North American Network Operators Group


Re: Even you can be hacked

  • From: Patrick W. Gilmore
  • Date: Fri Jun 11 00:01:14 2004

On Jun 10, 2004, at 11:49 PM, David Krikorian wrote:

> Sometimes the provider shares the responsibility with the offender.
> For example, I can't get my telephone demark inside my house, so it
> is unlocked, and open to all comers. This is not, nor has ever been
> within my control. Since I'm not allowed to secure the line it is the
> provider, who prevents me from having a vaguely secured line, who enabled
> the theft of service, and should take some share of the responsibility.

Not a valid comparison. The ISP did not leave the Internet line outside your house, nor have they any responsibility to secure your systems.

In fact, most users would get upset at a provider meddling in their systems.


> Similarly, if I'm under an attack that is consuming my bandwidth, I'd expect
> to be responsible for if I had a way of gauging the bandwidth (to detect
> the abuse) and if the ISP did its part to shut down the attack.

You have your router, it gives you stats. And what part is the ISP supposed to do to shut down an attack? Did you pay for the ISP to monitor your line and proactively shut down an attack? Did you give the ISP permission to filter traffic of certain types? If you get /.'ed or run a promotion on your web site and the ISP filters the traffic as an attack, will you be upset?


> If I complained to the ISP about the attack, and nothing were done about it
> in a reasonable amount of time, driving up my cost for the month (or two) due
> to bursting, I would be unwilling to take responsibility for the added cost.
> The ISP's delay resulted in the ISP charging me more money. I think most
> reasonable people would consider that extra charge to be undeserved, unfair,
> and unreasonable.

If you ask the ISP to take action and they do not, it is a _TOTALLY_ different story.

Of course, in the original post, the ISP informed the end user of his problem, and even forgave his first month's bill. Wouldn't you say the ISP was being more than nice?


> I think one metric of "reasonableness" is how big a surprise the added cost
> would be. If my phone/electric/net bill is double for one month, that's an
> unpleasant surprise, but not a big deal. If it consumes my whole month's
> paycheck and I didn't knowingly contribute to the overrun, I will be outraged
> (and possibly bankrupt). Service companies generally don't want to outrage
> (or bankrupt) their customers.

That's a fine metric, but by no means a perfect one.

Many companies have "flash crowds", get /.'ed, run promotions, get mentioned in a blog somewhere, etc., etc., etc. The resulting traffic can be very out-of-profile, but still very wanted.

Nice ISPs call or e-mail the customer and mention this change. But there is no responsibility to do so in any contract I have seen that does not include extra charges for security purposes.


> > Take some responsibility.
>
> Yes, when that responsibility doesn't already belong to someone else who can
> be held accountable, and/or when I had some warning in advance of the risk
> I was taking.

You signed a contract that said you would pay for usage. Therefore you had warning. You are over 18, you are supposed to know what you are doing when you sign a contract. (And if you don't, no one cares anyway. :)

As for someone else being held accountable, that depends on your definition of "can be held accountable". The worm writers are "accountable" in my book, but they cannot "be held accountable" because they will likely never be caught. (And if they are, no way will they be able to pay.)

Should the ISP have to pay their transit bill while you get to blame a faceless perpetrator? Or do you hold any responsibility and need to pay for the bandwidth your system consumed on the line you agreed to purchase, whether you personally sent the bits or not?

--
TTFN,
patrick