[Dshield] Blackworm liability with ISPs?
vancel at winfreeacademy.com
Fri Feb 3 18:18:34 GMT 2006
The problems here sound like what we were discussing a few weeks ago in
the thread "Possible solution for ISP". I know some of you were
wondering when I'd bring this up, and I'm glad you were. It shows that
I'm not the only one that sees a parallel between this thread and that
Just to refresh everyone's memory, here is what was discussed... a
"typical" scenario if you will. Below is a list of benefits for this
system, and the list was updated based on discussion in the prior
thread. Thanks to everyone's kind input.
1) ISP has unrestricted access for all initially.
2) User gets infected, ISP cuts their access (either limit to a
"help-web" environment, or complete disconnect with a number to call for
information. At the same time, the ISP (or software) adds their info to
a database with the "no access" selection.)
3) User takes computer to an authorized facility to make the
repairs/patches/etc, *and* educate the user. Then they log into the DB
and change the "no access" to "cleaned/educated".
4) User calls ISP and gets their account turned back on (or if the ISP
automates it, their systems automatically see that the user is allowed
and all the user has to do is go back online).
- The database is available to anyone who is authorized to use it.
- The DB could be behind an IP-specific firewall so that it only accepts
connections from authorized sites. Then login security is next, along
with connection encryption, and possibly data encryption in the fields
of the database. (This would prevent a physical theft from having
immediate access to the data.)
- It could be as simple to check as (or simpler than) doing a credit check.
- The ISP is no longer responsible for troubleshooting the user's computer.
- The ISP is no longer responsible for educating the user.
- The ISP doesn't have to maintain hundreds or thousands of port block /
port allow rules in a firewall.
- There is no need for a license, because everyone is allowed until they
- Non-participating ISPs' users can still get to all business web-sites
across the entire web; they are just restricted from accessing the
participating ISP user machines directly. (And everyone already knows
how to distinguish between user-space and business-space in 90% of cases.)
- OS doesn't matter, because the ISP doesn't care. An infection is
determined by network activity, not by probing the machine.
- If the ISP chooses to probe, they can do what the bad guys do...
simply try to exploit a flaw... if they get in, the machine is assumed
to be already compromised. No need to "ask" the computer that could
- Repair shops would be checked before being allowed to be certified...
whatever that process is would be agreed as a minimum standard... (The
standard would not necessarily include vendor-based certifications, but
should be more in line with whether they can perform the task.)
- Currently most computers on the Internet that are infected have been
for extended periods of time (weeks/months/years). A solution that
waits for someone to be infected before acting will still only allow
infections to last for a day or a week compared to much much longer.
There are more items that need to be in this list, but without
re-reading the entire "Possible solution for ISP" thread, this is what I
remember off the top of my head that addressed most of the concerns
people had. Plus, I don't want this email to be too terribly long.
I know as well as everyone on this list that there is no solution that
is 100% foolproof. It is impossible. All that can be done is a good
effort that will at least let the users know when they need to fix
something and prevent them from infecting others.... without punishing
uninfected users. Those of you that think we can come up with a
solution that will be 100% are only fooling yourselves, because that
will not exist as long as there are dishonest people in the world. Any
solution is going to have flaws, but I believe the goal is to minimize
the exposure and risk of those flaws.
Winfree Academy Charter Schools