Nato warns of strike against cyber attackers

Joe Greco jgreco at
Wed Jun 9 13:17:26 UTC 2010

> On Jun 9, 2010, at 5:02 AM, Joe Greco wrote:
> >> So? If said end customer is operating a network-connected system without
> >> sufficient knowledge to properly maintain it and prevent it from doing mischief
> >> to the rest of the network, why should the rest of us subsidize her negligence?
> >> I don't see where making her pay is a bad thing.
> > 
> > I see that you don't understand that.
> > 
> Seems to me that you are the one not understanding...
> I can't refinance my mortgage right now to take advantage of the current interest
> rates.  Why?  Because irresponsible people got into loans they couldn't
> afford and engaged in speculative transactions. Their failure resulted in
> a huge drop in value to my house which brought me below the magic
> 80% loan to value ratio, which, because of said same bad actors became
> a legal restriction instead of a target number around which lenders had
> some flexibility. So, because I had a house I could afford and a reasonable
> mortgage, I'm now getting penalized by paying higher taxes to cover
> mortgage absorptions, reductions, and modifications for these irresponsible
> people. I'm getting penalized by paying higher interest rates because due
> to the damage they did to my property value and the laws they forced
> to be created, I can't refinance.
> I'm mad as hell and frankly, I don't want to take it any more.
> Do you see that?  Do you still think I don't have a legitimate point on this?
> I'm tired of subsidizing stupidity and bad actors. It's too expensive. I don't
> want to do it any more.  We already have too many stupid people and bad
> actors.  We really don't need to subsidize or encourage the creation of more.

A doesn't really seem connected to B.

> >> The internet may be a vast ocean where bad guys keep dumping garbage,
> >> but, if software vendors stopped building highly exploitable code and ISPs
> >> started disconnecting abusing systems rapidly, it would have a major effect
> >> on the constantly changing currents. If abuse departments were fully funded
> >> by cleanup fees charged to negligent users who failed to secure their systems
> >> properly, it would both incentivize users to do proper security _AND_ provide
> >> for more responsive abuse departments as issues are reduced and their
> >> budget scales linearly with the amount of abuse being conducted.
> > 
> > The reality is that things change.  Forty-three years ago, you could still
> > buy a car that didn't have seat belts.  Thirty years ago, most people still
> > didn't wear seat belts.  Twenty years ago, air bags began appearing in
> > large volume in passenger vehicles.  Throughout this period, cars have been
> > de-stiffened with crumple zones, etc., in order to make them safer for
> > passengers in the event of a crash.  Mandatory child seat laws have been
> > enacted at various times throughout.  A little more than ten years ago, air
> > bags were mandatory.  Ten years ago, LATCH clips for child safety seats
> > became mandatory.  We now have side impact air bags, etc.
> > 
> Sure.
> > Generally speaking, we do not penalize car owners for owning an older car,
> > and we've maybe only made them retrofit seat belts (but not air bags,
> > crumple zones, etc) into them, despite the fact that some of those big old
> > boats can be quite deadly to other drivers in today's more easily-damaged
> > cars.  We've increased auto safety by mandating better cars, and by
> > penalizing users who fail to make use of the safety features.
> Right, but, owners of older cars are primarily placing themselves at risk, not
> others.

I am pretty sure I saw stats that suggested that old cars that crashed into
new cars did substantially more damage to the new car and its occupants than
an equivalent crash between two new cars, something to do with the old car
not absorbing about half the impact into its own (nonexistent) crumple
zones, though there are obvious deficiencies in the protection afforded to
the occupants of the old car as well...

> In this case, it's a question of others putting me at risk. That, generally,
> isn't tolerated.
> > There is only so much "proper security" you can expect the average PC user
> > to do.  The average PC user expects to be able to check e-mail, view the
> > web, edit some documents, and listen to some songs.  The average car driver
> > expects to be able to drive around and do things.  You can try to mandate
> > that the average car driver must change their own oil, just as you can try
> > to mandate that the average computer must do what you've naively referred
> > to as "proper security", but the reality is that grandma doesn't want to 
> > get under her car, doesn't have the knowledge or tools, and would rather 
> > spend $30 at SpeedyLube.  If we can not make security a similarly easy
> > target for the end-user, rather than telling them to "take it in to
> > NerdForce and spend some random amount between $50 and twice the cost of
> > a new computer," then we - as the people who have designed and provided 
> > technology - have failed, and we are trying to pass off responsibility 
> > for our collective failure onto the end user.
> > 
> I disagree.  It used to be that anyone could drive a car. Today, you need
> to take instruction on driving and pass a test showing you are competent
> to operate a motor vehicle before you are allowed to drive legally.
> Things change, as you say.  I have no problem with the same requirement
> being added to attaching a computer to the network.
> If you drive a car in a reckless manner so as to endanger others, you are
> criminally liable for violating the safe driving laws as well as civilly liable
> for the damages you cause. Why should operating an unsafe computer
> be any different?

