Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
On 6/9/2010 10:58, Owen DeLong wrote:
What happened to the acronyms "AUP" and "TOS"?
I'm not sure what you mean by that. I'm talking about an ISPs liability to third party victims, not to their customers.
"Acceptable Use Policy" and "Terms of Service"
AUP/TOS are between the ISP and their customer.
Very good. Does that provide an answer to the earlier question about "what is a provider to do?" when a customer misbehaves? Does that provide a method for assigning liability?

I am not a lawyer, but it doesn't seem a stretch to me to include, in this context, traffic from peers and transit providers.

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.
Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Larry Sheldon wrote:
On 6/9/2010 10:58, Owen DeLong wrote:
What happened to the acronyms "AUP" and "TOS"?
I'm not sure what you mean by that. I'm talking about an ISPs liability to third party victims, not to their customers.
"Acceptable Use Policy" and "Terms of Service"
AUP/TOS are between the ISP and their customer.
Very good. Does that provide an answer to the earlier question about "what is a provider to do?" when a customer misbehaves? Does that provide a method for assigning liability?
I am not a lawyer, but it doesn't seem a stretch to me to include, in this context, traffic from peers and transit providers.
"Acceptable Use Policy" and "Terms of Service"

Imagine for a moment you're speeding... You get pulled over, get off with a warning. Phew! You speed again, get pulled over again, you get a warning. How long will it be before you just outright ignore the law and speed simply because you know all you will get is a warning?

AUPs and TOSes mean little if they're not enforced, and I theorize that they're not enforced perhaps because a company's staff is likely to be overwhelmed or underclued as to how to proceed past a generic: "Thou shall not spew dirty traffic in my network or else..." Or else what? You're going to flood their inbox with "Thou shall not" messages?

In the case of Mr. Amodio and I believe Owen griping about insecure software, I offer you this analogy... You buy a car and as you're driving along a message comes into the dashboard: "Car Update needed, to fix A/C". You ignore it. Don't update it, who cares, you're driving smoothly. Another alert comes into the car dashboard: "Critical alert, your brakes need this patch"... You ignore it and drive along. 5-10 years later the car manufacturer EOLs the car and support for it. You crash... Who is to blame, the car manufacturer or you for not applying the updates? Granted the manufacturer could have given you a better product; the fact remains, it is what it is.

Don't blame the software vendors, blame oneself. I've seen even the most savvy users using OSes *other* than Windows get compromised. I performed an incident response about 8 months ago... 42 machines, 41 Linux, 1 Windows... Guess what, all the Linux boxes running Apache were compromised. They were running vulnerable software on them (Wordpress, etc). So to compare Apples and Oranges (Windows versus another) is pointless.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
On 6/9/2010 11:50, J. Oquendo wrote: [Lots of good stuff snipped.]
Don't blame the software vendors blame oneself. I've seen even the most savvy users using OS' *other* than Windows get compromised. I performed an incident response about 8 months ago... 42 machines 41 Linux, 1 Windows... Guess what, all the Linux boxes running Apache were compromised. They were running vulnerable software on them (Wordpress, etc). So to compare Apples and Oranges (Windows versus another) is pointless.
Exactly so (applies also to the snipped material). Responsibility. Individual, personal and corporate responsibility. Using only the fingers of a clenched fist to indicate the location of the best agent for correcting a problem.
You buy a car and as you're driving along a message comes into the dashboard: "Car Update needed, to fix A/C" you ignore it. Don't update it who cares, you're driving smoothly. Another alert comes into the car dashboard: "Critical alert, your breaks need this patch"... You ignore it and drive along. 5-10 years later the car manufacturer EOL's the car and support for it. You crash... Who is to blame, the car manufacturer or you for not applying the updates. Granted the manufacturer could have given you a better product, the fact remains, it is what it is.
Unfortunately in the software industry you get (when you do, not always) the alert and the patch after the fact, i.e. the exploit has already been out there and your machine may well already have been compromised.

I've never seen any operating system coming with a sign saying "Use at your own risk", so why, when I buy a piece of software, do I have to assume it to be insecure, and why do I have to spend extra money on a recurring basis to make it less insecure, when there is no guarantee whatsoever that after maintenance, upgrades, patches and extra money my system will not get compromised because a moron forgot to include a term inside an if before compiling?

Insecurity and exploitable software is a huge business. I don't expect software to be 100% safe or correct, but some of the holes and issues are derived from bad quality stuff, and as with car manufacturers the software producers should have a recall/replacement program at their own cost.

My .02
Jorge
Jorge Amodio wrote:
Unfortunately in the software industry you get (when you do, not always) the alert and the patch after the fact, i.e. the exploit has already been out there and your machine may well already have been compromised.
I've never seen any operating system coming with a sign saying "Use at your own risk", so why, when I buy a piece of software, do I have to assume it to be insecure, and why do I have to spend extra money on a recurring basis to make it less insecure, when there is no guarantee whatsoever that after maintenance, upgrades, patches and extra money my system will not get compromised because a moron forgot to include a term inside an if before compiling?
Insecurity and exploitable software is a huge business. I don't expect software to be 100% safe or correct, but some of the holes and issues are derived from bad quality stuff, and as with car manufacturers the software producers should have a recall/replacement program at their own cost.
My .02 Jorge
Again, apples and oranges to a degree. Car owners don't receive a "use at your own risk" disclaimer either. Yet some Toyota owners faced horrifying instances of "subpar" prechecks. GM recalled a million or so cars and the list will always go on and on. Mistakes happen, period, and when mistakes DON'T happen Murphy's Law does.

I can speak for any software vendor but I can speak about insecurity and exploitability of software. That too is what it is from any standpoint, be it anywhere in Redmond to any other location. Look at Sun's horrible misstep with telnet:

<humor>
Highlights
The Solaris 10 Operating System, the most secure OS on the planet, provides security features previously only found in Sun's military-grade Trusted Solaris OS.
</humor>

Really?

http://blogs.securiteam.com/index.php/archives/814

9 Vulnerabilities for Microsoft *ANYTHING* of the first 60 published. But again, this is irrelevant. I don't care for any operating system anymore. I care for the one that accomplishes what I need to do at any given time. Be it Linux, Windows, BSD, Solaris, heck get me plan9 with Rio, I could care less. However, myself as an end user, I'm the one responsible for my machine as I am the one running it. If I find it to be insecure or "virus/trojan/malware/exploitability" prone, there is no one shoving it down my throat. Even if I didn't know any better.

So for those who are unaware of what's going on, how difficult would it be to create a function within an ISP tasked with keeping a network structured to avoid allowing OUTBOUND malicious traffic? We could argue about: "But that would be snooping", where I could always point out that a NAC could be set up prior to allowing a client to connect. Can anyone honestly tell me that one of their clients would be upset slash disturbed slash alarmed about an ISP protecting them (the customer) as well as other "neighbors" (customers)? That's like saying: "Oh they set up a neighborhood watch association... and they're watching over my house when I'm not home or capable of watching all sides of my house... HOW DARE THEY!"

Sorry, I can't picture that happening. What I picture is fear and people dragging their feet. I can tell you what though, for the first company to pick up on that framework, I can guarantee you the turnover rate wouldn't be as high as, say, being on a network where now the business connection is lagged because of spam, botnets and other oddities that could have been prevented.

--
J. Oquendo
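The "function within an ISP tasked with keeping a network structured to avoid allowing OUTBOUND malicious traffic" that the post above argues for is usually a per-customer egress monitor: count how many distinct destinations a customer host contacts on a given port inside a short window, and tie the finding to a concrete AUP action rather than another "thou shall not" e-mail. The following is an added illustration of that idea, not code from any poster in this thread; the flow records, thresholds, window size and action names are constructed assumptions, not any ISP's real policy.

```python
"""Flag customer hosts whose outbound flows look like spam or worm activity.

Added illustration for the thread's egress-filtering point; the sample
flows, thresholds and actions below are constructed, not a real policy.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds (constructed timestamps)
    src: str     # customer-side address
    dst: str     # remote address contacted
    dport: int   # destination port


# Assumed thresholds: distinct destinations per window before a host is flagged.
SMTP_DISTINCT_DST_LIMIT = 20   # direct-to-MX mail to >20 hosts/minute is spam-like
SCAN_DISTINCT_DST_LIMIT = 50   # >50 distinct hosts/minute on one port is scan-like
WINDOW_SECONDS = 60


def constructed_flows():
    """Build a small, labelled sample of outbound flows (constructed data)."""
    flows = []
    # 10.0.0.5: mail to 40 distinct servers on port 25 within 40 seconds.
    for i in range(40):
        flows.append(Flow(1000 + i, "10.0.0.5", f"198.51.100.{i + 1}", 25))
    # 10.0.0.9: 120 distinct hosts on port 445 within 20 seconds.
    for i in range(120):
        flows.append(Flow(2000 + i // 6, "10.0.0.9", f"203.0.113.{i + 1}", 445))
    # 10.0.0.7: ordinary browsing, five sites on 443 over several minutes,
    # plus three mails through a single relay on 25.
    for i in range(30):
        flows.append(Flow(3000 + i * 10, "10.0.0.7", f"192.0.2.{i % 5 + 1}", 443))
    for i in range(3):
        flows.append(Flow(3100 + i, "10.0.0.7", "192.0.2.25", 25))
    return flows


def _max_distinct_in_window(flows_sorted, window):
    """Largest number of distinct destinations seen in any `window` seconds."""
    best = 0
    for i, start in enumerate(flows_sorted):
        seen = set()
        for f in flows_sorted[i:]:
            if f.ts - start.ts >= window:
                break
            seen.add(f.dst)
        best = max(best, len(seen))
    return best


def flag_outbound(flows, window=WINDOW_SECONDS):
    """Return {src: reason} for customer hosts exceeding a threshold."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dport)].append(f)
    findings = {}
    for (src, dport), fl in groups.items():
        fl.sort(key=lambda f: f.ts)
        distinct = _max_distinct_in_window(fl, window)
        if dport == 25 and distinct > SMTP_DISTINCT_DST_LIMIT:
            findings[src] = f"smtp-fanout:{distinct}"
        elif distinct > SCAN_DISTINCT_DST_LIMIT:
            findings[src] = f"scan-like:{dport}:{distinct}"
    return findings


def enforcement_action(reason):
    """Map a finding to an assumed AUP response (constructed action names)."""
    if reason.startswith("smtp-fanout"):
        return "notify-customer+block-outbound-25"
    return "notify-customer+rate-limit-port"


if __name__ == "__main__":
    for host, reason in sorted(flag_outbound(constructed_flows()).items()):
        print(f"{host}: {reason} -> {enforcement_action(reason)}")
```

Legitimate hosts that send mail through one relay stay below the limit because the count is of distinct destinations, not of messages; the window keeps a slow, long-lived crawl from accumulating into a false positive.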
Again, apples and oranges to a degree. Car owners don't receive a "use at your own risk" disclaimer either. Yet some Toyota owners faced horrifying instances of "subpar" prechecks. GM recalled a million or so cars and the list will always go on and on. Mistakes happen period and when mistakes DON'T happen Murphy's Law does. I can speak for any software vendor but I can speak about insecurity and exploitability of software. That too is what it is from any standpoint be it anywhere in Redmond to any other location. Look at Sun's horrible misstep with telnet:
Note, however, that in all of these cases, the car manufacturers were liable and did have to take action to resolve the issues. WHY are software companies not held to these same standards? There's no need for new law, just for the judiciary to wake up and stop granting them a bizarre and unreasonable exemption from the existing laws.

Owen