Destructive botnet originating from California (was Japan)

Barrett G. Lyon blyon at prolexic.com
Mon Dec 26 16:20:27 UTC 2005



On Dec 25, 2005, at 7:21 PM, Jon Lewis wrote:

>
> On Sun, 25 Dec 2005, Barrett G. Lyon wrote:
>
>> I would have sent out a clean list sorted via AS and IP, except I  
>> have been working from vacation on GPRS via my 1 bar of service on  
>> my cell phone.
>
> What's vacation?
>
> I gather Prolexic isn't a one man shop.  Nobody else had a better  
> internet connection and a few minutes to tidy up the data and make  
> the post?

There are special considerations that should be taken while posting  
public data, so I take responsibility for public postings.  Our team  
makes sure everything else is running as usual; in the future I would  
like to formulate an internal policy and structure that helps us  
correctly post data on public forums without my involvement.

> IANAL either, but if I steal your car and run someone over with it,  
> are you liable?  Should you be?  Computers are "stolen" or at least  
> commandeered on the internet at an alarming rate because those who  
> do it know that odds are, they won't get caught.  And if they are  
> caught, odds are, nothing will happen.  And there's apparently  
> considerable profit in the sale of commandeered systems or services  
> provided by them.  I doubt you'll get anywhere trying to make an  
> example of someone whose system was hacked or even just "used  
> improperly".  I really don't think this problem can be solved by  
> scaring sysadmins or corporations.  There will always be security  
> holes.

If they have had notice about the problem and that the problem may  
damage or cause harm to others, then the question is: did they act as  
a reasonable service provider?  If they failed to act as a reasonable  
service provider to the compromised machine, then they are negligent.

In your car situation, if you know your car has been stolen, or if  
you have the ability to prevent it, then you could possibly be  
negligent.  If you left a car with the engine running and the keys in  
it, and you left it in a grammar school playground and your example  
happens, you are negligent.

If we contact an ISP and tell them about a machine that is causing  
harm, and we provide correct documentation, and they choose to do  
nothing about it, I would say they are a negligent ISP and could be  
open to litigation.

We have a couple of huge bank customers; they refused to use any  
mitigation methods that involve SYN cookies because of the liability  
that causes.  They were so concerned that a SYN flood would be  
relayed off a SYN-cookie "guard" and be used to attack a competitor  
as well.  Their legal teams refused to take the liability because  
that case would have had to be settled for a huge sum of money.  As a  
result they looked for solutions that do not use SYN cookies to defend  
against SYN floods.

If an ISP knew they could be found negligent then the community that  
uses Arbor and other techniques to detect inbound attacks may use it  
to detect and stop outbound attacks as well.  I think it would raise  
the bar of responsibility and responsiveness.  Otherwise, we will  
just sit and bitch about problems until there is a better protocol  
than the old one we use now.

-Barrett
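As an added example, not part of Barrett's message and not code from any Prolexic product: a minimal SYN-cookie generator and validator in Python. It shows the two properties the bank's lawyers were reasoning about: the defence keeps no per-connection state (the server's ISN itself encodes a time slot, an MSS class and a keyed hash, and the final ACK is validated by recomputation), and the SYN-ACK carrying that cookie is addressed to whatever source address the SYN claimed, so a flood of SYNs forged with a third party's address becomes a stream of SYN-ACKs at that third party. The secret key, the MSS table, the dictionary packet representation and the sample addresses are constructed for this demo and are assumptions, not anything from the original thread.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key. A real implementation draws a random secret at boot and
# never reveals it; a fixed value is used here only so the example is repeatable.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

# MSS classes encodable in the 3-bit field (classic SYN-cookie layout; the index
# stored is that of the largest entry <= the client's advertised MSS).
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac(client_ip, server_ip, client_port, server_port, mss_idx, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple, MSS class and time slot."""
    msg = struct.pack(
        "!4s4sHHBI",
        ipaddress.IPv4Address(client_ip).packed,
        ipaddress.IPv4Address(server_ip).packed,
        client_port, server_port, mss_idx, counter,
    )
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(client_ip, server_ip, client_port, server_port, mss, counter):
    """Server ISN layout: 5 bits of time counter | 3 bits MSS index | 24-bit MAC.
    `counter` is a slot number the caller advances on a fixed period (e.g. 64 s)."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac(client_ip, server_ip, client_port, server_port, mss_idx, counter)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def reply_to_syn(syn, counter):
    """Build the stateless SYN-ACK. Its destination is whatever source address
    the SYN carried: the server cannot distinguish a spoofed source from a real
    one, so forged SYNs turn into SYN-ACKs delivered to the forged address."""
    cookie = make_cookie(syn["saddr"], syn["daddr"], syn["sport"], syn["dport"],
                         syn["mss"], counter)
    return {
        "saddr": syn["daddr"], "daddr": syn["saddr"],
        "sport": syn["dport"], "dport": syn["sport"],
        "seq": cookie, "ack": (syn["seq"] + 1) & 0xFFFFFFFF,
    }


def accept_ack(ack, counter, max_age=1):
    """Validate the handshake's final ACK with no stored state. Returns the MSS
    class to use on success, or None if the cookie is forged, belongs to another
    4-tuple, or is older than `max_age` counter slots."""
    cookie = (ack["ack"] - 1) & 0xFFFFFFFF
    t, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    for age in range(max_age + 1):
        cand = counter - age
        if (cand & 0x1F) != t:
            continue
        expected = _mac(ack["saddr"], ack["daddr"], ack["sport"], ack["dport"],
                        mss_idx, cand)
        if hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    # Constructed packets: one legitimate client, one SYN forged with a third
    # party's address (the "competitor" in the scenario above).
    server = "203.0.113.10"
    syn = {"saddr": "198.51.100.7", "daddr": server, "sport": 40000, "dport": 80,
           "seq": 1000, "mss": 1460}
    forged = dict(syn, saddr="192.0.2.55")
    print("SYN-ACK for the forged SYN is sent to", reply_to_syn(forged, 100)["daddr"])
    synack = reply_to_syn(syn, 100)
    ack = {"saddr": syn["saddr"], "daddr": server, "sport": 40000, "dport": 80,
           "seq": 1001, "ack": (synack["seq"] + 1) & 0xFFFFFFFF}
    print("genuine ACK ->", accept_ack(ack, 100), "| two slots late ->", accept_ack(ack, 102))
```

The validator accepts a cookie from the current slot or the previous one, which is what bounds how long a half-open exchange stays replayable without the server remembering anything. Whether an operator accepts the reflected SYN-ACK traffic as a cost of this statelessness is the liability judgement the message describes; the code only makes the mechanism concrete.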