Even you can be hacked

Stephen Sprunk stephen at sprunk.org
Fri Jun 11 00:33:11 UTC 2004


Thus spake "Crist Clark" <crist.clark at globalstar.com>
> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
> or the ISP?

Until a patch was available or a filter was installed, most ISPs would eat it
as a gesture of good will (but they have no obligation to do so).  A
customer who fails to implement the _available_ security measures is
negligent, particularly after they've been informed there's a problem and
they make a conscious choice not to do anything about it.

In the case of Mr. Liber, I totally side with the ISP for about the first 30
days.  After that, they should have disabled or capped Mr. Liber's account
(totally kosher, as he hadn't paid his outstanding bill) to prevent him from
running up further charges that any rational person would know he's unlikely
to pay for.  Shame on both parties.

> So how about this analogy: Someone breaks into my house and spends a few
> hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier?
> Neither of us was negligent.

A few years ago my cell phone was stolen, and before I was able to report it
to the carrier several hours of calls were made to a foreign country.  The
carrier ate all the calls between when the phone was stolen and when their
customer service center opened; I ate the calls that occurred after that.
Seems totally reasonable, even if it did cost me ~$50.

Once you have discovered or been notified there is a problem, _you_ are
responsible for fixing it or you implicitly agree to pay the price of not
fixing it.  As the song goes, "If you choose not to decide/You still have
made a choice".  If one is not yet aware of the problem (and there's no
reasonable expectation one should have been), I think there's room for
debate, but that's not relevant to the discussion of Mr. Liber.

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723           people.  Smart people surround themselves with
K5SSS         smart people who disagree with them."  --Aaron Sorkin




More information about the NANOG mailing list