identified the particular customer responsible for the
traffic, given that they notified him about it!

        Since it's obvious in this case that the customer would have preferred
being disconnected to having to pay for the traffic, and the ISP could
certainly have disconnected him, the question becomes, why didn't they?
Especially since they knew the attack traffic was creating other innocent
victims.

        My guess is that they *were* filtering it (probably by port) and never
delivered the attack traffic to its destination anyway. They probably still
billed the customer because they bill for traffic over the customer's line,
regardless of whether it hits their emergency or bogon filters.

    And, again, almost every contract has some insurance elements to it.
There will be unusual cases where it's actually possible for the utility
to lose money if something unusual happens. My main point is that the
understanding that seems so obviously right to you may not seem so
obviously right to your customers.

No sane ISP will insure a usage-based customer against traffic sent by
that customer's infected machines AFTER he has informed the customer
of the problem.

        No sane ISP will allow attack traffic to continue to hit the Internet after
they know it's coming from one of their customers regardless of what the
customer does or does not do. So why should the customer pay for "Internet
traffic" that their ISP likely did not (and certainly should not have)
actually sent or delivered?

    As for all the people who talk about turning off their DSL access when
they're away from home, they're missing the point. Obviously a person
could do that. We could shut off our electricity when we leave home. We
could have our telephone service temporarily disabled when we go on
vacation too. A person could do all of these things. My point is that
it's also perfectly reasonable for a person not to do these things.
Because in general an ISP has more ability to control these things and it
makes very little sense for a home user to insure an ISP, it makes more
sense for the ISP to insure the user.

I still don't understand why you insist that my ISP has (or should have)
more control over what traffic my systems deliver to my internet connection
than I do.  This simply isn't the case, and I would be very unhappy if
it were to become the case.

        For the classes of service I'm talking about, like home DSL, they do. They
choose which ports to block and they have a responsibility to monitor their
customers for machines that are causing problems for others. In this case,
they actually did that and detected the problem -- good for them. But they
then decided that instead of remedying the problem, they'd bill their
customer for it. Maybe they blocked the attack traffic, maybe not. If so,
why charge for traffic you won't deliver? If not, then that's serious
negligence, no?

    In any unfortunate situation, you can find a hundred things that anyone
could have done differently that would have avoided the situation. But
that is not how you establish responsibility, financial or moral. You
look at people who failed to use reasonable prudence.

And you don't think that a person who is informed that their system is
infected and chooses not to fix it has failed the reasonable prudence
test?

        You think an ISP that knows that their customer is sending attack traffic
but neither blocks the traffic nor shuts off the customer has failed the
reasonable prudence test? And who should be more subject to a reasonable
prudence test for Internet practices, a home DSL customer who may not know
very much about computers, or an ISP that specializes in Internet access
and has monitoring equipment and a trained staff 24/7?

        Your customers expect you to deal with this stuff. You may or may not find
their expectations reasonable, but dammit, you had better know what they
are!

    And, of course, the ISP always (or very nearly always) insures the user
against the costs of inbound attack traffic that exceeds his line rate.
The more demands you make of your customers, the more you decrease the
value of your very own product.

Right, but, that's not what happened in this case.

        No, this is much worse. This is a case where an ISP allowed an attack to
continue, probably creating more innocent victims.

    The arguments that seem so obviously right to you may be greeted by
amusement and the analogies you think work will be found unconvincing.
This is because this argument is largely about other people's
expectations.

Yep... and generally, no matter what, if you find a large enough group of
people you will find a certain percentage that will give up their lives
before they give up their unrealistic expectations.

        I don't think they're so unrealistic. It takes a level of expertise to keep
a system safe and secure on the Internet, and the costs of obtaining that
level are so high that you would lose half your customers if you insisted on
imposing those costs on them. This is why home DSL is so heavily filtered.

However, that doesn't change the fact that a user who has an infected system
sending traffic on his usage-based line may have a reasonable expectation not
to pay for it before his ISP informs him of the problem.  However, any
expectation not to pay for it _AFTER_ the ISP has informed him of the problem
is unrealistic, unreasonable, and, completely fails "reasonable prudence".

        Why? Because the ISP has no responsibility to stop attack traffic from its
own customers after it has detected it?! (By adding filters, shutting off
customers, repeatedly pestering them, or *whatever* it takes.) If you really
believe that, you'll set inter-ISP cooperation back many years.

        DS
