[126966] in North American Network Operators' Group
Re: Nato warns of strike against cyber attackers
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jun 9 09:54:00 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <201006091317.o59DHQjf016480@aurora.sol.net>
Date: Wed, 9 Jun 2010 06:52:01 -0700
To: Joe Greco <jgreco@ns.sol.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 9, 2010, at 6:17 AM, Joe Greco wrote:
>> On Jun 9, 2010, at 5:02 AM, Joe Greco wrote:
>>=20
>>>> So? If said end customer is operating a network-connected system =
without
>>>> sufficient knowledge to properly maintain it and prevent it from =
doing mischief
>>>> to the rest of the network, why should the rest of us subsidize her =
negligence?
>>>> I don't see where making her pay is a bad thing.
>>>=20
>>> I see that you don't understand that.
>>>=20
>> Seems to me that you are the one not understanding...
>>=20
>> I can't refinance my mortgage right now to take advantage of the =
current interest
>> rates. Why? Because irresponsible people got into loans they =
couldn't
>> afford and engaged in speculative transactions. Their failure =
resulted in
>> a huge drop in value to my house which brought me below the magic
>> 80% loan to value ratio, which, because of said same bad actors =
became
>> a legal restriction instead of a target number around which lenders =
had
>> some flexibility. So, because I had a house I could afford and a =
reasonable
>> mortgage, I'm now getting penalized by paying higher taxes to cover
>> mortgage absorptions, reductions, and modifications for these =
irresponsible
>> people. I'm getting penalized by paying higher interest rates because =
due
>> to the damage they did to my property value and the laws they forced
>> to be created, I can't refinance.
>>=20
>> I'm mad as hell and frankly, I don't want to take it any more.
>>=20
>> Do you see that? Do you still think I don't have a legitimate point =
on this?
>>=20
>> I'm tired of subsidizing stupidity and bad actors. It's too =
expensive. I don't
>> want to do it any more. We already have too many stupid people and =
bad
>> actors. We really don't need to subsidize or encourage the creation =
of more.
>=20
> A doesn't really seem connected to B.
>=20
Proof that you still don't get it.
Punishing those that are responsible by making them pay for the behavior
of those who fail to take responsibility IS a major problem.
A and B are both examples of such a process.
>>>> The internet may be a vast ocean where bad guys keep dumping =
garbage,
>>>> but, if software vendors stopped building highly exploitable code =
and ISPs
>>>> started disconnecting abusing systems rapidly, it would have a =
major effect
>>>> on the constantly changing currents. If abuse departments were =
fully funded
>>>> by cleanup fees charged to negligent users who failed to secure =
their systems
>>>> properly, it would both incentivize users to do proper security =
_AND_ provide
>>>> for more responsive abuse departments as issues are reduced and =
their
>>>> budget scales linearly with the amount of abuse being conducted.
>>>=20
>>> The reality is that things change. Forty-three years ago, you could =
still
>>> buy a car that didn't have seat belts. Thirty years ago, most =
people still
>>> didn't wear seat belts. Twenty years ago, air bags began appearing =
in
>>> large volume in passenger vehicles. Throughout this period, cars =
have been
>>> de-stiffened with crumple zones, etc., in order to make them safer =
for
>>> passengers in the event of a crash. Mandatory child seat laws have =
been
>>> enacted at various times throughout. A little more than ten years =
ago, air
>>> bags were mandatory. Ten years ago, LATCH clips for child safety =
seats
>>> became mandatory. We now have side impact air bags, etc.
>>>=20
>> Sure.
>>=20
>>> Generally speaking, we do not penalize car owners for owning an =
older car,
>>> and we've maybe only made them retrofit seat belts (but not air =
bags,
>>> crumple zones, etc) into them, despite the fact that some of those =
big old
>>> boats can be quite deadly to other drivers in today's more =
easily-damaged
>>> cars. We've increased auto safety by mandating better cars, and by
>>> penalizing users who fail to make use of the safety features.
>>=20
>> Right, but, owners of older cars are primarily placing themselves at =
risk, not
>> others.
>=20
> I am pretty sure I saw stats that suggested that old cars that crashed =
into
> new cars did substantially more damage to the new car and its =
occupants than
> an equivalent crash between two new cars, something to do with the old =
car
> not absorbing about half the impact into its own (nonexistent) crumple
> zones, though there are obvious deficiencies in the protection =
afforded to
> the occupants of the old car as well...
>=20
Old cars without crumple zones tend to do more damage to new cars
with crumple zones. Occupants of new cars tend to receive less damage
because the crumple zones absorb some of the energy while occupants
of older cars receive more of the energy transferred directly to them =
due
to the higher stiffness of the older car.
