Posted by michael from the does-renter's-insurance-cover-this dept.
sagman writes "Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly... Russ is taking a poll on his site. Russ states in an email that he wrote this up at the request of a US Senator staffer..."
435 comments
Danger, Will Robinson! Danger!
by inertia187 · Score: 5, Funny
I can just see the virus protection software making changes to their notifications to keep track of attacks that could cost people money and list it in a tally window: "You've saved $764 in internet fines this year because you used Morton AntiVirus 2005! Want to upgrade to the Pro version?"
The Pro version will include an insurance plan in case you go on vacation for a week and leave your XP box on and a new exploit surfaces while you're gone.
-- A programmer is a machine for converting coffee into code.
Denial of Money attack?
by soren42 · Score: 5, Insightful
The problem with this system is that it opens people who already aren't that skilled at running a computer to a new kind of attack. Imagine someone spoofing your IP and broadcasting worm packets, running up your fines.
ISPs probably would have too much volume to deal with to investigate every packet, so it becomes easier to pay the fine than fight the system.
There's got to be a better solution than this.
-- "Adventure? Excitement? A Jedi craves not these things."
Re:Denial of Money attack?
by eln · Score: 5, Insightful
Yes, this would effectively push >90% of today's Internet users off the network. While some people might think this is a good thing, I doubt the many thousands of people that would lose their jobs in an already down economy would agree.
The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms relating to privacy rights, freedoms related to what one can do with one's own property, and implementation of such a thing without a.) forcing every American to spend money on virus scanning software or b.) jacking up everyone's tax rates. This doesn't even take into account what sort of staggering class action lawsuit would result if a destructive virus was not picked up by the now-required scanning software.
All in all, this is a kneejerk reaction of the worst kind.
Re:Denial of Money attack?
by El Cubano · Score: 1
The problem with this system is that it opens people who already aren't that skilled at running a computer to a new kind of attack. Imagine someone spoofing your IP and broadcasting worm packets, running up your fines.
Since part of the plan is for ISPs to monitor outbound traffic, that would only become a real issue if someone on your same subnet, served by the same gateway router, spoofed your address. Otherwise it would be real easy to say, "check the outbound logs on the router at xxx.xxx.xxx.1." Then it would be pretty obvious that those packets originated on a different subnet and not from your machine, since the logs on your servicing gateway would be clean.
Re:Denial of Money attack?
by soren42 · Score: 2, Interesting
You make an excellent point, but that is still a real risk on a system similar to my home system. I use Time Warner's RoadRunner Cable Modem service, and have hundreds of people on my subnet.
In fact, a good percentage of attacks in general against my systems have been from "local" machines.
Besides, what better way to get back at that neighbor that pissed you off - run up their fines!
-- "Adventure? Excitement? A Jedi craves not these things."
Re:Denial of Money attack?
by Anonymous Coward · Score: 0
I agree. The technology we currently have available (e.g., TCP/IP, SMTP) does not support the accuracy needed to correctly fine people.
Assuming they log the traffic... And even if they do (haven't RTFA:)) how long would they keep these logs for?... And how much manpower would it take to look into all the fraudulent claims?
This plan just adds a new possibility for committing fraud, and probably the amount of fines you collect, would barely cover the amount of money necessary to police the fraudulent claims.
Re:Denial of Money attack?
by isomeme · Score: 4, Interesting
There was a science fiction story many years ago (circa 1980, IIRC) in Analog (again IIRC) which predicted widespread networked home computers, and the threat of hostile programs spreading among them. In the story, the US government mandated installation of (what we would call) antivirus software, developed and provided by the government. An attorney successfully gets the program thrown out on Constitutional grounds, showing that it violates the Third Amendment, since a program guarding against national security threats is effectively a "soldier".
-- When all you have is a hammer, everything looks like a skull.
Re:Denial of Money attack?
by Anonymous Coward · Score: 1, Insightful
It also has all the telltale marks of blaming the victim. Just imagine a coworker saying, "I got this cold virus from you, so I am going to fine you $500." We never had any such nonsense in the real world, so why create it in the electronic world?
The real solution for consumers and admins everywhere is to vote with their dollars and avoid systems with poor immunity (cough *microsoft* cough, cough). That means the NT guy has to switch his boxes. But rather than blame the terribly weak system, which routinely goes into a coma over the slightest bug, or himself for failing to choose a good system, he chooses to blame just about everyone else - the victims of the bug.
Re:Denial of Money attack?
by njchick · Score: 3, Interesting
It would push users to ISPs that do filtering for them for a few bucks a month. Also home firewalls would become more popular. That's it. It's easy to convey an idea to the end users if it's about their money.
Re:Denial of Money attack?
by Tackhead · Score: 2, Insightful
> Since part of the plan is for ISPs to monitor outbound traffic, that would only become a real issue if someone on your same subnet, served by the same gateway router, spoofed your address. Otherwise it would be real easy to say, "check the outbound logs on the router at xxx.xxx.xxx.1." Then it would be pretty obvious that those packets originated on a different subnet and not from your machine, since the logs on your servicing gateway would be clean.
Spoken like a man who hasn't seen the ping-flooding that's been going non-stop since Welchia came out. Your/16's a mess, dude. But then, so is mine.
Re:Denial of Money attack?
by fdiskne1 · Score: 1
More likely is that most ISPs would automatically block all but http, ftp and chat ports. If you wanted more ports open, you'd have to pay more.
-- But why is the rum gone?
Re:Denial of Money attack?
by Anonymous Coward · Score: 0
The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms relating to privacy rights, freedoms related to what one can do with one's own property, and implementation of such a thing
I know what you're trying to say, but think of it in terms of your car. You can own a car and have it sit in your garage and the government can't touch you. If you want to actually drive it on public roads, you have to have a license, have the car insured, and in some locations, the vehicle must also pass a safety inspection.
Think of the internet as a public road. If you want to use it, you have to make your vehicle (the computer) safe.
Re:Denial of Money attack?
by tomhudson · Score: 4, Insightful
Sorry, but my bullshit-o-meter went off the scale here. The article is a troll (so is the original proposal). One of the indicators is
"Russ states in an email that he wrote this up at the request of a US Senator staffer...
That can mean pretty much anything, and is pretty lame, as is the proposal itself (yes, I did RTFA).
The other indicator is the article itself. It completely misses 2 things that have to happen:
educated users, and better operating systems.
Another quote:
According to a recent TruSecure Corporation survey, 34% of networks of 100 computers or more were affected, and the average cost per computer was US$477.00.
Do you really believe these numbers on the average cost? So why isn't it ever mentioned in SEC filings? Why aren't they investing in training end-users to use more secure systems? Why aren't they getting rid of Outlook Express?
Ok, rant off.
Re:Denial of Money attack?
by LostCluster · Score: 1
It's very hard to spoof activity at the port to which your line to the ISP is physically connected, which I'm sure would be a measuring point checked when assessing fines...
Re:Denial of Money attack?
by Anonymous Coward · Score: 0
So if my car has a design flaw that causes it to explode on the freeway, it's my fault?
Nice straw man, but it's not even remotely the same.
Re:Denial of Money attack?
by ryanvm · Score: 4, Insightful
The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms
Virus scanning software is complete bullshit. Explain to me how I have NEVER been afflicted with a computer virus, yet I also do not run antivirus software. (And yes, I'm running Windows. :)
Smart users don't need antivirus software. Keep your machine patched and don't open executable attachments. Problem solved. Furthermore, the most dangerous viruses spread faster than the virus definitions anyway.
Re:Denial of Money attack?
by tomhudson · Score: 2, Funny
Of course he should switch his box. Look at the bottom of the page at the article:
An error occurred on the server when processing the URL. Please contact the system administrator.
But what do you expect from an NT advice site?
Re:Denial of Money attack?
by tomhudson · Score: 1
It's not only that: there's no provision in law for someone other than a judge to sentence you to a fine. Even the **AA gets that (arbitrary search and seizure).
Re:Denial of Money attack?
by RevMike · Score: 2, Interesting
The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms relating to privacy rights, freedoms related to what one can do with one's own property, and implementation of such a thing without a.) forcing every American to spend money on virus scanning software or b.) jacking up everyone's tax rates.
You're right that it would be difficult for the government to require that individuals install anti-virus software and the like. However, the US Federal Government is empowered by the interstate commerce clause to regulate the ISPs. One could write a law that requires that ISPs act in good faith to secure their network. An ISP could then require anti-virus software, firewall software, etc. as part of their terms of service.
I would imagine that an ISP might periodically run that new version of nmap on each of the IP addresses that have been handed out to clients. If a service with known security holes is discovered, an email is sent to the owner and a restrictive filter is put on that IP until it is patched. That should reduce the incidence of worms.
The ISP would also route all outbound SMTP packets through its own mail server.
Antivirus software there would look for email attachments containing viruses. This would take a nice bite out of viruses. <tinfoilhat>This also provides a convenient place for the government to monitor your email.</tinfoilhat>
I'm not sure, yet, what the best approach to trojans is.
Re:Denial of Money attack?
by jhylkema · Score: 1
Quoth the poster:
Yes, this would effectively push >90% of today's Internet users off the network.
You say that like it's a Bad Thing. I would submit that close to that percentage of people who are on the network shouldn't be. I might get fewer emails telling me about "Bill 602P" or "if you don't forward this touching story to at least 20 people, you don't love Jesus."
Re:Denial of Money attack?
by njchick · Score: 1
Fine with me as long as the full internet service doesn't get more expensive than it is now. It shouldn't be more expensive if ISPs can recover the money they are paying for spam and virus filtering today.
There's gotta be a better way to solve this problem than fining them if they get a virus. I know many people who probably have enough trouble getting their e-mail, let alone correctly configuring a firewall.
Re:Denial of Money attack?
by Hecubas · Score: 1
I don't know if it is safe to say smart people don't need antivirus software. In today's high speed networked world, you'll find yourself up to your neck in dumbasses who don't patch or like to download and install any sort of garbage. If your system is somehow connected to said dumbasses, there is a good possibility that you could be hit. Of course, if the dumbasses got slapped with a few fines now and then, as the article suggests, then we'd see people start taking responsibility for their hack-bait systems and get with the patching and locking down.
The Blaster worm was a perfect example of how assuming perimeter defense is good enough. All it takes is one dumbass PHB bringing his infected laptop back to the office and it's game over man.
So lets try remembering these tried and true security basics:
Install antivirus software - update daily
Establish a patching system
Maintain tight perimeter security - firewall
Subscribe to a security mailing list - SANS.org
-- Hecubas
Re:Denial of Money attack?
by Anonymous Coward · Score: 0
According to a totally unbiased TruSecure Corporation survey of a couple of their sales staff, it costs $477 per computer. $477??? Per computer???? For a fucking email virus that didn't even harm the host????? Maybe. I guess everybody had to go out and hire new staff members to fix it, as well as expensive software suites to alleviate the bug.
Oh wait. No they didn't. The tools to clean the machines were free and readily runnable by any shmuck (our secretary, who was the mascot of the whiteout onna screen joke, did it herself). Even if they made IT do it, they already had the staff, sitting on their thumbs and complaining like all IT fuckheads about how difficult it is to migrate a PDQ mailserver to Tronix but that they wrote a 1/2 line script to do it in JRuby, and how they spend so much time deriding people who do useful things besides stare at a blinking cursor all day that they have no time to do the things they really have to do, like change all the machines on the left side of the building to have names of famous robots. It doesn't cost anything to derail some slug from his mission of doing as little as possible and making him run a 300k patch from a floppy disk. Shit, I could do all the computers in my building in less than an hour. If your IT sloth captain quoted you $477 per machine, maybe you SHOULD outsource to India. It couldn't get any worse.
F U D. Again, computer security is worse than Microsoft or the evening news in scaring people needlessly. Sell your stock TruSecure. Use the cash to buy a couple Macs and a $100 firewall. And don't waste your time on morons and their moronic sources.
Re:Denial of Money attack?
by Anonymous Coward · Score: 0
Well, look. I can buy any car I want, but if I want to drive it on the public highways, it's got to pass the safety inspection (and emissions, in my state). In other words, you can do whatever you want, until your unsafe crap starts negatively impacting others.
If my car doesn't pass safety inspection and I drive it anyway, and I have an accident, I am in big trouble, especially if the unsafe condition of the car was a contributing factor to the accident. But if my car passed inspection and then, say, the rear axle broke and caused me to lose control, I'm still liable for any damages done in the accident, but I'm not criminally liable.
I don't see any reason (in principle) why computers should be any different. Criminal liability for criminal negligence, and mere financial liability for merely damaging others, could do a lot toward straightening out the mess that the net is becoming - if it's implemented well.
If it's implemented badly - if, say a major OS vendor manages to rig the rules so that they escape all liability - then this could be really bad...
It also has all the telltale marks of blaming the victim. Just imagine a coworker saying, "I got this cold virus from you, so I am going to fine you $500." We never had any such nonsense in the real world, so why create it in the electronic world?
Sorry, we do have this in the real world. For example, if you know you have HIV/AIDS and you have unprotected sex with someone (or otherwise expose them to your bodily fluids) without notifying them, that's assault with a deadly weapon in many jurisdictions. Even if you didn't know you had AIDS, but you should have known, you would probably face civil negligence liability.
-Isaac
-- I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
Re:Denial of Money attack?
by Mesaeus · Score: 1
And mine. I had to add a rule to my firewall to stop logging the damn pings so I could see the "interesting" portscans. Incidentally, is this all Welchia traffic? Because there seems to be an awful lot of it...
Re:Denial of Money attack?
by Anonymous Coward · Score: 0
The net doesn't kill people when it stops working, and if it starts, it will be the fault of the people who trusted their lives to the net. That's like someone with no immune system walking around downtown and then complaining when they catch a cold and die.
Re:Denial of Money attack?
by tomhudson · Score: 4, Funny
Couldn't have said it better myself! And of course,
after the article quotes some pulled-out-of-the-ass statistics from a "TruSecure Corporation Survey", look how the whole thing is signed:
Russ Cooper -
Surgeon General of TruSecure Corporation/NTBugtraq Editor
right above this:
An error occurred on the server when processing the URL. Please contact the system administrator.
Has he been practicing do-it-(to)-yourself lobotomies again?
Re:Denial of Money attack?
by Anonymous Coward · Score: 0
Except the internet doesn't belong to the public. So it's more like driving on private roads, which you don't need a license for. Basically you are contracting with a company to let you drive on company-owned roads. I don't see the word government or public in there. Plus, the current internet is not going to stop evolving. Eventually there will be a great deal of peer-based internet connections, and ISPs will cease to be a choke-point for this stuff. How are you going to impose this (or justify trying to impose it), then?
Re:Denial of Money attack?
by danheskett · Score: 1
I can't find any cases of people winning a civil liability case because they were infected with a disease that the other person should have known about. In fact, it is a rare case that the person is even on the hook if they intentionally infect another person through consensual sex. The number of cases I can find relating to that are really insignificant.
The general legal principle is that if you are a willing participant the burden is on you to ensure that you are not infected with any disease, that you can live with the consequences, and that you are in fact able to make such decision.
The same principle should apply to connecting to the Internet. You assume risk, you assume the responsibility, and you must ensure that you are educated enough to make the decision to be connected.
Re:Denial of Money attack?
by EddieSam · Score: 1
<tinfoilhat>This also provides a convenient place for the government to monitor your email.</tinfoilhat>
Er... Because of course the outgoing traffic to port 25 isn't trivially easy to analyse at any other point in the ISP's network.
Re:Denial of Money attack?
by njchick · Score: 1
There are already firewalls that require no configuration. They default to blocking all incoming connections except ftp (data channel from server), ntp and dhcp.
Re:Denial of Money attack?
by Enraged_jawa · Score: 1
Forty seconds of searching led me to a 2000 case from the Missouri Court of Appeals Western District, Deuschle v. Jobe. Here's a choice quote:
In furtherance of this objective, we hold that one has a legal duty to exercise reasonable care by disclosing a contagious venereal disease before entering into sexual relations with another. Several other jurisdictions that recognize this cause of action support this proposition.(FN18) See Berner v. Caldwell, 543 So.2d 686, 688-89 (Ala. 1989), overruled on other grounds by Tucker v. Gen. Motors Corp., 1999 WL 754213 (Ala. Sept. 24, 1999); B.N. v. K.K., 538 A.2d 1175, 1178-79 (Md. 1988); R.A.P. v. B.J.P., 428 N.W.2d 103, 107-8 (Minn. App. 1988); Doe v. Roe, 267 Cal. Rptr. 564, 567 (Cal. Ct. App. 1990).
In an action for negligent transmission of a venereal disease, a person is liable if he knew or should have known that he was infected with a disease and failed to disclose or warn his sexual partner about this unreasonable risk of harm before engaging in a sexual relationship.
I'm not in law school anymore, and I'm not a lawyer, so I'm not going to do any more research into this matter for some slashdot comment, but a few minutes on findlaw and google was sufficient to convince me that my memory was not faulty with respect to some jurisdictions imposing a duty of care with respect to negligent transmission of a venereal disease through consensual sexual contact. That quote alone suggests such a duty is recognized in at least Alabama, California, Maryland, Minnesota, Missouri. (Per the 2000 census, that covers 54,129,924 people.)
Please don't read my post to suggest that persons should be held liable if their machines are coopted without their knowledge to disrupt the internet. Computers often come from the store in an unpatched state (EULA disclaimer of fitness or merchantability? One of these days there's going to be a real EULA test.) and are infected the first time they are connected to a network. It's still easier to get and transmit computer viruses than STDs. I was just responding to the assertion that no similar liability existed with respect to "real" viruses. As far as I can tell, such liability does exist in some circumstances and jurisdictions.
-Isaac
-- I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
Re:Denial of Money attack?
by linkjunkie · Score: 2, Insightful
And you can tell me that they don't apply to you, I'll just reply "no, not these particular ones..."
Look around, this isn't the only list! NOTHING should be compulsory, but no AV on a windows box, have you never heard of a worm?
Re:Denial of Money attack?
by theArtificial · Score: 0
How do you know what you download is safe? (Not to rank on you.) Patches just cover known exploits; what about yet-to-be-found exploits? Is all the software you run safe? Lots of applications use various components that tie in to MS Office or Internet Explorer. Good examples are ActiveX controls and DLLs. Virus scanners are not all-knowing (nothing is, for that matter), but what is to stop homebrew solutions? ex: a custom keylogger or dll/ocx. You can pass arguments to these through the run menu or establish registry keys to do such.
-- Man blir trött av att gå och göra ingenting.
Re:Denial of Money attack?
by MadEyeMoody · Score: 1
Yes, almost all of it is. Since around 18 August, better than 99% of the ping packets I've looked at have the characteristic Welchia payload (56 bytes of 0xaa)...and I've looked at a lot of them!
-- Never grep a yacc by the i-node.
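As an added example (not code from this thread or from any of its posters), here is a small Python detector for the Welchia-style pings the comment above describes: it parses raw IPv4/ICMP packets, flags echo requests whose data is entirely 0xaa, and tallies per source address so a noisy host stands out in a capture. The 56-byte length is taken from the comment; the check matches any all-0xaa echo payload and reports the length seen, so other lengths would still be flagged. The packet builder and the sample addresses are constructed for the demo.

```python
import struct

# Payload length reported in the comment above: 56 bytes of 0xaa.
WELCHIA_PAYLOAD_LEN = 56


def ip_to_bytes(dotted: str) -> bytes:
    """'10.0.0.5' -> b'\\x0a\\x00\\x00\\x05'."""
    return bytes(int(octet) for octet in dotted.split("."))


def parse_ipv4_icmp(frame: bytes):
    """Parse a raw IPv4 packet.

    Returns (src, dst, icmp_type, payload) for ICMP packets, None otherwise.
    Options are skipped via the IHL field; the checksum is not verified.
    """
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:  # protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    icmp = frame[ihl:]
    if len(icmp) < 8:  # ICMP header is 8 bytes
        return None
    return src, dst, icmp[0], icmp[8:]


def is_welchia_probe(pkt) -> bool:
    """True for an ICMP echo request (type 8) whose data is all 0xaa bytes."""
    if pkt is None or pkt[2] != 8:
        return False
    payload = pkt[3]
    return len(payload) > 0 and set(payload) == {0xAA}


def summarize_pings(frames):
    """Per source: (echo requests seen, how many carried the all-0xaa signature)."""
    stats = {}
    for frame in frames:
        pkt = parse_ipv4_icmp(frame)
        if pkt is None or pkt[2] != 8:
            continue
        total, flagged = stats.get(pkt[0], (0, 0))
        stats[pkt[0]] = (total + 1, flagged + int(is_welchia_probe(pkt)))
    return stats


def noisy_sources(stats, min_flagged=2):
    """Sources with at least min_flagged signature hits, worst first (defender's worklist)."""
    return sorted((s for s, (_, f) in stats.items() if f >= min_flagged),
                  key=lambda s: stats[s][1], reverse=True)


def build_ipv4_icmp_echo(src, dst, payload, ident=1, seq=1):
    """Construct a test packet (checksums left zero; not needed for parsing)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return ip_hdr + icmp_hdr + payload


# Constructed sample capture: three worm-style pings from one host plus one
# ordinary ping (ascending-byte data, as common ping utilities send).
WELCHIA_PAYLOAD = b"\xaa" * WELCHIA_PAYLOAD_LEN
NORMAL_PAYLOAD = bytes(range(0x08, 0x08 + WELCHIA_PAYLOAD_LEN))
SAMPLE = [build_ipv4_icmp_echo("10.0.0.5", "10.0.1.9", WELCHIA_PAYLOAD, seq=i)
          for i in range(3)]
SAMPLE.append(build_ipv4_icmp_echo("10.0.0.7", "10.0.1.9", NORMAL_PAYLOAD))

if __name__ == "__main__":
    stats = summarize_pings(SAMPLE)
    for src in noisy_sources(stats):
        print(f"{src}: {stats[src][1]} of {stats[src][0]} pings carry all-0xaa data")
```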
Re:Denial of Money attack?
by Anonymous Coward · Score: 0
A much better solution would be to impose the death penalty for a first offense.
Think of how much this would clean out the gene pool.
And rightfully so, if I must add.
To paraphrase Heinlein, anyone too stupid to use a computer is not fully human.
No offense, but it sounds like you've been more lucky than smart.
-- [SIG] Remember Mattel handheld games?
Re:Denial of Money attack?
by cpeikert · Score: 1
That's a pretty far-out story. I mean, really -- The Third Amendment? Nobody sues over that thing.
Re:Denial of Money attack?
by jhylkema · Score: 1
It's appreciated. :)
I have an aunt that sends crap like this out all the time. Seems like I get the "Internet tax" one every third week or so with a different reason why it's really true this time. People like her have no business whatsoever being on the Internet.
Okay, tell me. What virus did you get that smart behavior would not have protected you from? And by "smart behavior" I mean staying patched, not opening dangerous attachments, and having a proper firewall.
I didn't think so.
Re:Denial of Money attack?
by crapulent · Score: 1
You're not making any sense. I too don't use any form of AV software on Windows, and in a large number of years (online with computers since 1991 or so) I have never been infected by a virus.
What does a list of unpatched IE vulnerabilities have to do with anything? Who said I used Outlook or OE for mail? Hint: I don't. Who said I use IE to browse the web? Hint: I don't. Even if someone sent me an email worm, and even if it somehow got past the executable-attachment-blocker my email host uses, it would not do squat because I don't let email anywhere near a MS product.
Re:Denial of Money attack?
by redsilo · Score: 1
Friends don't let friends use Windows. While the tired argument that Windows is the target because of its proliferation has some truth to it, the fact remains that it is the flawed design and execution of the OS that facilitates viral attacks and makes them "worthwhile".
Re:Denial of Money attack?
by isomeme · Score: 1
The Third is clearly the runt of the Bill of Rights, especially embedded as it is in the middle of the high-profile first six. I speculate that the author noticed this and decided to come up with some way to make it relevant in the modern world.
The Findlaw page I cited mentions that the Supremes have never ruled on a 3rd Amendment case, and that indeed there's only one citation from Federal case law, which they describe as being unusual without going into details. I'll have to pester a lawyer friend to look that up now that my curiosity is engaged.
-- When all you have is a hammer, everything looks like a skull.
Likewise... 10 years with computers (almost entirely DIY models), 9 years online in one form or another, all DOS and WIN machines (3.1 thru XP, with up to 7 years without a reinstall), zero infections.
I don't use IE/OE, M$Office, or their immediate kin; I disable the Windows Scripting Host; I run ZoneAlarm; I scan files manually using good old FProt for DOS. And I use a braindead email client that never heard of auto-executing anything. But I don't routinely run antivirus TSRs, and I don't apply IE/OE patches. And I take a dim view of anyone telling me that I *must* do either, when I've demonstrated that I can bloody well protect myself, thank you very much.
After all, I do have a nice zoo full of viruses, trojans, and worms, collected from clients' machines and spam:)
BTW, the pingflood that's been running 500 an hour for the past couple weeks, as of this evening has suddenly dropped to more like 10 an hour. Did Blaster disable itself today or something?
Why push? Why not just offer it as a service, for a couple bucks a month? Surely it could be automated well enough to cover users who aren't competent to protect themselves from the common online foes. And surely most newbies would choose to let someone else do the protecting, given the option -- that's just how people are about stuff they feel threatened by but don't understand.
And like most such services, it would not be liable for unexpected breaches by new nasties; it would only be liable for failing to provide reasonably competent protection. That's the norm for protective services of any sort. Rather like a vaccine -- it does its job most of the time, but it's not responsible if a new virus variant makes you sick anyway.
-- ~REZ~
#43301. Who'd fake being me anyway?
Re:Denial of Money attack?
by darqchild · Score: 1
If Ford issues a recall for your car, because it's got a faulty fuel tank which may cause it to explode, and you ignore them, and it explodes, it's your fault.
If you have a computer, and you have been spewing Code Red out on the internet because you couldn't install the patch that was released almost 2 years ago, then yes, it's your fault.
-- What? Me? Worry?
Re:Denial of Money attack?
by Anonymous Coward · Score: 0
Same here. 17 years with computers, 8 years online, and I've only had one semi-benign infection which was easily cleaned, even without AV software.
For experts, AV is not needed. For lusers, you'd better make sure that they're running AV.
I quite agree. I use Windows and Linux more or less equally on a day-to-day basis for both work and home, and I run no virus scanners or firewalls. I've been running machines like this for years and have never been infected with a virus, trojan, worm.. I've never even been the victim of the most trivial of adware programs.
I don't use IE or OE. I don't have NetBIOS active on external interfaces unless the LAN I am connected to filters NetBIOS traffic at its edge. I update from Windows Update when I remember. =)
Not running code I don't want to run seems to be quite effective.
Re:Denial of Money attack?
by Anonymous Coward · Score: 0
Or Billy could simply buy Symantec, integrate it into his toy OS (e.g. IE) and be done with it.
Re:Denial of Money attack?
by Magius_AR · Score: 1
Yes, this would effectively push >90% of today's Internet users off the network. While some people might think this is a good thing
HELLS YEAH!
Woo! Let's take it back from the trendy morons and make it a true testament to geekdom again!:)
Re:Denial of Money attack?
by Anonymous Coward · Score: 0
You're right, but I really didn't mean STDs and intentionally infecting someone. I meant more along the lines of the common cold, flu, and the like. If you walk down the street, bump into someone and they get your cold, you don't get fined (but if you did get fined, that would be a serious problem with the law - turning every human being into a criminal).
Re:Denial of Money attack?
by bill_mcgonigle · Score: 1
Smart users don't need antivirus software. Keep your machine patched and don't open executable attachments. Problem solved.
So you don't talk to the Internet with anything written in c? No open ports incoming (e.g. SSH Furthermore, the most dangerous viruses spread faster than the virus definitions anyway.
Excellent point.
-- My God, it's Full of Source! OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Re:Denial of Money attack?
by bill_mcgonigle · Score: 1
Crap, slashcode ate my post. Let me try again:
Smart users don't need antivirus software. Keep your machine patched and don't open executable attachments. Problem solved.
So you don't talk to the Internet with anything written in c? No open ports incoming (e.g. SSH < 3.7) and no content incoming from mail or web connections? Each one has buffer overflows waiting to be exploited. I'll bet you $5, collectible in 10 years that each c program you use on a regular basis to access the net has a buffer overflow problem that can lead to remote exploit.
I'm not saying you've been infected, I'm saying you've been lucky. Not lucky that you've kept your system patched like a good user, but lucky that malware writers aren't really actively searching for buffer overflows to exploit - they almost always take advantage of published security problems whitehats and vendors have found and patched. A well-funded blackhat could do the same thing. We'd be naive to assume there are no well-funded blackhats - they just haven't decided to strike yet. God, we need reusable sandboxes.
Furthermore, the most dangerous viruses spread faster than the virus definitions anyway.
Excellent point.
-- My God, it's Full of Source! OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
No way in hell this would fly.
by
grub
·
· Score: 5, Insightful
"..whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly.."
Rather than fining the people (victims?) of poorly written software and OSes, why not have a class-action suit against the corporations that make the worms & viruses possible in the first place?
Most people are up in arms when the RIAA goes after the wallet of individuals who knowingly download their Evil MP3s whereas the bulk of users that get these infections just don't know any better.
Fining lusers won't give them clues, education will.
-- Trolling is a art,
Re:No way in hell this would fly.
by
Eric+Ass+Raymond
·
· Score: 1
class-action suit against the corporations that make the worms & viruses possible in the first place?
Corporations? And how would we punish the open source operating systems or software for the inevitable security holes? Sue FSF or the users?
Re:No way in hell this would fly.
by
McAddress
·
· Score: 5, Insightful
forget a lawsuit. fine the maker of the software for each copy of an OS or other piece of software that propagates a bug. After all, the OS belongs to MS. I only have a license.
Re:No way in hell this would fly.
by
OmnipotentEntity
·
· Score: 1
Absolutely, fining someone whose computer is out of date is like fining a construction worker whose hammer is breaking because of wear.
You don't fine the construction worker. You get him a new hammer. Or fix it. By fining them you make it so that they cannot get new hammers and use the same old crappy ones.
___________
-- "Build a man a fire warm him for a day, set a man on fire and warm him for the rest of his life."
Re:No way in hell this would fly.
by
Kraegar
·
· Score: 3, Insightful
So who do we file a class action suit against when a flaw like this is turned into a worm?
I'm no Microsoft fan, but neither am I of the belief that all Open Source software (or Mac software, or *nix software) is perfect. Pull off your blinders, and realize that the solution rests not just in the hands of some major corporation, but also in the hands of anyone who chooses to place their computer on the 'net.
The blame lies in both courts.
Re:No way in hell this would fly.
by
eln
·
· Score: 5, Insightful
Sounds great for Microsoft, but in a market where successfully introducing a new competing OS is already near impossible, such a policy would push any fledgling OS company instantly into bankruptcy the minute a minor security flaw is detected in their software. Microsoft is probably the only software company in the US right now that could begin to absorb the costs of such a policy, leaving it the only company standing.
You think Microsoft owning 90% of the market is bad, wait until they own 100%.
Re:No way in hell this would fly.
by
Kaa
·
· Score: 2, Insightful
Rather than fining the people (victims?) of poorly written software and OSes, why not have a class-action suit against the corporations that make the worms & viruses possible in the first place?
A wonderful idea.
You understand, of course, that such corporations as RedHat, SuSE, etc. will be among those sued..?
And there is really no reason to limit this to corporations only. A buffer overflow in some Linux code? Look into the source for the copyright notice and sue the hell out of the poor schmuck who wrote it!
Yeah, as I've said, a great idea.
--
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
Re:No way in hell this would fly.
by
Rombuu
·
· Score: 1
Yep, time to sue K & R for writing 'C', the world's crappiest language. You wouldn't see buffer overruns in a real programming language.
--
DrLunch.com The site that tells you what's for lunch!
Re:No way in hell this would fly.
by
Anonymous Coward
·
· Score: 0
No, fining the users is exactly what you want to do. People who don't keep up on security ignore it because it cost them time and money for the education and software to secure it. It costs them nothing to ignore it.
By assigning a monetary cost to it, people will either make their systems less likely to harm others, run systems which are less likely to cause harm or avoid systems they can't use without harming other people.
Charging the companies only hides the problem from the users. We need people to see it and understand it.
Re:No way in hell this would fly.
by
El
·
· Score: 1
Even the best designed software can be installed in an insecure manner. This would be like fining lock manufacturers because people choose to leave their doors unlocked. This is not to say that software suppliers should not have ANY liability; certainly if the software when used by a knowledgeable and diligent individual in the prescribed manner is still insecure, the company should have some liability. However, imposing liabilities in excess of the cost of the software would threaten to put all free or open source software out of business, as well as most for-profit software vendors.
--
"Freedom means freedom for everybody" -- Dick Cheney
Re:No way in hell this would fly.
by
enosys
·
· Score: 1
I think that's a bad analogy. It's more like fining people for not wearing seat belts. I still don't think the fines would be a good idea.
Re:No way in hell this would fly.
by
Anonymous Coward
·
· Score: 0
Yep, time to sue K & R for writing 'C', the world's crappiest language. You wouldn't see buffer overruns in a real programming language.
Fuck off Java Troll.
The C language itself does not contain any buffer overruns. It is the poor implementation of general libraries that causes the problem.
...and you could repeat that exact problem in ANY language.
Re:No way in hell this would fly.
by
njchick
·
· Score: 1
Class action lawsuit would be more effective if the users sued to recover fines they paid while using the software.
Currently, users don't lose any money if their systems are infected (except some malicious viruses that erase files), and sysadmins of the attacked systems are not necessarily customers of the maker of the unsafe OS.
Ultimately, it's the users who are responsible for their choice of the software. If they feel they were misled by software or hardware vendors, they are welcome to sue.
Yes, that could affect Linux vendors who use deceptive advertising, and that's a good thing.
Re:No way in hell this would fly.
by
BigRedFish
·
· Score: 1
Rather than fining the people (victims?) of poorly written software and OSes, why not have a class-action suit against the corporations that make the worms & viruses possible in the first place?
Wouldn't that be the effect? Seems like the connection between running a certain notoriously insecure monopoly OS and getting a mailbox full of expensive tickets would have a chilling effect on purchases of that OS. At, say, $15 a pop, times 10,000 machines, times infinity (for the number of possible infections), it would make a company think twice about buying no matter how many untrue promises the friendly sales rep made to the PHBs...
Not that I like this fine idea (I don't), but it just occurs to me that this would threaten a certain company a lot. Not that it would ever fly, it makes no sense, if the wheels fly off your car due to a defect and you crash, the company's going to have to eat that, not the driver. But if Da Gubbamint is going to fine the 'driver' in this instance, he/she will have to file a civil suit against the company to recoup... why not just have the companies cut the trial lawyers a welfare check directly, and skip the show trial?
Now, as for the mandatory AV scanner software: Does Linux count as antivirus? Does anyone besides us on /. understand that there are better ways to protect computers than scanning every single fscking packet and message for known viruses (doing nothing to stop brand-new ones)? You know these diddleheads would hit us with notices because we're not running either Norton or McAffee(sp?), so we must be vulnerable...
Re:No way in hell this would fly.
by
Anonymous Coward
·
· Score: 0
not to be a troll or anything, cuz all i run is 101% linux when i can (ie not at work), but what happens when there's a new sploit found in the linux kernel? or when another apache hole is discovered. this kind of system would kill oss and free software. while companies make money and can pay fines, linux couldn't afford $10 for every copy of linux running. and I'm sure the creators of apache couldn't either. on the other hand, the evil billy gates could pay out $100 for every copy of windowz, and still be well off for life!
Re:No way in hell this would fly.
by
1g$man
·
· Score: 1
And if the maker of the software is... Linus Torvalds... who already had a patch out 3 weeks ago?
Ridiculous.
Re:No way in hell this would fly.
by
slipstick
·
· Score: 1
Are people today just freakin' stupid?
Never heard of a warranty? You don't pay cash for a product, don't expect a warranty. You pay cash, then you get to recoup losses from the manufacturer. Simple, no?
-- Sure information wants to be free, but how much are you willing to pay for the packaging?
Re:No way in hell this would fly.
by
vicviper
·
· Score: 1
In other words, sue SCO?
:)
Re:No way in hell this would fly.
by
geekoid
·
· Score: 1
not really. I don't think anyone reasonably believes that a company should be sued for most general bugs.
However, when Microsoft continually has the same issues over and over again, perhaps then they should be held accountable? To my knowledge, none of MS's patches closed the offending ports in the recent round of worms. That wouldn't have fixed the offending program, but the home users would have been able to minimize the effects. MS has not taken reasonable steps to protect the users from email attacks. Maybe the address book should be protected from programs that automatically grab email addresses.
-- The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
Re:No way in hell this would fly.
by
Anonymous Coward
·
· Score: 0
From a microsoft EULA:
. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND ITS SUPPLIERS PROVIDE THE SOFTWARE AND ANY (IF ANY) SUPPORT SERVICES RELATED TO THE SOFTWARE ("SUPPORT SERVICES") AS IS AND WITH ALL FAULTS, AND HEREBY DISCLAIM WITH RESPECT TO THE SOFTWARE AND SUPPORT SERVICES ALL WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY (IF ANY) WARRANTIES, DUTIES OR CONDITIONS OF OR RELATED TO: MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, LACK OF VIRUSES, ACCURACY OR COMPLETENESS OF RESPONSES, RESULTS, WORKMANLIKE EFFORT AND LACK OF NEGLIGENCE. ALSO, THERE IS NO WARRANTY, DUTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, AND CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT. THE ENTIRE RISK AS TO THE QUALITY, OR ARISING OUT OF THE USE OR PERFORMANCE OF THE SOFTWARE AND ANY SUPPORT SERVICES, REMAINS WITH RECIPIENT
This is some bunch of shit to get past the lameness filter, because even /.'s stupid filter can identify something truly lame:
STUPIDITY THEORY: The burden of "being right"
It's not easy being right. "In fact, one thing that I have noticed," said an anonymous observer, "is that all of these conspiracy theories depend on the perpetrators being endlessly clever. I think you'll find the facts also work if you assume everyone is endlessly stupid." I read that to mean that the opposite of conspiracy theory is stupidity theory - the theory that people are unaccountably stupid. Taken to its extreme, it implies that stupid people - because they don't understand you or know what you know - will "innundate you with their own stupidity." Conversely, it also implies that everyone who has a problem with you is stupid. This is a convenient belief, if you consider yourself "smart" in any way.
Stupidity Theory may be the only explanation some people can find for the frustrating experience of human communication - or lack thereof. It eliminates the confusion of misunderstanding by placing the responsibility for understanding squarely on the shoulders of the other. It not only insulates - it isolates. To borrow a violated quote from the movie "Sixth Sense," stupidity theory makes you think "I see dumb people. They're everywhere. They walk around like normal people. They don't even know they're dumb."
Stupidity theory and conspiracy theory are two of our lower types of information generators. Next up from there is gossip, then research, then observation, then inspiration. We all learn to recognize the level at which we prefer to generate information on most subjects, and we gain a sense of what level others prefer.
An apparently dumb statement is a "fact" - evidence of someone's stupidity - for a stupidity theorist. A critic driven by conspiracy theory will more easily accept as "fact" any evidence supporting his criticism. A rumor (uncorroborated hearsay) is a "fact" which a gossiper may or may not be willing to compare with other sources before enshrining it as "truth".
A researcher - student of social science, for instance - presumes many (if not most) "facts" to be inconclusive in establishing the "truth" of human behavior - research is a journey, not a destination. Information is only as reliable as human ability to observe, measure, record, and interpret accurately.
While mathematics may offer a sanctuary of objectivity, some of our most certain scientific verities have led us on to some of humanity's most horrific conclusions (as genetics and physics led to the cold logic of Hitler's "final solution" and the atomic bomb, for instance).
Thus, it is wise to assume that information generated at any level must be handled with care.
To save us from confusion and tragedy in our mismanagement of information, we have a duty to become adept at discerning the level at whi
Re:No way in hell this would fly.
by
JoeBuck
·
· Score: 1
While everyone should quickly update their ssh, I haven't seen any evidence so far that there is an exploit "in the wild" as the article states (that is, it appears that script kiddies don't have a 'sploit yet, though they might have one by tomorrow).
Re:No way in hell this would fly.
by
JoeBuck
·
· Score: 1
Well, we could require one of two policies: permit others to fix your bug (by open source licensing), or bear responsibility for fixing the bug yourself in a timely manner (if you prefer to ship binaries only).
Re:No way in hell this would fly.
by
Anonymous Coward
·
· Score: 0
why not have a class-action suit against the corporations that make the worms & viruses possible in the first place?
Ah, but that's the beauty of fining the individuals. Now they have real damages when they go after Microsoft in a class-action suit.
It's not such a bad idea, really. People can be fined for all sorts of damage they cause unwittingly or through negligence (e.g. your dog chewed up your neighbor's flowers for the tenth time), so this is hardly new. People tend not to change their behavior unless there's a real reason (a large fine might make you inclined to fence your dog in). So something like this proposal might actually generate a mass market for secure software.
I'm not saying it will, I'm just pointing out that this is at least an interesting idea, despite the /. allergic reaction.
Re:No way in hell this would fly.
by
Anonymous Coward
·
· Score: 0
Here's an even better analogy: Buying a car that's marketed as environmentally safe, then getting fined for polluting because you don't have the necessary skills or the equipment to determine that you are driving a car that pollutes. Hell, even better, the car company tells you to go pick up a new engine on your own time, and then do the assembly on your own. Ville...
Re:No way in hell this would fly.
by
Eric+Ass+Raymond
·
· Score: 1
Yeah, right.
Have you ever taken a look at the licenses you agree to when you install commercial software? I've never run across one that would say something else than that the software is provided without any warranty or proof of correctness.
The law should apply equally to everyone. If the corporations are to be punished for their bad-behaving code, so should be the authors and/or copyright holders of free software.
Re:No way in hell this would fly.
by
slipstick
·
· Score: 1
Excuse me but...
I'm a libertarian at heart and I would prefer to deal with issues of software without writing laws. But the story specifically refers to passing a law to make the users of a faulty product responsible for their use of a faulty product. This makes absolutely no sense.
If laws must be passed to fix this problem at least make it make some sense. Passing laws making anyone who SELLS a product fully liable for their product at least is consistent with current practice in the "other" world (e.g. everything but software). This means opensource vendors as well.
Now if someone offers you a product for free and you use it, you're the one who should be liable for everything but gross negligence. If Redhat wants to sell product then they should be responsible for the contents of that product. If you download their ISO and use it for free (as in beer) then you've taken the responsibility. If this means Microsoft has to give away Windows then so be it. If it means Redhat has to take responsibility for code I write and they incorporate in their product and sell it to you then that's what has to happen.
The fact is if you get something for free (as in beer) you have no one to bitch to for any problems. If you paid money for it then you should have a warranty. I simply don't see how that's a problem.
-- Sure information wants to be free, but how much are you willing to pay for the packaging?
Never Work
by
Anonymous Coward
·
· Score: 0
The logistics and implications of infringements of rights, it would never happen
Fines won't cut it...
by
TopShelf
·
· Score: 4, Funny
Re:Fines won't cut it...
by
The+Old+Burke
·
· Score: 1
Internet officials from a consortium consisting of ISPs, ICANN and IEEE put a $2500 price Thursday on Jenny Oldviruslady, hoping to generate tips and information that will lead them to her spam-machine whose presence remains pervasive in northern USA.
Rewards of $10000 were also set for Jenny Oldviruslady, leading figure in the insecure world of Windows computers.
"We want her dead or alive", a coworker of the president said on condition of anonymity.
In Washington, a leading senator on intelligence issues said that Jenny Oldviruslady most likely is still alive.
Many observers think Jenny Oldviruslady may be hiding in Kansas with vast amounts of cookies, although it has been about three months since she was last reported seen.
The reward offers on Jenny Oldviruslady are part of the State Department's Rewards for Justice Program, with the high amounts authorized by the USA Patriot Act III of 2004.
OrgName: Internet Assigned Numbers Authority OrgID: IANA Address: 4676 Admiralty Way, Suite 330 City: Marina del Rey StateProv: CA PostalCode: 90292-6695 Country: US
well, in that case, we should just make another law at the same time which will fine someone who fails to enforce this law a minimum of twice the amount the original fine would have been.
though, they'd probably get a better response in general if they just allowed the person who discovered a perpetrator and caused the fine to keep a percentage.
Great
by
Anonymous Coward
·
· Score: 4, Insightful
Great,
Just what I need, my grandma getting hit with fines because she wants email to talk to the grandkids.
Yes, my mother and siblings are all potentially on the list of "will get fined". So what? The ONLY way that people are going to pay any attention to home computer security is if it hits them where they live.
Perhaps THAT will stir the bulk of the bell curve victims into actually starting that class action suit against MickeySoft....
-- If you're not living on the edge, you're just taking up space!
Re:Great
by
Anonymous Coward
·
· Score: 1, Insightful
But then again, how can you get other generations excited about technology when they see it as a potential financial drain. A person is going to look at it and say... oh dear, you have to be some super computer nerd or you spend even more on monthly "fees" due to viruses.
This only leads to people who are already afraid of the internet falling farther behind, and their children not learning about the internet and getting excited about technology and technology related jobs.
Like my grandma needs her car and licence to get around even if she can't drive anymore and poses a significant risk to other road users?
Being old doesn't excuse social responsibility, and it doesn't make people stupid or unable to learn. Teach your grandma how to click the "update" button, or just set it up to happen automatically. Give her some credit for being a sentient human being.
That's exactly what I was thinking! Imagine having to explain that to a person that he'll have to pay a fine if he's on the internet (the IE Icon) and doesn't make sure his windows update (insert 2 hour explanation here) and virus software ("you know the 'messages', right? From where you get all those jokes? Well sometimes[...]" *DieOfExhaustion*) aren't up-to-date.
-- "Be careful or be roadkill" - Calvin
Re:yes!
by
Anonymous Coward
·
· Score: 0
Conveniently forgetting that you were also stupid once, aren't you?
My mother is not particularly computer literate. She is nearly 70 years old and likes to email her friends around the country. I keep her PC up to date as much as I can, but it is too much to ask of this sweet lady to try to understand what a 'patch' or an 'exploit' is. She does the best she can and should not be denied that privilege, or fined for her inexperience.
You are one of those irritating wannabes who knows just enough to get excited over the idea that you might be l33ter than someone else. Fuck you. We should be helping "lusers" to become less so, and encouraging software companies to be diligent in writing secure code... things that will actually help, rather than fining grandma.
In relatedly fascial news...
by
Anonymous Coward
·
· Score: 0
... Mrs Granny, 82, is being fined $5000 after two young 15y old hoodlums by the names "1337" & "31331" stole her car and drove it into a shopfront.
There are "attractive nuisance" laws. Be careful what you wish for.
-- MORTAR COMBAT!
Re:In relatedly fascial news...
by
wcdw
·
· Score: 1
If she left the keys in it (equivalent to leaving an unprotected operating system), then yes, she's probably being sued for more than that by the shopowner, and the fines are utterly appropriate.
What, she doesn't know she shouldn't leave the keys in her car? You know what they say about ignorance and the law....
-- If you're not living on the edge, you're just taking up space!
Re:In relatedly fascial news...
by
tomhudson
·
· Score: 1
No, it's not equivalent. She buys a system that currently works, and only later someone else fucks with it, and SHE has to pay the fine? I like the idea that people other than /.ers find computers useful. This is just a money-grab idea being floated on bad statistics and stupid perceptions. I mean, he's even counting spam, for fuck sake:
If you add SoBig.F and Spam messages as "attacks", you're up to 340 identifiable attacks per hour
Hey, I hate spam as much as anyone else, but let's put some reality into this (oh - that would mean admitting it was a dumb idea in the first place).
And Russ, fix your server (from bottom of page at ntbugtraq.ntadvice.com):
An error occurred on the server when processing the URL. Please contact the system administrator.
That's what you get for running W2K Advanced Server Beta 3
Re:In relatedly fascial news...
by
wcdw
·
· Score: 1
Yes, exactly. She either has to pay the fine, OR PREVENT IT FROM HAPPENING IN THE FIRST PLACE.
That's the whole point.
And I, personally, would LOVE to see those mindless twits who facilitate SPAMMERS either fixed or taken off the net.
Also, I hate to say it, but the odds that Russ is going to read your comment would seem rather low.
-- If you're not living on the edge, you're just taking up space!
Re:In relatedly fascial news...
by
tomhudson
·
· Score: 1
Or maybe we should fix the smtp protocol so that spammers can't spam?
Re:In relatedly fascial news...
by
wcdw
·
· Score: 1
That would be nice, if effectively impossible, IMHO. One is always going to need the ability to e.g. send an uninitiated e-mail to a vendor. Taking over a drone will allow SPAMMERs to continue sending such messages, even if only one at a time. Not to mention mailing lists, etc.
And this only addresses the issue of SPAM, hardly the only purpose for which drones are used. "Fixing" the SMTP protocol will do nothing to address those other issues.
-- If you're not living on the edge, you're just taking up space!
Draconian measures
by
Eric+Ass+Raymond
·
· Score: 2, Interesting
Failing to install a patch is not good enough a reason to punish anyone.
I maintain several win and linux computers and I certainly don't have the time to lurk security mailing lists to stay ahead of every friggin' exploit.
Failing to install a patch is not good enough a reason to punish anyone.
No. But crippling your local broadband segment because of a virus for which a patch exists does count as a good enough reason.
I certainly don't have the time to lurk security mailing lists to stay ahead of every friggin' exploit.
Then, put simply, you do not do your job (assuming security on those boxes does fall under your responsibility). Doing a quick check on the major exploits discovered on any given day takes about 5 minutes of your time. If that day's check turns up a new serious exploit, do you suppose it will take you longer to patch your machines, or to deal with having them infected (along with the unknown costs associated with possible leaking of sensitive information)?
More importantly, realize that this wouldn't necessarily (I realize they could make yet another bad law, but assuming they get it right for a change) affect you just because you didn't apply some obscure patch and someone rooted one of your boxes - More that, if you have a gaping security hole from the well-publicized Outlook-exploit-of-the-week that you choose to ignore for a few days, you have demonstrated total negligence in forcing your machine(s) to play nicely.
The internet depends on cooperative effort at many levels. The sooner the masses of clueless computer users realize that, the better. If it takes small fines to do so, I see no problem with that. And as a bonus, perhaps people would finally stop using Outlook, once they realize that it may well cost them a few bucks.
It's like the fascist bullshit I endure whenever I want to take my unregistered, uninsured, uninspected, unmaintained 1972 Pinto out on the highway and Joe Law hassles me. I mean, who are these Nazis to tell me that a taxpayer like myself (well, sales tax anyway...cuz after all, everyone knows Uncle $ham has no legal authority to collect income tax) can't pilot his beloved Pinto at 85mph in the HOV lane.
Shit, all I'm trying to do is commute, and just because my tires are bald and I've only got one headlight working these sunzabeeyatches are totally oppressing me!
They're all like "Sir, are you aware that it is against the law to operate this motor vehicle?"...
...and I'm all like "Dude, I work for a living and have no time to waste on compliance with your Draconian mandates!"
Vive la revolution!
--
3000+ comments meta-modded. 0 mod points awarded. Lesson for other meta-suckers: Don't believe the hype!
Out of curiosity where do you go every morning for 5 minutes of bug checking?
CERT's vulnerabilities page makes a good start, covering almost anything worth noticing. For the really big exploits, such as Blaster, just checking Slashdot and/or NewsForge daily will inform you of their existence at least a few days before they hit the mainstream press (and, more importantly, before the Script Kiddies have a nice and tidy all-in-one package to take advantage of the problem). That alone leads me to the statement I made about lazy admins not doing their jobs if they ignore major patches - Not a single regular reader of Slashdot has the teensiest bit of "plausible deniability" regarding the recent Blaster worm problems.
Unfortunately, we can only hope that CERT remains a decent source of info on this topic, what with them recently agreeing to act as the lackeys of the US government. But I can hope that they'll at least remain moderately valuable in reporting exploits early enough to avoid damage.
Re:Draconian measures
by
Anonymous Coward
·
· Score: 0
Hell ya! If those Nazis want to be safe, they can succeed in our freedom-driven capitalist utopia and buy a freakin' Volvo!
Rather than making my great Aunt pay if her computer gets infected with a virus... Make the computer maker and Operating system vendor pay. They're the ones that told her she could run her own system, and who sold her overpriced, out-of-date, insecure software and hardware.
Wouldn't that be a big kick in the butt to make commercially-available Operating systems more secure!
No this is no good either... what about Linux and other free (tm) OSes. It's not fair to expect a Linux distributor to pay a huge fine when a component included in their distro has a bug. Jeeze. They're only barely breaking even as it is!
What about foreign computers that propagate this problem?
-- --fetch daddy's blue fright wig, i must be handsome when i release my rage
Re:Soo
by
Anonymous Coward
·
· Score: 1, Interesting
That could be a valid reason to go to war. We will find the Worms of Mass Destruction.
Re:Soo
by
Anonymous Coward
·
· Score: 0
I think you mean terrorists. They will be dealt with accordingly.
Re:Soo
by
Anonymous Coward
·
· Score: 0
Nah that would never work, besides the good american sheeple already tried suing Osama, it's so passe now. I'm sure some would still try if given the chance.
it's more like the manufacturer has a defect that allows your car to be stolen easily, which then someone else steals and runs a red light camera. Now whose fault is it, now that there's three parties involved?
Factor this in to the TCO comparisons of Windows and Linux. Companies are being hit by these worms as well.
Of course the Microsoft lobby will make sure that it never happens, and if it did then a group of virus writers would convene in a well hidden room in Redmond . . .
What he proposes is way too strict. Right now, I run through a firewall and proxy, keep my system up to date, etc. Is it my fault if someone hacks into my computer and uses it? No. I've done everything possible to make my computer secure, short of spending thousands of dollars on corporate-level firewalls, etc., or disconnecting it from the internet completely. No computer is 100% hackproof.
Is it my fault if someone hacks into my computer and uses it?
Apparently, judging from the editorial. It's like someone rear-ending you and you are responsible because you didn't move out of the way soon enough. Also read the following quote:
The fines would be used by ISPs to support the significant efforts required to continually block identified attack traffic.
What a nice way to encourage ISPs to scan their own [users'] network for vulnerabilities and inject them with viruses to increase their revenues.
From the article... We aren't trying to penalize everyone for not being up-to-date or security savvy, but the level of attacks which continue to occur daily after any en-masse attack is enormous. It represents a significant lack of awareness by a very large segment of the public, be they individuals or corporations. Financial incentives have proven effective in increasing public awareness for a very long time. Applying them here is simply a logical extension of our social environment.
Right. A person who doesn't know about patching gets fined? An understaffed public library that has no-one to patch their public terminals gets fined?
And last time I checked, speeding tickets didn't stop people from speeding...
Speeding tickets don't stop people from speeding? Hello?!? Imagine a world in which speeding tickets did not exist (equivalent to the fineless-Internet). Now, how many people are speeding, and how much faster than before??? Do YOU want to drive under those conditions?
-- If you're not living on the edge, you're just taking up space!
And as my friend would say, "Damnit, I keep getting these annoying pop-ups!"
-- -jls
Techno-pagan
Re:Right...
by
Anonymous Coward
·
· Score: 0
The rich can afford to speed, and the poor can't. Great. Now the ghetto kids can't get online because Momma heard that somebody on Wilson St. got fined $50 for something their kid 'failed to protect against' online.
Hey, I'm not trying to solve the problem of the digital divide - just trying to keep my little corner of the 'net safe from harm. AND annoyances, like SPAM.
As for the rich, make the fine schedule escalate with repeated offenses.
If such a plan is implemented, there will be lots of proactive activity on the part of ISPs, OS manufacturers, etc. - if only to provide value add, or sell additional software/services. For thems that don't want to do it themselves, they can pay a small premium on their net connection to have it done for them.
-- If you're not living on the edge, you're just taking up space!
I think the problem here is in the definition of the word "people". No, speeding tickets don't prevent _EVERYONE_ from speeding. However, they do deter the large majority of people from so doing. Saying that they do nothing to deter speeding is obviously nonsense.
-- If you're not living on the edge, you're just taking up space!
What about Microsoft?
by
LoudMusic
·
· Score: 1, Insightful
What about a penalty for Microsoft for being the reason behind the viruses in the first place? You can't fine granny for not patching her computer - it's unethical and just plain ignorant.
Yeah, obviously, if anybody, companies manufacturing the system should be the ones to pay the fines. Poor user buys his first computer, the "best" operating system for it in good faith, connects to the internet and the next thing he knows his computer doesn't work anymore, shutting itself down unexpectedly, and on top of this frustration he is fined for something he doesn't have the slightest idea what it is or how it could be prevented.
-- "Two beers or not two beers. That's the question." -- Shakesbeer
Re:What about Microsoft?
by
brkello
·
· Score: 3, Insightful
Give me a break. What about Microsoft? Any computer on a network is vulnerable, even Linux boxes, why don't we fine Red Hat? Who should we go after when there is a crime? Maybe the criminal who wrote the freaking virus. I guarantee you, any OS that is the most used is going to be hacked...often. You don't fine grandma, nor do you fine the OS company, you find the hackers/script kiddies/etc, and you fine and jail them. Ignorant indeed.
-- Support a great indie game: http://www.abaddon360.com
No. No. No. No. Whilst I entirely agree with your sentiment, I can foresee gangs of hooded men in black forcing their way into your home or office unbidden, duct taping you to a chair and forcibly installing the latest patch on your machine so you don't get 'the company' fined.
Re:What about Microsoft?
by
CausticWindow
·
· Score: 1, Insightful
You are closing in on the truth here.
"The OS that is most used is going to be hacked...often"
The Linux/Apache combination is one of the most common webservers on the net (68% on last Netcraft survey?), and more Linux/Apache webservers get defaced than NT/IIS servers. I assure you that there are many Linux servers that perform a lot of services on the net, and that a lot of them are breached (a Linux box would be more interesting to breach than a Windows box in most cases, at least in my opinion).
Still, you don't get these terrible worm outbreaks, that cause massive damage to innocent bystanders, for Linux (or BSD or whatever).
Do you really think that the only reason for this is that Windows is more "popular"?
I think some of the reasons might be:
Those who write the worms want to harm Microsoft
Microsoft have a bad track record when it comes to patching holes (they have been known to wait until somebody releases an exploit to react)
Almost all Windows exploits are remote administrator exploits
A lot of Windows administrators are generally more clueless than their *nix counterparts
Holes in popular open source packages like Apache and OpenSSH are swiftly dealt with and patched
Almost all Windows users login to their desktop as administrators
I think this issue is way more convoluted than "Microsoft is more popular", and that MS have to take a lot of the blame. Both because their programming conventions have been below par in the security area, and because they have reacted slowly and irresponsibly in the past (granted, the patches for the latest RPC holes were released before the Blaster worm).
-- How small a thought it takes to fill a whole life
I think the hacker "culture" is more about infamy than a cause. They want to do the most damage to the most computers and bring down as many networks as possible to show they are 1337. Windows has the most machines out there, so it is an easier target. You don't shoot the baby deer when daddy is standing right next to it. Ok...bad analogy...but I hope you see my point. I do see what you are saying and agree with you to a certain extent. Windows, by design, is more accessible to the common user because there are fewer configuration issues (an upside) but you have administrative privileges on by default for most non-business users (a downside for security). I think this quality is what makes Windows popular to Joe the user because he doesn't have to know what a su is, he already has full control. Recently, it seems that MS has made more of an effort to put out patches before exploits are released. Our company was hit with Blaster though, because no one trusts the MS patches to be bug free and they wanted to test them first.
The main thing that bothered me about the post I first replied to is that they thought it is ok to fine MS but ignore the fact that you would have to fine Linux too. MS patching is actually easier for a novice user, so does that make Linux more liable for fines? No way, always blame the cause (hackers), don't pass it on to others just because you don't like them (though don't let the OS company off the hook either if they are extremely negligent).
-- Support a great indie game: http://www.abaddon360.com
Re:What about Microsoft?
by
Anonymous Coward
·
· Score: 0
The difference is Microsoft wants to claim no responsibility for putting vulnerabilities in their software. If you're paying money to Microsoft, and you still get vulnerabilities, what are you paying Microsoft for? It's comparable to the Red Cross giving out water versus some company selling bottled water. If the water is contaminated in both situations, you're not going to see a judge/jury supporting any punitive damages against the Red Cross, but you almost certainly will against the company. You get what you pay for, and you have more of a right to fine/sue what you pay for than that which is free. Why should electronic works be any different than any other service?
Re:What about Microsoft?
by
Anonymous Coward
·
· Score: 0
>Maybe the criminal who wrote the freaking virus
Writing a virus isn't a crime. Letting that live virus loose onto your own property isn't a crime either. Only letting that live virus onto other peoples' property without their permission is the crime, as it should be.
Where would the money go?
by
Jason1729
·
· Score: 2, Insightful
If someone's negligence allows their computer to participate in a DoS, why should they have to pay money to a 3rd party regulatory body or government?
So then, how are they going to do a real-world beta test and NOT get fined?
A couple of problems
by
aridhol
·
· Score: 5, Interesting
First, I think this will lead to ISPs only allowing "approved" OSs on their networks, in order to prevent themselves from getting fined. Unfortunately, the approved list will probably contain the worst offenders.
Second:
ISPs must receive freedom from liability for dropping the identified traffic. False detections are the fault of the "Independent Authority", who should also be free from liability.
Sorry we blocked your critical data, but you can't do anything about it.
-- I can't say that I don't give a fuck. I've just run out of fuck to give.
Re:A couple of problems
by
WuphonsReach
·
· Score: 1
"approved OSs" on ISP networks...
Hmmm, reminds me of the bad ol' days of early internet dial-up. If you weren't using Windows, you got no support (and sometimes couldn't run the software needed to connect to the network unless you knew the geeky way around).
Frankly, I think the onus lies both on the shoulders of Microsoft and the standards bodies. MS because after 2 years they have proven they still don't know how to write secure code. Standards bodies because they like to hem and haw over the little things until the cows get blown away in the tornado.
MSBlaster would have had less of an effect if Windows had defaulted to leaving ports closed and turning on the firewall by default.
E-mail worms would have less of an effect if reverse-MX proposals were in place and working. (Sure, the e-mail might have just been routed through the official outbound SMTP server... but at least then you have a chokepoint that is more likely to be within the control of the admins responsible for the machine spewing out the garbage.)
Fines are a bad idea given the current technology's implementation (trusting model, low authentication).
-- Wolde you bothe eate your cake, and have your cake?
Whoa, now, wait a minute....
by
sixteenraisins
·
· Score: 2, Insightful
In order for some entity to levy a fine, there must first be some sort of law broken. As far as I know, there are no laws requiring virus protection or mandatory software/OS updates.
Are we really willing to consider allowing our computers' software, configurations, etc. to be dictated to us by the government? After all, isn't one of the selling points of "free" software having a choice in which OS/programs we use?
I don't want to be told by anybody that I must/must not download any updates to any software I choose to use (unless that particular program's EULA requires it). And I don't think I'm the only one.
William
-- When you're not looking, this sig is in Latin.
Re:Whoa, now, wait a minute....
by
idontgno
·
· Score: 1
In order for some entity to levy a fine, there must first be some sort of law broken. As far as I know, there are no laws requiring virus protection or mandatory software/OS updates.
"Turing. You are under arrest."
William Gibson, Neuromancer
-- Welcome to the Panopticon. Used to be a prison, now it's your home.
Re:Whoa, now, wait a minute....
by
wcdw
·
· Score: 1
No, you don't have to do any of that. You simply have to disconnect your computer from the Internet. Your right to have an unpatched server ends when your unpatched server starts sending me SPAM, viruses, trojans, etc.
-- If you're not living on the edge, you're just taking up space!
Re:Whoa, now, wait a minute....
by
TeamLive
·
· Score: 1
Of course. The whole idea is that laws WILL get passed. That's why the senate staffer asked him to write the proposal in the first place.
Granted, it is very strict, but it isn't a mandate to use one particular OS or program. And, if you choose to use a program, it's only fair that you should be required to patch it so that it isn't capable of inadvertently infecting many, many more computers.
There should be a minimum standard of security.
However, that said, the blame shouldn't fall on the spreaders so much as Microsoft, which has a history of "release now, patch later" software launches. Maybe there should instead be a federal mandate for software companies to at least ensure a modicum of security?
Punish people for a crime they didn't know they committed? This is horrible. To commit a crime, you should have to have INTENT.
The truth is, "ignorant" is a case sometimes.
Just look at the English man who lost his children because someone put a virus on his computer that downloaded porn and he was charged with looking at Child Porn. He was found innocent, but he STILL lost his kids.
According to the article, this kind of thing IS the VICTIM'S fault.
Consumer of the product to be responsible for...
by
mTor
·
· Score: 1
Well this is certainly not a well thought out idea. Why should a consumer of the product be responsible for the product? Computers are not pets, they're an appliance. If a computer is malfunctioning, hold the manufacturer responsible! You should start with holding MS responsible for their bugs and refuse their license which allows them to be untouchable.
But users don't own the OS
by
RichMan
·
· Score: 4, Insightful
For the majority of end-user systems out there the user does not own the software on the system. Microsoft owns the software and has all rights to modify and control the software.
Is the end user responsible, or the actual owner of the software?
The real damage is done by Microsoft employees, these kids with purple hair who had 1.9 GPAs in college and were hired just because they're good at riddles, and their tendency to write horrible, horrible code that is incredibly insecure.
Someone once emailed me some code review and QA type data from the Web department at Microsoft (the IIS people, SQL folks, etc.) and it was absolutely horrible and a bit funny to read the kinds of simple mistakes that were being made.
It seems that Microsoft really does try to push the "innovation" envelope, but they do so at the cost of security. There are dozens of programs today with huge holes that go unpatched.
Let's hold Microsoft accountable, not the people who paid for their products (which are supposed to work).
(I don't see anyone suing Ford owners because their tires don't work properly.)
--
Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
I feel bad for Russ' server (TEXT)
by
Anonymous Coward
·
· Score: 1, Informative
Russ Cooper's Internet Penalties Plan Written by Russ Cooper - 9/16/2003 5:18:48 PM
At the bottom of this document is a poll I'd like you to participate in indicating your agreement, or disagreement, with the information contained herein. Please take the time to respond to the poll.
Internet Penalties Plan
I have previously made proposals regarding the use of penalties to limit malicious code on the Internet. It is important to realize that the vast majority of the volume of attacks caused by any malicious code come as a result of ignorance;
* Computers that Corporations don't realize they even have
* Home computers without anti-virus protection
* Student computers connected to high-bandwidth University networks outside of the University Network Administrator's control
* Computers owned by individuals who don't know how to complete Windows Update
* Individuals who either haven't heard that attachments are bad, or, don't believe attachments represent a risk
This idea, put simply, is to monitor the Internet for new viruses, worms, or trojans. They may be network-based or email-borne. Based on TruSecure's proven Ballistic Threat Model, these new attacks will be assessed to determine if they will represent a significant wide-spread threat. Each year there are approximately 10-20 such attacks. The attack will be profiled, and a method determined, so Internet Service Providers (ISPs) can accurately (99.99%) identify it, and given to them. From that point forward, ISPs will be expected to drop the attack traffic from their networks. When fines are levied from that point depends on the method of attack;
* If the attack exploits a missing patch or a mis-configuration, fines are levied immediately
or
* If the attack requires updated Anti-Virus definitions to stop and/or cleanse, fines begin once the majority of AV companies have released updates which include detection
Customers who will be levied any fine will be notified by email by their ISP immediately upon the first infraction, and then daily after that. Fines will be included in the customer's ISP invoice. The organization responsible for providing ISPs with the accurate identification information (possibly TruSecure Corporation, or maybe the new US-CERT) would determine the point at which fines will be imposed. The fines would be used by ISPs to support the significant efforts required to continually block identified attack traffic.
Such an effort could be implemented within the U.S. only, or more broadly if other countries choose to participate. It would require modifications to existing contracts, both between ISPs, and between ISPs and customers. If mandated by law, it would make such contract modifications easier.
A more detailed look follows;
1. A new attack occurs, be it a new email-borne virus or a new network-based worm. Security companies, and ISPs, constantly monitor for such new attacks.
2. The attack is captured by anyone and sent to the "Identification Authority", that organization responsible for determining the most accurate method to identify the attack "on the wire" with a false positive rate less than 0.001%.
3. The "Identification Authority" establishes the criteria and method to identify attacks for the nation it represents.
4. The "Identification Authority" provides the method to its nation's ISPs. Any ISP conducting business in that nation is to abide by the criteria, identification, and policies provided by that nation's "Identification Authority". Further, the receipt of this identification for a given attack represents the date and time at which fines will begin if it is a network-based attack. In the case of Slammer, this was less than 4 hours into the event, after a considerable number of hosts had already been compromised. In the case of Blaster, this was less than 5 hours into the event, at which point comparatively very few hosts had been compromised.
This guy needs a reality check. A majority of computer users are dumb. When they get OSes like XP, they have absolutely no idea how to secure it. The problem lies in the OS and not in the user.
A majority of computer users are dumb. When they get OSes like XP, they have absolutely no idea how to secure it.
And these dumb users would have an easier time patching Linux? Come on. Any computer on a network is vulnerable, even ones that are patched and maintained. The problem is not in the OS (though every effort should be put in to security both before and after a product is released), but with the people who are breaking the law: the virus writers and the people who initially unleash them. They should be found, fined, and prosecuted. If the problem lies in the OS, you need to have the guts to stand up in slashdot and realize unpatched Linux boxes are just as open as unpatched XP boxes. I agreed with your first two sentences, though.
-- Support a great indie game: http://www.abaddon360.com
I never said anyone would have an easier time patching Linux. In fact, I think an average person would be even more vulnerable with Linux if they unknowingly do a super-mega-server install and keep all ports open. I just picked XP because that's what a majority of novice users use. The OS makers need to start being a little more aware of the fact that most of their users aren't experts at downloading and applying patches, setting up firewalls, etc.
But in part, the OS that Microsoft delivers is the one that most consumers are willing to accept. If Windows developed a reputation for attracting fines, then Windows would either have to shape up or be totally rejected by the market...
first virus fines, what next..
by
InShadows
·
· Score: 2, Funny
a fine for slashdotting a site into oblivion?
Lawsuits abound
by
chia_monkey
·
· Score: 3, Interesting
I just see lawsuits left and right with this one. On one hand, you've got Ma and Pa Kettle who know how to turn on their computer, check their email, and play solitaire. All of a sudden they're notified they owe $2.4 billion because their computer was used to take down sixteen major corporations. Do they get to sue the ISP for not filtering? Or do they get to sue the virus programmer if they're caught? Or hell, do I get to sue them because maybe they infected me and my computer infected the corner store. Sure my fine was only $50, but maybe I'll sue them $250,000 for pain and suffering (hey, this is America, we do that). Scary...
--
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
I agree, but pain and suffering refers to PHYSICAL or EMOTIONAL suffering. Although using MS products may constitute emotional suffering, there is no legal precedent.
-- [SIG] Remember Mattel handheld games?
Apologies from the Cooper Family
by
Peter+Cooper
·
· Score: 1
I'm sorry, I'm sorry. Russ was just a little crabby yesterday when he came up with this idea.
I personally blame my parents, they smoked pot in college, and being older than me, he managed to inhale. Luckily I was raised in a less dirty-hippy fashion.
But, again, my apologies.
Russ posted this to NTBugTraq:
by
Medieval
·
· Score: 3, Informative
I was recently quoted in a WashingtonPost.com article saying I was in favor of fines against people who emit viruses or worms (not just originate, but infectees who perpetuate attacks.) There wasn't any meat in that article describing my proposal, so it comes off sounding kind of cold. I've had this proposal for quite some time, after being asked by a U.S. Senator staffer once to write something up to identify what's lacking in the U.S. National CyberSecurity Strategy document.
I've tried to explain it as clearly as I can, and have included a poll to take your feedback on whether you think the idea would be valuable to you. I'd appreciate it if you'd give it a read and take the poll.
I hereby acknowledge that the poll is hosted on my little T1, so you may well experience bandwidth-related fun. At least you only have to click two buttons to take the vote.
Feel free to repost this request to other lists.
Cheers,
Russ - NTBugtraq Editor
Re:Russ posted this to NTBugTraq:
by
Anonymous Coward
·
· Score: 0
OK, so we know he's really an idiot.
Who the fuck still uses T1's? Cable and DSL are faster and cheaper.
Re:Russ posted this to NTBugTraq:
by
NTBugtraq
·
· Score: 1
Lol, only when you can get it, not all rural locations like mine have such luxuries. I'd be happier to get water, sewage, and natural gas before they bring cable here.
Cheers,
Russ
--
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Re:Danger, Will Robinson! Danger!
by
turg
·
· Score: 1
I don't think insurance can (or wants to) pay fines for you.
-- <sig>Guvf vf abg n frperg zrffntr
Great idea for Microsoft...
by
Anonymous Coward
·
· Score: 0
If this were to happen, Microsoft could create an anti-virus company. Make money from insecure software and from the viruses.
Why don't we just remove them for a period of time
by
AxelTorvalds
·
· Score: 2, Insightful
Instead of trying to get money out of them (look at all the young pirates bitching about being sued for a few grand, they don't have money) why don't we just cut their link for a period of time, say 8 days? It's short enough that you can deal but long enough to really piss you off so you had better make sure you don't let that stuff happen.
Grasping any opportunity at all (never mind if the measure will be effective, or even if it is practical) just to squeeze some more tax dollars out of their constituents.
Problem with this...
by
chrisgeleven
·
· Score: 3, Interesting
people aren't licensed/educated properly to use the internet. So how will they know that they have to update virus definitions and patch their systems? By e-mail notifications? When I used to work for a local ISP doing tech support, most people only checked their ISP e-mail once a month for their monthly statements, they instead had hotmail accounts for their regular e-mail. We would have to call customers non-stop to remind them to check their ISP e-mail for their bill. Now we would have to call them for their weekly virus breakout?
The key is some type of mandatory education before you can advocate fines. My grandmother doesn't know a thing about antivirus protection, she just expects it to work. My grandmother doesn't know a thing about Windows Update, because she assumes the computer is safe.
So what can I do? There are no easy answers, but I guarantee fines are the last resort since none of the other options have been tried at a large scale.
The government can't even figure out a way to keep me from getting a hundred penis enlargement spams a day, but somehow they are going to figure this out?
Would be much smarter to make the companies whose vulnerabilities allowed the trojan/worm/virus to infest the computer pay, instead of having the users do it...
If a car maker has a flaw in its engine causing it to blow up, should the car user or the car maker be forced to pay the damages?
...For smaller customers, such as a home or small company, the ISP policy might be to simply disconnect them, either for a time or permanently, their choice as specified in the customer contract...
And just how are they supposed to get the virus and patch updates? And don't just say "Oh well they can just go over to a friend's house, family member's house, or the library." And then what do they do? Put them on a floppy? That's funny. Norton virus definitions are several megs these days. Stuff isn't easy for the regular 5 hours a month computer user. Sure it'd be easy for /.ers, but we don't make up the majority of the internet subscribers.
ISP's can block the viruses too. Mail filters, port blocking, etc. This is not something that can only be prevented by the end user.
And do what to the rest of the World??
by
Mad-Mage1
·
· Score: 1
I mean the majority of attacks originate or are written outside of the US, it's just that Microsoft is based here. You gonna hold just a very small percentage of the total Internet users responsible and FINE them?? Fuck man, my IP is going to originate from Thailand from now on.
-- The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants.
Fine the O/S vendors instead
by
Dark+Coder
·
· Score: 5, Interesting
The operating system vendors should face the music.
If the U.S. Federal government mandates automobile recall because of some faulty protection system, exceeding expected normal operation or rusted-thru "firewall", then the same should apply toward operating systems; be that may Microsoft, Linux or Unix-based.
Re:Fine the O/S vendors instead
by
_avs_007
·
· Score: 1
So if the factory alarm on my car didn't prevent a car thief from stealing my car, are you saying we should fine the owner and/or the manufacturer, instead of just finding/prosecuting the car thief?
Of course, the manufacturer calls it a theft deterrent system, and does not make any claims to actually prevent a theft from taking place. Just as I'm sure, (at least I hope), the OS vendors make no such claims as, "Our OS will never get hacked", etc...
Now if the car alarm caught fire, and killed the owner, that's a different story. Likewise, if the OS caused the processor to burst into flames, igniting the gasoline that KrappyKewl uses in its liquid cooler unit, causing an explosion sending shrapnel of the depleted uranium used in the casing everywhere, I'm sure you'll see some government action really quick.
Hierarchal Denial of Service
by
4of12
·
· Score: 1
So I can see how when a bill comes in from Nigeria to some random department's web server at a university in Myanmar that the threat of fine will have a profound impact, NOT!
The penalty that is understood is loss of network service.
Successively, pestilent host owners should be notified and given a decent interval to fix their problem.
If not, then the ISP is notified and given a decent interval to get the owner to clean up his act or to disconnect service.
Likewise, up the chain, to the largest ISPs, who would have to agree to knock down major service if the client didn't play the game.
Distributed problem fixing at its finest.
-- "Provided by the management for your protection."
Re:Hierarchal Denial of Service
by
tomhudson
·
· Score: 1
you wrote:
The penalty that is understood is loss of network service.
Kind of makes wardriving more attractive (also gives you a chance to rack up HUGE bills for your asshole neighbours/business competitors/whoever)
I support the fines
by
Anonymous Coward
·
· Score: 0
Folks, the USA is a socialist country. The government needs more of your wealth to implement vast domestic and global welfare programs. It needs money to properly arm the police with the latest military equipment to make sure that the populace is obedient and to confiscate any guns they might have. It's time for you people to grow up and become adults. You're here to serve the state, not the other way around. If you don't support our great socialist government then you're unamerican... besides, we can't kill the gun toting right wingers without money. Support these fines.
Take computers used, software used, servers used, general topo of network, speed of pipes (together) and competency of admin. The conglomeration is the "Computer and Network Insurance (CANI)".
I wonder how much would be charged for a competent unix admin, on a heavily firewalled subnet of mac and windows (separated, of course) boxen, with Linux servers, and a T-3. --- Probably not as much as Winders with MCSE.
--
Mod parent up! by Anonymous Coward (Score:1) Thurs, Nov 31, @13:37
ABSOLUTELY! There are no (apparent) limits (at least in the US) to how frivolous a lawsuit one can initiate. And many small claims courts allow for up to $15,000 suits, for under $100 filing fees. Enjoy!
-- If you're not living on the edge, you're just taking up space!
Is he vaccinated against all possible illnesses, including the latest strain of the common cold? No? Well, he was clearly negligent, and has resulted in you being off work for at least a week, when you could have worked 42 hours plus 126 hours overtime at triple rate, and may well have received a promotion and a 1000% pay rise as a result of doing all that extra time, so he owes you roughly 100 times your week's salary, plus a little extra for pain and suffering.
You'll need representation. Here's my card. Right now I'm suing the driver of an ambulance that reversed over me as I was chasing it.
Simple. Trap the virus, release relevant patches, then after a short grace period, re-engineer the virus to snoop the user's credit card details and make a small payment into my bank account on a daily basis, causing the fine to continue until the security hole is fixed.
A plan with no drawbacks, I feel.
-- ++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
Another impartial proposal (not)
by
Rosco+P.+Coltrane
·
· Score: 5, Informative
Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly...
In other news, the Haagen Das corporation is pushing a proposal to hasten global warming...
Another fine impartial article brought to you by Slashdot.
-- "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Re:Another impartial proposal (not)
by
Krelnik
·
· Score: 1
I'd mod you up but I don't have any points right now. As I read it I was wondering how many times he was going to work the name of his company into the proposal.
This seems like just a ploy to get some publicity for TruSecure. I don't think any rational person would expect this to fly.
Re:Another impartial proposal (not)
by
micromoog
·
· Score: 1
Slashdot publishes approximately 1-2 sponsored articles per day. And no, they don't tell you which ones.
As I read the BugTraq article I was wondering who was going to provide the "approved" software to monitor all this bad traffic and keep up with the fines, etc. "The organization responsible for providing ISPs with the accurate identification information (possibly TruSecure Corporation, or maybe the new US-CERT) would determine the point at which fines will be imposed." Who else will have access to the information? Looks like a perfect opportunity for Russ's company to make a fortune implementing the mother of all Big Brothers.
Is this one of those things where the government tells us not to do it, but deep down they really WANT us to do it and KNOW we will do it anyway? Like $peeding?
fine the commercial software company
by
YouOverThere
·
· Score: 2, Interesting
Seems to be when a car company creates a damaging defect, it isn't the driver who has to pay a fine.
Why should Joe User have to pay for the latest RPC hole?
I have to say although the article lost me from about the first line I loved this:
We aren't trying to penalize everyone for not being up-to-date or security savvy, but the level of attacks which continue to occur daily after any en-masse attack is enormous.
Uhhh yes you are...
Correct me if I'm wrong, but aren't fines a 'penalty'?
Sorry, but flat out this is elitism. These people don't get how great the knowledge gap is from the average user, to anyone who might know what bugtraq is...
Think about it for 1 clock cycle.
Simply make the fine a percentage of the amount of revenue made on that product. That should put the onus back on the software company that unleashed the security horror that is out there. Meanwhile, free software is protected.
Re:fine the commercial software company
by
GigsVT
·
· Score: 1
Free software isn't necessarily no-cost software. The GPL says nothing about monetary cost. In any case, a proportional fine would be good to protect all small software developers, free or non-free.
-- I've had enough abrasive sigs. Kittens are cute and fuzzy.
Another dumb idea...
License the user
Both ideas have some dumb, expensive slow-moving govt body out there... WRONG.
Your money or your life, it still doesn't matter
by
n3bulous
·
· Score: 1
People continue to smoke (in the USA) even though it is heavily taxed, not to mention bad for your health (if you are genetically susceptible...), disgusting, and stinky.
I skimmed the article earlier today and I didn't see it address the education aspect of the problem. If the corporate and education networks are vulnerable, how can you expect joe schmoe to know what to do in a timely fashion? Windows XP and Red Hat have auto update options, but there is a certain level of trust (or ignorance) you need to implement their services.
So, if end users get fined, they will probably opt out of the service altogether by the 2nd or 3rd fine, depriving ISPs of future revenue. Also, it sounded to me like it would be in ISPs' best interest to propagate internet viruses, worms, etc. because they would get a portion of the fine.
-- "The area of penetration will no doubt be sensitive." ~ Spock
I really hope that Russ's computer doesn't get owned or someone spoofs his IP address, or something else that rings up fines on him without his doing.
Unless he can provide an answer to someone that will make them 100% compliant and immune, then his idea is as idiotic as the others.
Fines for proven abusers? Yeah, I'll take that.
Fine the little guy being abused? Nope.
Fine ISPs, corporations, and known asshats.
-- Do not look at laser with remaining good eye.
User selects software and puts the box on the Net
by
ColonelPanic
·
· Score: 1
The user has made the choice to run Windows and to put the computer on the Internet, despite Microsoft's well-publicized vulnerabilities. At some point, accountability for the establishment of an "attractive nuisance" should kick in.
Of course, if Microsoft were to indemnify its users against these fines, perhaps under the condition that the user maintain a reasonably well-patched system, it would be a real selling point vs. Linux, where you're essentially on your own.
-- "Skill shows through where genius wears thin." -Wittgenstein ||
Religion: uniting aviation and architecture.
If you are willing to personally verify that each person with a computer is aware of the threat, your plan sounds fine. By 'verify' I mean contact through some means other than via computer and receive a response from said user. Essentially, one would have to telephone each computer user in order to do this.
Without such explicit notice, users would not necessarily know that their computer could be committing a 'crime'. In fact, as the populace becomes more computer literate and the number of virus/worm writers grows, we will probably see viruses/worms written with an even greater frequency than we do now; perhaps a new one each day? Ahh, you could then call everyone with a computer at least once per day.
As people begin to write adaptive/evolutionary viruses/worms, we'll probably see the number and severity of attacks increase rapidly; perhaps we'll get to the point where there are several new viruses/worms per day. Then you could just autodial everyone a few times a day - maybe even a few times per dinner! Fantastic!
In effect, your plan fines people for being ignorant, but has no safeguards or surefire methods to ensure that users will become less ignorant. There are a variety of outcomes (fewer computer users, users incurring greater and greater fines, etc.) none of which are good for the average consumer. All your plan does is provide help to the big businesses (both software providers [MSFT, etc.] and software users).
I cannot imagine any plausible situation that would cause me to support your plan.
Add THAT to your TCO figures and smoke it!
by
erroneus
·
· Score: 1
Actually, I've felt that dumb operators of computers should be treated just like dumb operators of motor vehicles. Give'm a ticket when their tail lights are out.
This would open up a whole new realm for "Microsoft Haters" but perhaps it would result in Microsoft's patches having a much faster response time as well. But imagine being fined even $5 for your software being unpatched or something...
There are thousands of other problems that could result. Microsoft would cheer this thing even though it'd give them a huge black-eye. Why? It'd give them the chance to put out patches that contain ALL KINDS of "extras" that users don't want. Remember the SP that also updated the EULA? How about DRM updates that nobody wants?
Still, I feel it is the responsibility of the computer operator ENTRUSTED to run on the public internet not to cause damage to that internet or to the other peers of that internet...either knowingly or unknowingly.
Hrm... spammers do damage to the internet too... people who market things VIA spammers should be considered instigators of said damages. This is a really fun idea.
I vote yes.
That's a great point.
by
Anonymous Coward
·
· Score: 0
Say some Windows machines are attacking MY non-MS machine due to a flaw in Microsoft's security model. A flaw that they KNEW existed and wasn't patched correctly... shouldn't Microsoft be liable for any damage I incur to my business?
After all, I am NOT their customer. I didn't sign any EULA with them. It is, as indicated in the parent post, Microsoft's software, not the licensee. But if numerous Windows-based machines are DOSing me or spamming me because of a flaw inherent in MS's operating system, why wouldn't Microsoft be negligent in allowing harm to come to the Internet in general, and me in particular?
Go after the source, not the enduser
by
zerus
·
· Score: 1
Why not charge the company who wrote the bad software instead of the end user? The end user is paying for a service from the company, so it isn't the end user's fault because the company is writing swiss cheese software. I'm just waiting for some class action lawsuits against certain companies who write software that can be exploited by any douchebag with an internet connection.
How can he suggest that I be held responsible for the security faults present in the software I paid dear money to M$ to get?
On what grounds should I be forced to pay an antivirus vendor fees, again, to protect myself from the incompetence of M$ programmers?
The reasonable thing would be to fine the author of the software that allowed the viral spread, if no patch is issued within a reasonable time period.
-- Does everything include nothing?
I think Russ Cooper...
by
Anonymous Coward
·
· Score: 0
...needs to do more Coopering and Less Whining
Re:Why don't we just remove them for a period of t
by
SiliconJesus101
·
· Score: 1
Well, where I work this is exactly what we do. Email the offending party, if they do not reply and remedy the situation they are shut off. This is usually as far as it has to go...as people all of a sudden seem to actually care when they find that their internet access is disconnected but seem to care very little if they are screwing up other peoples computers.
--
"The strong will do what they want, the weak will do what they must."
-Thucydides
I've also pondered whether this would be a valid approach or not. Virus stories in the media tend to portray the people who are actually spreading the viruses as innocent victims, with only the original author being the "bad guy". But the "bad guy" wouldn't have been able to do any damage unless people opened virus attachments, ran unpatched systems, and other no-no's.
Also, this type of approach is not unprecedented... if I fail to maintain my car and it spews pollution into the air, the fines are potentially quite hefty. How is an unmaintained computer spewing pollution onto the Internet that different?
In the end though, I don't think such a thing will happen anytime soon. People would much rather think of themselves as victims when viruses go around than acknowledge they are contributing to the problem through irresponsibility. Also, enforcement is problematic at best. Finally, with many people afraid of technology already, the potential for running afoul of the law through their lack of knowledge would create a major backlash.
This will discriminate against users that aren't engineers...
Most people just want to do their email and surf a bit on the web...
I am more for a penalty system where the ones that sold buggy software should pay for their bad doings, this will make them very fast trying better...
btw, why always have innocent (maybe not very smart but still innocent) people pay for the crap that a few are sending...
2 parties are guilty here, these are the ones putting all these worms and stuff on here and the ones that create the environment where this can happen.
This sounds like a scene from demolition man...
by
Osrin
·
· Score: 1
"You have been fined 5 credits for having a filthy PC"
People should be held accountable for their computers. Just because they didn't write the worm doesn't mean they're not at fault. It's time that people started taking responsibility with their computers, and actually... oh, I don't know... learning how to secure them? And someone mentioned something about kicking 90% of Internet users offline. I don't think the ignorance rate is THAT high, but I still say good riddance. (Yes I'm a bitter asshole, thank you.)
-- -------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
What about diseases?
by
Anonymous Coward
·
· Score: 1, Insightful
What a great source of government revenue! Let's charge people who knowingly or unknowingly pass on colds, flus, herpes, AIDS, gonorrhea, typhoid,...
What about people that are sick?
by
Sir+Pallas
·
· Score: 1
I mean, maybe this means I can sue my sister for giving me the flu? Honestly! When a company just had the crap beat out of their IT division and they've already lost a lot of money, do they really need a fine? And what happens when it hits government offices? Blaster took down a train system in Pennsylvania.
I propose fines for people who fund, operate, post on, frequent, or utilize web sites or services that are knowingly or unknowingly hosted on servers that suffer the /. effect!
Systems dropped of network won't be able to update
by
dsmoses
·
· Score: 1
From the article "ISPs will be expected to drop the attack traffic from their networks".
I'm guessing that ISPs will end up just disconnecting the entire network connection for the afflicted system, which of course will make it impossible to download the patch or virus definition update.
Thus, the endgame is that there will be no network left.
Simply amazing...
by
Anonymous Coward
·
· Score: 0
how a person who is considered knowledgeable about computers and the internet can come up with such an ignorant idea as this.
While I find this perfume intriguing, I didn't realize it was already so popular as to be invoked as a profanity. Is it some kind of god where you live?
Re:Fcuk?
by
Anonymous Coward
·
· Score: 0
You're on the wrong side of the pond me ol' china.
It's not the users' fault. Kids with nothing but time and money cause these attacks. THEY are the criminals. Lock 'em up and throw away the key. This has got to be one of the stupidest ideas coming out of gov't in a long time, and we all know how many stupid ideas come from the gov't. Start doing this, and the Net very quickly becomes a gov't controlled entity, making the "Digital Divide" absolutely huge. And it's not necessarily the software makers' fault. They may have genuinely missed it through no fault of their own. It may not be negligence at all. Besides, suing the companies would instantly put every Linux distribution out of business, since most of them are just barely hanging on as is.
The idea didn't originate in Government, nor is it in any way being sponsored by anyone in Government...at this point. It is my personal proposal to deal with the current situation.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
--
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Who would determine what's fineable or not? The 'Identification Authority' panel of industry experts? Anti-Virus experts? The same ones who make money selling software to prevent viruses/worms? Sounds like a good scheme to sell more antivirus software. More good ole' scare-tactics from the antivirus folks; 'Buy our product or you could be fined'. The determination of a 'fineable' event strikes me as very subjective! What's next, mandatory antivirus software? Wouldn't the antivirus companies love that!
Continue catching and jailing the people who create these viruses, that's the best method.
-- Greg
-- Slashdot, would a spell-checker for posting be too much to ask? It's not rocket science!
Re:BAD idea
by
Anonymous Coward
·
· Score: 0
AHA. Now THAT makes sense. If one is to take these ideas seriously:
1. Follow the TruSecure rules with these comments
2. The ISPs should be fined for their mistakes. All viruses or exploits.
3. If you opt out, you assume the fine if you fail to secure your system against such exploit.
And what about when your ISP is clueless? Mine (BT Openworld UK) did the same when Blaster hit, and blocked ping and traceroute as well for weeks. Now they claim to have lifted the restrictions, but my DSL line is still blocked from the outside world completely. No web server, no FTP, no terminal server... all of which worked before the Blaster worm.
When I call support, they tell me that accessing my computer from the outside world is not supported. However, they say they are not blocking anything and it should work. I tell them it doesn't. They say it's not supported, I can't even open a ticket to get it looked into! The support person doesn't understand that I don't need support, I need them to unblock the ports they blocked!! They say 'sorry...'.
I really want these guys looking after my virus and worm scanning... right.
There are reasons to use port 135 over the net. People at my ISP's forums were suggesting this port be blocked, but one guy was vociferously against the idea. Turned out he worked in the security industry, and having access to ports under attack at home was extremely valuable for him. ISPs shouldn't just block ports without giving their clueful users a way to opt out (as you mention).
-- Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
I wasn't using port 135 for anything in particular......so I started tunnelling encrypted VPNs over UDP on port 135. I did this for years......and then my ISP started blocking that port. Oops, no more VPN for me.
There's a nasty pattern developing here:
1. MS produces some awful software.
2. Net admins see how awful the software is, and look for a quick and easy way to disable it.
3. Net admins find the quick and easy way: block ports 137-139.
4. MS realizes that nobody can use their software because everyone with half a brain has blocked the ports it uses.
5. MS "enhances" the awful software, which really means the same protocol (trivially patched to avoid backward compatibility) on different port numbers (135, 445, and a bunch of others...also SOAP, which goes over TCP port 80 and looks like web traffic).
6. See step 2.
7. See step 3, but substitute the new port numbers.
8. See step 4.
9. Repeat the above until there are no TCP or UDP ports left.
If your software is so awful and so ubiquitous that *BACKBONE ISPs* are blocking the port numbers it uses, then you have problems that open-source developers can only dream of having some day.
-- --
I avoid spam by accepting only OpenPGP encrypted or signed email at this address.
Clear-signed, RFC2015, heck, even
unknowingly? That makes no sense whatsoever! Why should you have to pay a fine because someone else has screwed up (namely Microsoft)?!
-- This comment does not represent the views or opinions of the user.
Re:Fine the OS Manufacturer - not its victims!
by
Anonymous Coward
·
· Score: 0
How would you propose a refund for those running a free copy of debian that was rooted this morning?
Re:Danger, Will Robinson! Danger!
by
SuperBanana
·
· Score: 5, Funny
The Pro version will include an insurance plan in case you go on vacation for a week and leave your XP box on and a new exploit surfaces while you're gone.
Vacation? I don't leave my win2k box on when I go to WORK, lest a new exploit surface before I get home :-)
How to clean things up....
by
Anonymous Coward
·
· Score: 0
Fines aren't the way to go. People still drive over the speed limit, right?
How about offering a discount to account holders whose computers didn't spread viruses. This creates a nice incentive to patch and secure your system, and the ISP wins out with lower telecom bills, not having to upgrade their stuff just to handle all the traffic created by viruses, etc.
Maybe a buck or 2 off your monthly charge for dialup, or $5 off for highspeed.
So this bill would give a financial reward...
by
WolfWithoutAClause
·
· Score: 3, Insightful
...to the government for me getting subverted by a worm/virus?
Wouldn't it be better to give the government an incentive to help solve the problem rather than give them an incentive to get some obscure, amoral, and deeply secret government department to release new and more virulent attacks so as to up their income?
Sure, they probably wouldn't, officially; but why take the risk that some individual in the government would be in a position to benefit from this kind of thing?
These kinds of theoretical problems always sound impossible, but I'm nearly always surprised to find out how often they really do crop up in practice.
--
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
Re:So this bill would give a financial reward...
by
NTBugtraq
·
· Score: 1
The monies don't go to the Government, they go to ISPs, so that ISPs can finance the job of stopping attacks from spreading. Where'd you get the impression the money would go to the Government?
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
--
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Re:So this bill would give a financial reward...
by
WolfWithoutAClause
·
· Score: 1
Fair point, except I don't want to give my ISP a financial incentive to attack me either.
"Luckily our filtering caught all of your virus and worm laden content from getting onto the internet, but we're going to have to fine you for getting infected in the first place."
--
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
Re:So this bill would give a financial reward...
by
NTBugtraq
·
· Score: 1
Sigh, read Point #7 in the detailed section, it specifically covers the fact that customers are going to require verifiable information from their ISP to prove they've transgressed.
Besides, don't you think an ISP that had such a habit would quickly lose its customers, or be widely discussed?
If you just want to disagree with the whole plan, you don't have to come up with reasons, just say you think it stinks...;-]
--
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Impossible to avoid
by
One+Louder
·
· Score: 5, Insightful
Unfortunately, at this point it's nearly impossible for a new user to keep from getting infected.
Let's say Joe Consumer is interested in a computer - he goes down to MicroCompuCenterUSA and buys a spanking new Windows XP-based machine, plugs in the cable modem, turns it on.
*WHAMMO*
He's infected before he even gets a chance to get the latest updates, assuming he even knows that's something he's supposed to do.
My sister-in-law went through this exact scenario just recently. She got nailed by Blaster within a few minutes of powering up the machine for the first time. She has no idea what a firewall is, and would certainly wonder why she would need one with a brand-new computer.
This proposal is a little like buying a new car and having the wheels fall off as you drive off the lot, then being fined for causing an accident.
Re:Impossible to avoid
by
Anonymous Coward
·
· Score: 0
**EXACTLY**
This is what is needed. If people are penalized for using inherently "unsafe" products - be it cars or computer software - then perhaps we might finally get the consumer and governmental pressure that is needed to force the manufacturers and developers and service providers to improve quality.
We have this effect with cars - for example cars with poorer safety records have higher insurance costs.
The penalties can be fines, or bad effects from viruses, or being shunned/blacklisted by the community, or all three. The message goes out: use unsafe products - you suffer. Human psychology takes over and unsafe products are avoided or fixed.
You missed the point of the idea completely. Yes, today, if you put a new computer on the network then it may well quickly be infected with something, be it Blaster, Code Red, Slammer.
The reason that happens is because nobody is stopping the on-going, yet very old, attacks from continuing.
If ISPs were mandated to drop identified attack traffic, the likelihood of you being attacked quickly when placing a new PC on the network is near nil. That's the whole idea.
From that point forward you enable automatic updates and learn how not to open virus attachments.
--
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
I see no mention of any punishment for the programmer who writes the virus. Does everyone here think that those bastards are doing a public service or something? Here's an idea: what we need is to rethink the priorities - let's punish all the innocent people for unwittingly being accomplices and let the actual criminals off scot-free! After all, they're only targeting Windows machines and not Linux, so who cares? It's not like these idiots are too busy to keep their machines updated, what with work, family, etc.
-- To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
There are already existing laws to deal with the miscreants who create malware. If you have any decent suggestions as to how that can be done better than it already is, I for one would love to hear them.
Here's one possible side-effect of the penalties, however. If ISPs log all attack traffic, it may become more possible to trace attacks back to their original source.
--
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Yeah, I gotta admit, that one's a corker - but going after mostly innocent victims isn't the answer, either. Like the computer-licensing scheme, there's no way to put the cat back in the bag and start over, so to speak.
Unfortunately, we don't have a population of computer users who are mostly educated about the problems that can occur.
-- To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
Not comfortable with this.
by
0xA
·
· Score: 2, Insightful
I had this conversation last month:
Boss: I thought I told you to put that RPC patch on all our clients' servers.
Me: I did.
Boss: How come these guys have Blaster then?
Me: I dunno.
Now imagine having that conversation starting out with:
Boss: One of our clients is being fined for worm traffic...
As much as I realize that people failing to update is one of the largest enablers of these worms, I know it is possible to do everything you are supposed to and still get nailed. Firewalled (externally) and patched, but I'm still cleaning it up. I don't think I deserve a fine for that.
Terrible idea, but on the plus side
by
91degrees
·
· Score: 1
He is opening up the debate.
Are people being reckless by not installing the latest patches? Would a fine make them more likely to keep up to date? Personally, I think the answers are "No", and "no", but some other people come up with interesting alternative ideas.
This won't work. After all, the virus writers, crackers, etc. are the ones breaking the laws, stupid!
What DOES need to happen is for the more "grey" forms of cracking to be eliminated, i.e. Gator and such. Programs that install without user intervention and don't leave an entry in Add/Remove Programs are viruses...same thing. Also, ISPs need to be able to handle updating users on their own...this would allow them to require/force patches before you ever get access to the internet. AOL [yes, a really bad /. example] already does this for its own software; they should be able to do it for the major OS too! Most people would consider it a feature. Heck, AOL is already pimping virus checking for emails, port blocking, ad blocking, etc. because it's too much of a problem.
The problem is that most ISPs are "common carriers" and only provide connections... and fear losing that status [think *IAA] if they start being able to block viruses or update systems. Then they could get forced into the censorship business and NOBODY wants that!
Make scanners free or there will be.... trouble.
by
barc0001
·
· Score: 1
If they are compulsory, then whichever companies make the approved scanners have a license to print money, right? I can see it now:
McCrafty Scanpro 2004, $399 for a 1 year subscription, or $39.99 a month.
Or you can go with Ed Norton Antivirus Live SuperCop mark VI - the Revenge for $399 for a 1 year subscription.
You need to buy one of them, which one is it? What's that you say? These cost more than your OS and you can't afford it? Sucks to be you... Maybe you should go back to BBSs then.
If the government mandates a software you must use under penalty of law, they should also provide an avenue for all users to acquire it.
Gimme a break, what about the assholes...
by
AzrealAO
·
· Score: 1
who write the viruses and the worms in the first place, they're the ones who are responsible for any damage done.
Re:Gimme a break, what about the assholes...
by
Anonymous Coward
·
· Score: 0
"Russ...is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly... Russ is taking a poll on his site."
No doubt he'll change his mind when his site gets assimilated by the next big worm.
-- My life is one big siesta in which I'm dreaming I wished my life was one big siesta.
Sounds like Pork, taxes and. . .
by
kfg
·
· Score: 1
90% of the people who sign/agree to this are the same ignorant people who NEVER update windows, don't have an antivirus software, and think that because they don't look at porn it "can't happen to them"...
This scheme appears to be unenforceable. Once again, the assumption is made that the entire internet exists within the legal boundaries of the US. A better scheme would be to warn computer owners of a dangerous condition, and then if it is not fixed in a reasonable amount of time (e.g. 48 hours) then simply blacklist them; e.g. "well-behaved" routers would simply reject any packets from them. Of course, then they would still be free to propagate worms on their local subnet, but other users of their subnet are probably in a much better position to thwack them over the head with a clue-by-four than the government of a foreign country...
--
"Freedom means freedom for everybody" -- Dick Cheney
Re:Why don't we just remove them for a period of t
by
Zan+Zu+from+Eridu
·
· Score: 1
Yeah, so if your company network/servers get hit by a worm and you need the internet for your business, you must effectively close your shop for 8 days. The economical impact of the forced shutdown could very well be bigger than the damage done by the worm itself, resulting in a solution which is worse than the problem.
Is this guy kidding? How about fining the freakin' company whose software has caused most of this mess we're in. Look, if they want to pass laws, let them make the manufacturers stand up for their product first. This has got to be the single most stupid thing I've heard.
Hey I know let's fine the people who keep driving on recalled Firestone tires but not Firestone, no we wouldn't want a corporation to actually have to pay for their mistake. That's it, that will fix the problem.
-- Sure information wants to be free, but how much are you willing to pay for the packaging?
Let the market decide
by
Ars-Fartsica
·
· Score: 1
Sooner or later if the costs of a software product outweigh the benefits, the market will marginalize it. I don't see a more effective, permanent, or viable option than this.
Oh I see, now we're shifting blame and responsibility from the people that make the software to the people that use it. [sarcasm]That makes perfect sense.[/sarcasm]
Fining the software manufacturer for allowing the exploit/hole/security problem? Bet a lot of software companies would make a LOT more rock solid apps/OSes...
Any attempt to hold individual (ignorant) users liable for allowing their machines to propagate viruses, worms, spam will be a complete waste of government money, and it won't cause people to behave any differently.
-- .sigs are for post^Hers.
Unable to see the article, but, I have concerns
by
The+Revolutionary
·
· Score: 1
Will the fines apply to users of buggy software for which no patch is available? Surely this is unacceptable, although not in principle. While perhaps common sense would suggest that you not run an httpd daemon from l33t_D00d357, it seems that drawing a line of what is and is not "sufficiently buggy" software is not a decision we want the Congress in the business of making.
Conceivably we could fine sites running exploitable servers for which patches exist, and say, have existed for two weeks or more.
However, this still seems incorrect. Then, what could we do with users, for whatever reason, running servers on now unsupported OSes? Clearly these people, if anyone, ought to be fined, but by these criteria they will not be.
Also, we can not correct this situation by requiring that all public servers be supported OSes, and then define what level of attention and testing constitutes "supported". This could be a nightmare for Open Source OSes and servers.
Just think, how much do you foresee the government charging to get an OS on its list of "approved" supported OSes? Or how much will they charge for a software producer to renew his or her "certification" that the OS produced is "supported"?
At the very best, we could fine sites exhibiting "gross negligence" in their system administration. The idea that "any reasonable system administrator would have corrected or foreseen this problem".
It seems to me that something like this would be workable.
It would catch sites running open relays, not due to bugs, but due to improper configuration.
It would catch sites running exploitable servers for which a patch or solution has been made prominently available through the particular distributor's "standard means of issuing alerts or updates".
So Why Would I Stay On The 'Net?
by
istartedi
·
· Score: 2, Interesting
I'd have to go back to calling brokers on the phone, and writing checks, licking stamps, and sending things through the mail. I'd have to sign up at the library if there was something that I had to get from the 'net. That's assuming the library can stand the liability. If they can't, I'd probably be limited to the library's proprietary DBs on their local LAN.
In other words, if you want to kill the 'net, just turn my PC into a slot machine that has unlimited negative payout odds.
This sounds like another example of "letting the terrorists win". It would turn the 'net into a "fascist police state".
Oh... unless there is an OS that is guaranteed secure through every revision, which we all know there can't be.
Now, if they capped the fine it might be reasonable. What would I do? Buy expensive AV software? No. I'd buy insurance against the fine and continue to exercise good practices (e.g., not using OE for mail, not downloading crap software that runs in my taskbar, etc.) Does anybody sell "virus" insurance?
-- For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Because if the virus uses their computer to propagate, it's their fault.
That's the point. Such a scheme is based on the principle that if you patch and firewall your machine, and don't open random E-mails and so on, you can't get any viruses. In other words, such a scheme is basically saying that if you get a virus, it's your own damn fault. I agree with that principle in general (although if I run a ftpd, and someone discovers an exploit before it's publicly available, that's not my fault), but I still think that this is probably too extreme.
Seems a Bit Elitist
by
druske
·
· Score: 3, Insightful
Okay, the Slashdot crowd is probably quite a bit more tech-savvy than our old pal Bubba, clicking away at every link that arrives in his inbox and updating his software only when he buys a new machine with it.
But I'm not sure penalizing Bubba is the right answer. Maybe Bubba is ignorant; on the other hand, he might have a legitimate mental handicap. How much responsibility should someone with Alzheimer's disease or a learning disability carry? What about someone who's simply too old or too young to grasp security issues? Where should the line be drawn, and how could we charge according to ability? And how much would it cost to administer such a program?
Not to mention the difficulty of defining a reasonable amount of self-protection. If someone creative roots me through an unknown exploit, am I at fault? What about an exploit that's been made public but no fix is available yet? What if a fix is available, but it hasn't been picked up by my weekly auto-update yet? What if I'm using Windows95, and there's a fix, but it requires hours of searching because the OS is no longer supported?
Re:Seems a Bit Elitist
by
Lord+Kholdan
·
· Score: 1
Okay, the Slashdot crowd is probably quite a bit more tech-savvy than our old pal Bubba, clicking away at every link that arrives in his inbox and updating his software only when he buys a new machine with it.
But I'm not sure penalizing Bubba is the right answer. Maybe Bubba is ignorant; on the other hand, he might have a legitimate mental handicap. How much responsibility should someone with Alzheimer's disease or a learning disability carry? What about someone who's simply too old or too young to grasp security issues? Where should the line be drawn, and how could we charge according to ability? And how much would it cost to administer such a program?
Even better, should we really create a law that ~95% of people can't obey, for reasons that they do not agree on?
I have to agree on this. A computer is to most people just a tool and in many cases an overpriced deck of cards to play solitaire on. As such there is something very wrong if the end users should be forced to be administrators to use their computer for the simplest of tasks.
The quality of the software should be up to the vendor and not for the user to mend afterwards. Imagine the same situation but with other goods and you get the picture of how stupid this idea is. Patches are just a temporary solution to an underlying error in how the software was planned.
-- HTTP/1.1 400
Re:Systems dropped of network won't be able to upd
by
Tackhead
·
· Score: 1
> I'm guessing that ISPs will end up just disconnecting the entire network connection for the afflicted system, which of course will render the inability to update the patch or virus definition.
>
> Thus, the endgame is that there will be no network left.
Judging from my spam logs, if you're talking about 200.0.0.0/8 or attbi.com, rr.com, cox.com, and videotron.ca, then GOOD RIDDANCE!
the mode of connection that provides access to things like browser plugin and propagation of viruses and worms....
As a fair counter balance it means the public in general must now be informed about this third user interface (shell and GUI are the first two) and provided easy and sensible usable access to it as well as being able to open or close such ports as IPC uses.
The organization responsible for providing ISPs with the accurate identification information (possibly TruSecure Corporation, or maybe the new US-CERT) would determine the point at which fines will be imposed.
There must be a strong smell of pork wafting out of the DHS, as first Symantec and now TruSecure try to outdo each other's arslikhan.
-- My next sig will be ready soon, but subscribers can beat the rush
Well, this article lends credence to the claim that we geeks are really good at making things complicated. This thing sounds like it was cooked up by the Louisiana Legislature during Mardi Gras.
-- computerlady - a brand new Slash-daughter - alone, but no longer invisible, in the/. world
And I have a better idea.
by
pclminion
·
· Score: 1
Let's punish rape victims for getting raped. After all, they were asking for it! They should have known better than to wear such provocative clothing.
This suggestion is badly flawed at multiple levels.
First and foremost, Russ Cooper is suggesting that ISPs should be fined if they fail to block attacks that propagate across their networks. This proposal violates the basic end-to-end architectural principles on which the Internet was founded. Intelligence should be localized at the end node, supported by a "stupid" network infrastructure whose function is restricted to routing packets from point to point. "Smart" networks don't scale and they cost enormous amounts of money. Most individuals who are pushing these models are more concerned with supporting a business model rather than a viable technology. Consider what is necessary for Cooper's suggestion to work: Each ISP needs to preserve state on all the TCP connections emanating from a host to ensure that the host is not starting some kind of attack.
It might be possible to create a similar model assigning all liability to the computer owner: Joe Smith's decision to run an insecure system presents a potential threat to some class of computer users. Hence, this action could be considered to be actionable. Here once again, we have a logical fallacy: Suppose that Joe's computer is vulnerable to the XYZ worm. Joe's computer is compromised and used to launch the XYZ worm at other PCs on the Internet. However, the major group of people that are put at risk by Joe's vulnerability is the set of users who share this same vulnerability. In short, the class action lawsuit would be directed against the plaintiffs.
It is certainly possible to argue that compromised systems can be used to inconvenience Internet users in other ways. Case 1: A PC could be used as a Zombie in a distributed denial of service attack. Case 2: A PC could be used as a part of a SPAM generation network. Here, the "cost" of the attack is proportional to the amount of traffic being generated by the host. In theory, if you want to establish a linkage between fines and the cost of a system being compromised, the fine should be proportional to the amount of traffic being generated. I would argue that this would be better accomplished through a tariffing system in which monthly access charges were proportional to traffic volume.
Ultimately, Cooper's proposal would require some kind of licensing system for operating systems. This is an incredibly ugly thought.
Re: Fines
by
Anonymous Coward
·
· Score: 0
That's silly to hold somebody responsible for something over which they don't have any control. This kind of 'l33t' stupid guy should be sent in a prison the next time they don't foresee the next big exploit, just for the example:)
First, we have to assume that the penalties involved will be relatively minor. Not catching a virus on your computer shouldn't put the average customer in the poorhouse. They should see a small jump in their bill and if they fail to react, have their service cut off.
Interestingly though, should this measure work and viruses be largely contained, all the investment the ISPs put forward will not be repaid by fines. Instead, the savings would have to come from them needing less bandwidth to accommodate attacks.
This also doesn't pose massive costs to the customer. Using ZoneAlarm and Mozilla's Email browser would cut their exposure to these risks dramatically and both are free.
I am curious about some things though. One incident I encountered at work saw somebody hitting us with a spoofed ip address. Our rejection responses (it turns out) were being used as part of a DDOS attack. We reacted to the matter once we realized what was going on 10 hours later. Should we have been liable for the time in between?
You ask about your rejection responses being used as part of a DDoS attack and whether that would make you liable to fines.
Quite simply, no. Firstly, the attack causing your rejection responses shouldn't reach you if it's been "identified", the ISP would be dropping it before it ever got close to your network. Secondly, unless the response packets were "identified" as an attack, they wouldn't be subjected to fines. Valid responses to packets would not likely ever be "identified" as an attack.
--
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
As I think about it more, it seems that in the very worst case scenario we would be fined, but we (or our ISP on our behalf) would be able to levy matching fines against the source. In the end, this would level out from our perspective.
It seems like a big problem might be tracking fines. If all fines are immediately payable, in the scenario I described above (which I realize shouldn't happen) a fine brokering agency (probably VISA) would walk away the winner.
I confess to not understanding the ISP industry as well as I should. Nor do I fully understand the proposal (which I did read). However, I do truly like the idea.
I worry that the masses who are more ignorant than I will make this unpassable legislation. People will not be happy to learn that because their computer was attacked (they are victims) AOL is going to charge them more. The Representative that brought them this might not be their favorite person.
The benefits of this program, while fairly obvious to techies, may well go almost entirely unnoticed by the masses. All they see is a higher bill at the end of the month.
Re:Danger, Will Robinson! Danger!
by
JWSmythe
·
· Score: 1
Vacation? I don't leave my win2k box on when I go to WORK, lest a new exploit surface before I get home:-)
On? I don't own a Win2k machine. All mine are Linux.:)
-- Serious? Seriousness is well above my pay grade.
I'd just like the fools who criticized this post to eat some crow now. Sit down, and dig in. There's plenty to be had. I knew that this was a politically motivated exercise. Schneier and Russ Cooper - both either completely lacking in acumen or are scum bags. Making the innocent user pay for the failure of the IT professional, instead of stepping up and assuming our responsibility for this.
Where is this revenue going to go? To line the tax coffers, not to fix computer security. If you believe the latter, then I have a bridge to sell you.
This is the most disheartening news I have seen in months. It makes the SCO abortion look like a vacation.
-- HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Re:Time to eat some crow ...
by
NTBugtraq
·
· Score: 1
Ahem.
Should we ban attachments in email?
Should we make OS' which don't allow users to invoke a program of their choosing?
If not, how do IT Professionals prevent some home user from double-clicking on the "document_all.pif" attachment in a SoBig.F message? After all, it's just an application, for all we know the user may have a valid reason to use email this way.
And if someone does double-click on a SoBig.F attachment, can you honestly call them "innocent"? What were they thinking it was?
I've had a "Safe Email Practices" web page FAQ up for years. The only failure is that I haven't had it widely published such that consumers are aware of the few points it makes.
Our "failure" is that we have been unable to get consumers to pay attention before they are exploited.
Most people don't have to do anything to avoid fines. They simply need to continue practicing the safe networking principles they already practice. They don't need to update, patch, use AV, or any other product in order to avoid fines. They only need to prevent unauthorized access to NICs and think before they double-click on anything. A free personal firewall in its default configuration does the trick just fine.
As far as the revenue, I don't know where you got the impression it would go into tax coffers. If you believe that, I have a bridge to sell you. Try reading the proposal again.
--
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Capitalism at its best?
by
baneblackblade
·
· Score: 2, Insightful
If this does pass (which I sincerely hope it doesn't), what's to stop the guy who collects the fines from writing a virus, snail-mailing it to his buddy in Finland for distribution so his computer isn't picked up by the "scanning software" over in the US and then kicking back to watch the money come in? What is the money going to be used for anyway? I doubt that it would be put to any sort of use in preventing further fines or attacks.
Microsoft
by
Anonymous Coward
·
· Score: 0
I propose fines for Microsoft, whose Windows-running computers allow the propagation of viruses, worms, etc., knowingly or unknowingly.
From excellent karma to terrible karma with a single +5 funny post...
Fines for whoever is responsible
by
AmiMoJo
·
· Score: 1
It seems to me like there are two kinds of problem. There are those problems that arise because of software bugs or security flaws. Things like Outlook viruses that execute when you download them without even opening the mail, or IE exploits. In those cases, the software manufacturer is most responsible. Sure, eventually anti-virus software will catch up, but until then you can't blame people for reading their email.
The other type is the kind that relies on stupidity. Computers are complex tools. If someone crashed a car because they couldn't drive, they would be at fault. Similarly, if a computer starts causing problems for other people because some moron clicked on the "britney spears game.exe" they got as an attachment, they should be held responsible. Of course, it's hard to track these people down and collect.
MoJo
-- const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
A legally sanctioned DOS attack...
by
Darlok
·
· Score: 3, Interesting
For the love of... I think the last paragraph of this article contains the most telling statement: "...make every effort to assist in bringing about a change in the way the Internet is managed..."
The first point is that the Internet is NOT managed, at least in the sense I believe Russ is advocating it should be. Not to go all scary-conservative here, but this is just like the discussion over banning guns -- if you get rid of all the handguns in people's closets, then only the criminals will have them. If you legislate enforceable fines for doing, effectively, nothing, then you force out the majority of people who are scared of incurring any liability, and put a powerful weapon in the hands of those who would cause trouble.
Example:
Gee, I don't like Bob. Bob gets his connection through UUNet. His Windows IIS has never been patched, so next time he goes on vacation I'm going to write a worm that exploits MS00-078. Now, I'm going to turn him in to the "Identification Authority" and hope that while he's gone, he racks up enormous fines. Meanwhile, UUNet has to block port 80 for, effectively, every customer on its network if my worm has managed to infect even one other vulnerable machine.
Suddenly, script kiddies have the ability to embargo the entire net by taking advantage of bugs that happen to listen on well-known ports. I would point out today's earlier Slashdot article. Should all of our ISPs be blocking SSH traffic now?
You can't legislate against stupidity. Nor can you make perfect software. Nor can you expect to fine neophytes into becoming security experts. Even trying would simply place incredible power in the hands of the software vendors, and then huge segments of the computing world become subject to destruction from one malformed "patch", or even worse, when someone finds a way to exploit the update mechanisms.
This is the worst possible sort of power transference. Because people can not, will not, or in some cases _should_ not independently deal with their own technology issues, you empower central entities with an enormous amount of control over individual users. Novice users will relinquish that control, or be forced to pay some ridiculous sum of money in fines. In the end, chances are you end up with even worse problems than you started with.
-- Notice: Your mouse has been moved. Windows will now restart so this change can take effect.
Forget this "You must stay up to date or be fined" lark. If we could just have a reasonable way of getting it back to a user that their system is compromised, that would be great! Systems I administrate get hundreds (literally) of attacks per month against them, almost all of them from Windows boxes infected with some worm.
If there was somewhere I could put in the IP addresses, and if there were enough complaints against a specific IP, they would investigate, that would be great. Give the organisation some actual power to disconnect users that are shown to be causing problems, until they get themselves patched, and we're sorted!
1- Look up the IP under ARIN to see who it's been assigned to at the class C level.
2- Curse creatively as the IP turns up to be from APNIC, and thus has no contact information you can act on.
3- Beer.
Russ Cooper is a control freak.
by
Anonymous Coward
·
· Score: 0
There seem to be two problems with his idea.
1. This would force the regulation of the Internet, ISPs would become responsible for their content instead of common carriers, the govt would get larger and more red-tapey. And this is just the US. How would you propose this should work for other countries?
2. You're fining people for getting sick essentially. You don't imprison people who catch colds or the flu, do you? If someone willfully tries to get others sick, then they're guilty of assault and existing laws can handle that.
3. Russ Cooper is a doody head.
Re:Danger, Will Robinson! Danger!
by
Anonymous Coward
·
· Score: 0
Grandma: "What is this fine in the mail? What is a firewall? Why am I being fined? Is is the gremlins in my computer again?"
Not to mention underfunded organizations like Libraries and schools that may not be completely up to speed. This is a stupid idea. I put this up on the shelf with that idea to destroy people's computers for "piracy".
I find it amazing that people are so amazed that no one patches their computers. Think of your grandparents. What do they know about firewalls and TCP/IP and man-in-the-middle attacks? My mother has a VAGUE understanding of updating software and that it's important, but she doesn't know why. If you don't know why you are doing something, it's hard to continue doing it; and they are bound to miss something important along the way.
Someone had a good idea on another thread. ISP's should be the firewall for the little guy, and if you are in the know, you just opt-out. I work for SBC tech support. They decided to block port 135 due to all the MSBlast+derivatives activity. I think it's only temporary, but it is a good solution. No one really has any reason to be using port 135 over the net anyway. Locally, yes, internet no. You should be using a VPN if it is that important to you.
-- -- Having a Creationist Museum is like having an Atheist place of worship
Re:Danger, Will Robinson! Danger!
by
praedor
·
· Score: 1
Jeez...you're just ASKING for it. You actually even turn it on?!
-- In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
Kind of a dumb assed plan really...
by
snwcrash
·
· Score: 1
It's nice how the plan shields all the corporate entities (and governments for that matter) from liability. Like there hasn't been enough abuse done by corporate America even with the threat of lawsuits from consumer groups. Look at HMO's shield law and how that's used by greedy corporations to keep profits up.
If they identify your system incorrectly and fine you, you should be able to take them to small claims court and get more than your money back. Maybe I'm the only one that's had to argue with a call center operator in India about why my deactivated phone could not possibly have made a call and I shouldn't be held responsible for $9.48... and spent 2 hours arguing about it.
Not to mention that someone has already been hurt once by the virus writer, now the government is coming to pile on and make sure the person is sorry about letting themselves be victimized.
Also, how are you going to fix your system if the ISP knocks you off the net? Somebody from the ISP going to go to everyone's computer to verify its patch load the way some Corp. IT staff have to?
-- Save a life, sign your organ donor card.
Ban the non-technically astute users!
by
LPCalendarGirl
·
· Score: 1
What a great idea! Russ Cooper's plan would remove the majority of non-geek users, such as myself, who constitute a large portion of Internet users leaving more bandwidth for y'all.
I'm a longtime NTBigtraq reader
by
Anonymous Coward
·
· Score: 0
and I've got to say, "Dumb idea Russ." You're not even an American. Don't fuck up our country because one of our dumbass DC residents asks you to.
Punishing the poor for the failings of the rich...
by
Anonymous Coward
·
· Score: 1, Interesting
"We aren't trying to penalize everyone for not being up-to-date or security savvy, but the level of attacks which continue to occur daily after any en-masse attack is enormous. It represents a significant lack of awareness by a very large segment of the public, be they individuals or corporations. Financial incentives have proven effective in increasing public awareness for a very long time. Applying them here is simply a logical extension of our social environment."
Why should grandma foot the bill for the poor software engineering practices of the software industry? Why not fine companies who distribute programs that are susceptible to these security breaches? Perhaps it is the "release first, patch later" philosophy of many closed/open source applications currently in distribution. What about your 14-year-old first-time Windows/Linux/Mac user who can't afford virus software (or, perhaps, is ignorant of such software/risks)? Do you fine the (potentially technically naive) guardian of the 14-year old? While one could argue that the guardian should be aware of the actions of the child, if the child is an innocent internet user (i.e., no porn/warez, etc...), what signs would tip off the guardian? Should the guardian/child be expected to enroll in classes to learn about security risks? While a creative idea, I only see this as punishing the innocent for the crimes of the negligent.
They should be fining the company
by
Anonymous Coward
·
· Score: 0
who makes the software. It's their fault that the exploit is there. So what the exploit was patched, you should send an email to every user telling them about the exploit and what could happen if you don't apply this patch. I'm sure someone like Microsoft which is known for lackluster security could have the resources to do this.
OK, this is off the cuff so probably got a few 'rough edges'.
X = Yearly cost of internet worms and other infectious software to (for instance) UK
Y = Cost of purchasing a virus scanner company & maintaining the database for 10 years. This could be reduced by encouraging community maintenance.
If X >= Y then I propose the government buyout a virus scanner company, open source the product, provide a sourceforge-like page to attract a few geeks, perhaps funds for a full-time developer or two & giveaway the whole lot.
Benefits:
- A Government Approved free virus scanner far more likely to be installed and used by users
- An open source Free virus scanner for those that shun 'Government Approved', ie mind-rays-removed
- Reduced outages due to worms and email viruses, ie less hassle, more lower TCO
Issues:
- If too successful this would create a monoculture, although FLOSS approaches and its inevitable cross platform nature might mitigate
- Government sponsored anti competitive monopolistic practises (if you're in the AV business)
- You still need to persuade people to install and keep the software up to date.
If I read the article right there is supposed to be some type of system that identifies the attack, validates who the attacker/offending user is, and notifies them via email that they've been fined. With all this effort going in to tracking and such, why don't they just block the attacks? Blaster could have been slowed if the appropriate ports were blocked at an ISP level. SoBig could have been blocked by mail servers (either looking for a specific file size or blocking certain subjects). If we have enough technology to find these problems, why don't we block them?
Also, what happens when an ISP feels they don't like file sharing? Would user's be fined for having certain file sharing ports opened on their pc's?
Re:Just block the attacks
by
NTBugtraq
·
· Score: 1
Seems you didn't read the entire article. The whole idea is that ISPs would block the attacks, period, once they've been identified. Problem is, just blocking attacks isn't enough, we want to stop the attacks from emanating continually.
So they block the attack attempt by Computer X, and then fine the owner of Computer X for having to block it. That owner will then clean Computer X so it no longer attacks. Attack eventually stops.
As for ISPs deciding what they do and don't like, they already have that right in their Acceptable Use Policies. If they want to add in there that they will not permit file sharing, that's their right. You can then choose whether or not to continue being with an ISP who has that in their AUP or not.
My proposal only has to do with an independent body's determination of what an "attack" is. It's not intended to become a censorship protocol.
--
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
now all the paranoid people within two miles of me will ask me to fix their computers every week to avoid getting busted.
-- -Tim Louden
Go after the purchaser of bad code?
by
jav1231
·
· Score: 1
Yeah, penalize the end user and let the author of faulty code go unscathed? People already do pretty-well keeping AV software up to date. Most of the problems we see are from newer viruses and I mean large scale. The two most recent are a result of vulnerabilities. But hey, let's go after the end user. It's been working in the drug war for years and it's already being adopted by the RIAA so it's gotta work!
JAV
Is Russ Cooper...
by
Anonymous Coward
·
· Score: 0
George Bush's illegitimate son or something? Maybe they sent the less evil twin away?
This crowd has an element that admires malware propagators, and the rest at least respect their 'genius'. They shouldn't be prosecuted or persecuted, but their victims should. What a great idea. You just helped widen the chasm with your arrogant bullshit, Mr Cooper.
The way it's described here just makes it far too complex to manage. Any savings made by this might not look too good if the expenses are higher. I can just smell the amount of useless lawsuits this would raise.
Now, I don't want to blame the writer completely. Somebody had to take the first step and I do feel that people should have responsibilities. However, I'd start this with warnings instead of fines. Some strict way to report that the user is causing harm to the network and if that continues, the user's agreement with the ISP can be discontinued.
I don't know the case currently - can an ISP get sued for disconnecting a user who's flooding with viruses and worms? If so, I believe that's a good place to start, let the ISP's react to problems. If a user just won't react to some reports, then it's byebye.
No, this isn't problem-free either, but whatever the solution is, it should be taken step by step and using encouragement instead of fear as the main tool. Tax reductions for purchasing antivirus software? Free instruction videos for using Windows Update? Firewalls for consumer internet connections that are set to strict levels by default (some ISP's do that here, works great).
Yes! Let us fine people who have their computer taken over by a virus. Also let's fine people who have their car stolen and used in a crime. Also people who have their identity stolen and used for illegal immigrants. Don't these people know enough to not park in dangerous areas and not to give out their social security number.
We should blame and punish the victim, they are so much more fun to attack than the people actually writing/releasing viruses.
Better example: car licensing
by
axxackall
·
· Score: 1
When I buy the car, new or old, I have to get the license for it. The part of the procedure is to get the car checked for basic safety and environmental conditions. If the car makes a lot of noise or pollution or its brakes do not work - it cannot be licensed and I have to fix it (paying to the mechanics or doing it by myself).
Besides the car I have to get a driver license and I have to renew it from time to time. If I get too many penalty points or if I am noticed in one-time serious traffic violation my driving license can be suspended.
Same thing should be for computers (AND networks) at the moment of connecting them to ISP:
each computer (or a whole network) must have a license to be connected to Internet;
periodically (as often as it's appropriate) safety and environmental checks must be taken care of:
the computer must be protected in terms of ports opened and mail filters installed;
the nightly based cron procedure must do the check and alert ISP if anything wrong found;
from time to time (weekly or so) ISP must scan clients from outside;
Besides my computer, my Internet and PC end-user skills must be licensed:
if I don't know how to update my OS or to install a security patch on it then I cannot be licensed;
if my PC is noticed as a source of virus/attacks and it's proven it's been cracked/infected then I've got my penalty points and have to pay a small fine (below a hundred of $);
if I am noticed as distributing viruses knowingly or hacking myself then my license should be suspended - I have to get the end-user class again, renew my license and pay a big fine (thousands of $);
IMHO it will improve overall Internet safity (imagine how much less there will be opened port and unpatched computers) and accelerate the whole national economy (imaging how many "mechanics garage" companies will rise their revenue!). It will open many new IT jobs and improve exisiting ones (now my boss cannot tell me "I don't belief some one may crack us - we don't have any useful information"). By the end of the day companies will actually safe money as they spend too much now to fight security in such insecure world.
Also it will improve the competition on the market as people will prefer more secure OS to be installed on their PCs. Oops, Bill gates may hate it and lobyy against it. But I still love the idea.
A gang of thugs has been plaguing the city as of late, breaking into houses and stealing millions of dollars worth of property. The city responded by levying fines to all the property owners who failed to properly lock down their homes, which allowed for the gang of thugs to easily wreak havoc in subdivision after subdivision.
Motorists everywhere failed to visit the dealer when the recall notices were sent out so that their brake pads wouldn't fail when vandals spray a special substance on the roads, and now the crash victims want to sue the motorists for not allowing the manufacturer to fix the known defects.
Who's to blame
by
Anonymous Coward
·
· Score: 0
I think we should be placing fines on the service providers THE TRUE CULPRITS in this fiasco, for providing a conduit for the propagation in the first place. People like Verizon and ATT and such... (just kidding)
Really though, it's crazy to think that you can fine someone for this. I'll leave it up to the courts to decide who is responsible. (NO ONE)...in other news, coming up with stories like this is a great way to vie for management! Look at all the buzz he's getting because of this! WOW! Management will actually recognize the face with the name now, instead of saying things like, "Who the hell is that geek, and why didn't he shower today?" Other management type, "I've seen him before too, at the snack machine, snarfing on Grandma's cookies like there's no tomorrow!"
This seems to assume a lot, like: 1) that virus/worm attacks have an easily identified packet signature; 2) that patches keep up with viruses; 3) that anti-virus sources keep up; 4) that patch installation/maintenance is fool-proof and easy enough for the average user; 5) that there isn't a better solution like sending out a worm to patch/update all machines; 6) that a large part of liability doesn't belong to software vendors putting out easily exploitable products (Microsoft especially).
This solution is to largely blame the victim and extract money for a more widespread and fundamental set of problems. It should not be given support.
Analogy time. I get to work, lock my car and go in for the day. An enterprising car thief steals my car, which he then uses to pickup his buddies and they proceed to steal more cars. The police finally catch the guy that stole my car. They return my car, and fine me $100 for each additional car that was stolen.
Now then, how would this be my fault? Should I check to see that my car is secure every 15 minutes? Install a new security system every month?
As a programmer, I've learned that there is one truth above all others: The users are users! They're not sysadmins. Some log on for 15 minutes a night to check their email. To put the blame on the victim for not sufficiently protecting themselves flies smack in the face of our judicial system (Remember the ole 'Dressed like that, she was asking to be raped' defense?)
Why are ISPs not doing some level of firewalling?
This would probably help kick start it, in an effort to not allow it to take effect.
Obviously they don't want to piss off their customer base because some messenger thing won't run, but almost everyone is going and getting a cable/dsl router to protect themselves and doing port forwarding if they are smart enough to even host something.
Why not do this at the ISP? Why aren't ISPs monitoring their own customers and telling them they are infected, or taking them off the network if they are? Hell, offer a $20 an hour service to fix it with some kind of remoting software. People would love that. ISPs should become support shops; they are already connected to your box, and there are a lot of admins without work right now.
Fines for companies
by
Decameron81
·
· Score: 2, Interesting
What about hunting down those guys that actually released the virus?
This sounds as stupid to me as a fine for people that let thieves into their houses.
Decameron
-- diegoT
What's next, a penalty plan for stupid Slashdot posts?
by
Mustang+Matt
·
· Score: 1
That's a dumb proposal.
-- The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Yeah, and I'm wondering...
by
Azureflare
·
· Score: 1
Hey, yeah, I agree. Also, I went to the story link to take the poll and got this at the bottom of the page:
An error occurred on the server when processing the URL. Please contact the system administrator.
Will the Slashdot effect be ruled a "worm"? It seems to propagate itself pretty well =)) It's like a DDoS attack, isn't it?
Re:Fines for companies - it's a good thing.
by
rocketsled
·
· Score: 1
I like Russ's idea, it has nothing to do with suing the people who let thieves in their house.
Russ's idea is more like suing people who let their house turn into a crack house.
What about an economy of deliberate security holes
by
DunbarTheInept
·
· Score: 1
So let's say that a company produces a product that they know has holes. Let's say they put them there on purpose. Later, they charge for an update to the product that fixes them. Customers are stuck having to either (a) stop using the product which by now they probably have already committed to in ways that are hard to back out of, or (b) be fined by this rule when their machine is used in an attack, or (c) buy the upgrade.
Sounds like a sweet deal for the company - planned obsolescence where the customer is fined for being out of date.
This law should be written so it will only apply to people who could have fixed the problem without paying their own money to do so. i.e. the company produces a free upgrade that fixes it and NOTHING ELSE. It's also no fair to be tying mandatory fine-avoiding upgrades to features the customers don't want. "Get the latest security update now on our website or you could get fined for the hole! Oh, and the update installs Spyware Bendover Plus 2.1 as well, for your convenience."
My other concern is with companies that make antivirus software. Can't they secretly make viruses and release them into the wild, and then magically come out with the patch that works on them a few days later? If there is no law forcing you to buy their stuff you can just say 'screw you' and not buy their software. But if the law says you must patch or be fined, then the anti-virus company just wrote itself a blank check.
--
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
This is flat-out stupid. Not to mention the legal problems with enforcing, but this would totally screw up the current net structure. I'm perfectly happy the way things are now, where the punishment IS the multitude of viruses trashing an insecure user. If traffic volume is the concern, go after spam first.
Anyone have stats on how much bandwidth goes through the various MAE-West peering points in a single hour? And you want to scan that UNGODLY amount of traffic for viruses? It's flat-out impossible for someone like UUnet to sort, assemble and scan every traffic stream just to see if it might have a virus. The amount of RAM needed for that buffer doesn't even exist in a geek's wet dream. So ISPs could never police each other, let alone filter infected traffic that's coming from a peer.
Okay, so the part about determining fines is pretty silly, how about the ISP controlling its users? Gonna need some major high-dollar router/firewall units or servers to handle this traffic in near real-time. Better throw in one for each datacenter, so you don't have to backtrack traffic just to get it scanned. Hmm, looks like we'll need some more techies, viruses spread fast and fixes might not be as simple as a firmware update. Oh yeah, and those highly trained techs will need to be on-call so we can raise them any time there's an outbreak alert, and they can't be contractors since they'll be busy trying to fix filtering devices for a lot of other companies all at once. Whew, good thing we went to all this expense so we don't get fined, but it looks like we'll have to recover costs by... oh wait, there's no positive incentive for us.
NO FUCKING WAY am I gonna pay more for access, deal with longer latency, and have 99% of foreign networks inaccessible.
But it's nice that he threw in a plug for his own data security company in the middle of the proposal.
This is analogous to getting arrested for manslaughter because someone stole your car and killed someone during the getaway. Regardless of whether you locked your car and he was a good thief, or you left the doors unlocked and the key in the ignition, you're not guilty of manslaughter. Having an insecure computer should not be a criminal offense, only writing software to break into that computer should be. Prosecute the criminals, not the victims.
-- Vote for Pedro
Re:This is analogous to...
by
cute-boy
·
· Score: 1
Let's extend this scenario....
What if, after the thief crashed your car (which looked roadworthy and didn't have a notice saying 'this car is unsafe, do not drive'), your brakes were found to be faulty. Had they worked, the thief would probably not have killed someone during the getaway. Your own driving technique probably accommodates your faulty brakes; it was on your 'to-do' list...
Do you share some of the liability?
RG
Re:Denial of Sense attack?
by
Bearpaw
·
· Score: 2, Insightful
Sorry, but my bullshit-o-meter went off the scale here.
My bullshit-o-meter goes off the scale whenever anyone sets up a "poll" like this. The results of such a poll wouldn't mean anything, even if the question was sensible. But he doesn't even ask a real question; he wants to know whether people agree or disagree with the "information". If he doesn't know whether or not the information he presents is correct, he should find out. If he knows it's correct, why does he care what other people think about it?
If he'd like feedback on his suggestions, he should say so.
Sorry. It irritates me when people call this sort of thing a "poll", and it makes me less inclined to take them seriously.
To move the responsibility for making secure systems from the manufacturer to forcing the user to fix them afterwards is a terrible idea. It would be much better if security was addressed by design instead of by trial and error as of today. After the software has been released it's already too late to address security concerns. All that is left is a total rewrite or constant patching until the codebase is so filled with patches that it can't be successfully audited anymore.
Especially OSes should be made secure by design since they can't be altered without breaking compatibility with the applications running on top of them. It should be up to the software maker to design the software to be as resistant as possible to attacks. Vsftpd is an example that everyone else should follow. Because it is designed on the presumption that there will be bugs in it, the result of a breach is much, much smaller than if it had been designed to be flawless. Since software has proven itself to be very hard to make flawless, it is a stupid approach to try anyway.
Making software error-resistant requires that it is first well thought through and designed for security before the first line of code is written.
To just put the blame on the users when the problem lies in the fact that nobody paid any attention to safety is just backwards, as it relieves the vendors of making software secure in the first place. That kind of thinking will keep us in eternal patch land.
-- HTTP/1.1 400
Get the fuck off the Internet, Congress...
by
anthony_dipierro
·
· Score: 1
The Internet is a private system owned by private companies. Participation in the system is completely voluntary. There is absolutely no reason for the government to get involved in it. If you don't like the rules given by the ISPs which own the system, then don't connect to the Internet. It's as simple as that.
If the ISPs want to get together and form a confederation of sorts, that's a completely different story. But for now, unless we're talking about a physical crime which merely uses the Internet as a medium (say, mail fraud), the government should mind its own business.
Re:Danger, Will Robinson! Danger!
by
IIRCAFAIKIANAL
·
· Score: 1
Sorry, I was in the bathroom and I turned off my w2k box. What were we talking about?
-- Robots are everywhere, and they eat old people's medicine for fuel.
I work at a VAR/Consulting firm, not national, but large. We all came in this morning and were introduced to our new "hired gun" who was a Cisco expert, but could easily do any of our jobs (yadda, yadda, yadda). It was kind of a funny combination because she had a smoking body but a face that would curdle milk on proximity, but I digress. Anyway, when they went around the room she kind of snickered when she was introduced to my group (MS Enterprise support, shut up, not all MS admins suck and I push Linux where it fits), and was more than a little smug.
Well, I just left the client site she went to this morning, because she got booted when her personal laptop (that she insisted she had to have because it was better than company issue) running Windows ME (???) was pumping out trojans and mass mailing worms by the dozen. The first mail she sent was to the client's director outlining what was wrong with his security, and it popped his NAV client instantly. The client is smaller but has been around for a while, so we are giving him some free labor and all appears to be forgiven (since we did implement a solid patching and anti-virus system for them last year), but it goes without saying we are embarrassed.
Wonder how much Russ would charge her for that, and I hope she doesn't have a job in the A.M.
Sounds like a slow day at the office
by
Anonymous Coward
·
· Score: 0
Sure that'll work, right after they start reimbursing people stuck in traffic due to an accident or stalled car on the road.
Re:Fines for companies - it's a good thing.
by
Anonymous Coward
·
· Score: 0
Fine, crack shouldn't be illegal either. Only selling it to minors.
Re:Fines for companies - it's a good thing.
by
Decameron81
·
· Score: 1
I like Russ's idea, it has nothing to do with suing the people who let thieves in their house. Russ's idea is more like suing people who let their house turn into a crack house.
The point is not everybody knows that something entered their box. People don't even know if their boxes have security holes, so there is no rational reason why they should be punished.
Also, remember that sometimes you just have no way to have your box protected, as someone could be taking advantage of a still-unknown security hole in your OS. And believe me, there are plenty of those.
20% of adults read at or below a 5th-grade reading level, according to the National Institute for Literacy. The innumeracy rate is bound to be worse. But somehow, every computer user is expected to know how to patch their OS and keep their anti-virus software up-to-date? Riiiiiiight.
Cyber warfare would thus become a reality. You pay someone to write viruses specifically to propagate on a certain business's machines and then alert the feds. They get fined; you win.
-- There's a growing sense that even if The Future comes, most of us won't be able to afford it.
-- Lemmy
Re:Why don't we just remove them for a period of t
by
Cederic
·
· Score: 1
You cut off my link for 8 days, I'm going to look at cutting off your air supply until my link is restored.
Translation:
Person(s) responsible for Blaster/SoBig virus: Fine them for creating the virus/exploit
Microsoft: Fine them for allowing their OS to be exploited.
Linux Users: Free beer and money.
All your base are belong to us.
I pay the ISP to flow bits at a certain rate
by
Anonymous Coward
·
· Score: 0
I don't want them to filter my content at all thank you very much. Perhaps I perform penetration tests, will I be fined if a pen test matches a virus exploit?
Outlook Express?
by
Anonymous Coward
·
· Score: 0
I hate to point out that OE's been pretty thoroughly patched for several years now (there are still holes but none of the recent problems have been caused by the holes).
The problem is executables as attachments. As long as programs allow the use of executable programs as attachments, this problem won't go away. And it's a problem with OE, Mozilla, Eudora, and others.
The problem with dumb users opening attachments is widespread - until ALL the email program vendors prevent users from opening attachments, the problem won't go away.
I know you meant that to be funny, or at least I hope you did; however, I fear my country may try to do something horrible in the future. I for one intend to move to Germany within the next five years. As soon as I graduate from college, that is.
-- --fetch daddy's blue fright wig, i must be handsome when i release my rage
Re:From the UK
by
Anonymous Coward
·
· Score: 0
Ya Germany has a much better record on individual rights and freedoms than Britain.
Not to mention that Microsoft could then tout their "Magic Bullet." Oh, security... well we can't be 100% secure without DRM, it's the only way to really make your system foolproof.
Can you name ANY of the exploits that have been released into the wild over the past two years that weren't already patched by Microsoft? I can't - some of the patches had been out for over a year before the exploit was released.
Similarly for the exploits for ANY of the operating systems out there - the Cisco router exploit from August, the Linux LZW exploit from 6 months ago, etc.
There were patches available for ALL of those problems and the attacks were STILL a problem.
The problem isn't that Microsoft writes crappy code, or that Cisco writes crappy code, or that the open source community writes crappy code. The problem is that users don't keep on track of the patches available for their machines, and don't install those patches when they're available.
If you're going to hold Microsoft liable for their exploits, are you going to hold Linus liable for a linux exploit? If not, then why not? If it's not Linus who's responsible, then is it RedHat?
Russ's idea (which, btw, I think is UTTERLY stupid) is simply to move the responsibility of patching from the ISPs to the users that are propagating the problem.
Re:But is it Microsoft's fault?
by
Fermier+de+Pomme+de
·
· Score: 2, Insightful
Why is it that the users are blamed for all of this?
If someone wants to have a box on their desk that lets them chat w/friends, read mail, check the weather, etc. why does that person have to understand open ports, trojans, viruses, firewalls, etc?
Something smells funny; then again, programmers are great at forgetting that someone actually has to use the stuff that they write. I'll give you a hint - when you blame a user for repeatedly falling into the same trap you are missing the real problem: the software doesn't meet the user's needs.
Why should someone be forced to become an MCSE or RHCE to maintain their system? Why should someone be forced to outsource their system maintenance to a 3rd party? Why do we even need virus scanners for email? Who the hell needs macros and scripting in a freaking email client? Why can't the box on the user's desk just do the things the company advertises without taking out infrastructure and attacking other machines?
Because software is created/tested in a half-assed way.
Don't think so? Why do buffer overrun attacks still happen today? Is this something an end user should be responsible for? To take the car analogy above further this would be like selling someone a car with brakes that fail every 2-3 weeks. This is now the owner's fault? WTF?
Windows Update and Up2Date are 2 examples of offerings that make it possible for non-tech users to stay patched. The industry is (somewhat slowly) moving to address the problem of unpatched systems.
Corporations do feel the heat from the ever increasing number of attacks and you can bet that some of the larger customers are giving MS an earful w/regards to what a virus attack does to their TCO. Microsoft is in turn reacting to this, though the lack of competition on the desktop is probably slowing progress here.
Market forces seem to be taking care of this issue gradually. I hope that things can be improved without lameass legislation put together by a group of people that make luddites look like early-adopters. The scary thing is that large corporations are whispering in ears saying things like: "Don't hold us liable, it will be bad for the economy". Is there anyone that is letting our elected officials know what a screw-job it would be to blame end users for problems whose technical solutions are beyond their understanding?
Re:Fines for companies - it's a good thing.
by
rocketsled
·
· Score: 1
Decameron81, I understand what you're saying, but I believe that the spirit of what Russ was suggesting was not to fine for cutting-edge holes but to fine if known holes are not patched right away.
So we're not just talking about a nice house that has been maintained but something built and lacking patches. Perhaps even something abandoned.
In my neighbourhood, if your house (read: server) cannot be protected and you are an absentee landlord, then when someone makes a complaint the following happens.
Neighbours lodge complaint.
Sheriff surveys the house and determines status.
Sheriff locates owner and forces them to clean up.
Sheriff revisits and revisits house status.
If no action taken Sheriff has it boarded up.
An invoice for work added to tax bill.
Sheriff revisits and revisits house status.
If no action taken Court will step in.
If house determined to be a risk then bulldoze.
Problem solved.
If your house is made up of lots and lots of Windows, I suggest third party bricks.
I am a software engineer, and spend quite a bit of time on the Internet working, doing research and such. While the idea of imposing fines on computer users seems to be a step in the right direction, I believe that the methods proposed could become needlessly onerous on the end user.
First of all, the levying of fines and disconnection from the Internet results in the end users being treated as CRIMINALS. From the description of the "detailed workings" of this plan, the end user has no way to "argue" innocence. The ISP is able to disconnect an end user from the network, without prior notification, or due process. In the U.S. this may have Constitutional ramifications. There are no appeals. What will keep ISP employees from misusing the system to get even with some end user? Is the end user without recourse in this event? Is the ISP without liability?
Just stating in a contract that a user "may be" disconnected is not notification that a problem exists. ISPs MUST actively involve their customers in policing the network. If the customer refuses to make the requested updates, then and ONLY THEN is disconnection from the network permissible. My ISP, Newnan Utilities, follows this model.
Secondly, someone must be held accountable for "false positives." Making an unsubstantiated accusation and disconnecting a business from the net, brings monetary damage upon that business. Like SPAM, some URLs are spoofed, either intentionally or accidentally through misconfiguration. I had this very problem some years ago. My ISP misconfigured a cable modem for a new install. When I would log on to the network, I would get an error indicating my assigned IP was already in use. The problem was resolved by my ISP in a few days. However, under your "plan" if the other guy was broadcasting virii or worms or whatever, I would get blamed for it and be penalized. I would have no appeal. I would be judged guilty without a trial even though it was not my fault. This would be a false positive, and the end user MUST have the ability to seek restitution for any losses that result.
Third, someone could be held responsible for an attack just because they were on vacation. I get this from the following, "Those responsible for permitting attacks to continue are only penalized after a "reasonable" amount of time." For example, many people like to check their e-mail just before going off on vacation. These are average people, have virus scanners, and update Windows occasionally. When they checked their e-mail they got infected. They go off on vacation for 2 weeks or more. They hear about XYZ worm that exploits Windows. When they return from vacation, they try to do the right thing. They log on, get a worm removal program from their virus scanning supplier, they get the Windows update, and they think they are safe. But wait, the next day their ISP has disconnected them from the network. Why??? The first time they used the computer after being infected, it was identified as "permitting the attacks to continue." Furthermore, they are penalized immediately because "penalties occur only for attacks which come after such updates could have been reasonably installed," and the worm removal program they were downloading is made available on the second day of the attack, the first day of their vacation. Basically, what is a reasonable amount of time? With the scenario described, the people involved were being reasonable. But ISPs, stating this plan, would say a reasonable amount of time had elapsed and they were guilty. Supremely unfair.
Clearly end users MUST have a means to defend themselves against unjust accusations and penalties. But how? Install a log on every computer? Again, the end user gets screwed. It has been my experience that most end users do not know squat about computers. I know people that can barely use their e-mail. Asking them to locate something in a log fil
I only removed liability from ISPs for dropping identified attack traffic, not for disconnecting alleged attackers incorrectly or levying fines against someone who is not guilty. Those liabilities would continue to exist for the ISP, and they would be responsible for determining how they will deal with their customers on such matters. These issues would all become part of the contract you have with your ISP, so you'd be able to decide against an ISP who does not provide you a way to refute their claims, should one exist in your area. Otherwise, the terms would be similar to the Acceptable Use Policies ISPs already have, and enforce.
No matter what the agreement with you, ISPs would be mandated to drop any attack traffic entering their networks. They may choose not to enforce fining of individuals at all, but instead make the service charge for connecting slightly higher (or no higher at all). Since the fines are imposed by the ISPs on their own customers only, it's a matter for them to work out with you.
False positives are an issue, and I explained in Point #7 of the plan that this has to be detailed sufficiently so consumers are able to verify claims made by their ISP against them.
While your vacation scenario is possible, it misses the point. Yes, someone may well be fined while they are away on their vacation. But let's imagine that those same people left their electric space heater on, with a towel over it, just before leaving. The house burns down, causes other homes to burn, and then they return from vacation. Are they not responsible?
Bottom line, you want to avoid the scenario you propose, simply turn your computer off while you're away. Otherwise, assuming what you suggested actually happened, slap yourself upside the head for not turning the computer off.
Finally, I must point out again, there is no law governing user compliance or fines. The only law I propose is that ISPs must drop attack traffic. Everything to do with the ISP customers is a contractual arrangement between you and them, and is therefore refutable in civil court. It would be handled no differently than any violation of an AUP would be handled, IMO.
--
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
This is a ridiculous idea. In the past month I have been patching servers like mad just to keep up with the latest discovered flaws. If my employer were fined because one of our servers contributed to a virus outbreak, how long would it be before they docked my pay for it? I would be pretty po'd if after a month of putting fires out my boss said, "nice work, but you're paying the bill!" This is yet another one of those "tough action" things that really only ends up hurting the little guy. Just like the virus authors themselves, it is ultimately the sys admins that have to pay the price.
--
A vacuum is a hell of a lot better than some of the stuff that nature replaces it with. - Tennessee Williams
If you are running an operating system that is the digital equivalent of a crack house, maybe you should be fined or ordered to disconnect it from the public Internet. Ownership of private property does not give you immunity from the law.
-- Mea navis aericumbens anguillis abundat
Re:Fines for companies - it's a good thing.
by
rocketsled
·
· Score: 1
I agree, Bureaucracy breeds inefficiency.
Also adds insult to injury...
by
Vladislas
·
· Score: 1
Say a virus somehow finds its way into your computer after you've worked hard to secure your system, and you've shelled out cash for anti-virus/firewall software.
The virus does damage to your computer, erases information, etc., and then continues to propagate using your exploited computer. Your investment in security has failed, you have to pay the necessary costs to repair the damage and restore your records, AND you have to pay a fine.
In fact, since most virii are self-propagating these days, EVERYONE who would claim damages must also pay fines. Now think of it on the corporate scale...
--
Sig Sig Sputnik
On the other side of the coin
by
Morf
·
· Score: 1
Here in Australia, I've heard of at least one consumer who was able to recoup the cost from a retailer for rebuilding their system after a virus attack.
Consumer rights advocates are starting to see virus attacks as being part of a foreseeable problem that users will encounter during reasonable computer use, and that a 1 year warranty (mandated by fair trading laws, here) therefore covers it.
In the case of the consumer above, the retailer didn't provide antivirus software in the computer package, and didn't tell the consumer to purchase/use antivirus software. They paid the $66 to rebuild the computer after Blaster hit.
In other words, the cost of fines will be payable by the retailer, who is liable under the terms of the warranty.
You can bet that retailer is going to look to recoup it from the supplier, and on up the chain.
Interesting stuff.
--
Why should I question authority?!
Re:Fine the OS Manufacture - not its victims!
by
Anonymous Coward
·
· Score: 0
If you were on vacation, and had a door lock with a defect that thieves used to break in. Afterwards, the thieves used numbers from your phone rolodex to call and case the surrounding neighbourhood. Would you charge the original house a penalty? I think not!
If several thousand locks are found to be extremely defective countless times over... perhaps you'd charge the lock company...?
police everything!
by
Anonymous Coward
·
· Score: 0
The internet is a communal tool. You know, a community. Lately everyone's getting all right-wing and 'just' all over the shop. What happened to the whole global community thing? Fuck, if you want a controlled environment, go connect to MSN. Last thing we need is so-called elite policing the net for our benefit (like Truesecure), and the US "fining" other countries?
What's the bet this guy voted for Bush.
What a fuckwit.
All how you view it
by
mindstrm
·
· Score: 2, Insightful
Let's face it. We've survived these worms pretty well. Some minor inconveniences. Sure, some people paid some money.. but it was spread around. We've survived lots of worms, and viruses, and other disasters... each time we learn a lesson, systems are hardened a bit. Pundits bitch about how security isn't getting any better, but if you look at the number of new hosts on the net in the last 10 years, it's surprising how FEW big problems there have been. The Internet is, so far, successful.
Fines for people? No way. ISPs need to be responsible, people need to be responsible.. and that's about it. I'm not in favor of licenses, fines, or any other scheme for keeping the net "safe". It will just create bureaucracy.
What I AM in favor of is making the pricing reflect costs. If your computer uses a ton of bandwidth because of some worm, you SHOULD pay for it. The fact that you didn't know is irrelevant... your computer used it.. it's your responsibility (though not necessarily your fault). Of course, ISPs will not go to this length.. customers won't like the pricing model.. it's better to charge based on average usage, and then kick off the "abusers".
The net has done well so far. Let's keep it open, and let it grow.. and if some organisation really misbehaves, we just won't play with them any more.
Actually it should be a FEDERAL OFFENSE to have your computer taken over, or your house broken into for that matter. People who have either happen to them should get A MINIMUM of 20 years. Come on, you know it's going to happen, U.S. law is like that. Your property is government property, so if someone breaks in then you are aiding terrorism. And yes, the people breaking in are terrorists since they are terrorizing you. So I say let those probably insecure bastards rot in jail, along with the non-violent drug offenders. They deserve it since EVERYTHING IS TERRORISM regardless. And yes, your computer is government property, and although the people are flipping a bajillion microscopic switches on a piece of silicon, it's STILL TERRORISM since those bajillion switches may, or may not, attempt to set another group of switches to its own EVIL way!!!
Does this guy think he has control over everyone in his organization? I would love to see the story about his shit getting owned and people filing lawsuits against him for obscenity when they post nudies on his front page!
Fines for Microsoft? Partial vs Impartial
by
Anonymous Coward
·
· Score: 0
For this to be impartial, fines would first and foremost have to be levied at Microsoft for time and again allowing bad code and not fixing it fast enough. Actually, under current law, it could probably be dealt with, if we didn't have such a partial justice system to begin with, on the order of it's impossible to convict or penalize the rich, yet the poor pay to the last dime.
To his credit, the guy is asking for feedback. This is what I sent him:
Your proposed "Internet Penalties Plan" is flawed in several aspects.
First, the concept of penalizing the victim of a crime, in this case the user of poorly written software, is morally and economically wrong beyond words. Have you ever taken a moment to read the EULAs to most software you install and run every day? The software industry dodges responsibility for its actions like no other industry ever could. If auto manufacturers forced consumers to sell away their rights in the event of neglect or incompetence on the part of the manufacturer, they'd be faced with several class action lawsuits. Yet when an analogous situation happens with software companies, we blame the customer? Perhaps it is the customer's fault . . . for letting the industry get away with such crimes. Ultimately, the poor design of software is to blame, specifically on the technical and user levels. Technical flaws allow the exploits to exist in the first place. Flaws at the user level keep the masses largely and, in most cases, inescapably ignorant of the problem and of any means to fix it. If software companies were held responsible for their actions, there'd be better software, and with better software we wouldn't be having this conversation.
Secondly, even if what you propose weren't horribly immoral, it would still be technically impractical. You'd like to levy fines against people who unknowingly contribute to malicious computer attacks. How do you propose to identify those "responsible"? IP addresses, MAC addresses, and other means of computer identification can and will always be forged. Now, instead of crippling a company's network, all an attacker has to do is trick "the system" into thinking the company is the unknowing accomplice in another attack, thus incurring financial and legal woes for that company. Any proposal too trusting of technology will inevitably be reduced to yet another tool by those who would initiate such malicious attacks. Of course, there's also the issue of logistics, in that it would be virtually impossible to successfully levy all fines imposed since a large portion of these "unknowing" conspirators would lie outside the jurisdiction of the United States.
Overall, while I understand your logic, I believe you to be on the wrong track. Your proposal is fundamentally flawed and ultimately counterproductive.
Sincerely,
Re:Why don't we just remove them for a period of t
by
Zan Zu from Eridu
·
· Score: 1
You know there is a new ssh exploit out? How many firewalls with an open port 22 would there be around? Would it be impossible to write a worm that infects a lot of boxes running ssh? Just some questions that spring to mind.
Anyway, in cases like this ssh exploit, the warnings and patches come after the live exploits. Accidents are going to happen, people are going to get infected before patches or even warnings get out in the future too. If you don't patch really quick when the patch gets out (Murphy dictates this will be at 4:30am local time), you'll find yourself 8 days without internet.
No, no, no, you've got it all wrong.
by
rice_burners_suck
·
· Score: 1
I have a better idea: Propose a new federal law that would require an annual payment of $1000.00 by each user of each copy of any Microsoft product to a federal government department that will distribute the money to Linux developers.
Nazi Law and Scam
by
Anonymous Coward
·
· Score: 0
This is another example of taking away freedom and money away from the population.
Any time you put money and corporations into any equation, and you throw in law, there is always corruption and you and me always end up footing the bill. Does it hurt a big corporation to be fined hundreds of thousands of dollars? no, it is just a tax write off. Dump it on the share holders (us again). What happens when you and me get fined several hundred dollars? I guess that car repair can wait. I'll think twice about going on the internet (freedom being limited by threats of fines). That SPAM mail sender/script kiddie who crapped on my computer is ok to make more money and have more fun though.
The internet is what it is today because it is a free place where the exchange of information is almost unlimited. Pretty soon, spreading of certain anti-government/political party opinions will be deemed damaging, therefore, the offenders will be prosecuted.
Firstly, the article is deceptive in saying there is a poll (unless that was the SSI error); rather, it's an RFC.
It's a bad idea. Having a compromisable machine is not like owning a pool and not fencing off your yard to keep the neighborhood rugrats out; it's not a public nuisance. Instead, operating a compromisable machine is more like owning a Pinto and being unaware there was a recall. Only wait, there never was a recall of Windows 9xCeMeNT2KXP, was there?
-- Were that I say, pancakes?
And my response to this nut..
by
Anonymous Coward
·
· Score: 0
Here are a couple of scenarios to mull over:
1. My grandma lives in Provo, Utah. I get her a Windows PC for her birthday with video chat software and show her what to click to chat with her favourite grand-daughters and grand-sons. I am back at San Jose. Now there is a new email blaster virus. Her computer gets affected and the ISP starts fining her for not making sure that she can prevent this malicious attack via her computer. I am on a business tour and she can't contact me. She ends up getting fined for a whole week before I can finally get there and fix the problem.
2. The same Grandma. She is supposed to do all the updates as soon as the vendors release the updates. However she does not know how to do it. I have three options:
- Let her keep using it until the next email attack. At that point she is pretty much screwed since she has not applied at least 6 updates.
- I keep travelling to Utah every week and keep her up to date. This way she will be fined for a maximum of one week.
- I tell grandma that, according to Russ, she is a moron and should not be allowed near fatal weapons like computers.
3. I apply all the patches that my OS vendor and various app vendors put out there. So my system is secure. However the last flight-simulator I downloaded from the web and installed turned out to be a trojan and my computer quietly spread email viruses while I was happily playing flight-simulator. In the current proposal I will be held responsible for this malicious attack and be fined for as long as this happened.
4. Hackers get super-smart and create a false trail as to what systems are involved. One of the IPs they used for this is mine. Of course the hackers are so smart that they make it look authentic. The "identification agency" cannot figure out this spoof, and I get slammed.
5. I buy a new computer, hook it to my ever-on DSL and go on a vacation. When I am back after a month, I am slammed for a whole bunch of viruses that shook the nation when I was away... oh, incidentally using my computer.
Anyway genius, (yawn) this is getting boring. But I must say I admire your guts in suggesting your own company TruSecure Corporation should be one of the companies which determine when the fines are imposed. Already people have been misinformed enough. Please stop spreading more of this, surgeon general.
FINE THE OS WRITER
by
Anonymous Coward
·
· Score: 0
Do I hear only one name starting with an M?
This would just scare people away
by
blueworm
·
· Score: 1
All that would do is scare people away from using computers, and make it very unpopular to be connected to the internet. Not going to happen.
While we're at it...
by
Anonymous Coward
·
· Score: 0
let's fine people who catch a cold. They should be taking their vitamins, damnit.
Great.....My boxen gets infected because I could not patch fast enough and NOW I get a fine because of it. Sheesh, I lose data, my connection and half my friends won't open my email anymore and NOW I have Joe Schmoe senator saying I should drain my bank account because of faulty (yet popular) software that the government THEMSELVES actually use. When does the insanity end? Someone, please....tell me there's an end.
-- [SIG] Remember Mattel handheld games?
Fines for spreading virii and worms, et al.
by
stmfreak
·
· Score: 1
Shall we also fine those who spread the common cold? Or how about the more serious detractor from American productivity: Influenza.
I'm sure we can think of other virii and such that are communicable, that people can take pro-active measures against, and yet still continue to plague society today. These virii are far more insidious than SoBig or other W32 worms. They don't just disrupt productivity and affect markets, they kill people!! So can we also arrange for a fee-schedule for those found carrying these and spreading them to others? I propose a fee-schedule below, you'll note some of the penalties are self-enforcing:
I think we should institute fines for really bad ideas.... let's start here. I vote we levy a fine of one month's salary for this horrible, horrible idea... After that we can go after the DMCA.
blaming the user is the wrong answer.
by
twitter
·
· Score: 1
This guy is smoking crack. No such proposal will ever fly. End users have been let down and are in a mood to hang people not pay fines.
The users are not at fault and have been let down by Microsoft, "computer experts" and news organizations. They have been told for years that Windows is a reliable and secure operating system that is easy for novices to use. People selling Microsoft infested computers have been happy to spout the party lines. For years the press has shielded Microsoft from a bad reputation by referring to M$ transmitted worms as "computer worms". All of it adds up to a rapidly diminishing ignorance: Microsoft has never been easy, secure or reliable.
Now that the end user is suffering more than ever, this idiot proposes to fine them? Patching, upgrading and virus scans are all in vain, yet the end user has been pumping much energy and money into all of these things and they are still getting hit. So having been so let down, people are going to go after the people who have been lying to them. I give this silly idea about 1/1000 chance of becoming law.
The education you seek is ongoing and costly. People are losing all of their files and having their systems completely screwed by all of these nasty Microsoft transmitted worms. As they pay for new systems and start from scratch, they realize just how shitty software from Microsoft is. They were promised a computer that was easy to use, reliable and secure. What they are now getting is a lecture on virus definitions, "patches", "updates" and all sorts of other trouble. What they need to hear is that free software delivers on the original promise. They will soon hear that. Isn't that what drove many of us to free software to begin with?
My grandmother doesn't know a thing about Windows Update, because she assumes the computer is safe. So what can I do?
Put her on Debian. Set up a desktop icon to run kppp or put her on a cable modem. Set up a cron job to apt-get update and upgrade. SSH into that box every now and then to make sure things are going well. Then, sleep well.
--
Friends don't help friends install M$ junk.
There is one possible benefit
by
crapulent
·
· Score: 1
I find the whole notion presented in this article deplorable. What ISP is going to want to self-inflict a barrel of customer rage? Where does all this money go? Who's in charge of verifying claims? What's to stop malicious users from filing false reports, or clandestinely installing software to incriminate an enemy's PC? How are all these ignorant customers supposed to be educated that they're suddenly liable for tens or hundreds of dollars in fines? If you just start arbitrarily fining people, I don't care how little it is, you will bring down a boatload of wrath and ire. People -hate- fees they don't know of in advance.
But one good thing would come of such a plan: egress filtering by all ISPs. This means that source-spoofed packets would be dropped before they get very far. It would make it significantly harder to spoof anything. No more RFC1918 packets on the public internet. If you ever run a public server on the internet, sometime try adding firewall rules to log and then drop all Bogon packets: those from unroutable IP space, reserved or unallocated space, etc. You will be surprised how much of that stuff is floating around on the public internet, just soaking up legitimate bandwidth. Egress filtering would cause a much higher level of net-hygiene, in my opinion.
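The two checks the post above describes, a bogon source filter and ISP-side egress (source-address) filtering, written out as an added Python illustration that is not part of the original comment. The packet records, the customer prefix (203.0.113.0/24, a documentation range standing in for an assigned public block) and the static bogon list are all constructed here; a real deployment would express the same logic as firewall rules and refresh the bogon list from a maintained feed.

```python
"""Bogon and egress source filtering, as a small packet classifier.

Constructed example. It applies two checks to each packet:
  1. drop any packet whose source lies in unroutable/reserved space (a bogon);
  2. for packets leaving a customer link, drop any whose source is not one of
     the prefixes assigned to that customer (the egress filtering the post
     describes, which is what stops source-spoofed traffic near its origin).
"""
import ipaddress
from dataclasses import dataclass

# Static subset of reserved / unroutable source space. Unallocated space changes
# over time, so a production filter refreshes its list from a maintained bogon
# feed. The IPv4 documentation ranges (192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24) are deliberately left out so they can stand in for public
# addresses in the sample traffic below.
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # shared address space (carrier-grade NAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.0.0/24",     # IETF protocol assignments
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "224.0.0.0/4",      # multicast, never valid as a source
    "240.0.0.0/4",      # reserved (includes limited broadcast)
)]


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the customer
    src: str
    dst: str


@dataclass(frozen=True)
class Verdict:
    action: str      # "accept" or "drop"
    reason: str      # text a log line would carry


def bogon_network(addr):
    """Return the bogon network containing addr, or None if it is routable."""
    ip = ipaddress.ip_address(addr)
    for net in BOGON_NETWORKS:
        if ip in net:
            return net
    return None


def classify(pkt, customer_prefixes):
    """Apply the bogon check, then (outbound only) the egress source check."""
    net = bogon_network(pkt.src)
    if net is not None:
        return Verdict("drop", f"bogon source {pkt.src} in {net}")
    if pkt.direction == "out":
        src = ipaddress.ip_address(pkt.src)
        if not any(src in p for p in customer_prefixes):
            return Verdict("drop", f"spoofed source {pkt.src} not in assigned prefixes")
    return Verdict("accept", "source plausible")


def example_prefixes():
    """Constructed: the single public prefix assigned to the sample customer."""
    return [ipaddress.ip_network("203.0.113.0/24")]


def run_demo():
    """Classify a constructed mix of legitimate, spoofed and bogon-sourced packets."""
    packets = [
        Packet("in", "10.1.2.3", "203.0.113.7"),         # RFC 1918 source from the Internet
        Packet("in", "198.51.100.9", "203.0.113.7"),     # ordinary inbound traffic
        Packet("out", "203.0.113.7", "198.51.100.9"),    # customer's own address: fine
        Packet("out", "192.0.2.44", "198.51.100.9"),     # spoofed: routable, but not ours
        Packet("out", "192.168.1.5", "198.51.100.9"),    # private address leaking out
        Packet("in", "224.0.0.1", "203.0.113.7"),        # multicast can never be a source
    ]
    return [(p, classify(p, example_prefixes())) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in run_demo():
        print(f"{pkt.direction:>3} {pkt.src:>15} -> {pkt.dst:<15} {verdict.action:<6} {verdict.reason}")
```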
Broken Poll Web Site - Pay a Fine Too?
by
billstewart
·
· Score: 1
If you're running a polling web site, and it's broken, which Russ's site is, obviously you should be paying the fine too, right?
--
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Oh I get it, it's all MY fault!
by
serutan
·
· Score: 1
Come on folks, if this idea makes sense then I guess we could take a big bite out of crime by penalizing people whose houses get robbed. After all, if everybody had a top notch security system then we wouldn't have any burglaries, would we? Yeah, I see now, it's the people who create the opportunity for crime who are really responsible for it.
Holy Christ, somebody get me off this freakin planet.
This is a _Bad_ idea. If anything like this became law, instantly, the government can fine/arrest someone for trivial things.. like hosting a web page.. or running an SSH server that circumvents "network security." Next thing you know, your grandma is going to jail for failing to patch her system.
While we're at it, maybe we should create a bill that requires anyone who runs an alternative OS (read: Not Windows) to be fined/computers seized/computer "privileges" taken away/etc. because their system is not "secure"...
-- Your Silence speaks more than words ever could.
Re:Danger, Will Robinson! Danger!
by
kilgore_47
·
· Score: 4, Insightful
Riight, let's punish the ignorant victims for their ignorance... 'Cause fining the richest man in the world, or his company that is the cause of most of the problems, why.. that... that would be crazy!
*shakes head*
This is a horrible idea for oh so many reasons. The first that comes to mind is that government mandates about ISP logging and packet blocking are a bad thing. Once a national infrastructure is in place that allows a government sponsored program to declare certain packets or application signatures "bad", what's to stop them from adding more things than just viruses? It would be trivial, technically, to write a 'virus definition' for p2p traffic. It would be almost as trivial, and only a bit more expensive, to get this done on a political level (a certain senator from disney would probably love to help out). When the DMCA crowd is done adding their firewall rules, maybe the Patriot Act fan club will want to throw in a few too... What it comes down to is that the U.S. government cannot be allowed to regulate the internet in this manner.
Which also brings up another point; being US-only, this system is pretty worthless for stopping attacks. To be effective, the law would need to require extensive "border" filtering at sites with international peers. See point above about why this is really bad. Fortunately, this whole proposition is such preposterous crazytalk that I don't think it actually has much of any chance at happening.
I think a better idea would be to implement new regulations surrounding software warranties. I don't know how exactly it should be done, but I do know that (a) if a company's ReallyExpensiveProduct routinely breaks and causes large financial damages for its users, the company should be somehow held liable, and they shouldn't be able to get out of it with a clause in an EULA. But at the same time, (b) independent programmers who are giving their software away need to be able to do it without taking on liability, or they won't be able to do it at all, and we won't have Free software. The No Warranty clause of the GPL is a very important one. It would be great if paying for software meant you had more guarantee that it was going to work... it's really a bit bizarre that today the software you can get for free works better than the software that costs money. Perhaps a sliding scale price based warranty would help with that.
-- ___ The way to see by faith is to shut the eye of reason. --Ben Franklin
'Tis a bit like having your car stolen and used in a robbery, then being punished for the robbery itself.
The fact that the locks can be picked with a screwdriver, or that the dash just unclips for convenient hotwireage has no bearing at all.
Users on the whole don't knowingly open security holes - they are open by default. If any fines should be issued, it is to the people at fault not the victims.
If a user were to find a suspicious program or new exploit - they would be less inclined to report the incident because of the fine.
-- This perpetual motion machine Lisa made is a joke, it just keeps getting faster and faster. - Homer
And there is really no reason to limit this to corporations only. A buffer overflow in some Linux code? Look into the source for the copyright notice and sue the hell out of the poor schmuck who wrote it!
One of the bases of commerce (in the US, I have no experience elsewhere) is the concept of "Merchantability" - in other words, when selling a product, the product sold had better be pretty much what was promised.
If I sold a widget to a customer, and the widget did not perform to "reasonable expectation" then the customer is entitled to a functional widget or his/her money back.
In the case of the immerchantability causing personal harm, some additional liability may be incurred by the vendor as well.
However, if I *give* something away, the idea of merchantability is thrown on its ear. Merchantability as a concept depends on the existence of a profit on the item whose ownership is being transferred.
I can give you defective stuff until we're both blue in the face - but I incur no particular liability or requirement that the stuff perform to any standard, because when it's given away noncommercially, it's not merchandise.
Even in the case of Red Hat, merchantability starts to weaken - they don't really provide the software, per se, they provide the package. They provide additional services to otherwise free software. Since they give it away, they are certainly not charging for the software itself!
It's a fine line, and one that's increasingly solidifying.
-- I have no problem with your religion until you decide it's reason to deprive others of the truth.
Sorry, but this is just utter nonsense. You can't punish people for not being "literate" computer users. I'm all for security awareness and all, but this is just ridiculous.
-- If a train station is a place where a train stops, what's a workstation?
Money from the Government for the Government
by
Madcapjack
·
· Score: 1
Well, based off of my own experience, I'll make a bet that the outcome of such a plan will be that government agencies and departments, especially local government, will end up paying a lot of fines. Sounds fine to me.
Hey, that was a pun! ha ha ha I didn't know it at the time. ha ha ha I'm punny
His heart is in the right place..
by
Anonvmous Coward
·
· Score: 1
... but I have difficulty seeing how any of this could work without a standardized system. Maybe, just maybe if everybody ran the same version of [$IdealOS], this would be possible. But it just doesn't work that way. Even if you just isolate the Windows users out there, everybody has different tasks for their computers. Somebody who sets up a PC as a VCR, for example, is going to treat it like an appliance, not like a car that has to be maintained. (Sorry for the weak example, I'm sleep deprived.)
No, this idea may have the right intentions, but it's not a well executed one.
Consider this another wrinkle in the Total Cost of Ownership debate.
But who owns it??? Expect MS to change their EULA in response.
"Microsoft reserves the right to muddle your OS install in any way we see fit, but you poor suckers are ultimately responsible when your computer becomes a festering mass of worms and virus's."
-- When the people fear their government, there is tyranny; when the government fears the people, there is liberty.
Software makers are always going on about how when you buy software, you don't actually own it, you own a licence to use it. Therefore, if the software allows a virus to spread, surely it's the software maker's role to bear the responsibility, as they are the only ones who own the software?
If they argue that the user owns the software, then we are allowed to reverse engineer it etc...
Russ think twice
by
Anonymous Coward
·
· Score: 0
Dear Russ,
Do you really think that this will solve this problem? I guess not!
Remember, the internet is a free medium, and it should be free! So enforcing your idea is very wrong.
1. Fining either users or OS manufacturers presents a problem because it creates an incentive for others to write viruses targeting systems they don't like. Linux proponents, for the sake of argument, might decide to take Microsoft down a peg by releasing a series of viruses targeting Windows. If the government fines users, users will rapidly get pissed at MS and switch to another OS. If the government fines MS directly, Microsoft gets hurt. Some slashdotters might find this situation desirable, but you have to consider that there would then be just as much incentive for MS to release malware that targets Linux or Darwin. And with the open source nature of those projects, an adversary might well be able to introduce flaws into the source just for the sake of creating future exploits.
2. The real culprits here are the people writing viruses. Yes, software manufacturers need to do all that they can to make their products secure. But even an insecure OS works well if people act in an ethical manner. Put another way: when someone pours sugar into your gas tank, do you blame Ford because your filler cap doesn't lock? Of course not; you blame the malicious punk that did the damage.
3. There's no reason that market forces couldn't work to push manufacturers to fix their security issues. They don't work right now because consumers either don't understand that Windows is full of holes, or they feel that they don't have any choice in the matter, or they feel that the benefit of using Windows outweighs the drawbacks. Educating people in this respect is something that we can do ourselves, and that includes educating your elected representatives. Indeed, I'd guess that virus attacks would be significantly reduced in both frequency and impact if 50% of federal, state, and local government computers ran anything other than Windows. A heterogeneous environment is our best defense against malicious software.
Re:most people only checked their ISP
by
Technician
·
· Score: 1
When I used to work for a local ISP doing tech support, most people only checked their ISP e-mail once a month
My ISP only provides one account. My wife uses her school account, I use my work account, the kids don't get mail due to inappropriate unsolicited spam. (My 9 year-old doesn't need Viagra or any alternative.) I can easily understand why the ISP mailbox goes unchecked for long periods of time. ISPs may change often due to service problems, better offers, etc. Who wants to change mail to get a better ISP offer? I've had 3 ISPs in the last 6 years and have not changed e-mail addresses. Others get spammed to death, so they use disposable e-mail accounts. Who wants to change ISPs to get a new account that the marketers haven't got? Many people only use the ISP provided mailbox for the billing statement because any other use could soon turn it into a spam collection repository. I've never mailed anyone with my ISP provided mailbox for that reason. It's the only way to keep it unlisted. Only the ISP has the address.
-- The truth shall set you free!
verisign isn't the only one
by
Anonymous Coward
·
· Score: 0
(copy infringed from a post of the debian users email list posted there by Michael D Schleif)
dnsqr a *.nu answer: \052.nu 86375 A 64.55.105.9 answer: \052.nu 86375 A 212.181.91.6
dnsqr a *.com answer: \052.com 167 A 64.94.110.11
dnsqr a *.net answer: \052.net 211 A 64.94.110.11
dnsqr a *.ac answer: \052.ac 86376 A 194.205.62.122
dnsqr a *.museum answer: \052.museum 156 A 195.7.77.20
dnsqr a *.cc answer: \052.cc 3577 A 206.253.214.102
dnsqr a *.cx answer: \052.cx 86378 A 219.88.106.80
dnsqr a *.tm answer: \052.tm 86378 A 194.205.62.42
dnsqr a *.ws answer: \052.ws 10779 A 216.35.187.246
Won't work for the masses......
by
wagsworld
·
· Score: 1
Let's say I am on vacation for two weeks. On the first day of the first week of my vacation a major worm virus event happens. Since I am not at home to update my machines I get infected. Because of the virus my machine cannot automatically update its virus definitions, or my Antivirus software crashes in the process, or part of the virus disables the autoupdate feature of my Antivirus and OS automatic updates fail also. Since I am on vacation I do not check my computers. I have no idea that any problems exist. For argument's sake we will say I am hiking somewhere remote or visiting the outback region of a foreign country. Assuming that we say the reasonable time the "Identification Authority" or my ISP has set is one week, then I get fined starting some time in the second week. You have just fined me for something I could not predict, prevent or respond to.
These fines might work against corporations and small businesses but I can never see them being set against the public at large.
I think that you are giving the ISPs way too much credit. Most ISPs are understaffed and the bulk of the staff they do have is grossly under trained for their jobs. My ISP at home is Time Warner Cable. I once spent 3 hours talking to them and trying to convince them that the Web Browser I was using had nothing to do with why I couldn't ping my default route they were assigning via DHCP. I can only imagine how long it would take me to convince them that I was a false positive and get the charge reversed. Worse yet, trying to convince them that my IP Address had switched between the time they detected the offense and they decided to bill me.
Yeah, that's it, this will work...
by
Anonymous Coward
·
· Score: 0
not... Let's compare this to an almost identical real world scenario, shall we? Russ leaves his keys in his car, or does not purchase a car alarm.
His car gets stolen. The person who stole it, drives through a market doing 40 and kills 15 people.
Should Russ pay a fine or be held responsible in any way for what this criminal did? I bet Russ wouldn't think so.
How about this. Russ, instead of buying the $60 schlage lock for his front door, on his house, skimps and buys the $20 one.
A thief, who is expert at breaking these $20 locks, comes along and breaks into his house, and steals Russ's steak knife set.
The thief then stabs an FBI agent, or a congressman, or an Army corporal.
Should Russ pay a fine for this?
Grow up Russ. People should protect their property, but there are no constitutional or legal grounds that require them to do so. Only criminals are responsible for what criminals do.
While I agree that only an idiot leaves his door, car, or computer unlocked, you can't penalize him.
l8, AC
Guess who MY first target would be...
by
ehrichweiss
·
· Score: 1
Jeez, is the guy that retarded? He'd be the first unknowing propagator if I wrote worms/virii just to make a point...especially since hiding the origin wouldn't be difficult. *Knowingly* propagating them is already a federal crime..what the hell does he hope to accomplish? Seems it's time for a non-wintendoze OS for the masses...QNX anyone?
Re:Guess who MY first target would be...
by
NTBugtraq
·
· Score: 1
So, you can spoof my networks to my ISP? How? I mean, as part of Point #7 in the proposal I stated that the ISPs would have to be able to provide sufficiently detailed logs to customers to prove they emitted attack traffic. Don't you think I'm going to want to see the logs from the router my router connects to? Now how exactly are you going to spoof traffic from my network on that router's interface to me?
Granted, if I have a root'd system in my network, that could certainly be used to cause me to incur fines with my ISP. But I'd really like to see people stop talking about spoofing.
--
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Re:Guess who MY first target would be...
by
ehrichweiss
·
· Score: 1
Now how exactly are you going to spoof traffic from my network on that router's interface to me?
My first answer: about 4 phone calls will get me all that I desire. 2nd: Not everyone has your config and I don't hafta spoof the attack coming from your network, I simply have to infect your network from a spoofed or anonymous address...you then provide all the evidence necessary. With the new sendmail vulnerability announced, this is getting easier and easier to accomplish in almost any way I see fit...so where's the challenge in that?
-- 0x09F911029D74E35BD84156C5635688C0
Automated fines and the law of large numbers
by
Anonymous Coward
·
· Score: 0
"Each year there are approximately 10-20 such attacks."
"The attack is captured by anyone and sent to the 'Identification Authority', that organization responsible for determining the most accurate method to identify the attack 'on the wire' with a false positive rate less than 0.001%."
So each ISP customer has 0.010% to 0.020% chance (100 to 200 in one million) of being falsely accused and fined within any given year. A mega-ISP with, say, 10 million subscribers would make thousands of false claims every year, and that assumes this scheme operates at its stated performance level of 10-20ppm false positives (which seems very ambitious). The resulting poor word-of-mouth will put a dent in their market share. I bet this doesn't fly, certainly not for very long!
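The arithmetic in the post above, carried a step further as an added example (not code from the post's author or from the proposal): the per-customer chance of at least one false match over a year, the expected number of wrongly fined subscribers at a large ISP, and the base-rate effect the post does not mention: at a fixed false-positive rate, the share of fined customers who are actually infected depends on how widespread the attack is. The 10-20 attacks per year and the 0.001% false-positive rate are the proposal's own figures; the subscriber count, true-positive rate and infection prevalences are assumptions for illustration.

```python
"""Expected false accusations under a per-attack signature scheme.

Inputs taken from the proposal: 10-20 qualifying attacks per year and a
per-attack false-positive rate below 0.001% (1e-5). Subscriber counts and
infection prevalences below are constructed assumptions, not measurements.
"""

FP_RATE = 1e-5          # 0.001%, the proposal's stated ceiling
ATTACKS_PER_YEAR = 20   # upper end of the proposal's 10-20 estimate


def p_false_accusation_per_year(fp_rate: float, attacks_per_year: int) -> float:
    """Probability that a clean customer is matched by at least one signature
    in a year, treating each attack as an independent trial. The post's
    attacks * fp_rate figure is the first-order approximation of this."""
    return 1.0 - (1.0 - fp_rate) ** attacks_per_year


def expected_false_accusations(subscribers: int, fp_rate: float,
                               attacks_per_year: int) -> float:
    """Expected number of clean subscribers wrongly fined in a year."""
    return subscribers * p_false_accusation_per_year(fp_rate, attacks_per_year)


def positive_predictive_value(fp_rate: float, tp_rate: float,
                              prevalence: float) -> float:
    """Fraction of customers flagged for one attack who are really infected.

    Standard base-rate calculation: flagged = true positives among the
    infected plus false positives among the clean. When the attack infects
    about as small a share of subscribers as the false-positive rate, roughly
    half of the fines go to people who did nothing."""
    flagged_infected = tp_rate * prevalence
    flagged_clean = fp_rate * (1.0 - prevalence)
    return flagged_infected / (flagged_infected + flagged_clean)


if __name__ == "__main__":
    subs = 10_000_000  # assumed "mega-ISP" size, as in the post
    print(f"per-customer yearly false-accusation probability: "
          f"{p_false_accusation_per_year(FP_RATE, ATTACKS_PER_YEAR):.6f}")
    print(f"expected wrongly fined subscribers per year: "
          f"{expected_false_accusations(subs, FP_RATE, ATTACKS_PER_YEAR):.0f}")
    # Assumed detection rate and two assumed infection prevalences.
    for prev in (1e-3, 1e-5):
        ppv = positive_predictive_value(FP_RATE, tp_rate=0.99, prevalence=prev)
        print(f"prevalence {prev:g}: {ppv:.1%} of fined customers really infected")
```

The point of the last function is that the proposal specifies only a false-positive rate. For a worm that compromises one subscriber in a thousand the fines are mostly justified; for one that compromises one in a hundred thousand, the same signature fines about as many innocent customers as guilty ones, because the clean population is so much larger.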
Re:Danger, Will Robinson! Danger!
by
Anonymous Coward
·
· Score: 0
Software warranties aren't all that great either. I think you're just looking to stick it to the 'man'. With everyone and their brother trying to poke holes in MS products prices will go up and innovation down. Furthermore, for email viruses, you won't see your warranty kick in. Someone sent you an email with a program that does something bad. You ran that program. Your fault, not Microsoft's.
You'd see a litigation explosion as well. I've had customers who had their configuration wrong, didn't check their output, and sent their output along. That cost them money and they wanted us to pay for it. While even under warranty we shouldn't be liable for that, litigation risks are scary.
Worse for us, we specialize in providing custom code to customers. They frequently ask for changes and we respond quickly. This means things break more often than otherwise but we're able to fix those problems quickly. If we had to do super rigorous testing each time we altered the program, we'd have to triple our prices or stop offering custom work. Our customers don't have triple the money and so we'd lose that competitive advantage.
Maybe we've reached the point where software should stop developing quickly, where we get new features regularly etc. Maybe we should have simple software that works flawlessly. But I don't think we're ready for that.
"...whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly"
Rather than fining the people (victims?) of poorly written software and OSes, why not have a class-action suit against the corporations that make the worms & viruses possible in the first place? Most people are up in arms when the RIAA goes after the wallet of individuals who knowingly download their Evil MP3s whereas the bulk of users that get these infections just don't know any better.
Fining lusers won't give them clues, education will.
Trolling is a art,
The logistics and implications of infringements of rights, it would never happen
I'd much prefer bounties.
Stop by my site where I write about ERP systems & more
Make all the laws you want. Enforcement will always be the issue that causes less-than-satisfactory results.
Same for spam, parasiteware, etc.
oh, btw.. Almost First Post!
do() || do_not();
Great,
Just what I need, my grandma getting hit with fines because she wants email to talk to the grandkids.
yes! make the stupid people pay extra to use their computers!
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
... Mrs Granny, 82, is being fined $5000 after two young 15y old hoodlums by the names "1337" & "31331" stole her car and drove it into a shopfront.
I maintain several win and linux computers and I certainly don't have the time to lurk security mailing lists to stay ahead of every friggin' exploit.
BOO! TERRO
Rather than making my great Aunt pay if her computer gets infected with a virus...
Make the computer maker and the operating system vendor pay. They're the ones that told her she could run her own system, and who sold her overpriced, out-of-date, insecure software and hardware.
Wouldn't that be a big kick in the butt to make commercially-available Operating systems more secure!
And the worms ate into his brain.
What about foreign computers that propagate this problem?
--fetch daddy's blue fright wig, i must be handsome when i release my rage
My car has a defect that makes it cause accidents, is that my fault or the manufacturers?
Factor this in to the TCO comparisons of Windows and Linux. Companies are being hit by these worms as well.
Of course the Microsoft lobby will make sure that it never happens, and if it did then a group of virus writers would convene in a well hidden room in Redmond . . .
Mielipiteet omiani - Opinions personal, facts suspect.
Bounty hunters have all sorts of cool rights and stuff. They can break in to people's houses and kill them sometimes. That'd be awesome for computers.
does this mean that we could fine the Microsoft Corporation ... ONE... HUNDRED... BILLION DOLLARS???
muuwaahahahahahahaha!!!
My Sig Beat up your Honor Roll Sig
What he proposes is way too strict. Right now, I run through a firewall and proxy, keep my system up to date, etc. Is it my fault if someone hacks into my computer and uses it? No. I've done everything possible to make my computer secure, short of spending thousands of dollars on corporate-level firewalls, etc., or disconnecting it from the internet completely. No computer is 100% hackproof.
Right. A person who doesn't know about patching gets fined? An understaffed public library that has no-one to patch their public terminals gets fined?
And last time I checked, speeding tickets didn't stop people from speeding...
-jls
Techno-pagan
What about a penalty for Microsoft for being the reason behind the viruses in the first place? You can't fine granny for not patching her computer - it's unethical and just plain ignorant.
No sig for you. YOU GET NO SIG!
If someone's negligence allows their computer to participate in a DoS, why should they have to pay money to a 3rd party regulatory body or government?
Jason
ProrQuotes
But since nobody can still afford it, we (geeks) will end up in an internet of... the early 1980s...
/Points an laughs
Glad not to live in the US. How the fcuk do they expect to police and enforce that in Asia and the rest of the world.
I am all in favor of fining software makers, that may get them to at least beta test their work before it's shipped.
Second:
Sorry we blocked your critical data, but you can't do anything about it. I can't say that I don't give a fuck. I've just run out of fuck to give.
In order for some entity to levy a fine, there must first be some sort of law broken. As far as I know, there are no laws requiring virus protection or mandatory software/OS updates.
Are we really willing to consider allowing our computers' software, configurations, etc. to be dictated to us by the government? After all, isn't one of the selling points of "free" software having a choice in which OS/programs we use?
I don't want to be told by anybody that I must/must not download any updates to any software I choose to use (unless that particular program's EULA requires it). And I don't think I'm the only one.
William
When you're not looking, this sig is in Latin.
Punish people for a crime they didn't know they committed? This is horrible. To commit a crime, you should have to have INTENT.
The truth is, "ignorant" is a case sometimes.
Just look at the English man who lost his children because someone put a virus on his computer that downloaded porn and he was charged with looking at Child Porn. He was found innocent, but he STILL lost his kids.
According to the article, this kind of thing IS the VICTIMS fault.
Well this is certainly not a well thought out idea. Why should a consumer of the product be responsible for the product? Computers are not pets, they're an appliance. If a computer is malfunctioning, hold the manufacturer responsible! You should start with holding MS responsible for their bugs and refuse their license which allows them to be untouchable.
For the majority of enduser systems out there the user does not own the software on the system. Microsoft owns the software and has all rights to modify and control the software.
Is the enduser responsible or the actual owner of the software?
The real damage is done by Microsoft employees, these kids with purple hair who had 1.9 GPAs in college and were hired just because they're good at riddles, and their tendency to write horrible, horrible code that is incredibly insecure.
Someone once emailed me some code review and QA type data from the Web department at Microsoft (the IIS people, SQL folks, etc.) and it was absolutely horrible and a bit funny to read the kinds of simple mistakes that were being made.
It seems that Microsoft really does try to push the "innovation" envelope, but they do so at the cost of security. There are dozens of programs today with huge holes that go unpatched.
Let's hold Microsoft accountable, not the people who paid for their products (which are supposed to work).
(I don't see anyone suing Ford owners because their tires don't work properly.)
Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
Russ Cooper's Internet Penalties Plan
Written by Russ Cooper - 9/16/2003 5:18:48 PM
At the bottom of this document is a poll I'd like you to participate in indicating your agreement, or disagreement, with the information contained here-in. Please take the time to respond to the poll.
Internet Penalties Plan
I have previously made proposals regarding the use of penalties to limit malicious code on the Internet. It is important to realize that the vast majority of the volume of attacks caused by any malicious code come as a result of ignorance;
* Computers that Corporations don't realize they even have
* Home computers without anti-virus protection
* Student computers connected to high-bandwidth University networks outside of the University Network Administrator's control
* Computers owned by individuals who don't know how to complete Windows Update
* Individuals who either haven't heard that attachments are bad, or, don't believe attachments represent a risk
This idea, put simply, is to monitor the Internet for new viruses, worms, or trojans. They may be network-based or email-borne. Based on TruSecure's proven Ballistic Threat Model, these new attacks will be assessed to determine if they will represent a significant wide-spread threat. Each year there are approximately 10-20 such attacks. The attack will be profiled, and a method determined, so Internet Service Providers (ISPs) can accurately (99.99%) identify it, and given to them. From that point forward, ISPs will be expected to drop the attack traffic from their networks. When fines are levied from that point depends on the method of attack;
* If the attack exploits a missing patch or a mis-configuration, fines are levied immediately
or
* If the attack requires updated Anti-Virus definitions to stop and/or cleanse, fines begin once the majority of AV companies have released updates which include detection
Customers who will be levied any fine will be notified by email by their ISP immediately upon the first infraction, and then daily after that. Fines will be included in the customer's ISP invoice. The organization responsible for providing ISPs with the accurate identification information (possibly TruSecure Corporation, or maybe the new US-CERT) would determine the point at which fines will be imposed. The fines would be used by ISPs to support the significant efforts required to continually block identified attack traffic.
Such an effort could be implemented within the U.S. only, or more broadly if other countries choose to participate. It would require modifications to existing contracts, both between ISPs, and between ISPs and customers. If mandated by law, it would make such contract modifications easier.
A more detailed look follows;
1. A new attack occurs, be it a new email-borne virus or a new network-based worm. Security companies, and ISPs, constantly monitor for such new attacks.
2. The attack is captured by anyone and sent to the "Identification Authority", that organization responsible for determining the most accurate method to identify the attack "on the wire" with a false positive rate less than 0.001%.
3. The "Identification Authority" establishes the criteria and method to identify attacks for the nation it represents.
4. The "Identification Authority" provides the method to its nation's ISPs. Any ISP conducting business in that nation is to abide by the criteria, identification, and policies provided by that nation's "Identification Authority". Further, the receipt of this identification for a given attack represents the date and time at which fines will begin if it is a network-based attack. In the case of Slammer, this was less than 4 hours into the event, after a considerable number of hosts had already been compromised. In the case of Blaster, this was less than 5 hours into the event, at which point comparatively very few hosts had been compromised.
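As an added illustration of the ISP-side step the quoted proposal describes (this is example code, not anything from Russ Cooper's proposal or from TruSecure), the following models what an ISP would have to do once it receives an "on the wire" identification: drop every flow that matches the signature, and count as fineable only the matching traffic a customer emits after the time the signature was received, which is the point 4 cutoff. The flow records are constructed, not real ISP logs; the field names are assumptions; the signature uses the publicly known Slammer profile (a single UDP datagram to port 1434 carrying roughly 376 bytes) purely as a concrete stand-in, with the 4-hour delay taken from point 4. The notice logic follows the earlier paragraph: one notice on the first infraction, then one per day the customer keeps emitting.

```python
"""Toy model of the ISP enforcement step: drop flows matching an
Identification Authority signature and record fineable infractions per
customer, starting at the time the ISP received the signature.

All records below are constructed sample data. Field names, the customer
identifiers and the length tolerance are assumptions for illustration.
"""

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime        # time the customer emitted the datagram
    customer: str       # ISP account the source address was assigned to
    proto: str          # "udp" or "tcp"
    dst_port: int
    payload_len: int    # bytes of transport payload


@dataclass(frozen=True)
class Signature:
    name: str
    proto: str
    dst_port: int
    min_len: int
    max_len: int
    received_at: datetime   # point 4: fines begin when the ISP receives this

    def matches(self, f: Flow) -> bool:
        return (f.proto == self.proto and f.dst_port == self.dst_port
                and self.min_len <= f.payload_len <= self.max_len)


def enforce(flows, sig):
    """Return (dropped, infractions).

    Every matching flow is dropped from the network regardless of time.
    Only matches at or after sig.received_at are fineable; they are
    collected per customer so the ISP can later show the customer the
    log entries it is fining them for."""
    dropped = []
    infractions = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if not sig.matches(f):
            continue
        dropped.append(f)
        if f.ts >= sig.received_at:
            infractions.setdefault(f.customer, []).append(f.ts)
    return dropped, infractions


def notices(infractions):
    """Number of notices per customer: one on the first infraction, then
    one per further calendar day on which the customer still emits."""
    return {cust: len({t.date() for t in stamps})
            for cust, stamps in infractions.items()}


# Constructed timeline. Slammer began around 05:30 UTC on 25 Jan 2003; the
# proposal says identification arrived under four hours in, so the assumed
# cutoff is 09:30.
T0 = datetime(2003, 1, 25, 5, 30)
SLAMMER_SIG = Signature("slammer", "udp", 1434, 370, 380,
                        received_at=T0 + timedelta(hours=4))

SAMPLE_FLOWS = [
    Flow(T0 + timedelta(minutes=30), "A", "udp", 1434, 376),  # before cutoff: dropped, not fined
    Flow(T0 + timedelta(hours=4, minutes=30), "A", "udp", 1434, 376),  # fined, day 1
    Flow(T0 + timedelta(days=1, hours=4, minutes=30), "A", "udp", 1434, 376),  # fined, day 2
    Flow(T0 + timedelta(hours=4, minutes=45), "B", "udp", 53, 60),      # ordinary DNS: no match
    Flow(T0 + timedelta(hours=5, minutes=30), "B", "tcp", 1434, 376),   # wrong proto: no match
    Flow(T0 + timedelta(hours=6, minutes=30), "C", "udp", 1434, 376),   # fined, day 1
]

if __name__ == "__main__":
    dropped, infractions = enforce(SAMPLE_FLOWS, SLAMMER_SIG)
    print(f"dropped {len(dropped)} flows")
    for cust, days in notices(infractions).items():
        print(f"customer {cust}: {days} notice(s), "
              f"{len(infractions[cust])} fineable flow(s)")
```

Two things this makes visible that the proposal text glosses over. First, the ISP must keep per-customer, per-flow records with the source address binding at emission time, otherwise it cannot hand a customer the evidence the proposal promises. Second, everything hinges on the signature being narrow: here the port and protocol exclude the DNS and TCP flows, but a sloppier identification would sweep in legitimate traffic and turn the false-positive rate into fines.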
This guy needs a reality check. A majority of computer users are dumb. When they get OSes like XP, they have absolutely no idea how to secure it. The problem lies in the OS and not in the user.
a fine for slashdotting a site into oblivion?
I just see lawsuits left and right with this one. On one hand, you've got Ma and Pa Kettle who know how to turn on their computer, check their email, and play solitaire. All of a sudden they're notified they owe $2.4 billion because their computer was used to take down sixteen major corporations. Do they get to sue the ISP for not filtering? Or do they get to sue the virus programmer if they're caught? Or hell, do I get to sue them because maybe they infected me and my computer infected the corner store. Sure my fine was only $50, but maybe I'll sue them $250,000 for pain and suffering (hey, this is America, we do that). Scary...
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
I'm sorry, I'm sorry. Russ was just a little crabby yesterday when he came up with this idea.
I personally blame my parents, they smoked pot in college, and being older than me, he managed to inhale. Luckily I was raised in a less dirty-hippy fashion.
But, again, my apologies.
The included URL, for reference.
I was recently quoted in a WashingtonPost.com article saying I was in favor of fines against people who emit viruses or worms (not just originate, but infectees who perpetuate attacks.) There wasn't any meat in that article describing my proposal, so it comes off sounding kind of cold. I've had this proposal for quite some time, after being asked by a U.S. Senator staffer once to write something up to identify what's lacking in the U.S. National CyberSecurity Strategy document.
I've tried to explain it as clearly as I can, and have included a poll to take your feedback on whether you think the idea would be valuable to you. I'd appreciate it if you'd give it a read and take the poll.
I hereby acknowledge that the poll is hosted on my little T1, so you may well experience bandwidth-related fun. At least you only have to click two buttons to take the vote.
Feel free to repost this request to other lists.
Cheers,Russ - NTBugtraq Editor
I don't think insurance can (or wants to) pay fines for you.
<sig>Guvf vf abg n frperg zrffntr
if this were to happen then Microsoft could create an anti-virus company. Make money from insecure software and from the viruses.
Instead of trying to get money out of them (look at all the young pirates bitching about being sued for a few grand, they don't have money) why don't we just cut their link for a period of time, say 8 days? It's short enough that you can deal but long enough to really piss you off so you had better make sure you don't let that stuff happen.
Grasping any opportunity at all (never mind if the measure will be effective, or even if it is practical) just to squeeze some more tax dollars out of their constituents.
people aren't licensed/educated properly to use the internet. So how will they know that they have to update virus definitions and patch their systems? By e-mail notifications? When I used to work for a local ISP doing tech support, most people only checked their ISP e-mail once a month for their monthly statements, they instead had hotmail accounts for their regular e-mail. We would have to call customers non-stop to remind them to check their ISP e-mail for their bill. Now we would have to call them for their weekly virus breakout?
The key is some type of mandatory education before you can advocate fines. My grandmother doesn't know a thing about antivirus protection, she just expects it to work. My grandmother doesn't know a thing about Windows Update, because she assumes the computer is safe.
So what can I do? There are no easy answers, but I guarantee fines are the last resort since none of the other options have been tried at a large scale.
The government can't even figure out a way to keep me from getting a hundred penis enlargement spams a day, but somehow they are going to figure this out?
"Oh Come On"
would be much smarter to make the companies whose vulnerabilities allowed the trojan/worm/virus to infest the comp pay, instead of having the users do it...
if a car maker has a flaw in its engine causing it to blow up, should the car user or the car maker be forced to pay the damages?
Solid Splash design
...For smaller customers, such as a home or small company, the ISP policy might be to simply disconnect them, either for a time or permanently, their choice as specified in the customer contract...
And just how are they supposed to get the virus and patch updates? And don't just say "Oh well they can just go over to a friend's house, family member's house, or the library." And then what do they do? Put them on a floppy? That's funny. Norton virus definitions are several megs these days. Stuff isn't easy for the regular 5 hours a month computer user. Sure it'd be easy for /.ers, but we don't make up the majority of the internet subscribers.
ISP's can block the viruses too. Mail filters, port blocking, etc. This is not something that can only be prevented by the end user.
I mean the majority of attacks originate or are written outside of the US, it's just that Microsoft is based here. you gonna hold just a very small percentage of the total Internet users responsible and FINE them?? Fuck man, my IP is going to originate from Thailand from now on.
The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants.
The operating system vendors should face the music.
If the U.S. Federal government mandates automobile recall because of some faulty protection system, exceeding expected normal operation or rusted-thru "firewall", then the same should apply toward operating systems; be that may Microsoft, Linux or Unix-based.
So I can see how when a bill comes in from Nigeria to some random department's web server at a university in Myanmar that the threat of fine will have a profound impact, NOT!
The penalty that is understood is loss of network service.
Successively, pestilent host owners should be notified and given a decent interval to fix their problem.
If not, then the ISP is notified and given a decent interval to get the owner to clean up his act or to disconnect service.
Likewise, up the chain, to the largest ISPs, who would have to agree to knock down major service if the client didn't play the game.
Distributed problem fixing at its finest.
"Provided by the management for your protection."
Folks, the USA is a socialist country. The government needs more of your wealth to implement vast domestic and global welfare programs. It needs money to properly arm the police with the latest military equipment to make sure that the populace is obedient and to confiscate any guns they might have. It's time for you people to grow up and become adults. You're here to serve the state, not the other way around. If you don't support our great socialist government then you're un-American... besides, we can't kill the gun toting right wingers without money. Support these fines.
will have to change the way they do business. They'll need to hire a lot of lawyers.
-- No sig for you!
To computer and network insurance.
Take computers used, software used, servers used, general topo of network, speed of pipes (together) and competency of admin. The conglomeration is the "Computer and Network Insurance (CANI)".
I wonder how much would be charged for a competent unix admin, on a heavily firewalled subnet of mac and windows (separated, of course) boxen, with Linux servers, and a T-3. --- Probably not as much as Winders with MCSE.
My brother had a cold last week. I have a cold this week that I got from him. Can I sue him?
If they can fine people who don't know their kids are downloading music. Sure lets fine virus spreaders. But how?
Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly...
...
- Russ Cooper is editor at NTBugTraq
- NTBugTraq is a division of TruSecure Corporation
- Russ Cooper is chief scientist at TruSecure Corporation
- TruSecure Corporation sells security solutions and services.
In other news, the Haagen Das corporation is pushing a proposal to hasten global warming
Another fine impartial article brought to you by Slashdot.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Is this one of those things where the government tells us not to do it, but deep down they really WANT us to do it and KNOW we will do it anyway? Like $peeding?
Why should joe user, have to pay for the latest RPC hole?
I have to say although the article lost me from about the first line I loved this :
We aren't trying to penalize everyone for not being up-to-date or security savvy, but the level of attacks which continue to occur daily after any en-masse attack is enormous.
Uhhh yes you are...
Correct me if I'm wrong, but aren't fines a 'penalty'? Sorry, but flat out this is elitism. These people don't get how great the knowledge gap is from the average user, to anyone who might know what bugtraq is...
Think about it for 1 clock cycle.
Simply make the fine a percentage of the amount of revenue made on that product. That should put the onus back on the software company that leashed the security horror that is out there. Meanwhile, free software is protected.
Another dumb idea... License the user
Both ideas have some dumb, expensive slow-moving govt body out there... WRONG.
People continue to smoke (in the USA) even though it is heavily taxed, not to mention bad for your health (if you are genetically susceptible...), disgusting, and stinky.
I skimmed the article earlier today and I didn't see it address the education aspect of the problem. If the corporate and education networks are vulnerable, how can you expect joe schmoe to know what to do in a timely fashion? Windows XP and Red Hat have auto update options, but there is a certain level of trust (or ignorance) you need to implement their services.
So, if end users get fined, they will probably opt out of the service altogether by the 2nd or 3rd fine, depriving ISPs of future revenue. Also, it sounded to me like it would be in ISPs best interest to propagate internet viruses, worms, etc. because they would get a portion of the fine.
"The area of penetration will no doubt be sensitive." ~ Spock
I really hope that Russ's computer doesn't get Owned or someone spoofs his IP addresses, or something else that rings up fines on him without his doing.
Unless he can provide an answer to someone that will make them 100% compliant and immune then his idea is as idiotic as the others.
Fines for proven abusers? Yeah, I'll take that.
fine the little guy being abused? nope.
Fine ISPs, corporations, and known asshats.
Do not look at laser with remaining good eye.
The user has made the choice to run Windows and to put the computer on the Internet, despite Microsoft's well-publicized vulnerabilities. At some point, accountability for the establishment of an "attractive nuisance" should kick in.
Of course, if Microsoft were to indemnify its users against these fines, perhaps under the condition that the user maintain a reasonably well-patched system, it would be a real selling point vs. Linux, where you're essentially on your own.
"Skill shows through where genius wears thin." -Wittgenstein || Religion: uniting aviation and architecture.
To Whom It May Concern,
If you are willing to personally verify that each person with a computer is aware of the threat, your plan sounds fine. By 'verify' I mean contact through some means other than via computer and receive a response from said user. Essentially, one would have to telephone each computer user in order to do this.
Without such explicit notice, users would not necessarily know that their computer could be committing a 'crime'. In fact, as the populace becomes more computer literate and the number of virus/worm writers grows, we will probably see viruses/worms written with an even greater frequency than we do now; perhaps a new one each day? Ahh, you could then call everyone with a computer at least once per day.
As people begin to write adaptive/evolutionary viruses/worms, we'll probably see the number and severity of attacks increase rapidly; perhaps we'll get to the point where there are several new viruses/worms per day. Then you could just autodial everyone a few times a day - maybe even a few times per dinner! Fantastic!
In effect, your plan fines people for being ignorant, but has no safeguards or surefire methods to ensure that users will become less ignorant. There are a variety of outcomes (fewer computer users, users incurring greater and greater fines, etc.) none of which are good for the average consumer. All your plan does is provide help to the big businesses (both software providers [MSFT, etc.] and software users).
I cannot imagine any plausible situation that would cause me to support your plan.
Actually, I've felt that dumb operators of computers should be treated just like dumb operators of motor vehicles. Give'm a ticket when their tail lights are out.
This would open up a whole new realm for "Microsoft Haters" but perhaps it would result in Microsoft's patches having a much faster response time as well. But imagine being fined even $5 for your software being unpatched or something...
There are thousands of other problems that could result. Microsoft would cheer this thing even though it'd give them a huge black-eye. Why? It'd give them the chance to put out patches that contain ALL KINDS of "extras" that users don't want. Remember the SP that also updated the EULA? How about DRM updates that nobody wants?
Still, I feel it is the responsibility of the computer operator ENTRUSTED to run on the public internet not to cause damage to that internet or to the other peers of that internet...either knowingly or unknowingly.
Hrm... spammers do damage to the internet too... people who market things VIA spammers should be considered instigators of said damages. This is a really fun idea.
I vote yes.
Say some Windows machines are attacking MY non-MS machine due to a flaw in Microsoft's security model. A flaw that they KNEW existed and wasn't patched correctly... shouldn't Microsoft be liable for any damage I incur to my business?
After all, I am NOT their customer. I didn't sign any EULA with them. It is, as indicated in the parent post, Microsoft's software, not the licensee. But if numerous Windows-based machines are DOSing me or spamming me because of a flaw inherent in MS's operating system, why wouldn't Microsoft be negligent in allowing harm to come to the Internet in general, and me in particular?
Why not charge the company who wrote the bad software instead of the end user? The end user is paying for a service from the company, so it isn't the end user's fault because the company is writing swiss cheese software. I'm just waiting for some class action lawsuits against certain companies who write software that can be exploited by any douchebag with an internet connection
On what grounds should I be forced to pay an antivirus vendor fees, again, to protect myself from the incompetence of M$ programmers?
The reasonable thing would be to fine the author of the software that allowed the viral spread, if no patch is issued within a reasonable time period.
Does everything include nothing?
...needs to do more Coopering and Less Whining
Well, where I work this is exactly what we do. Email the offending party, if they do not reply and remedy the situation they are shut off. This is usually as far as it has to go...as people all of a sudden seem to actually care when they find that their internet access is disconnected but seem to care very little if they are screwing up other peoples computers.
"The strong will do what they want, the weak will do what they must."
-Thucydides
I've also pondered whether this would be a valid approach or not. Virus stories in the media tend to portray the people who are actually spreading the viruses as innocent victims, with only the original author being the "bad guy". But the "bad guy" wouldn't have been able to do any damage unless people opened virus attachments, ran unpatched systems, and other no-no's.
Also, this type of approach is not unprecedented... if I fail to maintain my car and it spews pollution into the air, the fines are potentially quite hefty. How is an unmaintained computer spewing pollution onto the Internet that different?
In the end though, I don't think such a thing will happen anytime soon. People would much rather think of themselves as victims when viruses go around than acknowledge they are contributing to the problem through irresponsibility. Also, enforcement is problematic at best. Finally, with many people afraid of technology already, the potential for running afoul of the law through their lack of knowledge would create a major backlash.
This will discriminate against users that aren't engineers...
Most people just want to do their email and surf a bit on the web...
I am more for a penalty system where the ones that sold buggy software should pay for their bad doings, this will make them very fast trying better...
btw, why always have innocent (maybe not very smart but still innocent) people pay for the crap that a few are sending...
2 parties are guilty here, these are the ones putting all these worms and stuff on here and the ones that create the environment where this can happen.
"You have been fined 5 credits for having a filthy PC"
People should be held accountable for their computers. Just because they didn't write the worm, doesn't mean they're not at fault. It's time that people started taking responsibility with their computers, and actually.. o i don't know... learning how to secure them? And someone mentioned something about kicking 90% of Internet users offline. I don't think the ignorance rate is THAT high, but I still say good riddance. (Yes I'm a bitter asshole, thank you.)
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
What a great source of government revenue! Let's charge people who knowingly or unknowingly pass on colds, flus, herpes, AIDS, gonorrhea, typhoid, ...
I mean, maybe this means I can sue my sister for giving me the flu? Honestly! When a company just had the crap beat out of their IT division and they've already lost a lot of money, do they really need a fine? And what happens when it hits government offices? Blaster took down a train system in Pennsylvania.
I propose fines for people who fund, operate, post on, frequent, or utilize web sites or services that are knowingly or unknowingly hosted on servers that suffer the /. effect!
From the article "ISPs will be expected to drop the attack traffic from their networks".
I'm guessing that ISPs will end up just disconnecting the entire network connection for the afflicted system, which of course will make it impossible to update the patch or virus definition.
Thus, the endgame is that there will be no network left.
how a person who is considered knowledgeable about computers and the internet can come up with such an ignorant idea as this.
How the fcuk do they expect to ....
While I find this perfume intriguing, I didn't realize it was already so popular as to be invoked as a profanity. Is it some kind of god where you live?
It's not the users' fault. Kids with nothing but time and money cause these attacks. THEY are the criminals. Lock 'em up and throw away the key. This has got to be one of the stupidest ideas coming out of gov't in a long time, and we all know how many stupid ideas come from the gov't. Start doing this, and the Net very quickly becomes a gov't controlled entity, making the "Digital Divide" absolutely huge. And it's not necessarily the software makers' fault. They may have genuinely missed it through no fault of their own. It may not be negligence at all. Besides, suing the companies would instantly put every Linux distribution out of business, since most of them are just barely hanging on as is.
Who would determine what's fineable or not? The 'Identification Authority' panel of industry experts? Anti-Virus experts? The same ones who make money selling software to prevent viruses/worms? Sounds like a good scheme to sell more antivirus software. More good ole' scare-tactics from the antivirus folks; 'Buy our product or you could be fined'. The determination of a 'fineable' event strikes me as very subjective! What's next, mandatory antivirus software? Wouldn't the antivirus companies love that!
Continue catching and jailing the people who create these viruses, that's the best method.
-- Greg
Slashdot, would a spell-checker for posting be too much to ask? It's not rocket science!
unknowingly? that makes no sense what so ever! why should you have to pay a fine because someone else has screwed up (namely Microsoft)?!
This comment does not represent the views or opinions of the user.
How would you propose a refund for those running a free copy of debian that was rooted this morning?
Vacation? I don't leave my win2k box on when I go to WORK, lest a new exploit surface before I get home :-)
Please help metamoderate.
Fines aren't the way to go. People still drive over the speed limit, right?
How about offering a discount to account holders whose computers didn't spread viruses. This creates a nice incentive to patch and secure your system, and the ISP wins out with lower telecom bills, not having to upgrade their stuff just to handle all the traffic created by viruses, etc.
Maybe a buck or 2 off your monthly charge for dialup, or $5 off for highspeed.
Wouldn't it be better to give the government an incentive to help solve the problem rather than give them an incentive to get some obscure, amoral, and deeply secret government department to release new and more virulent attacks so as to up their income?
Sure, they probably wouldn't, officially; but why take the risk that some individual in the government would be in a position to benefit from this kind of thing?
These kinds of theoretical problems always sound impossible, but I'm nearly always surprised to find out how often they really do crop up in practice.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
Let's say Joe Consumer is interested in a computer - he goes down to MicroCompuCenterUSA and buys a spanking new Windows XP-based machine, plugs in the cable modem, turns it on.
*WHAMMO*
He's infected before he even gets a chance to get the latest updates, assuming he even knows that's something he's supposed to do.
My sister-in-law went through this exact scenario just recently. She got nailed by Blaster within a few minutes of powering up the machine for the first time. She has no idea what a firewall is, and would certainly wonder why she would need one with a brand-new computer.
This proposal is a little like buying a new car and having the wheels fall off as you drive off the lot, then being fined for causing an accident.
Some guy breaks into my house, steals my kitchen knives, uses them to serially murder dozens of other people, and *I* get penalized?
I don't have the tongue to answer that level of idiocy....
I see no mention of any punishment for the programmer who writes the virus. Does everyone here think that those bastards are doing a public service or something? Here's an idea: what we need is to rethink the priorities - let's punish all the innocent people for unwittingly being accomplices and let the actual criminals off scot-free! After all, they're only targeting Windows machines and not Linux, so who cares? It's not like these idiots are too busy to keep their machines updated, what with work, family, etc.
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
Boss: I thought I told you to put that RPC patch on all our clients' servers.
Me: I did.
Boss: How come these guys have Blaster then?
Me: I dunno.
Now imagine having that conversation starting out with:
Boss: One of our clients is being fined for worm traffic...
As much as I realize that people failing to update is one of the largest enablers of these worms, I know it is possible to do everything you are supposed to and still get nailed. Firewalled (externally) and patched but I'm still cleaning it up. I don't think I deserve a fine for that.
He is opening up the debate.
Are people being reckless by not installing the latest patches? Would a fine make them more likely to keep up to date? Personally, I think the answers are "No", and "no", but some other people come up with interesting alternative ideas.
What DOES need to happen is for the more "grey" forms of cracking to be eliminated..i.e. Gator and such. Programs that install without user intervention and don't leave an entry in add/remove programs are viruses...same thing. Also, ISPs need to be able to handle updating users on their own...this would allow them to require/force patches before you ever get access to the internet. AOL [yes, a really bad /. example] already does this for its own software, they should be able to do it for the major OS too! Most people would consider it a feature. Heck AOL is already pimping virus checking for emails, port blocking, ad blocking, etc because it's too much of a problem.
The problem is that most ISPs are "common carriers" and only provide connections... and fear to lose that status [think *IAA] if they start being able to block viruses or update systems. Then they could get forced into the censorship business and NOBODY wants that!
How about fining MS instead of innocent users?
Don't Tread on OpenSource
If they are compulsory, then whichever companies make the approved scanners have a license to print money, right? I can see it now:
McCrafty Scanpro 2004, $399 for a 1 year subscription, or $39.99 a month.
Or you can go with Ed Norton Antivirus Live SuperCop mark VI - the Revenge for $399 for a 1 year subscription.
You need to buy one of them, which one is it? What's that you say? These cost more than your OS and you can't afford it? Sucks to be you... Maybe you should go back to BBSs then.
If the government mandates a software you must use under penalty of law, they should also provide an avenue for all users to acquire it.
who write the viruses and the worms in the first place, they're the ones who are responsible for any damage done.
"Russ...is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly... Russ is taking a poll on his site."
No doubt he'll change his mind when his site gets assimilated by the next big worm.
My life is one big siesta in which I'm dreaming I wished my life was one big siesta.
expansion of governmental surveillance to me.
Yummy, where do I sign up?
KFG
Complain about spam and worms.
Yet support file sharing.
Allowed to take someone else's files.
Bitch when someone else takes the bandwidth.
Hey, everything's unlimited, right? Sure thing.
Business isn't willing to pay for products, innovation and careers, so we get brands, mortgage commercials and layoffs.
90% of the people who sign/agree to this are the same ignorant people who NEVER update windows, don't have an antivirus software, and think that because they don't look at porn it "can't happen to them"...
Ave Molech Setting
This scheme appears to be unenforceable. Once again, the assumption is made that the entire internet exists within the legal boundaries of the US. A better scheme would be to warn computer owners of a dangerous condition, and then if it is not fixed in a reasonable amount of time (e.g. 48 hours) then simply blacklist them; e.g. "well-behaved" routers would simply reject any packets from them. Of course, then they would still be free to propagate worms on their local subnet, but other users of their subnet are probably in a much better position to thwack them over the head with a clue-by-four than the government of a foreign country...
"Freedom means freedom for everybody" -- Dick Cheney
Yeah, so if your company network/servers get hit by a worm and you need the internet for your business, you must effectively close your shop for 8 days. The economical impact of the forced shutdown could very well be bigger than the damage done by the worm itself, resulting in a solution which is worse than the problem.
Is this guy kidding? How about fining the freakin' company whose software has caused most of this mess we're in. Look if they want to pass laws let them make the manufacturers stand up for their product first. This has got to be the single most stupid thing I've heard.
Hey I know let's fine the people who keep driving on recalled Firestone tires but not Firestone, no we wouldn't want a corporation to actually have to pay for their mistake. That's it, that will fix the problem.
Sure information wants to be free, but how much are you willing to pay for the packaging?
Sooner or later if the costs of a software product outweigh the benefits, the market will marginalize it. I don't see a more effective, permanent, or viable option than this.
Oh i see, now were shifting blame and responsibility from the people that make the software to the people that use it. [sarcasm]That makes perfect sense.[/sarcasm]
75% of all statistics are made up!
fining the software manufacturer for allowing the exploit/hole/security problem? Bet a lot of software companies would make a LOT more rock solid apps/os's...
Ave Molech Setting
There's no need to read it.
Any attempt to hold individual (ignorant) users liable for allowing their machines to propagate viruses, worms, spam will be a complete waste of government money, and it won't cause people to behave any differently.
.sigs are for post^Hers.
Conceivably we could fine sites running exploitable servers for which patches exist, and say, have existed for two weeks or more.
However, this still seems incorrect. Then, what could we do with users, for whatever reason, running servers on now unsupported OSes? Clearly these people, if anyone, ought to be fined, but by these criteria they will not be.
Also, we can not correct this situation by requiring that all public servers be supported OSes, and then define what level of attention and testing constitutes "supported". This could be a nightmare for Open Source OSes and servers.
Just think, how much do you foresee the government charging to get an OS on its list of "approved" supported OSes? Or how much will they charge for a software producer to renew his or her "certification" that the OS produced is "supported"?
At the very best, we could fine sites exhibiting "gross negligence" in their system administration. The idea that, "any reasonable system administrator would have corrected or foreseen this problem".
It seems to me that something like this would be workable.
It would catch sites running open relays, not due to bugs, but due to improper configuration.
It would catch sites running exploitable servers for which a patch or solution has been made prominently available through the particular distributor's "standard means of issuing alerts or updates".
But what about home users?
.sig Realistic fines for copyright in
I'd have to go back to calling brokers on the phone, and writing checks, licking stamps, and sending things through the mail. I'd have to sign up at the library if there was something that I had to get from the 'net. That's assuming the library can stand the liability. If they can't, I'd probably be limited to the library's proprietary DBs on their local LAN.
In other words, if you want to kill the 'net, just turn my PC into a slot machine that has unlimited negative payout odds.
This sounds like another example of "letting the terrorists win". It would turn the 'net into a "fascist police state".
Oh... unless there is an OS that is guaranteed secure through every revision, which we all know there can't be.
Now, if they capped the fine it might be reasonable. What would I do? Buy expensive AV software? No. I'd buy insurance against the fine and continue to exercise good practices (e.g., not using OE for mail, not downloading crap software that runs in my taskbar, etc.) Does anybody sell "virus" insurance?
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Those who are damaged by the virus/worm will be fined, too.
Because if the virus uses their computer to propagate, it's their fault.
If you follow this chain of thought, then writing worms can't be a crime, because it's all the fault of the people whose systems were infected...
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
Okay, the Slashdot crowd is probably quite a bit more tech-savvy than our old pal Bubba, clicking away at every link that arrives in his inbox and updating his software only when he buys a new machine with it.
But I'm not sure penalizing Bubba is the right answer. Maybe Bubba is ignorant; on the other hand, he might have a legitimate mental handicap. How much responsibility should someone with Alzheimer's disease or a learning disability carry? What about someone who's simply too old or too young to grasp security issues? Where should the line be drawn, and how could we charge according to ability? And how much would it cost to administer such a program?
> Thus, the endgame is that there will be no network left.
Judging from my spam logs, if you're talking about 200.0.0.0/8 or attbi.com, rr.com, cox.com, and videotron.ca, then GOOD RIDDANCE!
the mode of connection that provides access to things like browser plugins and propagation of viruses and worms....
As a fair counter balance it means the public in general must now be informed about this third user interface (shell and GUI are the first two) and provided easy and sensible usable access to it as well as being able to open or close such ports as IPC uses.
the three User Interfaces
From Cooper's page about this:
There must be a strong smell of pork wafting out of the DHS, as first Symantec and now TruSecure try to outdo each other's arslikhan.
My next sig will be ready soon, but subscribers can beat the rush
Well, this article lends credence to the claim that we geeks are really good at making things complicated. This thing sounds like it was cooked up by the Louisiana Legislature during Mardi Gras.
computerlady - a brand new Slash-daughter - alone, but no longer invisible, in the
Let's punish rape victims for getting raped. After all, they were asking for it! They should have known better than to wear such provocative clothing.
This suggestion is badly flawed at multiple levels.
First and foremost, Russ Cooper is suggesting that ISPs should be fined if they fail to block attacks that propagate across their networks. This proposal violates the basic end-to-end architectural principles on which the Internet was founded. Intelligence should be localized at the end node, supported by a "stupid" network infrastructure whose function is restricted to routing packets from point to point. "Smart" networks don't scale and they cost enormous amounts of money. Most individuals who are pushing these models are more concerned with supporting a business model rather than a viable technology. Consider what is necessary for Cooper's suggestion to work: Each ISP needs to preserve state on all the TCP connections emanating from a host to ensure that the host is not starting some kind of attack.
It might be possible to create a similar model assigning all liability to the computer owner: Joe Smith's decision to run an insecure system presents a potential threat to some class of computer users. Hence, this action could be considered to be actionable. Here once again, we have a logical fallacy: Suppose that Joe's computer is vulnerable to the XYZ worm. Joe's computer is compromised and used to launch the XYZ worm at other PCs on the Internet. However, the major group of people that are put at risk by Joe's vulnerability is the set of users who share this same vulnerability. In short, the class action lawsuit would be directed against the plaintiffs.
It is certainly possible to argue that compromised systems can be used to inconvenience Internet users in other ways. Case 1: A PC could be used as a Zombie in a distributed denial of service attack. Case 2: A PC could be used as a part of a SPAM generation network. Here, the "cost" of the attack is proportional to the amount of traffic being generated by the host. In theory, if you want to establish a linkage between fines and the cost of a system being compromised, the fine should be proportional to the amount of traffic being generated. I would argue that this would be better accomplished through a tariffing system in which monthly access charges were proportional to traffic volume.
Ultimately, Cooper's proposal would require some kind of licensing system for operating systems. This is an incredibly ugly thought.
That's silly to hold somebody responsible for something over which they don't have any control. :)
This kind of 'l33t' stupid guy should be sent in a prison the next time they don't foresee the next big exploit, just for the example
It would create a good marketing campaign for Apple.
First, we have to assume that the penalties involved will be relatively minor. Not catching a virus on your computer shouldn't put the average customer in the poorhouse. They should see a small jump in their bill and if they fail to react, have their service cut off.
Interestingly though, should this measure work and viruses be largely contained, all the investment the ISPs put forward will not be repaid by fines. Instead, the savings would have to come from them needing less bandwidth to accommodate attacks.
This also doesn't pose massive costs to the customer. Using ZoneAlarm and Mozilla's Email browser would cut their exposure to these risks dramatically and both are free.
I am curious about some things though. One incident I encountered at work saw somebody hitting us with a spoofed ip address. Our rejection responses (it turns out) were being used as part of a DDOS attack. We reacted to the matter once we realized what was going on 10 hours later. Should we have been liable for the time in between?
Vacation? I don't leave my win2k box on when I go to WORK, lest a new exploit surface before I get home :-)
:)
On? I don't own a Win2k machine. All mine are Linux.
Serious? Seriousness is well above my pay grade.
I'd just like the fools who criticized this post to eat some crow now. Sit down, and dig in. There's plenty to be had. I knew that this was a politically motivated exercise. Schneier and Russ Cooper - both either completely lacking in acumen or are scum bags. Making the innocent user pay for the failure of the IT professional, instead of stepping up and assuming our responsibility for this.
Where is this revenue going to go? To line the tax coffers, not to fix computer security. If you believe the latter, then I have a bridge to sell you.
This is the most disheartening news I have seen in months. It makes the SCO abortion look like a vacation.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
If this does pass (which I sincerely hope it doesn't), what's to stop the guy who collects the fines from writing a virus, snail-mailing it to his buddy in Finland for distribution so his computer isn't picked up by the "scanning software" over in the US and then kicking back to watch the money come in? What is the money going to be used for anyway? I doubt that it would be put to any sort of use in preventing further fines or attacks.
I propose fines for Microsoft, whose Windows-running computers allow the propagation of viruses, worms, etc., knowingly or unknowingly.
Fnie the bsadtras at Mifcorost!
From excellent karma to terrible karma with a single +5 funny post...
It seems to me like there are two kinds of problem. There are those problems that arise because of software bugs or security flaws. Things like Outlook viruses that execute when you download them without even opening the mail, or IE exploits. In those cases, the software manufacturer is most responsible. Sure, eventually anti-virus software will catch up, but until then you can't blame people for reading their email.
The other type is the kind that relies on stupidity. Computers are complex tools. If someone crashed a car because they couldn't drive, they would be at fault. Similarly, if a computer starts causing problems for other people because some moron clicked on the "britney spears game.exe" they got as an attachment, they should be held responsible. Of course, it's hard to track these people down and collect.
MoJo
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
For the love of... I think the last paragraph of this article contains the most telling statement: "...make every effort to assist in bringing about a change in the way the Internet is managed..."
The first point is that the Internet is NOT managed, at least in the sense I believe Russ is advocating it should be. Not to go all scary-conservative here, but this is just like the discussion over banning guns -- if you get rid of all the handguns in people's closets, then only the criminals will have them. If you legislate enforceable fines for doing, effectively, nothing, then you force out the majority of people who are scared of incurring any liability, and put a powerful weapon in the hands of those who would cause trouble.
Example:
Gee, I don't like Bob. Bob gets his connection through UUNet. His Windows IIS has never been patched, so next time he goes on vacation I'm going to write a worm that exploits MS00-078. Now, I'm going to turn him in to the "Identification Authority" and hope that while he's gone, he racks up enormous fines. Meanwhile, UUNet has to block port 80 for, effectively, every customer on its network if my worm has managed to infect even one other vulnerable machine.
Suddenly, script kiddies have the ability to embargo the entire net by taking advantage of bugs that happen to listen on well-known ports. I would point out today's earlier Slashdot article. Should all of our ISPs be blocking SSH traffic now?
You can't legislate against stupidity. Nor can you make perfect software. Nor can you expect to fine neophytes into becoming security experts. Even trying would simply place incredible power in the hands of the software vendors, and then huge segments of the computing world become subject to destruction from one malformed "patch", or even worse, when someone finds a way to exploit the update mechanisms.
This is the worst possible sort of power transference. Because people can not, will not, or in some cases _should_ not independently deal with their own technology issues, you empower central entities with an enormous amount of control over individual users. Novice users will relinquish that control, or be forced to pay some ridiculous sum of money in fines. In the end, chances are you end up with even worse problems than you started with.
Notice: Your mouse has been moved. Windows will now restart so this change can take effect.
Forget this "You must stay up to date or be fined" lark. If we could just have a reasonable way of getting it back to a user that their system is compromised, that would be great! Systems I administrate get hundreds (literally) of attacks per month against them, almost all of them from Windows boxes infected with some worm.
If there was somewhere I could put in the IP addresses, and if there were enough complaints against a specific IP, they would investigate, that would be great. Give the organisation some actual power to disconnect users that are shown to be causing problems, until they get themselves patched, and we're sorted!
Thoughts anyone?
There seem to be two problems with his idea.
1. This would force the regulation of the Internet, ISPs would become responsible for their content instead of common carriers, the govt would get larger and more red-tapey. And this is just the US. How would you propose this should work for other countries?
2. You're fining people for getting sick essentially. You don't imprison people who catch colds or the flu, do you? If someone willfully tries to get others sick, then they're guilty of assault and existing laws can handle that.
3. Russ Cooper is a doody head.
w00t w00t w00t!
Grandma: "What is this fine in the mail? What is a firewall? Why am I being fined? Is it the gremlins in my computer again?"
Not to mention underfunded organizations like Libraries and schools that may not be completely up to speed. This is a stupid idea. I put this up on the shelf with that idea to destroy people's computers for "piracy".
I find it amazing that people are so amazed that no one patches their computers. Think of your grandparents. What do they know about firewalls and TCP/IP and man-in-the-middle attacks? My mother has a VAGUE understanding of updating software and that it's important, but she doesn't know why. If you don't know why you are doing something, it's hard to continue doing it; and they are bound to miss something important along the way.
Someone had a good idea on another thread. ISPs should be the firewall for the little guy, and if you are in the know, you just opt-out. I work for SBC tech support. They decided to block port 135 due to all the MSBlast+derivatives activity. I think it's only temporary, but it is a good solution. No one really has any reason to be using port 135 over the net anyway. Locally, yes, internet no. You should be using a VPN if it is that important to you.
-- Having a Creationist Museum is like having an Atheist place of worship
Jeez...you're just ASKING for it. You actually even turn it on?!
In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
It's nice how the plan shields all the corporate entities (and governments for that matter) from liability. Like there hasn't been enough abuse done by corporate America even with the threat of lawsuits from consumer groups. Look at HMO's shield law and how that's used by greedy corporations to keep profits up. If they identify your system incorrectly and fine you, you should be able to take them to small claims court and get more than your money back. Maybe I'm the only one that's had to argue with a call center operator in India about why my deactivated phone could not possibly have made a call and I shouldn't be held responsible for $9.48... and spent 2 hours arguing about it. Not to mention that someone has already been hurt once by the virus writer, now the government is coming to pile on and make sure the person is sorry about letting themselves be victimized. Also, how are you going to fix your system if the ISP knocks you off the net? Somebody from the ISP going to go to everyone's computer to verify its patch load the way some Corp. IT staff have to?
Save a life, sign your organ donor card.
What a great idea! Russ Cooper's plan would remove the majority of non-geek users, such as myself, who constitute a large portion of Internet users leaving more bandwidth for y'all.
and I've got to say, "Dumb idea Russ." You're not even an American. Don't fuck up our country because one of our dumbass DC residents asks you to.
"We aren't trying to penalize everyone for not being up-to-date or security savvy, but the level of attacks which continue to occur daily after any en-masse attack is enormous. It represents a significant lack of awareness by a very large segment of the public, be they individuals or corporations. Financial incentives have proven effective in increasing public awareness for a very long time. Applying them here is simply a logical extension of our social environment."
Why should grandma foot the bill for the poor software engineering practices of the software industry? Why not fine companies who distribute programs that are susceptible to these security breaches? Perhaps it is the "release first, patch later" philosophy of many closed/open source applications currently in distribution. What about your 14-year-old first-time Windows/Linux/Mac user who can't afford virus software (or, perhaps, is ignorant of such software/risks)? Do you fine the (potentially technically naive) guardian of the 14-year old? While one could argue that the guardian should be aware of the actions of the child, if the child is an innocent internet user (i.e., no porn/warez, etc...), what signs would tip off the guardian? Should the guardian/child be expected to enroll in classes to learn about security risks? While a creative idea, I only see this as punishing the innocent for the crimes of the negligent.
who makes the software. It's their fault that the exploit is there. So what if the exploit was patched, you should send an email to every user telling them about the exploit and what could happen if you don't apply this patch. I'm sure someone like Microsoft which is known for lackluster security could have the resources to do this.
Viruses are running wild so this jerk's answer is to fine the victims!
The race isn't always to the swift... but that's the way to bet!
OK, this is off the cuff so probably got a few 'rough edges'.
X = Yearly cost of internet worms and other infectious software to (for instance) UK
Y = Cost of purchasing a virus scanner company & maintaining the database for 10 years. This could be reduced by encouraging community maintenance.
If X >= Y then I propose the government buyout a virus scanner company, open source the product, provide a sourceforge-like page to attract a few geeks, perhaps funds for a full-time developer or two & giveaway the whole lot.
Benefits:
- A Government Approved free virus scanner far more likely to be installed and used by users
- An open source Free virus scanner for those that shun 'Government Approved', ie mind-rays-removed
- Reduced outages due to worms and email viruses, ie less hassle, lower TCO
Issues
- If too successful this would create a monoculture, although FLOSS approaches and its inevitable cross platform nature might mitigate
- Government sponsored anti-competitive monopolistic practices (if you're in the AV business)
- You still need to persuade people to install and keep the software up to date.
Thoughts? Comments?
Regards
Alex
If I read the article right there is supposed to be some type of system that identifies the attack, validates who the attacker/offending user is, and notifies them via email that they've been fined. With all this effort going in to tracking and such, why don't they just block the attacks? Blaster could have been slowed if the appropriate ports were blocked at an ISP level. SoBig could have been blocked by mail servers (either looking for a specific file size or blocking certain subjects). If we have enough technology to find these problems, why don't we block them?
Also, what happens when an ISP feels they don't like file sharing? Would users be fined for having certain file sharing ports opened on their PCs?
At the university, we just kick them off of the network... works pretty well.
====
Crudely Drawn Games
now all the paranoid people within two miles of me will ask me to fix their computers every week to avoid getting busted.
-Tim Louden
Yeah, penalize the end user and let the author of faulty code go unscathed? People already do pretty well keeping AV software up to date. Most of the problems we see are from newer viruses, and I mean large scale. The two most recent are a result of vulnerabilities. But hey, let's go after the end user. It's been working in the drug war for years and it's already being adopted by the RIAA so it's gotta work! JAV
George Bush's illegitimate son or something? Maybe they sent the less evil twin away?
This crowd has an element that admires malware propagators, and the rest at least respect their 'genius'. They shouldn't be prosecuted or persecuted, but their victims should. What a great idea. You just helped widen the chasm with your arrogant bullshit, Mr Cooper.
The way it's described here just makes it far too complex to manage. Any savings made by this might not look too good if the expenses are higher. I can just smell the amount of useless lawsuits this would raise.
Now, I don't want to blame the writer completely. Somebody had to take the first step and I do feel that people should have responsibilities. However, I'd start this with warnings instead of fines. Some strict way to report that the user is causing harm to the network and, if that continues, the user's agreement with the ISP can be discontinued.
I don't know the case currently - can an ISP get sued for disconnecting a user who's flooding with viruses and worms? If so, I believe that's a good place to start, let the ISP's react to problems. If a user just won't react to some reports, then it's byebye.
No, this isn't problem-free either, but whatever the solution is, it should be taken step by step and using encouragement instead of fear as the main tool. Tax reductions for purchasing antivirus software? Free instruction videos for using Windows Update? Firewalls for consumer internet connections that are set to strict levels by default (some ISPs do that here, works great).
Yes! Let us fine people who have their computer taken over by a virus. Also let's fine people who have their car stolen and used in a crime. Also people who have their identity stolen and used for illegal immigrants. Don't these people know enough to not park in dangerous areas and not to give out their social security number.
We should blame and punish the victim, they are so much more fun to attack than the people actually writing/releasing viruses.
Besides the car, I have to get a driver's license and I have to renew it from time to time. If I get too many penalty points or if I am noticed in a one-time serious traffic violation my driving license can be suspended.
Same thing should be for computers (AND networks) at the moment of connecting them to an ISP:
- each computer (or a whole network) must have a license to be connected to the Internet;
- periodically (as often as it's appropriate) safety and environmental checks must be taken care of:
- the computer must be protected in terms of ports opened and mail filters installed;
- the nightly cron procedure must do the check and alert the ISP if anything wrong is found;
- from time to time (weekly or so) the ISP must scan clients from outside;
Besides my computer, my Internet and PC end-user skills must be licensed: if I don't know how to update my OS or to install a security patch on it then I cannot be licensed;
if my PC is noticed as a source of viruses/attacks and it's proven it's been cracked/infected then I've got my penalty points and have to pay a small fine (below a hundred $);
if I am noticed as distributing viruses knowingly or hacking myself then my license should be suspended - I have to take the end-user class again, renew my license and pay a big fine (thousands of $); IMHO it will improve overall Internet safety (imagine how many fewer open ports and unpatched computers there will be) and accelerate the whole national economy (imagine how many "mechanics garage" companies will raise their revenue!). It will open many new IT jobs and improve existing ones (now my boss cannot tell me "I don't believe someone may crack us - we don't have any useful information"). By the end of the day companies will actually save money as they spend too much now to fight for security in such an insecure world.
Also it will improve the competition on the market as people will prefer a more secure OS to be installed on their PCs. Oops, Bill Gates may hate it and lobby against it. But I still love the idea.
Less is more !
A gang of thugs has been plaguing the city as of late, breaking into houses and stealing millions of dollars worth of property. The city responded by levying fines to all the property owners who failed to properly lock down their homes, which allowed for the gang of thugs to easily wreak havoc in subdivision after subdivision.
I think we should be placing fines on the service providers THE TRUE CULPRITS in this fiasco, for providing a conduit for the propagation in the first place. People like Verizon and ATT and such... (just kidding)
...in other news, coming up with stories like this is a great way to vie for management! Look at all the buzz he's getting because of this! WOW! Management will actually recognize the face with the name now, instead of saying things like, "Who the hell is that geek, and why didn't he shower today?" Other management type, "I've seen him before too, at the snack machine, snarfing on Grandma's cookies like there's no tomorrow!"
;)
Really though, it's crazy to think that you can fine someone for this. I'll leave it up to the courts to decide who is responsible. (NOONE)
pwned!
This seems to assume a lot like:
1) that virus/worm attacks have an easily identified packet signature;
2) that patches keep up with viruses;
3) that anti-virus sources keep up;
4) that patch installation/maintenance is fool-proof and easy enough for the average user;
5) that there isn't a better solution like sending out a worm to patch/update all machines;
6) that a large part of liability doesn't belong to software vendors putting out easily exploitable products (Microsoft especially).
This solution is to largely blame the victim and extract money for a more widespread and fundamental set of problems. It should not be given support.
Analogy time. I get to work, lock my car and go in for the day. An enterprising car thief steals my car, which he then uses to pick up his buddies and they proceed to steal more cars. The police finally catch the guy that stole my car. They return my car, and fine me $100 for each additional car that was stolen.
Now then, how would this be my fault? Should I check to see that my car is secure every 15 minutes? Install a new security system every month?
As a programmer, I've learned that there is one truth above all others: The users are users! They're not sysadmins. Some log on for 15 minutes a night to check their email. To put the blame on the victim for not sufficiently protecting themselves flies smack in the face of our judicial system (Remember the ole 'Dressed like that, she was asking to be raped' defense?)
What cod piece?
Why are ISPs not doing some level of firewalling?
This would probably help kick start it, in an effort to not allow it to take effect.
Obviously they don't want to piss off their customer base because some messenger thing won't run, but almost everyone is going and getting a cable/dsl router to protect themselves and doing port forwarding if they are smart enough to even host something.
Why not do this at the ISP? Why aren't ISPs monitoring their own customers and telling them they are infected, or taking them off the network if they are? Hell, offer a $20 an hour service to fix it with some kind of remoting software. People would love that. ISPs should become support shops; they are already connected to your box, and there are a lot of admins without work right now.
What about hunting down those guys that actually released the virus?
This sounds as stupid to me as a fine for people that let thieves into their houses.
Decameron
diegoT
That's a dumb proposal.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
An error occurred on the server when processing the URL. Please contact the system administrator.
Will the slashdot effect be ruled a "worm"? It seems to propagate itself pretty well =)) It's like a DDoS attack isn't it?
I like Russ's idea, it has nothing to do with suing the people who let thieves in their house. Russ's idea is more like suing people who let their house turn into a crack house.
So let's say that a company produces a product that they know has holes. Let's say they put them there on purpose. Later, they charge for an update to the product that fixes them. Customers are stuck having to either (a) stop using the product which by now they probably have already committed to in ways that are hard to back out of, or (b) be fined by this rule when their machine is used in an attack, or (c) buy the upgrade.
Sounds like a sweet deal for the company - planned obsolescence where the customer is fined for being out of date.
This law should be written so it will only apply to people who could have fixed the problem without paying their own money to do so. i.e. the company produces a free upgrade that fixes it and NOTHING ELSE. It's also no fair to be tying mandatory fine-avoiding upgrades to features the customers don't want. "Get the latest security update now on our website or you could get fined for the hole! Oh, and the update installs Spyware Bendover Plus 2.1 as well, for your convenience."
My other concern is with companies that make antivirus software. Can't they secretly make viruses and release them into the wild, and then magically come out with the patch that works on them a few days later? If there is no law forcing you to buy their stuff you can just say 'screw you' and not buy their software. But if the law says you must patch or be fined, then the anti-virus company just wrote itself a blank check.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
This is flat-out stupid. Not to mention the legal problems with enforcing, but this would totally screw up the current net structure. I'm perfectly happy the way things are now, where the punishment IS the multitude of viruses trashing an insecure user. If traffic volume is the concern, go after spam first.
Anyone have stats on how much bandwidth goes through the various Mae West peering points in a single hour? And you want to scan that UNGODLY amount of traffic for viruses? It's flat-out impossible for someone like UUnet to sort, assemble and scan every traffic stream just to see if it might have a virus. The amount of RAM needed for that buffer doesn't even exist in a geek's wet dream. So ISPs could never police each other, let alone filter infected traffic that's coming from a peer.
Okay, so the part about determining fines is pretty silly, how about the ISP controlling its users? Gonna need some major high-dollar router/firewall units or servers to handle this traffic in near real-time. Better throw in one for each datacenter, so you don't have to backtrack traffic just to get it scanned. Hmm, looks like we'll need some more techies, viruses spread fast and fixes might not be as simple as a firmware update. Oh yeah, and those highly trained techs will need to be on-call so we can raise them any time there's an outbreak alert, and they can't be contractors since they'll be busy trying to fix filtering devices for a lot of other companies all at once. Whew, good thing we went to all this expense so we don't get fined, but it looks like we'll have to recover costs by... oh wait, there's no positive incentive for us.
NO FUCKING WAY am I gonna pay more for access, deal with longer latency, and have 99% of foreign networks inaccessible.
But it's nice that he threw in a plug for his own data security company in the middle of the proposal.
This is analogous to getting arrested for manslaughter because someone stole your car and killed someone during the getaway. Regardless of whether you locked your car and he was a good thief, or you left the doors unlocked and the key in the ignition, you're not guilty of manslaughter. Having an insecure computer should not be a criminal offense, only writing software to break into that computer should be. Prosecute the criminals, not the victims.
Vote for Pedro
My bullshit-o-meter goes off the scale whenever anyone sets up a "poll" like this. The results of such a poll wouldn't mean anything, even if the question was sensible. But he doesn't even ask a real question; he wants to know whether people agree or disagree with the "information". If he doesn't know whether or not the information he presents is correct, he should find out. If he knows it's correct, why does he care what other people think about it?
If he'd like feedback on his suggestions, he should say so.
Sorry. In irritates me when people call this sort of thing a "poll", and it makes me less inclined to take them seriously.
To move the responsibility of making secure systems from the manufacturer to forcing the user to fix them afterwards is a terrible idea. It would be much better if security was addressed by design instead of by trial and error as of today. After the software has been released it's already too late to address security concerns. All that is left is a total rewrite or constant patching until the codebase is so filled with patches that it can't be successfully audited anymore.
Especially OSes should be made secure by design since they can't be altered without breaking compatibility with the applications running on top of them. It should be up to the software maker to design the software to be as persistent as possible against attacks. Vsftpd is an example that everyone else should follow. Because it is designed on the presumption that there will be bugs in it, the result of a breach is much much smaller than if it had been designed to be flawless. Since software has proven itself to be very hard to make flawless, it is a stupid approach to try anyway.
Making software error persistent requires that it is first well thought through and designed for security before the first line of code is written.
To just put the blame on the users when the problem lies in the fact that nobody paid any attention to safety is just backwards as it relinquishes the vendors from making software secure in the first place. That kind of thinking will keep us in eternal patch land.
HTTP/1.1 400
The Internet is a private system owned by private companies. Participation in the system is completely voluntary. There is absolutely no reason for the government to get involved in it. If you don't like the rules given by the ISPs which own the system, then don't connect to the Internet. It's as simple as that.
If the ISPs want to get together and form a confederation of sorts, that's a completely different story. But for now, unless we're talking about a physical crime which merely uses the Internet as a medium (say, mail fraud), the government should mind its own business.
Sorry, I was in the bathroom and I turned off my w2k box. What were we talking about?
Robots are everywhere, and they eat old people's medicine for fuel.
Well, I just left the client site she went to this morning, because she got booted when her personal laptop (that she insisted she had to have because it was better than company issue) running Windows ME (???) was pumping out trojans and mass mailing worms by the dozen. The first mail she sent was to the client's director outlining what was wrong with his security, and it popped his NAV client instantly. The client is smaller but has been around for a while, so we are giving him some free labor and all appears to be forgiven (since we did implement a solid patching and anti-virus system for them last year), but it goes without saying we are embarrassed.
Wonder how much Russ would charge her for that, and I hope she doesn't have a job in the A.M.
Sure that'll work, right after they start reimbursing people stuck in traffic due to an accident or stalled car on the road.
Fine, crack shouldn't be illegal either. Only selling it to minors.
I like Russ's idea, it has nothing to do with suing the people who let thieves in their house. Russ's idea is more like suing people who let their house turn into a crack house.
The point is not everybody knows that something entered their box. People don't even know if their boxes have security holes, so there is no rational reason why they should be punished.
Also, remember that sometimes you just have no way to have your box protected, as someone could be taking advantage of a still-unknown security hole in your OS. And believe me, there are plenty of those.
Decameron
diegoT
20% of adults read at or below a 5th-grade reading level, according to the National Institute for Literacy. The innumeracy rate is bound to be worse. But somehow, every computer user is expected to know how to patch their OS and keep their anti-virus software up-to-date? Riiiiiiight.
let's fine the owners (i.e. victims) for illegal use of cars, phones and credit cards when they are stolen too!
The worst part of these attacks is that if you properly proxy firewall, they can't happen.
It sounds like Russ is tired of administrating windows network. So he should try to get a better OS so he doesn't have to be so bitter.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
the company i own ... it has a firewall. i um, get all these code red attempts from these two servers that both turn out to be www.riaa.org.
so, cary sherman, i'd like a check for 4000 billion dollars please
vodka, straight up, thank you!
Cyber warfare would thus become a reality. You pay someone to write viruses specifically to propagate on a certain business's machines and then alert the feds. They get fined; you win.
There's a growing sense that even if The Future comes,
most of us won't be able to afford it.
-- Lemmy
You cut off my link for 8 days, I'm going to look at cutting off your air supply until my link is restored.
~Cederic can't live without the internet.
Politician will be the first to be fined. On second thought, though?
how long until
So, if there is a known defect in a garage door openers setup, someone breaks into my house, steals my gun, shoots someone, and I'm to blame?
The PRIMARY culprit is the person who broke in.
The only other culprit I would go after is the vendor of the lock.
I don't see a difference regarding virus'es in this particular case.
I don't want them to filter my content at all thank you very much. Perhaps I perform penetration tests, will I be fined if a pen test matches a virus exploit?
I hate to point out that OE's been pretty thoroughly patched for several years now (there are still holes but none of the recent problems have been caused by the holes).
The problem is executables as attachments. As long as programs allow the use of executable programs as attachments, this problem won't go away. And it's a problem with OE, Mozilla, Eudora, and others.
The problem with dumb users opening attachments is widespread - until ALL the email program vendors prevent users from opening attachments, the problem won't go away.
I, for one, welcome our new American overlords.
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
Not to mention that Microsoft could then tout their "Magic Bullet." Oh, security... well we can't be 100% secure without DRM, it's the only way to really make your system foolproof.
You know they'd try. Hell, they already are.
Can you name ANY of the exploits that have been released into the wild over the past two years that weren't already patched by Microsoft? I can't - some of the patches had been out for over a year before the exploit was released.
Similarly for the exploits for ANY of the operating systems out there - the Cisco router exploit from August, the Linux LZW exploit from 6 months ago, etc.
There were patches available for ALL of those problems and the attacks were STILL a problem.
The problem isn't that Microsoft writes crappy code, or that Cisco writes crappy code, or that the open source community writes crappy code. The problem is that users don't keep on track of the patches available for their machines, and don't install those patches when they're available.
If you're going to hold Microsoft liable for their exploits, are you going to hold Linus liable for a linux exploit? If not, then why not? If it's not Linus who's responsible, then is it RedHat?
Russ's idea (which, btw, I think is UTTERLY stupid) is simply to move the responsibility of patching from the ISPs to the users that are propagating the problem.
Decameron81, I understand what you're saying but I believe that the spirit of what Russ was suggesting was not to fine for cutting edge holes but to fine if known holes are not patched right away. So we're not just talking about a nice house that has been maintained but something built and lacking patches. Perhaps even something abandoned. In my neighbourhood if your house (read: server) can not be protected and you are an absentee landlord then when someone makes a complaint the following happens. Neighbours lodge complaint. Sheriff surveys the house and determines status. Sheriff locates owner and forces them to clean up. Sheriff revisits and revisits house status. If no action taken Sheriff has it boarded up. An invoice for work added to tax bill. Sheriff revisits and revisits house status. If no action taken Court will step in. If house determined to be a risk then bulldoze. Problem solved. If your house is made up of lots and lots of Windows, I suggest third party bricks.
I am a software engineer, and spend quite a bit of time on the Internet working, doing research and such. While the idea of imposing fines on computer users seems to be a step in the right direction, I believe that the methods proposed could become needlessly onerous on the end user.
First of all, the levying of fines and disconnection from the Internet results in the end users being treated as CRIMINALS. From the description of the "detailed workings" of this plan, the end user has no way to "argue" innocence. The ISP is able to disconnect an end user from the network, without prior notification, or due process. In the U.S. this may have Constitutional ramifications. There are no appeals. What will keep ISP employees from misusing the system to get even with some end user? Is the end user without recourse in this event? Is the ISP without liability?
Just stating in a contract that a user "may be" disconnected is not notification that a problem exists. ISPs MUST actively involve their customers in policing the network. If the customer refuses to make the requested updates, then and ONLY THEN is disconnection from the network permissible. My ISP, Newnan Utilities, follows this model.
Secondly, someone must be held accountable for "false positives." Making an unsubstantiated accusation and disconnecting a business from the net, brings monetary damage upon that business. Like SPAM, some URLs are spoofed, either intentionally or accidentally through misconfiguration. I had this very problem some years ago. My ISP misconfigured a cable modem for a new install. When I would log on to the network, I would get an error indicating my assigned IP was already in use. The problem was resolved by my ISP in a few days. However, under your "plan" if the other guy was broadcasting virii or worms or whatever, I would get blamed for it and be penalized. I would have no appeal. I would be judged guilty without a trial even though it was not my fault. This would be a false positive, and the end user MUST have the ability to seek restitution for any losses that result.
Third, someone could be held responsible for an attack just because they were on vacation. I get this from the following, "Those responsible for permitting attacks to continue are only penalized after a "reasonable" amount of time." For example, many people like to check their e-mail just before going off on vacation. These are average people, have virus scanners, and update Windows occasionally. When they checked their e-mail they got infected. They go off on vacation for 2 weeks or more. They hear about XYZ worm that exploits Windows. When they return from vacation, they try to do the right thing. They log on, get a worm removal program from their virus scanning supplier, they get the Windows update, and they think they are safe. But wait, the next day their ISP has disconnected them from the network. Why??? The first time they used the computer after being infected, it was identified as "permitting the attacks to continue." Furthermore they are penalized immediately because "penalties occur only for attacks which come after such updates could have been reasonably installed," and the worm removal program they were downloading is made available on the second day of the attack, the first day of their vacation. Basically, what is a reasonable amount of time? With the scenario described, the people involved were being reasonable. But ISPs, stating this plan, would say a reasonable amount of time had elapsed and they were guilty. Supremely unfair.
Clearly end users MUST have a means to defend themselves against unjust accusations and penalties. But how? Install a log on every computer? Again, the end user gets screwed. It has been my experience that most end users do not know squat about computers. I know people that can barely use their e-mail. Asking them to locate something in a log fil
SELECT * FROM User WHERE Clue > 0
0 rows returned
This is a ridiculous idea. In the past month I have been patching servers like mad just to keep up with the latest discovered flaws. If my employer were fined because one of our servers contributed to a virus outbreak, how long would it be before they docked my pay for it? I would be pretty po'd if after a month of putting fires out my boss said, "nice work, but you're paying the bill!" This is yet another one of those "tough action" things that really only ends up hurting the little guy. Just like the virus authors themselves, it is ultimately the sys admins that have to pay the price.
A vacuum is a hell of a lot better than some of the stuff that nature replaces it with. - Tennessee Williams
An error occurred on the server when processing the URL. Please contact the system administrator.
I guess I'll just have to bill him.
who are those slashdot people? they swept over like Mongol-Tartars.
Well such an idea is theoretically feasible. I only wonder how easy it would be to actually implement it.
I would also tend to fear a mismanagement of such a system in the long run.
Decameron
diegoT
If you are running an operating system that is the digital equivalent of a crack house, maybe you should be fined or ordered to disconnect it from the public Internet. Ownership of private property does not give you immunity from the law.
Mea navis aericumbens anguillis abundat
I agree, Bureaucracy breeds inefficiency.
Say a virus somehow finds its way into your computer after you've worked hard to secure your system, and you've shelled out cash for anti-virus/firewall software.
The virus does damage to your computer, erases information, etc., and then continues to propagate using your exploited computer. Your investment in security has failed, you have to pay the necessary costs to repair the damage and restore your records, AND you have to pay a fine.
In fact, since most virii are self-propagating these days, EVERYONE who would claim damages must also pay fines. Now think of it on the corporate scale...
Sig Sig Sputnik
Here in Australia, I've heard of at least one consumer who was able to recoup the cost from a retailer for rebuilding their system after a virus attack.
Consumer rights advocates are starting to see virus attacks as being part of a foreseeable problem that users will encounter during reasonable computer use, and that a 1 year warranty (mandated by fair trading laws, here) therefore covers it.
In the case of the consumer above, the retailer didn't provide antivirus software in the computer package, and didn't tell the consumer to purchase/use antivirus software. They paid the $66 to rebuild the computer after Blaster hit.
In other words, the cost of fines will be payable by the retailer, who is liable under the terms of the warranty.
You can bet that retailer is going to look to recoup it from the supplier, and on up the chain.
interesting stuff.
-- Why should I question authority?!
A truckload of Jolt cola would be nice.
If you were on vacation, and had a door lock with a defect that thieves used to break in. Afterwards, the thieves used numbers from your phone rolodex to call and case the surrounding neighbourhood. Would you charge the original house a penalty? I think not!
If several thousand locks are found to be extremely defective countless times over... perhaps you'd charge the lock company...?
The internet is a communal tool. You know, a community. Lately everyone's getting all right-wing and 'just' all over the shop. What happened to the whole global community thing? Fuck, if you want a controlled environment, go connect to MSN. Last thing we need is so called elite policing the net for our benefit (like Truesecure), and the US "fining" other countries?
What's the bet this guy voted for Bush.
what a fuckwit.
Let's face it. We've survived these worms pretty well. Some minor inconveniences. Sure, some people paid some money.. but it was spread around. We've survived lots of worms, and viruses, and other disasters... each time we learn a lesson, systems are hardened a bit. Pundits bitch about how security isn't getting any better, but if you look at the number of new hosts on the net in the last 10 years, it's surprising how FEW big problems there have been. The Internet is, so far, successful.
Fines for people? No way. ISPs need to be responsible, people need to be responsible.. and that's about it.
I'm not in favor of licenses, fines, or any other scheme for keeping the net "safe". It will just create bureaucracy.
What I AM in favor of is making the pricing reflect costs. If your computer uses a ton of bandwidth because of some worm, you SHOULD pay for it. The fact that you didn't know is irrelevant... your computer used it.. it's your responsibility (though not necessarily your fault).
Of course, ISPs will not go to this length.. customers won't like the pricing model.. it's better to charge based on average usage, and then kick off the "abusers".
The net has done well so far. Let's keep it open, and let it grow.. and if some organisation really misbehaves, we just won't play with them any more.
Actually it should be a FEDERAL OFFENSE to have your computer taken over, or your house broken into for that matter. People who have either happen to them should get A MINIMUM of 20 years. Come on, you know it's going to happen, U.S. law is like that. Your property is government property, so if someone breaks in then you are aiding terrorism. And yes, the people breaking in are terrorists since they are terrorizing you. So I say let those probably unsecure bastards rot in jail, along with the non-violent drug offenders. They deserve it since EVERYTHING IS TERRORISM regardless. And yes, your computer is government property, and although the people are flipping a bajillion microscopic switches on a piece of silicon, it's STILL TERRORISM since those bajillion switches may, or may not, attempt to set another group of switches to its own EVIL way!!!
Does this guy think he has control over everyone in his organization? I would love to see the story about his shit getting owned and people filing lawsuits against him for obscenity when they post nudies on his front page!
For this to be impartial, fines would first and foremost have to be levied at Microsoft for time and again allowing bad code and not fixing it fast enough. Actually, under current law, it could probably be dealt with, if we didn't have such a partial justice system to begin with, on the order of: it's impossible to convict or penalize the rich, yet the poor pay to the last dime.
To his credit, the guy is asking for feedback. This is what I sent him:
Your proposed "Internet Penalties Plan" is flawed in several aspects.
First, the concept of penalizing the victim of a crime, in this case the user of poorly written software, is morally and economically wrong beyond words. Have you ever taken a moment to read the EULAs to most software you install and run every day? The software industry dodges responsibility for its actions like no other industry ever could. If auto manufacturers forced consumers to sell away their rights in the event of neglect or incompetence on the part of the manufacturer, they'd be faced with several class action lawsuits. Yet when an analogous situation happens with software companies, we blame the customer? Perhaps it is the customer's fault . . . for letting the industry get away with such crimes. Ultimately, the poor design of software is to blame, specifically on the technical and user levels. Technical flaws allow the exploits to exist in the first place. Flaws at the user level keep the masses largely and, in most cases, inescapably ignorant of the problem and of any means to fix it. If software companies were held responsible for their actions, there'd be better software, and with better software we wouldn't be having this conversation.
Secondly, even if what you propose weren't horribly immoral, it would still be technically impractical. You'd like to levy fines against people who unknowingly contribute to malicious computer attacks. How do you propose to identify those "responsible"? IP addresses, MAC addresses, and other means of computer identification can and will always be forged. Now, instead of crippling a company's network, all an attacker has to do is trick "the system" into thinking the company is the unknowing accomplice in another attack, thus incurring financial and legal woes for that company. Any proposal too trusting of technology will inevitably be reduced to yet another tool by those who would initiate such malicious attacks. Of course, there's also the issue of logistics, in that it would be virtually impossible to successfully levy all fines imposed since a large portion of these "unknowing" conspirators would lie outside the jurisdiction of the United States.
Overall, while I understand your logic, I believe you to be on the wrong track. Your proposal is fundamentally flawed and ultimately counterproductive.
Sincerely,
Anyway, in cases like this ssh exploit, the warnings and patches come after the live exploits. Accidents are going to happen, people are going to get infected before patches or even warnings get out in the future too. If you don't patch really quick when the patch gets out (Murphy dictates this will be at 4:30am local time), you'll find yourself 8 days without internet.
I have a better idea: Propose a new federal law that would require an annual payment of $1000.00 by each user of each copy of any Microsoft product to a federal government department that will distribute the money to Linux developers.
This is another example of taking away freedom and money away from the population.
Any time you put money and corporations into any equation, and you throw in law, there is always corruption and you and me always end up footing the bill. Does it hurt a big corporation to be fined hundreds of thousands of dollars? No, it is just a tax write-off. Dump it on the shareholders (us again). What happens when you and me get fined several hundred dollars? I guess that car repair can wait. I'll think twice about going on the internet (freedom being limited by threats of fines). That SPAM mail sender/script kiddie who crapped on my computer is OK to make more money and have more fun though.
The internet is what it is today because it is a free place where the exchange of information is almost unlimited. Pretty soon, spreading of certain anti-government/political party opinions will be deemed damaging, therefore, the offenders will be prosecuted.
It's a bad idea. Having a compromisable machine is not like owning a pool and not fencing off your yard to keep the neighborhood rugrats out; it's not a public nuisance. Instead, operating a compromisable machine is more like owning a Pinto and being unaware there was a recall. Only wait, there never was a recall of Windows 9xCeMeNT2KXP was there?
Were that I say, pancakes?
Here are a couple of scenarios to mull over:
1. My grandma lives in Provo, Utah. I get her a Windows PC for her birthday with video chat software and show her what to click to chat with her favourite grand-daughters and grand-sons. I am back at San Jose. Now there is a new email blaster virus. Her computer gets affected and the ISP starts fining her for not making sure that she can prevent this malicious attack via her computer. I am on a business tour and she can't contact me. She ends up getting fined for a whole week before I can finally get there and fix the problem.
2. The same Grandma. She is supposed to do all the updates as soon as the vendors release the updates. However she does not know how to do it. I have three options:
- Let her keep using it until the next email attack. At that point she is pretty much screwed since she has not applied at least 6 updates
- I keep travelling to Utah every week and keep her up to date. This way she will be fined for a maximum of one week.
- I tell grandma, that according to Russ she is a moron and should not be allowed near fatal weapons like computers
3. I apply all the patches that my OS vendor and various app vendors put out there. So my system is secure. However, the last flight-simulator I downloaded from the web and installed turned out to be a trojan and my computer quietly spread email viruses while I was happily playing flight-simulator. In the current proposal I will be held responsible for this malicious attack and be fined for as long as this happened.
4. Hackers get super-smart and create a false trail as to what systems are involved. One of the IPs they used for this is mine. Of course the hackers are so smart that they make it look authentic. The "identification agency" cannot figure out this spoof, and I get slammed.
5. I buy a new computer, hook it to my ever-on DSL and go on a vacation. When I am back after a month, I am slammed for a whole bunch of viruses that shook the nation when I was away... oh, incidentally using my computer.
Anyway, genius, (yawn) this is getting boring. But I must say I admire your guts in suggesting your own company TruSecure Corporation should be one of the companies which determine when the fines are imposed.
Already people have been misinformed enough. Please stop spreading more of this, surgeon general.
Do I hear only one name starting with an M?
All that would do is scare people away from using computers, and make it very unpopular to be connected to the internet. Not going to happen.
let's fine people who catch a cold. They should be taking their vitamins, damnit.
Great.....My boxen gets infected because I could not patch fast enough and NOW I get a fine because of it. Sheesh, I lose data, my connection and half my friends won't open my email anymore and NOW I have Joe Schmoe senator saying I should drain my bank account because of faulty (yet popular) software that the government THEMSELVES actually use. When does the insanity end? Someone, please....tell me there's an end.
[SIG] Remember Mattel handheld games?
I'm sure we can think of other virii and such that are communicable, that people can take pro-active measures against, and yet still continue to plague society today. These virii are far more insidious than SoBig or other W32 worms. They don't just disrupt productivity and affect markets, they kill people!! So can we also arrange for a fee-schedule for those found carrying these and spreading them to others? I propose a fee-schedule below, you'll note some of the penalties are self-enforcing:
These opinions guaranteed or your money back.
I think we should institute fines for really bad ideas.... let's start here. I vote we levy a fine of one months salary for this horrible, horrible idea... After that we can go after the DMCA.
The users are not at fault and have been let down by Microsoft, "computer experts" and news organizations. They have been told for years that Windows is a reliable and secure operating system that is easy for novices to use. People selling Microsoft-infested computers have been happy to spout the party lines. For years the press has shielded Microsoft from a bad reputation by referring to M$-transmitted worms as "computer worms". All of it adds up to a rapidly diminishing ignorance: Microsoft has never been easy, secure or reliable.
Now that the end user is suffering more than ever, this idiot proposes to fine them? Patching, upgrading and virus scans are all in vain, yet the end user has been pumping much energy and money into all of these things and they are still getting hit. So having been so let down, people are going to go after the people who have been lying to them. I give this silly idea about 1/1000 chance of becoming law.
Friends don't help friends install M$ junk.
My grandmother doesn't know a thing about Windows Update, because she assumes the computer is safe. So what can I do?
Put her on Debian. Set up a desktop icon to run kppp or put her on a cable modem. Set up a cron job to apt-get update and upgrade. SSH into that box every now and then to make sure things are going well. Then, sleep well.
Friends don't help friends install M$ junk.
I find the whole notion presented in this article deplorable. What ISP is going to want to self-inflict a barrel of customer rage? Where does all this money go? Who's in charge of verifying claims? What's to stop malicious users from filing false reports, or clandestinely installing software to incriminate an enemy's PC? How are all these ignorant customers supposed to be educated that they're suddenly liable for tens or hundreds of dollars in fines? If you just start arbitrarily fining people, I don't care how little it is, you will bring down a boatload of wrath and ire. People -hate- fees they don't know of in advance.
But one good thing would come of such a plan: egress filtering by all ISPs. This means that source-spoofed packets would be dropped before they get very far. It would make it significantly harder to spoof anything. No more RFC1918 packets on the public internet. If you ever run a public server on the internet, sometime try adding firewall rules to log and then drop all bogon packets: those from unroutable IP space, reserved or unallocated space, etc. You will be surprised how much of that stuff is floating around on the public internet, just soaking up legitimate bandwidth. Egress filtering would cause a much higher level of net hygiene, in my opinion.
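The bogon and egress checks the comment above describes, as an added example that is not part of the original post. It applies two rules to iptables-style log records: drop any packet whose source lies in a never-routable prefix (RFC 1918 space, loopback, link-local, multicast, class E), and, for packets arriving on a customer-facing interface, drop anything whose source is not in the prefix the ISP actually assigned, which is the egress (anti-spoofing) rule. The customer prefix, interface names, bogon list and log lines are all constructed for this example; RFC 5737 documentation addresses stand in for routable space, and a production bogon feed would also cover unallocated blocks and change over time.

```python
import ipaddress
from collections import Counter

# Sample prefixes that should never appear as a source address on the public
# Internet: RFC 1918 private space, loopback, link-local, multicast, class E
# and the unspecified block. This fixed list is for the example only; a real
# bogon feed also carries unallocated space and changes over time.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumed (hypothetical) prefix the ISP assigned to its customers, and the
# interfaces on which customer traffic arrives. RFC 5737 documentation
# ranges stand in for routable space throughout this example.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")
CUSTOMER_IFACES = {"ppp0", "ppp1"}


def matching_bogon(src):
    """Return the bogon prefix containing src, or None if src is routable."""
    addr = ipaddress.ip_address(src)
    for net in BOGON_PREFIXES:
        if addr in net:
            return str(net)
    return None


def parse_log_line(line):
    """Split an iptables-style 'KEY=VALUE ...' log line into a dict."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def verdict(fields):
    """Decide ACCEPT/DROP for one packet record and give the reason."""
    src = fields.get("SRC")
    if src is None:
        return ("DROP", "no source address in record")
    bogon = matching_bogon(src)
    if bogon is not None:
        return ("DROP", f"bogon source in {bogon}")
    # Egress rule: a packet entering from a customer interface must carry a
    # source address from the block we assigned; anything else is spoofed
    # and is dropped before it reaches the upstream link.
    if fields.get("IN") in CUSTOMER_IFACES:
        if ipaddress.ip_address(src) not in CUSTOMER_PREFIX:
            return ("DROP", "egress: source not in assigned prefix")
    return ("ACCEPT", "")


def classify(lines):
    """Run every log line through verdict(); return decisions and a tally."""
    decisions = []
    tally = Counter()
    for line in lines:
        fields = parse_log_line(line)
        action, reason = verdict(fields)
        decisions.append((fields.get("SRC"), action, reason))
        tally[action] += 1
    return decisions, tally


# Constructed sample log lines (not captured from any real network).
SAMPLE_LOG = [
    "IN=ppp0 OUT=eth1 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=80",
    "IN=ppp0 OUT=eth1 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP DPT=25",
    "IN=ppp0 OUT=eth1 SRC=10.0.0.5 DST=198.51.100.5 PROTO=UDP DPT=53",
    "IN=eth1 OUT=ppp0 SRC=127.0.0.1 DST=203.0.113.10 PROTO=TCP DPT=22",
    "IN=eth1 OUT=ppp0 SRC=198.51.100.200 DST=203.0.113.10 PROTO=TCP DPT=443",
]

if __name__ == "__main__":
    decisions, tally = classify(SAMPLE_LOG)
    for src, action, reason in decisions:
        print(f"{action:6} {src:16} {reason}")
    print(dict(tally))
```

The second sample line is the case the comment cares about: a routable-looking but foreign source address leaving a customer link, which a bogon list alone would never catch. Only the egress rule, which knows what the ISP assigned on that interface, drops it.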
If you're running a polling web site, and it's broken, which Russ's site is, obviously you should be paying the fine too, right?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Come on folks, if this idea makes sense then I guess we could take a big bite out of crime by penalizing people whose houses get robbed. After all, if everybody had a top-notch security system then we wouldn't have any burglaries, would we? Yeah, I see now, it's the people who create the opportunity for crime who are really responsible for it.
Holy Christ, somebody get me off this freakin planet.
This is a _Bad_ idea. If anything like this became law, instantly, the government can fine/arrest someone for trivial things.. like hosting a web page.. or running an SSH server that circumvents "network security." Next thing you know, your grandma is going to jail for failing to patch her system.
While we're at it, maybe we should create a bill that requires anyone who runs an alternative OS (read: Not Windows) to be fined/computers seized/computer "privileges" taken away/etc. because their system is not "secure"...
Your Silence speaks more than words ever could.
Riight, lets punish the ignorant victims for their ignorance... 'Cause fining the richest man in the world, or his company that is the cause of most of the problems, why.. that... that would be crazy!
*shakes head*
This is a horrible idea for oh so many reasons. The first that comes to mind is that government mandates about ISP logging and packet blocking are a bad thing. Once a national infrastructure is in place that allows a government sponsored program to declare certain packets or application signatures "bad", what's to stop them from adding more things than just viruses? It would be trivial, technically, to write a 'virus definition' for p2p traffic. It would be almost as trivial, and only a bit more expensive, to get this done on a political level (a certain senator from disney would probably love to help out). When the DMCA crowd is done adding their firewall rules, maybe the Patriot Act fan club will want to throw in a few too... What it comes down to is that the U.S. government cannot be allowed to regulate the internet in this manner.
Which also brings up another point; being US-only, this system is pretty worthless for stopping attacks. To be effective, the law would need to require extensive "border" filtering at sites with international peers. See point above about why this is really bad. Fortunately, this whole proposition is such preposterous crazytalk that I don't think it actually has much of any chance at happening.
I think a better idea would be to implement new regulations surrounding software warranties. I don't know how exactly it should be done, but I do know that (a) if a company's ReallyExpensiveProduct routinely breaks and causes large financial damages for its users, the company should be somehow held liable, and they shouldn't be able to get out of it with a clause in an EULA. But at the same time, (b) independent programmers who are giving their software away need to be able to do it without taking on liability, or they won't be able to do it at all, and we won't have Free software. The No Warranty clause of the GPL is a very important one. It would be great if paying for software meant you had more guarantee that it was going to work... it's really a bit bizarre that today the software you can get for free works better than the software that costs money. Perhaps a sliding scale price-based warranty would help with that.
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
tis a bit like having your car stolen and used in a robbery, then being punished for the robbery itself.
The fact that the locks can be picked with a screwdriver, or that the dash just unclips for convenient hotwireage has no bearing at all.
Users on the whole don't knowingly open security holes - they are open by default. If any fines should be issued, it is to the people at fault, not the victims.
If a user were to find a suspicious program or new exploit - they would be less inclined to report the incident because of the fine.
This perpetual motion machine Lisa made is a joke, it just keeps getting faster and faster. - Homer
And there is really no reason to limit this to corporations only. A buffer overflow in some Linux code? Look into the source for the copyright notice and sue the hell out of the poor schmuck who wrote it!
One of the bases of commerce (in the US, I have no experience elsewhere) is the concept of "Merchantability" - in other words, when selling a product, the product sold had better be pretty much what was promised.
If I sold a widget to a customer, and the widget did not perform to "reasonable expectation" then the customer is entitled to a functional widget or his/her money back.
In the case of the immerchantability causing personal harm, some additional liability may be incurred by the vendor as well.
However, if I *give* something away, the idea of merchantability is thrown on its ear. Merchantability as a concept depends on the existence of a profit on the item whose ownership is being transferred.
I can give you defective stuff until we're both blue in the face - but I incur no particular liability or requirement that the stuff perform to any standard, because when it's given away noncommercially, it's not merchandise.
Even in the case of Red Hat, merchantability starts to weaken - they don't really provide the software, per se, they provide the package. They provide additional services to otherwise free software. Since they give it away, they are certainly not charging for the software itself!
It's a fine line, and one that's increasingly solidifying.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Sorry, but this is just utter nonsense. You can't punish people for not being "literate" computer users. I'm all for security awareness and all, but this is just ridiculous.
If a train station is a place where a train stops, what's a workstation?
Hey, that was a pun! ha ha ha I didn't know it at the time. ha ha ha I'm punny
Logic, macros, and more
... but I have difficulty seeing how any of this could work without a standardized system. Maybe, just maybe if everybody ran the same version of [$IdealOS], this would be possible. But it just doesn't work that way. Even if you just isolate the Windows users out there, everybody has different tasks for their computers. Somebody who sets up a PC as a VCR, for example, is going to treat it like an appliance, not like a car that has to be maintained. (Sorry for the weak example, I'm sleep deprived.)
No, this idea may have the right intentions, but it's not a well executed one.
But who owns it??? Expect MS to change their EULA in response.
When the people fear their government, there is tyranny; when the government fears the people, there is liberty.
Software makers are always going on about how when you buy software, you don't actually own it, you own a licence to use it. Therefore, if the software allows a virus to spread, surely it's the software maker's role to bear the responsibility, as they are the only ones who own the software?
If they argue that the user owns the software, then we are allowed to reverse engineer it etc...
Dear Russ,
Do you really think that this will solve this problem? I guess not!
Remember, the internet is a free medium, and it should be free! So enforcing your idea is very wrong.
Think about it next time you do these things...
1. Fining either users or OS manufacturers presents a problem because it creates an incentive for others to write viruses targeting systems they don't like. Linux proponents, for the sake of argument, might decide to take Microsoft down a peg by releasing a series of viruses targeting Windows. If the government fines users, users will rapidly get pissed at MS and switch to another OS. If the government fines MS directly, Microsoft gets hurt. Some slashdotters might find this situation desirable, but you have to consider that there would then be just as much incentive for MS to release malware that targets Linux or Darwin. And with the open source nature of those projects, an adversary might well be able to introduce flaws into the source just for the sake of creating future exploits.
2. The real culprits here are the people writing viruses. Yes, software manufacturers need to do all that they can to make their products secure. But even an insecure OS works well if people act in an ethical manner. Put another way: when someone pours sugar into your gas tank, do you blame Ford because your filler cap doesn't lock? Of course not; you blame the malicious punk that did the damage.
3. There's no reason that market forces couldn't work to push manufacturers to fix their security issues. They don't work right now because consumers either don't understand that Windows is full of holes, or they feel that they don't have any choice in the matter, or they feel that the benefit of using Windows outweighs the drawbacks. Educating people in this respect is something that we can do ourselves, and that includes educating your elected representatives. Indeed, I'd guess that virus attacks would be significantly reduced in both frequency and impact if 50% of federal, state, and local government computers ran anything other than Windows. A heterogeneous environment is our best defense against malicious software.
When I used to work for a local ISP doing tech support, most people only checked their ISP e-mail once a month
My ISP only provides one account. My wife uses her school account, I use my work account, the kids don't get mail due to inappropriate unsolicited spam. (My 9-year-old doesn't need Viagra or any alternative.) I can easily understand why the ISP mailbox goes unchecked for long periods of time. ISPs may change often due to service problems, better offers, etc. Who wants to change mail to get a better ISP offer? I've had 3 ISPs in the last 6 years and have not changed e-mail addresses. Others get spammed to death, so they use disposable e-mail accounts. Who wants to change ISPs to get a new account that the marketers haven't got? Many people only use the ISP-provided mailbox for the billing statement because any other use could soon turn it into a spam collection repository. I've never mailed anyone with my ISP-provided mailbox for that reason. It's the only way to keep it unlisted. Only the ISP has the address.
The truth shall set you free!
(copy infringed from a post of the debian users email list posted there by Michael D Schleif)
dnsqr a *.nu
answer: \052.nu 86375 A 64.55.105.9
answer: \052.nu 86375 A 212.181.91.6
dnsqr a *.com
answer: \052.com 167 A 64.94.110.11
dnsqr a *.net
answer: \052.net 211 A 64.94.110.11
dnsqr a *.ac
answer: \052.ac 86376 A 194.205.62.122
dnsqr a *.museum
answer: \052.museum 156 A 195.7.77.20
dnsqr a *.cc
answer: \052.cc 3577 A 206.253.214.102
dnsqr a *.cx
answer: \052.cx 86378 A 219.88.106.80
dnsqr a *.tm
answer: \052.tm 86378 A 194.205.62.42
dnsqr a *.ws
answer: \052.ws 10779 A 216.35.187.246
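The dnsqr output quoted in the post above shows one A record per TLD whose owner is the wildcard name `*.<tld>` (dnsqr prints the `*` as the octal escape `\052`), which means any name under that TLD that does not otherwise exist still resolves to the listed address. The following parser is an added example, not part of the post or of the djbdns tools: it decodes the escapes, collects the wildcard records, groups the TLDs by sink address, and offers a check a resolver-side tool can use to recognise an answer that was synthesized by such a wildcard rather than configured for the name that was asked. The embedded sample is the post's own output; the hostnames in the usage checks are constructed.

```python
import re
from collections import defaultdict

# The dnsqr output quoted in the post, used as the sample input. dnsqr
# escapes non-alphanumeric bytes in owner names as three-digit octal
# sequences, so '*' appears as \052.
DNSQR_OUTPUT = r"""
dnsqr a *.nu
answer: \052.nu 86375 A 64.55.105.9
answer: \052.nu 86375 A 212.181.91.6
dnsqr a *.com
answer: \052.com 167 A 64.94.110.11
dnsqr a *.net
answer: \052.net 211 A 64.94.110.11
dnsqr a *.ac
answer: \052.ac 86376 A 194.205.62.122
dnsqr a *.museum
answer: \052.museum 156 A 195.7.77.20
dnsqr a *.cc
answer: \052.cc 3577 A 206.253.214.102
dnsqr a *.cx
answer: \052.cx 86378 A 219.88.106.80
dnsqr a *.tm
answer: \052.tm 86378 A 194.205.62.42
dnsqr a *.ws
answer: \052.ws 10779 A 216.35.187.246
"""

OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape_name(name):
    """Turn dnsqr's \\ooo octal escapes back into the characters they encode."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_dnsqr(text):
    """Parse 'dnsqr <type> <name>' / 'answer: ...' lines into record dicts."""
    records = []
    query = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("dnsqr "):
            _, qtype, qname = line.split(None, 2)
            query = (qtype.upper(), qname)
        elif line.startswith("answer:"):
            if query is None:
                raise ValueError("answer line before any query: " + line)
            _, owner, ttl, rtype, rdata = line.split()
            records.append({
                "query": query[1],
                "owner": unescape_name(owner),
                "ttl": int(ttl),
                "type": rtype,
                "rdata": rdata,
            })
        # Any other line (status or comment output) is ignored.
    return records


def wildcard_tlds(records):
    """TLDs that answer a wildcard A query, i.e. every name under them resolves."""
    return {r["owner"][2:] for r in records
            if r["type"] == "A" and r["owner"].startswith("*.")}


def tlds_by_address(records):
    """Group wildcard TLDs by the address they all sink to."""
    groups = defaultdict(set)
    for r in records:
        if r["type"] == "A" and r["owner"].startswith("*."):
            groups[r["rdata"]].add(r["owner"][2:])
    return {ip: sorted(tlds) for ip, tlds in groups.items()}


def looks_synthesized(name, ip, records):
    """True if resolving `name` to `ip` merely hit the TLD's wildcard record.

    A monitoring or mail tool can use this to avoid treating a typo or a
    nonexistent host as a live machine just because the lookup returned an A.
    """
    tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
    return any(r["type"] == "A" and r["owner"] == "*." + tld and r["rdata"] == ip
               for r in records)


if __name__ == "__main__":
    recs = parse_dnsqr(DNSQR_OUTPUT)
    print(sorted(wildcard_tlds(recs)))
    for ip, tlds in sorted(tlds_by_address(recs).items()):
        print(ip, tlds)
    print(looks_synthesized("no-such-host-xyz.com", "64.94.110.11", recs))
```

Grouping by address shows that `.com` and `.net` share one sink, which is the detail a resolver operator wants: a single address test handles both zones, and the short TTLs (167 and 211 seconds) mean the records should be re-checked rather than cached for a day.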
Let's say I am on vacation for two weeks. On the first day of the first week of my vacation a major worm virus event happens. Since I am not at home to update my machines I get infected. Because of the virus my machine cannot automatically update its virus definitions, or my Antivirus software crashes in the process, or part of the virus disables the autoupdate feature of my Antivirus and OS automatic updates fail also. Since I am on vacation I do not check my computers. I have no idea that any problems exist. For argument's sake we will say I am hiking somewhere remote or visiting the outback region of a foreign country. Assuming that we say the reasonable time the "Identification Authority" or my ISP has set is one week, then I get fined starting some time in the second week. You have just fined me for something I could not predict, prevent or respond to.
These fines might work against corporations and small businesses but I can never see them being set against the public at large.
I think that you are giving the ISPs way too much credit. Most ISPs are understaffed and the bulk of the staff they do have is grossly undertrained for their jobs. My ISP at home is Time Warner Cable. I once spent 3 hours talking to them and trying to convince them that the Web Browser I was using had nothing to do with why I couldn't ping the default route they were assigning via DHCP. I can only imagine how long it would take me to convince them that I was a false positive and get the charge reversed. Worse yet, trying to convince them that my IP Address had switched between the time they detected the offense and the time they decided to bill me.
not...
Let's compare this to an almost identical real world scenario, shall we?
Russ leaves his keys in his car, or does not purchase a car alarm.
His car gets stolen.
The person who stole it, drives through a market doing 40 and kills 15 people.
Should Russ pay a fine or be held responsible in any way for what this criminal did? I bet Russ wouldn't think so.
How about this.
Russ, instead of buying the $60 Schlage lock for his front door, on his house, skimps and buys the $20 one.
A thief, who is expert at breaking these $20 locks, comes along and breaks into his house, and steals Russ's steak knife set.
The thief then stabs an FBI agent, or a congressman, or an Army corporal.
Should Russ pay a fine for this?
Grow up, Russ. People should protect their property, but there are no constitutional or legal grounds that require them to do so. Only criminals are responsible for what criminals do.
While I agree that only an idiot leaves his door, car, or computer unlocked, you can't penalize him.
l8,
AC
Business intelligence is just a nice way of saying "You're Out of Business".
0x09F911029D74E35BD84156C5635688C0
"The attack is captured by anyone and sent to the 'Identification Authority', that organization responsible for determining the most accurate method to identify the attack 'on the wire' with a false positive rate less than 0.001%."
So each ISP customer has a 0.010% to 0.020% chance (100 to 200 in one million) of being falsely accused and fined within any given year. A mega-ISP with, say, 10 million subscribers would make thousands of false claims every year, and that assumes this scheme operates at its stated performance level of 10-20ppm false positives (which seems very ambitious). The resulting poor word-of-mouth will put a dent in their market share. I bet this doesn't fly, certainly not for very long!
Software warranties aren't all that great either. I think you're just looking to stick it to the 'man'. With everyone and their brother trying to poke holes in MS products, prices will go up and innovation down. Furthermore, for email viruses, you won't see your warranty kick in. Someone sent you an email with a program that does something bad. You ran that program. Your fault, not Microsoft's.
You'd see a litigation explosion as well. I've had customers who had their configuration wrong, didn't check their output, and sent their output along. That cost them money and they wanted us to pay for it. While even under warranty we shouldn't be liable for that, litigation risks are scary.
Worse for us, we specialize in providing custom code to customers. They frequently ask for changes and we respond quickly. This means things break more often than otherwise, but we're able to fix those problems quickly. If we had to do super rigorous testing each time we altered the program, we'd have to triple our prices or stop offering custom work. Our customers don't have triple the money and so we'd lose that competitive advantage.
Maybe we've reached the point where software should stop developing quickly, where we get new features regularly etc. Maybe we should have simple software that works flawlessly. But I don't think we're ready for that.