Even you can be hacked

Patrick W. Gilmore patrick at ianai.net
Fri Jun 11 03:58:58 UTC 2004


On Jun 10, 2004, at 11:49 PM, David Krikorian wrote:

> Sometimes the provider shares the responsibility with the offender.
> For example, I can't get my telephone demark inside my house, so it
> is unlocked, and open to all comers.  This is not, nor has ever been
> within my control.  Since I'm not allowed to secure the line it is the
> provider, who prevents me from having a vaguely secured line, who enabled
> the theft of service, and should take some share of the responsibility.

Not a valid comparison.  The ISP did not leave the Internet line 
outside your house, nor have they any responsibility to secure your 
systems.

In fact, most users would get upset at a provider meddling in their 
systems.


> Similarly, if I'm under an attack that is consuming my bandwidth, I'd expect
> to be responsible for if I had a way of gauging the bandwidth (to detect
> the abuse) and if the ISP did its part to shut down the attack.

You have your router, it gives you stats.  And what part is the ISP 
supposed to do to shut down an attack?  Did you pay for the ISP to 
monitor your line and proactively shut down an attack?  Did you give 
the ISP permission to filter traffic of certain types?  If you get 
/.'ed or run a promotion on your web site and the ISP filters the 
traffic as an attack, will you be upset?


> If I complained to the ISP about the attack, and nothing were done about it
> in a reasonable amount of time, driving up my cost for the month (or two) due
> to bursting, I would be unwilling to take responsibility for the added cost.
> The ISP's delay resulted in the ISP charging me more money.  I think most
> reasonable people would consider that extra charge to be undeserved, unfair,
> and unreasonable.

If you ask the ISP to take action and they do not, it is a _TOTALLY_ 
different story.

Of course, in the original post, the ISP informed the end user of his 
problem, and even forgave his first month's bill.  Wouldn't you say the 
ISP was being more than nice?


> I think one metric of "reasonableness" is how big a surprise the added cost
> would be.  If my phone/electric/net bill is double for one month, that's an
> unpleasant surprise, but not a big deal.  If it consumes my whole month's
> paycheck and I didn't knowingly contribute to the overrun, I will be outraged
> (and possibly bankrupt).  Service companies generally don't want to outrage
> (or bankrupt) their customers.

That's a fine metric, but by no means a perfect one.

Many companies have "flash crowds", get /.'ed, run promotions, get 
mentioned in a blog somewhere, etc., etc., etc.  The resulting traffic 
can be very out-of-profile, but still very wanted.

Nice ISPs call or e-mail the customer and mention this change.  But 
there is no responsibility to do so in any contract I have seen that 
does not include extra charges for security purposes.


>> Take some responsibility.
>
> Yes, when that responsibility doesn't already belong to someone else who can
> be held accountable, and/or when I had some warning in advance of the risk
> I was taking.

You signed a contract that said you would pay for usage.  Therefore you 
had warning.  You are over 18, you are supposed to know what you are 
doing when you sign a contract.  (And if you don't, no one cares 
anyway. :)

As for someone else being held accountable, that depends on your 
definition of "can be held accountable".  The worm writers are 
"accountable" in my book, but they cannot "be held accountable" because 
they will likely never be caught.  (And if they are, no way will they 
be able to pay.)

Should the ISP have to pay their transit bill while you get to blame a 
faceless perpetrator?  Or do you hold any responsibility and need to 
pay for the bandwidth your system consumed on the line you agreed to 
purchase, whether you personally sent the bits or not?

-- 
TTFN,
patrick



