On Fri, 2003-09-19 at 09:08, Carl Cerecke wrote:
Hi,
My ISP has updated its terms of service. Included is the following paragraph:
The Customer may be liable for all charges and expenses incurred by <ISP> resulting from any security breach or attack or customer error that involves Customer hardware, software, or network configuration, including IP addresses.
Isn't this casting their net a bit wide? Or am I just paranoid.
And what happens if someone simply does a DOS/DDOS and spoofs your IP?
Funny enough, that's what I said when I replied to the message. The guy didn't grok what I meant though. Here's my reply to his reply to my reply mentioning spoofs (If you can follow that).
[ISP]
> There is still the opportunity for you to state your case should you
> experience such an issue.
[ME]
This is not mentioned in the <ISP> terms (unless I missed it), and relies on the goodwill of <ISP>. It should be explicitly stated as a right, not mentioned in passing as an opportunity.
[ISP]
> However, this condition will save us from
> bearing the burden of Network outages due to DOS attacks, which many
> have occurred, due to Viruses like the Blaster worm and certain trojans
> like the one you have mentioned. We consider system security to
> ultimately be in the hands of the end user, and that any breach of their
> systems should make them accountable, and we do not accept the liability
> for costs incurred as a result of such conditions.
[ME]
The problem is that there are ways to "breach my system" that are the fault of <ISP>, not me. Two examples:
1. Uploading web pages to the user's webserver uses standard ftp that transmits passwords in the clear. secure-ftp is not available (last time I checked).
2. Email is accessed via pop3, which also transmits passwords in the clear. pop3 over SSL or IMAP is not available.
I usually access my mail from work - 11 hops away from <ISP> over the internet. My system security is not in my hands alone, it is also partly the responsibility of <ISP>. I should not be held liable for damage done to <ISP> due to a security weakness at <ISP> (like the two listed above) even if it involves my system or setup in some way. Yet the wording of the <ISP> terms *does* hold me liable.
[ISP]
> This should encourage users to extend a more thorough awareness to such
> issues, therefore protecting our other customers.
[ME]
My experience is that it probably won't.
[ISP]
> If we do not meet your expectations then we can only suggest another
> ISP.
This last sentence surprised me. Perhaps I am too much hassle as a customer :-)
Cheers, Carl.
