Security Incidents mailing list archives

Re: Nimda et.al. versus ISP responsibility


From: John Oliver <john.oliver () hosting com>
Date: Thu, 27 Sep 2001 11:10:56 -0700

Luc Pardon wrote:

   I'd like the opinion of the list on the attitude of ISPs versus
worms. It is clear that we're going to see more of this.

  I think we all agree that connecting an unpatched IIS machine to the
open Internet is acting irresponsibly. Most AUPs already prohibit
spamming, port scanning etc. (at least on paper). Why not include
"infection through negligence" as a reason for suspension? Maybe with a
reasonable grace period the first time.

  Problem is that one ISP can't go it alone. If they pull the plug, they
may lose the customer to a less responsible competitor.

  Unlike spammers, most worm victims are "offending" out of ignorance.
Such a provision in the AUP would likely get their attention and maybe
cause a mind shift towards "Unpatched Is Bad (tm)".

My $.02 (speaking for myself, not my employer...)

Personally, I would like to disallow any Windows machines from
connecting to a public network without first seeing proof that they're
properly patched, secured, and managed.  Further, as soon as someone
announces "I'm an MCSE", their Ethernet should be pulled.  I know
several good, knowledgeable people who are MCSEs, but they do *not* need
to go around trumpeting that fact... :-)  As an extension to that,
seeing proof that all machines, whatever the OS, are properly managed
would be really nice, but a pipe dream (and insulting to your potential
customers).

Professionally, when I get an abuse report, I have someone in our tech
support staff contact the customer and explain the problem.  Sometimes
we can only leave VM and/or email.  If more reports come in with no
response from the customer, they get suspended.  If they say they fixed
it, and more reports come in, they get a much firmer warning and a close
eye on the situation.  And God help the poor "admin" who says "What does
that mean?", or "That's impossible!"... :-)

Basically, it will be very, very difficult to reach a point where proper
security is a nearly universal requirement.  As it stands now, if
someone is tossed for their negligence, they can find hosting or
connectivity again within an hour.  Especially with the economy the way
it is... *somebody* will take their money, just like the spam-friendly
ISPs.  But that can't change the fact that there's only so many warnings
you can give as an ISP before *you're* negligent for not getting rid of
a known problem.

As for AUP provisions, they will help in legal after-the-fact
proceedings ("You can't just turn me off because some hacker took me
over!"  "Ohhhh, yes we can!").  Nobody reads those.  Sales will never
spend time going over stuff like that.  And I doubt there's more than
five people on the face of the Earth who would read that and say "Oh,
geez... I think this means me.  I don't really know what I'm doing..."

Now that we're going to be offering managed and dedicated hosting, these
incidents can probably be used as a sales tool... "You guys keep having
these security problems... for $XXXX per month, we'll take all those
headaches off of your back" :-)  And even for those without the ability
to offer such services, keeping the names and numbers of a few good,
trusted consultants around helps.  

-- 
John Oliver
System Administrator
hosting.com, an Allegiance Telecom company
mailto:john.oliver () hosting com
(858) 637-3600
http://www.hosting.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
