Nato warns of strike against cyber attackers

Karl Auer kauer at
Wed Jun 9 19:37:39 UTC 2010

On Wed, 2010-06-09 at 12:08 -0500, Joe Greco wrote:
> That's not going to happen (but I'll be happy to be proven wrong).

Oh, there are so many things that are "not going to happen", aren't
there? And because of that we shouldn't even bother suggesting
regulation as a solution to anything because "the big companies" won't
let it happen?

It took a few decades, but eventually people figured out that tobacco
killed people, and some of the biggest financial interests in the world
ended up being legislated against. That process is not finished, the
rearguard action is not played out, but the setup is not the cosy little
"we'll do whatever we want and you can't stop us" that we had in the

The Mafia in Italy seemed indomitable a few decades ago. It had the
whole country (and large chunks of the US and other countries) in its
grip, apparently unchallengeable. But the Mafia in Italy is now dying
under the weight of courageous police and judges and a legal system that
in spite of itself tries to do the will of the people. Little by little
the changes were made, little by little the structures the Mafia
depended upon were taken away. Including, most importantly, the belief
amongst Italians that the Mafia was untouchable.

Your argument seems to be "if we do X, it won't work". This is true for
almost any X, because our field, like many other specialist fields, is a
kind of ecosystem. Many factors have reached a kind of equilibrium, and
it's really hard to look at any one factor and say "fix that" without
seeing how so many other factors would work against the change.

Try thinking about what *could* happen rather than what *can't* happen.
> What legislator is going to vote for software liability reforms that will
> ruin major software companies?  When their own staff and experts will be
> willing to state that outcome, in no uncertain terms?

Why do you assume these laws will ruin anyone? Noone is seeking to
destroy software companies, any more than the people who demanded
accountability from auto manufacturers or pharmaceutical companies
wanted to put them out of business. People want cars and medicine, and
are prepared to pay for them. But if the car is defective or the
medicine proves harmful, people want recourse in law.

Same for software. When the company screws up, people should be able to
take them to court and have a realistic chance of success if their
grievance is real. It is that simple. Yet when we read of yet another
buffer overflow exploit in a Microsoft product we just sigh and update
our virus checkers, because Microsoft has *zero* obligation in law to
produce software that has no such flaws. There is no other product group
I know of where a known *class* of defect would be permitted to continue
to exist without very serious liability issues arising.

> What are the outcomes here?  We pass such legislation, it doesn't magically
> fix things.  It just means that companies like Adobe and Microsoft are
> suddenly on the hook for huge liabilities if they continue to sell their
> current products.  Do we expect them to *stop* selling Windows, etc.,?

You assume it all happens at once. You assume the change will be large.
You assume there is no grace period. You assume a lot, then act as if it
must be so.

> That's the problem, isn't it.  If we were serious about it, we could
> approach the problem differently:  rather than trying to tackle it from
> a marketplace point of view, perhaps we could instead tackle it from a 
> regulatory point of view.  Could we mandate that the next generation of 
> browsers must have certain qualities?  It's an interesting discussion,
> and in some way parallels the car safety examples I provided earlier.

Mandating specific qualities in that sense leads to legislation that is
out of date before the ink is dry. No - you mandate only that products
must be fit for their intended purpose, and you declare void any
attempts to contract away this requirement. Just like with other
products! And then you let the system and the market work out the rest.

> I certainly agree, but it isn't going to be wished away in a minute.  To
> do so would effectively destroy some major technology companies.

You do a great line in straw men. Who said it would take a minute? Not
I. Not anyone. People are just trying to point out that while it may be
difficult, it's not impossible. We are also trying to point out the
places where effective positive change could be made.

> in a way)  That's one of the reasons I had predicted more appliance-like
> computers, and now they seem to be appearing in the form of app-running
> devices like the iPad.  From a network operator's point of view, that's
> just great, because the chance of a user being able to do something bad
> to the device is greatly reduced.

There is no reduction in the chance that the manufacturer will screw up,
making their product vulnerable to attack. But even if all iPads turn
out to be totally crackable, Apple will still have no obligation at all
to fix it. Appliance computers do not address the real problem, which is
lack of accountability.

> Right, but rewriting the product liability laws to hold software vendors
> accountable, by proxying through the end user, is kind of a crazy solution,
> and one that would appear not to be workable.  Was there another solution
> being framed that I missed?

No, it's not crazy. Regulation that empowers consumers is one of the
fastest ways to better, safer products. Did you ever see a toy with a
two-page shrink wrap contract making you the consumer absolutely liable
for any fault the toy might have or any damage it might cause? No? What
about kitchen appliances? The list of areas where consumer law has
generated better, safer products is long.

You say it "appears not to be workable" but have offered not a single
argument as to why not. Remember, by the way, that in the context of
computing, I'm not suggesting consumer empowerment should be a one-way
street. I'm saying that the consumer gets the power to demand that
software and hardware be fit for purpose. In return, the consumer too
must become accountable.
> That's nice.  How much accountability should one have for having visited
> a web site that was broken into by Russian script kiddies, though?  And
> we're not talking about driving a PC through a field of pedestrians, as
> someone else so colorfully put it.  Who is going to "insure" me against
> the possibility that Russian script kiddies sent me a virus via Flash
> on some web site, and even now are trying to break into British intel via
> my computer, so one fine day the FBI comes a'knockin'?  How do I even 
> find out what happened, when I'm in jail for a year for "hacking the 
> Brits"?  That's got to be one hell of an insurance plan.

Once again you demand that everything be fixed in one fell swoop. How
did visiting the web site cause me to get a virus? Did I download it? My
bad. Did the browser have a vulnerability? Browser manufacturer's bad.
Flash vulnerability? Adobe's bad. FBI - can they prove intent?

Why are you so set against people having to face the consequences of
their actions (or inactions)? What is so wrong with Adobe having to
produce software that DOES NOT expose users to attack?

> So feel free to convince me of why Microsoft, Apple, Adobe, etc., are all
> going to just sit idly by while their EULA protections are legislated 
> away.

Microsoft et al do not actually own your country. You do.

I don't expect them to sit idly by. Like all corporate citizens, they
will attempt to protect their own interests above all other
considerations. But because they do not own the country, and because
their position is ethically and practically untenable, they will
ultimately fail.

> Go tell every webmaster who is hosting Flash on your network that it's
> now prohibited, as a security risk, due to the bulletin issued last 
> week, and that any website hosting Flash on your network a week from 
> now will be null routed.  And then follow through.

Have you done that? If not, why not?

> It's great to say "end users should be responsible" and "end users 
> need to be security-conscious."

Except that's NOT what I am saying. I am saying they need to be
*accountable*. As do network operators, software vendors, hardware
vendors and so on.

>   However, are we, as network operators,
> willing to be equally responsible and security-conscious?

Dunno. As long as it's voluntary there will be little substantive
change. Make network operators accountable, and the change will come.
Regards, K.

Karl Auer (kauer at                   +61-2-64957160 (h)                  +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the NANOG mailing list