On Fri, 8 Dec 2006, Jim Popovitch wrote:

> On Fri, 2006-12-08 at 19:56 +0200, Petri Helenius wrote:
>
> > Has anyone figured out a remote but lawful way to repair zombie machines?
>
> Very interesting question. I personally believe that OS EULAs and ISP ToS guidelines provide for an ISP or an OS mfg (i.e. Microsoft) to force updates and fixes via any means. That is: if I am your customer and my PC/router/USB-Camera/whatever is throwing crap your way, crap that violates your ToS or indicates that I am out of compliance with an EULA, then I believe others have the right (and IMHO the obligation) to step in and correct things (it's what parents do for their kids every day). So, according to me, any corrective action is lawful when dealing with customers and equipment that have violated an EULA or ToS guidelines.
Sending updates in an automated way or forcing updates is only ok if the person previously authorized such action, i.e. enabled automated updates. This is in fact dangerous in itself, since it also presents a single point of potential failure if the system providing updates is itself compromised; that is why many choose not to do it and enterprises set up their own update distribution systems.

As for your question, in my opinion it would be legal for you to check if somebody did or did not do an update, but only using tools that check publicly available data reported from the system (i.e. what you can gather by sending it packets to open ports). As an ISP it would be legal for you to warn a customer that if they fail to install an update you reserve the right to disconnect their system or limit access to certain ports or only to certain sites (i.e. your own, for them to check email but nothing else). And obviously once an issue is reported to you (i.e. their machine is spewing and compromised), that is exactly what you should do.
> Just my $.02. ;-)

Due to inflation with US currency I'll make it a nickel $.05 :)

-- 
William Leibzon
Elan Networks
william@elan.net
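The kind of check the reply above allows, inspecting only what a host announces on an open port and nothing more, as an added example that is not code from the thread or from any of its participants. It grabs a protocol banner (servers such as SSH, SMTP and FTP speak first, so nothing beyond the TCP connect is sent), parses an OpenSSH version out of it, and compares against a policy threshold. The threshold `(4, 4)`, the banner strings and the localhost stand-in server are all constructed for offline use; they are not a statement that any particular OpenSSH release is or was vulnerable. A host whose banner is not recognised yields `None`, because public data alone cannot answer the question for it.

```python
"""Remote patch-level check using only publicly announced data (a service
banner). Added example: the threshold, banners and local server below are
assumptions constructed for demonstration, not observations from the thread."""
import re
import socket
import threading

# Matches e.g. "SSH-2.0-OpenSSH_4.3" and captures the OpenSSH version digits.
SSH_BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)")

# Constructed sample banners standing in for three different customer hosts.
CONSTRUCTED_BANNERS = {
    "stale": b"SSH-2.0-OpenSSH_4.3\r\n",
    "current": b"SSH-2.0-OpenSSH_4.5\r\n",
    "unknown": b"220 mail.example.net ESMTP ready\r\n",  # not SSH: undecidable
}

# Assumed policy threshold: anything older than this is flagged for a warning.
MINIMUM_OPENSSH = (4, 4)


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and read whatever the service volunteers first.

    Nothing is sent: this is the "packets to open ports" the post describes,
    limited to data the host reports to anyone who connects."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(512)
    return data.decode("ascii", errors="replace").strip()


def parse_openssh_version(banner: str):
    """Return the OpenSSH version as a tuple of ints, or None if the banner
    is not an OpenSSH banner (other software, or nothing announced)."""
    match = SSH_BANNER_RE.match(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group("ver").split("."))


def needs_update(banner: str, minimum=MINIMUM_OPENSSH):
    """True if the announced version is below the policy minimum, False if
    not, None when the public data does not identify the software."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    # Tuple comparison is element-wise, so (4, 3) < (4, 4) and (4, 10) > (4, 4).
    return version < minimum


def serve_banner_once(banner: bytes) -> int:
    """Constructed stand-in for a customer's host: listens on 127.0.0.1,
    sends `banner` to the first client, then closes. Returns the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def run():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(banner)
        listener.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def check_host(host: str, port: int, minimum=MINIMUM_OPENSSH):
    """Grab the banner and decide; returns (banner, verdict)."""
    banner = grab_banner(host, port)
    return banner, needs_update(banner, minimum)


if __name__ == "__main__":
    for label, raw in CONSTRUCTED_BANNERS.items():
        port = serve_banner_once(raw)
        banner, verdict = check_host("127.0.0.1", port)
        print(f"{label:8s} {banner!r:40s} needs_update={verdict}")
```

The three-valued result matters in practice: a `None` host has not been shown to be out of date, so it gets no warning, whereas a `True` host is the one the ISP notice (install the update or lose access to all but the ISP's own sites) would go to. Anything more intrusive than reading the banner, such as probing for the flaw itself, is exactly what the reply says to avoid.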