Even you can be hacked
Patrick W.Gilmore
patrick at ianai.net
Fri Jun 11 03:58:58 UTC 2004
On Jun 10, 2004, at 11:49 PM, David Krikorian wrote:
> Sometimes the provider shares the responsibility with the offender.
> For example, I can't get my telephone demark inside my house, so it
> is unlocked, and open to all comers. This is not, nor has ever been
> within my control. Since I'm not allowed to secure the line it is the
> provider, who prevents me from having a vaguely secured line, who
> enabled the theft of service, and should take some share of the
> responsibility.
Not a valid comparison. The ISP did not leave the Internet line
outside your house, nor have they any responsibility to secure your
systems.
In fact, most users would get upset at a provider meddling in their
systems.
> Similarly, if I'm under an attack that is consuming my bandwidth, I'd
> expect to be responsible for if I had a way of gauging the bandwidth
> (to detect the abuse) and if the ISP did its part to shut down the
> attack.
You have your router, it gives you stats. And what part is the ISP
supposed to do to shut down an attack? Did you pay for the ISP to
monitor your line and proactively shut down an attack? Did you give
the ISP permission to filter traffic of certain types? If you get
/.'ed or run a promotion on your web site and the ISP filters the
traffic as an attack, will you be upset?
> If I complained to the ISP about the attack, and nothing were done
> about it in a reasonable amount of time, driving up my cost for the
> month (or two) due to bursting, I would be unwilling to take
> responsibility for the added cost. The ISP's delay resulted in the
> ISP charging me more money. I think most reasonable people would
> consider that extra charge to be undeserved, unfair, and unreasonable.
If you ask the ISP to take action and they do not, it is a _TOTALLY_
different story.
Of course, in the original post, the ISP informed the end user of his
problem, and even forgave his first month's bill. Wouldn't you say the
ISP was being more than nice?
> I think one metric of "reasonableness" is how big a surprise the added
> cost would be. If my phone/electric/net bill is double for one month,
> that's an unpleasant surprise, but not a big deal. If it consumes my
> whole month's paycheck and I didn't knowingly contribute to the
> overrun, I will be outraged (and possibly bankrupt). Service companies
> generally don't want to outrage (or bankrupt) their customers.
That's a fine metric, but by no means a perfect one.
Many companies have "flash crowds", get /.'ed, run promotions, get
mentioned in a blog somewhere, etc., etc., etc. The resulting traffic
can be very out-of-profile, but still very wanted.
Nice ISPs call or e-mail the customer and mention this change. But
there is no responsibility to do so in any contract I have seen that
does not include extra charges for security purposes.
>> Take some responsibility.
>
> Yes, when that responsibility doesn't already belong to someone else
> who can be held accountable, and/or when I had some warning in advance
> of the risk I was taking.
You signed a contract that said you would pay for usage. Therefore you
had warning. You are over 18, you are supposed to know what you are
doing when you sign a contract. (And if you don't, no one cares
anyway. :)
As for someone else being held accountable, that depends on your
definition of "can be held accountable". The worm writers are
"accountable" in my book, but they cannot "be held accountable" because
they will likely never be caught. (And if they are, no way will they
be able to pay.)
Should the ISP have to pay their transit bill while you get to blame a
faceless perpetrator? Or do you hold any responsibility and need to
pay for the bandwidth your system consumed on the line you agreed to
purchase, whether you personally sent the bits or not?
--
TTFN,
patrick