This will be my last post on this issue.
In this case:
1) Almost certainly the traffic was due to a worm.
2) Almost certainly the ISP knew (or strongly suspected) the traffic was due to a worm.
3) Quite likely, the ISP never carried most of the traffic to its destination. Once they knew it was worm traffic, they were probably filtering by port.
4) The ISP should not have carried the attack traffic, if they actually did. Doing so is negligent and creates additional innocent victims. Maybe they would give their customer a short time to straighten things out, but that's it.
5) An ISP should not be paid for traffic they only carried out of their own negligence. This doesn't negate the customer's responsibility to anyone but the ISP and only if the ISP is actually negligent, not just the customer.
Yes, given the facts we know, it's possible that the ISP really does deserve to be paid, this traffic wasn't due to a worm, or there was no way the ISP could be sure. However, far more likely, the facts are as I state them above.
So why does everyone think the ISP is almost certainly entitled to be paid? Is it because they're ISPs? Is it because it's easy to blame someone else?
DS
On Fri, 11 Jun 2004, David Schwartz wrote:
So why does everyone think the ISP is almost certainly entitled to be paid? Is it because they're ISPs? Is it because it's easy to blame someone else?
I notice that Webmaster's license agreement includes this clause:
DISCLAIMER OF WARRANTY. The Software is provided on an AS IS basis, without warranty of any kind, including without limitation the warranties of merchantability, fitness for a particular purpose and non-infringement. The entire risk as to the quality and performance of the Software is borne by you. Should the Software prove defective, you and not WebMaster assume the entire cost of any service and repair. In addition, the security mechanism implemented by the Software has inherent limitations, and you must determine that the Software sufficiently meets your requirements. This disclaimer of warranty constitutes an essential part of the agreement.
Why does Webmaster put the entire risk on the customer, including warning that the security mechanism has inherent limitations? Shouldn't Webmaster be responsible if their customer suffers a loss whatsoever the cause, even if it wasn't due to any negligence on the part of Webmaster?
It is the customer's responsibility to ask any specific questions about implementation or scalability or arrange for a more extensive trial prior to requesting that a permanent key be issued. Once a permanent key has been issued there are no refunds and all sales are final.
Seems like Webmaster is requiring customers to be experts in Webmaster's products. Shouldn't it be Webmaster's responsibility to analyze and warn customers about every possible problem they could ever experience, secure the customer against all possible harm, and compensate the customer for all losses?
Why does Webmaster put the entire risk on the customer, including warning that the security mechanism has inherent limitations? Shouldn't Webmaster be responsible if their customer suffers a loss whatsoever the cause, even if it wasn't due to any negligence on the part of Webmaster?
I never argued that the ISP should be responsible for losses that weren't created by their own negligence.
Seems like Webmaster is requiring customers to be experts in Webmaster's products. Shouldn't it be Webmaster's responsibility to analyze and warn customers about every possible problem they could ever experience, secure the customer against all possible harm, and compensate the customer for all losses?
I never said an ISP should compensate a customer. How about sticking to the arguments I actually *used* rather than straw men?
I'm talking about a case where the provider had continuing control over the use of the item involved. I'm talking about a case where the provider knew or should have known that there was abuse that was injuring third parties. I'm talking about a case where the provider is billing the customer for the specific act of harming the third parties.
When you sell software, you have no idea what someone is going to use it for. You have no ability to continue to control the product over time. You have no way to know how the customer is actually using the product. You have no ability to shut off their usage at any particular time. You have no way to know or suspect that their usage is harming third parties.
Again, every analogy fails. You have to look at this particular case and the particular facts.
DS
On Fri, 11 Jun 2004, David Schwartz wrote:
This will be my last post on this issue.
In this case:
1) Almost certainly the traffic was due to a worm.
2) Almost certainly the ISP knew (or strongly suspected) the traffic was due to a worm.
3) Quite likely, the ISP never carried most of the traffic to its destination. Once they knew it was worm traffic, they were probably filtering by port.
4) The ISP should not have carried the attack traffic, if they actually did. Doing so is negligent and creates additional innocent victims. Maybe they would give their customer a short time to straighten things out, but that's it.
Erm.. Forgive me if this is a repeat posting but from what I've seen of this thread it needs to be stated.
- My ISP provides me with Internet Services.
- I get Authentication, an IP, DNS.
- I get a pipe to the world.
- I pay for my own bandwidth based on the plan the ISP provides me.
If I have a usage limit, and I exceed it due to a worm infection, it's MY problem. No one else's. I'm responsible for the security aspect of my own personal computers.
Note the list of things above. I haven't paid for a managed circuit, with warnings after unusual activity, I haven't paid for a filtering service to filter by port for traffic that might be suspicious... so how is this not cut-and-dried?
The ISP provides me with service, and puts a meter on it, and they bill me by the byte, or whatever - that's the service they're providing, I'm not expecting to be billed for 'certain types of traffic' - I have a pipe, I'm using that pipe, and I pay for what travels down it. Any 'overusage' or unusual spikes in bandwidth usage are mine to handle - that's part of the risk of purchasing this service.
If you want the provider to give you a solution which includes circuit monitoring, content filtering and other such things - then by all means make sure that's specified in the terms of service before you sign the dotted line.
This all seems so simple to me - I simply don't understand how I can blame my ISP when my Windows machine gets a trojan on it and starts spitting out emails - whether 0 day or otherwise, it's my problem, because *I* decided to take the (calculated) risk of putting that box online. (in whatever state - current, or not, firewalled or not, etc..). You can mitigate that risk through various factors - firewalls, Antivirus, WindowsUpdate, Alternative OSs... these all modify or change the risks involved but my ISP hasn't been involved in the calculation of this risk - so how can they be involved in accepting the responsibility for that risk?!?
Mark.
(Apparently I share a name with someone else on NANOG. So I'm not him... and he's not me :))
Participants (3): David Schwartz, Mark Foster, Sean Donelan