[Dshield] Blackworm liability with ISPs?

Mark markt442 at yahoo.com
Thu Feb 9 03:34:26 GMT 2006


I'm not an advocate for or against the idea. I do
believe in standard commercial code. I believe we have
too many "specific laws" when existing commercial code
should be applied. If one has information from a
reliable source - and I consider SANS and ISC to be
reliable - AND the information is believed to be
accurate - which many in infosec believed it was - AND
proper dissemination of that information could prevent
undue harm (property damage, loss of functionality,
loss of life, etc), then yes - I believe that anyone
who comes into that information is liable if they fail
to act on it.


If I was a typical ISP (or other business for that
matter), I wouldn't necessarily like to take action on
this data - hey, it costs money. But the executives
must start considering the "risk" of receiving this
data and the cost of action/non-action. This is
commonly referred to as "corporate responsibility".
This trait is a rare one - lock on to the ones that
demonstrate it! :)

Legal action - this is a tough one. Disclosure: I'm
not a lawyer, but I deal with enough of them on a
daily basis. It would be a difficult case to
prosecute. Many ISPs are not keeping logs as a result
of the DMCA - they don't want to be forced to chase
down their subscribers by the RIAA (it costs money to
respond to those subpoenas) - so it is simply much
easier to not keep those pesky logs. Similar function
here, if they don't have a log that ties "you" to one
of their "IPs" during a specific time - they have no
actionable data based on said list. 

Putting laws to the Internet

I believe that in the USA, the states and even the
federal gov't have examined "taxing" the internet. All
have failed as the Internet isn't governed by a single
government. So who is going to moderate things such as
"Internet Driver's Licenses"? Remember, inviting
government regulation in is similar to inviting a bad
house guest to stay with you - they overstay their
welcome, add undue burden to your life and really
seldom leave. And trying to get the ISPs to
self-govern or co-operate is a fairy tale. 

I vote for enforcing standard business laws (which
will vary from country to country) to ensure that ISP
"A", which has a business license (not an Internet
license), is held to the same laws that govern other
service industries. If a business fails to act
ethically and with good intentions, they should be
penalized. I won't even attempt to comment on
penalties and fines. The penalty should fit the
"crime". Remember, there are differences between
criminal and civil penalties. 

Folks - it has to be simple. I am reminded of two
quotes, the first is that "Information is Power" and
the second is "with great power comes great

With this, I have respectfully shared my peace.


From:	"Frank Knobbe" <frank at knobbe.us>
Subject:	Re: [Dshield] Blackworm liability with ISPs?
Date:	Tue, 07 Feb 2006 10:02:40 -0600
To:	"General DShield Discussion List"
<list at lists.dshield.org>

On Thu, 2006-02-02 at 17:32 -0800, Mark wrote:
> So I take it you've never made a mistake? Stupid
> enough to click on a link or open an attachment?
> sounds a bit harsh.

Nope, I made mistakes. But I admit they were my

> Liability is shared if a party has a reasonable
> expectation to prevent damage (life/property) and
> neglects to do so.

Sure, but this was not given under these
circumstances. And I doubt that "notifying a user that
he *may* have a virus" will ever qualify for that.

> I find it a very reasonable expectation that a party
> with knowledge of an infection share it with the
> property owner if it prevents damage to a system.

Sure, it's a reasonable expectation. But should it be
a requirement by law? Otherwise you can't claim
liability and enforce it, or take legal action for
lack of action by the ISP.

> this case, the ISP is handed a list of IP addresses.
> They didn't have to seek the info, it was provided
> them by the community.

Put yourself in the situation of the ISP and ask
yourself if you trust the list someone else gave you.
Keep in mind that if you fail to act,
you might get sued (according to this silly idea).
Would you enjoy being forced to notify clients on a
hunch? How often do you think you will
do this if the information turns out to be incomplete?

> Lighten up and let's hope that the ISPs that had the
> information did act in a manner that benefits
> and do so in the future.

Speaking of light, I think folks take this a bit too
lightly. You really need to think these issues through
thoroughly before mandating that there should be some
legal anchor that can provide for liabilities.

Making it good business practice to alert customers
based on information of third parties is one thing.
Making it a legal requirement is another.


