Code Red Refunds? 377
bubblegoose writes "In Washington state Qwest customers are asking for a refund due to losses of service during the Code Red thing. Qwest is refusing to give the refunds.
Excite has a story about it here." I tend to think this is just complaining bull crap. My net connection went down too, and I don't run around demanding $5 back. I'd be more upset if I was a business and my server was rooted by this. The irony is that this will probably end up just pushing subscription software.
More of the same (Score:1)
Re:More of the same (Score:2)
Good point, but Qwest isn't the incompetent company here. Microsoft is. Mind you, it's not all M$'s fault -- people who run any server on any OS, but *especially* an IIS server on Windows -- should be sane enough to secure their systems.
Re:More of the same (Score:2, Interesting)
In this regard, I would look to a not-at-fault car accident, there are a lot of similarities.
Imagine this: a car stops. The car behind it hits it and sends it careering into the car in front.
Now, if I'm in the middle car (the first one mentioned) the guy in the very front car, who was hit through no fault of his own, sues me. I, in turn, sue the car who hit me (who was at fault) and pass on the litigation from the front guy to the one who hit me (I was not at fault for either collision and the rear vehicle was for both.).
Now let's bring this back home, Microsoft sell a product which has faults. Qwest buys said product from Microsoft and use that as a basis for their own product. I buy the Qwest product and use it to create my own product (say, a website). One day, Microsoft's product stops working. Qwest's product as a direct result, stops working. My product then stops working because of Qwest's problems.
My product cannot make me any money. I am running at a loss.
I think it would be fair for me to turn around to my supplier and ask for compensation for lost earnings (at the hands of Qwest's product), or at least refuse to pay for the portion of the service that was not delivered. Qwest then have that option of passing on their costs to their supplier (should they be liable).
On the other hand, I could just be being too simplistic.
Re:More of the same (Score:2)
Re:More of the same (Score:2)
standing behind user agreements.... (Score:2)
Personally, my cable modem is sometimes offline, but it's usually during the day while I'm at work hence I don't notice.
What is temporary (Score:2, Insightful)
Re:What is temporary (Score:2)
The only time I can think of that this became a legal issue was with AOL downtime and limited availability in early 1997 as they were switching from 20 hours a month free access to completely unmetered access. But they settled that by offering refunds (in the form of rebates on the next month's fee).
Astound/Seren has a 24 hour (Score:2)
Qwest (Score:5, Informative)
Anyway, point is.. I think they do a great job. Keep up the good work Qwest.
Re:Qwest (Score:2, Interesting)
Funny, Qwest is my provider as well, and the only phone call I got was notification that my bill was overdue.
On the whole I've been very happy with Qwest also, however I would like very much to know why they gave out bad information regarding the fix for more than a week. In case you didn't know, for some time they insisted that the only thing necessary was to disable remote web access to the Cisco router. This didn't work, and I suffered periodic outages for a week after I applied their prescription. It wasn't for quite some time that they revealed that blocking port 80 on the router was the only way to stop the scans from hanging it.
As a telecommuter, my productivity was cut enormously over those two weeks. Now, if it turns out that Qwest was negligent, i.e., they knew that their original "fix" didn't work but wasted time releasing that info, then I would expect compensation. However I suspect that, as happens often in complex systems, it simply took them a while to figure out what worked and what didn't. If that's the case, then I cannot reasonably demand anything more from them.
Re:Qwest (Score:2)
Re:Qwest (Score:2)
Brilliant idea (Score:3, Interesting)
The second option is that they can deny all incoming requests to port 80, since the UA forbids running servers anyway, and slowly wait for the code-red running machines to go away. This is what they did
I don't want "proactive measure" anywhere near my net connection. You do realize that a proactive measure would have to monitor all your traffic in depth, and then try to guess when your behaviour was dangerous. When it has a false alarm, then you'd blame @Home for using such an error prone method, instead of a simple reactive method.
The trouble with listening to an idiot is that you might give them what they asked for.
Re:Brilliant idea (Score:3, Interesting)
Not in Dallas, they didn't.
I'm not advocating any kind of port 80 blocking. It would be a trivial matter to simply block the offenders at their gateway. All @home has to do is set up a monitor on their IP block. This is proactive, but there's no need to monitor traffic in depth, as you say: The morons announce themselves.
Re:Brilliant idea (Score:3, Insightful)
>The second option is that they can deny all
>incoming requests to port 80, since the UA
>forbids running servers anyway
You are mistaken, and you have NOT researched
the facts before posting this.
*MY* agreement with Qwest expressly allows
running servers. They are quite up-front and
honest about the whole thing. It's what makes
their relatively expensive, but somewhat slower,
service an attractive choice in markets where
there's cable or other dsl providers.
They even offered to help me setup my LAN, my linux boxes, a static IP netblock, you name it.
I would suggest that when you talk trash, you
stick to subjects that you know something about.
Re:Brilliant idea (Score:2)
And then, what's wrong with routing a packet containing default.ida?... into
I think all ISPs should have dropped packets on port 80 that appeared to be CodeRed. It'd have stopped this thing quickly.
But then I think the Anti-CodeRed scripts that use the same hole, but to apply the patch or shutdown IIS and display a message explaining it, should have been used, and should be legal.
Attempted analogy. I shouldn't go into your car, even if unlocked. But, if your car was rolling slowly down the hill towards mine, would it be wrong if I opened the door and set the parking brake, to save both of us a large repair bill? Especially if I left you a nice note explaining the parking brake, how to set/unset it, and why I did what I did.
In fact, in some jurisdictions, you'd be held responsible for not preventing an accident if you could have safely/easily done so, regardless of it being your "fault" to begin with.
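Added example, not part of any comment in this thread: the comments above propose that an ISP watch its own IP block for infected hosts ("the morons announce themselves") and drop port-80 requests that look like Code Red. The worm's probe is a GET for /default.ida with a long run of one filler character in the query (N in the first variant, X in Code Red II), so a sensor's web log is enough to list infected customers. The log format (Apache combined), the 20-character threshold, the function names and the documentation-range addresses are assumptions made for this sketch.

```python
import ipaddress
import re
from collections import Counter

# Request line of a Code Red probe: /default.ida? followed by a long run of
# a single filler character. The 20-character minimum is an assumed threshold.
PROBE = re.compile(r'^"GET /default\.ida\?(?:N{20,}|X{20,})')
# Combined log format: client, ident, user, [timestamp], "request" ...
LOG_LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] (?P<req>".*)$')


def find_probe_sources(lines, customer_block):
    """Return ({customer_ip: probe_count}, probes_from_outside_the_block)."""
    net = ipaddress.ip_network(customer_block)
    inside = Counter()
    outside = 0
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or not PROBE.match(m.group("req")):
            continue  # malformed line or ordinary web traffic
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # client field is a hostname, cannot map it to the block
        if src in net:
            inside[str(src)] += 1
        else:
            outside += 1
    return dict(inside), outside


def offenders(inside, min_hits=2):
    """Customer addresses seen probing at least min_hits times, in IP order."""
    hits = (ip for ip, count in inside.items() if count >= min_hits)
    return sorted(hits, key=ipaddress.ip_address)


def _probe(src, filler):
    # Constructed log line; the worm payload after the filler run is omitted.
    return (f'{src} - - [04/Aug/2001:10:00:00 +0000] '
            f'"GET /default.ida?{filler * 224}...[payload omitted] HTTP/1.0" 404 0')


# Constructed sample log for a sensor inside the hypothetical 192.0.2.0/24 block.
SAMPLE_LOG = [
    _probe("192.0.2.10", "N"),
    _probe("192.0.2.10", "N"),
    '192.0.2.50 - - [04/Aug/2001:10:00:02 +0000] "GET /index.html HTTP/1.0" 200 512',
    _probe("192.0.2.77", "X"),
    _probe("203.0.113.5", "N"),            # infected host outside the block
    _probe("192.0.2.10", "N"),
    _probe("host.example.net", "X"),       # resolved hostname, skipped
    '192.0.2.10 - - [04/Aug/2001:10:00:09 +0000] "GET /default.ida HTTP/1.0" 404 0',
    "truncated line with no request field",
]

if __name__ == "__main__":
    inside, outside = find_probe_sources(SAMPLE_LOG, "192.0.2.0/24")
    for ip in offenders(inside):
        print(f"{ip}: {inside[ip]} probes, candidate for notification or filtering")
    print(f"{outside} probe(s) came from outside the customer block")
```

Only hosts inside the operator's own block are listed; probes from elsewhere are counted but not attributed, since the operator has no customer relationship with those sources.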
Re:Qwest (Score:2)
Anecdotal evidence is COMPLETELY irrelevant when you're discussing issues that address thousands or millions. UNLESS, of course, you have anecdotal evidence from every member of the studied population...
My Qwest experience... (Score:2)
I received the call (and the letter, for that matter) from Qwest about the Cisco/Code Red issues. I had already heard about it, but, I had a bit of a related DSL problem I had to ask them about. Oh no, the caller informed me, he couldn't help me with that. He gave me a phone number to call.
Ok, says I, I'll just call them up right now and get this taken care of. I call, go through the system
Well....this isn't so convenient, says I, but I'll give 'er a shot. I called up this second phone number and I'm told that all lines are busy now. They'll take my call as soon as they can. My estimated wait is... 60 minutes.
Ok, I wasn't that desperate. So, I went to their website to request help through their online customer service form. They usually get back to people quite promptly, I'm informed.
Five days later
OMG you could just substitute PAC-BELL (Score:2)
Re:Qwest (Score:2)
Nice logic (Score:2)
why not? (Score:3)
I cheerfully pay my ISP every month, because they provide me with a reliable, stable, fast DSL line. If it wasn't that way, I'd be in line clamoring for a refund too.
The computer industry is way too lax on quality of service - every program, OS, or hardware device has a disclaimer that they aren't responsible if it doesn't work. What am I paying for then?!?
Re:why not? (Score:3)
DID they take reasonable precautions ? (Score:2)
and are looking for any way to blame someone, anyone else. There were very simple steps to remove ANY machine that was infected, rather than DO THE JOB they were getting PAID FOR, they will blame someone else. If you offer a network, your clients have a right to assume YOU KNOW HOW TO RUN IT.
Re:why not? NOT! it's "Who!" (Score:2)
Who's responsible for the lax security in the #1 email client?
Who lets the idiot users that use their idiot software run attachments?
I'll give ya a hint. They have plenty o' cash, and his name is Bill. Last name Gates. Works for Microsoft. In Redmond, Washington. He's friggen rich, dumbass! Sue that guy! not your damn ISP which is gonna go out of business anyway! Good grief!
Re:why not? NOT! it's "Who!" (Score:2)
Americans sue who they want, when they want, over the stupidest things, and it doesn't have to make sense! that's the beauty of the system!
Re: (Score:2)
Re:Did I miss something? (Score:1)
Re:Did I miss something? (Score:1)
It wasn't packet size, it was that CBOS (Cisco Broadband OS) versions earlier than 2.4 suffer the same vulnerability to specifically malformed URI's as IIS.
Re:Did I miss something? (Score:1)
Re:Did I miss something? (Score:2)
Yes. At least with AT&T@home the Tech Support people are authorized to give refunds for outages. At least that was the way it was when I worked there.
Re:Did I miss something? (Score:2)
It hit bugtraq a few months ago, while cisco was fairly responsive and issued a patch, Qwest at that time declared that patch unsupported.
Not quite... (Score:2)
Nuts to you... (Score:1)
Maybe you should. TimeWarner Austin (part of the evil AOL Empire) will give credits for service problems with RoadRunner. All I have to do is call up whenever there is a problem (outages, etc.) and they credit me for the inconvenience.
Mister Black
complete package? (Score:1)
I look at it like my cell phone service: if the phone that I own breaks, it is my responsibility to get it fixed. If my provider's towers all go down and I can't get service for a month, I wouldn't expect to have to pay!
hmmm (Score:2, Funny)
Oh, I'm sorry, when we all sold our souls to microsoft when we signed the user agreement I bet that was covered.
passing the blame (Score:1)
Of course, the responsible thing to do would be any or all of the following
Whose problem? (Score:2)
What Qwest clearly fails to comprehend is that, by choosing the tools they did, which have a known history of virus vulnerability, they are responsible for the repercussions.
It's a well-settled legal principle that persons are held responsible for the actions of their agents when those agents act in the furtherance of their employers' wishes and in a manner not contradictory to responsible behavior.
Microsoft and Cisco perhaps should be held independently responsible for their failings here, but it certainly does not follow that Qwest ought be absolved of all duty to its customers.
The rationale behind such a legal relationship is readily apparent. The customers have their dealings with Qwest.
The customers often are not provided the opportunity to inquire into the methods Qwest is using to provide customers with services.
And even when they are, there is no reasonable expectation that these subcontractors will listen to these end customers. (After all, their customers aren't Qwest's customers. Their customer is Qwest alone.)
But Qwest has no real reason to complain to Microsoft and Cisco, since Qwest can simply pass the costs on to their consumers as they're trying to do here.
In the end, consumers are shafted, and everyone else profits.
Only by extending legal reliability up the foodchain to people making the final decision can we attempt to ensure that moronic decisions like these accurately produce the repercussions for decision-makers that consumers feel.
Re:Whose problem? (Score:1)
Umm....Cisco has a long history of virus vulnerability? Please Explain. Because IIRC, it was a Cisco Bug that caused the Cisco router to crash/hang when Code Red hit the Management interface that Cisco has on port 80. And I was unaware of Cisco having a "known history of virus vulnerability".
-= Rhyas =-
Re:Whose problem? (Score:2)
Microsoft and Cisco perhaps should be held independently responsible for their failings here, but it certainly does not follow that Qwest ought be absolved of all duty to its customers.
This problem has been known for a few months prior to the CodeRed outbreak. Cisco was fairly responsive in issuing a fix (not as fast as their normal bug fixes... but this isn't an IOS so it's somewhat understandable.)
Qwest should be somewhat held responsible because the fix had been out for a decent period of time, during which Qwest had declared the patch unsupported, leaving people who wanted to patch their routers without much of a choice but to leave it broken, and DOSable.
Re:Whose problem? (Score:2)
When MS lists the IIS holes in the EULA and the user signs off on them, I'll accept it as the user's fault.
But, the EULA says, in as lawyerly prose as possible, that Microsoft isn't liable for anything. Even if they intentionally bundled a virus with the OS and targeted it at you, the EULA disclaims all responsibility.
I too think that people should be able to purchase less-than-perfect products, and then be unable to sue, if it was clear what the defects were, or the extent of the seller's knowledge.
For instance, if you buy a Machine, and it's marked "As Is", you're entitled to take it back for a full refund if you find that the seller knew it didn't work. You see, "As Is" means "I don't know" not "I tested it and it failed". It's perfectly reasonable to sell something broken, even something you believe will never work again, as long as you make its condition clear when you sell it.
Microsoft *knows* its products are shit. If they don't take immediate steps to correct this, along with notifying potential customers, imho they're liable for the damages. Hell, there's a ton of companies who are skilled in fixing security bugs. Counterpane does security audits, both network and code. They could even bring in Theo from OpenBSD; whatever else is true about Theo, he's smart enough to know which C and C++ functions risk overwriting a buffer.
Because Microsoft makes NONE of these attempts to fix their products, in my eyes, they are liable for the damages caused.
Re:Whose problem? (Score:2)
1) Oops, my bad.
2) I know the law would protect you, I was saying that if MS had their way and the EULA was a contract, that you wouldn't be protected. Hypothetical.
3) Yeah, I know. They fail most of the prerequisites for a valid contract.
4) There's a difference between 'not the best' and 'shit'. MS fraudulently sells the product as enterprise ready for servers yet knows they are not capable, let alone less capable than the free stuff.
5) Yes, monopolies should get different treatment than other companies. The spirit of capitalism is companies competing to bring you a product, not someone lying, cheating, and stealing to drive everyone else out of business, leaving the consumers with no choice.
Re:Whose problem? (Score:2)
Vigorous competition is the solution to these problems, IMHO.
I completely agree, unfortunately cable is a shared medium, so a solution like the phone company's line sharing agreements is impossible. You could at least force the cable companies to offer pure internet connectivity with no services to resellers at competitive prices though. Personally I'd like to see the communities buy out their local cable companies, even through local bonds if needed. There is real competition in the DSL broadband market though. The phone companies have a monopoly on the lines themselves, and on the colocation space in the COs, but this is highly regulated (and a natural monopoly). It wouldn't take too many people to create a co-op for DSL service for your local community, and you could easily expand that to a long distance and even local phone service co-op. Get enough revenues and maybe you could even start thinking about buying out your local CO. I don't know the regulations, but maybe you could even make a deal with some TV stations and offer cable TV service through the phone lines. Be sure to let me know where you do this, I'll strongly consider moving there.
Yeah, most of that is nothing more than shitty pipe dreams, but I still contend that the efforts should be spent treating the problem, not the symptoms.
I have a better idea... (Score:1)
Or if Qwest doesn't wish to offend their customers, they should just blame Microsoft. I understand that this is standard practice... just yesterday, some Delphi fucktard (you know the type... "just drag and drop the components! yes, that's all it takes to be a real programmer!" ha ha ha) was telling me that the ability to blame Microsoft -- even for things that aren't really Redmond's fault -- is an advantage of running NT! It's really getting difficult for me to defend Windows as a rightful player in the heterogenous world of computing when its users display such poor judgement and reasoning.
Re:I have a better idea... (Score:1)
Re:I have a better idea... (Score:1)
Also, I happen to be a residential Qwest DSL customer as well, and I made DAMN sure there was nothing in the language of the contract that restricted me from running a webserver, mailserver, or any other server I might get a hankerin' for. So no, you can't charge people for abusing their lines.
excite article (Score:2)
E.
Why shouldn't they get refunds? (Score:2)
When a telephone pole near my house was struck by lightning last year, I lost cable (and cable modem Internet access) for a couple of weeks. The cable company not only happily refunded me half a month's worth of charges, but I didn't even have to ask.
- A.P.
Re:Why shouldn't they get refunds? (Score:1)
code red (Score:1)
Excite@home (Score:1)
I hope Excite@HOME [slashdot.org] customers don't demand refunds.
Damn (Score:5, Interesting)
First, if you lost cablemodem service for almost a WEEK, WHILE BEING LIED TO about the cause, wouldn't you be a little mad? This was the case here in Fairfax. They tried to say it was "scheduled router upgrades", only to backpedal a couple days later after everyone figured it out (and they had to implore their users to patch, and their email system was down, etc etc).
Second, I guess I'm wacky, but if I pay for something, I want what I paid for, as other people have said here. I pay $45 a month for cable service. I don't call and complain if it goes out during a storm for a couple hours. But if it's down for DAYS, their tech support line is TURNED OFF, and no one will tell me when it's coming back up, I expect to not have to pay for this service! I am not being given anything but a blinking data light. Some of us do not maintain multiple backup dial-up accounts; yes, I'll freely admit I'm spoiled by broadband, but at the same time, I can't justify spending $25 a month in case I lose my connection for a week. All the DSL providers in my area are dead or dying; roadrunner is my only option besides modeming (which is a bad scene in and of itself, due to "multiplexed lines" or some such nonsense which means I get 28.8 tops).
Third, if no one says anything and just rolls over, then the company will not be challenged to provide a high level of service, since they will know customers will just take it.
Sorry, Taco, but you're a helmet.
Re:Damn (Score:2)
anyway, where you at in fairfax? i'm right near the high school. mmmm, china gourmet. did you know that think geek is situated in fairfax too?
Re:Damn (Score:2)
Traffic jams are often not the fault of the state, but morons rubbernecking. The state, in nearly every case I can remember, mentions to me in advance when they're going to tear the roads up, so I can plan an alternate route.
Try again.
Re:Damn (Score:2)
>state, but morons rubbernecking.
You can't really compare public roadways
to privately owned telecommunications.
Re:Damn (Score:2)
Stuff happens. Pick your battles. Win them and you won't have anything to complain about.
Re:Damn (Score:2)
They may be able to make a case if the customer was infected. But what if they weren't? Either way, they still lied to their customers and the service was still down for a WEEK.
Re:Damn (Score:2)
Why would he do that? There is no other comparable service available. One vendor. One choice if you want broadband. Just because they're the only vendor doesn't mean they should be allowed to get off so easy. They failed to provide service for a week. Why should customers have to pay for a month of service when they only received 3 weeks worth? I wouldn't cancel. I'd pursue the matter til it gets resolved. If I get stonewalled somewhere along the line, I'd make sure it makes the news (they love this sort of stuff). Perhaps get my rep involved. There are options.
Refund or Service. (Score:2)
Oh and option number 3: Be a pissed off customer and complain you want your $5 in this time of economic uncertainty for broadband companies and if enough other people do it the company is unable to pay its bills and you are left with no service at all.
Let's just say that when my nntp connection goes down with @home for a few hours each month I do not call demanding a refund.
Re:Refund or Service. (Score:2)
I know of many ISPs that cap customers, either in momentary bandwidth (ie, speed caps) or in total bandwidth, or both, where the speed cap drops lower, the more you've downloaded.
This way they can afford their backbone costs and provide service to everyone without letting a few people use up a T3.
The reason QWest is providing unlimited bandwidth is so that they can drive all the competition out of business. Monopolistic practices.
And we're supposed to go easy on them when they don't provide what they contract to provide?
Do you think the board of QWest is sitting around, discussing overdue bills, saying "We don't have a realistic understanding of living on one wage and supporting children, so we should let these people slide a month" or do they automatically forward all overdue bills to collection, thus ruining your credit rating?
I might be prepared to cut them some slack if 1) they'd ever return the favor and 2) they we're monopolistic jerks trying to run everyone else out of business.
From an affected party (Score:1)
I just don't think that Qwest was proactive enough in coming to a solution. They tossed out "patches" and "quick-fixes" without really testing them. I just think that the whole issue could have been resolved much faster than it was. They *should* be handing out refunds, but they never will. I for one am looking into new ISP alternatives. This is not the first time my company has gotten screwed by Qwest.
Problem Solved (Score:1)
then your dumb Microsoft product using ISP sues microsoft,
Microsoft disappears into the blackhole created by the massive gravitational effect caused by so many money-hungry lawyers rushing to Redmond to jockey for position at the trough.
Let's see, microsoft disappears and we lose the lawyers, perhaps human civilization might have a chance to survive after all
Who's really to blame? (Score:1)
I have to wonder what the implications for responsibility would be if they were using open source code instead.
Reminds me of the whole Ford/Firestone fiasco.
Anybody who's ever blown a tire would know that you shouldn't get into an accident unless you do something stupid. (Car&Driver verified this with an elaborate road test). Ford and Firestone have to blame each other to avoid directly calling their customers idiots. (just for the record, I drive a Ford, so flame away
Anyway, to get back on topic, this is a classic case of blaming the "fall guy" because it's too tough to go after the real problem.
Flame Away!
hypocrites (Score:1)
Using Microsoft in infrastructure? (Score:1)
If my line went down because the people that run my ISP are inept, I would DEMAND a refund of the time that it was down. If I had an option, I'd switch ISPs.
Honest accidents, or causes like weather, are understandable. Large tech companies that have extensive tech staff running Microsoft products is inexcusable.
I was hit... (Score:2)
Re:I was hit... (Score:2)
How many of those Qwest customers had PWS (IIS) installed because they have no fucking clue what the hell they're doing? Probably just as many people who are demanding money back from Qwest.
Do your homework.
I did, are you the one who's going to correct it?
Don't jump to conclusions, it's a lonely place.
RE: Qwest (Score:1)
I think it sucks because I was told that Qwest waited to patch their servers not thinking that this was a big problem. A company as big and powerful (bandwidth wise) as Qwest is should be careful with their servers, especially with things like this that could take out service for everyone.
Luckily my company was able to eventually get through to some semi-competent people at tech support that helped us through it. Unfortunately my dad's company wasn't so lucky. They had 6 hour waits just to get hung up on, and call back, wait 4 more hours just to get someone that avoided the fact that it was there.
I eventually ended up giving him the way to fix it and they were up again in a few minutes. But without experiences with Qwest we are not in a position to highly recommend them as an ISP. Though, when they're up, they're good. But so goes the story of broadband connections, right?
Unbelievable.... (Score:2)
Unfortunately, the courts will either help these "poor" users, or it will be swept under the table.
I just wish for once we'd get a judge that would publicly announce that the plaintiffs in a frivolous lawsuit were morons and idiots... but then that'll bring more frivolous lawsuits... and so starts the spiral downward...
If this case is won by the users.... when can we sue microsoft for all the lost productivity their operating system causes weekly?
Shouldn't.. (Score:2)
Qwest are slime! (Score:2)
Spammers like Qwest Re:Qwest are slime! (Score:2)
Want to Sue? Sue Microsoft! (Score:2)
2) If you are running, oh say unix, you didn't agree to their licence.
3) Their shoddy product is unsafe on the information superhighway, and creates unsafe conditions for the others.
Microsoft has had staffers and employees state the goal is to push out new product, adding features over 'good code' or fixing old bugs. You might just get #3 to stick.
All you have to do is get a jury to buy #3. The lawyers will like 1 and 2.
Lost business (Score:2)
It isn't "five bucks" for a loss of downtime. Most connections alone run between $30-50 in the DSL/Cable range a month, so 10 days, or 1/3 of that, is a loss of at least $10. Add to that work that cannot be completed over the internet, and the downtime can become severe.
Also, I don't think this situation is helping my provider, @Home, stay in the business any longer. If they can't start blocking these packets they're going to lose subscribers, which is the very last thing they should be doing right now.
Re:Lost business (Score:2)
refund for what ? (Score:2)
as they were identified as infected. If you are looking for a refund for the FIRST you should sit down and be quiet, IF you are looking for a refund for the SECOND then I APPLAUD your efforts.
Let me spell it out in small words then... (Score:2)
"it" happens (Score:2)
In some cases, there may be those who had never actually had the bug, and had experienced a network outage because of the "other people." This happens. Qwest cannot control the weather from destroying a router station just as much as it can't control a virus. Downtimes are a fact of life, a network is dynamic. Shit happens.
Avoid blaming at all, but at least when you need to, put blame where blame is deserved -- the Code Red virus. Don't sue the messenger.
Re:"it" happens (Score:2)
Which is why I assume you posted as Anonymous Coward?
Code Red and Cisco 675 (Score:4, Interesting)
1. I have received announcements about Code Red in everything security-related that I was subscribed to, and as usual, ignored it because I don't use IIS, Windows and other garbage of that kind.
2. Cisco 675 router that connects me to my providers (ISP is Megapath, line was Rhythms) started hanging in the most outrageous manner possible, being not accessible even from its serial console that I have attached to one of my Linux boxes through USB multiport serial converter. It was "outrageous" and not merely "bad" because same Linux box happened to have still-working Ricochet modem attached to another USB port, and I was able to reach it from work even when DSL was down, but couldn't reset DSL until I was physically at home.
3. Later announcements mentioned Cisco routers as vulnerability, and recommended to disable web administration on the router as a workaround, and upgrade the firmware. Cisco page mentioned an upgrade but did not offer anything to download -- required to call their phone number or email them and beg for firmware update. Knowing that everybody who ever bought Cisco 6xx, plus a bunch of people who didn't know how their company's Catalyst differs from bitty box 675, will be trying to reach Cisco, I have chosen to do a workaround.
4. I have disabled web administration, it stopped working, but router continued listening on the port 80. I assumed, it will just ignore all data that it receives, so a bug won't be triggered.
5. Router still hangs. I have set a filter to block everything that comes from outside to the port 80 on the router. It looked like router stopped responding to this, so I was confident that I am not vulnerable to that thing anymore.
6. Router still hangs. Apparently my mind was not advanced enough to comprehend the brokenness of CBOS -- broken code was receiving packets BEFORE THEY PASSED THE FILTERS.
7. I have looked at the Cisco site to check if they got the idea, how many requests for copies of CBOS patches they are supposed to process and posted the binaries. Nothing -- the page still contained a phone number and email address, and since I was at home, I could be pretty sure that people who were supposed to answer at Cisco weren't at work either.
As opposed to other Cisco products, CBOS has no optional pieces, and is useful for a single purpose of upgrading shitty 6xx boxes, so why they needed my phone call to make sure that I am indeed going to use their software to upgrade their router and not, say, print as a hex dump and smoke it, is still a mystery for me.
8. While constantly resetting Cisco, I have started IRC, and asked some of my friends if they know, where to find those damn patches. After few minutes I have received some rather unflattering description of CBOS, Cisco and Intel (who happened to be the real authors of this shit), and the URL on Qwest site with CBOS images.
9. CBOS images were distributed as Windows executables, with Windows upload program but no instructions -- probably following the logic that if a customer has his servers infected by a virus, running downloaded executables is the least of his concerns. Fortunately, Windows executable was a wrapped zip file, and upload procedure over a serial console was in the router's documentation.
10. Router worked fine ever since, but it looks like it's still impossible to filter or completely disable web administration on it.
---
Of course, this was that simple only because I had a full access ("exec" and "enable" passwords) to the router. I am afraid to think, how Qwest technicians would have to work if they had to upgrade customers' routers over the network while routers were being attacked, or to distribute passwords to the customers to make them able to run the updater program (I have never seen it running, I assume that it uploads updates either by xmodem over console or by TFTP -- in the first case only customer can enter the password, and in the second one _someone_ has to login to the router and still enter the password), so I kinda understand why Qwest couldn't do much in this situation. OTOH, Cisco could at least issue binary patches as a public-accessible download.
Re:Code Red and Cisco 675 (Score:2)
Very bad (Score:2)
Very bad that you do not. If you did, and everybody around did the same, probably the current sore state of the security would improve, some knowledgeable sysadmins would be hired and some holes would be plugged.
As long as the users agree to get crappy service, crappy software and crappy security for their money, they will get crap. The only way to not get crap is to refuse to tolerate that anymore. So if somebody sues their ISP that neglected to provide them the required service and to maintain security, it's a very good thing. If people are promised 24x7 connection and support and then when the problem comes they are told "well, it doesn't work, just wait and maybe it will be fixed in a day or two or more" - they have the right to demand compensation.
Qwest's level of responsibility. (Score:2)
On the other hand, I believe they (along with others) had problems relating to bugs in the DSL modems. Bugs which they had a patch for but didn't inform their customers about immediately. For that they are potentially responsible.
I want my money back. (Score:2)
If I'm paying through the nose for a high speed connection, and it disappears for 2 solid weeks, you can bet that I want some money back. They're giving us all a free month of service now.
So with this logic (Score:2)
How was it down? (Score:2)
The article doesn't say how the service didn't work.
Did Qwest actually shut down stuff, or was it just so clogged with traffic that it was effectively unusable? If the former, it's QWest's problem and people deserve a refund. If the latter, it's just Life.
Re:How was it down? (Score:2)
Basically, Code Red somehow affected USQwest's Cisco DSL modems, which all stopped working and had to be reset. That's how they lost service: the USQwest equipment located in the customer's premises failed, and USQwest left it up to the customer to fix it. The sooner you figured out what was wrong, learned how to fix it, and successfully performed the repair, the sooner you were back on-line. Since the delay in fixing USQwest's equipment was entirely due to the customer's inaction, ignorance, and/or technical inexperience, USQwest feel they don't need to offer any refunds.
And since the Explorer wouldn't have rolled over and killed Uncle Fred if he wasn't driving it, it's Uncle Fred's fault, not Firestone or Ford's. Ain't Republ^h^h^h^h^h^hCorporate Logic wonderful?
Not the whole story (Score:2)
Times:
Qwest refuses refunds to DSL customers for Code Red outages [nwsource.com]
Qwest falls short tackling Code Red worm, but other DSL customers appear to fare better [nwsource.com]
'Code Red' wrigglings put users in knots [nwsource.com]
PI:
State pressing Qwest for refunds after 'Code Red II' DSL breakdowns [seattlep-i.com]
Worm has Qwest DSL customers seeing red [seattlep-i.com]
The real story is not in the articles about the State pressing USQwest for refunds, but the earlier ones describing how USQwest basically ignored the problem for as long as possible, then gave people like your Aunt Mildred complex instructions on how to patch their computers and DSL modems, which were broken by Code Red even though the affected customers were not running NT and IIS! Naturally, the Aunt Mildreds of the world had, shall we say, difficulty following the instructions, and if you didn't follow them exactly you only made it worse. It was USQwest's Cisco DSL modems that got hosed, not their customers' PCs, and the customers were first demanding that USQwest fix it and now are rightly demanding a refund for the DSL service they paid for and did not receive.
As the excite.com article said, this is the same as not getting your newspaper or cable TV -- if a customer pays for a service they did not get, they deserve a refund. Unfortunately the outcome in this case will be less than optimal, because it won't result in USQwest leaving Washington State for good!
Re:Does anybody else... (Score:1)
Re:Qwest was negligent (Score:2)
Actually, with that version of the Cisco firmware the router would crash due to Code Red's probe packets even if the port was disabled.
If Qwest was negligent it was because they didn't upgrade the firmware in the routers they supplied, and didn't provide the users with a notification of the need to upgrade and a convenient way to do so.
Re:Qwest was negligent (Score:2)
Could I see some evidence for this claim?
I'm just quoting something I found on another site. Unfortunately, I was unable to find it again with about 10 minutes of web searching.
Sorry. (If I run across it again I'll post a followup.)
Re:Qwest was negligent (Score:2)
Re:Qwest was negligent (Score:2)
The problem is, that leaves you behind NAT, and people with "business" DSL service have bunches of servers behind their routers.
Re:Qwest was negligent (Score:2)
This isn't rocket science. NAT each of the public IPs to the same firewall machine and set up the rules to redirect to the private servers as appropriate. Done.
BTW, this is a business network. I just threw out a simple rule for the 99.9% user. Tweaking it is like eating popcorn.
Refunds for not providing internet access... (Score:2)
It's important to note that Internet access is fundamentally, essentially, and always peer-to-peer. If you don't allow peer-to-peer access, you can call it "client-server" access or something else, but it's a lie to call it Internet access.
Anyone who wants to limit service in this way is incompetent to boot, since the Right Way to prevent abuse is not port blocking, but bandwidth capping. At a time when AT&T cable access is such a takeover target, it makes you wonder what the hell they are thinking.
Worse, by getting away with such a deceptive, unfair, and unnecessary abuse of their relationship with the customer, they are only paving the way to battle the Internet back into the traditional broadcast mode, where a few big companies have a voice, and individuals have none. I'm sure DisneyTimeWarnerNbcABCBSViaColumbialetric would love that, but you should hate that unless you also hate freedom. Like I said, if that's the service they want to offer, let them, but they can't claim that it's "Internet access" without ripping you off.
If i had any mod points (Score:2)
The parent makes several salient points about a possible internet model.
Freeway Guardrail Ping-Pong - An Analogy (Score:3, Funny)
Quoting from article:
Steve Larsen, who heads the attorney general's new Cyber consumer resource center, said in a message to Mangus: "It seems reasonable that a customer should not have to pay for service they can't get. If you can't watch your cable TV or your newspaper doesn't show up for days/weeks at a time, I assume you won't pay. I believe that is all your customers ask here regardless of fault."
Scenario. Some idiot is driving a poorly-maintained car which was ill-conceived at the design stage. Maybe he didn't even know he was driving...
A wheel breaks off and his car plays Guardrail Ping-Pong on the turnpike.
The ensuing traffic jam shuts down the city's busiest artery, halting all commerce in the city. Your newspaper doesn't arrive as a result.
Multiply that by many, many cars at the same time [glowingplate.com].
Why don't we go after the bigger problem and charge the jackasses [microsoft.com] who designed perpetually failure-prone cars and the jackass owners [google.com] who don't maintain them?
Going after them instead of the local highway contractor [qwest.com] seems like a better idea to me.
Especially since these drivers have no excuse for not knowing [yahoo.com] how dangerous their flawed little cars are.
Re:Freeway Guardrail Ping-Pong - An Analogy (Score:2)
Oh c'mon, Lawrence. It was a tractor-trailer whose wheel broke off, and it was the 401. Anyone could'a guessed THAT...
Re: (Score:2)