[126927] in North American Network Operators' Group
Re: Nato warns of strike against cyber attackers
daemon@ATHENA.MIT.EDU (Mark)
Wed Jun 9 00:51:04 2010
From: Mark <mark@edgewire.sg>
In-Reply-To: <6AC7A7DC-7F75-4FE6-9362-C6B80E924769@ianai.net>
Date: Wed, 9 Jun 2010 12:45:14 +0800
To: "Patrick W. Gilmore" <patrick@ianai.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 09-Jun-2010, at 12:36 PM, Patrick W. Gilmore wrote:
> On Jun 9, 2010, at 12:26 AM, Steven Bellovin wrote:
>
>>> Problem is there's no financial liability for producing massively exploitable software.
>>> No financial penalty for operating a compromised system.
>>> No penalty for ignoring abuse complaints.
>>> Etc.
>>>
>>> Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection.
>>>
>>
>> It isn't Microsoft. It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS. (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.)
>>
>> Microsoft is targeted because they have the market. If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years. It's also Flash and Acrobat Reader. It's also users who click to install every plug-in recommended by every dodgy web site they visit. It's also users who don't install patches, including those for XP (which really was that buggy). There's plenty of blame to go around here....
>>
>> A liability scheme, with penalties on users and vendors, is certainly worth considering. Such a scheme would also have side-effects -- think of the effect on open source software. It would also be a lovely source of income for lawyers, and would inhibit new software development. The tradeoff may be worthwhile -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold.
>
> I agree the miscreants go for the bigger bang for the buck. That said, earlier versions of Windows really were soft targets. I don't know enough about Win7 to comment, but I respect Steve and will accept his opinion. Let's hope MS keeps up the good work - I do not want to bash Windows (no matter how fun it is :), I want to stop being attacked.
>
> But it is not -just- market share. There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, and RIM. I think combined. Yet Windows Mobile has the lowest market share of the four. So unless that is spillover because Windows Mobile & Windows Desktop have the same vulnerabilities, it shows that market share is only one piece of the puzzle.
>
> All that said, the biggest problem is users. Social Engineering is a far bigger threat than anything in software. And I don't know how we stop that. Anyone have an idea?
>
Remove the users. The problem goes away. Just kidding on that. Really, the only way ahead is educating the users about the threats and all, and maybe a "learning experience" is due for most of them.
> --
> TTFN,
> patrick