Nato warns of strike against cyber attackers

Owen DeLong owen at
Wed Jun 9 11:21:07 UTC 2010

On Jun 8, 2010, at 10:37 PM, Paul Ferguson wrote:

> Hash: SHA1
> On Tue, Jun 8, 2010 at 10:22 PM, Owen DeLong <owen at> wrote:
>>> Please, be for real -- the criminals go after the entrenched majority.
>>> If it were any other OS, the story would be the same.
>> If this were true, the criminals would be all over Apache and yet it is
>> IIS that gets compromised most often.
> Actually, that is another fallacy.
> The majority of SQL Injections are on Apache-based systems.
SQL injection is an SQL attack, not a compromise of the HTTP daemon
itself (usually partially a compromise of PHP or similar scripting language).

The majority of compromises (buffer overflows, etc.) against the web server
itself are IIS.

> Look, this isn't a blame-game in which we need to point out one vendor,
> operating system, plug-in, browser, or whatever.
Agreed... All vulnerable vendors should be treated the same. If you are
selling software without source code and making money as "professional
developers" by selling that software, then, it should come with liability for
the damages caused by your failure to secure the software properly.

If you're providing source code and allowing others to use it and you are
not getting paid for developing it, then, obviously, it is ridiculous to hold you
liable since the person who chose to use your source code has the ability
to fix it to resolve any security issues.

> The problem is that it is a wide-spread problem wherein we have millions of
> compromised consumer (and non-consumer) hosts doing the bidding of Bad
> Guys.

> I would certainly love to hear your solution to this problem.
Hold the owners of compromised systems financially liable for the damage they
do. Make it possible for said owners to subrogate such claims against any suppliers
of commercial closed insecure software which contributed to the compromise of their

> And stop pointing fingers.
No finger pointing there, just actual liability targeted at those actually resposnible.


More information about the NANOG mailing list