Nato warns of strike against cyber attackers

Joe Greco jgreco at ns.sol.net
Wed Jun 9 13:50:51 UTC 2010


> On Wed, 2010-06-09 at 07:02 -0500, Joe Greco wrote:
> > There is only so much "proper security" you can expect the average PC user
> > to do.
> 
> Sure - but if their computer, as a result of their ignorance, starts
> belching out spam, ISPs should be able at very least to counteract the
> problem. For example, by disconnecting that user and telling them why
> they have been disconnected. Why should it be the ISP's duty to silently
> absorb the blows? Why should the user have no responsibility here?

Primarily because the product that they've been given to use is defective
by design.  I'm not even saying "no responsibility"; I'm just arguing that
we have to be realistic about our expectations of the level of
responsibility users will have.  At this point, we're teaching computers
to children in elementary school, and kids in second and third grade are
being expected to submit homework to teachers via e-mail.  How is that
supposed to play out for the single mom with a latchkey kid?  Let's be
realistic here.  It's the computer that ought to be safer.  We can expect 
modest improvements on the part of users, sure, but to place it all on 
them is simply a fantastic display of incredible naivete.

> To carry your analogy a bit too far, if someone is roaming the streets
> in a beat-up jalopy with wobbly wheels, no lights, no brakes, no
> mirrors, and sideswiping parked cars, is it up to the city to somehow
> clear the way for that driver? No - the car is taken off the road and
> the driver told to fix it or get a new one. If the problem appears to be
> the driver rather than the vehicle, the driver is told they cannot drive
> until they have obtained a Clue.

Generally speaking, nobody wants to be the cop that makes that call. 
Theoretically an ISP *might* be able to do that, but most are unwilling,
and those of us that do actually play BOFH run the risk of losing
customers to a sewerISP that doesn't.

> If the user, as a result of their computer being zombified or whatever,
> has to
> 
> > "take it in to
> > NerdForce and spend some random amount between $50 and twice the cost of
> > a new computer,"
> 
> ...then that's the user's problem. They can solve it with insurance
> (appropriate policies will come into being), or they can solve it by
> becoming more knowledgeable, or they can solve it by hiring know how.
> But it is *their* problem. The fact that it is the user's problem will
> drive the industry to solve that problem, because anywhere there is a
> problem there is a market for a solution.

That shows an incredible lack of understanding of how the market actually
works.  It's nice in theory.

We (as technical people) have caused this problem because we've failed to 
design computers and networks that are resistant to this sort of thing.
Trying to pin it on the users is of course easy, because users (generally
speaking) are "stupid" and are "at fault" for not doing "enough" to
"secure" their own systems, but that's a ridiculous smugness on our part.

> > then we - as the people who have designed and provided
> > technology - have failed, and we are trying to pass off responsibility
> > for our collective failure onto the end user.
> 
> I think what's being called for is not total abdication of
> responsibility - just some sharing of the responsibility.

I'm fine with that, but as long as we keep handing loaded guns without 
any reasonably-identifiable safeties to the end users, we can expect to
keep getting shot at now and then.

> > This implies that our
> > operating systems need to be more secure, way more secure, our applications
> > need to be less permissive, probably way less permissive, probably even
> > sandboxed by default
> 
> Yep! And the fastest way to get more secure systems is to make consumers
> accountable, so that they demand accountability from their vendors. And
> so it goes, all the way up the chain. Make people accountable. At every
> level.

Again, that shows an incredible lack of understanding of how the market
actually works.  It's still nice in theory.

We would be better off short-circuiting that mechanism; for example, how
about we simply mandate that browsers must be isolated from their 
underlying operating systems?  Do you really think that the game of
telephone works?  Are we really going to be able to hold customers
accountable?  And if we do, are they really going to put vendor feet to
the fire?  Or is Microsoft just going to laugh and point at their EULA,
and say, "our legal department will bankrupt you, you silly little twerp"?

Everyone has carefully made it clear that they're not liable to the users,
so the users are left holding the bag, and nobody who's actually
responsible is able to be held responsible by the end users.

> > We can make their Internet cars safer for them - but we largely haven't.
> 
> I'm not sure that the word "we" is appropriate here. Who is "we"? How
> can (say) network operators be held responsible for (say) a weakness in
> Adobe Flash? At that level too, the consumer needs comeback - on the
> providers of weak software.

Yes, "we" needs to include all the technical stakeholders, and "we" as
network operators ought to be able to tell "we" the website operators to
tell "we" the web designers to stop using Flash if it's that big a
liability.  This, of course, fails for the same reasons that expecting
end users to hold vendors responsible does, but there are a lot less of
us technical stakeholders than there are end users, so if we really want
to play that sort of game, we should try it here at home first.

What's good for the goose, and all that ...

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