At least in the studies I have read.
>> In this case, it's a question of others putting me at risk. That, =
generally,
>> isn't tolerated.
>>=20
>>> There is only so much "proper security" you can expect the average =
PC user
>>> to do. The average PC user expects to be able to check e-mail, view =
the
>>> web, edit some documents, and listen to some songs. The average car =
driver
>>> expects to be able to drive around and do things. You can try to =
mandate
>>> that the average car driver must change their own oil, just as you =
can try
>>> to mandate that the average computer must do what you've naively =
referred
>>> to as "proper security", but the reality is that grandma doesn't =
want to=20
>>> get under her car, doesn't have the knowledge or tools, and would =
rather=20
>>> spend $30 at SpeedyLube. If we can not make security a similarly =
easy
>>> target for the end-user, rather than telling them to "take it in to
>>> NerdForce and spend some random amount between $50 and twice the =
cost of
>>> a new computer," then we - as the people who have designed and =
provided=20
>>> technology - have failed, and we are trying to pass off =
responsibility=20
>>> for our collective failure onto the end user.
>>>=20
>> I disagree. It used to be that anyone could drive a car. Today, you =
need
>> to take instruction on driving and pass a test showing you are =
competent
>> to operate a motor vehicle before you are allowed to drive legally.
>>=20
>> Things change, as you say. I have no problem with the same =
requirement
>> being added to attaching a computer to the network.
>>=20
>> If you drive a car in a reckless manner so as to endanger others, you =
are
>> criminally liable for violating the safe driving laws as well as =
civilly liable
>> for the damages you cause. Why should operating an unsafe computer
>> be any different?
>=20
> Generally speaking, because the computer is unsafe by design, and most =
of
> the problems we're discussing are not "driving the car in a reckless
> manner." I do not live in mortal fear that I am going to steer my car =
into
> the median and it's going to jump over into oncoming traffic and ram =
into
> an oncoming semi, because that's simply not something I'd do, and it's =
not
> something the car designers expected would be a regular thing to do. =
On
> the other hand, I do live in mortal fear of opening a PDF document on =
a
> Windows machine, something that both Adobe and Microsoft deliberately
> engineered to be as easy and trivial as possible, and which millions =
of
> people do on a daily and regular basis, but which nonetheless can have
> the undesirable side effect of infecting my computer with the latest
> stealth exploit, at least if I read the news correctly.
>=20
I don't agree with your premise. Yes, some operating systems are unsafe
by design, but, not all. As I said, you should be accountable for the =
behavior
of your computer. If you can show that the behavior was the result of =
faulty
software, then, you should be able to recover from the manufacturer of =
that
software (assuming you paid a professional for your software).
Just as a driver of a car with a stuck accelerator due to manufacturer =
defect
is liable to the pedestrians they plow, and, the manufacturer is liable =
to the
driver, I see no reason not to have a similar liability chain for =
software.
Strangely, I don't live in mortal fear of opening a PDF document on my
Macs or Linux systems. As such, I don't see why we should all be =
punished
for the fact that you chose to buy software from the morons in Redmond.
A bad choice made by a majority of people is still a bad choice.
(Note: You are the one who singled out Micr0$0ft first.)
> As a Windows user, I *am* *expected* to open web documents and go =
browsing
> around. The Internet has been deliberately designed with millions =
upon
> millions of domains and web sites; it's ridiculous to suggest that =
users
> should be aware that visiting a particular web site is likely to be
> harmful, especially given that we can't even keep servers safe, and =
some
> legitimate high-volume web sites have even been known to serve up bad
> stuff.
>=20
I assume all web sites are potentially harmful unless I have good reason
to believe otherwise. Why shouldn't everyone be expected to behave
in a similar manner?
Seems to me that is the only rational approach. Don't you tell your =
kids
not to talk to strangers? Isn't this sort of the same thing?
>>> I'm all fine with noting that certain products are particularly =
awful.
>>> However, we have to be aware that users are simply not going to be =
required
>>> to go get a CompSci degree specializing in risk management and virus
>>> cleansing prior to being allowed to buy a computer. This implies =
that our
>>> operating systems need to be more secure, way more secure, our =
applications
>>> need to be less permissive, probably way less permissive, probably =
even
>>> sandboxed by default, our networks need to be more resilient to =
threats,
>>> ranging from simple things such as BCP38 and automatic detection of =
certain
>>> obvious violations, to more comprehensive things such as mandatory =
virus
>>> scanning by e-mail providers, etc., ... there's a lot that could be =
done,
>>> that most on the technology side of things have been unwilling to =
commit
>>> to.
