[LINK] OzIT: 'ISPs could strangle zombies / disconnect subscribers'

Roger Clarke Roger.Clarke at xamax.com.au
Tue Sep 29 11:17:50 AEST 2009


A colleague at UNSW's Cyberspace Law & Policy Centre, Alana 
Maurushat, drew my attention to an IETF Draft:

>You may be interested in the US Comcast approach to these issues, 
>now before the IETF.  My guess is that quarantine would only occur 
>to those who take NO measures to clean up their site, even after 
>being given guidance, materials, etc.
>
>http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03

When I checked with her that it was okay to re-post, she added:

>Google has a similar policy which has been in place for several 
>years.  Stopbadware.org out of the Berkman Centre assists Google in 
>helping those removed from the search engine how to reconnect their 
>device to Google's algorithm.  Disconnect usually only occurs in
>EXTREME cases where fairly severe negligent behaviour on part of the 
>user/website owner is present.  I see this as a VERY POSITIVE move 
>for Australia.  You can add that bit too.


My quick reactions (before a deep reading of the above Internet Draft) are:

I think we may need to submit to IIA, and to communicate to whatever 
regulatory agencies are in play, that ISPs only be permitted to 
'quarantine' devices (and only be protected against liability) if they 
have first undertaken, and can demonstrate that they have undertaken, 
a graduated series of measures to communicate the problem and 
solution to the person responsible for the device, if sufficient time 
was allowed, and if the response was seriously inadequate.

It seems to me to be vital that communication of the problem alone is 
not enough.  There has to be a solution proposed (e.g. of the form 
'download and run the following software from the following location; 
and we vouch for the reliability of the source and the solution!').

I'd be very concerned about Internet-access-denial because of 
infection with new malware for which no antidote is yet available.

I'm also wondering about whether it's really necessary to 'deny 
access to the Internet', as distinct from 'interdicting specific 
transmissions'.  If a bot's usage is sufficiently well-understood for 
an ISP to be confident in taking steps, then presumably a lot is 
known about the offending data-stream that emanates from zombies, 
such that that particular data-stream can be blocked, rather than all 
data-streams?

That said, it might be quite reasonable that the 'graduated series of 
measures' be able to accumulate across multiple incidents of 
exploitation of the particular zombie (i.e. a device-owner's response 
to the effect of 'oh, it stopped last time, so I didn't bother fixing 
it' isn't good enough).


-- 
Roger Clarke                                 http://www.rogerclarke.com/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
