[Dshield] Blackworm liability with ISPs?

Stasiniewicz, Adam stasinia at msoe.edu
Thu Feb 2 15:42:25 GMT 2006

Granted universities are not ISPs in the typical sense, but we still
have a large collection of computers over which we don't have direct
control (i.e. res halls).  I am one of the many people who end up
having to deal with the multitude of viruses and other random junk that
we get from the res halls, and as much as I would like to say we do a
good job in cleaning the halls up, I would never want to be held liable
for the few computers that I missed.  And quite frankly I think the
average American university does a far greater job of protecting their
constituents than the average American ISP.  We will use Dshield reports,
abuse@ emails, IDS logs, firewall logs, and sandtraps to find as many
infected computers as we possibly can, but we will always miss a few.
Also what about spyware?  Minus the "phone-home" feature on some of
them, it is fairly hard to detect them from the network.  I really would
not want someone suing me over some spyware which they got on their
computer from downloading porn.

We tell our users how to be safe and offer help in dealing with problems
that may crop up.  We also try to detect (from the network) as many
infected computers as we can.  But at the end of the day, what the user
chooses to do is something we cannot be held liable for.

Adam Stasiniewicz 
Computer and Communication Services Department 
Milwaukee School of Engineering 
MSCE: Messaging & Security 2003 

> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Frank Knobbe
> Sent: Wednesday, February 01, 2006 6:32 PM
> To: General DShield Discussion List
> Subject: [Dshield] Blackworm liability with ISPs?
> Greetings,
> the recent SANS NewsBites had a mention regarding the current efforts to
> notify ISPs of machines that access the counter the worm uses.
> To my amazement, I saw the following quote by Alan Paller:
> "(Paller): This is a great opportunity to establish a financial
> liability precedent for negligence by ISPs and system owners. The ISPs have
> several days to inform and protect their customers as does every other
> large network owner such as government agencies, academic institutions
> and large companies. If you learn of anyone who is damaged by this
> please connect them with me (paller at sans.org) and we will work
> to make sure that ISPs and network owners who are in a position to
> protect their users understand that not providing such protection will
> be considered negligence and carry penalties.]"
> Isn't this a bit off-the-wall? Why would ISPs be liable when their
> consumers are stupid enough to get themselves infected? (Yes, I call
> stupid. Anyone who doesn't run AntiVirus software on their PC *and*
> blindly clicks on links in email that promise Kama Sutra pictures and
> such, I do consider stupid. Not just that, but that *person* can be
> considered negligent in regards of their own IT security.)
> How can anyone propose that the companies offering Internet access are
> to be held liable when the consumers don't use the access, or their
> equipment, properly and get infected with viruses? Isn't this like
> calling train and other transportation operators liable in the case
> I catch a fever, or perhaps the avian-flu, by riding a bus to work or
> during an airplane ride?
> Is our litigious society spiraling out of control such that we always
> blame someone else?
> In email borne worms like these, the breakdown, fault, and liability
> lies squarely with the user in my opinion. While vulnerabilities of an
> operating system may be blamed on the vendor of such, being tricked into
> performing damaging actions on one's computer clearly is the fault of the
> trickster, but also the executor of such action.
> Anyone else having a problem with putting liability on... (/me rolls
> magic 8-ball...) the ISP?
> Regards,
> Frank
> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.