>>=20
>> I'm not out to target specific products. Yes, I'll celebrate the =
death of
>> our favorite convicted felon in Redmond, but, that's not the point.
>>=20
>> I don't have a CompSci degree specializing in that stuff and I seem =
to
>> be able to run clean systems. I don't have a CompSci degree at all.
>> It's not that hard to run clean systems, actually. Mostly it takes =
not being
>> willing to click yes to every download and exercising minimal =
judgment
>> about which web sites you choose to trust.
>=20
> It takes an understanding of how it all works behind the scenes in =
order
> to understand what all those silly "Yes/No" prompts mean; that whole
> mechanism is part of what I mean when I say "defective by design."
>=20
Agreed. Interestingly, I don't have very many of those prompts on my
Mac, and, when I do, it seems to me that I have very little need to =
understand
what is going on behind the scenes to make an intelligent choice in
response. Generally it says "You are about to open an application
that you downloaded from a web site. Are you sure you want to do
this? If you aren't sure you can trust the website, you should say no."
> Why is it okay to click "Yes" when a website asks if we want to =
install
> "Flash" or "Silverlight" but it's not okay to click "Yes" when a =
website
> asks if we want to install "DodgyCodec"? How do you explain that to =
your
> grandmother?
>=20
Poor choices of examples... I'm not sure it is OK to click yes for =
Flash.
It's pretty obviously a huge vulnerability. However, I usually tell =
people
to make that decision along the lines of how much they think they should
trust the website. Micr0$0ft starts at -10. Adobe starts at -5. =
$randomsite
starts at -50. Paypal starts at 0. Apple starts at 2. as an example of =
some
of my trust levels.
>> The point is that if I run a clean system, why should I have to pay a
>> subsidy to those that do not? I'm tired of this mentality that says =
let's
>> penalize the good actors to subsidize the bad actors. I'm tired of it
>> with mortgages. I'm tired of it with businesses. I'm tired of =
watching
>> the government, time after time, reward bad behavior and punish
>> good behavior and then wonder why they get more bad and less
>> good behavior. =20
>=20
> Hey, I agree. Look, we run a clean network here. I have the same =
gripes.
> We see all sorts of probe traffic and crap, why should we bother being
> clean? Why should we have to go to extra work to defend against =
networks
> that aren't?
>=20
I'm not saying "why should I bother being clean?" I think I should =
bother
being clean because it should be the minimal obligation to society if
you connect to the network. I'm saying why should we accept and be
forced to pay subsidies to those who ignore that responsibility?
I'm saying that we should have accountability and the ability to recover
our costs from those that aren't. You'd be surprised how fast that
would reduce the number of those that aren't.
>>> We can make their Internet cars safer for them - but we largely =
haven't.
>>> Now we can all look forward to misguided government efforts to =
mandate
>>> some of this stuff.
>>>=20
>> I'm not opposed to making operating systems and applications safer.
>> As I said, just as with cars, the manufacturers should be held liable
>> by the consumers. However, the consumer that is operating the
>> car that plows a group of pedestrians is liable to the pedestrians.
>> The manufacturer is usually liable to the operator through =
subrogation.
>=20
> Which would mean anything if we had computer users that were =
deliberately
> injuring or killing people with their computers. Unfortunately, I'd =
say
> that most sick computers are more akin to those awful oil-burning, =
smog-
> generating, black-smoke-belching cars. You don't have much of a =
private
> right of action against the guy that drives by you and blasts a wave =
of
> awful black particulate matter out his exhaust at you. We've handled =
a
> lot of that through mandatory emissions inspections (not sure how
> universal that is). Regulation, in that case, seems to be a generally
> positive effect.
>=20
Nope... Even if the consumer plows the pedestrians because of a defect
in the vehicle, the pedestrians generally sue the driver who then goes
after the manufacturer through subrogation.
If it wasn't a defect in the car, then, the manufacturer has no =
liability, but,
whether deliberate or negligent, the driver still does.
> I don't see any simple solutions, regardless.
>=20
A proper chain of liability wouldn't be too difficult and would go a =
long
way to solving the problem.
A few users who paid the price of clicking yes in the wrong place would
serve as a good lesson for the majority of users. A few users =
successfully
getting their costs reimbursed by Micr0$0ft would lead to major changes
in Micr0$0ft's approach to software development.
Global "charge everyone a security fee" proposals will only preserve the
status quo. Heck, McAfee and Norton are arguably implementations of
just that sort of thing.
Owen
