> I think we all agree that connecting an unpatched IIS machine to the
> open Internet is acting irresponsibly. Most AUPs already prohibit
> spamming, port scanning etc. (at least on paper). Why not include
> "infection through negligence" as a reason for suspension?
> Maybe with a reasonable grace period the first time.

That might give one recourse for the CodeReds and the Nimdas, but a future event might exploit unpatched problems. What to do in that case?

In the standard agreement I offer my customers (hosting and colo, not connectivity), after all the normal stuff about "do this, don't do that" and how I'll escalate and inform them about problems, there's a clause that says in essence "I reserve the right to stop you from messing things up." It doesn't really specify what all possible forms of "messing things up" are, or how I may stop them. It's my catch-all to give me enough latitude to fix things that need to be fixed without running afoul of the agreements (N.B. - it ONLY comes into play if all normal means fail). I've relied on it for stopping worm activity, misconfigured software, and even a slashdot DoS or two. Nobody has ever objected to the principle. Whatever it takes...

> Problem is that one ISP can't go it alone. If they pull the
> plug, they may lose the customer to a less responsible competitor.

There will always be a less responsible operator out there somewhere. I don't try to compete on that level. If someone doesn't like how I've operated this place, I encourage them to go elsewhere and be happy about it - but I've never lost a customer because of how I've handled exceptional situations (worst case was I had to pro-rate their fees minus a couple of days, and I offered that before they had to ask for it). These ARE exceptions, after all, and this is such a dynamic service anyway. If some terms and conditions aren't explicitly in the agreement, I get more latitude for them when I need it.

In return, I try my best to solve problems in the least disruptive ways possible.

> Unlike spammers, most worm victims are "offending" out of ignorance.
> Such a provision in the AUP would likely get their attention and maybe
> cause a mind shift towards "Unpatched Is Bad (tm)".

Unpatched may be bad, but if that's your message then that's what you should say, and don't rely on people having the same ability to see the same evidence you see and always come to the same conclusion you do. The connection between keeping patches and configs safe & up to date and the effects of negligence can be a little abstract for some people. If they don't get it on their own, they probably won't get it out of an AUP/TOS.

Do we really need more laws and lawyers on the case?

--
Dave Salovesh
RAM Associates, Inc.
(800) 543-3635

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Sep 27 2001 - 13:36:52 PDT