Nato warns of strike against cyber attackers

Joe Greco jgreco at ns.sol.net
Wed Jun 9 07:02:06 CDT 2010


> So? If said end customer is operating a network-connected system without
> sufficient knowledge to properly maintain it and prevent it from doing mischief
> to the rest of the network, why should the rest of us subsidize her negligence?
> I don't see where making her pay is a bad thing.

I see that you don't understand that.

> The internet may be a vast ocean where bad guys keep dumping garbage,
> but, if software vendors stopped building highly exploitable code and ISPs
> started disconnecting abusing systems rapidly, it would have a major effect
> on the constantly changing currents. If abuse departments were fully funded
> by cleanup fees charged to negligent users who failed to secure their systems
> properly, it would both incentivize users to do proper security _AND_ provide
> for more responsive abuse departments as issues are reduced and their
> budget scales linearly with the amount of abuse being conducted.

The reality is that things change.  Forty-three years ago, you could still
buy a car that didn't have seat belts.  Thirty years ago, most people still
didn't wear seat belts.  Twenty years ago, air bags began appearing in
large volume in passenger vehicles.  Throughout this period, cars have been
de-stiffened with crumple zones, etc., in order to make them safer for
passengers in the event of a crash.  Mandatory child seat laws have been
enacted at various times throughout.  A little more than ten years ago, air
bags were mandatory.  Ten years ago, LATCH clips for child safety seats
became mandatory.  We now have side impact air bags, etc.

Generally speaking, we do not penalize car owners for owning an older car,
and we've maybe only made them retrofit seat belts (but not air bags,
crumple zones, etc) into them, despite the fact that some of those big old
boats can be quite deadly to other drivers in today's more easily-damaged
cars.  We've increased auto safety by mandating better cars, and by
penalizing users who fail to make use of the safety features.

There is only so much "proper security" you can expect the average PC user
to do.  The average PC user expects to be able to check e-mail, view the
web, edit some documents, and listen to some songs.  The average car driver
expects to be able to drive around and do things.  You can try to mandate
that the average car driver must change their own oil, just as you can try
to mandate that the average computer must do what you've naively referred
to as "proper security", but the reality is that grandma doesn't want to 
get under her car, doesn't have the knowledge or tools, and would rather 
spend $30 at SpeedyLube.  If we can not make security a similarly easy
target for the end-user, rather than telling them to "take it in to
NerdForce and spend some random amount between $50 and twice the cost of
a new computer," then we - as the people who have designed and provided 
technology - have failed, and we are trying to pass off responsibility 
for our collective failure onto the end user.

I'm all fine with noting that certain products are particularly awful.
However, we have to be aware that users are simply not going to be required
to go get a CompSci degree specializing in risk management and virus
cleansing prior to being allowed to buy a computer.  This implies that our
operating systems need to be more secure, way more secure, our applications
need to be less permissive, probably way less permissive, probably even
sandboxed by default, our networks need to be more resilient to threats,
ranging from simple things such as BCP38 and automatic detection of certain
obvious violations, to more comprehensive things such as mandatory virus
scanning by e-mail providers, etc., ...  there's a lot that could be done,
that most on the technology side of things have been unwilling to commit
to.

We can make their Internet cars safer for them - but we largely haven't.
Now we can all look forward to misguided government efforts to mandate
some of this stuff.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




More information about the NANOG mailing list