[Dshield] ISPs - How much monitoring is enough?

Kenneth Coney superc at visuallink.com
Mon Jan 19 16:24:26 GMT 2004


What you (the sales department) should be doing first, is letting the 
clients know you will occasionally scan and getting a specific consent. 
You have to look at it from the client's perspective.  If you want to scan 
his or her PC you need their permission.  Make it a written condition of 
sign on.  (Any landlord with half a brain puts a clause in the lease 
allowing them to reasonably access a rented premises.  For an ISP something 
along those lines is needed in a sign-up contract.  If an ISP doesn't get 
consent first then, like the landlord entering the apartment when the owner 
isn't aware the visit is coming, the ISP assumes risk and liability.) 
There is no implied consent to scan a client's machine simply because the 
client has "signed up" (by phone in *my* case, no written anything, and no 
consent was asked or given and I am not the only one) for a mail or user 
account.  From the client's perspective it is simply an intrusion attempt. 
   That it is being done by someone at their ISP is irrelevant. (How many 
ISPs screen the summer help's past?  And yes, I had a case once involving a 
hacker who got a job at a small ISP and abused the position (to put it 
mildly).)  How far does this go?  What happens if the machine is totally 
unprotected?  Or worse, only partially protected, with just enough 
protection to get a log of your scan?   Two days before someone else used 
their credit cards stored on their machine.  Do you promptly call them and 
provide free software/service?  What are your responsibilities and 
liabilities?  That mythical gardener who tried all the doors, if he found 
one open, now what?  Does he go in an explore the house (perhaps to steal), 
does he instead contact the owner and tell them the door is open and risk 
dismissal or an invasion of privacy suit, or does he simply walk away and 
perhaps share liability if a later intrusion occurs?  What is your plan if 
you find something?  Do you have written policies for the what if 
scenarios, prior to the scan?

Subject: Re: [Dshield] ISPs - How much monitoring is enough?
From: David Hart <DavidHart at TQMcube.com>
Date: Sun, 18 Jan 2004 12:15:29 -0500
To: General DShield Discussion List <list at dshield.org>

Frankly, I wish that more ISPs would scan. If you want to use their smtp
gateway then they have a right to determine if you are an open relay. It
seems to make a great deal more sense than an RBL which can be
cumbersome and arbitrary. What you message fails to address is the issue
of intent. Moreover, consent can be implied from using the ISP's gateway
to distribute your mail.

                                ---------





More information about the list mailing list