Even you can be hacked

Matthew Crocker matthew at crocker.com
Thu Jun 10 23:23:45 UTC 2004


>
> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
> or the ISP?
>

Widgets Inc. is still negligent. It is their server. They could have placed the server behind a firewall. The firewall could have been doing layer 7 inspection and noticed the 0-day event. They could also be running an IDS which would detect such an event and notify a network administrator. The point is there are MANY ways to protect systems and to be notified of an event. As an ISP I would overlook a couple of days' worth of billing if my customer was responsible/reactive to the event. If they refuse to fix the problems they should be held liable. If we notice worm traffic entering our network from our customer we shut them down, then notify them. We protect our network first, then we help with theirs. No matter how you slice it, people need to be responsible for their own actions or inactions. Widgets Inc. could have chosen a different OS, web server, etc. that didn't have that particular 0-day event. Customers have choices; they need to be responsible for the choices they make. I can guide them in good design up to a certain extent for free. I'll design/build for them for a fee. IT is always the first cut in a budget crunch; bean counters overlook IT issues. The problem is the way you run your network affects other networks. You can save $30,000 today and spend $100,000 in repairs for a failure, your choice.

> So how about this analogy: Someone breaks into my house and spends a few
> hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier?
> Neither of us was negligent.

Do you ever expect to call Hong Kong? No, call your LD carrier before the fact and block all international calls from your line. You can also put an access code on your outbound calls, or block everything and use a calling card. You chose to make it easy for yourself; you get hacked, you should pay.

> [0] Unless someone can prove the software flaw was sloppy enough that it
> constitutes negligence and goes after the software authors. Good luck with
> that.

Software flaw or not, design your network so you have safeguards in place. Have other machines watching for irregular traffic; set off pagers when your traffic goes 300% above normal. Pay for a network engineer to watch it and make it better. React to problems, don't turn a blind eye and hope it all goes away. Come on, WhatsUp Gold is cheap enough; SNMP monitor your switch traffic and set off pagers using thresholds, it really isn't that hard.

I'm rambling; the root of the problem is not IT or MS or the Internet. It is society and everyone doing the bare minimum. Going with the least common denominator is not a way to live your life, run your business or your network. I'll take the high road, thank you very much. I have little patience for people who do not expend the effort, complaining and looking for handouts from those that do.

> -- 
> Crist J. Clark                               crist.clark at globalstar.com
> Globalstar Communications                                (408) 933-4387
>
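The threshold alerting described above (poll switch counters over SNMP, page someone when traffic runs 300% above normal), as an added example that is not part of the original post or thread. It assumes 32-bit ifInOctets-style counters polled every 30 seconds, a constructed sample series, and takes "300% above normal" literally as four times the running baseline.

```python
"""Threshold alerting over SNMP interface byte counters (constructed sample data)."""
from typing import List, Tuple

COUNTER32_MAX = 2 ** 32  # SNMP Counter32 (e.g. ifInOctets) wraps at this value


def counter_rate(prev: int, cur: int, seconds: float, modulus: int = COUNTER32_MAX) -> float:
    """Bytes per second between two polls, correcting for a 32-bit counter wrap.

    A negative delta is treated as one wrap; a reboot also resets the counter,
    so a real poller would additionally check sysUpTime (not modelled here).
    """
    if seconds <= 0:
        raise ValueError("poll interval must be positive")
    delta = cur - prev
    if delta < 0:
        delta += modulus
    return delta / seconds


def check_thresholds(samples: List[int], interval: float, pct_above: float = 300,
                     warmup: int = 4) -> List[Tuple[int, float, float]]:
    """Return (poll index, rate, threshold) for every poll whose rate exceeds
    'pct_above' percent above the running baseline.

    "300% above normal" is taken literally: threshold = baseline * (1 + 3.0).
    The baseline is the mean of non-alerting rates seen so far, after 'warmup'
    polls, so a spike does not raise the bar for the polls that follow it.
    """
    alerts: List[Tuple[int, float, float]] = []
    normal_rates: List[float] = []
    for i in range(1, len(samples)):
        rate = counter_rate(samples[i - 1], samples[i], interval)
        if len(normal_rates) >= warmup:
            baseline = sum(normal_rates) / len(normal_rates)
            threshold = baseline * (1 + pct_above / 100)
            if rate > threshold:
                alerts.append((i, rate, threshold))  # this is where the pager fires
                continue
        normal_rates.append(rate)
    return alerts


# Constructed ifInOctets-style readings, polled every 30 s: ~1 MB/s steady state,
# a counter wrap between the first two polls, and a 5 MB/s burst at poll 6.
POLL_INTERVAL = 30
SAMPLES = [4_280_000_000, 15_032_704, 45_032_704, 75_032_704,
           105_032_704, 135_032_704, 285_032_704, 315_032_704]

if __name__ == "__main__":
    for idx, rate, limit in check_thresholds(SAMPLES, POLL_INTERVAL):
        print(f"PAGE: poll {idx} at {rate:,.0f} B/s exceeds {limit:,.0f} B/s")
```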

More information about the NANOG mailing list