[Dshield] Blackworm liability with ISPs?

Frank Knobbe frank at knobbe.us
Thu Feb 2 00:31:36 GMT 2006


The recent SANS NewsBites had a mention regarding the current efforts to
notify ISPs of machines that access the counter the worm uses.

To my amazement, I saw the following quote by Alan Paller:
"(Paller): This is a great opportunity to establish a financial
precedent for negligence by ISPs and system owners. The ISPs have
several days to inform and protect their customers as does every other
large network owner such as government agencies, academic institutions
and large companies. If you learn of anyone who is damaged by this worm,
please connect them with me (paller at sans.org) and we will work together
to make sure that ISPs and network owners who are in a position to
protect their users understand that not providing such protection will
be considered negligence and carry penalties.]"

Isn't this a bit off-the-wall? Why would ISPs be liable when their
consumers are stupid enough to get themselves infected? (Yes, I call it
stupid. Anyone who doesn't run AntiVirus software on their PC *and*
blindly clicks on links in email that promise Kama Sutra pictures and
such, I do consider stupid. Not just that, but that *person* can be
considered negligent in regard to their own IT security.)

How can anyone propose that the companies offering Internet access are
to be held liable when the consumers don't use the access, or their
equipment, properly and get infected with viruses? Isn't this like
calling train and other transportation operators liable in the case that
I catch a fever, or perhaps the avian-flu, by riding a bus to work or
during an airplane ride?

Is our litigious society spiraling out of control such that we always
blame someone else?

In email-borne worms like these, the breakdown, fault, and liability
lie squarely with the user in my opinion. While vulnerabilities of an
operating system may be blamed on the vendor of such, being tricked into
performing damaging actions on one's computer clearly is the fault of the
trickster, but also the executor of such action.

Anyone else having a problem with putting liability on... (/me rolls the
magic 8-ball...) the ISP?


It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
