[Dshield] Blackworm liability with ISPs?

Micheal Patterson micheal at tsgincorporated.com
Tue Feb 7 20:03:24 GMT 2006


----- Original Message ----- 
From: "Johannes B. Ullrich" <jullrich at sans.org>
To: "General DShield Discussion List" <list at lists.dshield.org>
Sent: Thursday, February 02, 2006 6:53 AM
Subject: Re: [Dshield] Blackworm liability with ISPs?


>I do agree with Alan's remark that ISPs should face some responsibility
>for notifying infected users.

I agree. At minimum, they should be responsible for enforcing their AUP upon
notification, with proof, of a problem user within their network.

>If we would have an established minimum effort an ISP has to provide,
>the playing field would be more leveled for a responsible ISP.

I agree totally with this. Standardization is necessary for it to work
across the scope.

>That said, it is very much a matter of everybody involved doing their
>part. ISPs are just one part of the chain. Users need to respond to
>these notifications (or better: not click on the virus in the first
>place) and software has to become better in protecting the user.
>
>But right now, everybody is pushing the responsibility to the weakest
>link: The user who pays for all of it and is not expected to know
>anything in the first place (or do people actually want an Internet
>drivers license?)

--------------------

I had thought about this at one point many years back. It seemed rather
stupid at the time but since then, I've thought about it more and more as
each new problem occurs because someone didn't know what to do to be safe.

I mean, ham radio requires a license to purchase and operate the equipment.
You have to show skill at using the equipment and be competent with the
established protocols to get your license for the most part.

You have to have a license to drive a car legally. You must be able to
understand it's control mechanisms, how to interact with the rest of the
public when operating it. If you are licensed to operate the vehicle and you
fail to follow the rules, you're ticketed and/or fined for your lack of
*clue*.

I hate to say this, but requiring a training session to be able to purchase
a PC these days isn't as ludicrous to me today as it was 10 years ago. There
are far too many end users that have no idea how to update it, don't know
what a virus is, nor do they understand the necessity of keeping the OS
patched.

Would it really be so terrible to have a prospective PC user sign paperwork
either stating that they know how to operate the unit or are required to
take a short course in it's operation before they're allowed to purchase the
equipment? What about requiring ISP's to do the same before they're allowed
to offer network service to a prospective buyer?

I'll admit I'm not too fond of the idea myself, but as it stands, there's
nothing to really tell a new PC user what they're in for unless those of us
with clue are willing to literally stand in the PC section of any retail
store and preach it to them as they leave. While the school of hard knocks
is an excellent teacher, her methods also cause us all grief while the user
is getting knocked around by her teachings while we wade out the storm.

A lot of the problem of today's naive internet user is that they don't
understand or simply don't know what can happen when they plug it in. All
they see is a pretty screen, play music, games and check email, etc. They
don't understand that their 12 year old can sit down and code out a virus
right under their eyes. All they know is that Billy here, is playing with
the computer and he's quiet and busy until he goes to bed. They don't know
what he's doing because they have no knowledge of it and think it's cute
that their 12 year old can figure it all out. They didn't have computer
classes when they were in high school. If they did, it was a Tandy Model I,
II, or a PC Jr with a green screen if they were lucky or if unlucky, had a
line printer for their display and they could do some basic programming on
them. They damn sure don't know that they're responsible for his actions
until the police charge the place at 2am to find out that the world renown
hacker Lucifer is in reality, a 12 year old boy, sleeping in his room in his
pajamas.

It's at that point that Mom and Dad realize that they're in a world of hurt
and shock. They needed to know the possible problems last year when they
bought the PC to do their taxes and send email to Grandma in her summer
Florida home. If they had known more about it then, they might have an idea
about what Billy was doing all this time.

Mike P.



More information about the list mailing list