Generally speaking, because the computer is unsafe by design, and most of
the problems we're discussing are not "driving the car in a reckless
manner."  I do not live in mortal fear that I am going to steer my car into
the median and it's going to jump over into oncoming traffic and ram into
an oncoming semi, because that's simply not something I'd do, and it's not
something the car designers expected would be a regular thing to do.  On
the other hand, I do live in mortal fear of opening a PDF document on a
Windows machine, something that both Adobe and Microsoft deliberately
engineered to be as easy and trivial as possible, and which millions of
people do on a daily and regular basis, but which nonetheless can have
the undesirable side effect of infecting my computer with the latest
stealth exploit, at least if I read the news correctly.

As a Windows user, I *am* *expected* to open web documents and go browsing
around.  The Internet has been deliberately designed with millions upon
millions of domains and web sites; it's ridiculous to suggest that users
should be aware that visiting a particular web site is likely to be
harmful, especially given that we can't even keep servers safe, and some
legitimate high-volume web sites have even been known to serve up bad

> > I'm all fine with noting that certain products are particularly awful.
> > However, we have to be aware that users are simply not going to be required
> > to go get a CompSci degree specializing in risk management and virus
> > cleansing prior to being allowed to buy a computer.  This implies that our
> > operating systems need to be more secure, way more secure, our applications
> > need to be less permissive, probably way less permissive, probably even
> > sandboxed by default, our networks need to be more resilient to threats,
> > ranging from simple things such as BCP38 and automatic detection of certain
> > obvious violations, to more comprehensive things such as mandatory virus
> > scanning by e-mail providers, etc., ...  there's a lot that could be done,
> > that most on the technology side of things have been unwilling to commit
> > to.
> I'm not out to target specific products. Yes, I'll celebrate the death of
> our favorite convicted felon in Redmond, but, that's not the point.
> I don't have a CompSci degree specializing in that stuff and I seem to
> be able to run clean systems. I don't have a CompSci degree at all.
> It's not that hard to run clean systems, actually. Mostly it takes not being
> willing to click yes to every download and exercising minimal judgment
> about which web sites you choose to trust.

It takes an understanding of how it all works behind the scenes in order
to understand what all those silly "Yes/No" prompts mean; that whole
mechanism is part of what I mean when I say "defective by design."

Why is it okay to click "Yes" when a website asks if we want to install
"Flash" or "Silverlight" but it's not okay to click "Yes" when a website
asks if we want to install "DodgyCodec"?  How do you explain that to your

> The point is that if I run a clean system, why should I have to pay a
> subsidy to those that do not? I'm tired of this mentality that says let's
> penalize the good actors to subsidize the bad actors. I'm tired of it
> with mortgages. I'm tired of it with businesses. I'm tired of watching
> the government, time after time, reward bad behavior and punish
> good behavior and then wonder why they get more bad and less
> good behavior.  

Hey, I agree.  Look, we run a clean network here.  I have the same gripes.
We see all sorts of probe traffic and crap, why should we bother being
clean?  Why should we have to go to extra work to defend against networks
that aren't?

> > We can make their Internet cars safer for them - but we largely haven't.
> > Now we can all look forward to misguided government efforts to mandate
> > some of this stuff.
> > 
> I'm not opposed to making operating systems and applications safer.
> As I said, just as with cars, the manufacturers should be held liable
> by the consumers.  However, the consumer that is operating the
> car that plows a group of pedestrians is liable to the pedestrians.
> The manufacturer is usually liable to the operator through subrogation.

Which would mean anything if we had computer users that were deliberately
injuring or killing people with their computers.  Unfortunately, I'd say
that most sick computers are more akin to those awful oil-burning, smog-
generating, black-smoke-belching cars.  You don't have much of a private
right of action against the guy that drives by you and blasts a wave of
awful black particulate matter out his exhaust at you.  We've handled a
lot of that through mandatory emissions inspections (not sure how
universal that is).  Regulation, in that case, seems to be a generally
positive effect.

I don't see any simple solutions, regardless.

... JG
Joe Greco - Network Services - Milwaukee, WI -
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

More information about the NANOG mailing list