Even you can be hacked

James Reid jreid at vapour.net
Fri Jun 11 21:03:14 UTC 2004


On Thu, 10 Jun 2004, Sean Donelan wrote:

:Did your computer have a power switch?  Did you turn it off?  Or did you
:continue to let it run up the bill?  Yes, even the complete computer
:novice can stop a computer room.  Turn off your computer.  If you don't
:know how to fix it, take it to a repair store.
:
:If you leave your lights on, the electric company will send you a bill.
:If you leave your faucets running, the water company will send you a bill.
:If you leave your computer infected, ???


What the ISP failed to do in this case was protect their
infrastructure from being abused by a worm, which would
have also infected other customers from this user's host.

That is to say, the worm caused them an alleged $11,000
loss because they failed to do anything to prevent it,
after being made aware of the situation.

The ISP (I would say negligently) exposed themselves to
absurd financial risk by continuing to provide service
to a site which they knew to be abusing their resources.

The reality of this situation is that if the bandwidth
being used by the ISP was actually costing them $5000, let
alone $11,000, it would have been grossly negligent from
a financial perspective to allow the worm to continue
consuming bandwidth.

The other reality is that bandwidth is not valuable
enough for the ISP to declare an $11,000 loss unless
they had booked the revenue before having some evidence
they would receive it. That is, the ISP's accounting
practices should be investigated if they are booking
revenue that is effectively theoretical in light of
the risks they knowingly accept regarding the odds
of actually receiving it.

The leaving-lights-on/faucets-running simile is inaccurate,
as the burden of risk was acknowledged and borne by the ISP.
In not taking steps to protect their infrastructure from loss,
they got burned and are sticking the blame wherever they
think it will stick. Exploiting someone's lack of technological
sophistication to assign liability is disingenuous and possibly
fraudulent.

Maybe the only bandwidth simile that could be appropriate
would be to a car in the 1950s, one which was unsafe at
any speed.


-- 
James Reid, CISSP
