[Dshield] Blackworm liability with ISPs?

Chris Wright dshield at yaps4u.net
Thu Feb 2 12:13:11 GMT 2006

My first reaction is that it is a great idea.
Of course the ISP is responsible for the people who use their networks.

They go off, spend a few hundred dollars on getting a nice and legal AUP
written and published to their site and then think that is the end of their

* They hardly ever follow up on AUP violations.
* They remain blinkered to the problems that are happening providing they
are getting their monthly fees from the customers

So is the problem that there is no legislation by which to hold the ISPs
It's ok having an AUP, but is there a legal precedent to hold them
responsible for not enforcing it? (Obviously, certain parts of the AUP would
be enforced).

Why the heck do we bother sending reports of abuse, or reports identifying
PCs on a network that have been infected, when the ISP does nothing or very
little to prevent it, protect its other users, etc. etc.?

IMHO I feel that ISPs 'should' be held responsible, but then at the end of
the day, 'they' should hold their users responsible.  Whilst the ISP should
do all in its power to prevent misuse of their network, they should
ultimately sort out their users, invest in network equipment to reduce the
problem, etc.

We all know that there are ways in which we can reduce the amount of
problems, but there is no financial reason for the ISP's to move forward
with it.

I fully accept that there are quite a few good ISPs, but there are far, far
more bad ISPs that just don't give a damn.

So whilst I agree that ISPs should be held responsible, I also agree that
the user should also take responsibility, but then it's hard for Joe Public
if he is not given the guidance or assistance in doing so. (Go to a shop,
buy a PC, take it home, plug it in, take it online and begin infecting the
world in circa 20 mins!!).

What's wrong with "You will not connect your PC to the network unless you
have up to date this and that (protection etc.), and you ensure you will
keep it up to date.  Any violation of this will result in your account
being terminated or in moving you to a higher tariff where you will be
connected via every known hardware firewall tool etc. etc."?
But there still isn't any law to say that they have to enforce that.

Big can of worms.

There is no way I can charge 9.99 for high speed broadband access if I have
to follow up on all of my AUP violations, provide 99.9999% effective
protection against SPAM, trojans, root kits, and all other forms of network
That, I am afraid, is the single issue that will prevent ISPs or users being
held responsible.

So if we can't hold the ISP to shame, who else? 
* The person that sells the computer?
* The user ?

Again for either of the two above, there are no laws to enforce any actions.
Do we instigate a 'test' that deems you suitable or qualified to own and
'drive' a PC on the network? 
That will never work.

So although I 'want' to hold the ISPs responsible, it is only because I
can't see any other viable option at present, or in the future.
I'd love to blame the end user but...

You know, the more I wrote about this, the more I started thinking: why can't
we hold the end user responsible?  Perhaps I am aiming at ISPs because they
appear to do so little to protect other users, but why should they?
But who gets the blame when I misuse anything else in society? Ultimately
me... So why not for network abuse?
Have there been cases where User xxxx has taken User yyyy to court because
they could trace DoS attacks/SPAM/bots etc. on User xxxx's PC that had been
targeting User yyyy's PC?
But then if User yyyy was up to date with all his protection systems, why
should he be bothered about what User xxxx does?

Doh.. Thanks Frank....I thought I had views on this before I really started
thinking about it.
I really should sit down and spend more time researching it and perhaps
create a decent report instead of rambling on and on ;)

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Frank Knobbe
> Sent: 02 February 2006 00:32
> To: General DShield Discussion List
> Subject: [Dshield] Blackworm liability with ISPs?
> Greetings,
> the recent SANS NewsBites had a mention regarding the current 
> efforts to notify ISPs of machines that access the counter 
> the worm uses.
> To my amazement, I saw the following quote by Alan Paller:
> "(Paller): This is a great opportunity to establish a 
> financial liability precedent for negligence by ISPs and 
> system owners. The ISPs have several days to inform and 
> protect their customers as does every other large network 
> owner such as government agencies, academic institutions and 
> large companies. If you learn of anyone who is damaged by 
> this worm, please connect them with me (paller at sans.org) and 
> we will work together to make sure that ISPs and network 
> owners who are in a position to protect their users 
> understand that not providing such protection will be 
> considered negligence and carry penalties.]"
> Isn't this a bit off-the-wall? Why would ISPs be liable when 
> their consumers are stupid enough to get themselves infected? 
> (Yes, I call it stupid. Anyone who doesn't run AntiVirus 
> software on their PC *and* blindly clicks on links in email 
> that promise Kama Sutra pictures and such, I do consider 
> stupid. Not just that, but that *person* can be considered 
> negligent in regards of their own IT security.)
> How can anyone propose that the companies offering Internet 
> access are to be held liable when the consumers don't use the 
> access, or their equipment, properly and get infected with 
> viruses? Isn't this like calling train and other 
> transportation operators liable in the case that I catch a 
> fever, or perhaps the avian flu, by riding a bus to work or 
> during an airplane ride?
> Is our litigious society spiraling out of control such that 
> we always blame someone else?
> In email-borne worms like these, the breakdown, fault, and 
> liability lies squarely with the user in my opinion. While 
> vulnerabilities of an operating system may be blamed on the 
> vendor of such, being tricked into performing damaging 
> actions on one's computer clearly is the fault of the 
> trickster, but also the executor of such action.
> Anyone else having a problem with putting liability on... 
> (/me rolls the magic 8-ball...) the ISP?
> Regards,
> Frank
> --
> It is said that the Internet is a public utility. As such, it 
> is best compared to a sewer. A big, fat pipe with a bunch of 
> crap sloshing against your ports.