Does the water company fix your toilet if it leaks water? Or do you call a plumber? Every consumer computer has a power switch. How to stop a virus, turn off the power switch and take your computer to a repair shop.

http://www.globeandmail.com/servlet/story/RTGAM.20040609.wispp0609/BNStory/T...

A few months ago, Mike Bierstock, who runs a tiny property management business in Waterloo, Ont., found his office system had been compromised - either by a virus or hacker, he's not sure - and he was slapped with a terrific bill for the volume of traffic generated by his computer. His access provider forgave some of his initial bills, but did nothing to help him clean his system, so the problem continued. Ultimately the ISP killed his account, hitting him with a bill of $11,000.

[...]

Mr. Liber simply declared bankruptcy. "They knew about the worm way before any billing had accumulated," said Mr. Liber, now senior account executive with iTel Solutions Inc. "They also confirmed that while they knew that there was a worm and that they knew it was not our doing, they [say] the responsibility is ours. Yet only they could have stopped the worm and the massive amount of bandwidth that was flowing through because of this worm."

Did your computer have a power switch? Did you turn it off? Or did you continue to let it run up the bill? Yes, even the complete computer novice can stop a computer room. Turn off your computer. If you don't know how to fix it, take it to a repair store.

If you leave your lights on, the electric company will send you a bill. If you leave your faucets running, the water company will send you a bill. If you leave your computer infected, ???
Sean Donelan wrote:
Does the water company fix your toilet if it leaks water? Or do you call a plumber?
On the other hand, if the water company was sending pollutants in the water you bought, there was a perceived responsibility upon the water company. Now, which broken metaphor (leaky toilet, pollutant contaminated stream) best fits the problem at hand? Take all the time you need, we will wait. -- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
** Reply to message from "Laurence F. Sheldon, Jr." <LarrySheldon@cox.net> on Thu, 10 Jun 2004 12:39:41 -0500
Sean Donelan wrote:
Does the water company fix your toilet if it leaks water? Or do you call a plumber?
On the other hand, if the water company was sending pollutants in the water you bought, there was a perceived responsibility upon the water company.
Now, which broken metaphor (leaky toilet, pollutant contaminated stream) best fits the problem at hand?
Take all the time you need, we will wait.
That's an easy one. Leaky toilet - a properly maintained toilet doesn't leak and waste water, no matter what is in the inflow. If you want to drink from your toilet, that's your problem. We offer spam and virus filtering. We block many of the popular worm access ports at the edge and core (which can be a real pain). We offer a CD full of firewall, AV, and anti-spyware programs for the asking. But ultimately, _you_ are responsible for your own systems. -- Jeff Shultz A railfan pulls up to a RR crossing hoping that there will be a train.
** Reply to message from "Laurence F. Sheldon, Jr." <LarrySheldon@cox.net> on Thu, 10 Jun 2004 13:06:43 -0500
Jeff Shultz wrote:
But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
A. Straw man B. Apple/Kumquat argument Who is the victim here? The user whose computer was infected due to their own lack of responsibility (and was not fixed... remember that part, _was_not_fixed_), or the ISP who isn't going to get a rebate on their upstream bandwidth bill that was in turn inflated by that customer. -- Jeff Shultz A railfan pulls up to a RR crossing hoping that there will be a train.
On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote:
Jeff Shultz wrote:
But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
The "victim" in the case Sean posted knew he had a worm, got some of his first bill forgiven, yet did nothing to correct it and acts surprised when the same thing happens the next month. YES, he is at fault. Anyone who thinks differently .. uh .. can I buy b/w from you? :) Oh, and since you feel responsible, I'm only going to pay for the amount of traffic I think I should have gotten on my web page, even if I get /.'ed or something. Does $25/Mbps sound good? I plan to use about 1 Mbps, but I will need an un-rate-limited GigE connection. Back on topic, most users get upset when you do things like block ports because it breaks random crap they want to use. If you want something open, then you are responsible for what crawls through. If you want the b/w provider to protect you, then ask them. Just be prepared to pay, because b/w prices these days do not include security services. OTOH, as a good netizen, the upstream might want to cut off those users spewing to the rest of the 'Net. :) -- TTFN, patrick
On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote:
The "victim" in the case Sean posted knew he had a worm, got some of his first bill forgiven, yet did nothing to correct it and acts surprised when the same thing happens the next month. YES, he is at fault. Anyone who thinks differently .. uh .. can I buy b/w from you? :) Oh, and since you feel responsible, I'm only going to pay for the amount of traffic I think I should have gotten on my web page, even if I get /.'ed or something. Does $25/Mbps sound good? I plan to use about 1 Mbps, but I will need an un-rate-limited GigE connection.
It all depends upon what the agreement between the customer and the ISP says. It's not unreasonable for the ISP to 'insure' the customer against risks he isn't able to mitigate which the ISP is, even if that means shutting off his service. If someone blows up my water line and $1,000,000 worth of water is wasted, I don't think the water company is going to expect me to pay for it. This is especially true if the water company knew about the leak, could have done something to mitigate it, and failed to do so. Even if that means shutting off my water, that's what I'd expect them to do, shut it off until someone fixes it. Most of the people on this list see things from the ISP's perspective. However, step back a bit and see it from the user's perspective. Do you expect to pay for phone calls you didn't make or do you expect the person whose deliberate conscious action caused those calls to be made? Do you expect to be responsible for patrolling your electric lines to make sure someone hasn't plugged into your outside outlets? For most classes of service, it makes the most sense to only charge the customer for the traffic he wants and have the ISP take the responsibility for dealing with attacks to the extent they can do so. This is because the customer can't afford to hire a full time person to guard his always-on DSL connection while he's away for two weeks but his ISP can. This may mean that you're disconnected until they can coordinate with you -- such is life. Just be aware, your customers may not have the same expectations you do, and you should make your understanding *very* clear to your customers in your contracts. DS
David Schwartz wrote:
On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote:
The "victim" in the case Sean posted knew he had a worm, got some of his first bill forgiven, yet did nothing to correct it and acts surprised when the same thing happens the next month. YES, he is at fault. Anyone who thinks differently .. uh .. can I buy b/w from you? :) Oh, and since you feel responsible, I'm only going to pay for the amount of traffic I think I should have gotten on my web page, even if I get /.'ed or something. Does $25/Mbps sound good? I plan to use about 1 Mbps, but I will need an un-rate-limited GigE connection.
I do not believe there is credible evidence that I wrote any of that. -- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
On Jun 10, 2004, at 10:21 PM, Laurence F. Sheldon, Jr. wrote:
David Schwartz wrote:
On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote: The "victim" in the case Sean posted knew he had a worm, got some of his first bill forgiven, yet did nothing to correct it and acts surprised when the same thing happens the next month. YES, he is at fault. Anyone who thinks differently .. uh .. can I buy b/w from you? :) Oh, and since you feel responsible, I'm only going to pay for the amount of traffic I think I should have gotten on my web page, even if I get /.'ed or something. Does $25/Mbps sound good? I plan to use about 1 Mbps, but I will need an un-rate-limited GigE connection.
I do not believe there is credible evidence that I wrote any of that.
No, I did. Not sure why it got quoted as you, especially since I did not even see David's post quoting it. Back on topic, offer still stands. Who wants to sell me b/w and take responsibility for anything over what I expect to get / send? It seems there are several people on this list who think the user is not responsible for things like attack traffic, and I would very much like to purchase the services of one or more of them. -- TTFN, patrick
Ahhh, here it is... :) On Jun 10, 2004, at 10:07 PM, David Schwartz wrote:
On Jun 10, 2004, at 2:06 PM, Laurence F. Sheldon, Jr. wrote:
Uh, no, I wrote this part. :)
The "victim" in the case Sean posted knew he had a worm, got some of his first bill forgiven, yet did nothing to correct it and acts surprised when the same thing happens the next month. YES, he is at fault. Anyone who thinks differently .. uh .. can I buy b/w from you? :) Oh, and since you feel responsible, I'm only going to pay for the amount of traffic I think I should have gotten on my web page, even if I get /.'ed or something. Does $25/Mbps sound good? I plan to use about 1 Mbps, but I will need an un-rate-limited GigE connection.
It all depends upon what the agreement between the customer and the ISP says. It's not unreasonable for the ISP to 'insure' the customer against risks he isn't able to mitigate which the ISP is, even if that means shutting off his service.
While it may not be unreasonable, it is also not unreasonable for the ISP to *not* insure the customer against such risks. It all depends. :) Also, you did not really address my question: Are you willing to sell me the service I asked for above?
Most of the people on this list see things from the ISP's perspective. However, step back a bit and see it from the user's perspective. Do you expect to pay for phone calls you didn't make or do you expect the person whose deliberate conscious action caused those calls to be made? Do you expect to be responsible for patrolling your electric lines to make sure someone hasn't plugged into your outside outlets?
Actually, I Am Not An Isp. (Yes, that is really what it stands for.) I do see things from a user perspective. And I still do not agree with you. For instance, I do believe if someone comes by and plugs something into an outside socket on my house that I should pay the bill. The power was used, it cost something, and the power company sure as hell was not responsible. Of course, if I can find the culprit, I can force him to pay. But that does not mean the power company should eat the difference. Take some responsibility. This whole thing reminds me of when we were kids and I loaned my middle brother my walkman. He left it on the floor where my baby brother was playing - who promptly smashed it with some random toy and destroyed it. My middle brother claimed it was not his fault, my baby brother did it. I was out a walkman (big bux in those days!), but I learned a valuable lesson: Never trust someone who is not willing to take responsibility. Since you seem to disagree with me, care to put your money where your mouth is? Sell me a service where I only pay for what I expect. I'm happy to have you shut me off if you notice traffic out of profile, but don't expect me to pay more than what I think I should. Oh, and you should be prepared to turn the service back on when I "fix" the problem (even if it is just going to happen again, and again, and again, and again...). -- TTFN, patrick
On Jun 10, 2004, at 10:07 PM, David Schwartz wrote:
It all depends upon what the agreement between the customer and the ISP says. It's not unreasonable for the ISP to 'insure' the customer against risks he isn't able to mitigate which the ISP is, even if that means shutting off his service.
While it may not be unreasonable, it is also not unreasonable for the ISP to *not* insure the customer against such risks.
It all depends. :)
Well, it depends upon the class of service. For lower classes of service, it's generally a non-issue because the service isn't billed based upon usage. But I would argue that for low-end service (like home DSL) that is billed based upon usage, it's unreasonable for the ISP to bill customers for attack traffic. Obviously, it's possible that someone could offer this and get a customer to agree to it, but I'd be really suspicious as to whether they actually had a meeting of the minds with the customer about the consequences.
Also, you did not really address my question: Are you willing to sell me the service I asked for above?
I've acted as a negotiator for several companies who were looking to obtain connectivity. I've had no trouble negotiating agreements where the customer does not pay for attack traffic. Some companies want a 'per incident' fee, some don't. Usually these fees are reasonable and include firewalls and tracking and other things that are worth paying for. You can certainly get flat rate connections and you can get connections where if your service goes over X dollars, they rate limit you unless you agree to let more in. Yes, you can get almost any combination of service features. Obviously, some cost more than others. However, you can certainly get your ISP to insure you if you want. Heck, buy a flat rate 100Mbps line from any carrier and they're paying for any attack traffic over 100Mbps. Put in a filter and they're paying to carry all the attack traffic to the filter.
Most of the people on this list see things from the ISP's perspective. However, step back a bit and see it from the user's perspective. Do you expect to pay for phone calls you didn't make or do you expect the person whose deliberate conscious action caused those calls to be made? Do you expect to be responsible for patrolling your electric lines to make sure someone hasn't plugged into your outside outlets?
Actually, I Am Not An Isp. (Yes, that is really what it stands for.) I do see things from a user perspective. And I still do not agree with you.
For instance, I do believe if someone comes by and plugs something into an outside socket on my house that I should pay the bill. The power was used, it cost something, and the power company sure as hell was not responsible. Of course, if I can find the culprit, I can force him to pay. But that does not mean the power company should eat the difference.
It does if the person got to your house over the power company's lines. It does if the power company knows about it. Unfortunately, every analogy breaks down.
Take some responsibility.
How does a person with a DSL line at home take responsibility if he's away for a month? Is he supposed to hire someone?
This whole thing reminds me of when we were kids and I loaned my middle brother my walkman. He left it on the floor where my baby brother was playing - who promptly smashed it with some random toy and destroyed it. My middle brother claimed it was not his fault, my baby brother did it. I was out a walkman (big bux in those days!), but I learned a valuable lesson: Never trust someone who is not willing to take responsibility.
Certainly it was both of their faults and you're technically entitled to collect from either of them.
Since you seem to disagree with me, care to put your money where your mouth is? Sell me a service where I only pay for what I expect. I'm happy to have you shut me off if you notice traffic out of profile, but don't expect me to pay more than what I think I should. Oh, and you should be prepared to turn the service back on when I "fix" the problem (even if it is just going to happen again, and again, and again, and again...).
As I said, this kind of service is *definitely* available. You can get flat rate service where you only pay for what traffic you expect. You can get service where you can set a rate limit dynamically. You can get service where filters are put up at your whim and you do not pay for traffic that hits the filters. I think you're mostly being glib with clauses like "more than what I think I should", but it is definitely possible to negotiate contracts where you don't pay for attack traffic. It is definitely possible to negotiate contracts where there's a fixed maximum you can pay. In fact, I've never seen a contract that makes the customer responsible for attack traffic that doesn't make it to the customers' line (except for a per-incident fee). I don't that such a thing exists, but I've never seen or heard of it. As for inbound traffic, you would *definitely* bitch if you had to pay for inbound calls from telemarketers, and inbound attack traffic is much the same. DS
On Thu, Jun 10, 2004, David Schwartz wrote:
Take some responsibility.
How does a person with a DSL line at home take responsibility if he's away for a month? Is he supposed to hire someone?
The same way I did it when I went on holiday. I turned off the DSL router. Adrian -- Adrian Chadd I'm only a fanboy if <adrian@creative.net.au> I emailed Wesley Crusher.
It all depends upon what the agreement between the customer and the ISP says. It's not unreasonable for the ISP to 'insure' the customer against risks he isn't able to mitigate which the ISP is, even if that means shutting off his service.
True, to some extent, but...
If someone blows up my water line and $1,000,000 worth of water is wasted, I don't think the water company is going to expect me to pay for it. This is especially true if the water company knew about the leak, could have done something to mitigate it, and failed to do so. Even if that means shutting off my water, that's what I'd expect them to do, shut it off until someone fixes it.
Interesting theory. I don't expect that. I expect the water company to tell me how to shut off my water, or, possibly offer to come out and shut off my water for a fee. I don't expect them to turn the water off just to protect me from an outrageous bill if the problem is on my portion of the line. I do expect them to shut off your line when it blows up if it is causing a pressure drop which is affecting other customers, whether you want them to or not.
Most of the people on this list see things from the ISP's perspective. However, step back a bit and see it from the user's perspective. Do you expect to pay for phone calls you didn't make or do you expect the person whose deliberate conscious action caused those calls to be made? Do you expect to be responsible for patrolling your electric lines to make sure someone hasn't plugged into your outside outlets?
Well, as the step-parent of two teenage daughters, both of whom have cell phones purchased for them by my wife, I routinely pay for telephone calls I didn't make with no hope of getting said teenagers to ever pay the bill. I certainly don't expect the electric company to patrol my outside electrical outlets, and, yes, when someone plugged into one of mine, I did get billed by the power company. Why should they pay for it? They delivered the electricity to me. What I did with it afterwards (in this case, giving it to someone else I didn't expect or condone) is my problem.
For most classes of service, it makes the most sense to only charge the customer for the traffic he wants and have the ISP take the responsibility for dealing with attacks to the extent they can do so. This is because the customer can't afford to hire a full time person to guard his always-on DSL connection while he's away for two weeks but his ISP can. This may mean that you're disconnected until they can coordinate with you -- such is life.
If the customer is sending the traffic to the ISP (the issue in this case), then the ISP has no ability to drop the traffic before it arrives at the ISP router. The ISP, in this case, acted responsibly and informed the customer of their problem. They were even gracious enough to give the customer credit for some period of time. The ISP in this case did not control the CPE, it was the customer's CPE. As such, the customer is responsible for maintaining and configuring the CPE to do any desired blocking.
Just be aware, your customers may not have the same expectations you do, and you should make your understanding *very* clear to your customers in your contracts.
I don't make anything for customers in contracts... We have a sales department and a legal department that do that. I make routers deliver packets, and, sometimes, I even have to make routers not deliver packets. Sometimes, I help sales and legal figure out how to explain things to customers. Once in a while, I help them clarify that in the contract. Fortunately, for the most part, I run routers, not contracts. I like it better that way. However, I will say that the customers I have dealt with on the technical level have generally expected us to deliver packets, and, expected to pay for packets we deliver according to their agreement. When they ask us to block something, we do, but, I have never had a customer expect not to pay for their infected system AFTER we told them they were spewing. YMMV, Owen -- If it wasn't crypto-signed, it probably didn't come from me.
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Which water company is sending you 85% TriChlorEthane? More than likely it's your next door neighbor with a defective system leaking it. The water company didn't put TriChlorEthane in the water, someone else did.
Right. Got it. The victim is always responsible.
Who is the perpetrator and who is the victim? The mistake is trying to put the blame on one of the parties, which isn't responsible for it. Blaming the water company simply distracts you from fixing the real problem, your neighbor's chemical waste dump. If your ISP tells you your computer is infected, do you have any responsibility to fix your computer? If you fail to fix your computer, or have it fixed, are you still an "innocent" victim or have you become part of the problem? Have you become the chemical waste dump, and you are now responsible for dumping 85% TriChlorEthane in your neighbor's water?
On Thu, Jun 10, 2004 at 01:06:43PM -0500, Laurence F. Sheldon, Jr. wrote:
Jeff Shultz wrote:
But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
...the distinction btwn content, delivery systems, and customer owned equipment. context shifting... anyone (else) remember when all kit that touched the telephone network was owned by the telco? ... and ostensibly why? bit-pipes are a -very- comfortable business model; "we just pass the bits, we don't mess w/ them" - pushes the mitigation issues elsewhere and/or opens new business opportunities. of course neither my mother nor my daughters know or care about gcc ... and they pay to have someone to blame. --bill
Laurence F. Sheldon, Jr. wrote:
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
Are they really a victim though? In Sean's post the person had fair warning. The problem in this day and age is the terrible lack of self responsibility. That and the fact that a large percentage of people are just plain lazy, which makes for a bad combination. Instead of taking action it's much easier to just be lazy and blame someone else. Victims are innocent bystanders, not excuse makers.
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Jeff Shultz wrote:
But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
Change the word "victim" to "negligent party" and you're correct. Ignoring all of the analogies and metaphors, the bottom line is that ISPs are _not responsible_ for the negligence of their customers, and that ISPs are _not responsible_ for the _content_ of the packets we deliver. In fact, blocking the packets based on content would run counter to our sole responsibility: delivering the well-formed packets (ip verify unicast reverse-path) where they belong. Remember, we're service providers, not content providers. Unless your AUP or customer contract spells out security services provided (most actually go the other way and limit the liability of the service provider specifically in this event), then your customers have to pay you to secure their network (unless you feel like doing it for free), or they are responsible, period. As far as I'm concerned, that guy would have a better shot at suing Microsoft than challenging his bandwidth bill. Andy --- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---
Andy Dills wrote:
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Jeff Shultz wrote:
But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
Change the word "victim" to "negligent party" and you're correct.
It would be great if there always was a negligent party, but there is not always one. If Widgets Inc.'s otherwise ultra-secure web server gets 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc. or the ISP? So how about this analogy: Someone breaks into my house and spends a few hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier? Neither of us was negligent. [0] Unless someone can prove the software flaw was sloppy enough that it constitutes negligence and goes after the software authors. Good luck with that. -- Crist J. Clark crist.clark@globalstar.com Globalstar Communications (408) 933-4387
It would be great if there always was a negligent party, but there is not always one. If Widgets Inc.'s otherwise ultra-secure web server gets 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc. or the ISP?
1. In Sean's example, clearly the customer was a negligent party. 2. If Widgets Inc. doesn't promptly disconnect their system from the network upon notification of the problem, and/or fails to fix the system before reconnecting it to the network, then they have become a negligent party. 3. Although there's no real obligation for ISPs to do so, most that I know will eat it on the customer's behalf until some reasonable amount of time after they told the customer. That is exactly what happened in the case Sean brought up, except, the ISP ate it for far longer than reasonable.
So how about this analogy: Someone breaks into my house and spends a few hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier? Neither of us was negligent.
Well... When I had a similar situation, the phone company tried very hard to tell me it was my problem. Finally, I found out what had happened, and provided them with photographs of a person tapping into lines from the junction on my pole and making phone calls. They did give me credit at that point, but, it took a lot of convincing and I got lucky with a camera.
[0] Unless someone can prove the software flaw was sloppy enough that it constitutes negligence and goes after the software authors. Good luck with that.
Actually, I'd say that anyone who hasn't signed Micr0$0ft's EULA and is a victim of the crap their software ends up spewing has a pretty good case against them for negligence at this point, but, IANAL. Owen -- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
On Thu, 10 Jun 2004, Crist Clark wrote:
Change the word "victim" to "negligent party" and you're correct.
It would be great if there always was a negligent party, but there is not always one. If Widgets Inc.'s otherwise ultra-secure web server gets 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc. or the ISP?
That's between the customer and Widgets Inc. The ISP is certainly not legally obligated to eat the cost of the bandwidth. They may choose to do so in the interest of furthering the business relationship, but that only covers so many bits.
So how about this analogy: Someone breaks into my house and spends a few hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier? Neither of us was negligent.
Keep in mind, this guy's ISP, like many (most?) ISPs would do, gave the guy a serious break on the first jaw-dropping bill. But if you're the phone company, and a customer mysteriously has somebody break into their house month after month to call Hong Kong for a few hours, do you really think they're going to keep voiding those charges? Clearly the customer is negligent, even if another party is directly responsible. Speaking for Xecunet, we offer both capped and metered billing packages, and we always make a point of offering customers a capped solution when something like this happens. If they decline, we make sure they understand that in the future they will be liable for 100% of the packets coming from their port, regardless of the circumstances. Maybe we should start putting this in writing, but it hasn't really been a problem. Andy --- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---
Andy Dills wrote:
Keep in mind, this guy's ISP, like many (most?) ISPs would do, gave the guy a serious break on the first jaw-dropping bill.
Why do I have to get two and three copies of each of these? I'm on the list folks, if you send it to the list I'll get it. I don't need a copy to the list and Cc:'s until the end of time. But since I am here, let me also ask that we keep in mind, that if this guy is anything like folks close to home here, his ISP requires him to run a current version of IE, OE and NT of some kind. He hooked that up, his ISP delivered a successful attack on the combination. Now, let's stop the movie and identify the negligent parties and the responsible parties. No huge bill yet, no infected anybody else yet.
But if you're the phone company, and a customer mysteriously has somebody break into their house month after month to call Hong Kong for a few hours, do you really think they're going to keep voiding those charges? Clearly the customer is negligent, even if another party is directly responsible.
Speaking for Xecunet, we offer both capped and metered billing packages, and we always make a point of offering customers a capped solution when something like this happens. If they decline, we make sure they understand that in the future they will be liable for 100% of the packets coming from their port, regardless of the circumstances. Maybe we should start putting this in writing, but it hasn't really been a problem.
Andy
--- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---
-- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Why do I have to get two and three copies of each of these?
Because you haven't set a Reply-To header? Eg with the list as address?
I'm on the list folks, if you send it to the list I'll get it. I don't need a copy to the list and Cc:'s until the end of time.
Then set a Reply-To. Pretty simple.. regards, -- Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A warning: do not ever send email to spam@dishone.st Fortune: Coding is easy; All you do is sit staring at a terminal until the drops of blood form on your forehead.
Paul Jakma wrote:
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Why do I have to get two and three copies of each of these?
Because you haven't set a Reply-To header? Eg with the list as address?
I'm on the list folks, if you send it to the list I'll get it. I don't need a copy to the list and Cc:'s until the end of time.
Then set a Reply-To. Pretty simple..
regards,
Really? My responsibility to make sure you control your outbound mail. Got it. Oh. Any suggestions on how to do that using my mailer? And I'll delete the other copy you sent me for you. Where in RFC 2821 is this requirement, by the way? RFC 2822 says it is optional but seems to be less than useful in the context here. -- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
reply-to: headers are bad. the replier can be sending to the list when they intended to reply privately. hence, many of us have our MTAs strip them before we even get the mail. again, procmail is your friend

    #
    # prevent dupes
    #
    :0 Wh: msgid.lock
    | formail -D 65536 msgid.cache

randy
On Fri, 11 Jun 2004, Randy Bush wrote:
reply-to: headers are bad.
Oh, on that I agree. There are draft RFCs to specify these things better, eg separating the concept of 'Reply-to' into one policy for list related replies and another for personal, mutt supports these drafts already[1], but there hasn't been much apparent movement in these drafts becoming standards track. (primarily because there are already similar headers defined and RFC standards tracked for NNTP readers/posters). 1. which can be annoying when dealing with mutt users. regards, -- Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A warning: do not ever send email to spam@dishone.st Fortune: The soul would have no rainbow had the eyes no tears.
My last on the topic--maybe even the list. I take the responsibility for a number of things, depending on the topic of the discussion. In the case of email conversations, particularly email conversations on mailing lists, I think there are responsibilities on the author to: Delete all the baggage that has accumulated that is not relevant to the instant message, like the addresses in excess of the intended recipient or recipient-list, like the material that is not the object of the current comments, like the collection of cute .sig things that were not separated by a proper separator or not dropped by a proper mailer. (And it happens that I am reduced to using Netscape as a mailer, and to the best of my ability I have not found a way to add not-required headers to the messages.) But I'm big on "responsibility" and I understand that I am pretty close to alone here on that. -- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
On Fri, 11 Jun 2004, Laurence F. Sheldon, Jr. wrote:
But I'm big on "responsibility" and I understand that I am pretty close to alone here on that.
You're big on responsibility...just as long as the end users aren't held responsible for their networks, right? Which network do you run again? I'm starting to think I'm talking to a kook. Here this whole time I thought you represented cox.net. Clearly not. Andy --- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---
On Fri, 11 Jun 2004 11:50:26 CDT, "Laurence F. Sheldon, Jr." said:
Where in RFC 2821 is this requirement, by the way? RFC 2822 says it is optional but seems to be less than useful in the context here.
2821 is about the SMTP side of things. By the time the MTA is handed a list of RCPT TO's, it's waaay past time to argue about Reply-to:. (As a matter of fact, careful reading of 2821 will reveal that there's no *specific* requirement that the stuff between the DATA and final '.' even be an 822-style e-mail - I've seen blecherous things that toss an X.400 blob around in there instead...) 2822 and related would be the right place, as that's about the 822-style headers on the mail itself. As already noted by several people, Reply-To: doesn't necessarily impose the proper semantics (and before anybody pipes up, Bernstein's "Mail-Followup-To:" isn't perfect either, *and* there's not even an active I-D for it, much less any sort of RFC).
On Fri, 11 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Really? My responsibility to make sure you control your outbound mail. Got it.
You really think everyone on this list should remember the preference of every other poster as to whether they do or do not want a direct copy? Maybe we could have a list on a web page and everyone could check the list before replying to a post. That'd be really useful. But wait, seeing as how we've got these new-fangled computer thingies that can take care of drudgery for us, how about we provide a way to allow the poster to specify what their preference is, and then other people's computers could automatically use that preference! Oh wait: http://www.freesoft.org/CIE/RFC/822/28.htm Someone already thought of that! In *1982*. Gosh, how prescient! (sorry if the sarcasm is a little thick, but I groan and shake my head every time someone posts to NANOG about how people should please stop including them in list replies. When I see someone who usually has a modicum of clue do same I just have to reply. :) )
Oh. Any suggestions on how to do that using my mailer?
No idea, consult its documentation. I do ctrl+r in my MUA, in Netscape Communicator or Mozilla mail or Thunderbird you just add the address in a new field and click the drop down list and change the 'To' to 'Reply-To' If your mailer can not do something as simple as allow you to specify the Reply-To, I suggest you upgrade to something that is at least half-decent.
And I'll delete the other copy you sent me for you.
That's another option I guess.
Where in RFC 2821 is this requirement, by the way? RFC 2822 says it is optional but seems to be less than useful in the context here.
Yes, of course Reply-To is optional. Absence of Reply-to indicates reply should go to sender. regards, -- Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A warning: do not ever send email to spam@dishone.st Fortune: October 12, the Discovery. It was wonderful to find America, but it would have been more wonderful to miss it. -- Mark Twain, "Pudd'nhead Wilson's Calendar"
Paul Jakma wrote:
On Fri, 11 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Really? My responsibility to make sure you control your outbound mail. Got it.
You really think everyone on this list should remember the preference of every other poster as to whether they do or do not want a direct copy? Maybe we could have a list on a web page and everyone could check the list before replying to a post. That'd be really useful. But wait, seeing as how we've got these new-fangled computer thingies that can take care of drudgery for us, how about we provide a way to allow the poster to specify what their preference is, and then other people's computers could automatically use that preference!
Oh wait:
http://www.freesoft.org/CIE/RFC/822/28.htm
Someone already thought of that! In *1982*. Gosh, how prescient!
Or the document a little out-dated and replaced. But not your responsibility huh?
(sorry if the sarcasm is a little thick, but I groan and shake my head every time someone posts to NANOG about how people should please stop including them in list replies. When I see someone who usually has a modicum of clue do same I just have to reply. :) )
Oh. Any suggestions on how to do that using my mailer?
No idea, consult its documentation. I do ctrl+r in my MUA, in Netscape Communicator or Mozilla mail or Thunderbird you just add the address in a new field and click the drop down list and change the 'To' to 'Reply-To'
If your mailer can not do something as simple as allow you to specify the Reply-To, I suggest you upgrade to something that is at least half-decent.
And I'll delete the other copy you sent me for you.
That's another option I guess.
Where in RFC 2821 is this requirement, by the way? RFC 2822 says it is optional but seems to be less than useful in the context here.
Yes, of course Reply-To is optional. Absence of Reply-to indicates reply should go to sender.
regards,
-- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
On Fri, 11 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Or the document a little out-dated and replaced. But not your responsibility huh?
822 might have been superseded, yes, however no newer standards track RFC has made Reply-to obsolete. My point was that Reply-to isn't something new, it's something I'd expect anyone on a network ops mailing list to know about and be able to use. (if they really wish to run the risk of other people accidentally mailing private correspondence to the Reply-To address). NB: The other thing you can do is filter your email into separate mailboxes, eg each list into a separate folder. If you do this, the direct copy will become useful. regards, -- Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A warning: do not ever send email to spam@dishone.st Fortune: Innovation is hard to schedule. -- Dan Fylstra
I suspect most of us who are failing to feel Mr. Sheldon's pain on this just fail to understand the burden that's been placed on him by this problem. As an occasional poster to this and other lists, I sometimes get a few duplicate replies, which, being sent directly to me, end up in my regular mailbox instead of my NANOG folder, and thus require me to actively delete or sort through them. As an occasional issue, it seems like a natural result of sending out a message to a few thousand people. Not being all that important I often find it hard to believe that a few thousand people will want to read what I have to say, so I don't do it all that often. I can see, however, that some scaling issues would come into play here. If I have to spend a few minutes sorting out duplicate replies every few weeks after posting something to the list, it's not a big deal. Besides, if I've taken the time to write something and send it to a few thousand people, I generally want to know what people have to say about it. But, never having posted to the NANOG list eight times in less than two days, I can only imagine how the time spent dealing with duplicate replies would add up. Besides, coming up with that many things worth sending to a few thousand people, in such a short period of time, must be really time consuming. With such a busy posting schedule, should we be surprised that the time to deal with an unfathomable quantity of duplicate responses would be hard to come by? -Steve On Fri, 11 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Paul Jakma wrote:
On Fri, 11 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Really? My responsibility to make sure you control your outbound mail. Got it.
You really think everyone on this list should remember the preference of every other poster as to whether they do or do not want a direct copy? Maybe we could have a list on a web page and everyone could check the list before replying to a post. That'd be really useful. But wait, seeing as how we've got these new-fangled computer thingies that can take care of drudgery for us, how about we provide a way to allow the poster to specify what their preference is, and then other people's computers could automatically use that preference!
Oh wait:
http://www.freesoft.org/CIE/RFC/822/28.htm
Someone already thought of that! In *1982*. Gosh, how prescient!
Or the document a little out-dated and replaced. But not your responsibility huh?
(sorry if the sarcasm is a little thick, but I groan and shake my head every time someone posts to NANOG about how people should please stop including them in list replies. When I see someone who usually has a modicum of clue do same I just have to reply. :) )
Oh. Any suggestions on how to do that using my mailer?
No idea, consult its documentation. I do ctrl+r in my MUA, in Netscape Communicator or Mozilla mail or Thunderbird you just add the address in a new field and click the drop down list and change the 'To' to 'Reply-To'
If your mailer can not do something as simple as allow you to specify the Reply-To, I suggest you upgrade to something that is at least half-decent.
And I'll delete the other copy you sent me for you.
That's another option I guess.
Where in RFC 2821 is this requirement, by the way? RFC 2822 says it is optional but seems to be less than useful in the context here.
Yes, of course Reply-To is optional. Absence of Reply-to indicates reply should go to sender.
regards,
-- Requiescas in pace o email
Ex turpi causa non oritur actio
a quick duplicate elimination in procmail is something like:

    :0 Whc: msgid.lock
    | formail -D 16384 msgid.cache

    :0 a:
    /dev/null

for me it's a substantial lifestyle improvement.

On Fri, 11 Jun 2004, Steve Gibbard wrote:
I suspect most of us who are failing to feel Mr. Sheldon's pain on this just fail to understand the burden that's been placed on him by this problem.
As an occasional poster to this and other lists, I sometimes get a few duplicate replies, which, being sent directly to me, end up in my regular mailbox instead of my NANOG folder, and thus require me to actively delete or sort through them. As an occasional issue, it seems like a natural result of sending out a message to a few thousand people. Not being all that important I often find it hard to believe that a few thousand people will want to read what I have to say, so I don't do it all that often.
I can see, however, that some scaling issues would come into play here. If I have to spend a few minutes sorting out duplicate replies every few weeks after posting something to the list, it's not a big deal. Besides, if I've taken the time to write something and send it to a few thousand people, I generally want to know what people have to say about it. But, never having posted to the NANOG list eight times in less than two days, I can only imagine how the time spent dealing with duplicate replies would add up. Besides, coming up with that many things worth sending to a few thousand people, in such a short period of time, must be really time consuming. With such a busy posting schedule, should we be surprised that the time to deal with an unfathomable quantity of duplicate responses would be hard to come by?
-Steve
-- -------------------------------------------------------------------------- Joel Jaeggli Unix Consulting joelja@darkwing.uoregon.edu GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
On Fri, 11 Jun 2004 10:52:40 PDT, Steve Gibbard said:
As an occasional poster to this and other lists, I sometimes get a few duplicate replies, which, being sent directly to me, end up in my regular mailbox instead of my NANOG folder, and thus require me to actively delete or sort through them. As an occasional issue, it seems like a natural result of sending out a message to a few thousand people. Not being all that important I often find it hard to believe that a few thousand people will want to read what I have to say, so I don't do it all that often.
Much more annoying are borked Out-of-Brain responders that annoy you when you post to a list because they don't understand the concept of a list. What's really sad is when an Out-of-Brain responder manages to trigger my procmail duplicate detector.. ;)
** Reply to message from Crist Clark <crist.clark@globalstar.com> on Thu, 10 Jun 2004 14:54:07 -0700
It would be great if there always was a negligent party, but there is not always one. If Widgets Inc.'s otherwise ultra-secure web server gets 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc. or the ISP?
Just out of curiosity, what was the last 0-Day (not that I've heard of any, really) that made itself obvious by chewing up tons of bandwidth? Most of the nasty worms seem to be the ones that either do some efficient social engineering, or exploit a hole MS patched 6 months ago. In any case, I expect it would be negotiated on a case by case basis. But Widgets Inc. would be operating from a position of weakness. Regardless of the circumstances, their systems did use the bandwidth.
So how about this analogy: Someone breaks into my house and spends a few hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier? Neither of us was negligent.
Depends on how nice your LD carrier is - with a police report they might cut you some slack. Otherwise... how many parents have been stuck with the bills for their teenage kids' $200+ SMS bills? -- Jeff Shultz A railfan pulls up to a RR crossing hoping that there will be a train.
It would be great if there always was a negligent party, but there is not always one. If Widgets Inc.'s otherwise ultra-secure web server gets 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc. or the ISP?
Widget Inc is still negligent. It is their server. They could have placed the server behind a firewall. The firewall could have been doing layer 7 inspection and noticed the 0-day event. They could also be running an IDS which would detect such an event and notify a network administrator. The point is there are MANY ways to protect systems and to be notified in an event. As an ISP I would overlook a couple days worth of billing if my customer was responsible/reactive to the event. If they refuse to fix the problems they should be held liable. If we notice worm traffic entering our network from our customer we shut them down then notify them. We protect our network first, then we help with theirs. No matter how you slice it people need to be responsible for their own actions or inactions. Widget Inc, could have chosen different OS, Web server, etc that didn't have that particular 0-day event. Customers have choices, they need to be responsible for the choices they make. I can guide them in good design up to a certain extent for free. I'll design/build for them for a fee. IT is always the first cut in a budget crunch, Bean counters overlook IT issues. The problem is the way you run your network affects other networks. You can save $30,000 today and spend $100,000 in repairs for a failure, your choice.
So how about this analogy: Someone breaks into my house and spends a few hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier? Neither of us was negligent.
Do you ever expect to call Hong Kong? No, call your LD carrier before the fact and block all international calls from your line. You can also put an access code on your outbound calls or block everything and use a calling card. You chose to make it easy for yourself, you get hacked, you should pay.
[0] Unless someone can prove the software flaw was sloppy enough that it constitutes negligence and goes after the software authors. Good luck with that.
Software flaw or not. Design your network so you have safeguards in place. Have other machines watching for irregular traffic, set off pagers when your traffic goes 300% above normal. Pay for a network engineer to watch it and make it better. React to problems, don't turn a blind eye and hope it all goes away. Come on, WhatsUp Gold is cheap enough, SNMP monitor your switch traffic and set off pagers using thresholds, it really isn't that hard. I'm rambling, the root of the problem is not IT or MS or the Internet. It is society and everyone doing the bare minimum. Going with the least common denominator is not a way to live your life, run your business or your network. I'll take the high road, thank you very much. I have little patience for people who do not expend the effort complaining and looking for hand outs from those that do.
-- Crist J. Clark crist.clark@globalstar.com Globalstar Communications (408) 933-4387
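An added example, not part of any post in this thread: one way to implement the check suggested in the reply above (poll switch traffic over SNMP and page someone when it goes 300% above normal). The poll values, the 32-bit counter, the median baseline, the "sustained for two polls" rule and every function name are assumptions made for this illustration.

```python
"""Alert when a port's traffic runs 300% above its normal rate.

Input is a series of (unix_time, octet_counter) polls such as an SNMP
poller collects from ifInOctets/ifOutOctets. All sample values below
are constructed for illustration.
"""
from statistics import median

COUNTER32_MOD = 2 ** 32  # assumption: 32-bit counters, not the 64-bit HC ones


def rates_bps(samples, link_bps):
    """Convert (timestamp, counter) polls into (timestamp, bits/sec) points.

    A negative delta is treated as a single counter wrap. If the resulting
    rate exceeds the link speed the interval is dropped: that is a counter
    reset (for example a reboot), not real traffic.
    """
    points = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # out-of-order or duplicate poll
        delta = c1 - c0
        if delta < 0:
            delta += COUNTER32_MOD
        bps = delta * 8 / dt
        if bps > link_bps:
            continue  # physically impossible, so the counter was reset
        points.append((t1, bps))
    return points


def find_alerts(points, baseline_window=6, pct_above=300,
                min_bps=50_000, sustain=2):
    """Return one alert per anomalous run lasting at least `sustain` polls.

    "300% above normal" is read here as 4x the baseline. The baseline is
    the median of the last `baseline_window` normal points; anomalous
    points are never added to it, so a long infection cannot become the
    new normal. `min_bps` keeps an idle port from paging on tiny changes.
    """
    factor = 1 + pct_above / 100
    history, alerts, streak = [], [], 0
    for ts, bps in points:
        if len(history) < baseline_window:
            history.append(bps)  # still learning what normal looks like
            continue
        baseline = median(history[-baseline_window:])
        if bps > max(baseline * factor, min_bps):
            streak += 1
            if streak == sustain:  # fire once per run, not on every poll
                alerts.append({"time": ts, "bps": bps,
                               "baseline_bps": baseline})
        else:
            streak = 0
            history.append(bps)
    return alerts


def constructed_polls():
    """Constructed 5-minute polls of one customer port on a 10 Mbit/s link.

    Eight quiet intervals (about 200 kbit/s), four intervals at 8 Mbit/s
    as a worm-infected host would produce, then two quiet intervals. The
    counter starts just below 2**32 so a wrap occurs during normal traffic.
    """
    deltas = [7_500_000] * 8 + [300_000_000] * 4 + [7_500_000] * 2
    t, c = 1_086_900_000, COUNTER32_MOD - 20_000_000
    polls = [(t, c)]
    for d in deltas:
        t += 300
        c = (c + d) % COUNTER32_MOD
        polls.append((t, c))
    return polls


if __name__ == "__main__":
    for alert in find_alerts(rates_bps(constructed_polls(), 10_000_000)):
        print("PAGE: %(bps).0f bit/s at %(time)d, baseline %(baseline_bps).0f"
              % alert)
```

A counter reset that happens while the counter is close to 2**32 cannot be told apart from a wrap with this method; polling the 64-bit counters where the device offers them avoids the ambiguity.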
Thus spake "Crist Clark" <crist.clark@globalstar.com>
It would be great if there always was a negligent party, but there is not always one. If Widgets Inc.'s otherwise ultra-secure web server gets 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc. or the ISP?
Until a patch was available or filter was installed, most ISPs would eat it as a gesture of good will (but they have no obligation to do so). A customer who fails to implement the _available_ security measures is negligent, particularly after they've been informed there's a problem and they make a conscious choice not to do anything about it. In the case of Mr. Liber, I totally side with the ISP for about the first 30 days. After that, they should have disabled or capped Mr. Liber's account (totally kosher, as he hadn't paid his outstanding bill) to prevent him from running up further charges that any rational person would know he's unlikely to pay for. Shame on both parties.
So how about this analogy: Someone breaks into my house and spends a few hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier? Neither of us was negligent.
A few years ago my cell phone was stolen, and before I was able to report it to the carrier several hours of calls were made to a foreign country. The carrier ate all the calls between when the phone was stolen and when their customer service center opened; I ate the calls that occurred after that. Seems totally reasonable, even if it did cost me ~$50. Once you have discovered or been notified there is a problem, _you_ are responsible for fixing it or you implicitly agree to pay the price of not fixing it. As the song goes, "If you choose not to decide/You still have made a choice". If one is not yet aware of the problem (and there's no reasonable expectation one should have been), I think there's room for debate, but that's not relevant to the discussion of Mr. Liber.
S
Stephen Sprunk
CCIE #3723
K5SSS
"Stupid people surround themselves with smart people. Smart people surround themselves with smart people who disagree with them." --Aaron Sorkin
Andy Dills wrote:
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Jeff Shultz wrote:
But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
Change the word "victim" to "negligent party" and you're correct.
Ignoring all of the analogies and metaphors, the bottom line is that ISPs are _not responsible_ for the negligence of their customers, and that ISPs are _not responsible_ for the _content_ of the packets we deliver. In fact, blocking the packets based on content would run counter to our sole responsibility: delivering the well-formed packets (ip verify unicast reverse-path) where they belong.
Remember, we're service providers, not content providers. Unless your AUP or customer contract spells out security services provided (most actually go the other way and limit the liability of the service provider specifically in this event), then your customers have to pay you to secure their network (unless you feel like doing it for free), or they are responsible, period.
As far as I'm concerned, that guy would have a better shot at suing Microsoft than challenging his bandwidth bill.
Andy
--- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---
How many more of these do I need, do you think? -- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
Here is a list of very active ports that attempt to hack into people's systems from various parts of the world, China in particular. I think unassigned ports should be dropped from routing tables unless they are registered with the host and or providers as to their legitimate use....

smpnameres      901/tcp    SMPNAMERES
smpnameres      901/udp    SMPNAMERES
blackjack       1025/tcp   network blackjack
blackjack       1025/udp   network blackjack
cap             1026/tcp   Calender Access Protocol
cap             1026/udp   Calender Access Protocol
exosee          1027/tcp   ExoSee
exosee          1027/udp   ExoSee
#               1124-1154  Unassigned
ssslic-mgr      1203/tcp   License Validation
ssslic-mgr      1203/udp   License Validation
ms-sql-s        1433/tcp   Microsoft-SQL-Server
ms-sql-s        1433/udp   Microsoft-SQL-Server
ms-sql-m        1434/tcp   Microsoft-SQL-Monitor
ms-sql-m        1434/udp   Microsoft-SQL-Monitor
#               6851-6887  Unassigned
monkeycom       9898/tcp   MonkeyCom
monkeycom       9898/udp   MonkeyCom

And I need a list that shows who or what owns Dynamic and/or Private Ports

-Henry

--- "Laurence F. Sheldon, Jr." <LarrySheldon@cox.net> wrote:
Andy Dills wrote:
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Jeff Shultz wrote:
But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
Change the word "victim" to "negligent party" and you're correct.
Ignoring all of the analogies and metaphors, the bottom line is that ISPs are _not responsible_ for the negligence of their customers, and that ISPs are _not responsible_ for the _content_ of the packets we deliver. In fact, blocking the packets based on content would run counter to our sole responsibility: delivering the well-formed packets (ip verify unicast reverse-path) where they belong.
Remember, we're service providers, not content providers. Unless your AUP or customer contract spells out security services provided (most actually go the other way and limit the liability of the service provider specifically in this event), then your customers have to pay you to secure their network (unless you feel like doing it for free), or they are responsible, period.
As far as I'm concerned, that guy would have a better shot at suing Microsoft than challenging his bandwidth bill.
Andy
--- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---
How many more of these do I need, do you think?
-- Requiescas in pace o email
Ex turpi causa non oritur actio
Henry Linneweh wrote:
Here is a list of very active ports that attempt to hack into people's systems from various parts of the world, China in particular.
Thank you.
I think unassigned ports should be dropped from routing tables unless they are registered with the host and or providers as to their legitimate use....
smpnameres      901/tcp    SMPNAMERES
smpnameres      901/udp    SMPNAMERES
blackjack       1025/tcp   network blackjack
blackjack       1025/udp   network blackjack
cap             1026/tcp   Calender Access Protocol
cap             1026/udp   Calender Access Protocol
exosee          1027/tcp   ExoSee
exosee          1027/udp   ExoSee
#               1124-1154  Unassigned
ssslic-mgr      1203/tcp   License Validation
ssslic-mgr      1203/udp   License Validation
ms-sql-s        1433/tcp   Microsoft-SQL-Server
ms-sql-s        1433/udp   Microsoft-SQL-Server
ms-sql-m        1434/tcp   Microsoft-SQL-Monitor
ms-sql-m        1434/udp   Microsoft-SQL-Monitor
#               6851-6887  Unassigned
monkeycom       9898/tcp   MonkeyCom
monkeycom       9898/udp   MonkeyCom
And I need a list that shows who or what owns Dynamic and/or Private Ports
-Henry
-- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
Henry Linneweh wrote:
Here is a list of very active ports that attempt to hack into people's systems from various parts of the world, China in particular.
I think unassigned ports should be dropped from routing tables unless they are registered with the host and or providers as to their legitimate use....
smpnameres      901/tcp    SMPNAMERES
smpnameres      901/udp    SMPNAMERES
blackjack       1025/tcp   network blackjack
blackjack       1025/udp   network blackjack
cap             1026/tcp   Calender Access Protocol
cap             1026/udp   Calender Access Protocol
exosee          1027/tcp   ExoSee
exosee          1027/udp   ExoSee
#               1124-1154  Unassigned
ssslic-mgr      1203/tcp   License Validation
ssslic-mgr      1203/udp   License Validation
ms-sql-s        1433/tcp   Microsoft-SQL-Server
ms-sql-s        1433/udp   Microsoft-SQL-Server
ms-sql-m        1434/tcp   Microsoft-SQL-Monitor
ms-sql-m        1434/udp   Microsoft-SQL-Monitor
#               6851-6887  Unassigned
monkeycom       9898/tcp   MonkeyCom
monkeycom       9898/udp   MonkeyCom
And I need a list that shows who or what owns Dynamic and/or Private Ports
-Henry
--- "Laurence F. Sheldon, Jr." <LarrySheldon@cox.net> wrote:
Andy Dills wrote:
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr.
wrote:
Jeff Shultz wrote:
But ultimately, _you_ are responsible for your
own systems.
Even if the water company is sending me 85%
TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
Change the word "victim" to "negligent party" and
you're correct.
Ignoring all of the analogies and metaphors, the
bottom line is that ISPs
are _not responsible_ for the negligence of their
customers, and that ISPs
are _not responsible_ for the _content_ of the
packets we deliver. In
fact, blocking the packets based on content would
run counter to our sole
responsibility: delivering the well-formed packets
(ip verify unicast
reverse-path) where they belong.
Remember, we're service providers, not content
providers. Unless your AUP
or customer contract spells out security services
provided (most actually
go the other way and limit the liability of the
service provider
specifically in this event), then your customers
have to pay you to secure
their network (unless you feel like doing it for
free), or they are
responsible, period.
As far as I'm concerned, that guy would have a
better shot at suing
Microsoft than challenging his bandwidth bill.
Andy
--- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---
How many more of these do I need, do you think?
-- Requiescas in pace o email
Ex turpi causa non oritur actio
Thanks -- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
Randy Bush wrote:
I think unassigned ports should be dropped from routing tables
your wish is the internet's command. ports are no longer in routing tables.
Thank you -- Requiescas in pace o email Ex turpi causa non oritur actio http://members.cox.net/larrysheldon/
On Fri, 11 Jun 2004, Henry Linneweh wrote:
Here is a list of very active ports that attempt to hack into people's systems from various parts of the world, China in particular.
I think unassigned ports should be dropped from routing tables unless they are registered with the host and or providers as to their legitimate use....
Better yet, we should hire illegal immigrants to hand deliver our packets! Or if you really wanted to get creative, you could bind the inverse multiplexer to the outflow of the negative ion generator. Just be careful not to cross your streams.
Andy
--- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---
On Fri, 11 Jun 2004, Andy Dills wrote:
On Fri, 11 Jun 2004, Henry Linneweh wrote:
Here is a list of very active ports that attempt to hack into people's systems from various parts of the world, China in particular.
I think unassigned ports should be dropped from routing tables unless they are registered with the host and or providers as to their legitimate use....
Better yet, we should hire illegal immigrants to hand deliver our packets!
Ah. A tunneling implementation.
Or if you really wanted to get creative, you could bind the inverse multiplexer to the outflow of the negative ion generator. Just be careful not to cross your streams.
You'll need a cold fusion generator to power that.
This is starting to look like a meower thread in an unmoderated Usenet group.
- SLS
------------------------------------------------------------------------
Scott L. Stursa 850/644-2591
Network Security Officer stursa@acns.fsu.edu
Academic Computing and Network Services
Florida State University
- No good deed goes unpunished -
Coupled with a Flux Capacitor for the ultimate in message delivery :)
----- Original Message -----
From: "Scott Stursa" <stursa@acns.fsu.edu>
To: <nanog@merit.edu>
Sent: Friday, June 11, 2004 4:44 PM
Subject: Re: Even you can be hacked
Ah. A tunneling implementation. You'll need a cold fusion generator to power that.
Henry, from the email address I'm assuming you're not trolling and are therefore missing a few facts, IP!=IPX, that is.. ports aren't in the routing table
It is not the ports below that cause the security issues, it is the applications which are using them, you need to either fix the apps or take the apps off the Internet
Nobody owns ports, they are arbitrary, some may get given a special purpose by the IANA but there's nothing to say they -have- to use those numbers.. therefore you cannot get a list of them.. and if they're dynamic or private (if I understand what you mean) then by definition they aren't static and can't be documented?
Steve
On Fri, 11 Jun 2004, Henry Linneweh wrote:
Here is a list of very active ports that attempt to hack into people's systems from various parts of the world, China in particular.
I think unassigned ports should be dropped from routing tables unless they are registered with the host and or providers as to their legitimate use....
smpnameres 901/tcp SMPNAMERES
smpnameres 901/udp SMPNAMERES
blackjack 1025/tcp network blackjack
blackjack 1025/udp network blackjack
cap 1026/tcp Calender Access Protocol
cap 1026/udp Calender Access Protocol
exosee 1027/tcp ExoSee
exosee 1027/udp ExoSee
# 1124-1154 Unassigned
ssslic-mgr 1203/tcp License Validation
ssslic-mgr 1203/udp License Validation
ms-sql-s 1433/tcp Microsoft-SQL-Server
ms-sql-s 1433/udp Microsoft-SQL-Server
ms-sql-m 1434/tcp Microsoft-SQL-Monitor
ms-sql-m 1434/udp Microsoft-SQL-Monitor
# 6851-6887 Unassigned
monkeycom 9898/tcp MonkeyCom
monkeycom 9898/udp MonkeyCom
And I need a list that shows who or what owns Dynamic and/or Private Ports
-Henry
--- "Laurence F. Sheldon, Jr." <LarrySheldon@cox.net> wrote:
Andy Dills wrote:
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Jeff Shultz wrote:
But ultimately, _you_ are responsible for your own systems.
Even if the water company is sending me 85% TriChlorEthane?
Right. Got it. The victim is always responsible.
There you have it folks.
Change the word "victim" to "negligent party" and you're correct.
Ignoring all of the analogies and metaphors, the bottom line is that ISPs are _not responsible_ for the negligence of their customers, and that ISPs are _not responsible_ for the _content_ of the packets we deliver. In fact, blocking the packets based on content would run counter to our sole responsibility: delivering the well-formed packets (ip verify unicast reverse-path) where they belong.
Remember, we're service providers, not content providers. Unless your AUP or customer contract spells out security services provided (most actually go the other way and limit the liability of the service provider specifically in this event), then your customers have to pay you to secure their network (unless you feel like doing it for free), or they are responsible, period.
As far as I'm concerned, that guy would have a better shot at suing Microsoft than challenging his bandwidth bill.
Andy
--- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---
How many more of these do I need, do you think?
-- Requiescas in pace o email
Ex turpi causa non oritur actio
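The point made in the replies above (routing decisions look only at addresses, and `ip verify unicast reverse-path` checks only the source address), as an added example that is not part of any post in the thread. The `Router`, `Packet`, `ROUTES` and `acl` names are hypothetical, the prefixes are constructed documentation ranges, and the reverse-path check is modelled as a strict-mode lookup.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Constructed routing table (documentation prefixes): prefix -> interface.
# Note that nothing in it mentions a port.
ROUTES = {
    "0.0.0.0/0": "upstream0",
    "192.0.2.0/24": "cust1",
    "198.51.100.0/24": "cust2",
}


class Router:
    """Hypothetical model of a provider edge router."""

    def __init__(self, routes, acl=None):
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes.items()]
        # Most specific prefix first, so the first hit is the longest match.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
        # acl: interface -> set of (proto, dport) dropped on ingress.
        # A port filter is a separate policy layered on top of routing.
        self.acl = acl or {}

    def lookup(self, addr):
        """Longest-prefix match on an address; ports play no part."""
        ip = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if ip in net:
                return iface
        return None

    def urpf_strict(self, pkt, in_iface):
        """Accept only if the route back to the source uses in_iface."""
        return self.lookup(pkt.src) == in_iface

    def forward(self, pkt, in_iface):
        if not self.urpf_strict(pkt, in_iface):
            return "drop:urpf"
        if (pkt.proto, pkt.dport) in self.acl.get(in_iface, set()):
            return "drop:acl"
        out = self.lookup(pkt.dst)
        return "forward:" + out if out else "drop:no-route"


def demo():
    plain = Router(ROUTES)
    filtered = Router(ROUTES, acl={"cust1": {("udp", 1434)}})
    web = Packet("192.0.2.10", "203.0.113.9", "tcp", 80)
    # Correct source address, destination port 1434/udp from the list above.
    scan = Packet("192.0.2.10", "203.0.113.9", "udp", 1434)
    # Source address that belongs to a different customer.
    spoofed = Packet("198.51.100.7", "203.0.113.9", "udp", 1434)
    return {
        "web": plain.forward(web, "cust1"),
        "scan": plain.forward(scan, "cust1"),
        "spoofed": plain.forward(spoofed, "cust1"),
        "scan_with_acl": filtered.forward(scan, "cust1"),
        "web_with_acl": filtered.forward(web, "cust1"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

The infected customer's traffic carries a valid source address, so the reverse-path check passes it; only an explicit per-interface filter, which is a service decision rather than a routing one, stops it.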
Your contract with the water company is for them to deliver you water. They make a best effort to do just that, but, inherently, there's stuff besides dihydrogen-oxide in your water. In most parts of the US, for the most part, the other stuff isn't significant and nobody worries about it. However, if you have a broken toilet that leaks, there is not a single water company on the planet that will forgive your bill for the water that leaked through it. On the other hand, generally, your contract with your ISP says that you expect them to deliver packets destined for your IP address to your system and that you expect them to accept packets from your computer system and deliver them to the rest of the internet. You've contracted for the internet, not for water. The internet contains worms, viruses, hackers, spammers, and the like. It is well known, and, expected behavior of the internet. You have not contracted your ISP to run your system for you. You have contracted them to deliver packets. In the scenario described, the "victim" was a victim of his own actions. The ISP was generous in forgiving his bill(s) at first, but, he chose not to fix the toilet. He could have fixed the toilet at any time and yet, for months, he chose not to. Why should the ISP pay the costs incurred because he chose to continue to run a system he knew was infected and chose not to fix? Owen
But ultimately, _you_ are responsible for your own systems.
When I detect abusive behavior coming from a customer site then it is my responsibility to make sure that doesn't affect the rest of the world. Also, if I know how to fix it at source and the customer doesn't know then it's my responsibility to make sure the customer has the tools and resources to fix it. How fast it gets fixed is not a primary concern because of the previous paragraph. Parallels to fire/water/electricity/etc. don't quite work because there is a big difference between the worm that came out yesterday and the National Electrical Codes that came out last century. -mark
--On Thursday, June 10, 2004 11:11 -0700 Mark Kent <mark@noc.mainstreet.net> wrote:
But ultimately, _you_ are responsible for your own systems.
When I detect abusive behavior coming from a customer site then it is my responsibility to make sure that doesn't affect the rest of the world.
To some extent, yes. I agree that his ISP should have shut him down much earlier than they did, but, I suspect this guy would be pretty unhappy about that, too.
Also, if I know how to fix it at source and the customer doesn't know then it's my responsibility to make sure the customer has the tools and resources to fix it. How fast it gets fixed is not a primary concern because of the previous paragraph.
I'm less convinced of this. Certainly, it's the nice thing to do, but, I'm not convinced you have any responsibility. It's what I would do. It's the neighborly thing to do. It's the good customer service thing to do. All of those things put it in a very different context than "I have a responsibility".
Parallels to fire/water/electricity/etc. don't quite work because there is a big difference between the worm that came out yesterday and the National Electrical Codes that came out last century.
Yes and no. If a customer starts dumping dirty power onto the electric grid, believe me, it will cause problems for other customers almost as quickly (although over a smaller area) as yesterday's worm. If the sanitary sewer develops a clog at the end of the street, it is the neighbor at the bottom of the hill that will suffer when the neighbor at the top of the hill flushes. The analogies at least work in terms of who has responsibility for fixing the machine. It is not your responsibility to fix your customer's machine unless that is an additional service they have contracted you for. I don't want my ISP telling me how to run my machine, nor do I want them controlling what packets I do and don't receive. Customers who do want those services should be able to find ISPs that offer them as a value add. I don't want them, and I would be angered if they were dictated to me. Owen -- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
On Thu, 10 Jun 2004, Laurence F. Sheldon, Jr. wrote:
Does the water company fix your toilet if it leaks water? Or do you call a plumber?
On the other hand, if the water company was sending pollutants in the water you bought, there was a perceived responsibility upon the water company.
The plumbing code requires water consumers to have/install/maintain backflow prevention valves at the customer's expense to prevent pollutants from one customer from affecting the water supply. Water companies issue "boil orders" but usually don't shut off the water supply if the water fails to meet EPA standards. In that case it is the responsibility of the user to boil the water before drinking or using in cooking. Almost every ISP has a "boil order" in their terms and conditions.
Sean Donelan wrote:
If you leave your lights on, the electric company will send you a bill.
If the neighbor taps into your power lines after the meter...?
If you leave your faucets running, the water company will send you a bill. If you leave your computer infected, ???
If you lose your credit card and someone runs up thousands of dollars in charges, the credit card company sends you a bill... But you can at most be held responsible for $50. Does that really mean anything with respect to Mr. Donelan's quoted article? Not really. But neither do electric and water bills. I have some sympathy for the malware victim. But I don't expect the ISP to eat all of the costs. The article is more balanced than the selected quotes portray. -- Crist J. Clark crist.clark@globalstar.com Globalstar Communications (408) 933-4387
On Thu, 10 Jun 2004, Crist Clark wrote:
Sean Donelan wrote:
If you leave your lights on, the electric company will send you a bill.
If the neighbor taps into your power lines after the meter...?
That will be a criminal matter between you and your neighbour.
If you leave your faucets running, the water company will send you a bill. If you leave your computer infected, ???
If you lose your credit card and someone runs up thousands of dollars in charges, the credit card company sends you a bill... But you can at most be held responsible for $50.
Which is a 'feature' of most credit cards, irrelevant to criminal law. -- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben -- -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
--On Thursday, June 10, 2004 16:31 -0400 Alex Rubenstein <alex@nac.net> wrote:
On Thu, 10 Jun 2004, Crist Clark wrote:
Sean Donelan wrote:
If you leave your lights on, the electric company will send you a bill.
If the neighbor taps into your power lines after the meter...?
That will be a criminal matter between you and your neighbour.
Technically, it's a civil matter between you and your neighbor, but, it could also be a criminal matter between the district attorney and your neighbor.
If you leave your faucets running, the water company will send you a bill. If you leave your computer infected, ???
If you lose your credit card and someone runs up thousands of dollars in charges, the credit card company sends you a bill... But you can at most be held responsible for $50.
Which is a 'feature' of most credit cards, irrelevant to criminal law.
We're not talking about criminal law here, for the most part. We're talking about civil law. There are laws specific to credit cards and credit fraud that have absolutely no applicability to internet usage. I think we can generally agree that the internet looks much more like a utility than it looks like a revolving charge account. Owen -- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
Sean Donelan wrote:
If you leave your lights on, the electric company will send you a bill.
If the neighbor taps into your power lines after the meter...?
Not a reasonable argument. It is expected that unpatched hosts will get infected and it has been well reported on how users should protect themselves. A neighbor tapping another power is not something that occurs often. It is not reasonable to expect this to happen. It's not even a reasonable argument.
--
James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
jamesh@cybermesa.com noc@cybermesa.com
(505) 795-7101
james edwards wrote:
Sean Donelan wrote:
If you leave your lights on, the electric company will send you a bill. If the neighbor taps into your power lines after the meter...?
Not a reasonable argument. It is expected that unpatched hosts will get infected and it has been well reported on how users should protect themselves. A neighbor tapping another power is not something that occurs often. It is not reasonable to expect this to happen. It's not even a reasonable argument.
Suppose your neighbor is running wide open wireless... Jeff
I think we're drifting from the original point here.. What it boils down to is this:
If I have a DS3 to a provider in my office and my provider notifies me that I have a worm, is it my provider's responsibility to fly someone out here to help me fix my systems? No. I'm the guy controlling them and I'm the one who has to take the responsibility. So what if I don't know how? Well, surely they can advise me where to look for the requisite information. And if that's insufficient, I can contact a consultant to come in and help me clean up my network but that's the key, it's MY network and MY job.
My service provider is responsible for transporting the traffic. Even if it's "bad" traffic. I'm the one who is responsible for making sure that the traffic originating from my network is the traffic I *want* to originate from my network. Obviously, if the provider chooses to implement policies (such as cable modem providers and so forth) that restrict the type of traffic I'm allowed to source, that's their business. It's still my job to make sure that my servers are clean.
On Thu, Jun 10, 2004 at 01:17:46PM -0700, Crist Clark wrote:
Sean Donelan wrote:
If you leave your lights on, the electric company will send you a bill.
If the neighbor taps into your power lines after the meter...?
If you leave your faucets running, the water company will send you a bill. If you leave your computer infected, ???
If you lose your credit card and someone runs up thousands of dollars in charges, the credit card company sends you a bill... But you can at most be held responsible for $50.
Does that really mean anything with respect to Mr. Donelan's quoted article? Not really. But neither do electric and water bills.
I have some sympathy for the malware victim. But I don't expect the ISP to eat all of the costs. The article is more balanced than the selected quotes portray. -- Crist J. Clark crist.clark@globalstar.com Globalstar Communications (408) 933-4387
--- Wayne Bouchard web@typo.org Network Dude http://www.typo.org/~web/
I suspect I might be come after with pitchforks for this analogy, but here goes... ;) Look at it from this perspective: it's the responsibility of the various Departments of Transportation (and other Governmental and Private authorities) to upkeep roads, but it's not their job to fix your car. If your car is broken, you may be stopped by a police officer, but he's not going to fix your car either. That's the user's responsibility. --- Adam Debus Network Engineer, ReachONE Internet adam@reachone.com
Look at it from this perspective: it's the responsibility of the various Departments of Transportation (and other Governmental and Private authorities) to upkeep roads, but it's not their job to fix your car. If your car is broken, you may be stopped by a police officer, but he's not going to fix your car either. That's the user's responsibility.
i have a tee shirt from about '96 which says "we build the information superhighway. we don't fix your car."
On Thu, 10 Jun 2004, Sean Donelan wrote:
:Did your computer have a power switch? Did you turn it off? Or did you
:continue to let it run up the bill? Yes, even the complete computer
:novice can stop a computer room. Turn off your computer. If you don't
:know how to fix it, take it to a repair store.
:
:If you leave your lights on, the electric company will send you a bill.
:If you leave your faucets running, the water company will send you a bill.
:If you leave your computer infected, ???
What the ISP failed to do in this case was protect their infrastructure from being abused by a worm, which would have also infected other customers from this user's host. That is to say, the worm caused them an alleged $11,000 loss because they failed to do anything to prevent it, after being made aware of the situation.
The ISP (I would say negligently) exposed themselves to absurd financial risk by continuing to provide service to a site which they knew to be abusing their resources.
The reality of this situation is that if the bandwidth being used by the ISP was actually costing them $5000, let alone $11,000, it would have been grossly negligent from a financial perspective to allow the worm to continue consuming bandwidth.
The other reality is that bandwidth is not valuable enough for the ISP to declare an $11,000 loss unless they had booked the revenue before having some evidence they would receive it. That is, the ISP's accounting practices should be investigated if they are booking revenue that is effectively theoretical in light of the risks they knowingly accept regarding the odds of actually receiving it.
The leaving lights on/faucets running simile is inaccurate, as the burden of risk was acknowledged and borne by the ISP, in not taking steps to protect their infrastructure from loss, they got burned and are sticking the blame wherever they think it will stick.
Exploiting someone's lack of technological sophistication to assign liability is disingenuous and possibly fraudulent. Maybe the only bandwidth simile that could be appropriate would be to a car in the 1950's, one which was unsafe at any speed.
-- James Reid, CISSP
We'll agree to disagree on the majority of your post and your interpretation of the facts... However, this tidbit attracted my attention...
Maybe the only bandwidth simile that could be appropriate would be to a car in the 1950's, one which was unsafe at any speed.
Yes... I have long felt that Micr0$0ft was the Exploding Pinto of the information super highway (yes, I realize that's a different unsafe car, but, bear with). However, the ISP didn't sell the customer the computer. The ISP didn't install Windows on the computer or sell Windows to the customer. The ISP didn't install the malware on the computer. The ISP didn't have administrative rights to the computer. Should the ISP have shut the customer off? Probably. I certainly would have. Are there ISPs that don't? You bet... Some because they are afraid to. Have ISPs been sued for turning off abusive or abusing customers? You bet. Is it prudent for an ISP to turn someone off? Depends on how you evaluate the risks involved. Either decision you make carries some risk. Owen -- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
Disclaimer: I am not a lawyer; consult yours before relying on advice from any layperson, including me. Thus spake "Owen DeLong" <owen@delong.com>
Should the ISP have shut the customer off? Probably. I certainly would have. Are there ISPs that don't? You bet... Some because they are afraid to. Have ISPs been sued for turning off abusive or abusing customers? You bet.
You can be sued for doing anything or nothing (or both). The real question is whether the plaintiff has any chance of winning, or even of getting past a pre-trial motion to dismiss. Presumably every ISP has some sort of AUP that allows the ISP to, at its discretion, shut off a customer based on suspicion of abuse. Hopefully by now they've all been updated to include in the definition of abuse a failure of the customer to secure their system(s). Even if not, I can't see a customer winning a case against an ISP who cuts them off for being infected with a worm (the activity of which would fall under abuse).
Is it prudent for an ISP to turn someone off? Depends on how you evaluate the risks involved. Either decision you make carries some risk.
Opening your doors for business invites all sorts of risks, including being sued for totally ridiculous and frivolous reasons. Acting as allowed under your contract with a customer does not substantially increase those risks. Fear of exercising your contractual rights means you don't have much faith in your contracts or representation. S Stephen Sprunk "Those people who think they know everything CCIE #3723 are a great annoyance to those of us who do." K5SSS --Isaac Asimov
participants (29)
- Adam Debus
- Adrian Chadd
- Alex Rubenstein
- Andy Dills
- bmanning@vacation.karoshi.com
- Crist Clark
- David Schwartz
- Henry Linneweh
- james edwards
- James Reid
- Jeff Kell
- Jeff Shultz
- Joel Jaeggli
- Laurence F. Sheldon, Jr.
- Mark Kent
- Matthew Crocker
- Matthew McGehrin
- Owen DeLong
- Patrick W.Gilmore
- Paul Jakma
- Randy Bush
- Robert Blayzor
- Scott Stursa
- Sean Donelan
- Stephen J. Wilcox
- Stephen Sprunk
- Steve Gibbard
- Valdis.Kletnieks@vt.edu
- Wayne E. Bouchard