[LINK] OzIT: 'ISPs could strangle zombies / disconnect subscribers'
Roger.Clarke at xamax.com.au
Tue Sep 29 11:17:50 AEST 2009
A colleague at UNSW's Cyberspace Law & Policy Centre, Alana
Maurushat, drew my attention to an IETF Draft:
>You may be interested in the US Comcast approach to these issues,
>now before the IETF. My guess is that quarantine would only occur
>to those who take NO measures to clean up their site, even after
>being given guidance, materials, etc.
When I checked with her that it was okay to re-post, she added:
>Google has a similar policy which has been in place for several
>years. Stopbadware.org out of the Berkman Centre assists Google in
>helping those removed from the search engine how to reconnect their
>device to Google's algorithm. Disconnect usually only occurs in
>EXTREME cases where fairly severe negligent behaviour on part of the
>user/website owner is present. I see this as a VERY POSITIVE move
>for Australia. You can add that bit too.
My quick reactions (before a deep reading of the above Internet Draft) are:
I think we may need to submit to IIA, and to communicate to whatever
regulatory agencies are in play, that ISPs only be permitted to
'quarantine' devices (and only protected against liability) if they
have first undertaken, and can demonstrate that they have undertaken,
a graduated series of measures to communicate the problem and
solution to the person responsible for the device, sufficient time
was allowed, and the response was seriously inadequate.
It seems to me to be vital that communication of the problem alone is
not enough. There has to be a solution proposed (e.g. of the form
'download and run the following software from the following location;
and we vouch for the reliability of the source and the solution!').
I'd be very concerned about Internet-access-denial because of
infection with new malware for which no antidote is yet available.
I'm also wondering about whether it's really necessary to 'deny
access to the Internet', as distinct from 'interdicting specific
transmissions'. If a bot's usage is sufficiently well-understood for
an ISP to be confident in taking steps, then presumably a lot is
known about the offending data-stream that emanates from zombies,
such that that particular data-stream can be blocked, rather than all
That said, it might be quite reasonable that the 'graduated series of
measures' be able to accumulate across multiple incidents of
exploitation of the particular zombie (i.e. a device-owner's response
to the effect of 'oh, it stopped last time, so I didn't bother fixing
it' isn't good enough).
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University