[Dshield] Blackworm liability with ISPs?

Laura Vance vancel at winfreeacademy.com
Fri Feb 3 18:18:34 GMT 2006


The problems here sound like what we were discussing a few weeks ago in 
the thread "Possible solution for ISP".  I know some of you were 
wondering when I'd bring this up, and I'm glad you were.  It shows that 
I'm not the only one that sees a parallel between this thread and that 
one. :)

Just for refreshing everyone's memory, here is what was discussed... a 
"typical" scenario if you will.  Below is a list of benefits for this 
system, and the list was updated based on discussion in the prior 
thread.  Thanks to everyone's kind input.

1) ISP has unrestricted access for all initially.
2) User gets infected, ISP cuts their access (either limit to a 
"help-web" environment, or complete disconnect with a number to call for 
information.  At the same time, the ISP (or software) adds their info to 
a database with the "no access" selection.)
3) User takes computer to an authorized facility to make the 
repairs/patches/etc, *and* educate the user.  Then they log into the DB 
and change the "no access" to "cleaned/educated".
4) User calls ISP and gets their account turned back on (or if the ISP 
automates it, their systems automatically see that the user is allowed 
and all the user has to do is go back online).

- The database is available to anyone who is authorized to use it.
- The DB could be behind an IP-specific firewall so that it only accepts 
connections from authorized sites.  Then login security is next, along 
with connection encryption, and possibly data encryption in the fields 
of the database.  (This would prevent a physical theft from having 
immediate access to the data.)
- It could be as simple to check as (or simpler than) doing a credit check.
- The ISP is no longer responsible for troubleshooting the user's computer.
- The ISP is no longer responsible for educating the user.
- The ISP doesn't have to maintain hundreds or thousands of port block / 
port allow rules in a firewall.
- There is no need for a license, because everyone is allowed until they 
mess up.
- Non-participating ISPs' users can still get to all business web-sites 
across the entire web; they are just restricted from accessing the 
participating ISP user machines directly.  (And everyone already knows 
how to distinguish between user-space and business-space in 90% of cases.)
- OS doesn't matter, because the ISP doesn't care.  An infection is 
determined by network activity, not by probing the machine.
- If the ISP chooses to probe, they can do what the bad guys do... 
simply try to exploit a flaw... if they get in, the machine is assumed 
to be already compromised.  No need to "ask" the computer that could 
potentially lie.
- Repair shops would be checked before being allowed to be certified... 
whatever that process is would be agreed as a minimum standard...  (The 
standard would not necessarily include vendor-based certifications, but 
should be more in line with whether they can perform the task.)
- Currently most computers on the Internet that are infected have been 
for extended periods of time (weeks/months/years).  A solution that 
waits for someone to be infected before acting will still only allow 
infections to last for a day or a week compared to much much longer.

There are more items that need to be in this list, but without 
re-reading the entire "Possible solution for ISP" thread, this is what I 
remember off the top of my head that addressed most of the concerns 
people had.  Plus, I don't want this email to be too terribly long.

I know as well as everyone on this list that there is no solution that 
is 100% foolproof.  It is impossible.  All that can be done is a good 
effort that will at least let the users know when they need to fix 
something and prevent them from infecting others... without punishing 
uninfected users.  Those of you that think we can come up with a 
solution that will be 100% are only fooling yourselves, because that 
will not exist as long as there are dishonest people in the world.  Any 
solution is going to have flaws, but I believe the goal is to minimize 
the exposure and risk of those flaws.

-- 
Thanks,
Laura Vance
Systems Engineer
Winfree Academy Charter Schools
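A small working model of the quarantine registry the post describes (steps 2-4 plus the IP-restricted, role-based database), added here as an illustration and not Laura's code or any ISP's system; the state names, the two roles, the trusted address ranges and the account id are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Account states taken from the post's workflow (names are assumed).
ACTIVE, NO_ACCESS, CLEANED = "active", "no access", "cleaned/educated"
# Role-based transitions: the ISP quarantines and restores; only a certified
# repair shop may attest that a machine is cleaned and the user educated.
ALLOWED = {
    "isp": {(ACTIVE, NO_ACCESS), (CLEANED, ACTIVE)},
    "repair_shop": {(NO_ACCESS, CLEANED)},
}

@dataclass
class QuarantineRegistry:
    trusted_nets: list                          # "IP-specific firewall": allowed source ranges
    state: dict = field(default_factory=dict)   # account -> current state
    audit: list = field(default_factory=list)   # every attempt, accepted or refused

    def status(self, account):
        return self.state.get(account, ACTIVE)  # everyone is allowed until they mess up

    def transition(self, src_ip, role, account, new_state, note=""):
        """Apply a state change; True if accepted, False if refused (both are logged)."""
        old = self.status(account)
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in net for net in self.trusted_nets):
            verdict = "refused: source is not an authorized site"
        elif (old, new_state) not in ALLOWED.get(role, set()):
            verdict = f"refused: {role} may not move {old!r} -> {new_state!r}"
        else:
            verdict = "accepted"
            self.state[account] = new_state
        self.audit.append((datetime.now(timezone.utc).isoformat(), src_ip, role,
                           account, old, new_state, verdict, note))
        return verdict == "accepted"

def make_registry(cidrs):
    return QuarantineRegistry([ipaddress.ip_network(c) for c in cidrs])

def run_scenario():
    """Walk one account through the workflow; all addresses and ids are constructed."""
    reg = make_registry(["10.0.0.0/24", "192.0.2.0/24"])  # ISP NOC, certified repair shop
    acct = "subscriber-1234"
    results = [
        reg.transition("10.0.0.5", "isp", acct, NO_ACCESS, "worm traffic seen from CPE"),
        reg.transition("192.0.2.9", "repair_shop", acct, ACTIVE, "shop tries to skip the ISP"),
        reg.transition("203.0.113.7", "repair_shop", acct, CLEANED, "unlisted source address"),
        reg.transition("192.0.2.9", "repair_shop", acct, CLEANED, "patched, user educated"),
        reg.transition("10.0.0.5", "isp", acct, ACTIVE, "account re-enabled"),
    ]
    return results, reg.status(acct)
```

The second and third attempts are refused (wrong role, unlisted source) but still land in the audit trail, which is the record an ISP would want when a restoration is disputed.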
