Slashdot Mirror


Russ Cooper's Internet Penalties Plan

sagman writes "Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly... Russ is taking a poll on his site. Russ states in an email that he wrote this up at the request of a US Senator staffer..."

16 of 435 comments

  1. Draconian measures by Eric Ass Raymond · · Score: 2, Interesting
    Failing to install a patch is not good enough a reason to punish anyone.

    I maintain several win and linux computers and I certainly don't have the time to lurk security mailing lists to stay ahead of every friggin' exploit.

  2. A couple of problems by aridhol · · Score: 5, Interesting
    First, I think this will lead to ISPs only allowing "approved" OSs on their networks, in order to prevent themselves from getting fined. Unfortunately, the approved list will probably contain the worst offenders.

    Second:

    ISPs must receive freedom from liability for dropping the identified traffic. False detections are the fault of the "Independent Authority", who should also be free from liability.
    Sorry we blocked your critical data, but you can't do anything about it.
    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  3. Re:Soo by Anonymous Coward · · Score: 1, Interesting

    That could be a valid reason to go to war. We will find the Worms of Mass Destruction.

  4. Lawsuits abound by chia_monkey · · Score: 3, Interesting

    I just see lawsuits left and right with this one. On one hand, you've got Ma and Pa Kettle who know how to turn on their computer, check their email, and play solitaire. All of a sudden they're notified they owe $2.4 billion because their computer was used to take down sixteen major corporations. Do they get to sue the ISP for not filtering? Or do they get to sue the virus programmer if they're caught? Or hell, do I get to sue them because maybe they infected me and my computer infected the corner store. Sure my fine was only $50, but maybe I'll sue them for $250,000 for pain and suffering (hey, this is America, we do that). Scary...

    --

    "He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
  5. Problem with this... by chrisgeleven · · Score: 3, Interesting

    People aren't licensed/educated properly to use the internet. So how will they know that they have to update virus definitions and patch their systems? By e-mail notifications? When I used to work for a local ISP doing tech support, most people only checked their ISP e-mail once a month for their monthly statements; they instead had hotmail accounts for their regular e-mail. We would have to call customers non-stop to remind them to check their ISP e-mail for their bill. Now we would have to call them for their weekly virus breakout?

    The key is some type of mandatory education before you can advocate fines. My grandmother doesn't know a thing about antivirus protection, she just expects it to work. My grandmother doesn't know a thing about Windows Update, because she assumes the computer is safe.

    So what can I do? There are no easy answers, but I guarantee fines are the last resort since none of the other options have been tried at a large scale.

  6. Fine the O/S vendors instead by Dark Coder · · Score: 5, Interesting

    The operating system vendors should face the music.

    If the U.S. Federal government mandates automobile recall because of some faulty protection system, exceeding expected normal operation or rusted-thru "firewall", then the same should apply toward operating systems; be it Microsoft, Linux or Unix-based.

  7. Re:Denial of Money attack? by soren42 · · Score: 2, Interesting

    You make an excellent point, but that is still a real risk on a system similar to my home system. I use Time Warner's RoadRunner Cable Modem service, and have hundreds of people on my subnet.

    In fact, a good percentage of attacks in general against my systems have been from "local" machines.

    Besides, what better way to get back at that neighbor that pissed you off - run up their fines!

    --

    "Adventure? Excitement? A Jedi craves not these things."
  8. Fine the commercial software company by YouOverThere · · Score: 2, Interesting
    Seems to be when a car company creates a damaging defect, it isn't the driver who has to pay a fine.

    Why should Joe User have to pay for the latest RPC hole?

    I have to say although the article lost me from about the first line I loved this :

    We aren't trying to penalize everyone for not being up-to-date or security savvy, but the level of attacks which continue to occur daily after any en-masse attack is enormous.

    Uhhh yes you are...

    Correct me if I'm wrong, but aren't fines a 'penalty'? Sorry, but flat out this is elitism. These people don't get how great the knowledge gap is from the average user, to anyone who might know what bugtraq is...

    Think about it for 1 clock cycle.

    Simply make the fine a percentage of the amount of revenue made on that product. That should put the onus back on the software company that unleashed the security horror that is out there. Meanwhile, free software is protected.

  9. Re:Denial of Money attack? by isomeme · · Score: 4, Interesting

    There was a science fiction story many years ago (circa 1980, IIRC) in Analog (again IIRC) which predicted widespread networked home computers, and the threat of hostile programs spreading among them. In the story, the US government mandated installation of (what we would call) antivirus software, developed and provided by the government. An attorney successfully gets the program thrown out on Constitutional grounds, showing that it violates the Third Amendment, since a program guarding against national security threats is effectively a "soldier".

    --
    When all you have is a hammer, everything looks like a skull.
  10. Re:Denial of Money attack? by njchick · · Score: 3, Interesting

    It would push users to ISPs that do filtering for them for a few bucks a month. Also home firewalls would become more popular. That's it. It's easy to convey an idea to the end users if it's about their money.

  11. So Why Would I Stay On The 'Net? by istartedi · · Score: 2, Interesting

    I'd have to go back to calling brokers on the phone, and writing checks, licking stamps, and sending things through the mail. I'd have to sign up at the library if there was something that I had to get from the 'net. That's assuming the library can stand the liability. If they can't, I'd probably be limited to the library's proprietary DBs on their local LAN.

    In other words, if you want to kill the 'net, just turn my PC into a slot machine that has unlimited negative payout odds.

    This sounds like another example of "letting the terrorists win". It would turn the 'net into a "fascist police state".

    Oh... unless there is an OS that is guaranteed secure through every revision, which we all know there can't be.

    Now, if they capped the fine it might be reasonable. What would I do? Buy expensive AV software? No. I'd buy insurance against the fine and continue to exercise good practices (e.g., not using OE for mail, not downloading crap software that runs in my taskbar, etc.) Does anybody sell "virus" insurance?

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  12. A legally sanctioned DOS attack... by Darlok · · Score: 3, Interesting

    For the love of... I think the last paragraph of this article contains the most telling statement: "...make every effort to assist in bringing about a change in the way the Internet is managed..."

    The first point is that the Internet is NOT managed, at least in the sense I believe Russ is advocating it should be. Not to go all scary-conservative here, but this is just like the discussion over banning guns -- if you get rid of all the handguns in people's closets, then only the criminals will have them. If you legislate enforceable fines for doing, effectively, nothing, then you force out the majority of people who are scared of incurring any liability, and put a powerful weapon in the hands of those who would cause trouble.

    Example:

    Gee, I don't like Bob. Bob gets his connection through UUNet. His Windows IIS has never been patched, so next time he goes on vacation I'm going to write a worm that exploits MS00-078. Now, I'm going to turn him in to the "Identification Authority" and hope that while he's gone, he racks up enormous fines. Meanwhile, UUNet has to block port 80 for, effectively, every customer on its network if my worm has managed to infect even one other vulnerable machine.

    Suddenly, script kiddies have the ability to embargo the entire net by taking advantage of bugs that happen to listen on well-known ports. I would point out today's earlier Slashdot article. Should all of our ISPs be blocking SSH traffic now?

    You can't legislate against stupidity. Nor can you make perfect software. Nor can you expect to fine neophytes into becoming security experts. Even trying would simply place incredible power in the hands of the software vendors, and then huge segments of the computing world become subject to destruction from one malformed "patch", or even worse, when someone finds a way to exploit the update mechanisms.

    This is the worst possible sort of power transference. Because people can not, will not, or in some cases _should_ not independently deal with their own technology issues, you empower central entities with an enormous amount of control over individual users. Novice users will relinquish that control, or be forced to pay some ridiculous sum of money in fines. In the end, chances are you end up with even worse problems than you started with.

    --
    Notice: Your mouse has been moved. Windows will now restart so this change can take effect.
  13. Re:Denial of Money attack? by RevMike · · Score: 2, Interesting
    The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms relating to privacy rights, freedoms related to what one can do with one's own property, and implementation of such a thing without a.) forcing every American to spend money on virus scanning software or b.) jacking up everyone's tax rates.

    You're right that it would be difficult for the government to require that individuals install anti-virus software and the like. However, the US Federal Government is empowered by the interstate commerce clause to regulate the ISPs. One could write a law that requires that ISPs act in good faith to secure their network. An ISP could then require anti-virus software, firewall software, etc. as part of their terms of service.

    I would imagine that an ISP might periodically run that new version of nmap on each of the IP addresses that have been handed out to clients. If a service with known security holes is discovered, an email is sent to the owner and a restrictive filter is put on that IP until it is patched. That should reduce the incidence of worms.

    The ISP would also route all outbound SMTP packets through its own mail server. Antivirus software there would look for email attachments containing viruses. This would take a nice bite out of viruses. <tinfoilhat>This also provides a convenient place for the government to monitor your email.</tinfoilhat>

    I'm not sure, yet, what the best approach to trojans is.
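    A sketch of the scan-and-filter loop this comment describes, added here as an example and not code from the comment's author or from any ISP. It parses nmap's grepable (-oG) output, matches open services against an operator-maintained list of banners the ISP has chosen to treat as unpatched, and emits per-port filter rules plus a customer notice. The banner list and the scan lines below are constructed for illustration and are not claims about particular software versions; the rule format assumes an iptables-based filtering box in the customer's path. Blocking only the flagged ports rather than the whole address is the "restrictive filter" reading: the customer can still read the notice and fetch patches.

```python
"""Periodic ISP scan-and-quarantine pass (illustrative example).

Reads nmap grepable (-oG) output, flags open services whose version banner
is on an operator-maintained "treat as unpatched" list, and produces
per-customer filter rules and a notification. All data here is constructed.
"""
import re
from dataclasses import dataclass, field

# Hypothetical banner list: what THIS operator has decided to quarantine.
# Illustrative only; not an assertion that these versions are vulnerable.
VULNERABLE_BANNERS = {
    "http": ("Microsoft IIS httpd 4.0", "Microsoft IIS httpd 5.0"),
    "msrpc": ("Microsoft Windows RPC",),
}

# Constructed nmap -oG lines, standing in for a sweep of a customer pool.
# Field layout per port: port/state/proto/owner/service/rpcinfo/version/
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sV -oG - 10.0.0.0/29 (constructed sample)
Host: 10.0.0.5 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 5.0/, 135/open/tcp//msrpc//Microsoft Windows RPC/\tIgnored State: closed (998)
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.6.1p2/, 80/open/tcp//http//Apache httpd 1.3.27/\tIgnored State: closed (998)
Host: 10.0.0.7 ()\tStatus: Down
# Nmap done (constructed sample)
"""


@dataclass
class Finding:
    ip: str
    port: int
    proto: str
    service: str
    banner: str


@dataclass
class Quarantine:
    ip: str
    findings: list = field(default_factory=list)

    def filter_rules(self):
        # Drop inbound traffic to the flagged ports only, not the whole host,
        # so the customer can still receive the notice and download patches.
        return [
            f"iptables -A FORWARD -d {self.ip} -p {f.proto} --dport {f.port} -j DROP"
            for f in self.findings
        ]

    def notice(self):
        lines = [f"To customer at {self.ip}: exposed services matched the unpatched list:"]
        lines += [f"  {f.port}/{f.proto} {f.service} ({f.banner})" for f in self.findings]
        lines.append("Inbound traffic to these ports is filtered until they are patched.")
        return "\n".join(lines)


# One port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Yield (ip, port, proto, service, banner) for every open port found."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments, down hosts, hosts with no ports
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, banner = m.groups()
            if state == "open":
                yield ip, int(port), proto, service, banner


def assess(scan_text, banners=VULNERABLE_BANNERS):
    """Return {ip: Quarantine} for hosts exposing a listed banner."""
    result = {}
    for ip, port, proto, service, banner in parse_grepable(scan_text):
        for needle in banners.get(service, ()):
            if needle in banner:
                result.setdefault(ip, Quarantine(ip)).findings.append(
                    Finding(ip, port, proto, service, banner))
                break
    return result


if __name__ == "__main__":
    for q in assess(SAMPLE_SCAN).values():
        print(q.notice())
        print("\n".join(q.filter_rules()))
```

    On the constructed sample only 10.0.0.5 is quarantined (ports 80 and 135); 10.0.0.6 runs services that are not on the list and is left alone. Matching on version banners means the check is only as good as the operator's list, and banner-free or falsely reported versions slip through, which is the accuracy problem the "Independent Authority" discussion elsewhere in this thread turns on.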

  14. Punishing the poor for the failings of the rich... by Anonymous Coward · · Score: 1, Interesting

    "We aren't trying to penalize everyone for not being up-to-date or security savvy, but the level of attacks which continue to occur daily after any en-masse attack is enormous. It represents a significant lack of awareness by a very large segment of the public, be they individuals or corporations. Financial incentives have proven effective in increasing public awareness for a very long time. Applying them here is simply a logical extension of our social environment."

    Why should grandma foot the bill for the poor software engineering practices of the software industry? Why not fine companies who distribute programs that are susceptible to these security breaches? Perhaps it is the "release first, patch later" philosophy of many closed/open source applications currently in distribution. What about your 14-year-old first-time Windows/Linux/Mac user who can't afford virus software (or, perhaps, is ignorant of such software/risks)? Do you fine the (potentially technically naive) guardian of the 14-year old? While one could argue that the guardian should be aware of the actions of the child, if the child is an innocent internet user (i.e., no porn/warez, etc...), what signs would tip off the guardian? Should the guardian/child be expected to enroll in classes to learn about security risks? While a creative idea, I only see this as punishing the innocent for the crimes of the negligent.

  15. Fines for companies by Decameron81 · · Score: 2, Interesting

    What about hunting down those guys that actually released the virus?

    This sounds as stupid to me as a fine for people that let thieves into their houses.

    Decameron

    --
    diegoT
  16. Re:Another impartial proposal (not) by Skillzy · · Score: 2, Interesting

    As I read the BugTraq article I was wondering who was going to provide the "approved" software to monitor all this bad traffic and keep up with the fines, etc. "The organization responsible for providing ISPs with the accurate identification information (possibly TruSecure Corporation, or maybe the new US-CERT) would determine the point at which fines will be imposed." Who else will have access to the information? Looks like a perfect opportunity for Russ's company to make a fortune implementing the mother of all Big Brothers.