RE: Nimda et.al. versus ISP responsibility

["Jonathan Levy" <jlevy () imneverwrong com>]

This post is along the lines of what I've been thinking.  I am very close to
being outraged at many posts saying that any host infected with this virus
should be dropped from their ISPs immediately.  I think a lot of the
infected hosts are not sysadmins who are trying to run a webserver, they are
people with a computer for small business or home use who have very little
idea of what computer security is all about.

Blame for this should not be the users, should not be the ISPs, and should
not be the software manufactures.  I am not saying Microsoft could not have
helped to avoid the problem that we are seeing right now, but that doesn't
stop us from putting the blame in the correct location... The person(s) who
are responsible for this are the ones who wrote it and put it in the wild.

Now I don't have a complete answer to what should or even could be done.  It
would be nice and I think advantageous to the ISPs for the ISPs to contact
the users that are still infected.  It would be nice for Microsoft to issue
something that got printed in news media that isn't read just by computer
users to the effect of "If you haven't patched your system in the past few
weeks you are probably causing tons of problems..."  It would be nice if
there could be some sort of Internet coalition telling users that their PCs
are causing problems.  In my opinion, just cutting users off from the
Internet is the wrong thing to do.  Contacting them and then cutting them
off would be a lot more appropriate, but that would require more work than I
think ISPs are willing to do right now.

I will tell you that Tech Support lines need to be more aware of Code Red
and Nimda.  I use DirecPC and my roommate was noticing that the ICS was
acting really slow.  We went through all of the troubleshooting steps,
called up tech support and went through all the steps in his book (he was
obviously reading from one).  Then we asked if this could be virus related
and he said "No, it wouldn't work at all."  It turned out that I was
infected with Code Red II.  I have since treated my ICS machine running
win2k like a server that I secure and now value the importance of updating
and removing services that are unneeded on not just my servers but the
workstations I work with as well.

Hindsight is 20/20, let's urge Microsoft to not have unnecessary items
enabled in default installs of programs, let's try to educate users to patch
their systems more, let's urge ISPs to help stomp out these worms.  Let's
not try to users who are infected like criminals and punish them for things
that aren't their fault and up until now we would not even think of
expecting them to know about.

-jonathan levy

-----Original Message-----
From: UMusBKidN () aol com [mailto:UMusBKidN () aol com]
Sent: Thursday, September 27, 2001 4:40 PM
To: incidents () securityfocus com
Subject: RE: Nimda et.al. versus ISP responsibility


Please be sure you place blame properly.

No ISP is responsible for the actions of a person that releases a malicious
worm on the Internet. No ISP is responsible for the malicious actions of
such worms on their software. The victim of a crime is not the perpetrator
of a crime!

I hate to say it, but not even Microsoft is responsible for creating worms
like Nimda. Yes, Microsoft is responsible for releasing IIS software, but
providing they had no prior knowledge of some bug, you can't blame them for
the crime, when some hacker discovers Yet Another Hole In A Microsoft
Product. Their corporate pants get yanked to their ankles on a regular basis
by hackers the world over, but you still can't blame them for committing the
crime! Blame them for poor quality control perhaps, or say they get shot at
the most because they're on top... but they aren't the criminals here.

Good luck trying to get ISPs to be responsible for content filtering. That's
an impossible task.

Let us not forget who the criminal is and who the victims are in cases such
as Nimda. Certainly, those who provide connectivity or hosting for others
have the responsibility to stay on top of the latest software fixes, but you
can't completely plug that hole either. I know people who got infected by
both CRII and Nimda, who didn't even know they had IIS installed and running
on their boxes. They didn't know their machines were toast until they could
smell it burning.

We can no sooner get rid of malicious worms by placing responsibility for
"handling" them on an ISP, than we can by creating laws that make malicious
software illegal. Until such time that we can successfully track the actual
perpetrators of the crime, or software authors miraculously invent perfect
bug-free programs, not much is going to change. Just make sure you place the
blame where it belongs.

-UMus B. KidN

"Adcock, Matt" wrote:
> <quote>
>   I think we all agree that connecting an unpatched IIS machine to the
> open Internet is acting irresponsibly. Most AUP's already prohibit
> spamming, port scanning etc. (at least on paper). Why not include
> "infection through negligence" as a reason for suspension? Maybe with a
> reasonable grace period the first time.
> </quote>
>
> I agree that the end administrator is ultimately responsible.  The ISPs
> could also help by filtering this traffic.  It would take an
infrastructure
> upgrade that would end up costing the consumer, but I personally would be
> willing to pay a little more.  Maybe give users a choice between being on
a
> filtered network or an open network?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com