ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]

J. Oquendo sil at infiltrated.net
Wed Jun 9 11:50:49 CDT 2010


Larry Sheldon wrote:
> On 6/9/2010 10:58, Owen DeLong wrote:
>
>   
>>> What happened to the acronyms "AUP" and "TOS"?
>>>
>>>       
>> I'm not sure what you mean by that.  I'm talking about an ISPs liability to
>> third party victims, not to their customers.
>>     
>
> "Acceptable Use Policy" and "Terms of Service"
>   
>> AUP/TOS are between the ISP and their customer.
>>     
>
> Very good.  Does that provide an answer to the earlier question about
> "what is a provider to do?" when a customer misbehaves?  Does that
> provide a method for assigning liability?
>
> I am not a lawyer, but it doesn't seem a stretch to me to include, in
> this context, traffic from peers and transit providers.
>   

"Acceptable Use Policy" and "Terms of Service"

Imagine for a moment you're speeding... You get pulled over, get off
with a warning. Phew! You speed again, get pulled over again, you get a
warning. How long will it be before you just outright ignore the law and
speed simply because you know all you will get is a warning. AUP's and
TOS' mean little if they're not enforced and I theorize that they're not
enforced perhaps because a company's staff is likely to be overwhelmed
or underclued as to how to proceed past a generic: "Thou shall not spew
dirty traffic in my network or else..." Or else what? You're going to
flood their inbox with "Thou shall not" messages?

In the case of Mr. Amodio and I believe Owen griping about insecure
software, I offer you this analogy...

You buy a car and as you're driving along a message comes into the
dashboard: "Car Update needed, to fix A/C" you ignore it. Don't update
it who cares, you're driving smoothly. Another alert comes into the car
dashboard: "Critical alert, your breaks need this patch"... You ignore
it and drive along. 5-10 years later the car manufacturer EOL's the car
and support for it. You crash... Who is to blame, the car manufacturer
or you for not applying the updates. Granted the manufacturer could have
given you a better product, the fact remains, it is what it is.

Don't blame the software vendors blame oneself. I've seen even the most
savvy users using OS' *other* than Windows get compromised. I performed
an incident response about 8 months ago... 42 machines 41 Linux, 1
Windows... Guess what, all the Linux boxes running Apache were
compromised. They were running vulnerable software on them (Wordpress,
etc). So to compare Apples and Oranges (Windows versus another) is
pointless.


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E





More information about the NANOG mailing list