[126934] in North American Network Operators' Group


Re: Nato warns of strike against cyber attackers

daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jun 9 01:39:13 2010

From: Owen DeLong <owen@delong.com>
In-Reply-To: <4036E91C-ED3D-4E62-8F75-C3C7B3DD2A37@cs.columbia.edu>
Date: Tue, 8 Jun 2010 22:33:14 -0700
To: Steven Bellovin <smb@cs.columbia.edu>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jun 8, 2010, at 9:26 PM, Steven Bellovin wrote:

>> Problem is there's no financial liability for producing massively exploitable software.
>> No financial penalty for operating a compromised system.
>> No penalty for ignoring abuse complaints.
>> Etc.
>>
>> Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection.
>>
>
> It isn't Microsoft.  It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac OS.  (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant work environment for me.)
>
> Microsoft is targeted because they have the market.  If Steve Jobs keeps succeeding with his reality distortion field, we'll see a lot more attacks on Macs in a very few years.  It's also Flash and Acrobat Reader.  It's also users who click to install every plug-in recommended by every dodgy web site they visit.  It's also users who don't install patches, including those for XP (which really was that buggy).  There's plenty of blame to go around here....
>
> A liability scheme, with penalties on users and vendors, is certainly worth considering.  Such a scheme would also have side-effects -- think of the effect on open source software.  It would also be a lovely source of income for lawyers, and would inhibit new software development.  The tradeoff may be worthwhile -- or it may not, because I have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold.
>
>
Open source should be basically covered by the equivalent of a Good Samaritan clause.

After all, the source is open, so anyone who wants it fixed can fix it.

OTOH, non-open-source software which is subject to dependency on a vendor who got paid for the software as a professional development house should carry a different standard of liability.

Just as the mechanic you pay at the local garage is held to a higher standard of liability than the shade-tree mechanic on your block who changes your oil for free.

Owen
