[Dshield] ISPs - How much monitoring is enough?
superc at visuallink.com
Mon Jan 19 16:24:26 GMT 2004
What you (the sales department) should be doing first, is letting the
clients know you will occasionally scan and getting a specific consent.
You have to look at it from the client's perspective. If you want to scan
his or her PC you need their permission. Make it a written condition of
sign-on. (Any landlord with half a brain puts a clause in the lease
allowing them to reasonably access a rented premises. For an ISP something
along those lines is needed in a sign-up contract. If an ISP doesn't get
consent first then, like the landlord entering the apartment when the owner
isn't aware the visit is coming, the ISP assumes risk and liability.)

There is no implied consent to scan a client's machine simply because the
client has "signed up" (by phone in *my* case, no written anything, and no
consent was asked or given, and I am not the only one) for a mail or user
account. From the client's perspective it is simply an intrusion attempt.
That it is being done by someone at their ISP is irrelevant. (How many
ISPs screen the summer help's past? And yes, I had a case once involving a
hacker who got a job at a small ISP and abused the position (to put it
mildly).)

How far does this go? What happens if the machine is totally
unprotected? Or worse, only partially protected, with just enough
protection to get a log of your scan? Two days before, someone else used
their credit cards stored on their machine. Do you promptly call them and
provide free software/service? What are your responsibilities and
liabilities? That mythical gardener who tried all the doors, if he found
one open, now what? Does he go in and explore the house (perhaps to steal),
does he instead contact the owner and tell them the door is open and risk
dismissal or an invasion-of-privacy suit, or does he simply walk away and
perhaps share liability if a later intrusion occurs? What is your plan if
you find something? Do you have written policies for the what-if
scenarios, prior to the scan?

Subject: Re: [Dshield] ISPs - How much monitoring is enough?
From: David Hart <DavidHart at TQMcube.com>
Date: Sun, 18 Jan 2004 12:15:29 -0500
To: General DShield Discussion List <list at dshield.org>
Frankly, I wish that more ISPs would scan. If you want to use their SMTP
gateway then they have a right to determine if you are an open relay. It
seems to make a great deal more sense than an RBL, which can be
cumbersome and arbitrary. What your message fails to address is the issue
of intent. Moreover, consent can be implied from using the ISP's gateway
to distribute your mail.
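As an added example that is not part of either message above, here is what the "determine if you are an open relay" check David Hart mentions actually consists of. An open-relay probe presents an envelope whose sender and recipient are both foreign to the server under test: a correctly configured MTA refuses the RCPT TO with a 5xx, an open relay accepts it. Only envelope commands are sent and the session is reset before QUIT, so nothing is ever delivered even when the host does relay. The domain names, mailbox names and the SimulatedSmtp class are constructed for illustration; probe_host uses the standard-library smtplib against a real server and is not exercised offline.

```python
"""Open-relay probe of the kind an ISP might run against customers' mail
servers. Added example, not code from the DShield thread; probe addresses,
domains and the simulated server are constructed for illustration."""
import smtplib
from dataclasses import dataclass
from typing import Optional

# Constructed probe addresses: neither domain belongs to the server under test.
PROBE_SENDER = "relaytest@external-a.example"
PROBE_RCPT = "relaytest@external-b.example"


@dataclass
class RelayResult:
    mail_code: int
    rcpt_code: Optional[int]
    verdict: str  # "open", "closed" or "inconclusive"


def _classify(code: int) -> str:
    """Map the RCPT TO reply code to a verdict."""
    if code in (250, 251):
        return "open"
    if 500 <= code < 600:
        return "closed"
    return "inconclusive"  # 4xx: greylisting, rate limiting, try later


def probe_relay(smtp, sender=PROBE_SENDER, rcpt=PROBE_RCPT) -> RelayResult:
    """Run the relay test over any object exposing smtplib.SMTP's
    ehlo/mail/rcpt/rset/quit methods, each returning (code, message)."""
    smtp.ehlo()
    mail_code, _ = smtp.mail(sender)
    if mail_code != 250:
        # Foreign MAIL FROM refused outright: nothing can be relayed this way.
        smtp.quit()
        return RelayResult(mail_code, None,
                           "closed" if 500 <= mail_code < 600 else "inconclusive")
    rcpt_code, _ = smtp.rcpt(rcpt)
    smtp.rset()   # abandon the envelope; DATA is never sent
    smtp.quit()
    return RelayResult(mail_code, rcpt_code, _classify(rcpt_code))


def probe_host(host: str, port: int = 25, timeout: float = 10.0) -> RelayResult:
    """Probe a real host with smtplib. Only run this against hosts you are
    authorised to test; that consent question is what the thread is about."""
    return probe_relay(smtplib.SMTP(host, port, timeout=timeout))


class SimulatedSmtp:
    """Offline stand-in (constructed) with the subset of smtplib.SMTP used
    above. With open_relay=False it behaves like a properly configured MTA
    that accepts mail only for its own domain; with open_relay=True it
    accepts any recipient, which is the misconfiguration the probe detects."""

    def __init__(self, local_domain: str = "isp.example", open_relay: bool = False):
        self.local_domain = local_domain
        self.open_relay = open_relay
        self.transcript = []  # "C: ..." / "S: ..." lines, for inspection

    def _reply(self, cmd: str, code: int, text: str):
        self.transcript.append(f"C: {cmd}")
        self.transcript.append(f"S: {code} {text}")
        return code, text.encode()

    def ehlo(self, name: str = "probe.example"):
        return self._reply(f"EHLO {name}", 250, f"mx.{self.local_domain}")

    def mail(self, sender: str):
        return self._reply(f"MAIL FROM:<{sender}>", 250, "2.1.0 Ok")

    def rcpt(self, recip: str):
        cmd = f"RCPT TO:<{recip}>"
        if self.open_relay or recip.endswith("@" + self.local_domain):
            return self._reply(cmd, 250, "2.1.5 Ok")
        return self._reply(cmd, 554, "5.7.1 Relay access denied")

    def rset(self):
        return self._reply("RSET", 250, "2.0.0 Ok")

    def quit(self):
        return self._reply("QUIT", 221, "2.0.0 Bye")


def demo() -> dict:
    """Probe one hardened and one misconfigured simulated server."""
    servers = {"hardened": SimulatedSmtp(), "misconfigured": SimulatedSmtp(open_relay=True)}
    return {name: (probe_relay(srv), srv.transcript) for name, srv in servers.items()}


if __name__ == "__main__":
    for name, (result, transcript) in demo().items():
        print(f"== {name}: {result.verdict} (RCPT reply {result.rcpt_code})")
        print("\n".join(transcript))
```

Two caveats a practitioner would want. An "open" verdict means the server accepted a foreign-to-foreign envelope; some MTAs accept the RCPT and refuse at DATA, which this probe deliberately cannot see, so a positive result should be confirmed by other means before acting on it. Conversely, "closed" for an anonymous probe says nothing about relaying for authenticated or on-net clients, which is the legitimate case an ISP gateway exists to serve.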