Nato warns of strike against cyber attackers

Karl Auer kauer at
Wed Jun 9 12:45:11 UTC 2010

On Wed, 2010-06-09 at 07:02 -0500, Joe Greco wrote:
> There is only so much "proper security" you can expect the average PC user
> to do.

Sure - but if their computer, as a result of their ignorance, starts
belching out spam, ISPs should be able at very least to counteract the
problem. For example, by disconnecting that user and telling them why
they have been disconnected. Why should it be the ISP's duty to silently
absorb the blows? Why should the user have no responsibility here?

To carry your analogy a bit too far, if someone is roaming the streets
in a beat-up jalopy with wobbly wheels, no lights, no brakes, no
mirrors, and sideswiping parked cars, is it up to the city to somehow
clear the way for that driver? No - the car is taken off the road and
the driver told to fix it or get a new one. If the problem appears to be
the driver rather than the vehicle, the driver is told they cannot drive
until they have obtained a Clue.

If the user, as a result of their computer being zombified or whatever,
has to

> "take it in to
> NerdForce and spend some random amount between $50 and twice the cost of
> a new computer,"

...then that's the user's problem. They can solve it with insurance
(appropriate policies will come into being), or they can solve it by
becoming more knowledgeable, or they can solve it by hiring know-how.
But it is *their* problem. The fact that it is the user's problem will
drive the industry to solve that problem, because anywhere there is a
problem there is a market for a solution.

>  then we - as the people who have designed and provided 
> technology - have failed, and we are trying to pass off responsibility 
> for our collective failure onto the end user.

I think what's being called for is not total abdication of
responsibility - just some sharing of the responsibility.

> This implies that our
> operating systems need to be more secure, way more secure, our applications
> need to be less permissive, probably way less permissive, probably even
> sandboxed by default

Yep! And the fastest way to get more secure systems is to make consumers
accountable, so that they demand accountability from their vendors. And
so it goes, all the way up the chain. Make people accountable. At every

> We can make their Internet cars safer for them - but we largely haven't.

I'm not sure that the word "we" is appropriate here. Who is "we"? How
can (say) network operators be held responsible for (say) a weakness in
Adobe Flash? At that level too, the consumer needs comeback - on the
providers of weak software.

Regards, K.

Karl Auer (kauer at                   +61-2-64957160 (h)                  +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF

More information about the NANOG mailing list