Even you can be hacked

David Schwartz davids at webmaster.com
Fri Jun 11 05:47:35 UTC 2004
> On Jun 10, 2004, at 10:07 PM, David Schwartz wrote:

> > It all depends upon what the agreement between the customer and the ISP
> > says. It's not unreasonable for the ISP to 'insure' the customer against
> > risks he isn't able to mitigate which the ISP is, even if that means
> > shutting off his service.

> While it may not be unreasonable, it is also not unreasonable for the
> ISP to *not* insure the customer against such risks.
>
> It all depends. :)

	Well, it depends upon the class of service. For lower classes of service,
it's generally a non-issue because the service isn't billed based upon
usage. But I would argue that for low-end service (like home DSL) that is
billed based upon usage, it's unreasonable for the ISP to bill customers for
attack traffic. Obviously, it's possible that someone could offer this and
get a customer to agree to it, but I'd be really suspicious as to whether
they actually had a meeting of the minds with the customer about the
consequences.

> Also, you did not really address my question: Are you willing to sell
> me the service I asked for above?

	I've acted as a negotiator for several companies who were looking to obtain
connectivity. I've had no trouble negotiating agreements where the customer
does not pay for attack traffic. Some companies want a 'per incident' fee,
some don't. Usually these fees are reasonable and include firewalls and
tracking and other things that are worth paying for. You can certainly get
flat rate connections and you can get connections where if your service goes
over X dollars, they rate limit you unless you agree to let more in.

	Yes, you can get almost any combination of service features. Obviously,
some cost more than others. However, you can certainly get your ISP to
insure you if you want. Heck, buy a flat rate 100Mbps line from any carrier
and they're paying for any attack traffic over 100Mbps. Put in a filter and
they're paying to carry all the attack traffic to the filter.

> > 	Most of the people on this list see things from the ISP's perspective.
> > However, step back a bit and see it from the user's perspective. Do you
> > expect to pay for phone calls you didn't make or do you expect the person
> > whose deliberate conscious action caused those calls to be made? Do you
> > expect to be responsible for patrolling your electric lines to make sure
> > someone hasn't plugged into your outside outlets?
>
> Actually, I Am Not An Isp.  (Yes, that is really what it stands for.)
> I do see things from a user perspective.  And I still do not agree with
> you.
>
> For instance, I do believe if someone comes by and plugs something into
> an outside socket on my house that I should pay the bill.  The power
> was used, it cost something, and the power company sure as hell was not
> responsible.  Of course, if I can find the culprit, I can force him to
> pay.  But that does not mean the power company should eat the
> difference.

	It does if the person got to your house over the power company's lines. It
does if the power company knows about it. Unfortunately, every analogy
breaks down.

> Take some responsibility.

	How does a person with a DSL line at home take responsibility if he's away
for a month? Is he supposed to hire someone?

> This whole thing reminds me of when we were
> kids and I loaned my middle brother my walkman.  He left it on the
> floor where my baby brother was playing - who promptly smashed it with
> some random toy and destroyed it.  My middle brother claimed it was not
> his fault, my baby brother did it.  I was out a walkman (big bux in
> those days!), but I learned a valuable lesson: Never trust someone who
> is not willing to take responsibility.

	Certainly it was both of their faults and you're technically entitled to
collect from either of them.

> Since you seem to disagree with me, care to put your money where your
> mouth is?  Sell me a service where I only pay for what I expect.  I'm
> happy to have you shut me off if you notice traffic out of profile, but
> don't expect me to pay more than what I think I should.  Oh, and you
> should be prepared to turn the service back on when I "fix" the problem
> (even if it is just going to happen again, and again, and again, and
> again...).

	As I said, this kind of service is *definitely* available. You can get flat
rate service where you only pay for the traffic you expect. You can get
service where you can set a rate limit dynamically. You can get service
where filters are put up at your whim and you do not pay for traffic that
hits the filters. I think you're mostly being glib with clauses like "more
than what I think I should", but it is definitely possible to negotiate
contracts where you don't pay for attack traffic. It is definitely possible
to negotiate contracts where there's a fixed maximum you can pay.

	In fact, I've never seen a contract that makes the customer responsible for
attack traffic that doesn't make it to the customer's line (except for a
per-incident fee). I don't know that such a thing exists, but I've never seen
or heard of it. As for inbound traffic, you would *definitely* bitch if you had
to pay for inbound calls from telemarketers, and inbound attack traffic is
much the same.

	DS