Even you can be hacked
Matthew Crocker
matthew at crocker.com
Thu Jun 10 23:23:45 UTC 2004
>
> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
> or the ISP?
>
Widget Inc. is still negligent. It is their server. They could have
placed the server behind a firewall. The firewall could have been
doing layer 7 inspection and noticed the 0-day event. They could also
be running an IDS which would detect such an event and notify a network
administrator. The point is there are MANY ways to protect systems and to
be notified in an event. As an ISP I would overlook a couple of days'
worth of billing if my customer was responsible/reactive to the event.
If they refuse to fix the problems they should be held liable. If we
notice worm traffic entering our network from our customer we shut them
down, then notify them. We protect our network first, then we help
with theirs. No matter how you slice it, people need to be responsible
for their own actions or inactions. Widget Inc. could have chosen a
different OS, web server, etc. that didn't have that particular 0-day
event. Customers have choices; they need to be responsible for the
choices they make. I can guide them in good design up to a certain
extent for free. I'll design/build for them for a fee. IT is always
the first cut in a budget crunch; bean counters overlook IT issues.
The problem is the way you run your network affects other networks.
You can save $30,000 today and spend $100,000 in repairs for a failure;
your choice.
> So how about this analogy: Someone breaks into my house and spends a few
> hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier?
> Neither of us was negligent.
Do you ever expect to call Hong Kong? No, so call your LD carrier before
the fact and block all international calls from your line. You can
also put an access code on your outbound calls, or block everything and
use a calling card. You chose to make it easy for yourself; you get
hacked, you should pay.
> [0] Unless someone can prove the software flaw was sloppy enough that it
> constitutes negligence and goes after the software authors. Good luck with
> that.
Software flaw or not, design your network so you have safeguards in
place. Have other machines watching for irregular traffic, set off
pagers when your traffic goes 300% above normal. Pay for a network
engineer to watch it and make it better. React to problems, don't turn
a blind eye and hope it all goes away. Come on, WhatsUp Gold is cheap
enough; SNMP monitor your switch traffic and set off pagers using
thresholds, it really isn't that hard.
I'm rambling; the root of the problem is not IT or MS or the Internet.
It is society and everyone doing the bare minimum. Going with the
least common denominator is not a way to live your life, run your
business or your network. I'll take the high road, thank you very
much. I have little patience for people who do not expend the effort,
complaining and looking for handouts from those that do.
> --
> Crist J. Clark crist.clark at globalstar.com
> Globalstar Communications (408) 933-4387
>
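The "SNMP monitor your switch traffic and set off pagers using thresholds" suggestion above, worked out as an added example (this is not code from the thread, from NANOG or from WhatsUp Gold). It assumes a poller hands it a series of raw ifInOctets-style counter readings taken at a fixed interval; the readings here are constructed inline so the logic runs offline, and in production they would come from an SNMP GET of ifInOctets or ifHCInOctets on the switch. The detector builds a rolling baseline of "normal" bytes/second, handles the 32-bit counter wrap, and flags any interval whose rate is more than 300% above that baseline (that is, over 4x normal) without letting the spike itself become the new normal.

```python
"""Threshold alerting on SNMP interface counters against a rolling baseline.

Added example, not code from the mailing-list thread. Counter readings are
constructed (assumed) sample data; a real deployment would replace
SAMPLE_READINGS with values polled from the switch via SNMP.
"""
from collections import deque
from statistics import mean

COUNTER32_MAX = 2 ** 32        # ifInOctets is a 32-bit counter that wraps to 0
ALERT_FACTOR = 4.0             # "300% above normal" == 4x the baseline rate
BASELINE_WINDOW = 6            # how many previous intervals define "normal"
MIN_BASELINE_SAMPLES = 3       # no alerting until we have some idea of normal


def octet_rate(prev, cur, interval_s, counter_max=COUNTER32_MAX):
    """Bytes per second between two counter readings, handling one wrap.

    SNMP Counter32 values grow monotonically and wrap to zero; a reading
    smaller than the previous one means the counter wrapped once, so the
    true delta is cur + counter_max - prev.
    """
    delta = cur - prev
    if delta < 0:
        delta += counter_max
    return delta / interval_s


def detect_spikes(readings, interval_s=60, factor=ALERT_FACTOR,
                  window=BASELINE_WINDOW):
    """Return [(interval_index, rate, baseline), ...] for intervals that exceed
    factor * baseline.

    The baseline is the mean rate of the last `window` non-alerting
    intervals. Alerting intervals are deliberately excluded from it so a
    sustained burst (a worm, say) does not quietly raise the threshold.
    """
    baseline = deque(maxlen=window)
    alerts = []
    for i in range(1, len(readings)):
        rate = octet_rate(readings[i - 1], readings[i], interval_s)
        if len(baseline) >= MIN_BASELINE_SAMPLES:
            normal = mean(baseline)
            if rate > factor * normal:
                alerts.append((i, rate, normal))
                continue  # keep the spike out of the baseline
        baseline.append(rate)
    return alerts


def page_message(alert, ifname="GigabitEthernet0/1"):
    """Text a pager/notification system would send for one alert.

    The interface name is an assumed placeholder for illustration.
    """
    index, rate, normal = alert
    return (f"TRAFFIC ALERT {ifname}: interval {index} at {rate:,.0f} B/s, "
            f"{rate / normal:.1f}x the {normal:,.0f} B/s baseline")


# Constructed sample: one reading per 60 s at about 1 MB/s (60,000,000 bytes
# per interval), with the counter wrapping past 2**32 between the 2nd and
# 3rd readings, then a single 5x burst before traffic returns to normal.
SAMPLE_READINGS = [
    4_200_000_000,
    4_260_000_000,
    25_032_704,     # wrapped: 4_320_000_000 - 2**32
    85_032_704,
    145_032_704,
    205_032_704,
    505_032_704,    # +300,000,000 bytes in one interval: 5x normal
    565_032_704,
]

if __name__ == "__main__":
    for alert in detect_spikes(SAMPLE_READINGS):
        print(page_message(alert))
```

Two design points worth keeping if this is adapted: use the 64-bit ifHCInOctets counters where the switch offers them, since a 32-bit counter on a gigabit port can wrap more than once inside a 60 s poll and the single-wrap correction above would then under-count; and keep alerting intervals out of the baseline, otherwise a long-running burst becomes "normal" within one window and the pager goes quiet exactly when it should not.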